Sec 306 Security in Exchange 2003 and Beyond Fred Baumhardt Infrastructure Team Technology Services...
Sec 306
Security in Exchange 2003 and Beyond
Fred Baumhardt
Infrastructure Team
Technology Services Group – Microsoft UK
Sasa Juratovic
Messaging Team
Session Agenda
Microsoft TwC – and Security Framework
Exchange 2003 Security enhancements
Core O/S – what improves in Win 2003
Core Exchange security functionality
Anti-virus, Anti-spam & content filtering
Client Communications and OWA
Exchange Security Architecture
The No BS version of Trustworthy Computing
Focused – Intensive - Ongoing effort
NOT A MARKETING CAMPAIGN
Extensive developer training and focus
Improved test & attack tools, and dedicated security testing
Architectural Review for all components and features – very strict feature triage criteria
Cross-component functional and security analysis
Microsoft’s SD3+C Model
Secure by Design
Security aware features and architecture
Reduce vulnerabilities in the code
Exchange – OWA – IIS – Spam & AV – FE/BE
Secure by Default
Reduce attack surface area
Features default off and with minimum privilege
Exchange – SMTP Relay – IIS – lower privilege srv
Secure in Deployment
Protect, Detect, Defend, Recover and Manage
Process: How To’s, Guidance, MSA, ISA
People: Training, Templates, Job Aids, Help
Communication
MS.COM: MSRC, /Security, /TechNet
PR: Proactive, Reactive
Community building
Windows 2003 Improvements
Core OS is radically more secure
Reduced surface area (40% of NT4 lines of code)
IIS extensively hardened and improved
Improvements in all areas: IPsec failover, RPC over HTTP, NLB, wider Kerberos support
AD improved with:
Cross-forest trust and authentication
Group usage and replication improved
SID filtering on trusts and blocking
There are tradeoffs to running Exchange 2003 on Windows 2000
Core Exchange Security Improvements
Many secure-by-default settings
More restrictive permissions
New transport features
New Internet Connection Wizard simplifies SMTP configuration
Cross-forest authentication support
NOTE: 1 forest still = 1 Exchange organization
Core Exchange Security – Secure by Default
Relaying always off
Default 10MB message limit for send, receive, and PF
Deny logon ACE for Domain Users on Exchange 2003 servers
POP3, IMAP4, NNTP off by default for new installs (not upgrade)
OMA off by default on all installs
OWA password changes off by default
Core Exchange Security – More Restrictive Permissions
Services run as LocalService
Tighter permissions on Exchange Domain Servers group
May break ExMerge or other apps that use EDS group
Fix for cluster reinstall permissions problem
Installing add’l servers requires EFA at admin group, not org level
No default top-level PF creation
No longer granted when adding servers
Anti-Virus Improvements
VS API 2.5
Improved support for scanners; all outbound messages guaranteed a scan
More MAPI properties exposed and status
Can be used on store-less (FE) servers and gives ability to use anti-spam and AV together
VS API 2.0-based scanners can’t run on store-less front-end servers
Anti-Spam Improvements
Spam is a large problem
Volume growing rapidly
Volume – capacity – “noise” that must be scanned
Several ways to deal with spam
Offload to clients w/ client or 3rd-party software
Server app that blocks on message heuristics
Inbound relay protection and RBLs like ORDB
Anti-Spam Improvements – Exchange Perimeter Blocking
Real-time DNS-based block or allow lists
If a DNS record for the sender’s IP exists, block it
Use third-party block lists or roll your own
Safe list allows mail based on a match
Bastions can invalidate these systems
If the bastion was the last IP that relayed, the DNS lookup is done on its internal address
Place on edge – or use another system
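The perimeter check the slide describes, as an added example that is not part of the presentation: reverse the connecting IP’s octets, query the block zone, short-circuit on the safe list, and skip past trusted bastion relays so the lookup is not wasted on an internal address. The zone name, safe-list entry, resolver and hop list are all constructed so it runs offline.

```python
"""DNSBL-style perimeter blocking modelled on the slide: an A record for
<reversed-ip>.<zone> means block; a safe-list match means allow."""
import ipaddress

BLOCK_ZONE = "dnsbl.example"     # placeholder zone, not a real block list
SAFE_LIST = {"198.51.100.7"}     # constructed safe-list entry

# Constructed DNS data standing in for a real resolver.
FAKE_ZONE = {"5.0.0.203.dnsbl.example": "127.0.0.2"}


def fake_resolve(name):
    """Return the A record for name, or None to simulate NXDOMAIN."""
    return FAKE_ZONE.get(name)


def dnsbl_name(ip, zone=BLOCK_ZONE):
    """Reverse the dotted quad and append the block zone."""
    addr = ipaddress.IPv4Address(ip)       # also validates the input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_sender(ip, resolve=fake_resolve):
    """Return 'allow', 'block' or 'unknown' for a connecting IP."""
    if ip in SAFE_LIST:
        return "allow"                     # safe list wins over the RBL
    return "block" if resolve(dnsbl_name(ip)) else "unknown"


def originating_ip(received_hops, trusted_relays):
    """Walk Received hops (newest first) past relays you control.
    An RBL lookup on the bastion's own internal address is useless; the
    first hop you do NOT control is the one worth checking. Only hops
    added by trusted relays are believed, since earlier headers can be
    forged by the sender."""
    for hop_ip in received_hops:
        if hop_ip not in trusted_relays:
            return hop_ip
    return None
```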
Anti-Spam Improvements – Other Improvements
Filter inbound mail by address or domain
With blank senders or unresolvable addresses
Turning this on may allow address enumeration attacks
Drop the connection after 20 unresolvable attempts
Outlook 2003 and OWA 2003
Block attachments, strip scripts, and beacons
Allow user to maintain Trusted and Junk Senders lists, which can be stored on the server
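A model of the recipient filter and its enumeration cap, added here as example code rather than anything from the presentation: rejecting unknown recipients at RCPT TO reveals which addresses exist, so the session is dropped after the slide’s 20 unresolvable attempts, bounding what one connection can learn. The directory and the SMTP reply strings are constructed and illustrative.

```python
"""Recipient filtering with a drop-after-N-unresolvable limit, as on
the slide. Directory and reply text are constructed for this example."""
UNRESOLVABLE_LIMIT = 20                                   # slide's figure
DIRECTORY = {"alice@example.com", "bob@example.com"}      # constructed


class RcptFilterSession:
    """One inbound SMTP session's filtering state."""

    def __init__(self, directory=DIRECTORY, limit=UNRESOLVABLE_LIMIT):
        self.directory = directory
        self.limit = limit
        self.unresolvable = 0
        self.dropped = False
        self.accepted = []

    def mail_from(self, sender):
        # A blank MAIL FROM is legal for bounces; the slide's filter can
        # still be configured to refuse it.
        if sender == "":
            return "550 5.7.1 Blank sender not accepted"
        return "250 2.1.0 Sender OK"

    def rcpt_to(self, address):
        if self.dropped:
            return None                      # connection already closed
        if address.lower() in self.directory:
            self.accepted.append(address)
            return "250 2.1.5 Recipient OK"
        self.unresolvable += 1
        if self.unresolvable >= self.limit:
            self.dropped = True              # cap enumeration per session
            return "421 4.7.0 Too many unresolvable recipients; closing"
        return "550 5.1.1 User unknown"


def probe(addresses):
    """How many addresses one connection gets to test before the drop."""
    session = RcptFilterSession()
    tested = 0
    for address in addresses:
        if session.rcpt_to(address) is None:
            break
        tested += 1
    return tested, session.dropped
```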
Networking Security
Securing the network transport between servers and clients critical
Outlook clients (OWA, 2003) can natively use encryption – RPC or SSL
COMSEC Improvements – RPC over HTTP
Most places disallow raw RPC traffic to/from the Internet
Example: CommNet!
Leads to the “feature” of using VPNs or tunneling for Outlook to bypass firewalls
Heavy connection setup/teardown penalty
ISA’s RPC publishing is one popular alternative
Still requires that RPC ports be opened
RPC over HTTP
Windows 2003 can tunnel RPC over HTTP
Uses TCP 80 (Universal Firewall Bypass Protocol)
Can also use TCP 443 SSL – UFBP encrypted
Full Outlook functionality
New mail notification, public folders, free/busy
Synchronization, password changes
Requires Windows 2003, Exchange 2003, Outlook 2003, Windows XP SP1 + hotfix
ISA adds value – terminate SSL and scan it – check HTTP syntax – OR use the native RPC filter and avoid the above system requirements
RPC over HTTP mailbox access
demo
COMSEC Improvements
IPsec for clusters
Clustered IPsec SAs don’t have 5-minute expiry
Allows efficient use of IPsec between FE and clustered BE*
Kerberos for MAPI connections
Keeps less-secure NTLM data off the wire
*And clustering now rocks
OWA Security Improvements
S/MIME access
Privacy enhancement
Attachment control
Cookie-based authentication
OWA S/MIME
S/MIME is a terrific technology
Large Microsoft customers wanted to make it portable
Basic problem of certificate/key access
You don’t want your private key on the server
Signing/decrypting with the server’s own keys is basically useless
OWA Security Improvements – Privacy Enhancements
Automatic stripping of web beacons
HTML images aren’t automatically downloaded
Redirector allows admin control over which links are accessible
OWA Security Improvements – Cookie Authentication
E2K-style authentication
User logs in
Credentials cached by browser
As long as browser’s running, user can log in
This is undesirable…
No way to time out sessions
No way to prevent toilet-seat attacks
Solution: go back to the future
Cookie Authentication
demo
OWA Security Improvements – Cookie Authentication
User logs in to logon form
ASP on server requests authentication
If it fails, user can’t log in
If it succeeds, cookie sent to user browser
OWA requests cookie for each page
Server can expire cookie on demand
Cookie has finite shelf life
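The flow above in working form, as an added example and not OWA’s own implementation: the logon form posts credentials, the server verifies them and issues an HMAC-signed cookie with a finite lifetime, every page presents the cookie, and the server can expire it on demand. The user store, the server secret and the 15-minute lifetime are constructed; the plain SHA-256 password digest is a stand-in for a real credential check.

```python
"""Forms-based cookie authentication with a finite shelf life and
server-side expiry on demand. Example code for this transcript."""
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)      # constructed per-process key
COOKIE_TTL = 15 * 60                          # finite shelf life, seconds
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}  # constructed
REVOKED = set()        # session ids the server has expired on demand


def _sign(payload):
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def logon(user, password, now=None):
    """Logon form handler: return a cookie on success, None on failure."""
    now = int(time.time() if now is None else now)
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(USERS.get(user, ""), digest):
        return None                          # failed: no cookie, no access
    session_id = secrets.token_hex(16)       # unguessable per-session id
    payload = "%s|%s|%d" % (user, session_id, now + COOKIE_TTL)
    return payload + "|" + _sign(payload)


def check_cookie(cookie, now=None):
    """Per-page check: return the user name if valid, else None."""
    now = int(time.time() if now is None else now)
    try:
        user, session_id, expiry, sig = cookie.split("|")
    except ValueError:
        return None
    payload = "%s|%s|%s" % (user, session_id, expiry)
    if not hmac.compare_digest(sig, _sign(payload)):
        return None                          # tampered or forged
    if now >= int(expiry) or session_id in REVOKED:
        return None                          # shelf life over, or revoked
    return user


def expire_on_demand(cookie):
    """Server-side logout: kill a well-signed, unexpired cookie early."""
    parts = cookie.split("|")
    if len(parts) == 4:
        REVOKED.add(parts[1])
```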
Other Security Improvements
Real-Time Collaboration security
Client-server sessions can now use SSL
Information Rights Management
Goal is to let information creator control:
Lifetime of information
What can be done with it
Who can do it
Examples:
Don’t allow this email to be forwarded
Make this document expire on 1 January
Best Practices – Infrastructure
Exchange Security is 50% Exchange – 50% Infrastructure – 50% Planning
Defense in depth is key
Layer 7 firewalls, encryption, authentication, and physical security, infrastructure like AD
Don’t forget IDS – and its limitations
Have a response plan – and a plan for the plan
Secure anything your Exchange relies on:
DNS poisoning and spoofing
Domain Controller DoS – and attacks
Firewall and router ACLs tightly controlled
Best Practices – Thinking
Think like a hacker
What sensitive data exists? What’s it worth?
How can I get to it? Will I get caught?
Operate securely – know what to do if:
You have been hacked (if you know)
Your server collapses (for any reason)
A major virus or DoS is discovered
Do your colleagues know? Think before it happens. Can they recover?
Best Practices – Content
Stop spam
Reduce it – the less there is coming in, the less your AV has to scan and process
Kill authenticated relay, and the Guest account should be disabled
Investigate spam-blockers and RBLs – bastion relays can invalidate RBLs
Secure your OWA
Require SSL (mindful of impact on IDS)
Terminate SSL and inspect before FE – pre-authenticate OWA with ISA FP1
Deploy S/MIME where appropriate
Best Practices – Clients
Secure your OWA
Require SSL (mindful of impact on IDS)
Terminate SSL and inspect before FE
Pre-authenticate OWA with ISA FP1
Deploy S/MIME where appropriate
Plan RPC/HTTP – assess the impacts of people using it OUT of your organisation
Start transitioning away from legacy client protocols like POP if you can – the less to worry about the better.
Community Resources
Community Resources: http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
Newsgroups – Converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups – Meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx
Suggested Reading And Resources
The tools you need to put technology to work!
Title: Microsoft® Exchange Server 2003 Administrator's Companion (ISBN 0-7356-1979-4) – Available 9/24/03
Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-Shirt
Evaluations
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.