Securing Exchange 2000
Chris Weber
[email protected]
http://www.foundstone.com
http://www.privacydefended.com
Trustworthy Exchanges and the Art of doing it yourself
Hacking Exchange
Focused on a single back-end Exchange server with a front-end OWA server
Organizational security policies should be in place to guide daily actions.
Never start configuring without having a "management supported" plan in place.
DENY ALL by default
Incoming from Internet, allow:
  TCP port 25 (SMTP)
  TCP/UDP port 53 (DNS)
  TCP port 443 (HTTPS)
Outgoing, allow: only established connections

DMZ Firewall:
DENY ALL by default
Incoming from DMZ, allow:
  TCP/UDP port 53 (DNS)
  TCP port 80 (HTTP)
  TCP/UDP port 88 (Kerberos)
  TCP port 135 (endpoint mapper)
  TCP/UDP port 389 (LDAP)
  TCP port 445 (SMB/CIFS)
  TCP port 1025 (optional RPC static port)
  TCP port 3268 (GC)
Outgoing, allow: only established connections

SMTP forwarder/content filter
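The two rule sets above as a path-based policy check, added here as an example and not code from the original slides: a flow crossing both firewalls must satisfy each of them, and the outbound direction passes only packets of an already established session. Zone names and the sample flows are constructed; the allow lists are the ports the slides give.

```python
"""Path-based check of the deny-all-by-default firewall rules listed above.

Added example, not code from the original slides. Zone names and the sample
flows are constructed; the allow lists are the ports the slides give.
"""
from typing import NamedTuple, Tuple

# Trust increases left to right; one firewall sits between each adjacent pair.
ZONES = ["internet", "dmz", "intranet"]

# (proto, port) allowed inbound, i.e. toward the more trusted zone.
INBOUND_ALLOW = {
    ("internet", "dmz"): {("tcp", 25), ("tcp", 53), ("udp", 53), ("tcp", 443)},
    ("dmz", "intranet"): {
        ("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 88), ("udp", 88),
        ("tcp", 135), ("tcp", 389), ("udp", 389), ("tcp", 445),
        ("tcp", 1025),  # optional static RPC port
        ("tcp", 3268),
    },
}

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int
    established: bool = False  # True only for packets of an already open session

def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Walk every firewall between src and dst; each one must permit the flow."""
    i, j = ZONES.index(flow.src), ZONES.index(flow.dst)
    if i == j:
        return True, "same zone, no firewall crossed"
    step = 1 if j > i else -1
    for k in range(i, j, step):
        a, b = ZONES[k], ZONES[k + step]
        if step == 1:  # inbound: only the listed services
            if (flow.proto, flow.dport) not in INBOUND_ALLOW[(a, b)]:
                return False, f"{a}->{b}: {flow.proto}/{flow.dport} not in allow list"
        elif not flow.established:  # outbound: only established connections
            return False, f"{a}->{b}: new outbound connections are denied"
    return True, "permitted"

if __name__ == "__main__":
    for f in (Flow("internet", "dmz", "tcp", 443), Flow("internet", "dmz", "tcp", 445),
              Flow("internet", "intranet", "tcp", 443), Flow("dmz", "intranet", "tcp", 389),
              Flow("dmz", "internet", "tcp", 25), Flow("dmz", "internet", "tcp", 25, True)):
        print(f, *evaluate(f))
```

Note that HTTPS from the Internet stops at the DMZ: the front-end server terminates it, and the second firewall only passes the ports the back-end and the domain controller need.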
Information Gathering
Network port scan
Server enumeration
  NetBIOS
  LDAP
  RPC
User and configuration enumeration
  LDAP with Null session
  NetBIOS with Null session
Learn host configuration information
Learn of hidden Public Folders
Glean user account names and email addresses
Some security-related changes from 5.5 to 2000
SMTP relay disabled
Rights to the Mailbox
  Admin is DENIED access to mailboxes (by default), but easily changed
  "Exchange Domain Servers" group full access
  %COMPUTERNAME%$ full access
No more Service Account
Your LSA Secrets are safe…
Exchange 2000 Secure Administration – Lock it down
Security Checklist: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/w2ksvrcl.asp
Disable unnecessary services and ports
Enable Auditing
Rename local Admin account and enable a strong password
ACL and monitor critical Registry keys
Watch event logs for failed login attempts
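For the last item, an added example (not from the original slides) of what "watch event logs for failed login attempts" can look like once auditing is enabled: a small detector run over constructed lines of a tab-separated Security log export. The export format is an assumption; the event IDs are the Windows NT/2000 logon-failure audit events.

```python
"""Flag bursts of failed logons in a (constructed) Windows 2000 Security log export.

Added example, not from the original slides. The tab-separated line format is an
assumption; the event IDs are the NT/2000 logon-failure audit events.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_EVENTS = {529: "unknown user name or bad password",
                  531: "account disabled",
                  539: "account locked out"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\tSecurity\t(?P<eid>\d+)\t"
    r"(?P<user>[^\t]+)\t(?P<wks>[^\t]+)$")

# Constructed sample: a burst of failures for 'administrator' from WS12,
# one stray failure for 'jdoe', and a successful logon (528) that must be ignored.
SAMPLE_LOG = """\
2002-02-10 09:12:01\tSecurity\t529\tadministrator\tWS12
2002-02-10 09:12:03\tSecurity\t529\tadministrator\tWS12
2002-02-10 09:12:04\tSecurity\t528\tjdoe\tWS07
2002-02-10 09:12:06\tSecurity\t529\tadministrator\tWS12
2002-02-10 09:12:09\tSecurity\t529\tadministrator\tWS12
2002-02-10 09:12:11\tSecurity\t539\tadministrator\tWS12
2002-02-10 09:40:00\tSecurity\t529\tjdoe\tWS07
"""

def failed_logon_bursts(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return {(user, workstation): max failures seen inside one `window`} for every
    source that reached `threshold`. Lines that do not parse are skipped."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["eid"]) not in FAILURE_EVENTS:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events[(m["user"].lower(), m["wks"].upper())].append(ts)
    alerts = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = max(alerts.get(key, 0), end - start + 1)
    return alerts
```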
Secure Administration - Roles
Administrative Roles
  Exchange Administrator
  Exchange Full Administrator
  Exchange View Only Administrator
XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000 (Q262054)
  http://support.microsoft.com/default.aspx?scid=kb;en-us;Q262054
Delegation Wizard
  Use to add/edit Admin roles
The All-Powerful Exchange Domain Servers Group
XADM: Enhancing the Security of Exchange 2000 for the Exchange Domain Servers Group (Q313807)
Exchange 2000 Secure Administration - TURN OFF WHAT YOU DON'T NEED
Disable unnecessary services and protocols
  For both Exchange and Windows
  Do you need POP3? IMAP? HTTP?
  Do you need the Alerter service? Messenger? DHCP client?
Exchange 2000 Malware - Virus, trojan and worm protection
Use SMTP content filter for Internet email
  Use a separate host or a firewall for SMTP relay
  Catch incoming/outgoing malware elsewhere, and relieve your Exchange server of the load
Virus protection in the Information Store
  Well, some viruses originate within, so you still need protection.
  Several server-based virus scanners will protect (e.g. MailSecurity by GFI, Trend Micro, Sybari Antigen, NAI GroupShield)
Virus protection on the client
Malware – Protection in Outlook
Prevent scripts and active content from running on your users' workstations
Set the Security Zone in Outlook to "Restricted Sites" – under Tools > Options > Security
Keep up-to-date with the latest MS Outlook and Internet Explorer patches and security hotfixes
Definitely use SSL
Decide on Front-end vs. Back-end model
Must read: http://www.microsoft.com/Exchange/techinfo/deployment/2000/E2KFrontBack.asp
Front-End server
  Isolate it even in the DMZ (it should only communicate with the Exchange BE server and an AD DC)
  Intranet Firewall between Front End and Back End
  Use STATIC RPC ports (TCP port 1025 in the firewall rules is the optional static RPC port)
Exchange 2000 Vulnerabilities
* February 2002 *
  MS02-003 : Exchange 2000 System Attendant Incorrectly Sets Remote Registry Permissions
  http://archives.neohapsis.com/archives/vendor/2002-q1/0023.html
September 2001
  MS01-049 : Deeply-nested OWA Request Can Consume Server CPU Availability
August 2001
  MS01-043 : NNTP Service in Windows NT 4.0 and Windows 2000 Contains Memory Leak
July 2001
  MS01-041 : Malformed RPC Request Can Cause Service Failure
June 2001
  MS01-030 : Incorrect Attachment Handling in Exchange OWA Can Execute Script
March 2001
  MS01-014 : Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000
November 2000
  MS00-088 : Exchange User Account Vulnerability
The FOUNDATION of Exchange
Exchange security depends on the OS security
Follow checklists and best practices available from www.microsoft.com/security as well as many third parties like SANS (www.sans.org)
Ensure new OS and Exchange installs are hardened before being placed into production
Don't let unnecessary services and software run!
Keep up-to-date on the latest MS Service Packs and security hotfixes
Additional Thoughts
SMTP replication in clear text!!!
  Use IPSec with encryption parameters to protect this traffic
Public Folders
  EVERYONE group can add new folders by default
Event Sinks
  XCCC: Script Host Sink Is Not Registered on Exchange 2000 Server by Default (Q264995)
  http://www.outlookexchange.com/articles/glenscales/wssevtar.asp by Glen Scales