Securing Exchange 2000
Chris Weber, [email protected]
http://www.foundstone.com
http://www.privacydefended.com
Trustworthy Exchanges and the Art of doing it yourself
Ask a Question Now! Click on the left portion of your screen.
Securing Microsoft Exchange 2000, Chris Weber, [email protected]
Synopsis
Focused on a single back-end Exchange server with a front-end OWA server
Hacking Exchange
  Scanning
  Enumerating
  Attacking
The Exchange Application
  Secure Administration
  System Policies
  Malware
  OWA
  Known Vulnerabilities
Other Fundamental Considerations
  IIS 5.0
  Windows OS
  Network
What is not covered
A lot!
  Connectors and Replication
  Internet POP3/SMTP clients like Outlook Express
  Backups
  Monitoring and status notifications
  PKI
Security Policy
Organizational security policies should be in place to guide daily actions.
Never start configuring without having a "management supported" plan in place.
Secure Network Diagram
Layout: Internet | Internet Firewall | Untrusted DMZ (Front End Exchange/OWA) | DMZ Firewall | Trusted Corporate LAN (Back End Exchange)
Also shown: SMTP forwarder/content filter
Internet Firewall: DENY ALL by default
  Incoming from Internet, allow: TCP port 25 (SMTP), TCP/UDP port 53 (DNS), TCP port 443 (HTTPS)
  Outgoing, allow: only established connections
DMZ Firewall: DENY ALL by default
  Incoming from DMZ, allow: TCP/UDP port 53, TCP port 80 (HTTP), TCP/UDP port 88 (Kerberos), TCP port 135 (endpoint mapper), TCP/UDP port 389 (LDAP), TCP port 445 (SMB/CIFS), TCP port 1025 (optional RPC static port), TCP port 3268 (GC)
  Outgoing, allow: only established connections
Hacking Exchange 2000
Why Hack Exchange?
  Learn host configuration information
  Learn of hidden Public Folders
  Glean user account names and email addresses
Information Gathering
  Network port scan
  Server enumeration: NetBIOS, LDAP, RPC
  User and configuration enumeration: LDAP with null session, NetBIOS with null session
  Pilfering shares: tracking logs
Launching an attack
  Aiming for admin access
Hacking Exchange 2000
LDAP exposes Users and Public Folders hidden from the Exchange Address Lists
Port Scan

D:\tools>fscan -p 1-65535 -z 128 exchange
FScan v1.12 - Command line port scanner.
Copyright 2000 (c) by Foundstone, Inc.
http://www.foundstone.com

Scan started at Fri Feb 22 00:50:30 2002

172.16.2.10 25/tcp - SMTP
172.16.2.10 80/tcp - HTTP
172.16.2.10 119/tcp - NNTP
172.16.2.10 135/tcp - RPC/DCE endpoint mapper
172.16.2.10 139/tcp - NetBIOS session service
172.16.2.10 143/tcp - IMAP
172.16.2.10 443/tcp - HTTPS
172.16.2.10 445/tcp - Microsoft SMB/CIFS
172.16.2.10 563/tcp - NNTP/SSL
172.16.2.10 593/tcp - HTTP RPC endpoint mapper
172.16.2.10 691/tcp - SMTP/LSA
172.16.2.10 993/tcp
172.16.2.10 995/tcp - POP/SSL
172.16.2.10 1048/tcp
172.16.2.10 1049/tcp
172.16.2.10 1053/tcp
172.16.2.10 1055/tcp
172.16.2.10 1089/tcp
172.16.2.10 1104/tcp
172.16.2.10 1107/tcp
172.16.2.10 1198/tcp
172.16.2.10 1200/tcp
172.16.2.10 1247/tcp
172.16.2.10 1249/tcp
172.16.2.10 3372/tcp
172.16.2.10 3389/tcp - MS Terminal Server
172.16.2.10 4277/tcp

Scan finished at Fri Feb 22 00:55:48 2002
Time taken: 65535 ports in 318.138 secs (206.00 ports/sec)

XGEN: TCP/UDP Ports Used By Exchange 2000 Server (Q278339)
Port and Process Mappings
Useful tools:
  FPORT.EXE (from www.foundstone.com)
  TLIST.EXE /S (from the Windows 2000 installation CD, \Support directory)
fport.exe
FPort v1.31 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Securing the dot com world

Pid   Process            Port  Proto Path
1028  inetinfo       ->  25    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1028  inetinfo       ->  80    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1028  inetinfo       ->  110   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1028  inetinfo       ->  119   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
512   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
1028  inetinfo       ->  143   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1028  inetinfo       ->  443   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
8     System         ->  445   TCP
1028  inetinfo       ->  563   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
512   svchost        ->  593   TCP   C:\WINNT\system32\svchost.exe
1028  inetinfo       ->  691   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1028  inetinfo       ->  993   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1028  inetinfo       ->  995   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
264   lsass          ->  1032  TCP   C:\WINNT\system32\lsass.exe
264   lsass          ->  1033  TCP   C:\WINNT\system32\lsass.exe
600   msdtc          ->  1048  TCP   C:\WINNT\System32\msdtc.exe
860   MSTask         ->  1049  TCP   C:\WINNT\system32\MSTask.exe
1044  mad            ->  1053  TCP   C:\Program Files\Exchsrvr\bin\mad.exe
1044  mad            ->  1055  TCP   C:\Program Files\Exchsrvr\bin\mad.exe
tlist.exe /s
   0 System Process
   8 System
 172 SMSS.EXE
 200 CSRSS.EXE
 224 WINLOGON.EXE
 252 SERVICES.EXE   Svcs: Alerter,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi
 264 LSASS.EXE      Svcs: Netlogon,NtLmSsp,PolicyAgent,SamSs
 368 termsrv.exe    Svcs: TermService
 512 svchost.exe    Svcs: RpcSs
 540 SPOOLSV.EXE    Svcs: Spooler
 600 msdtc.exe      Svcs: MSDTC
 748 svchost.exe    Svcs: EventSystem,Netman,NtmsSvc,SENS
 764 LLSSRV.EXE     Svcs: LicenseService
 808 regsvc.exe     Svcs: RemoteRegistry
 840 LOCATOR.EXE    Svcs: RpcLocator
 860 mstask.exe     Svcs: Schedule
 944 WinMgmt.exe    Svcs: WinMgmt
1000 dfssvc.exe     Svcs: Dfs
1028 inetinfo.exe   Svcs: IISADMIN,IMAP4Svc,NntpSvc,POP3Svc,RESvc,SMTPSVC,W3SVC
1044 MAD.EXE        Svcs: MSExchangeSA
1076 mssearch.exe   Svcs: MSSEARCH
1524 STORE.EXE      Svcs: MSExchangeIS
1556 EMSMTA.EXE     Svcs: MSExchangeMTA
2360 CSRSS.EXE      Title:
2384 WINLOGON.EXE   Title: NetDDE Agent
2464 rdpclip.exe    Title: CB Monitor Window
2508 explorer.exe   Title: Program Manager
2560 mshta.exe      Title: Windows 2000 Configure Your Server
2580 svchost.exe    Svcs: TapiSrv
2652 mdm.exe        Title: OleMainThreadWndName
2736 CMD.EXE        Title: C:\WINNT\System32\cmd.exe - tlist /s
 976 notepad.exe    Title: fport - Notepad
 768 TLIST.EXE
Exchange 2000: Some security-related changes from 5.5 to 2000
SMTP relay disabled
Rights to the Mailbox
  Admin is DENIED access to mailboxes (by default), but easily changed
  "Exchange Domain Servers" group: full access
  %COMPUTERNAME%$: full access
No more Service Account
  Your LSA Secrets are safe...
Exchange 2000: Secure Administration - Lock it down
Security Checklist: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/w2ksvrcl.asp
  Disable unnecessary services and ports
  Enable Auditing
  Rename local Admin account and enable a strong password
  ACL and monitor critical Registry keys
  Watch event logs for failed login attempts
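The last checklist item, watching the event log for failed logins, is easier to keep up with when a script does the counting. The following is an added example, not part of the deck, that runs a sliding-window burst detector over Security log records. The event IDs are the Windows 2000 Security log numbering (529 bad password, 531 disabled account, 539 locked out, and so on); the tab-separated record layout and the sample records themselves are constructed for this example and are not an Event Viewer export format.

```python
"""Burst detection for failed logons in Windows 2000 Security log records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows 2000 / NT-era Security log event IDs that record a failed logon.
FAILED_LOGON_EVENTS = {
    529: "Unknown user name or bad password",
    530: "Logon time restriction violation",
    531: "Account currently disabled",
    532: "Account has expired",
    533: "User not allowed to logon at this computer",
    534: "Logon type not granted",
    535: "Password has expired",
    537: "Unexpected error during logon",
    539: "Account locked out",
}

# Events worth reporting on first sight, before any burst threshold is reached.
REPORT_ON_SIGHT = {531, 539}

# Constructed sample records (not a real Event Viewer export): one record per
# line, tab-separated as timestamp, event ID, target user, source workstation.
SAMPLE_LOG = """\
2002-02-22 00:50:31\t528\tjsmith\tWS-014
2002-02-22 00:51:02\t529\tadministrator\tCLIENT7
2002-02-22 00:51:05\t529\tadministrator\tCLIENT7
2002-02-22 00:51:09\t529\tadministrator\tCLIENT7
2002-02-22 00:51:12\t529\tadministrator\tCLIENT7
2002-02-22 00:51:16\t529\tadministrator\tCLIENT7
2002-02-22 00:51:20\t529\tadministrator\tCLIENT7
2002-02-22 00:52:40\t529\tmjones\tWS-022
2002-02-22 00:58:10\t531\tformer.employee\tWS-031
2002-02-22 01:03:44\t539\tsvc_backup\tEXCHANGE
"""


def parse_records(text):
    """Yield (timestamp, event_id, user, workstation) for each non-blank line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, user, workstation = line.split("\t")
        yield (datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
               int(event_id), user.lower(), workstation.upper())


def detect_failed_logons(text, threshold=5, window=timedelta(minutes=2)):
    """Return a list of alert dicts, in the order the rules fired.

    burst:  at least `threshold` failed logons for one (user, workstation)
            pair inside a sliding `window`; reported once per pair.
    single: a 531 (disabled account) or 539 (locked-out account) failure is
            reported the first time it is seen for a pair.
    """
    recent = defaultdict(deque)   # (user, workstation) -> timestamps in window
    already = set()
    alerts = []
    for stamp, event_id, user, workstation in parse_records(text):
        if event_id not in FAILED_LOGON_EVENTS:
            continue                       # successful logons etc. are ignored
        key = (user, workstation)
        if event_id in REPORT_ON_SIGHT and ("single", key, event_id) not in already:
            already.add(("single", key, event_id))
            alerts.append({"rule": "single", "event": event_id, "user": user,
                           "workstation": workstation,
                           "reason": FAILED_LOGON_EVENTS[event_id]})
        times = recent[key]
        times.append(stamp)
        while times and stamp - times[0] > window:   # drop stale entries
            times.popleft()
        if len(times) >= threshold and ("burst", key) not in already:
            already.add(("burst", key))
            alerts.append({"rule": "burst", "event": event_id, "user": user,
                           "workstation": workstation, "count": len(times),
                           "first": times[0], "last": stamp})
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logons(SAMPLE_LOG):
        print(alert)
```

Keying on the (user, workstation) pair rather than the user alone keeps a single mistyped password at one desk from being lumped together with activity from another source, and the one-alert-per-key set stops the sixth and later failures from paging the same thing again; the threshold and window are parameters so they can be tuned to the audit volume of the server in question.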
Exchange 2000: Secure Administration - Roles
Administrative Roles
  Exchange Administrator
  Exchange Full Administrator
  Exchange View Only Administrator
  XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000 (Q262054)
  http://support.microsoft.com/default.aspx?scid=kb;en-us;Q262054
Delegation Wizard
  Use to add/edit Admin roles
Exchange 2000: The All-Powerful Exchange Domain Servers Group
XADM: Enhancing the Security of Exchange 2000 for the Exchange Domain Servers Group (Q313807)
Exchange 2000: Secure Administration - Security Permissions Page
Registry hack to show the Security tab in System Manager:
  Key: HKCU\Software\Microsoft\Exchange\ExAdmin
  Value: ShowSecurityPage
  Data: 1 (REG_DWORD)
XADM: Security Tab Not Available on All Objects in System Manager (Q259221)
Exchange 2000: Securing File Shares
Security of Shares
  Tracking Logs: %COMPUTERNAME%.log
    Contain user information such as email addresses and usernames.
    EVERYONE or Authenticated Users can read by default
Exchange 2000: Secure Administration - TURN OFF WHAT YOU DON'T NEED
Disable unnecessary services and protocols
  For both Exchange and Windows
  Do you need POP3? IMAP? HTTP?
  Do you need the Alerter service? Messenger? DHCP client?
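The fport and tlist listings earlier and the "turn off what you don't need" question above fit together: fport tells you which process owns each listener, tlist tells you which service lives in that process, and a written-down baseline of the ports this role should expose turns the two listings into a to-do list. The following is an added example, not the deck's or Foundstone's code, that parses the fport output shown on the slides and diffs it against an assumed back-end baseline. The allow list, the set of processes permitted to hold dynamic RPC ports, and the port-to-service pairing for the inetinfo protocol services are this example's assumptions; the service names themselves (POP3Svc, IMAP4Svc, NntpSvc, Schedule, and so on) are the ones tlist /s printed.

```python
"""Audit listening ports from fport output against a role allow list and name
the service behind each unexpected listener, using the tlist /s mapping."""
import re

# The fport listing from the slides, trimmed to the columns that matter here.
FPORT_OUTPUT = r"""
Pid   Process            Port  Proto Path
1028  inetinfo       ->  25    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1028  inetinfo       ->  80    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1028  inetinfo       ->  110   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1028  inetinfo       ->  119   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
512   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
1028  inetinfo       ->  143   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1028  inetinfo       ->  443   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
8     System         ->  445   TCP
1028  inetinfo       ->  563   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
512   svchost        ->  593   TCP   C:\WINNT\system32\svchost.exe
1028  inetinfo       ->  691   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1028  inetinfo       ->  993   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1028  inetinfo       ->  995   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
264   lsass          ->  1032  TCP   C:\WINNT\system32\lsass.exe
264   lsass          ->  1033  TCP   C:\WINNT\system32\lsass.exe
600   msdtc          ->  1048  TCP   C:\WINNT\System32\msdtc.exe
860   MSTask         ->  1049  TCP   C:\WINNT\system32\MSTask.exe
1044  mad            ->  1053  TCP   C:\Program Files\Exchsrvr\bin\mad.exe
1044  mad            ->  1055  TCP   C:\Program Files\Exchsrvr\bin\mad.exe
"""

FPORT_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\b\s*(.*)$")

# Which Windows service owns each well-known port inside inetinfo.exe.  The
# service names come from the tlist /s output on the slides; the port-to-service
# pairing is this example's assumption about the IIS/Exchange protocol services.
PORT_SERVICE = {25: "SMTPSVC", 80: "W3SVC", 443: "W3SVC",
                110: "POP3Svc", 995: "POP3Svc",
                119: "NntpSvc", 563: "NntpSvc",
                143: "IMAP4Svc", 993: "IMAP4Svc"}
# Fallback by process name, again taken from the tlist /s listing.
PROCESS_SERVICE = {"mstask": "Schedule", "msdtc": "MSDTC",
                   "mad": "MSExchangeSA", "svchost": "RpcSs"}

# Assumed baseline for a back-end server that serves Outlook/MAPI and OWA only:
# no POP3, IMAP or NNTP, no scheduler.  Adjust to the role you decided on.
BACKEND_ALLOWED_PORTS = {25, 80, 443, 135, 139, 445, 593, 691}
# Processes that legitimately bind dynamic RPC ports above 1023 on this role.
RPC_PROCESSES = {"lsass", "mad", "msdtc", "store", "emsmta", "svchost"}


def parse_fport(text):
    """Return a list of {pid, process, port, proto, path} dicts from fport output."""
    listeners = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if m:
            listeners.append({"pid": int(m.group(1)), "process": m.group(2),
                              "port": int(m.group(3)), "proto": m.group(4),
                              "path": m.group(5).strip()})
    return listeners


def audit_listeners(text, allowed_ports, rpc_processes):
    """Return findings for listeners outside the baseline, sorted by port.

    A listener is acceptable if its port is in `allowed_ports`, or if it is a
    dynamic port (>= 1024) owned by a process in `rpc_processes`.
    """
    findings = []
    for l in parse_fport(text):
        proc = l["process"].lower()
        if l["port"] in allowed_ports:
            continue
        if l["port"] >= 1024 and proc in rpc_processes:
            continue
        service = PORT_SERVICE.get(l["port"]) or PROCESS_SERVICE.get(proc, "unknown")
        findings.append({"port": l["port"], "pid": l["pid"],
                         "process": l["process"], "service": service})
    return sorted(findings, key=lambda f: f["port"])


if __name__ == "__main__":
    for f in audit_listeners(FPORT_OUTPUT, BACKEND_ALLOWED_PORTS, RPC_PROCESSES):
        print(f"port {f['port']:<5} {f['process']:<10} -> stop/disable service {f['service']}")
```

Against the listing from the slides this flags the POP3, IMAP and NNTP listeners (plain and SSL) plus the Task Scheduler's port; every other high port belongs to lsass, msdtc or mad and is left alone as RPC. Re-run it after each change and keep the baseline with the build documentation, so the next port scan of the box can be compared against something written down rather than memory.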
Exchange 2000: System Policies
  Server policy
  Mailbox policy
  Public Folder policy
Exchange 2000: Malware - virus, trojan and worm protection
Use an SMTP content filter for Internet email
  Use a separate host or a firewall for SMTP relay
  Catch incoming/outgoing malware elsewhere, and relieve your Exchange server of the load
Virus protection in the Information Store
  Well, some viruses originate within, so you still need protection.
  Several server-based virus scanners will protect (e.g. MailSecurity by GFI, Trend Micro, Sybari Antigen, NAI GroupShield)
Virus protection on the client
Exchange and Outlook: Malware - protection in Outlook
Prevent scripts and active content from running on your users' workstations
  Set the Security Zone in Outlook to "Restricted Sites" (under Tools > Options > Security)
Keep up to date with the latest MS Outlook and Internet Explorer patches and security hotfixes
Outlook Web Access: Installation and Design Considerations
General OWA security
  Lock down IIS
    Security checklists: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp
    IISLock.exe
  Definitely use SSL
Decide on Front-end vs. Back-end model
  Must read: http://www.microsoft.com/Exchange/techinfo/deployment/2000/E2KFrontBack.asp
Front-End server
  Isolate it even in the DMZ (it should only communicate with the Exchange BE server and an AD DC)
  Intranet firewall between Front End and Back End
  Use STATIC RPC ports: http://support.microsoft.com/support/kb/articles/q224/1/96.asp
Secure Network Diagram (repeat of the earlier slide)
Firewalls
DENY everything. Only allow what you need!
Internet firewall
  DENY ALL incoming and outgoing
  Allow only what you need! For example:
    Incoming from Internet, allow: TCP port 443 (HTTPS), TCP port 25 (SMTP), TCP/UDP port 53 (DNS)
    Outgoing, allow: only established connections
Intranet
  Assign static RPC ports to the Exchange Server
DMZ firewall
  DENY ALL incoming and outgoing
  Allow only what you need! For example:
    Incoming from DMZ, allow: TCP port 80 (HTTP), TCP/UDP port 88 (Kerberos), TCP/UDP port 53, TCP/UDP port 389 (LDAP), TCP port 3268 (GC), TCP port 135 (endpoint mapper), TCP port 1025 (optional RPC static port), TCP port 445 (SMB/CIFS)
    Outgoing, allow: only established connections
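"Deny everything, allow only what you need, outgoing only established" is easy to say and easy to get subtly wrong, so here is an added example (not part of the deck) that models both rule sets above as a small stateful filter and pushes a constructed packet sequence through them. The addresses are documentation-range placeholders and the scenarios are made up for the example; the two allow lists are copied from the slides.

```python
"""Stateful default-deny evaluation of the two firewall policies in the deck."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str   # "in": toward the protected side; "out": leaving it
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Firewall:
    name: str
    allow_in: dict                                  # dport -> {"tcp", "udp"}
    established: set = field(default_factory=set)  # 5-tuples admitted inbound

    def evaluate(self, pkt):
        """Return "ALLOW" or "DENY".  Nothing matches by default."""
        if pkt.direction == "in":
            if pkt.proto in self.allow_in.get(pkt.dport, ()):
                self.established.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "ALLOW"
            return "DENY"
        # Outgoing: only the reverse of a connection that was admitted inbound.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ALLOW" if reverse in self.established else "DENY"


# Rule sets exactly as listed on the slides.
INTERNET_FW_ALLOW = {25: {"tcp"}, 53: {"tcp", "udp"}, 443: {"tcp"}}
DMZ_FW_ALLOW = {53: {"tcp", "udp"}, 80: {"tcp"}, 88: {"tcp", "udp"},
                135: {"tcp"}, 389: {"tcp", "udp"}, 445: {"tcp"},
                1025: {"tcp"}, 3268: {"tcp"}}

# Constructed addresses (documentation ranges): an Internet client, the
# front-end OWA server in the DMZ, and the back-end server and a DC on the LAN.
CLIENT, FRONT_END, BACK_END, DC = "198.51.100.7", "192.0.2.10", "10.0.0.5", "10.0.0.6"


def run_scenario():
    """Push a constructed packet sequence through both firewalls; return
    (description, verdict) pairs in order."""
    inet = Firewall("Internet firewall", INTERNET_FW_ALLOW)
    dmz = Firewall("DMZ firewall", DMZ_FW_ALLOW)
    steps = [
        (inet, "client -> OWA over HTTPS",         Packet("in", "tcp", CLIENT, 40000, FRONT_END, 443)),
        (inet, "OWA reply to that client",         Packet("out", "tcp", FRONT_END, 443, CLIENT, 40000)),
        (inet, "client -> OWA over plain HTTP",    Packet("in", "tcp", CLIENT, 40001, FRONT_END, 80)),
        (inet, "DMZ host opens new outbound SMTP", Packet("out", "tcp", FRONT_END, 1234, CLIENT, 25)),
        (inet, "DNS query from the Internet",      Packet("in", "udp", CLIENT, 5353, FRONT_END, 53)),
        (dmz, "front end -> back end HTTP",        Packet("in", "tcp", FRONT_END, 1100, BACK_END, 80)),
        (dmz, "front end -> DC LDAP",              Packet("in", "tcp", FRONT_END, 1101, DC, 389)),
        (dmz, "front end -> back end NetBIOS 139", Packet("in", "tcp", FRONT_END, 1102, BACK_END, 139)),
        (dmz, "LAN host initiates to the DMZ",     Packet("out", "tcp", BACK_END, 2000, FRONT_END, 80)),
        (dmz, "front end -> static RPC port 1025", Packet("in", "tcp", FRONT_END, 1103, BACK_END, 1025)),
    ]
    return [(f"{fw.name}: {what}", fw.evaluate(pkt)) for fw, what, pkt in steps]


if __name__ == "__main__":
    for what, verdict in run_scenario():
        print(f"{verdict:5} {what}")
```

Two things the run makes visible: a host on the trusted side cannot open a connection into the DMZ at all, because the only outgoing rule is "established", and the back-end's RPC listener is reachable only because the deck pins it to a static port (the Q224196 reference on the design slide). With the default dynamic RPC allocation there would be no fixed port number to write into the DMZ firewall's allow list, and the choice would be between opening the whole high range or breaking the front end.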
Exchange 2000 Vulnerabilities
* February 2002 * MS02-003: Exchange 2000 System Attendant Incorrectly Sets Remote Registry Permissions
  http://archives.neohapsis.com/archives/vendor/2002-q1/0023.html
September 2001: MS01-049: Deeply-nested OWA Request Can Consume Server CPU Availability
August 2001: MS01-043: NNTP Service in Windows NT 4.0 and Windows 2000 Contains Memory Leak
July 2001: MS01-041: Malformed RPC Request Can Cause Service Failure
June 2001: MS01-030: Incorrect Attachment Handling in Exchange OWA Can Execute Script
March 2001: MS01-014: Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000
November 2000: MS00-088: Exchange User Account Vulnerability
The Windows OS: the FOUNDATION of Exchange
Security is a pyramid
  Exchange security depends on the OS security
  Follow checklists and best practices available from www.microsoft.com/security as well as from many third parties like SANS (www.sans.org)
Ensure new OS and Exchange installs are hardened before being placed into production
Don't let unnecessary services and software run!
Keep up to date on the latest MS Service Packs and security hotfixes
Exchange 2000: Additional Thoughts
SMTP replication in clear text!!!
  Use IPSec with encryption parameters to protect this traffic
Public Folders
  EVERYONE group can add new folders by default
Event Sinks
  XCCC: Script Host Sink Is Not Registered on Exchange 2000 Server by Default (Q264995)
  http://www.outlookexchange.com/articles/glenscales/wssevtar.asp by Glen Scales
References
Exchange
  http://www.microsoft.com/exchange
  http://www.microsoft.com/security
  http://www.slipstick.com
  http://www.msexchange.org
  http://www.labmice.net
IPSec
  http://www.securityfocus.com/infocus/1519
The End
Securing Exchange 2000
Chris Weber, [email protected]
http://www.foundstone.com
http://www.privacydefended.com