Presentation on theme: "Make sure you leave me a business card or a piece of paper with your name on it for the drawing at the end of the session. Book Drawing."— Presentation transcript:
Make sure you leave me a business card or a piece of paper with your name on it for the drawing at the end of the session. Book Drawing
Security for Exchange: Assessment, Auditing, and Hardening Jim McBee ITCS Hawaii
Who is Jim McBee!!?? Consultant, Writer, MCSE, MVP and MCT – Honolulu, Hawaii (Aloha!) Principal clients ● USPACOM J2 ● USARPAC G6 Author – Exchange Seven (Sybex) Contributor – Exchange and Outlook Administrator Blog ● Directory Update ●
This session’s coverage Introduction to me and the topic Presentation and demos – About 5 hours Break in the morning and afternoon Lunch Book give away – Drop off your business card or write your name on a slip of paper Topics from today’s session comes from a small commercial consulting practice I run reviewing messaging security Questions and answers ● I’ll try to take questions as they come up as long as this does not slow us down too much.
Free eBook Tips and Tricks Guide To Secure Messaging eBook ● Good follow-up to this presentation
Audience Assumptions You have at least a few months experience running Exchange 5.5, 2000, or You have worked with Active Directory You can install and configure a Windows 2000 / 2003 server
Presentations coverage Risks and threats Reducing exposure Message hygiene Operations and accountability Message content security Best practices and checklists
Introduction to messaging security Some statistics for your boss Getting “reasonably secure” Defining the right balance Believing in evolution
Just the stats, ma’am Viruses, worms, and Trojan horses are increasing complex and “blended” Malware includes viruses, worms, Trojan horses, phishing, and spyware scams 53% of users in the U.S. say they trust less now because of spam, viruses, phishing Between 50 and 80% of all traffic is now spam Malware estimated costs for 2004 between $169B and $204B CipherTrust reported 172,000 new “zombies” each day in May % rise in intellectual property theft/loss. 74% of these security breaches were from the inside. Of the external threats, the most common attack vectors are weak passwords, known vulnerabilities, and social engineering More? ●
Why are these statistics important? They affect the usage of the system They affect the level of trust that users place in the data in the system For most organizations, is “business critical”; data must be secure, available, and trusted Reflect a need for continually evolving messaging system protection ● Protect from inside and outside threats
Defining “Reasonably Secure” Are you doing your “due diligence” One attorney I recently heard speak defined “reasonably secure” as doing AT LEAST what everyone else is doing Taking in to consideration assets, risks, and threats and then defining procedures to mitigate each of these. Being realistic (and thorough) when defining risks ● Data disclosure is realistic ● Denial of service is realistic ● Alien abduction is not as common
Striking a balance… Security should strike a balance between: ● Effective security ● Usability / functionality ● Cost ● Complying with the law
Risk Management Put on your “MBA” hat and take off the “IT” hat Define and document the “process” Locating / defining assets Assessing the risks to these assets Reviewing the threats that may make the risks a reality Mitigating these risks For our discussions in this session, we will limit the scope of this to just messaging
Process What process do you use to go through a risk assessment? Who is involved? ● Subject matter experts (IT department) ● Consultants / outside technical advisors ● Legal ● Senior management Encourage “outside the box thinking” ● Avoid “group think” Document everything about the process, the exchange of ideas, the discussions, disagreements, etc… Senior management must have visibility ● Regarding regulatory compliance, corporate officers may often have fiscal or legal responsibility for IT security “Process” is going to become a way of life for Information Technology
What are your assets? Data / intellectual property Knowledge workers / productivity ● Lost productivity = $$$ Business reputation Mail servers and network infrastructure Bandwidth ● To Internet ● To customers ● To users Service availability
What are the risks against to these assets Financial loss Law suits / regulatory liabilities Accidental / intentional disclosure of intellectual property Users with idle time or unable to work (lost productivity) Unable to meet commitments to customers and vendors Lost sales or opportunities Damage to reputation / community embarrassment
Predicting the “threats” Accidental disclosure of intellectual property Intentional disclosure of intellectual property Denial-of-service (any interruption of messaging services) Hackers Sending malware or spam to YOUR customers Malware / Virus / Trojan Horses / Spyware / Phishing Misuse of the messaging system (passing around inappropriate content) which may result in company liability Data theft (via hacking, backup media theft, hard drive theft, impersonating a user)
Threats: What are the attack vectors that can be used against you? Bad physical security / access control Vulnerable servers exposed to the Internet ● Directly exposed mailbox servers (port 25 or 80/443) open directly to server from the Internet. Weak DMZ security Poor message hygiene control Social engineering Careless users Malicious users Poor backup media handling procedures Excessive administrative procedures Single point of failure for inbound and outbound message handling
Threats: Entry points for malware Inbound Users surfing the Internet Users downloading from outside provider (via POP3/IMAP4/free web providers) Wireless network hacking VPN connections (home and laptop) Users bringing computers in from outside (personal laptops) Connections with business partners Removable media (USB drives, iPods, CD, DVD, floppy, PDA, cell phones)
Mitigation How do you mitigate all of this? ● That is what this session is all about Taking the necessary steps to provide “reasonable security” Firewalls / appliances / gateways / managed providers Good server management and configuration practices Filtering out as much unwanted content before it reaches the mail server Acceptable use policies and information security policies Applying appropriate levels of content security
Vulnerabilities Improving physical security Backup media Operating system Exchange updates Users Quick assessments
Physical security Law # 3 of the 10 Immutable Laws of Security ● “If a bad guy has unrestricted physical access to your computer, it's not your computer anymore” Locked doors / access control system that records entry information Mandatory sign-in sheets Cameras
Backup media Tape media can be your Achilles heel ● Many stories of backup tapes being compromised Often tapes are stored outside of the data center Consider data encryption technologies for tape media ● Store in physically secure location If off-site, transport in locked containers
Operating system stability Very basic, but OS vulnerabilities frequently contribute to access by external hackers. Very common attack vector for hackers as well as worms. Apply applicable critical updates within 3 – 4 weeks ● Applicable? Does the fix affect your configuration? ● Don’t apply on the day they are released Apply service packs within 1 to 2 months ● Read the SP “readme” first Use ‘Microsoft Update’ or WSUS ● Check for hardware vendor’s remote administration tools such as BMC tools, Dell RAC cards, etc… These may provide access to system Sufficient free disk space on all disk drives
Exchange updates Critical patches within 3 – 4 weeks of release Service packs within 1 to 2 months of release Some updates will overwrite custom changes you have made (such as OWA’s LOGON.ASP)
A word about scheduled downtime Don’t sacrifice reliability for availability If you don’t have downtime built-in to your operations, then how can you apply patches and updates? Plan for a scheduled outage once every 2 weeks ● Schedule these late at night ● These outages should not affect your “nines” ● You don’t have to use them if you don’t need them
Users 60 – 70% of all security breaches occur from within. ● (Source: 2002 Computer Crime and Security Survey – CSI and SF FBI’s Computer Intrusion Squad) Require an Acceptable Use Policy ● Must have “bite” ● Must be enforceable ● Must be legal ● See Require an IT Acceptable Use Policy For IT, require an IT AUP or Ethics Statement ● “Don’t read other people’s mail” Clearly define your information security policies
Quick Assessments - ExBPA Exchange Best Practices Analyzer ●
Quick Assessments - MSBA Microsoft Baseline Security Analyzer ●
Locking down servers Reduce a server’s attack surface Disabling unnecessary services Statically mapping RPC ports Configure Exchange to accept only certain versions of MAPI clients Apply policies consistently with GPOs Open SMTP relays? Apply IPSec MAC address filtering on hubs/switches
Disabling unnecessary services Install only Windows components necessary to run the server POP3 / IMAP4/NNTP MS Exchange Events MS Exchange MTA Stacks Browser Messenger Alerter MS Search TELNET
Statically map RPC ports Does not make security any tighter, but does let you easily identify the RPC traffic on your network. ● Exchange Server – KB ● Active Directory – KB ● Also useful if you have a data center firewall or WAN-firewall
Restrict MAPI versions Restrict Exchange so that it will only accept Outlook versions after Outlook 2000 SP3 ● HKLM\System\CurrentControlSet\Services\ MSExchangeIS\ParametersSystem ● Create REG_DWORD Disable MAPI Clients ● Put in to data field See KB and ● InstantDoc #26505 Can help reduce the spread of viruses and worms by allowing only more recent versions Use with caution!
Group Policy Objects Use GPOs to deploy consistent settings Define ● Auditing ● Security ● Password / lockout ● Services
Sample GPO This sample can be found at ● It WILL probably break something! Expects W2K or later clients Test your policies gradually
Open SMTP Relay? No one needs an open SMTP relay The spammers and worms WILL find you! Restrict relay to your own networks Require authentication for clients Exchange servers in your organization always authenticate
IPSec More than a reasonable measure Allows IP-layer encryption and packet authentication Additional CPU overhead IPSec policies can get complex if you implement to a subset of workstations Prevents spoofing and man-in-the-middle attacks
MAC address filtering on hubs / switches This is pretty extreme Do this if you are concerned about intruders getting physical access to your infrastructure Requires almost constant management for changes / adds / moves
Security at the perimeter Focus is on “security” not “message hygiene” The Internet “path” to your mail servers Denial of service attacks Intercept inbound traffic in your DMZ Restrictions, restrictions, restrictions…
The path to your mail servers Getting directly to mail servers is simple MX records define your inbound SMTP servers A or CNAME records point to your OWA, ActiveSync, POP3, or IMAP4 resources These records may reveal IP addresses that point DIRECTLY to your mailbox servers Your goal must be to reduce or eliminate this direct exposure
Denial-of-service and Anything a hacker/intruder can do to prevent your messaging system from providing messaging services or allowing your users to do their jobs. ● Spam could be considered a denial-of-service since users spend so much time going through it to find legitimate mail. DOS attack may attempt to fill-up disk space, overload messaging queues, overwhelm users, exceed bandwidth capacity, etc.. Directory harvesting and tarpits
An ugly trend: Virus writers, spammers, and ‘bots / zombies
Directory harvesting / dictionary spamming Directory harvesting tries to find valid SMTP addresses using dictionary or random strings Dictionary spamming sends to a dictionary full of common names This can overwhelm a mail server Recipient filtering rejects mail going to unknown senders (rather than your NDR mailbox) A tarpit slows them down ● See KB ● Recommended for Internet facing SMTP virtual servers Only one address in this list was valid, probably the “index patient”
Prevent direct access to mailbox servers Don’t allow direct access to mail server resources Inbound SMTP mail through an SMTP relay ● Can be an “appliance”, Windows, or UNIX system ● Can act as part of your messaging hygiene system. ● More on this later Inbound OWA / RPC over HTTP / ActiveSync through a reverse proxy ● ISA Server ● IronPort ● Whale Communications Prevents direct exposure for mailbox servers, front-ends, and bridgeheads
Use SMTP Relays and ISA Server proxies
Remote Outlook client options Some remote users are just going to have to have Outlook Don’t open RPC ports directly to Exchange for remote Outlook clients Use VPN Use RPC application layer filter on firewall Use RPC over HTTPS instead
Restrictions, restrictions, restrictions Mailbox Message size Recipients per message Automatic responses Internet facing SMTP virtual servers Distribution list usage Monitor disk space usage and set alerts Users are going to hate you for this!
Mailbox Limits A necessary evil Adjust based on you organization’s needs Don’t limit users if they have a job to do Most important limit is the “Prohibit Send and Receive” as that closes down the mailbox and it does not accept any more mail
Exchange reports on closed mailboxes Monitoring for event ID 8528 can help you determine if mailboxes are filling up
Message Size / Recipient Limits Default inbound and outbound message sizes is 10MB. Usually adequate for most organizations This is the MAXIMUM for users. It can be overridden to a smaller amount, but not larger Maximum recipients per message is 5000, but I recommend dropping this. This can be overridden per user.
Inbound limits from Internet Limit inbound messages from the Internet on the SMTP virtual servers that accept mail from the Internet Will apply to outbound messages only if the SMTP Connector to the Internet uses this SMTP VS as a bridgehead If this SMTP VS is used for internal message traffic, it may hurt public folder replication
Outbound limits to the Internet Limit outbound message size on the SMTP Connector (if not limited on the SMTP Virtual Server)
Automatic Responses Defaults do not allow automatic responses This may have been changed You can override this by creating additional Internet Message Formats for specific domains Considered risky due to “social engineering” risks
Distribution list security Prevent abuse of your distribution lists Limit maximum message size Limit to authenticated users only (prevents someone on Internet from using the group’s SMTP address) Limit who can send to the list internally
Monitor disk space and set alerts Common cause of downtime Built-in monitoring tools can alert you to possible problems Additional monitoring tools can automate disk usage and provide trend analysis and usage reports
Monitoring usage from a script Exchange MVP Glen Scales wrote a really nice script to report store usage and trends
Restricting maximum store size Exchange 2003 SP2 allows maximum store size to be set ● When a store exceeds that size, it is dismounted Use with great care! You can still cause your users downtime with this feature.
Outlook Web Access security Implement a reverse proxy Enable Forms Based Authentication ● Session timeouts Use SSL Train users to logout and close browser window URLScan
Put the front-end in the DMZ??? Conventional thinking says put front-end server in the DMZ. This requires many ports to be opened to internal network.
Reverse proxy for OWA Place front-end servers on the internal network and use an ISA Server in the DMZ. Much more secure, fewer ports that need to be opened.
Reverse proxy for OWA More information ● Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology ● Protecting Exchange Servers by Don Jones ● Protecting Microsoft Exchange with ISA Server 2004 Firewalls by Tom Shinder ● A Reverse Proxy Is A Proxy By Any Other Name by Art Stricek
Enable Forms Based Authentication Enable on the front- end servers Implements timeouts ● Public = 15 minutes ● Private = 24 hours ● Customizable Allows customizable logon page
Forms Based Authentication
Always use SSL from a trusted authority Very bad to get users in the habit of ignoring security alerts Many sources for low- cost, trusted SSL certificates ● GoDaddy – ● InstantSSL –
Basic authentication passwords are very easy to intercept Using a tool such as Network Monitor, capture an OWA authentication string when using Basic authentication. Take the authentication string bmFtZXJpY2EvYXJhbmQ6JGN1bGxpUnVseg== Run it through any Base64 decoding program and you get: namerica/arand:$culliRulz Domain name: namerica ; User: arand ; password: $culliRulz Scary, eh? POP3, IMAP4, and NNTP passwords do not even have to be decoded!
Should you use URLScan? Not necessary if using a reverse proxy that performs HTTP application layer inspection URLScan can cause some messages to be un-openable with OWA ● If the subject line has the.../ \ % & characters See KB for more information
Mobile device security Mobile devices often have sensitive data on them. Implement Windows Mobile 2005 FP (available from the device vendor) Use Exchange 2003 SP2 mobile device security features Remote Wipe feature available
User education Train users to ● Always use HTTPS ● Always close the browser window when finished with OWA ● Be on the lookup for suspect kiosks or Internet cafes
Administrative Security Practice principle of “least permission” Properly delegate roles Windows versus Exchange permissions ExMerge permissions
Delegating Exchange roles Mailbox admins (create/delete/modify mail attributes = Exchange View Only Administrator Manage stores, move mailboxes, manage connectors, etc… = Exchange Administrator Modify permissions = Exchange Full Administrator
Exchange permissions versus Windows permissions Delegating Exchange roles does not necessarily give you the Windows permissions necessary Start / stop services = Power User / Administrator Logon to console = Administrator Restart server = Administrator / Power user Manage SMTP Queues = Administrator ● Cannot be changed Possible problem updating addresses ● See
ExMerge Permissions Very handy tool Requires MORE than Exchange Full Administrator access Create security group: Exchange Full Mailbox Access Delegate Exchange View Only Administrator permissions to this group Modify permissions on Security property page, assign Receive As ● See KB Create an ExMerge user and put that user in the Exchange Full Mailbox Access group Secure access to the ExMerge user account Ensure that ExMerge user is neither a member of Domain Admins or Enterprise Admins
Daily Operations Verify successful backups Check available disk space Review event logs Check antivirus software and updates Check SMTP queues The more you know about normal operations, the more quickly you will recognize variances and react to them.
Thing that make you go hummmm…. When monitoring and reviewing your event logs, look for events that you cannot explain or did not expect. Look for anything that is outside of the normal boundaries of operation. Consider also the time of day that some things happen, such as restarts when no one is around or backups running off schedule
Security related events… Is this person supposed to be viewing this mailbox? This might be perfectly legitimate, but it should raise questions.
Security related events… A mailbox store was mounted. Was this scheduled / expected? Thanks to tools like PowerControls or Quests Recovery Manager, I just need your EDB/STM file to do evil.
Security related events… Hey! Who is running a backup in the middle of the day??!!
Security related events… Look for unexpected system restarts This may indicate someone is messing with the hardware
Accountability and Auditing Logging is usually one of those things you don’t know you need until you need it. Caution: Increasing logging/auditing increases overhead Event Log Sizes Diagnostics Logging Message tracking logs Protocol logs Protecting tracking and protocol logs Auditing configuration changes to Exchange
Windows Event Logs Sizes: ● Application – KB ● Security – 49152KB ● System – 49152KB ● See Overwrite as needed Set manually or via GPO Find some tool to archive these and keep
Windows Auditing These events are audited to the Windows Security log More auditing = more overhead Apply to local security policy or via GPO
Diagnostics Logging: Store System Minimum level of logging is sufficient for informational events
Diagnostics logging: Mailbox store Minimum level of logging is sufficient for informational events
Message tracking logs Helpful in diagnosing problems You don’t know you need these until you need them May contain sensitive information, so protect them Automatically purged
HTTP protocol logging Enabled via IIS Admin ● Use W3C log format Enabled on front-end servers used by OWA Will include ActiveSync and OMA traffic These logs do not automatically delete ● For a script see
SMTP protocol logging Enabled in ESM on SMTP virtual server ● Use W3C log format Enable on bridgeheads that accept mail from outside of the organization Useful for troubleshooting and security purposes These logs do not automatically delete ● For a script see
Auditing changes to Exchange configuration Most Exchange configuration is stored in the Active Directory Requires “Audit Directory Service Access” policy enabled Enable “Write” auditing on Exchange organization (via ADSIEdit) Events are logged to Security logs on domain controllers
Resulting events Event reports object and attribute that is changed Not necessarily easy to read unless you know what the attributes are for. Here I changed the inbound message size
What did I do to deserve this? Message hygiene collectively refers to spam, virus, and phishing detection and filtering By some estimates, 50 – 80% of all inbound mail is spam! Some estimates are that users spend 30 – 45 minutes PER DAY sorting through unwanted e- mail There may be some liability involved in spam or phishing schemes ● User sues their employer because they were offended! Or phished!
You think you have problems! One small business ● About 20 active mailboxes ● 90% inbound spam rate ● 18,000 messages in a 24 hour period of time ● Over 50MB worth of disk space to store ● Nearly 65MB worth of Internet bandwidth consumed ● Out of this, 20 viruses/worms were detected
You think you have problems!
Multi-layer protection Employ multiple technologies Intercept inbound mail at different points Use differing scanning and detection technologies Keep as much Malware as possible AWAY from the mailboxes and users
Multi-layer protection to the extreme One organization took the multiple layers to the extreme The need for this system evolved over 5 years Rather than replacing one gateway with a more feature-rich product, they just kept adding more
Multi-layer protection to the extreme
Hygiene system basics We are seeing a convergence of tools and technologies Buying a simple SMTP virus scanning is hard, most include anti-spam technologies Higher-end and specialized systems also include more advanced content inspection
Content inspection Industry often refers to spam and virus detection and “content inspection” I refer to more specialized systems Implement “dictionary scanning” to block inbound or outbound messages Look for messages that may violate Acceptable Use Policy Naughty words, pictures, jokes Prevent sensitive data from being disclosed ● In the U.S. the HIPAA law “requires” this ● Vendors include: Tumbleweed and Clearswift
Content inspection vendors Evaluate a couple of different systems to make sure the product meets your needs. CipherTrust IronMail Tumbleweed MailGate Clearswift MIMEsweeper Symantec Brightmail Aladdin eSafe Barracuda Spam Firewall Sendmail Sentrion Security Appliance Mail Frontier Enterprise Protection NetIQ MailMarshall
Blocked content Define a policy that allows you to block unwanted content ● Hostile content ● Multi-media files ● ZIP files Most antivirus software lets you do this Very common with most IT organizations Blocked list should be published to your users
Virus Detection Virus detection / scanning is pretty common knowledge, but very important Viruses are evolving quickly ● Sometimes 20 – 30 new variants of existing viruses come out daily ● “Virus” is often used when describing worms or Trojans. Most “viruses” today are really worms or blended threats ● Virus writers are continually looking for new system and user exploits You should update signatures between 6 and 12 times per day
Virus detection Methodologies ● Generic / signature based detection ● Heuristic filters Examining content for certain types of expected behavior ● Traffic analysis Analyzing large volumes of traffic for similarities ● Behavioral analysis Executing suspected content in a “virtual” environment
SMTP scanning systems Generic, can front-end any mail system Usually located in the DMZ Usually combines antivirus and anti-spam functions
Antivirus scanning at the Exchange server Requires Exchange-aware virus software ● E2K3 uses AVAPI 2.5 ● Can scan using AVAPI (when message hits the information store) or as message traverses SMTP Should server have a file-based scanner? ● If you do this, ensure that it NEVER scans the EDB, STM, CHK, and LOG files. Also should skip the \windows\system32\inetsrv folder and the SMTP queues folders. If running Exchange 2000, also never scan the M:\ drive See KB : Overview of Exchange Server 2003 and antivirus software
Exchange / AVAPI Software Microsoft Forefront Security for Exchange ● Formerly Sybari Antigen for Exchange Trend ScanMail for Microsoft Exchange 2003 Symantec Mail Security for Microsoft Exchange Sophos PureMessage for Microsoft Exchange F-Secure Anti-Virus for Microsoft Exchange GFI MailSecurity for Exchange F-Prot Antivirus for Exchange Norman Virus Control (NVC) for Exchange McAfee GroupShield® for Microsoft Exchange BitDefender for MS Exchange 2003
Client-side scanning With all this protection on the mail servers, do you still need client-scanners? ● Absolutely. More than one attack vector for viruses. ● Users may download from HTML web mail or remote POP3 accounts
Spam detection / prevention Technologies ● White listing Servers are verified against of known, good senders Appliance / service provider ● Black listing Inbound mail is checked against a database of blocked senders or mail servers Real-time block lists or real-time black hole lists ● Gray listing Inbound mail is temporarily rejected and assumes that valid senders will retry while spammer will not. Exchange does not implement See ● Authenticated sender Yahoo! Domain Keys Sender ID ● These technologies are usually used in conjunction with message inspection
Real-time Block Lists SMTP server that accepts inbound connections checks the IP address against the RBL Connection can be rejected (in the case of Exchange) Inbound message can be tagged for further examination by spam detection software Many of these list providers This can reduce inbound spam by 40 – 50% Can reject valid inbound mail
RBL providers Spamhauswww.spamhaus.orgwww.spamhaus.org ABUSEAT CBL cbl.abuseat.orgcbl.abuseat.org ORDBswww.ordb.orgwww.ordb.org SpamCopwww.spamcop.netwww.spamcop.net ● Pretty aggressive SORBSwww.us.sorbs.netwww.us.sorbs.net ● Pretty aggressive RBL check ● Check to see if a host is on an RBL
Configuring an RBL Configure the DNS suffix Custom message for rejected messages
Sender ID Industry effort to give SMTP servers ability to validate sending SMTP server to see if it is authorized to send mail for the sender of the message Two parts to the technology ● Your domain needs SPF records for authorized SMTP servers ● Your SMTP servers lookup mail for inbound messages and validate that the sending server is authorized to send on behalf of that user
Create DNS SPF records Microsoft provides web-driven wizard ●
Configure Exchange to use Sender ID Exchange 2003 SP2 and hot fix Define internal mail servers Enable on SMTP virtual servers that accept mail from the Internet
Sender ID analysis on one SMTP server 79% of the inbound connections had no DNS SPF records
Using the Intelligent Message Filter Pretty darned good for a free tool Only needs to be enabled on SMTP VS that are exposed to the Internet Reject / Archive / Delete / No Action
IMF customization Automatic filter updates ● See KB ● Released bi-weekly Implementing “custom weighting” ● Define words that NEVER mean spam or ALWAYS mean spam ● See Henrik Walther’s article at Viewing the IMF Archive ●
Effectiveness of RBLs and Recipient Filtering Remember the organization with so much spam? Here is what 2 RBLs and Recipient Filtering did for them ● In 5 days, inbound SMTP connections ● 53% rejected by RBLs ● 35% rejected by “Filter Recipients Who Are Not In The Directory”
Leaving the IMF with the rest The balance of the messages were handled by the IMF 50% of messages ranked SCL of “6” or above
Using managed providers Organization directs MX records to managed provider’s servers Managed provider… ● Has better scalability and redundancy ● Immediate response to day zero threats ● Keeps malware and unwanted content from reaching your perimeter ● Reduce hardware and software required by organization as well as reducing complexity and IT resources required ● Allows organization to only accept inbound SMTP from the provider ● Unwanted content never makes it to the network in the first place ● Reduces threat spam and virus/worm ‘bots Providers such as FrontBridge can provide regulatory compliance features such as archiving and content inspection
Managed providers Exchange Hosted Services ● Formerly Microsoft FrontBridge MessageLabs Postini OWN ExchangeDefender Blue Ridge InternetWorks Anti-Spam Solutions CyberTrust Managed Firewall Service Symantec Managed Virus Protection Service
Content protection PKI and encryption basics S/MIME Enterprise Rights Management S/MIME and ERM are complimentary technologies
Symmetric encryption Symmetric (a.k.a “secret”) key encryption ● Same key encrypts that decrypts The “secret” key is easily compromised Algorithm examples include DES, 3DES, CAST, AES, RC2, Blowfish, IDEA Original Data Cipher Text Original Data
Asymmetric encryption Original Data Cipher Text Original Data Recipient’s public key Recipient’s private key Public and private key pair Uses two VERY large prime numbers (2^1024 and higher) Computationally difficult to calculate the relationship between the two numbers Encrypting large amounts of data is very processor and time intensive
Encryption based entirely on public / private keys is impractical Too much CPU usage when using such large keys Diffie-Hellman proposed combining the strengths of the two systems ● Most modern encryption systems use some type of “secret key” exchange including S/MIME, SSL, IPSec, EFS, ERM, etc…
Combining symmetric and asymmetric encryption to protect data 2) A random “secret” key is generated 3) Data is encrypted with “secret” key 4) “Secret” key is encrypted with recipients public key and placed in a “lockbox” 5) Encrypted data and lockbox is sent to the recipient 1) Recipient’s certificate (and public key) is retrieved 6) Recipient uses private key to open lockbox and get the “secret key” 7) Recipient uses “secret key” to decrypt data
Digital signatures are similar 1) A hashing function (SHA-1 or MD5) is calculated using the binary data 2) The hash is encrypted using the sender’s private key 5) Recipient performs their own hash of the binary data 4) Recipient decrypts encrypted hash value using sender’s public key 3) The data, the encrypted hash, and the sender’s certificate are sent to the recipient 6) Recipient compares the sender’s hash with the one they calculated
S/MIME Mature technology ● Non-repudiation ● Verifiable message integrity ● Verifiable message origin ● Encrypted / protected ● Protects content “at rest” and in transit Can be difficult to deploy for large organizations Certificate needs to be trusted Free S/MIME certs from More information: ●
Enterprise Rights Management Assists in information security policy enforcement Content rights may include forwarding, review, modification, copying, or printing Content can be audited, expired or superseded Application and operating system must support rights management Any type of binary content can be protected including , documents, spreadsheets, web pages, etc… More information ●
Rights Account Certificate (RAC), signed with RMS Server Public key -User Private Key, Encrypted with the machine public key -User Public Key Client Computer(s) RMS Server (single-server configuration) 2. Install RMS Client Software 1. Install RMS-enabled application(s) RMS Client Activates Machine -Calls RMActivate.exe to generate machine key pair and signs Machine Certificate (containing machine public key) Protects user-specific machine private key with DPAPI 4. User authenticates Certification: Check user SID against AD Generate User Key Pair RMS Key Flow Detail: Client “Bootstrapping” Request Client Licensor Certificate RAC Validate RAC Generate “Client” Key Pair Client Licensor Certificate (CLC), signed with RMS Server Public key -CLC Private key, encrypted with the RAC public key -CLC Public key and copy of SLC User can publish online or consume User can publish offline Authentication credentials 3. User uses RMS for the first time
“Publisher” / Sender RMS Server “Consumer” / Recipient RMS Key Flow Detail: Offline Publishing & Consumption Application and RMS client 1.Generate AES key and encrypt content 2.Encrypt AES key with the public key of the client’s CLC (for “owner” license) 3.Encrypt another copy of the AES key with RMS server’s public key (so server can decrypt it later for the recipient…server public key is contained in client CLC) 4.Create “Publishing License” (PL), sign with CLC private key and append to encrypted content (Assuming recipient has RMS Client and RAC) Saves content (e.g. Word doc) Recipient user opens content Application and RMS Client 1.Inspect PL for RMS Service url. 2.Send “Use License Request “ (PL + RAC) to licensing server specified by url. RMS Server 1.Validates recipient RAC 2.Inspects PL for rights 3.Validates user in AD 4.Un-encrypts content key & re- encrypts it with recipient RAC’s public key 5.Returns encrypted content key in use license RMS Client uses RAC private key (unavailable to user) to unencrypt the content key Application renders the file and enforces the rights encrypted content 2 encrypted AES keys rights information url of RMS server Publishing License encrypted content 2 encrypted AES keys rights information url of RMS server Publishing License
Example: Rights-Protected Document Word, Excel, or Powerpoint 2003 Pro a Rights Info w/ addresses Content Key Encrypted with the server’s public key Publishing License The Content of the File (Text, Pictures, metadata, etc) End User Licenses Content Key (big random number) Rights for a particular user Encrypted with the user’s public key Created when file is protected Only added to the file after server licenses a user to open it Encrypted with Content Key, a cryptographically secure 128-bit AES symmetric encryption key Encrypted with the server’s public key Encrypted with the user’s public key NOTE: Outlook EULs are stored in the local user profile directory
Application support for ERM Application must support ERM system Office 2003 Professional application supported
S/MIME versus ERM S/MIME provides only authenticity and protection No control for the disposition of the contents Applies only to and message content Content owner loses control once message is sent Does not prevent user from forwarding content once it is in their possession
The Problem with Traditional Access Control Technologies Access Control List / File Encryption No Yes Firewall Perimeter Authorized Users Unauthorized Users Information Leakage Unauthorized Users …but not ongoing information usage Traditional solutions control initial access Clear-text content
Best practices Block outbound SMTP except from authorized hosts ● Be a good ‘net citizen Never web surf from a server console Don’t install client software on server Operators and administrators should not have mailboxes Separate admin rights from your regular user account Grant administrative permissions to groups, not individual users
Best practices Block inbound SMTP if using a managed provider ● Only accept mail from the provider Protect protocol and message tracking logs ● Some sensitive information may be disseminated from those logs Review your event logs Keep PLENTY of free disk space available? ● At least enough to mount one database in an RSG
Checklists Assessing the situation Exchange Servers Message hygiene Outside the perimeter
Assessment Assessments should be a “hands off the config” process. Don’t make configuration changes, but document what you find and the path to fix the. Determine what is documented: ● Document servers, roles, network infrastructure, and dependencies Get an accurate count of active mailboxes ● If inactive, then why? ● Disable inactive accounts then delete!
Inactive accounts Windows 2003 in 2003 forest functional mode will replicate “last logon” attribute Write script Use “Additional Account Info” from ALTools ●
Assessments: Environment Interview: ● Backup schedule / procedures / rotation / media storage ● Client software and versions in use ● Client antivirus / anti-spyware procedures ● Remote access procedures ● Administrators that are approved to manage Exchange ● Disaster recovery / business continuance plan ● What is the perception of the “spam problem?”
Assessment: Starting point Run ExBPA against entire organization Run ExchDump Run MSBA against each server ● Exchange servers ● Domain controllers
Assessment: Servers Free disk space ● Should be enough to mount an RSG Disk configuration / fault tolerance Memory / page file usage / available RAM DNS configuration Event logs sizes / archival procedures BOOT.INI check (using /3GB and /USERVA=3030 if applicable) Additional services running? Dedicated Exchange server role? How often do you update servers with fixes and patches? ● Check for vendor’s hardware management software and versions How many users/groups are members of the local Administrators and Power Users group? Is the local Guest disabled? Examine local policies for weaknesses Are messaging system limits being imposed?
Assessment: Exchange Review Exchange Full Administrator and Exchange Administrator role delegation Domain controllers / Global catalog servers in use Are limits being imposed? ● Message sizes ● Mailbox sizes ● Distribution list usage Are PSTs in use? ● Primary delivery mechanism? ● Archival mechanism? Mailbox store sizes Largest mailbox users Confirm backups and online maintenance is running Exchange database and transaction log placement on disks Is circular logging enabled? If so, get explanation as to why. Are automatic responses allowed?
Assessment: Logs Review Application logs Review System logs Review HTTP and SMTP protocol logs
Assessment: Message hygiene How recent is the A/V software? How often are signatures updated? Is there a file-based scanner on the server and if so, does it exclude Exchange files? Does inbound SMTP system use RBLs? Recipient filtering?
Assessment: Outside the perimeter Examine your DNS records ● Are there invalid A and MX records ● Do you have SPF records? Are they correct? ● Do IP addresses used for outbound SMTP have PTR records? Do Internet clients have direct access to Exchange servers? ● TELNET to “A” records provided by SMTP What ports are open through your firewall to your internal network? ● Perform port scans against “A” records for SMTP and for OWA ● Get permission to run a port scan! Are their any protocols that are not requiring SSL? ● POP3, IMAP4, OWA, ActiveSync, OMA
Securing the DMZ What is in the DMZ? ● Front-end servers? ● SMTP servers? ● Proxy servers? Reduce the number of ports open between DMZ and internal network (ideally only 25 and 443)
Whew! I’m exhausted!
Drawing for book giveaway Did you get your business card to me?
Questions? Thanks for attending!
More information… Tips and Tricks for Secure Messaging eBook by Jim McBee ● My blog (Mostly Exchange) ● Paul Robichaux’s Exchange Security blog ● Paul Robichaux’s Secure Messaging with Microsoft Exchange Server 2003 book (Microsoft Press, 2004) Exchange 2003 Support Home Page ● Slipstick Systems ●