1 Book Drawing
Make sure you leave me a business card or a piece of paper with your name on it for the drawing at the end of the session.
2 Security for Exchange: Assessment, Auditing, and Hardening
Jim McBee
ITCS Hawaii
3 Who is Jim McBee!!??
Consultant, Writer, MCSE, MVP and MCT – Honolulu, Hawaii (Aloha!)
Principal clients
  USPACOM J2
  USARPAC G6
Author – Exchange Seven (Sybex)
Contributor – Exchange and Outlook Administrator
Blog
Directory Update
4 This session’s coverage
Introduction to me and the topic
Presentation and demos – about 5 hours
Break in the morning and afternoon
Lunch
Book give away – drop off your business card or write your name on a slip of paper
Topics from today’s session come from a small commercial consulting practice I run reviewing messaging security
Questions and answers
I’ll try to take questions as they come up as long as this does not slow us down too much.
5 Free eBook
Tips and Tricks Guide To Secure Messaging eBook
Good follow-up to this presentation
6 Audience Assumptions
You have at least a few months’ experience running Exchange 5.5, 2000, or 2003.
You have worked with Active Directory
You can install and configure a Windows 2000 / 2003 server
7 Presentation’s coverage
Risks and threats
Reducing exposure
Message hygiene
Operations and accountability
Message content security
Best practices and checklists
8 Introduction to messaging security
Some statistics for your boss
Getting “reasonably secure”
Defining the right balance
Believing in evolution
9 Just the stats, ma’am
Viruses, worms, and Trojan horses are increasingly complex and “blended”
Malware includes viruses, worms, Trojan horses, phishing, and spyware scams
53% of users in the U.S. say they trust e-mail less now because of spam, viruses, and phishing
Between 50 and 80% of all traffic is now spam
Malware estimated costs for 2004 between $169B and $204B
CipherTrust reported 172,000 new “zombies” each day in May 2005
323% rise in intellectual property theft/loss. 74% of these security breaches were from the inside.
Of the external threats, the most common attack vectors are weak passwords, known vulnerabilities, and social engineering
More?
10 Why are these statistics important?
They affect the usage of the system
They affect the level of trust that users place in the data in the system
For most organizations, e-mail is “business critical”; data must be secure, available, and trusted
Reflect a need for continually evolving messaging system protection
Protect from inside and outside threats
11 Defining “Reasonably Secure”
Are you doing your “due diligence”?
One attorney I recently heard speak defined “reasonably secure” as doing AT LEAST what everyone else is doing
Taking into consideration assets, risks, and threats and then defining procedures to mitigate each of these.
Being realistic (and thorough) when defining risks
  Data disclosure is realistic
  Denial of service is realistic
  Alien abduction is not as common
12 Striking a balance…
Security should strike a balance between:
Effective security
Usability / functionality
Cost
Complying with the law
13 Risk Management
Put on your “MBA” hat and take off the “IT” hat
Define and document the “process”
Locating / defining assets
Assessing the risks to these assets
Reviewing the threats that may make the risks a reality
Mitigating these risks
For our discussions in this session, we will limit the scope of this to just messaging
14 Process
What process do you use to go through a risk assessment? Who is involved?
Subject matter experts (IT department)
Consultants / outside technical advisors
Legal
Senior management
Encourage “outside the box” thinking
Avoid “group think”
Document everything about the process, the exchange of ideas, the discussions, disagreements, etc…
Senior management must have visibility
Regarding regulatory compliance, corporate officers may often have fiscal or legal responsibility for IT security
“Process” is going to become a way of life for Information Technology
15 What are your assets?
Data / intellectual property
Knowledge workers / productivity
  Lost productivity = $$$
Business reputation
Mail servers and network infrastructure
Bandwidth
  To Internet
  To customers
  To users
Service availability
16 What are the risks to these assets?
Financial loss
Law suits / regulatory liabilities
Accidental / intentional disclosure of intellectual property
Users with idle time or unable to work (lost productivity)
Unable to meet commitments to customers and vendors
Lost sales or opportunities
Damage to reputation / community embarrassment
17 Predicting the “threats”
Accidental disclosure of intellectual property
Intentional disclosure of intellectual property
Denial-of-service (any interruption of messaging services)
Hackers
Sending malware or spam to YOUR customers
Malware / viruses / Trojan horses / spyware / phishing
Misuse of the messaging system (passing around inappropriate content), which may result in company liability
Data theft (via hacking, backup media theft, hard drive theft, impersonating a user)
18 Threats: What are the attack vectors that can be used against you?
Bad physical security / access control
Vulnerable servers exposed to the Internet
Directly exposed mailbox servers (port 25 or 80/443 open directly to the server from the Internet)
Weak DMZ security
Poor message hygiene control
Social engineering
Careless users
Malicious users
Poor backup media handling procedures
Excessive administrative procedures
Single point of failure for inbound and outbound message handling
19 Threats: Entry points for malware
Inbound e-mail
Users surfing the Internet
Users downloading from outside providers (via POP3/IMAP4/free web providers)
Wireless network hacking
VPN connections (home and laptop)
Users bringing computers in from outside (personal laptops)
Connections with business partners
Removable media (USB drives, iPods, CD, DVD, floppy, PDA, cell phones)
20 Mitigation
How do you mitigate all of this? That is what this session is all about
Taking the necessary steps to provide “reasonable security”
Firewalls / appliances / gateways / managed providers
Good server management and configuration practices
Filtering out as much unwanted content as possible before it reaches the mail server
Acceptable use policies and information security policies
Applying appropriate levels of content security
22 Physical security
Law #3 of the 10 Immutable Laws of Security: “If a bad guy has unrestricted physical access to your computer, it's not your computer anymore”
Locked doors / access control system that records entry information
Mandatory sign-in sheets
Cameras
23 Backup media
Tape media can be your Achilles’ heel
Many stories of backup tapes being compromised
Often tapes are stored outside of the data center
Consider data encryption technologies for tape media
Store in a physically secure location
If off-site, transport in locked containers
24 Operating system stability
Very basic, but OS vulnerabilities frequently contribute to access by external hackers. Very common attack vector for hackers as well as worms.
Apply applicable critical updates within 3 – 4 weeks
  Applicable? Does the fix affect your configuration?
  Don’t apply on the day they are released
Apply service packs within 1 to 2 months
  Read the SP “readme” first
Use ‘Microsoft Update’ or WSUS
Check for hardware vendors’ remote administration tools such as BMC tools, Dell RAC cards, etc… These may provide access to the system
Sufficient free disk space on all disk drives
25 Exchange updates
Critical patches within 3 – 4 weeks of release
Service packs within 1 to 2 months of release
Some updates will overwrite custom changes you have made (such as OWA’s LOGON.ASP)
26 A word about scheduled downtime
Don’t sacrifice reliability for availability
If you don’t have downtime built in to your operations, then how can you apply patches and updates?
Plan for a scheduled outage once every 2 weeks
  Schedule these late at night
  These outages should not affect your “nines”
  You don’t have to use them if you don’t need them
27 Users
60 – 70% of all security breaches occur from within. (Source: 2002 Computer Crime and Security Survey – CSI and SF FBI’s Computer Intrusion Squad)
Require an Acceptable Use Policy
  Must have “bite”
  Must be enforceable
  Must be legal
  See
Require an IT Acceptable Use Policy
  For IT, require an IT AUP or Ethics Statement
  “Don’t read other people’s mail”
Clearly define your information security policies
28 Quick Assessments - ExBPA
Exchange Best Practices Analyzer
29 Quick Assessments - MBSA
Microsoft Baseline Security Analyzer
30 Locking down servers
Reduce a server’s attack surface
Disabling unnecessary services
Statically mapping RPC ports
Configure Exchange to accept only certain versions of MAPI clients
Apply policies consistently with GPOs
Open SMTP relays?
Apply IPSec
MAC address filtering on hubs/switches
31 Disabling unnecessary services
Install only the Windows components necessary to run the server
POP3 / IMAP4 / NNTP
MS Exchange Events
MS Exchange MTA Stacks
Browser
Messenger
Alerter
MS Search
TELNET
32 Statically map RPC ports
Does not make security any tighter, but does let you easily identify the RPC traffic on your network.
Exchange Server – KB
Active Directory – KB
Also useful if you have a data center firewall or WAN firewall
33 Restrict MAPI versions
Restrict Exchange so that it will only accept Outlook versions after Outlook 2000 SP3
HKLM\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
Create REG_DWORD Disable MAPI Clients
Put into data field
See KB and InstantDoc #26505
Can help reduce the spread of viruses and worms by allowing only more recent versions
Use with caution!
34 Group Policy Objects
Use GPOs to deploy consistent settings
Define
  Auditing
  Security
  Password / lockout
  Services
35 Sample GPO
This sample can be found at
It WILL probably break something!
Expects W2K or later clients
Test your policies gradually
36 Open SMTP Relay?
No one needs an open SMTP relay
The spammers and worms WILL find you!
Restrict relay to your own networks
Require authentication for clients
Exchange servers in your organization always authenticate
37 IPSec
More than a reasonable measure
Allows IP-layer encryption and packet authentication
Additional CPU overhead
IPSec policies can get complex if you implement them for a subset of workstations
Prevents spoofing and man-in-the-middle attacks
38 MAC address filtering on hubs / switches
This is pretty extreme
Do this if you are concerned about intruders getting physical access to your infrastructure
Requires almost constant management for changes / adds / moves
39 Security at the perimeter
Focus is on “security”, not “message hygiene”
The Internet “path” to your mail servers
Denial of service attacks
Intercept inbound traffic in your DMZ
Restrictions, restrictions, restrictions…
40 The path to your mail servers
Getting directly to mail servers is simple
MX records define your inbound SMTP servers
A or CNAME records point to your OWA, ActiveSync, POP3, or IMAP4 resources
These records may reveal IP addresses that point DIRECTLY to your mailbox servers
Your goal must be to reduce or eliminate this direct exposure
41 Denial-of-service and e-mail
Anything a hacker/intruder can do to prevent your messaging system from providing messaging services or allowing your users to do their jobs.
Spam could be considered a denial-of-service since users spend so much time going through it to find legitimate mail.
A DoS attack may attempt to fill up disk space, overload messaging queues, overwhelm users, exceed bandwidth capacity, etc.
Directory harvesting and tarpits
42 An ugly trend: Virus writers, spammers, and ‘bots / zombies
43 Directory harvesting / dictionary spamming
Directory harvesting tries to find valid SMTP addresses using dictionary or random strings
Dictionary spamming sends to a dictionary full of common names
This can overwhelm a mail server
Recipient filtering rejects mail going to unknown recipients (rather than your NDR mailbox)
A tarpit slows them down
  See KB
Recommended for Internet-facing SMTP virtual servers
Only one address in this list was valid, probably the “index patient”
44 Prevent direct access to mailbox servers
Don’t allow direct access to mail server resources
Inbound SMTP mail through an SMTP relay
  Can be an “appliance”, Windows, or UNIX system
  Can act as part of your messaging hygiene system. More on this later
Inbound OWA / RPC over HTTP / ActiveSync through a reverse proxy
  ISA Server
  IronPort
  Whale Communications
Prevents direct exposure for mailbox servers, front-ends, and bridgeheads
46 Remote Outlook client options
Some remote users are just going to have to have Outlook
Don’t open RPC ports directly to Exchange for remote Outlook clients
Use VPN
Use an RPC application layer filter on the firewall
Use RPC over HTTPS instead
47 Restrictions, restrictions, restrictions
Mailbox
Message size
Recipients per message
Automatic responses
Internet-facing SMTP virtual servers
Distribution list usage
Monitor disk space usage and set alerts
Users are going to hate you for this!
48 Mailbox Limits
A necessary evil
Adjust based on your organization’s needs
Don’t limit users if they have a job to do
Most important limit is the “Prohibit Send and Receive” as that closes down the mailbox and it does not accept any more mail
49 Exchange reports on closed mailboxes
Monitoring for event ID 8528 can help you determine if mailboxes are filling up
50 Message Size / Recipient Limits
Default inbound and outbound message size is 10MB.
  Usually adequate for most organizations
  This is the MAXIMUM for users. It can be overridden to a smaller amount, but not larger
Maximum recipients per message is 5000, but I recommend dropping this. This can be overridden per user.
51 Inbound limits from Internet
Limit inbound messages from the Internet on the SMTP virtual servers that accept mail from the Internet
Will apply to outbound messages only if the SMTP Connector to the Internet uses this SMTP VS as a bridgehead
If this SMTP VS is used for internal message traffic, it may hurt public folder replication
52 Outbound limits to the Internet
Limit outbound message size on the SMTP Connector (if not limited on the SMTP Virtual Server)
53 Automatic Responses
Defaults do not allow automatic responses
  This may have been changed
You can override this by creating additional Internet Message Formats for specific domains
Considered risky due to “social engineering” risks
54 Distribution list security
Prevent abuse of your distribution lists
Limit maximum message size
Limit to authenticated users only (prevents someone on the Internet from using the group’s SMTP address)
Limit who can send to the list internally
55 Monitor disk space and set alerts
Common cause of downtime
Built-in monitoring tools can alert you to possible problems
Additional monitoring tools can automate disk usage and provide trend analysis and usage reports
56 Monitoring usage from a script
Exchange MVP Glen Scales wrote a really nice script to report store usage and trends
57 Restricting maximum store size
Exchange 2003 SP2 allows maximum store size to be set
When a store exceeds that size, it is dismounted
Use with great care! You can still cause your users downtime with this feature.
58 Outlook Web Access security
Implement a reverse proxy
Enable Forms Based Authentication
Session timeouts
Use SSL
Train users to log out and close the browser window
URLScan
59 Put the front-end in the DMZ???
Conventional thinking says put the front-end server in the DMZ. This requires many ports to be opened to the internal network.
60 Reverse proxy for OWA
Place front-end servers on the internal network and use an ISA Server in the DMZ. Much more secure, fewer ports that need to be opened.
61 Reverse proxy for OWA
More information
Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology
Protecting Exchange Servers by Don Jones
Protecting Microsoft Exchange with ISA Server 2004 Firewalls by Tom Shinder
A Reverse Proxy Is A Proxy By Any Other Name by Art Stricek
62 Enable Forms Based Authentication
Enable on the front-end servers
Implements timeouts
  Public = 15 minutes
  Private = 24 hours
  Customizable
Allows a customizable logon page
64 Always use SSL from a trusted authority
Very bad to get users in the habit of ignoring security alerts
Many sources for low-cost, trusted SSL certificates
  GoDaddy –
  InstantSSL –
65 Basic authentication passwords are very easy to intercept
Using a tool such as Network Monitor, capture an OWA authentication string when using Basic authentication.
Take the authentication string bmFtZXJpY2EvYXJhbmQ6JGN1bGxpUnVseg==
Run it through any Base64 decoding program and you get: namerica/arand:$culliRulz
Domain name: namerica; User: arand; password: $culliRulz
Scary, eh? POP3, IMAP4, and NNTP passwords do not even have to be decoded!
66 Should you use URLScan?
Not necessary if using a reverse proxy that performs HTTP application layer inspection
URLScan can cause some messages to be un-openable with OWA
  If the subject line has the .. ./ \ % & characters
See KB for more information
67 Mobile device security
Mobile devices often have sensitive data on them.
Implement Windows Mobile 2005 FP (available from the device vendor)
Use Exchange 2003 SP2 mobile device security features
Remote Wipe feature available
68 User education
Train users to:
  Always use HTTPS
  Always close the browser window when finished with OWA
  Be on the lookout for suspect kiosks or Internet cafes
69 Administrative Security
Practice the principle of “least permission”
Properly delegate roles
Windows versus Exchange permissions
ExMerge permissions
70 Delegating Exchange roles
Mailbox admins (create/delete/modify mail attributes) = Exchange View Only Administrator
Manage stores, move mailboxes, manage connectors, etc… = Exchange Administrator
Modify permissions = Exchange Full Administrator
71 Exchange permissions versus Windows permissions
Delegating Exchange roles does not necessarily give you the Windows permissions necessary
Start / stop services = Power User / Administrator
Logon to console = Administrator
Restart server = Administrator / Power User
Manage SMTP Queues = Administrator
  Cannot be changed
  Possible problem updating addresses
  See
72 ExMerge Permissions
Very handy tool
Requires MORE than Exchange Full Administrator access
Create security group: Exchange Full Mailbox Access
Delegate Exchange View Only Administrator permissions to this group
Modify permissions on the Security property page, assign Receive As
  See KB
Create an ExMerge user and put that user in the Exchange Full Mailbox Access group
Secure access to the ExMerge user account
Ensure that the ExMerge user is a member of neither Domain Admins nor Enterprise Admins
73 Daily Operations
Verify successful backups
Check available disk space
Review event logs
Check antivirus software and updates
Check SMTP queues
The more you know about normal operations, the more quickly you will recognize variances and react to them.
74 Things that make you go hmmm…
When monitoring and reviewing your event logs, look for events that you cannot explain or did not expect.
Look for anything that is outside of the normal boundaries of operation.
Consider also the time of day that some things happen, such as restarts when no one is around or backups running off schedule
75 Security related events…
Is this person supposed to be viewing this mailbox?
This might be perfectly legitimate, but it should raise questions.
76 Security related events…
A mailbox store was mounted.
Was this scheduled / expected?
Thanks to tools like PowerControls or Quest’s Recovery Manager, I just need your EDB/STM file to do evil.
77 Security related events…
Hey! Who is running a backup in the middle of the day??!!
78 Security related events…
Look for unexpected system restarts
This may indicate someone is messing with the hardware
79 Accountability and Auditing
Logging is usually one of those things you don’t know you need until you need it.
Caution: Increasing logging/auditing increases overhead
Event log sizes
Diagnostics logging
Message tracking logs
Protocol logs
Protecting tracking and protocol logs
Auditing configuration changes to Exchange
80 Windows Event Logs
Sizes:
  Application – KB
  Security – 49152KB
  System – 49152KB
  See
Overwrite as needed
Set manually or via GPO
Find some tool to archive these and keep them
81 Windows Auditing
These events are audited to the Windows Security log
More auditing = more overhead
Apply to local security policy or via GPO
82 Diagnostics Logging: Store System
Minimum level of logging is sufficient for informational events
83 Diagnostics logging: Mailbox store
Minimum level of logging is sufficient for informational events
84 Message tracking logs
Helpful in diagnosing problems
You don’t know you need these until you need them
May contain sensitive information, so protect them
Automatically purged
85 HTTP protocol logging
Enabled via IIS Admin
Use W3C log format
Enabled on front-end servers used by OWA
Will include ActiveSync and OMA traffic
These logs do not automatically delete
For a script see
86 SMTP protocol logging
Enabled in ESM on the SMTP virtual server
Use W3C log format
Enable on bridgeheads that accept mail from outside of the organization
Useful for troubleshooting and security purposes
These logs do not automatically delete
For a script see
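The SMTP protocol logs enabled here are where a directory harvest or dictionary run (slide 43) shows up: a burst of RCPT TO commands from one client IP, most of them refused by recipient filtering. The Go program below is an added example, not from the deck or from Exchange; it parses a constructed W3C-format log and flags such sources, and the sample's column layout and the 5-reject / 80% thresholds are assumptions to tune per site.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of an Exchange 2003 SMTP protocol log in W3C extended
// format; only the leading columns are kept. The parser learns the column
// layout from the #Fields header, so a full-width production log parses too.
const sampleLog = `#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2006-03-01 09:15:02 192.0.2.77 - SMTPSVC1 MAILSRV 198.51.100.10 25 EHLO - +mail.partner.example 250
2006-03-01 09:15:02 192.0.2.77 - SMTPSVC1 MAILSRV 198.51.100.10 25 MAIL - +FROM:<ann@partner.example> 250
2006-03-01 09:15:02 192.0.2.77 - SMTPSVC1 MAILSRV 198.51.100.10 25 RCPT - +TO:<jim@example.com> 250
2006-03-01 09:16:10 203.0.113.5 - SMTPSVC1 MAILSRV 198.51.100.10 25 MAIL - +FROM:<a@spam.example> 250
2006-03-01 09:16:10 203.0.113.5 - SMTPSVC1 MAILSRV 198.51.100.10 25 RCPT - +TO:<aaron@example.com> 550
2006-03-01 09:16:11 203.0.113.5 - SMTPSVC1 MAILSRV 198.51.100.10 25 RCPT - +TO:<abby@example.com> 550
2006-03-01 09:16:11 203.0.113.5 - SMTPSVC1 MAILSRV 198.51.100.10 25 RCPT - +TO:<adam@example.com> 550
2006-03-01 09:16:12 203.0.113.5 - SMTPSVC1 MAILSRV 198.51.100.10 25 RCPT - +TO:<alan@example.com> 550
2006-03-01 09:16:12 203.0.113.5 - SMTPSVC1 MAILSRV 198.51.100.10 25 RCPT - +TO:<alex@example.com> 550
2006-03-01 09:16:13 203.0.113.5 - SMTPSVC1 MAILSRV 198.51.100.10 25 RCPT - +TO:<jim@example.com> 250
`

// RcptStats counts RCPT TO commands per connecting IP and how many got a 5xx
// refusal (which is what "Filter Recipients Who Are Not In The Directory" returns).
type RcptStats struct {
	IP                 string
	Attempts, Rejected int
}

// ParseRcptStats tallies RCPT outcomes by client IP.
func ParseRcptStats(log string) (map[string]*RcptStats, error) {
	idx := map[string]int{}
	stats := map[string]*RcptStats{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "#Fields:") {
			idx = map[string]int{}
			for i, name := range strings.Fields(strings.TrimPrefix(line, "#Fields:")) {
				idx[name] = i
			}
			continue
		}
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if len(idx) == 0 {
			return nil, fmt.Errorf("log record before any #Fields header: %q", line)
		}
		f := strings.Fields(line)
		if field(f, idx, "cs-method") != "RCPT" {
			continue
		}
		ip := field(f, idx, "c-ip")
		if stats[ip] == nil {
			stats[ip] = &RcptStats{IP: ip}
		}
		stats[ip].Attempts++
		if strings.HasPrefix(field(f, idx, "sc-status"), "5") {
			stats[ip].Rejected++
		}
	}
	return stats, sc.Err()
}

func field(f []string, idx map[string]int, name string) string {
	if i, ok := idx[name]; ok && i < len(f) {
		return f[i]
	}
	return ""
}

// FindHarvesters flags IPs with at least minRejects refused recipients and a
// refusal ratio of minRatio or more; a real partner MX rarely trips both.
func FindHarvesters(stats map[string]*RcptStats, minRejects int, minRatio float64) []*RcptStats {
	var out []*RcptStats
	for _, s := range stats {
		if s.Rejected >= minRejects && float64(s.Rejected)/float64(s.Attempts) >= minRatio {
			out = append(out, s)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Rejected > out[j].Rejected })
	return out
}

func main() {
	stats, err := ParseRcptStats(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, s := range FindHarvesters(stats, 5, 0.8) {
		fmt.Printf("possible directory harvest from %s: %d of %d RCPT TO refused\n", s.IP, s.Rejected, s.Attempts)
	}
}
```

Run it over a day's log to see which sources the tarpit delay is actually slowing down, and to spot the ones that deserve a connection filter entry.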
87 Auditing changes to Exchange configuration
Most Exchange configuration is stored in the Active Directory
Requires the “Audit Directory Service Access” policy to be enabled
Enable “Write” auditing on the Exchange organization (via ADSIEdit)
Events are logged to the Security logs on domain controllers
88 Resulting events
Event reports the object and attribute that were changed
Not necessarily easy to read unless you know what the attributes are for.
Here I changed the inbound message size
90 What did I do to deserve this?
Message hygiene collectively refers to spam, virus, and phishing detection and filtering
By some estimates, 50 – 80% of all inbound mail is spam!
Some estimates are that users spend 30 – 45 minutes PER DAY sorting through unwanted e-mail
There may be some liability involved in spam or phishing schemes
User sues their employer because they were offended! Or phished!
91 You think you have problems!
One small business
About 20 active mailboxes
90% inbound spam rate
18,000 messages in a 24 hour period of time
Over 50MB worth of disk space to store
Nearly 65MB worth of Internet bandwidth consumed
Out of this, 20 viruses/worms were detected
93 Multi-layer protection
Employ multiple technologies
Intercept inbound mail at different points
Use differing scanning and detection technologies
Keep as much malware as possible AWAY from the mailboxes and users
95 Multi-layer protection to the extreme
One organization took the multiple layers to the extreme
The need for this system evolved over 5 years
Rather than replacing one gateway with a more feature-rich product, they just kept adding more
97 Hygiene system basics
We are seeing a convergence of tools and technologies
Buying a simple SMTP virus scanner is hard; most include anti-spam technologies
Higher-end and specialized systems also include more advanced content inspection
98 Content inspection
Industry often refers to spam and virus detection as “content inspection”
I refer to more specialized systems
Implement “dictionary scanning” to block inbound or outbound messages
Look for messages that may violate the Acceptable Use Policy
  Naughty words, pictures, jokes
Prevent sensitive data from being disclosed
  In the U.S. the HIPAA law “requires” this
Vendors include: Tumbleweed and Clearswift
99 Content inspection vendors
Evaluate a couple of different systems to make sure the product meets your needs.
CipherTrust IronMail
Tumbleweed MailGate
Clearswift MIMEsweeper
Symantec Brightmail
Aladdin eSafe
Barracuda Spam Firewall
Sendmail Sentrion Security Appliance
MailFrontier Enterprise Protection
NetIQ MailMarshal
100 Blocked content
Define a policy that allows you to block unwanted content
  Hostile content
  Multi-media files
  ZIP files
Most antivirus software lets you do this
Very common with most IT organizations
Blocked list should be published to your users
101 Virus Detection
Virus detection / scanning is pretty common knowledge, but very important
Viruses are evolving quickly
  Sometimes 20 – 30 new variants of existing viruses come out daily
“Virus” is often used when describing worms or Trojans. Most “viruses” today are really worms or blended threats
Virus writers are continually looking for new system and user exploits
You should update signatures between 6 and 12 times per day
102 Virus detection methodologies
Generic / signature based detection
Heuristic filters
  Examining content for certain types of expected behavior
Traffic analysis
  Analyzing large volumes of traffic for similarities
Behavioral analysis
  Executing suspected content in a “virtual” environment
103 SMTP scanning systems
Generic, can front-end any mail system
Usually located in the DMZ
Usually combines antivirus and anti-spam functions
104 Antivirus scanning at the Exchange server
Requires Exchange-aware virus software
E2K3 uses AVAPI 2.5
Can scan using AVAPI (when the message hits the information store) or as the message traverses SMTP
Should the server have a file-based scanner?
  If you do this, ensure that it NEVER scans the EDB, STM, CHK, and LOG files. It should also skip the \windows\system32\inetsrv folder and the SMTP queue folders. If running Exchange 2000, also never scan the M:\ drive
See KB : Overview of Exchange Server 2003 and antivirus software
105 Exchange / AVAPI Software
Microsoft Forefront Security for Exchange
  Formerly Sybari Antigen for Exchange
Trend ScanMail for Microsoft Exchange 2003
Symantec Mail Security for Microsoft Exchange
Sophos PureMessage for Microsoft Exchange
F-Secure Anti-Virus for Microsoft Exchange
GFI MailSecurity for Exchange
F-Prot Antivirus for Exchange
Norman Virus Control (NVC) for Exchange
McAfee GroupShield® for Microsoft Exchange
BitDefender for MS Exchange 2003
106 Client-side scanning
With all this protection on the mail servers, do you still need client scanners?
Absolutely. There is more than one attack vector for viruses.
Users may download from HTML web mail or remote POP3 accounts
107 Spam detection / prevention technologies
White listing
  Servers are verified against a list of known, good senders
  Appliance / service provider
Black listing
  Inbound mail is checked against a database of blocked senders or mail servers
  Real-time block lists or real-time black hole lists
Gray listing
  Inbound mail is temporarily rejected; assumes that valid senders will retry while spammers will not.
  Exchange does not implement this
  See
Authenticated sender
  Yahoo! Domain Keys
  Sender ID
These technologies are usually used in conjunction with message inspection
109 Real-time Block Lists
SMTP server that accepts inbound connections checks the IP address against the RBL
Connection can be rejected (in the case of Exchange)
Inbound message can be tagged for further examination by spam detection software
Many of these list providers
This can reduce inbound spam by 40 – 50%
Can reject valid inbound mail
110 RBL providers
Spamhaus www.spamhaus.org
ABUSEAT CBL cbl.abuseat.org
ORDBs
SpamCop
  Pretty aggressive
SORBS
RBL check
  Check to see if a host is on an RBL
111 Configuring an RBL
Configure the DNS suffix
Custom message for rejected messages
112 Sender ID
Industry effort to give SMTP servers the ability to validate the sending SMTP server to see if it is authorized to send mail for the sender of the message
Two parts to the technology
  Your domain needs SPF records for authorized SMTP servers
  Your SMTP servers look up the records for inbound messages and validate that the sending server is authorized to send on behalf of that user
113 Create DNS SPF records
Microsoft provides a web-driven wizard
114 Configure Exchange to use Sender ID
Exchange 2003 SP2 and hot fix
Define internal mail servers
Enable on SMTP virtual servers that accept mail from the Internet
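To make the receiving side of the Sender ID check concrete, here is an added Go example (not from the deck or from Exchange) that evaluates a sending server's IP against the sender domain's SPF record, which is the core of what slide 112's second part does. The domains, addresses and records are constructed, a map stands in for DNS TXT lookups, and only the ip4, ip6, include and all mechanisms are implemented.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed stand-in for DNS TXT lookups (a real checker queries the sending
// domain's TXT records). Domains and addresses are reserved documentation values.
var spfRecords = map[string]string{
	"example.com":        "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 include:_spf.bulk.example -all",
	"_spf.bulk.example":  "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 -all",
	"newsletter.example": "v=spf1 ip4:192.0.2.1 ~all",
}

func lookupSPF(domain string) (string, bool) {
	rec, ok := spfRecords[strings.ToLower(domain)]
	return rec, ok
}

// CheckSPF evaluates the connecting server's IP against domain's SPF record and
// returns pass, fail, softfail, neutral, none or permerror (the SPF result names).
// Mechanisms a, mx, ptr and exists are deliberately left out of this example.
func CheckSPF(domain string, ip net.IP, depth int) string {
	if depth > 10 { // include loops are a permanent error, not endless recursion
		return "permerror"
	}
	rec, ok := lookupSPF(domain)
	if !ok || !strings.HasPrefix(rec, "v=spf1") {
		return "none"
	}
	for _, term := range strings.Fields(rec)[1:] {
		qualifier := "pass" // the default "+" qualifier
		switch term[0] {
		case '+':
			term = term[1:]
		case '-':
			qualifier, term = "fail", term[1:]
		case '~':
			qualifier, term = "softfail", term[1:]
		case '?':
			qualifier, term = "neutral", term[1:]
		}
		parts := strings.SplitN(term, ":", 2)
		mech, arg := strings.ToLower(parts[0]), ""
		if len(parts) == 2 {
			arg = parts[1]
		}
		matched := false
		switch mech {
		case "all":
			matched = true
		case "ip4", "ip6":
			want4 := mech == "ip4"
			if (ip.To4() != nil) != want4 {
				break // an ip4 mechanism never matches an IPv6 client and vice versa
			}
			if !strings.Contains(arg, "/") { // a bare address is a /32 or /128
				arg += map[bool]string{true: "/32", false: "/128"}[want4]
			}
			_, network, err := net.ParseCIDR(arg)
			if err != nil {
				return "permerror"
			}
			matched = network.Contains(ip)
		case "include":
			switch CheckSPF(arg, ip, depth+1) {
			case "pass":
				matched = true
			case "none", "permerror":
				return "permerror" // an included domain without a usable record
			}
		default:
			return "permerror" // unknown mechanism
		}
		if matched {
			return qualifier
		}
	}
	return "neutral" // nothing matched and the record has no "all" term
}

func main() {
	for _, c := range []struct{ domain, ip string }{
		{"example.com", "198.51.100.10"}, {"example.com", "203.0.113.9"},
		{"example.com", "192.0.2.55"}, {"newsletter.example", "10.0.0.1"},
		{"nospf.example", "198.51.100.10"},
	} {
		fmt.Printf("%-20s %-16s %s\n", c.domain, c.ip, CheckSPF(c.domain, net.ParseIP(c.ip), 0))
	}
}
```

The "none" result is what slide 115 is counting: 79% of connections came from domains with no SPF record at all, which is why Sender ID is a scoring input for the IMF rather than a hard reject on its own.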
115 Sender ID analysis on one SMTP server
79% of the inbound connections had no DNS SPF records
116 Using the Intelligent Message Filter
Pretty darned good for a free tool
Only needs to be enabled on SMTP VSs that are exposed to the Internet
Reject / Archive / Delete / No Action
117 IMF customization
Automatic filter updates
  See KB
  Released bi-weekly
Implementing “custom weighting”
  Define words that NEVER mean spam or ALWAYS mean spam
  See Henrik Walther’s article at
Viewing the IMF Archive
118 Effectiveness of RBLs and Recipient Filtering
Remember the organization with so much spam?
Here is what 2 RBLs and Recipient Filtering did for them
In 5 days, inbound SMTP connections:
  53% rejected by RBLs
  35% rejected by “Filter Recipients Who Are Not In The Directory”
119 Leaving the IMF with the rest
The balance of the messages were handled by the IMF
50% of messages ranked SCL of “6” or above
121 Using managed providers
Organization directs MX records to the managed provider’s servers
Managed provider…
  Has better scalability and redundancy
  Immediate response to day-zero threats
  Keeps malware and unwanted content from reaching your perimeter
  Reduces hardware and software required by the organization as well as reducing complexity and IT resources required
Allows the organization to only accept inbound SMTP from the provider
  Unwanted content never makes it to the network in the first place
  Reduces the threat of spam and virus/worm ‘bots
Providers such as FrontBridge can provide regulatory compliance features such as archiving and content inspection
123 Content protection
PKI and encryption basics
S/MIME
Enterprise Rights Management
S/MIME and ERM are complementary technologies
124 Symmetric encryption
Symmetric (a.k.a. “secret”) key encryption
The same key that encrypts also decrypts
The “secret” key is easily compromised
Algorithm examples include DES, 3DES, CAST, AES, RC2, Blowfish, IDEA
[Diagram: Original Data → Cipher Text → Original Data]
125 Asymmetric encryption
Public and private key pair
Uses two VERY large prime numbers (2^1024 and higher)
Computationally difficult to calculate the relationship between the two numbers
Encrypting large amounts of data is very processor and time intensive
[Diagram: Original Data → (recipient’s public key) → Cipher Text → (recipient’s private key) → Original Data]
126 Encryption based entirely on public / private keys is impractical
Too much CPU usage when using such large keys
Diffie-Hellman proposed combining the strengths of the two systems
Most modern encryption systems use some type of “secret key” exchange, including S/MIME, SSL, IPSec, EFS, ERM, etc…
127 Combining symmetric and asymmetric encryption to protect data
1) Recipient’s certificate (and public key) is retrieved
2) A random “secret” key is generated
3) Data is encrypted with the “secret” key
4) The “secret” key is encrypted with the recipient’s public key and placed in a “lockbox”
5) Encrypted data and lockbox are sent to the recipient
6) Recipient uses their private key to open the lockbox and get the “secret key”
7) Recipient uses the “secret key” to decrypt the data
128 Digital signatures are similar
1) A hash (SHA-1 or MD5) is calculated over the binary data
2) The hash is encrypted using the sender’s private key
3) The data, the encrypted hash, and the sender’s certificate are sent to the recipient
4) Recipient decrypts the encrypted hash value using the sender’s public key
5) Recipient performs their own hash of the binary data
6) Recipient compares the sender’s hash with the one they calculated
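The seven lockbox steps of slide 127 and the six signature steps of slide 128, carried through in Go as an added example that is not from the deck or from any S/MIME product: RSA-OAEP seals the random AES key, AES-GCM encrypts the data, and the signature hashes with SHA-256 instead of the SHA-1/MD5 the slide lists, since both of those are retired for signature use. Key pairs are generated in place (the certificate and trust steps are left out) and the message text is constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is slide 127's "encrypted data and lockbox" as sent in step 5.
type Envelope struct {
	Lockbox    []byte // the secret key, RSA-OAEP encrypted with the recipient's public key
	Nonce      []byte // AES-GCM nonce, sent in the clear
	Ciphertext []byte // data encrypted with the secret key, GCM tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is steps 2-5: random secret key, encrypt data with it, lock the key to the recipient.
func Seal(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32) // AES-256 "secret" key
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	lockbox, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{lockbox, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open is steps 6-7: the private key opens the lockbox, the secret key decrypts the data.
func Open(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.Lockbox, nil)
	if err != nil {
		return nil, fmt.Errorf("lockbox cannot be opened with this private key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // fails if the data was altered
}

// Sign is slide 128 steps 1-2: hash the data, then sign the hash with the sender's private key.
func Sign(senderPriv *rsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, h[:])
}

// Verify is steps 4-6: recover the signed hash with the public key, rehash the data, compare.
func Verify(senderPub *rsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, h[:], sig) == nil
}

// NewKey makes a 2048-bit RSA key pair; in S/MIME the public half would be in a certificate.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	sender, recipient := NewKey(), NewKey()
	msg := []byte("Q3 forecast attached; do not forward outside the company.")
	sig, err := Sign(sender, msg) // sender signs with its private key...
	if err != nil {
		panic(err)
	}
	env, err := Seal(&recipient.PublicKey, msg) // ...and seals to the recipient's public key
	if err != nil {
		panic(err)
	}
	plain, err := Open(recipient, env) // recipient opens the lockbox, then checks the signature
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted: %s\nsignature valid: %v\n", plain, Verify(&sender.PublicKey, plain, sig))
	plain[0] ^= 1 // any change to the data invalidates the signature
	fmt.Println("valid after tampering:", Verify(&sender.PublicKey, plain, sig))
}
```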
129 S/MIME
Mature technology
Non-repudiation
Verifiable message integrity
Verifiable message origin
Encrypted / protected
Protects content “at rest” and in transit
Can be difficult to deploy for large organizations
Certificate needs to be trusted
Free S/MIME certs from
More information:
130 Enterprise Rights Management
Assists in information security policy enforcement
Content rights may include forwarding, review, modification, copying, or printing
Content can be audited, expired or superseded
Application and operating system must support rights management
Any type of binary content can be protected including e-mail, documents, spreadsheets, web pages, etc…
More information
131 RMS Key Flow Detail: Client “Bootstrapping” (single-server configuration)
Diagram: RMS Server (single-server configuration) and Client Computer(s)
1. Install RMS-enabled application(s)
2. Install RMS Client software
3. User uses RMS for the first time
  RMS client activates the machine
  - Calls RMActivate.exe to generate the machine key pair and signs the Machine Certificate (containing the machine public key)
  - Protects the user-specific machine private key with DPAPI
4. User authenticates
  Authentication credentials
  Certification: check user SID against AD, generate User Key Pair
  Rights Account Certificate (RAC), signed with the RMS Server public key: User Private Key (encrypted with the machine public key), User Public Key
  User can publish online or consume
5. Request Client Licensor Certificate (RAC)
  Validate RAC, generate “Client” Key Pair
  Client Licensor Certificate (CLC), signed with the RMS Server public key: CLC Private Key (encrypted with the RAC public key), CLC Public Key and a copy of the SLC
  User can publish offline
Talking points:
Click 1: Installing RMS-enabled applications. Applications like Microsoft Office 2003 Professional and Internet Explorer have become “RMS enabled” by using the RMS client and server infrastructure to create rights protection functionality.
Click 2: RMS Client installation. For the client machine to be trusted, it first must have the RMS client installed.
Click 3: TRUSTED MACHINE: Machine Activation. Then, the client will go through a process called machine activation. During this process a machine key pair and machine certificate, including the machine public key, are generated. These credentials are generated individually for each RMS user on a machine and protected using DPAPI. This process happens automatically the first time a user uses RMS, is transparent to the user and does not require the user to have administrative permissions.
Click 4: Trusted User: User enrollment/certification. Once the machine is trusted, the user becomes trusted by obtaining a Rights Management Account Certificate (RAC). Once the user authenticates via Windows authentication and their corresponding SID is checked in Active Directory, RMS generates a public/private key pair which it stores in the SQL configuration database and then uses to create the RAC. The private key of the user’s RAC is encrypted with the public key of the machine certificate, so that the only way the user can participate in the trusted RMS environment is via the RMS client on a trusted machine. The process of obtaining a RAC is transparent to the authenticated user.
Click 5: Offline publishing license. The second certificate obtained in this initial, behind-the-scenes provisioning is the Client Licensor Certificate. The private key for this certificate is encrypted with the public key of the RAC. This certificate is used to enable the user to ‘publish’ RMS-protected information while not connected to an RMS server, such as on an airplane.
132 RMS Key Flow Detail: Offline Publishing & Consumption
Publishing License: 2 encrypted AES keys, rights information, URL of RMS server; travels with the encrypted content (assuming the recipient has the RMS Client and a RAC)

“Publisher” / Sender (application and RMS client):
Saves content (e.g. Word doc)
Generate AES key and encrypt content
Encrypt AES key with the public key of the client’s CLC (for “owner” license)
Encrypt another copy of the AES key with the RMS server’s public key (so the server can decrypt it later for the recipient; the server public key is contained in the client CLC)
Create “Publishing License” (PL), sign with CLC private key and append to encrypted content

“Consumer” / Recipient (application and RMS client):
Recipient user opens content
Inspect PL for RMS service URL
Send “Use License Request” (PL + RAC) to the licensing server specified by the URL
RMS Client uses RAC private key (unavailable to the user) to decrypt the content key
Application renders the file and enforces the rights

RMS Server:
Validates recipient RAC
Inspects PL for rights
Validates user in AD
Decrypts content key and re-encrypts it with the recipient RAC’s public key
Returns encrypted content key in use license
133 Example: Rights-Protected Document (Word, Excel, or PowerPoint 2003 Pro)
NOTE: Outlook EULs are stored in the local user profile directory
Publishing License (created when the file is protected): Rights Info with addresses, encrypted with the server’s public key; Content Key (big random number), encrypted with the server’s public key
End User Licenses (only added to the file after the server licenses a user to open it): Content Key, encrypted with the user’s public key; Rights for a particular user, encrypted with the user’s public key
The Content of the File (text, pictures, metadata, etc.): encrypted with the Content Key, a cryptographically secure 128-bit AES symmetric encryption key

This is a schematic of how Office 2003 packages rights-protected information, policy, keys and licensing information into one protected package.
Office 2003 rights-protected files that enable HTML clients to view will also have an HTML (.rmh) copy of the file contents in this compound document.
Other rights-enabled applications could store the publishing and use licenses with the content in this manner, or alternatively in a license store.
Use licenses (EULs) are generally stored in Office documents or in the user profile directory.
Outlook (e-mail or attachment) EULs are stored in the user profile directory: %userprofile%\Local Settings\Application Data\Microsoft\DRM\
Word, Excel, and PowerPoint EULs are stored, by default, in the files/documents themselves.
If the file is marked as read-only (in file properties), the EUL will be stored in the profile directory.
If file permissions specify read rights only for the user/group, the EUL will be discarded and the user will have to obtain a new one each time they open the file.
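The three roles from slides 132 and 133, modelled in Go with standard-library crypto as an added example (not code from this presentation or from Microsoft's RMS): the publisher wraps the content key for its own CLC and for the server, the server checks the rights and re-wraps the key for the recipient's RAC, and the recipient unwraps and decrypts. The license layout, the "user:right" rights-string format and all names are assumptions; RSA-OAEP and AES-GCM stand in for RMS's actual primitives.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"strings"
)
// PublishingLicense is a constructed model of slide 132's PL: the content key RSA-OAEP-wrapped to
// the owner's CLC and to the RMS server, the rights string, and the AES-GCM content (rights as AAD).
type PublishingLicense struct {
	KeyForOwner, KeyForServer, Nonce, Ciphertext []byte
	Rights                                       string // constructed form: "bob@example.com:read"
}
// Publish (sender): fresh 128-bit content key, content encrypted, key wrapped twice, PL built.
func Publish(content []byte, rights string, clc, server *rsa.PublicKey) (*PublishingLicense, error) {
	key, nonce := make([]byte, 16), make([]byte, 12)
	rand.Read(key) // crypto/rand only fails if the OS CSPRNG is unavailable
	rand.Read(nonce)
	block, _ := aes.NewCipher(key) // 16-byte key, so no error path
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nil, nonce, content, []byte(rights))
	owner, err1 := rsa.EncryptOAEP(sha256.New(), rand.Reader, clc, key, nil)
	srv, err2 := rsa.EncryptOAEP(sha256.New(), rand.Reader, server, key, nil)
	return &PublishingLicense{owner, srv, nonce, ct, rights}, errors.Join(err1, err2)
}
// IssueUseLicense (RMS server): the recipient must be named in the PL rights; unwrap the content
// key with the server private key and re-wrap it to the recipient's RAC public key (use license).
func IssueUseLicense(pl *PublishingLicense, server *rsa.PrivateKey, recipient string, rac *rsa.PublicKey) ([]byte, error) {
	if !strings.Contains(";"+pl.Rights, ";"+recipient+":") { // delimiters defeat substring matches
		return nil, errors.New("recipient not granted rights in publishing license")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, server, pl.KeyForServer, nil)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, rac, key, nil)
}
// Consume (recipient RMS client): unwrap the use license with the RAC private key, then decrypt;
// a tampered ciphertext or rights string fails the GCM tag check and nothing is rendered.
func Consume(pl *PublishingLicense, useLicense []byte, rac *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, rac, useLicense, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, pl.Nonce, pl.Ciphertext, []byte(pl.Rights))
}
```

The owner path works the same way with the CLC private key and KeyForOwner, which is what lets the publisher reopen the document without contacting the server.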
134 Application support for ERM
Application must support the ERM system
Office 2003 Professional applications are supported
135 S/MIME versus ERM
S/MIME provides only authenticity and protection; no control over the disposition of the contents
Applies only to e-mail and message content
Content owner loses control once the message is sent
Does not prevent a user from forwarding content once it is in their possession
136 The Problem with Traditional Access Control Technologies
Traditional solutions control initial access (Access Control List / File Encryption), but not ongoing information usage
Diagram: clear-text content; authorized users (Yes); unauthorized users inside and outside the firewall perimeter (No); information leakage

We sometimes describe RMS by contrasting it against some existing access control technologies, such as ACLs or file encryption.
This schematic shows a network resource on the left, protected by an access control list and/or encrypted using simple encryption, and a group of people inside the network who are allowed to access that resource, as well as groups who are not.
<click> …but what happens when those authorized users actually take possession of the information to which they are allowed access? At this point, the information is generally on their computer, and in clear text.
<click> …this means they are free to propagate the information, either intentionally or accidentally, to unauthorized individuals either inside or outside the organization. This is information leakage, and this is exactly the problem RMS addresses that traditional access control solutions do not.
So another way we can frame the problem is that traditional access control solutions control initial access, but not ongoing usage of information.
RMS addresses not only access, but also ongoing usage of information, by providing persistent protection that travels with the information no matter where it goes.
137 Best practices
Block outbound SMTP except from authorized hosts; be a good ‘net citizen
Never web surf from a server console
Don’t install client software on servers
Operators and administrators should not have mailboxes
Separate admin rights from your regular user account
Grant administrative permissions to groups, not individual users
138 Best practices
Block inbound SMTP if using a managed provider; only accept mail from the provider
Protect protocol and message tracking logs; some sensitive information may be disseminated from those logs
Review your event logs
Keep PLENTY of free disk space available: at least enough to mount one database in an RSG
139 Checklists
Assessing the situation
Exchange servers
Message hygiene
Outside the perimeter
140 Assessment
Assessments should be a “hands off the config” process. Don’t make configuration changes, but document what you find and the path to fix them.
Determine what is documented: document servers, roles, network infrastructure, and dependencies
Get an accurate count of active mailboxes; if inactive, then why?
Disable inactive accounts, then delete!
141 Inactive accounts
Windows 2003 in 2003 forest functional mode will replicate the “last logon” attribute
Write a script
Use “Additional Account Info” from ALTools
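One form the script from the slide above can take, as an added example that is not from the presentation: it reads an ldifde-style export of user objects and flags accounts whose replicated lastLogonTimestamp (the attribute replicated at the Windows 2003 forest functional level, stored as a Windows FILETIME) is older than a cut-off. The LDIF sample, the account names and the 90-day window are constructed.

```go
package main
import (
	"bufio"
	"strconv"
	"strings"
	"time"
)
const filetimeUnixOffset = 116444736000000000 // FILETIME 100ns ticks from 1601-01-01 to 1970-01-01
// Constructed ldifde-style export of three users (sample data, not a real directory dump).
const sampleLDIF = `dn: CN=alice,OU=Staff,DC=example,DC=com
sAMAccountName: alice
lastLogonTimestamp: 132827904000000000

dn: CN=bob,OU=Staff,DC=example,DC=com
sAMAccountName: bob

dn: CN=carol,OU=Staff,DC=example,DC=com
sAMAccountName: carol
lastLogonTimestamp: 132905664000000000
`
// FiletimeToTime converts a FILETIME value (100ns ticks since 1601-01-01 UTC) to a UTC time.
func FiletimeToTime(ft int64) time.Time {
	return time.Unix(0, (ft-filetimeUnixOffset)*100).UTC()
}
// InactiveAccounts lists sAMAccountNames whose replicated last logon is older than maxAge as of
// now, plus accounts with no lastLogonTimestamp at all (never logged on). Caveat: a DC rewrites the
// attribute only once the stored value is about 14 days old, so it answers "idle for months".
func InactiveAccounts(ldif string, now time.Time, maxAge time.Duration) []string {
	var inactive []string
	attrs := map[string]string{}
	flush := func() { // one directory object per blank-line-separated record
		if name, ok := attrs["samaccountname"]; ok {
			ts, err := strconv.ParseInt(attrs["lastlogontimestamp"], 10, 64)
			if err != nil || ts == 0 || now.Sub(FiletimeToTime(ts)) > maxAge {
				inactive = append(inactive, name)
			}
		}
		attrs = map[string]string{}
	}
	sc := bufio.NewScanner(strings.NewReader(ldif))
	for sc.Scan() {
		if line := sc.Text(); line == "" {
			flush()
		} else if k, v, ok := strings.Cut(line, ": "); ok {
			attrs[strings.ToLower(k)] = v
		}
	}
	flush()
	return inactive
}
```

Run against a real export, feed the returned names into the disable-then-delete step from slide 140 rather than deleting directly.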
142 Assessments: Environment
Interview:
Backup schedule / procedures / rotation / media storage
Client software and versions in use
Client antivirus / anti-spyware procedures
Remote access procedures
Administrators that are approved to manage Exchange
Disaster recovery / business continuance plan
What is the perception of the “spam problem?”
143 Assessment: Starting point
Run ExBPA against the entire organization
Run ExchDump
Run MBSA against each server: Exchange servers and domain controllers
144 Assessment: Servers
Free disk space: should be enough to mount an RSG
Disk configuration / fault tolerance
Memory / page file usage / available RAM
DNS configuration
Event log sizes / archival procedures
BOOT.INI check (using /3GB and /USERVA=3030 if applicable)
Additional services running? Dedicated Exchange server role?
How often do you update servers with fixes and patches?
Check for the vendor’s hardware management software and versions
How many users/groups are members of the local Administrators and Power Users groups?
Is the local Guest account disabled?
Examine local policies for weaknesses
Are messaging system limits being imposed?
145 Assessment: Exchange
Review Exchange Full Administrator and Exchange Administrator role delegation
Domain controllers / Global Catalog servers in use
Are limits being imposed? Message sizes, mailbox sizes, distribution list usage
Are PSTs in use? Primary delivery mechanism? Archival mechanism?
Mailbox store sizes
Largest mailbox users
Confirm backups and online maintenance are running
Exchange database and transaction log placement on disks
Is circular logging enabled? If so, get an explanation as to why.
Are automatic responses allowed?
146 Assessment: Logs
Review Application logs
Review System logs
Review HTTP and SMTP protocol logs
147 Assessment: Message hygiene
How recent is the A/V software?
How often are signatures updated?
Is there a file-based scanner on the server and, if so, does it exclude Exchange files?
Does the inbound SMTP system use RBLs? Recipient filtering?
148 Assessment: Outside the perimeter
Examine your DNS records
Are there invalid A and MX records?
Do you have SPF records? Are they correct?
Do the IP addresses used for outbound SMTP have PTR records?
Do Internet clients have direct access to Exchange servers?
TELNET to the “A” records provided for SMTP
What ports are open through your firewall to your internal network?
Perform port scans against the “A” records for SMTP and for OWA
Get permission to run a port scan!
Are there any protocols that are not requiring SSL? POP3, IMAP4, OWA, ActiveSync, OMA
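For the “Do you have SPF records? Are they correct?” item above, an added example (not from the presentation) of the checks worth scripting against each published record: version tag, known terms, a terminal all that is not +all, the discouraged ptr mechanism, and the RFC 7208 limit of ten DNS-querying terms, beyond which receivers return permerror and your SPF is silently useless. It is a constructed syntax checker, not a full SPF evaluator, and does no DNS lookups, so it runs on records pasted from your zone file.

```go
package main

import "strings"

// CheckSPF runs the sanity checks an assessment wants on one published SPF TXT record:
// version tag, known terms, a terminal "all" that is not "+all" (or a redirect=), and the
// RFC 7208 limit of 10 DNS-querying terms. Constructed checker, not a full SPF evaluator.
func CheckSPF(record string) []string {
	var problems []string
	terms := strings.Fields(record)
	if len(terms) == 0 || strings.ToLower(terms[0]) != "v=spf1" {
		return []string{"record does not start with v=spf1"}
	}
	lookups, sawAll, sawRedirect := 0, false, false
	for _, term := range terms[1:] {
		qual, body := "+", term // default qualifier is "+" (pass)
		if strings.ContainsRune("+-~?", rune(term[0])) {
			qual, body = term[:1], term[1:]
		}
		name := strings.ToLower(body)
		if i := strings.IndexAny(name, ":/="); i >= 0 {
			name = name[:i] // strip the argument: "ip4:192.0.2.0/24" -> "ip4"
		}
		switch name {
		case "a", "mx", "include", "exists", "ptr", "redirect":
			lookups++ // each of these costs a DNS query when a receiver evaluates the record
			sawRedirect = sawRedirect || name == "redirect"
			if name == "ptr" {
				problems = append(problems, "ptr mechanism is slow and discouraged: "+term)
			}
		case "ip4", "ip6", "exp":
		case "all":
			sawAll = true
			if qual == "+" {
				problems = append(problems, "+all lets any host send as this domain")
			}
		default:
			problems = append(problems, "unknown term: "+term)
		}
	}
	if !sawAll && !sawRedirect {
		problems = append(problems, "no terminal all: unlisted senders get a neutral result")
	}
	if lookups > 10 {
		problems = append(problems, "more than 10 DNS-querying terms: evaluators return permerror")
	}
	return problems
}
```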
149 Securing the DMZ
What is in the DMZ? Front-end servers? SMTP servers? Proxy servers?
Reduce the number of ports open between the DMZ and the internal network (ideally only 25 and 443)
153 More information…
Tips and Tricks for Secure Messaging eBook by Jim McBee
My blog (Mostly Exchange)
Paul Robichaux’s Exchange Security blog
Paul Robichaux’s Secure Messaging with Microsoft Exchange Server 2003 book (Microsoft Press, 2004)
Exchange 2003 Support Home Page
Slipstick Systems