
1 Book Drawing Make sure you leave me a business card or a piece of paper with your name on it for the drawing at the end of the session.

2 Security for Exchange: Assessment, Auditing, and Hardening
Jim McBee ITCS Hawaii

3 Who is Jim McBee!!?? Consultant, Writer, MCSE, MVP and MCT – Honolulu, Hawaii (Aloha!) Principal clients USPACOM J2 USARPAC G6 Author – Exchange Seven (Sybex) Contributor – Exchange and Outlook Administrator Blog Directory Update

4 This session’s coverage
Introduction to me and the topic Presentation and demos – About 5 hours Break in the morning and afternoon Lunch Book give away – Drop off your business card or write your name on a slip of paper Topics from today’s session come from a small commercial consulting practice I run reviewing messaging security Questions and answers I’ll try to take questions as they come up as long as this does not slow us down too much.

5 Free eBook Tips and Tricks Guide To Secure Messaging eBook
Good follow-up to this presentation

6 Audience Assumptions You have at least a few months experience running Exchange 5.5, 2000, or 2003. You have worked with Active Directory You can install and configure a Windows 2000 / 2003 server

7 Presentations coverage
Risks and threats Reducing exposure Message hygiene Operations and accountability Message content security Best practices and checklists

8 Introduction to messaging security
Some statistics for your boss Getting “reasonably secure” Defining the right balance Believing in evolution

9 Just the stats, ma’am Viruses, worms, and Trojan horses are increasingly complex and “blended” Malware includes viruses, worms, Trojan horses, phishing, and spyware scams 53% of users in the U.S. say they trust e-mail less now because of spam, viruses, phishing Between 50 and 80% of all traffic is now spam Malware estimated costs for 2004 between $169B and $204B CipherTrust reported 172,000 new “zombies” each day in May 2005 323% rise in intellectual property theft/loss. 74% of these security breaches were from the inside. Of the external threats, the most common attack vectors are weak passwords, known vulnerabilities, and social engineering More?

10 Why are these statistics important?
They affect the usage of the system They affect the level of trust that users place in the data in the system For most organizations, e-mail is “business critical”; data must be secure, available, and trusted Reflect a need for continually evolving messaging system protection Protect from inside and outside threats

11 Defining “Reasonably Secure”
Are you doing your “due diligence”? One attorney I recently heard speak defined “reasonably secure” as doing AT LEAST what everyone else is doing Taking into consideration assets, risks, and threats and then defining procedures to mitigate each of these. Being realistic (and thorough) when defining risks Data disclosure is realistic Denial of service is realistic Alien abduction is not as common

12 Striking a balance… Security should strike a balance between:
Effective security Usability / functionality Cost Complying with the law

13 Risk Management Put on your “MBA” hat and take off the “IT” hat
Define and document the “process” Locating / defining assets Assessing the risks to these assets Reviewing the threats that may make the risks a reality Mitigating these risks For our discussions in this session, we will limit the scope of this to just messaging

14 Process What process do you use to go through a risk assessment?
Who is involved? Subject matter experts (IT department) Consultants / outside technical advisors Legal Senior management Encourage “outside the box thinking” Avoid “group think” Document everything about the process, the exchange of ideas, the discussions, disagreements, etc… Senior management must have visibility Regarding regulatory compliance, corporate officers may often have fiscal or legal responsibility for IT security “Process” is going to become a way of life for Information Technology

15 What are your assets? Data / intellectual property
Knowledge workers / productivity Lost productivity = $$$ Business reputation Mail servers and network infrastructure Bandwidth To Internet To customers To users Service availability

16 What are the risks to these assets?
Financial loss Law suits / regulatory liabilities Accidental / intentional disclosure of intellectual property Users with idle time or unable to work (lost productivity) Unable to meet commitments to customers and vendors Lost sales or opportunities Damage to reputation / community embarrassment

17 Predicting the “threats”
Accidental disclosure of intellectual property Intentional disclosure of intellectual property Denial-of-service (any interruption of messaging services) Hackers Sending malware or spam to YOUR customers Malware / Virus / Trojan Horses / Spyware / Phishing Misuse of the messaging system (passing around inappropriate content) which may result in company liability Data theft (via hacking, backup media theft, hard drive theft, impersonating a user)

18 Threats: What are the attack vectors that can be used against you?
Bad physical security / access control Vulnerable servers exposed to the Internet Directly exposed mailbox servers (port 25 or 80/443) open directly to server from the Internet. Weak DMZ security Poor message hygiene control Social engineering Careless users Malicious users Poor backup media handling procedures Excessive administrative procedures Single point of failure for inbound and outbound message handling

19 Threats: Entry points for malware
Inbound Users surfing the Internet Users downloading from outside provider (via POP3/IMAP4/free web providers) Wireless network hacking VPN connections (home and laptop) Users bringing computers in from outside (personal laptops) Connections with business partners Removable media (USB drives, iPods, CD, DVD, floppy, PDA, cell phones)

20 Mitigation How do you mitigate all of this?
That is what this session is all about Taking the necessary steps to provide “reasonable security” Firewalls / appliances / gateways / managed providers Good server management and configuration practices Filtering out as much unwanted content before it reaches the mail server Acceptable use policies and information security policies Applying appropriate levels of content security

21 Vulnerabilities Improving physical security Backup media
Operating system Exchange updates Users Quick assessments

22 Physical security Law # 3 of the 10 Immutable Laws of Security
“If a bad guy has unrestricted physical access to your computer, it's not your computer anymore” Locked doors / access control system that records entry information Mandatory sign-in sheets Cameras

23 Backup media Tape media can be your Achilles heel
Many stories of backup tapes being compromised Often tapes are stored outside of the data center Consider data encryption technologies for tape media Store in physically secure location If off-site, transport in locked containers

24 Operating system stability
Very basic, but OS vulnerabilities frequently contribute to access by external hackers. Very common attack vector for hackers as well as worms. Apply applicable critical updates within 3 – 4 weeks Applicable? Does the fix affect your configuration? Don’t apply on the day they are released Apply service packs within 1 to 2 months Read the SP “readme” first Use ‘Microsoft Update’ or WSUS Check for hardware vendor’s remote administration tools such as BMC tools, Dell RAC cards, etc… These may provide access to system Sufficient free disk space on all disk drives

25 Exchange updates Critical patches within 3 – 4 weeks of release
Service packs within 1 to 2 months of release Some updates will overwrite custom changes you have made (such as OWA’s LOGON.ASP)

26 A word about scheduled downtime
Don’t sacrifice reliability for availability If you don’t have downtime built-in to your operations, then how can you apply patches and updates? Plan for a scheduled outage once every 2 weeks Schedule these late at night These outages should not affect your “nines” You don’t have to use them if you don’t need them

27 Users 60 – 70% of all security breaches occur from within.
(Source: 2002 Computer Crime and Security Survey – CSI and SF FBI’s Computer Intrusion Squad) Require an Acceptable Use Policy Must have “bite” Must be enforceable Must be legal See Require an IT Acceptable Use Policy For IT, require an IT AUP or Ethics Statement “Don’t read other people’s mail” Clearly define your information security policies

28 Quick Assessments - ExBPA
Exchange Best Practices Analyzer

29 Quick Assessments - MSBA
Microsoft Baseline Security Analyzer

30 Locking down servers Reduce a server’s attack surface
Disabling unnecessary services Statically mapping RPC ports Configure Exchange to accept only certain versions of MAPI clients Apply policies consistently with GPOs Open SMTP relays? Apply IPSec MAC address filtering on hubs/switches

31 Disabling unnecessary services
Install only Windows components necessary to run the server POP3 / IMAP4/NNTP MS Exchange Events MS Exchange MTA Stacks Browser Messenger Alerter MS Search TELNET

32 Statically map RPC ports
Does not make security any tighter, but does let you easily identify the RPC traffic on your network. Exchange Server – KB Active Directory – KB Also useful if you have a data center firewall or WAN-firewall

33 Restrict MAPI versions
Restrict Exchange so that it will only accept Outlook versions after Outlook 2000 SP3 HKLM\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem Create REG_DWORD Disable MAPI Clients Put into the data field See KB and InstantDoc #26505 Can help reduce the spread of viruses and worms by allowing only more recent versions Use with caution!

34 Group Policy Objects Use GPOs to deploy consistent settings Define
Auditing Security Password / lockout Services

35 Sample GPO This sample can be found at
It WILL probably break something! Expects W2K or later clients Test your policies gradually

36 Open SMTP Relay? No one needs an open SMTP relay
The spammers and worms WILL find you! Restrict relay to your own networks Require authentication for clients Exchange servers in your organization always authenticate

37 IPSec More than a reasonable measure
Allows IP-layer encryption and packet authentication Additional CPU overhead IPSec policies can get complex if you implement to a subset of workstations Prevents spoofing and man-in-the-middle attacks

38 MAC address filtering on hubs / switches
This is pretty extreme Do this if you are concerned about intruders getting physical access to your infrastructure Requires almost constant management for changes / adds / moves

39 Security at the perimeter
Focus is on “security” not “message hygiene” The Internet “path” to your mail servers Denial of service attacks Intercept inbound traffic in your DMZ Restrictions, restrictions, restrictions…

40 The path to your mail servers
Getting directly to mail servers is simple MX records define your inbound SMTP servers A or CNAME records point to your OWA, ActiveSync, POP3, or IMAP4 resources These records may reveal IP addresses that point DIRECTLY to your mailbox servers Your goal must be to reduce or eliminate this direct exposure

41 Denial-of-service and e-mail
Anything a hacker/intruder can do to prevent your messaging system from providing messaging services or allowing your users to do their jobs. Spam could be considered a denial-of-service since users spend so much time going through it to find legitimate mail. A DoS attack may attempt to fill up disk space, overload messaging queues, overwhelm users, exceed bandwidth capacity, etc. Directory harvesting and tarpits

42 An ugly trend: Virus writers, spammers, and ‘bots / zombies

43 Directory harvesting / dictionary spamming
Directory harvesting tries to find valid SMTP addresses using dictionary or random strings Dictionary spamming sends to a dictionary full of common names This can overwhelm a mail server Recipient filtering rejects mail going to unknown recipients (rather than your NDR mailbox) A tarpit slows them down See KB Recommended for Internet-facing SMTP virtual servers Only one address in this list was valid, probably the “index patient”

44 Prevent direct access to mailbox servers
Don’t allow direct access to mail server resources Inbound SMTP mail through an SMTP relay Can be an “appliance”, Windows, or UNIX system Can act as part of your messaging hygiene system. More on this later Inbound OWA / RPC over HTTP / ActiveSync through a reverse proxy ISA Server IronPort Whale Communications Prevents direct exposure for mailbox servers, front-ends, and bridgeheads

45 Use SMTP Relays and ISA Server proxies

46 Remote Outlook client options
Some remote users are just going to have to have Outlook Don’t open RPC ports directly to Exchange for remote Outlook clients Use VPN Use RPC application layer filter on firewall Use RPC over HTTPS instead

47 Restrictions, restrictions, restrictions
Mailbox Message size Recipients per message Automatic responses Internet facing SMTP virtual servers Distribution list usage Monitor disk space usage and set alerts Users are going to hate you for this! 

48 Mailbox Limits A necessary evil
Adjust based on your organization’s needs Don’t limit users if they have a job to do The most important limit is “Prohibit Send and Receive”, as that closes down the mailbox and it does not accept any more mail

49 Exchange reports on closed mailboxes
Monitoring for event ID 8528 can help you determine if mailboxes are filling up

50 Message Size / Recipient Limits
The default inbound and outbound message size is 10 MB. Usually adequate for most organizations This is the MAXIMUM for users. It can be overridden to a smaller amount, but not larger Maximum recipients per message is 5000, but I recommend dropping this. This can be overridden per user.

51 Inbound limits from Internet
Limit inbound messages from the Internet on the SMTP virtual servers that accept mail from the Internet Will apply to outbound messages only if the SMTP Connector to the Internet uses this SMTP VS as a bridgehead If this SMTP VS is used for internal message traffic, it may hurt public folder replication

52 Outbound limits to the Internet
Limit outbound message size on the SMTP Connector (if not limited on the SMTP Virtual Server)

53 Automatic Responses Defaults do not allow automatic responses
This may have been changed You can override this by creating additional Internet Message Formats for specific domains Considered risky due to “social engineering” risks

54 Distribution list security
Prevent abuse of your distribution lists Limit maximum message size Limit to authenticated users only (prevents someone on Internet from using the group’s SMTP address) Limit who can send to the list internally

55 Monitor disk space and set alerts
Common cause of downtime Built-in monitoring tools can alert you to possible problems Additional monitoring tools can automate disk usage and provide trend analysis and usage reports

56 Monitoring usage from a script
Exchange MVP Glen Scales wrote a really nice script to report store usage and trends

57 Restricting maximum store size
Exchange 2003 SP2 allows maximum store size to be set When a store exceeds that size, it is dismounted Use with great care! You can still cause your users downtime with this feature.

58 Outlook Web Access security
Implement a reverse proxy Enable Forms Based Authentication Session timeouts Use SSL Train users to logout and close browser window URLScan

59 Put the front-end in the DMZ???
Conventional thinking says put front-end server in the DMZ. This requires many ports to be opened to internal network.

60 Reverse proxy for OWA Place front-end servers on the internal network and use an ISA Server in the DMZ. Much more secure, fewer ports that need to be opened.

61 Reverse proxy for OWA More information
Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology Protecting Exchange Servers by Don Jones Protecting Microsoft Exchange with ISA Server 2004 Firewalls by Tom Shinder A Reverse Proxy Is A Proxy By Any Other Name by Art Stricek

62 Enable Forms Based Authentication
Enable on the front-end servers Implements timeouts Public = 15 minutes Private = 24 hours Customizable Allows customizable logon page

63 Forms Based Authentication

64 Always use SSL from a trusted authority
Very bad to get users in the habit of ignoring security alerts Many sources for low-cost, trusted SSL certificates GoDaddy – InstantSSL –

65 Basic authentication passwords are very easy to intercept
Using a tool such as Network Monitor, capture an OWA authentication string when using Basic authentication. Take the authentication string bmFtZXJpY2EvYXJhbmQ6JGN1bGxpUnVseg== Run it through any Base64 decoding program and you get: namerica/arand:$culliRulz Domain name: namerica; User: arand; password: $culliRulz Scary, eh? POP3, IMAP4, and NNTP passwords do not even have to be decoded!

66 Should you use URLScan? Not necessary if using a reverse proxy that performs HTTP application layer inspection URLScan can cause some messages to be unopenable with OWA If the subject line has the .. ./ \ % & characters See KB for more information

67 Mobile device security
Mobile devices often have sensitive data on them. Implement Windows Mobile 2005 FP (available from the device vendor) Use Exchange 2003 SP2 mobile device security features Remote Wipe feature available

68 User education Train users to Always use HTTPS
Always close the browser window when finished with OWA Be on the lookout for suspect kiosks or Internet cafes

69 Administrative Security
Practice principle of “least permission” Properly delegate roles Windows versus Exchange permissions ExMerge permissions

70 Delegating Exchange roles
Mailbox admins (create/delete/modify mail attributes) = Exchange View Only Administrator Manage stores, move mailboxes, manage connectors, etc… = Exchange Administrator Modify permissions = Exchange Full Administrator

71 Exchange permissions versus Windows permissions
Delegating Exchange roles does not necessarily give you the Windows permissions necessary Start / stop services = Power User / Administrator Logon to console = Administrator Restart server = Administrator / Power user Manage SMTP Queues = Administrator Cannot be changed Possible problem updating addresses See

72 ExMerge Permissions Very handy tool
Requires MORE than Exchange Full Administrator access Create security group: Exchange Full Mailbox Access Delegate Exchange View Only Administrator permissions to this group Modify permissions on Security property page, assign Receive As See KB Create an ExMerge user and put that user in the Exchange Full Mailbox Access group Secure access to the ExMerge user account Ensure that the ExMerge user is a member of neither Domain Admins nor Enterprise Admins

73 Daily Operations Verify successful backups Check available disk space
Review event logs Check antivirus software and updates Check SMTP queues The more you know about normal operations, the more quickly you will recognize variances and react to them.

74 Things that make you go hmmm…
When monitoring and reviewing your event logs, look for events that you cannot explain or did not expect. Look for anything that is outside of the normal boundaries of operation. Consider also the time of day that some things happen, such as restarts when no one is around or backups running off schedule

75 Security related events…
Is this person supposed to be viewing this mailbox? This might be perfectly legitimate, but it should raise questions.

76 Security related events…
A mailbox store was mounted. Was this scheduled / expected? Thanks to tools like PowerControls or Quest’s Recovery Manager, I just need your EDB/STM file to do evil.

77 Security related events…
Hey! Who is running a backup in the middle of the day??!!

78 Security related events…
Look for unexpected system restarts This may indicate someone is messing with the hardware

79 Accountability and Auditing
Logging is usually one of those things you don’t know you need until you need it. Caution: Increasing logging/auditing increases overhead Event Log Sizes Diagnostics Logging Message tracking logs Protocol logs Protecting tracking and protocol logs Auditing configuration changes to Exchange

80 Windows Event Logs Sizes
Application – KB Security – 49152KB System – 49152KB See Overwrite as needed Set manually or via GPO Find some tool to archive these and keep them

81 Windows Auditing These events are audited to the Windows Security log
More auditing = more overhead Apply to local security policy or via GPO

82 Diagnostics Logging: Store System
Minimum level of logging is sufficient for informational events

83 Diagnostics logging: Mailbox store
Minimum level of logging is sufficient for informational events

84 Message tracking logs Helpful in diagnosing problems
You don’t know you need these until you need them May contain sensitive information, so protect them Automatically purged

85 HTTP protocol logging Enabled via IIS Admin
Use W3C log format Enabled on front-end servers used by OWA Will include ActiveSync and OMA traffic These logs do not automatically delete For a script see

86 SMTP protocol logging Enabled in ESM on SMTP virtual server
Use W3C log format Enable on bridgeheads that accept mail from outside of the organization Useful for troubleshooting and security purposes These logs do not automatically delete For a script see
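
The following is an added example (not from the presentation) that ties slide 43's directory-harvesting problem to the SMTP protocol logs of slide 86: it reads a W3C-format log and flags client IPs whose RCPT commands are overwhelmingly refused with 550 by recipient filtering. The log sample and the field layout are constructed; a real log's own `#Fields:` line drives the parser.

```python
"""Spot directory-harvest probing in an Exchange 2003 SMTP protocol log.

Added example, not from the presentation. Assumptions: the IIS SMTP service
wrote the log in W3C extended format and its own '#Fields:' line gives the
column order (the sample below is constructed); 'cs-method' holds the SMTP
verb and 'sc-status' the SMTP reply code, so a RCPT refused by recipient
filtering appears as method RCPT with status 550.
"""
from collections import defaultdict
from typing import Dict, List

FIELDS = ("date time c-ip cs-username s-sitename s-computername s-ip s-port "
          "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status "
          "sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) "
          "cs(Cookie) cs(Referer)")


def _line(ip: str, user: str, verb: str, arg: str, status: int) -> str:
    """Build one constructed log record in the FIELDS order above."""
    return (f"2006-03-14 09:03:10 {ip} {user} SMTPSVC1 EXBH01 192.0.2.10 25 "
            f"{verb} - {arg} {status} 0 60 30 0 SMTP - - - -")


# Constructed sample: a partner MTA delivering one message, a sender who
# mistyped one address, and a host walking a dictionary of first names
# (one of which happens to exist, like the "index patient" on slide 43).
_PROBED = ["aaron", "adam", "alan", "albert", "alex", "alice", "amy",
           "andrew", "angela", "anna", "anthony", "arand"]
SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft Internet Information Services 6.0",
     "#Version: 1.0",
     "#Fields: " + FIELDS,
     _line("10.0.0.5", "partner.example.net", "MAIL",
           "+FROM:<carol@partner.example.net>", 250),
     _line("10.0.0.5", "partner.example.net", "RCPT", "+TO:<bob@example.com>", 250),
     _line("10.0.0.5", "partner.example.net", "DATA", "-", 250),
     _line("203.0.113.9", "mx.other.example", "RCPT", "+TO:<bobb@example.com>", 550)]
    + [_line("198.51.100.77", "-", "RCPT", f"+TO:<{n}@example.com>",
             250 if n == "arand" else 550) for n in _PROBED]
)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the '#Fields:' names."""
    names: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                names = line[len("#Fields:"):].split()
            continue  # other directives carry no records
        values = line.split(" ")
        if not names or len(values) != len(names):
            continue  # truncated or foreign line; skip rather than misalign columns
        records.append(dict(zip(names, values)))
    return records


def find_harvesters(records, min_rcpt: int = 10, min_reject_ratio: float = 0.8):
    """Return {client IP: stats} for hosts whose RCPT commands are mostly rejected.

    Only meaningful with recipient filtering enabled: without it Exchange
    answers every RCPT with 250 and NDRs later, so the probing never shows here.
    """
    stats = defaultdict(lambda: {"rcpt": 0, "rejected": 0})
    for rec in records:
        if rec["cs-method"].upper() != "RCPT":
            continue
        entry = stats[rec["c-ip"]]
        entry["rcpt"] += 1
        if rec["sc-status"].startswith("5"):
            entry["rejected"] += 1
    return {ip: dict(s) for ip, s in stats.items()
            if s["rcpt"] >= min_rcpt and s["rejected"] / s["rcpt"] >= min_reject_ratio}


if __name__ == "__main__":
    for ip, s in find_harvesters(parse_w3c(SAMPLE_LOG)).items():
        print(f"{ip}: {s['rejected']}/{s['rcpt']} RCPT commands rejected")
```

Thresholds are deliberately conservative; one or two 550s from a host are normal typos, a dozen in a row from one IP are not.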

87 Auditing changes to Exchange configuration
Most Exchange configuration is stored in the Active Directory Requires “Audit Directory Service Access” policy enabled Enable “Write” auditing on Exchange organization (via ADSIEdit) Events are logged to Security logs on domain controllers

88 Resulting events Event reports object and attribute that is changed
Not necessarily easy to read unless you know what the attributes are for. Here I changed the inbound message size

89 Message hygiene Multi-layer protection Hygiene basics
Content inspection Blocked content Virus detection Spam detection Managed providers

90 What did I do to deserve this?
Message hygiene collectively refers to spam, virus, and phishing detection and filtering By some estimates, 50 – 80% of all inbound mail is spam! Some estimates are that users spend 30 – 45 minutes PER DAY sorting through unwanted e-mail There may be some liability involved in spam or phishing schemes User sues their employer because they were offended! Or phished!

91 You think you have problems!
One small business About 20 active mailboxes 90% inbound spam rate 18,000 messages in a 24 hour period of time Over 50MB worth of disk space to store Nearly 65MB worth of Internet bandwidth consumed Out of this, 20 viruses/worms were detected

92 You think you have problems!

93 Multi-layer protection
Employ multiple technologies Intercept inbound mail at different points Use differing scanning and detection technologies Keep as much Malware as possible AWAY from the mailboxes and users

94 Multi-layer protection

95 Multi-layer protection to the extreme
One organization took the multiple layers to the extreme The need for this system evolved over 5 years Rather than replacing one gateway with a more feature-rich product, they just kept adding more

96 Multi-layer protection to the extreme

97 Hygiene system basics We are seeing a convergence of tools and technologies Buying a simple SMTP virus scanner is hard; most include anti-spam technologies Higher-end and specialized systems also include more advanced content inspection

98 Content inspection Industry often refers to spam and virus detection as “content inspection” I refer to more specialized systems Implement “dictionary scanning” to block inbound or outbound messages Look for messages that may violate Acceptable Use Policy Naughty words, pictures, jokes Prevent sensitive data from being disclosed In the U.S. the HIPAA law “requires” this Vendors include: Tumbleweed and Clearswift

99 Content inspection vendors
Evaluate a couple of different systems to make sure the product meets your needs. CipherTrust IronMail Tumbleweed MailGate Clearswift MIMEsweeper Symantec Brightmail Aladdin eSafe Barracuda Spam Firewall Sendmail Sentrion Security Appliance Mail Frontier Enterprise Protection NetIQ MailMarshal

100 Blocked content Define a policy that allows you to block unwanted content Hostile content Multi-media files ZIP files Most antivirus software lets you do this Very common with most IT organizations Blocked list should be published to your users

101 Virus Detection Virus detection / scanning is pretty common knowledge, but very important Viruses are evolving quickly Sometimes 20 – 30 new variants of existing viruses come out daily “Virus” is often used when describing worms or Trojans. Most “viruses” today are really worms or blended threats Virus writers are continually looking for new system and user exploits You should update signatures between 6 and 12 times per day

102 Virus detection Methodologies Generic / signature based detection
Heuristic filters Examining content for certain types of expected behavior Traffic analysis Analyzing large volumes of traffic for similarities Behavioral analysis Executing suspected content in a “virtual” environment

103 SMTP scanning systems Generic, can front-end any mail system
Usually located in the DMZ Usually combines antivirus and anti-spam functions

104 Antivirus scanning at the Exchange server
Requires Exchange-aware virus software E2K3 uses AVAPI 2.5 Can scan using AVAPI (when message hits the information store) or as message traverses SMTP Should server have a file-based scanner? If you do this, ensure that it NEVER scans the EDB, STM, CHK, and LOG files. Also should skip the \windows\system32\inetsrv folder and the SMTP queues folders. If running Exchange 2000, also never scan the M:\ drive See KB : Overview of Exchange Server 2003 and antivirus software

105 Exchange / AVAPI Software
Microsoft Forefront Security for Exchange Formerly Sybari Antigen for Exchange Trend ScanMail for Microsoft Exchange 2003 Symantec Mail Security for Microsoft Exchange Sophos PureMessage for Microsoft Exchange F-Secure Anti-Virus for Microsoft Exchange GFI MailSecurity for Exchange F-Prot Antivirus for Exchange Norman Virus Control (NVC) for Exchange McAfee GroupShield® for Microsoft Exchange BitDefender for MS Exchange 2003

106 Client-side scanning With all this protection on the mail servers, do you still need client-scanners? Absolutely. More than one attack vector for viruses. Users may download from HTML web mail or remote POP3 accounts

107 Spam detection / prevention
Technologies White listing Servers are verified against a list of known, good senders Appliance / service provider Black listing Inbound mail is checked against a database of blocked senders or mail servers Real-time block lists or real-time black hole lists Gray listing Inbound mail is temporarily rejected on the assumption that valid senders will retry while spammers will not. Exchange does not implement this See Authenticated sender Yahoo! Domain Keys Sender ID These technologies are usually used in conjunction with message inspection

108 White listing Sendio appliance Xwall SpamAssassin
Spam Arrest (service provider)

109 Real-time Block Lists SMTP server that accepts inbound connections checks the IP address against the RBL Connection can be rejected (in the case of Exchange) Inbound message can be tagged for further examination by spam detection software Many of these list providers This can reduce inbound spam by 40 – 50% Can reject valid inbound mail

110 RBL providers Spamhaus ABUSEAT CBL
ORDBs SpamCop Pretty aggressive SORBS RBL check Check to see if a host is on an RBL

111 Configuring an RBL Configure the DNS suffix
Custom message for rejected messages

112 Sender ID Industry effort to give SMTP servers the ability to validate the sending SMTP server to see if it is authorized to send mail for the sender of the message Two parts to the technology Your domain needs SPF records for authorized SMTP servers Your SMTP servers look up the SPF records for inbound messages and validate that the sending server is authorized to send on behalf of that user
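
As an added example (not part of the presentation), the receiving-side half of slide 112 in code: evaluate the connecting server's IP against a domain's SPF record. DNS is replaced by a constructed dictionary of records, and mechanisms that require live lookups are reported rather than guessed; which address Sender ID chooses to check (the PRA) is outside this example.

```python
"""Check a sending server's IP against a domain's SPF record, offline.

Added example, not from the presentation. Given the SPF TXT record for a
domain and the IP that connected to your SMTP virtual server, return the SPF
result. DNS is replaced by the constructed SPF_RECORDS dict; mechanisms that
need live lookups (a, mx, ptr, exists) are reported as permerror here.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups, keyed by domain name.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 "
                   "include:_spf.hosted.example -all",
    "_spf.hosted.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "old.example": "v=spf1 redirect=example.com",
    "nospf.example": None,   # publishes no record, like 79% of senders on slide 115
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISM_LIMIT = 10   # RFC 4408 cap on include/redirect/a/mx/ptr/exists per check


def check_spf(domain, sender_ip, records=None, _budget=None):
    """Return pass, fail, softfail, neutral, none or permerror for sender_ip."""
    records = SPF_RECORDS if records is None else records
    budget = [DNS_MECHANISM_LIMIT] if _budget is None else _budget
    record = records.get(domain.lower())
    if not record or not record.lower().startswith("v=spf1"):
        return "none"                              # nothing published: no verdict
    ip = ipaddress.ip_address(sender_ip)
    redirect = None
    for term in record.split()[1:]:
        if "=" in term.partition(":")[0]:          # modifier such as redirect=
            name, _, arg = term.partition("=")
            if name.lower() == "redirect":
                redirect = arg
            continue                               # exp= and unknown modifiers are ignored
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]           # terminal default, e.g. -all
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"                 # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"                 # too many lookups (or a loop)
            inner = check_spf(arg, sender_ip, records, budget)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside an include just means "no match here"
        elif name in ("a", "mx", "ptr", "exists"):
            return "permerror"                     # needs live DNS; not evaluable offline here
        else:
            return "permerror"                     # unknown mechanism
    if redirect:
        budget[0] -= 1
        if budget[0] < 0:
            return "permerror"
        result = check_spf(redirect, sender_ip, records, budget)
        return "permerror" if result == "none" else result
    return "neutral"                               # no "all" term and nothing matched


if __name__ == "__main__":
    for ip in ("192.0.2.55", "203.0.113.7", "203.0.113.200", "10.1.1.1"):
        print(ip, "->", check_spf("example.com", ip))
```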

113 Create DNS SPF records Microsoft provides web-driven wizard

114 Configure Exchange to use Sender ID
Exchange 2003 SP2 and hot fix Define internal mail servers Enable on SMTP virtual servers that accept mail from the Internet

115 Sender ID analysis on one SMTP server
79% of the inbound connections had no DNS SPF records

116 Using the Intelligent Message Filter
Pretty darned good for a free tool Only needs to be enabled on SMTP VS that are exposed to the Internet Reject / Archive / Delete / No Action

117 IMF customization Automatic filter updates
See KB Released bi-weekly Implementing “custom weighting” Define words that NEVER mean spam or ALWAYS mean spam See Henrik Walther’s article at Viewing the IMF Archive

118 Effectiveness of RBLs and Recipient Filtering
Remember the organization with so much spam? Here is what 2 RBLs and Recipient Filtering did for them In 5 days, inbound SMTP connections 53% rejected by RBLs 35% rejected by “Filter Recipients Who Are Not In The Directory”

119 Leaving the IMF with the rest
The balance of the messages were handled by the IMF 50% of messages ranked SCL of “6” or above

120 Managed providers

121 Using managed providers
Organization directs MX records to managed provider’s servers Managed provider… Has better scalability and redundancy Immediate response to day zero threats Keeps malware and unwanted content from reaching your perimeter Reduces hardware and software required by the organization as well as reducing complexity and IT resources required Allows organization to only accept inbound SMTP from the provider Unwanted content never makes it to the network in the first place Reduces the threat of spam and virus/worm ‘bots Providers such as FrontBridge can provide regulatory compliance features such as archiving and content inspection

122 Managed providers
Exchange Hosted Services (formerly Microsoft FrontBridge) MessageLabs Postini OWN ExchangeDefender Blue Ridge InternetWorks Anti-Spam Solutions CyberTrust Managed Firewall Service Symantec Managed Virus Protection Service

123 Content protection PKI and encryption basics S/MIME
Enterprise Rights Management S/MIME and ERM are complementary technologies

124 Symmetric encryption Symmetric (a.k.a “secret”) key encryption
The same key that encrypts also decrypts The “secret” key is easily compromised Algorithm examples include DES, 3DES, CAST, AES, RC2, Blowfish, IDEA (Diagram: Original Data → Cipher Text → Original Data)

125 Asymmetric encryption
Public and private key pair Uses two VERY large prime numbers (2^1024 and higher) Computationally difficult to calculate the relationship between the two numbers Encrypting large amounts of data is very processor and time intensive (Diagram: Original Data → Cipher Text using the recipient’s public key → Original Data using the recipient’s private key)

126 Encryption based entirely on public / private keys is impractical
Too much CPU usage when using such large keys Diffie-Hellman proposed combining the strengths of the two systems Most modern encryption systems use some type of “secret key” exchange including S/MIME, SSL, IPSec, EFS, ERM, etc…

127 Combining symmetric and asymmetric encryption to protect data
1) Recipient’s certificate (and public key) is retrieved
2) A random “secret” key is generated
3) Data is encrypted with the “secret” key
4) The “secret” key is encrypted with the recipient’s public key and placed in a “lockbox”
5) Encrypted data and lockbox are sent to the recipient
6) Recipient uses their private key to open the lockbox and get the “secret key”
7) Recipient uses the “secret key” to decrypt the data

128 Digital signatures are similar
1) A hash (SHA-1 or MD5) is calculated over the binary data 2) The hash is encrypted using the sender’s private key 3) The data, the encrypted hash, and the sender’s certificate are sent to the recipient 4) Recipient decrypts the encrypted hash value using the sender’s public key 5) Recipient calculates their own hash of the binary data 6) Recipient compares the sender’s hash with the one they calculated

129 S/MIME Mature technology
Non-repudiation Verifiable message integrity Verifiable message origin Encrypted / protected Protects content “at rest” and in transit Can be difficult to deploy for large organizations Certificate needs to be trusted Free S/MIME certs from More information:

130 Enterprise Rights Management
Assists in information security policy enforcement Content rights may include forwarding, review, modification, copying, or printing Content can be audited, expired or superseded Application and operating system must support rights management Any type of binary content can be protected including , documents, spreadsheets, web pages, etc… More information

131 RMS Key Flow Detail: Client “Bootstrapping” (single-server configuration)
Diagram (RMS Server and Client Computer(s)): 1. Install RMS-enabled application(s) 2. Install RMS client software 3. User uses RMS for the first time: the RMS client activates the machine, calls RMActivate.exe to generate a machine key pair and signs the Machine Certificate (containing the machine public key), and protects the user-specific machine private key with DPAPI 4. User authenticates: authentication credentials go to the server; certification checks the user SID against AD and generates a user key pair; the server returns the Rights Account Certificate (RAC), signed with the RMS server public key, containing the user private key (encrypted with the machine public key) and the user public key; the user can now publish online or consume 5. The client presents the RAC and requests a Client Licensor Certificate; the server validates the RAC, generates a “client” key pair and returns the Client Licensor Certificate (CLC), signed with the RMS server public key, containing the CLC private key (encrypted with the RAC public key) and the CLC public key plus a copy of the SLC; the user can now publish offline
Talking points:
Click 1: Installing RMS-enabled applications. Applications like Microsoft Office 2003 Professional and Internet Explorer have become “RMS enabled” by using the RMS client and server infrastructure to create rights protection functionality.
Click 2: RMS client installation. For the client machine to be trusted, it first must have the RMS client installed.
Click 3: Trusted machine: machine activation. Then the client goes through a process called machine activation. During this process a machine key pair and machine certificate, including the machine public key, are generated. These credentials are generated individually for each RMS user on a machine and protected using DPAPI. This process happens automatically the first time a user uses RMS, is transparent to the user and does not require the user to have administrative permissions.
Click 4: Trusted user: user enrollment/certification. Once the machine is trusted, the user becomes trusted by obtaining a Rights Management Account Certificate (RAC). Once the user authenticates via Windows authentication and their corresponding SID is checked in Active Directory, RMS generates a public/private key pair, stores it in the SQL configuration database and uses it to create the RAC. The private key of the user’s RAC is encrypted with the public key of the machine certificate, so that the only way the user can participate in the trusted RMS environment is via the RMS client on a trusted machine. The process of obtaining a RAC is transparent to the authenticated user.
Click 5: Offline publishing license. The second certificate obtained in this initial, behind-the-scenes provisioning is the Client Licensor Certificate. The private key for this certificate is encrypted with the public key of the RAC. This certificate enables the user to “publish” RMS-protected information while not connected to an RMS server, such as on an airplane.

132 RMS Key Flow Detail: Offline Publishing & Consumption
(Assuming the recipient has the RMS client and a RAC.) “Publisher” / Sender, application and RMS client: saves content (e.g. a Word doc); generates an AES key and encrypts the content; encrypts the AES key with the public key of the client’s CLC (for the “owner” license); encrypts another copy of the AES key with the RMS server’s public key (so the server can decrypt it later for the recipient; the server public key is contained in the client CLC); creates a “Publishing License” (PL), signs it with the CLC private key and appends it to the encrypted content. What travels with the file: the encrypted content plus the Publishing License (2 encrypted AES keys, rights information, URL of the RMS server).
“Consumer” / Recipient, application and RMS client: the recipient user opens the content; the client inspects the PL for the RMS service URL and sends a “Use License Request” (PL + RAC) to the licensing server specified by that URL. RMS Server: validates the recipient’s RAC; inspects the PL for rights; validates the user in AD; decrypts the content key and re-encrypts it with the recipient RAC’s public key; returns the encrypted content key in a use license. The RMS client uses the RAC private key (unavailable to the user) to decrypt the content key, and the application renders the file and enforces the rights.

133 Example: Rights-Protected Document (Word, Excel, or PowerPoint 2003 Pro)
Diagram of the protected package: the Publishing License (created when the file is protected), holding the rights info with addresses and the Content Key (a big random number), both encrypted with the server’s public key; the End User Licenses (only added to the file after the server licenses a user to open it), holding the Content Key and the rights for a particular user, encrypted with the user’s public key; and the content of the file (text, pictures, metadata, etc.), encrypted with the Content Key, a cryptographically secure 128-bit AES symmetric encryption key. NOTE: Outlook EULs are stored in the local user profile directory.
This is a schematic of how Office 2003 packages rights-protected information, policy, keys and licensing information into one protected package. Office 2003 rights-protected files that allow HTML clients to view them will also have an HTML (.rmh) copy of the file contents in this compound document. Other rights-enabled applications could store the publishing and use licenses with the content in this manner, or alternatively in a license store.
Use licenses (EULs) are generally stored in Office documents or in the user profile directory. Outlook ( or attachment) EULs are stored in the user profile directory: %userprofile%\Local Settings\Application Data\Microsoft\DRM\ Word, Excel, and PowerPoint EULs are stored, by default, in the files/documents themselves. If the file is marked as read-only (in file properties), the EUL will be stored in the profile directory. If file permissions specify read rights only for the user/group, the EUL will be discarded and the user will have to obtain a new one each time they open the file.

134 Application support for ERM
Application must support the ERM system Office 2003 Professional applications are supported

135 S/MIME versus ERM S/MIME provides only authenticity and protection
No control for the disposition of the contents Applies only to and message content Content owner loses control once message is sent Does not prevent user from forwarding content once it is in their possession

136 The Problem with Traditional Access Control Technologies
Diagram: traditional solutions (Access Control List / File Encryption) control initial access; authorized users get the clear-text content (“Yes”), unauthorized users inside and outside the firewall perimeter do not (“No”)… but not ongoing information usage: information leakage from authorized users to unauthorized users.
We sometimes describe RMS by contrasting it against some existing access control technologies, such as ACLs or file encryption. This schematic shows a network resource on the left, protected by an access control list and/or encrypted using simple encryption, and a group of people inside the network who are allowed to access that resource, as well as groups who are not. <click> …but what happens when those authorized users actually take possession of the information to which they are allowed access? At this point, the information is generally on their computer, and in clear text. <click> …this means they are free to propagate the information, either intentionally or accidentally, to unauthorized individuals either inside or outside the organization. This is information leakage, and this is exactly the problem RMS addresses that traditional access control solutions do not. So another way we can frame the problem is that traditional access control solutions control initial access, but not ongoing usage of information. RMS addresses not only access but also ongoing usage of information, by providing persistent protection that travels with the information no matter where it goes.

137 Best practices Block outbound SMTP except from authorized hosts
Be a good ‘net citizen Never web surf from a server console Don’t install client software on server Operators and administrators should not have mailboxes Separate admin rights from your regular user account Grant administrative permissions to groups, not individual users

138 Best practices Block inbound SMTP if using a managed provider
Only accept mail from the provider Protect protocol and message tracking logs Some sensitive information may be disseminated from those logs Review your event logs Keep PLENTY of free disk space available: at least enough to mount one database in an RSG (Recovery Storage Group)

139 Checklists
Assessing the situation Exchange Servers Message hygiene Outside the perimeter

140 Assessment Assessments should be a “hands off the config” process. Don’t make configuration changes, but document what you find and the path to fix them. Determine what is documented: Document servers, roles, network infrastructure, and dependencies Get an accurate count of active mailboxes If inactive, then why? Disable inactive accounts, then delete them!

141 Inactive accounts Windows 2003 at 2003 forest functional level will replicate the “last logon” attribute Write a script, or use “Additional Account Info” from ALTools

142 Assessments: Environment
Interview: Backup schedule / procedures / rotation / media storage Client software and versions in use Client antivirus / anti-spyware procedures Remote access procedures Administrators who are approved to manage Exchange Disaster recovery / business continuance plan What is the perception of the “spam problem?”

143 Assessment: Starting point
Run ExBPA against the entire organization Run ExchDump Run MBSA against each server Exchange servers Domain controllers

144 Assessment: Servers
Free disk space: should be enough to mount an RSG Disk configuration / fault tolerance Memory / page file usage / available RAM DNS configuration Event log sizes / archival procedures BOOT.INI check (using /3GB and /USERVA=3030 if applicable) Additional services running? Dedicated Exchange server role? How often do you update servers with fixes and patches? Check for the vendor’s hardware management software and versions How many users/groups are members of the local Administrators and Power Users groups? Is the local Guest account disabled? Examine local policies for weaknesses Are messaging system limits being imposed?

145 Assessment: Exchange Review Exchange Full Administrator and Exchange Administrator role delegation Domain controllers / Global catalog servers in use Are limits being imposed? Message sizes Mailbox sizes Distribution list usage Are PSTs in use? Primary delivery mechanism? Archival mechanism? Mailbox store sizes Largest mailbox users Confirm backups and online maintenance are running Exchange database and transaction log placement on disks Is circular logging enabled? If so, get an explanation as to why. Are automatic responses allowed?

146 Assessment: Logs
Review Application logs Review System logs Review HTTP and SMTP protocol logs

147 Assessment: Message hygiene
How recent is the A/V software? How often are signatures updated? Is there a file-based scanner on the server and, if so, does it exclude Exchange files? Does the inbound SMTP system use RBLs? Recipient filtering?

148 Assessment: Outside the perimeter
Examine your DNS records Are there invalid A and MX records? Do you have SPF records? Are they correct? Do the IP addresses used for outbound SMTP have PTR records? Do Internet clients have direct access to Exchange servers? TELNET to the “A” records published for SMTP What ports are open through your firewall to your internal network? Perform port scans against the “A” records for SMTP and for OWA Get permission to run a port scan! Are there any protocols that do not require SSL? POP3, IMAP4, OWA, ActiveSync, OMA
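For the “Do you have SPF records? Are they correct?” item, an added offline sanity check that is my example, not the presentation’s: paste in the TXT record text you pulled with nslookup or dig and it reports the mistakes that most often turn up in an assessment. It checks syntax only and does not resolve include/redirect targets; the records in the test are constructed samples.

```python
import re

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 allows at most
# 10 per evaluation. "ip4", "ip6", "all" and "exp" do not count.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(record: str) -> list:
    """Return a list of findings for one SPF TXT record (empty list means
    nothing obviously wrong). Syntax-level only; includes are not fetched."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1 (not an SPF record)"]
    lookups, all_seen, redirected = 0, False, False
    for term in terms[1:]:
        has_qualifier = term[0] in "+-~?"
        qualifier = term[0] if has_qualifier else "+"   # default is "pass"
        body = term[1:] if has_qualifier else term
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if all_seen:
            findings.append(f"term '{term}' comes after 'all' and is ignored")
            continue
        if name == "all":
            all_seen = True
            if qualifier == "+":
                findings.append("'+all' lets any host on the Internet send as this domain")
            elif qualifier == "?":
                findings.append("'?all' is neutral, so receivers gain nothing from the record")
        elif name in LOOKUP_TERMS:
            lookups += 1
            redirected |= name == "redirect"
            if name == "ptr":
                findings.append("'ptr' mechanism is slow and deprecated by RFC 7208")
        elif name not in {"ip4", "ip6", "exp"}:
            findings.append(f"unknown term '{term}'")
    if not all_seen and not redirected:
        findings.append("no 'all' term: hosts not listed get a neutral result")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    return findings
```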

149 Securing the DMZ What is in the DMZ?
Front-end servers? SMTP servers? Proxy servers? Reduce the number of ports open between DMZ and internal network (ideally only 25 and 443)

150 Whew! I’m exhausted!

151 Drawing for book giveaway
Did you get your business card to me?

152 Questions? Thanks for attending!

153 More information… Tips and Tricks for Secure Messaging eBook by Jim McBee My blog (Mostly Exchange) Paul Robichaux’s Exchange Security blog Paul Robichaux’s Secure Messaging with Microsoft Exchange Server 2003 book (Microsoft Press, 2004) Exchange 2003 Support Home Page Slipstick Systems
