Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Exchange, IIS, and SQL Infrastructures

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Securing Exchange, IIS, and SQL Infrastructures"— Presentation transcript:

1 Securing Exchange, IIS, and SQL Infrastructures
Fred Baumhardt Infrastructure Solutions Consulting Microsoft Security Solutions, Feb 4th, 2003

2 Session Overview Microsoft Defence-in-depth Model
Strategic Multi-Product Defence Implementing End to End Exchange Security Implementing End to End IIS Security SQL Security

3 Defense-in-Depth MANAGEMENT
Perimeter Defences: Packet Filtering, Stateful Inspection of Packets, Intrusion Detection Network Defences: VLAN Access Control Lists, Internal Firewall, Auditing, Intrusion Detection Host Defences: Server Hardening, Host Intrusion Detection, IPSec Filtering, Auditing Application Defences: AV, Content Scanning, Layer 7 (URL) Switching Source, Secure IIS, Secure Exchange Data and Resources: Databases, Network Services and Applications, File Shares Data & Resources Application Defences Host Defences Network Defences Perimeter Defences Assume Prior Layers Fail MANAGEMENT

4 Strategic Defence Know what’s in your Datacenter Segment your Networks
Most attacks, worms, can be defeated by network protection – to buy time for patches Internal IDS to clean up client VLANs IPSec Policies to contain breakouts Plan your management -incident response Application Inspection internal firewalls

5 Strategic Defence Cont.
Reduce Attack Surface Disable unnecessary software and services Use MBSA – IISLockdown etc Use a third party vulnerability scanner Configure AD group policy and use role based security templates Restricted Groups Restricted Services Restricted Registry and File ACLs

6 The Total Trust Network
Modern networks are generally one large TCP/IP space segmented by firewalls to the Internet Trust is implicit in all organisation TCP/IP was not designed for security THIS HAS TO STOP – Network Segmentation is now critical

7 Secure Your Networking
Internet Redundant Routers First Tier Firewalls URL Filtering for OWA RPC Termination for Outlook ISA Firewalls NIC teams/2 switches VLAN Intrusion Detection Intrusion Detection Intrusion Detection VLAN Front-end VLAN DC + Infrastructure VLAN Backend Switches Implement VLANs and Control Inter-VLAN Traffic like Firewalls do .

8 An Alternate DMZ Approach
A Flat DMZ Design to push intelligent inspection outwards ISA layer 7 switching (OWA) or RPC filtration (Outlook) No Firewalls between front-end and backend servers Front-end and backend servers authenticate clients IPSec if required between front-end and backend TCP 443: HTTPS Or TCP 443: HTTPS Internet TCP 80: HTTP Stateful Packet Filtering Firewall Application Filtering Firewall (ISA Server) Exchange Server

9 Exchange Specific Issues
Exchange Client Selection crucial Exchange Supporting Infrastructure Security Top 10 Action Points to secure Exchange

10 Selecting an Exchange Client
Experience Complexity Security POP3/IMAP4 via SSL with SMTP Basic Medium/ High Medium OWA via SSL with ISA Moderate Low Full VPN – L2TPw/IPSEC PPTPv2 High Secure RPC with ISA Medium/ Low

11 Security from Internet Clients
Every time you connect into a network you extend the security perimeter VPN and to a lesser extent RPC Publishing both require care at the client Harden your clients on the Internet or hackers will attack clients and ride the VPN Require RPC encryption for Outlook Client Based IDS systems

12 Internal Security Don’t assume Internet is the only threat
Assume internal people want to attack you – more than external people Defensive Tactics include: Client Network Segmentation Encryption of Client Traffic – e.g. require RPC Review of public folder/client permissions Third party – AV – IDS – Auditing Server Role – Security templates from Ops guide Extend the security scope to all infrastructure Exchange relies on: AD – DNS – SMTP Relay etc

13 Top 10 Ways to Get Exchange Secure
Implement the Security Operations Guides for Windows and Exchange Use MBSA to identify missing patches Implement IISLockdown based on role Secure Infrastructure Assets Use the EDSLock script to restrict groups .

14 Top 10 Ways To Get Exchange Secure
Get adequate antivirus protection for servers and desktops Use perimeter SMTP scanning Automate Patch Management Use SSL, IPsec, and MAPI encryption where appropriate Plan your response to an intrusion/worm before it happens

15 IIS Security Basics Turn it off where not required
Use IISLockdown tool – be aware of its impact on applications Use a layer 7 proxy like ISA Server Use W2K Security Operations templates and guides to lock down IIS by OU – and role

16 Legacy Firewalls and Data Attacks
Internal Network Normal Firewall – Checks Rules - OK Internal Web Server Internal Exchange Server Virus Author Internet Internet Virus or attack inside data passes Overflow Attacker Reverse Proxy Used to accelerate the performance of your web site. Instead of your Web server responding to every requests of Internet clients, the ISA Server will respond with cached content if available. How ISA Reverse Cache works: Joe clicks on the a url for in his web browser The Internet via DNS servers will interpret the URL name and forward the request to the Servers that respond to “ The ISA Server is impersonating the Web Server and responds to requests for web content for Since the ISA Server does not have the content cached locally, it will forward the request to the Web Server and then return the content to the user. This content is now cached locally so that the next request for the same content will be served from the ISA Server, rather than the Web Server. Normal Firewalls only check rules like source , destination and port – NOT DATA ITSELF Data passes through firewall unchecked and hits internal IIS box essentially intact – attacks pass through

17 Countering Application Level Attacks
Internal Network Internal Web Server Internal Exchange Server ISA Checks Data inside traffic Virus Author Internet Internet Virus or attack inside data is blocked – alert is raised ISA Filters Overflow Attacker Reverse Proxy Used to accelerate the performance of your web site. Instead of your Web server responding to every requests of Internet clients, the ISA Server will respond with cached content if available. How ISA Reverse Cache works: Joe clicks on the a url for in his web browser The Internet via DNS servers will interpret the URL name and forward the request to the Servers that respond to “ The ISA Server is impersonating the Web Server and responds to requests for web content for Since the ISA Server does not have the content cached locally, it will forward the request to the Web Server and then return the content to the user. This content is now cached locally so that the next request for the same content will be served from the ISA Server, rather than the Web Server. Security devices evolve to inspect data Application Filters that know what to look for: Web – Stop Overflows – check syntax of commands Intrusion Detection – scans for patterns of attack Force Internal Traffic to be Inspected by Internal Firewalls

18 ISA Server and IIS URLScan – syntax and http level checking of acceptable verbs – URLs, and characters Layer 7 URL blocking – EG mail.corp.com/exchange OK – mail.corp.com/£$%^^^£$” - Dropped HTTPS Termination – inspection and re-encryption – inspect the un-inspectable Defeats all known URL based overflows – itself is not susceptible as it has no IIS SMTP Scanner for IIS SMTP mail

19 SQL Server Security Understand the application
Don’t let all machines talk to SQL – SEGMENT YOUR LAN Usually application servers talk to DB – not clients directly Know where MSDE is installed – include in your management plan Replace MSDE with managed SQL servers where possible

20 SQL and Slammer Bug should have never been there !!!
Patches should be made easier and faster to deploy However……. Infrastructure defences could have prevented slammer: VLAN off SQL – nothing to infect Internal Firewalls – block ports to slammer External Firewalls – DMZ machines sending without being asked – should only reply App inspecting filters – FW blocks traffic IDS – recognises and sends RST – alerts admin

21 Understand Issues and Mitigate
SQL in mixed mode has no lockout Can be brute forced so use Windows auth. SQL runs as local admin by default SA will have equivalent to machine admin Thus don’t run it on DC SQL and MSDE listen on known ports So change them where you can SA can go across multiple databases Plan your security model carefully Multiple instances give true account isolation

22 SQL Powered Applications
Look at application end-to-end From client to app server to db Encrypt all network transports Avoid dependence only on client side validation – have SQL check the data as well/instead Client authentication – how does it get data to and from SQL Injection – always pass data to stored procedures – never queries

23

Download ppt "Securing Exchange, IIS, and SQL Infrastructures"

Similar presentations

Securing Network – Wireless – and Connected Infrastructures

Securing Network – Wireless – and Connected Infrastructures
Paula Kiernan Senior Consultant Ward Solutions

Paula Kiernan Senior Consultant Ward Solutions
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Implementing Application and Data Security Fred Baumhardt Senior Consultant – Security and Architecture Microsoft Consulting Services - UK.

Implementing Application and Data Security Fred Baumhardt Senior Consultant – Security and Architecture Microsoft Consulting Services - UK.
SEC 470 Using ISA Server for Application Layer Firewalling Frederico Baumhardt Senior Consultant – Infrastructure and Security Microsoft UK.

SEC 470 Using ISA Server for Application Layer Firewalling Frederico Baumhardt Senior Consultant – Infrastructure and Security Microsoft UK.
SEC 318 Guerilla Security – Securing Exchange 2000 and 2003 Infrastructures Fred Baumhardt and Rab Thynne Senior and Partner Strategy Consultant Microsoft.

SEC 318 Guerilla Security – Securing Exchange 2000 and 2003 Infrastructures Fred Baumhardt and Rab Thynne Senior and Partner Strategy Consultant Microsoft.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Microsoft Security Resources. URL’s for this talk All URL’s mentioned in this talk can be found here: All URL’s mentioned in this talk can be found here:

Microsoft Security Resources. URL’s for this talk All URL’s mentioned in this talk can be found here: All URL’s mentioned in this talk can be found here:
Implementing Application and Data Security Presenter Name Job Title Company.

Implementing Application and Data Security Presenter Name Job Title Company.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.

Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.
Implementing Exchange Server Security Ward Solutions.

Implementing Exchange Server Security Ward Solutions.
Sec 311 Securing SharePoint Infrastructure and Technologies Fred Baumhardt Sandeep Modhvadia Microsoft UK – Technology Services.

Sec 311 Securing SharePoint Infrastructure and Technologies Fred Baumhardt Sandeep Modhvadia Microsoft UK – Technology Services.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.

Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.
Securing Exchange Server 2003. Session Goals: Introduce you to the concepts and mechanisms for securing Exchange 2003. Examine the techniques and tools.

Securing Exchange Server Session Goals: Introduce you to the concepts and mechanisms for securing Exchange Examine the techniques and tools.

Similar presentations

Ads by Google