Sec 306: Security in Exchange 2003 and Beyond
Fred Baumhardt, Infrastructure Team, Technology Services Group, Microsoft UK
Sasa Juratovic, Messaging Team

Presentation transcript:

1 Sec 306: Security in Exchange 2003 and Beyond
Fred Baumhardt, Infrastructure Team, Technology Services Group, Microsoft UK
Sasa Juratovic, Messaging Team

2 Session Agenda
- Microsoft TwC and Security Framework
- Exchange 2003 security enhancements
- Core O/S: what improves in Windows 2003
- Core Exchange security functionality
- Anti-virus, anti-spam and content filtering
- Client communications and OWA
- Exchange security architecture

3 The No BS Version of Trustworthy Computing
- Focused, intensive, ongoing effort; NOT A MARKETING CAMPAIGN
- Extensive developer training and focus
- Improved test and attack tools, and dedicated security testing
- Architectural review for all components and features; very strict feature triage criteria
- Cross-component functional and security analysis

4 Microsoft's SD3+C Model
- Secure by Design: security-aware features and architecture; reduce vulnerabilities in the code (Exchange, OWA, IIS, spam and AV, FE/BE)
- Secure by Default: reduce attack surface area; features default off and with minimum privilege (Exchange SMTP relay, IIS, lower-privilege services)
- Secure in Deployment: protect, detect, defend, recover and manage; process: how-tos, guidance, MSA, ISA; people: training, templates, job aids, help
- Communication: MS.COM (MSRC, /Security, /TechNet); PR: proactive, reactive; community building

5 Windows 2003 Improvements
- Core OS is radically more secure
- Reduced surface area (40% of NT4 lines of code)
- IIS extensively hardened and improved
- Improvements in all areas: IPsec failover, RPC over HTTP, NLB, wider Kerberos support
- AD improved with: cross-forest trust and authentication; improved group usage and replication; SID filtering on trusts and blocking
- There are tradeoffs to running Exchange 2003 on Windows 2000

6 Core Exchange Security Improvements
- Many secure-by-default settings
- More restrictive permissions
- New transport features
- New Internet Connection Wizard simplifies SMTP configuration
- Cross-forest authentication support
- NOTE: 1 forest still = 1 Exchange organization

7 Core Exchange Security: Secure by Default
- Relaying always off
- Default 10 MB message limit for send, receive and public folders (PF)
- Deny logon ACE for Domain Users on Exchange 2003 servers
- POP3, IMAP4, NNTP off by default for new installs (not upgrades)
- OMA off by default on all installs
- OWA password changes off by default

8 Core Exchange Security: More Restrictive Permissions
- Services run as LocalService
- Tighter permissions on the Exchange Domain Servers group; may break ExMerge or other apps that use the EDS group
- Fix for cluster reinstall permissions problem
- Installing additional servers requires EFA (Exchange Full Administrator) at the admin group level, not the org level
- No default top-level public folder creation; no longer granted when adding servers

9 Anti-Virus Improvements: VS API 2.5
- Improved support for scanners: all outbound messages are guaranteed a scan
- More MAPI properties and status exposed
- Can be used on store-less (FE) servers, and gives the ability to use anti-spam and AV together
- VS API 2.0-based scanners can't run on store-less front-end servers

10 Anti-Spam Improvements
- Spam is a large problem: volume growing rapidly; volume, capacity, "noise" that must be scanned
- Several ways to deal with spam: offload to clients with client or 3rd-party software; server app that blocks on message heuristics; inbound relay protection and RBLs like ORDB

11 Anti-Spam Improvements: Exchange Perimeter Blocking
- Real-time DNS-based block or allow lists
- If a DNS record for the sender's IP exists, block it
- Use third-party block lists or roll your own
- Safe list allows mail based on a match
- Bastions can invalidate these systems: if the bastion was the last IP that relayed, the DNS lookup is on an internal address
- Place on the edge, or use another system

12 Anti-Spam Improvements: Other Improvements
- Filter inbound mail by address or domain, with blank senders or unresolvable addresses
- Turning this on may allow address enumeration attacks; drop the connection after 20 unresolvable attempts
- Outlook 2003 and OWA 2003: block attachments, strip scripts and beacons; allow the user to maintain Trusted and Junk Senders lists, which can be stored on the server
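Slides 11 and 12 describe two perimeter checks: a DNS-based block list consulted when a client connects (with the caveat that an internal bastion as last hop makes the lookup meaningless), and recipient filtering capped at 20 unresolvable recipients per connection to limit address enumeration. The following is an added example, not code from the talk or from Exchange, that models both as a small SMTP session policy. The zone name `rbl.example`, the offline `fake_resolve` stand-in for DNS, and all IP addresses and mailboxes are constructed for the example.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional

Resolver = Callable[[str], Optional[str]]  # DNS name -> A record, or None for NXDOMAIN


def rbl_query_name(client_ip: str, zone: str) -> str:
    """Build the DNSBL query name: reverse the IPv4 octets and append the zone.
    192.0.2.10 against rbl.example becomes 10.2.0.192.rbl.example."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(client_ip: str, zone: str, resolve: Resolver) -> bool:
    """A block list answers 'listed' by returning an A record (typically 127.0.0.x);
    no record means the address is not listed."""
    return resolve(rbl_query_name(client_ip, zone)) is not None


class PerimeterPolicy:
    """Connection-level decisions for one inbound SMTP session (constructed model)."""

    MAX_UNRESOLVABLE = 20  # threshold quoted on slide 12

    def __init__(self, zone: str, resolve: Resolver, safe_list: Iterable[str],
                 trusted_relays: Iterable[str], local_recipients: Iterable[str]):
        self.zone = zone
        self.resolve = resolve
        self.safe_list = set(safe_list)            # allow list wins over the block list
        self.trusted_relays = set(trusted_relays)  # our own bastions / internal relays
        self.local = {a.lower() for a in local_recipients}
        self.unresolvable = 0

    def on_connect(self, client_ip: str) -> str:
        # Slide 11 caveat: if the peer is one of our own bastions, the IP we see is
        # internal and a block-list lookup on it proves nothing.  Report that rather
        # than silently accepting; the check belongs on the edge host.
        if client_ip in self.trusted_relays:
            return "accept-unchecked"
        if client_ip in self.safe_list:
            return "accept"
        if is_listed(client_ip, self.zone, self.resolve):
            return "reject"
        return "accept"

    def on_rcpt(self, address: str) -> str:
        # Recipient filtering: rejecting unknown addresses at RCPT TO lets a sender
        # learn which addresses exist, so cap the unresolvable attempts per session.
        if address.lower() in self.local:
            return "ok"
        self.unresolvable += 1
        if self.unresolvable >= self.MAX_UNRESOLVABLE:
            return "drop"          # close the connection, as the slide describes
        return "unresolvable"      # reject this recipient, keep the session open


# Constructed offline resolver standing in for DNS: two test IPs are "listed".
FAKE_RBL_ZONE = "rbl.example"
_LISTED: Dict[str, str] = {
    rbl_query_name("192.0.2.10", FAKE_RBL_ZONE): "127.0.0.2",
    rbl_query_name("203.0.113.9", FAKE_RBL_ZONE): "127.0.0.2",
}


def fake_resolve(name: str) -> Optional[str]:
    return _LISTED.get(name)


def demo_session(client_ip: str, rcpts: Iterable[str]) -> List[str]:
    """Run one constructed session through the policy and return each decision."""
    policy = PerimeterPolicy(FAKE_RBL_ZONE, fake_resolve,
                             safe_list=["203.0.113.9"],        # listed, but explicitly allowed
                             trusted_relays=["10.0.0.5"],      # our internal bastion
                             local_recipients=["alice@example.com", "bob@example.com"])
    decisions = [policy.on_connect(client_ip)]
    if decisions[0] == "reject":
        return decisions
    for rcpt in rcpts:
        decision = policy.on_rcpt(rcpt)
        decisions.append(decision)
        if decision == "drop":
            break
    return decisions


if __name__ == "__main__":
    print(demo_session("192.0.2.10", ["alice@example.com"]))
    print(demo_session("198.51.100.7", ["alice@example.com", "nobody@example.com"]))
    print(demo_session("10.0.0.5", ["alice@example.com"]))
```

The `accept-unchecked` result is the point of the bastion caveat: a policy that runs behind an internal relay should say so in its logs, because every connection it sees comes from the relay's address and the block list never gets a chance to match.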

13 Networking Security
- Securing the network transport between servers and clients is critical
- Outlook clients (OWA, 2003) can natively use encryption: RPC, SSL

14 COMSEC Improvements: RPC over HTTP
- Most places disallow raw RPC traffic to/from the Internet (example: CommNet!)
- Leads to the "feature" of using VPNs or tunneling for Outlook to bypass firewalls; heavy connection setup/teardown penalty
- ISA's RPC publishing is one popular alternative; still requires that RPC ports be opened

15 RPC over HTTP
- Windows 2003 can tunnel RPC over HTTP
- Uses TCP 80 (Universal Firewall Bypass Protocol); can also use TCP 443 SSL (UFBP encrypted)
- Full Outlook functionality: new mail notification, public folders, free/busy, synchronization, password changes
- Requires Windows 2003, Exchange 2003, Outlook 2003, Windows XP SP1 + hotfix
- ISA adds value: terminate SSL and scan it, check HTTP syntax; OR use the native RPC filter and avoid the above system requirements

16 RPC over HTTP mailbox access demo

17 COMSEC Improvements
- IPsec for clusters: clustered IPsec SAs don't have 5-minute expiry; allows efficient use of IPsec between FE and clustered BE*
- Kerberos for MAPI connections: keeps less-secure NTLM data off the wire
- *And clustering now rocks

18 OWA Security Improvements
- S/MIME access
- Privacy enhancement
- Attachment control
- Cookie-based authentication

19 OWA S/MIME
- S/MIME is a terrific technology
- Large Microsoft customers wanted to make it portable
- Basic problem of certificate/key access: you don't want your private key on the server; signing/decrypting with the server's own keys is basically useless

20 OWA Security Improvements: Privacy Enhancements
- Automatic stripping of web beacons
- HTML images aren't automatically downloaded
- Redirector allows admin control over which links are accessible
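The three privacy controls on this slide (beacons stripped, remote images not fetched automatically, links routed through an admin-controlled redirector) all come down to rewriting the HTML body before the browser renders it. The following is an added example, not OWA's code, that shows one way to do that with Python's standard HTML parser. The `/blocked.gif` placeholder, the `/redir.asp?url=` redirector path, the `intranet.example` allow list and the sample message are all constructed for this example; the parser also drops `script` blocks and inline event handlers, which is the "strip scripts" item from slide 12.

```python
import html
from html.parser import HTMLParser
from typing import Iterable, List, Optional, Tuple
from urllib.parse import quote, urlparse

REMOTE_SCHEMES = ("http", "https")
DROPPED_ELEMENTS = ("script", "style", "iframe", "object", "embed")  # removed with their content

Attrs = List[Tuple[str, Optional[str]]]


class MailHtmlSanitizer(HTMLParser):
    """Constructed model: neutralise remote images (web beacons), strip script,
    and send external links through a redirector unless the host is allowed."""

    def __init__(self, allowed_link_hosts: Iterable[str], redirector: str = "/redir.asp?url="):
        super().__init__(convert_charrefs=True)
        self.allowed = {h.lower() for h in allowed_link_hosts}
        self.redirector = redirector
        self.out: List[str] = []
        self.blocked_images = 0
        self._skipping = 0  # depth inside a dropped element

    @staticmethod
    def _is_remote(url: Optional[str]) -> bool:
        url = url or ""
        return urlparse(url).scheme.lower() in REMOTE_SCHEMES or url.startswith("//")

    def _rewrite(self, tag: str, attrs: Attrs) -> Attrs:
        fixed: Attrs = []
        for key, value in attrs:
            key = key.lower()
            if key.startswith("on"):
                continue  # inline event handler: strip
            if key == "href" and urlparse(value or "").scheme.lower() == "javascript":
                continue  # script disguised as a link: strip
            if tag == "img" and key == "src" and self._is_remote(value):
                # Do not fetch: a 1x1 remote image is the classic read-receipt beacon.
                # Keep the original URL aside so the client can offer to load it on request.
                self.blocked_images += 1
                fixed.append(("src", "/blocked.gif"))
                fixed.append(("data-blocked-src", value))
                continue
            if tag == "a" and key == "href" and self._is_remote(value):
                host = (urlparse(value).hostname or "").lower()
                if host not in self.allowed:
                    value = self.redirector + quote(value, safe="")  # admin policy applies at the redirector
            fixed.append((key, value))
        return fixed

    def _emit_tag(self, tag: str, attrs: Attrs) -> None:
        parts = [tag]
        for key, value in attrs:
            parts.append(key if value is None else '%s="%s"' % (key, html.escape(value, quote=True)))
        self.out.append("<" + " ".join(parts) + ">")

    def handle_starttag(self, tag: str, attrs: Attrs) -> None:
        if tag in DROPPED_ELEMENTS:
            self._skipping += 1
            return
        if self._skipping:
            return
        self._emit_tag(tag, self._rewrite(tag, attrs))

    def handle_startendtag(self, tag: str, attrs: Attrs) -> None:
        if tag in DROPPED_ELEMENTS or self._skipping:
            return
        self._emit_tag(tag, self._rewrite(tag, attrs))

    def handle_endtag(self, tag: str) -> None:
        if tag in DROPPED_ELEMENTS:
            self._skipping = max(0, self._skipping - 1)
            return
        if not self._skipping:
            self.out.append("</%s>" % tag)

    def handle_data(self, data: str) -> None:
        if not self._skipping:
            self.out.append(html.escape(data, quote=False))


def sanitize(raw_html: str, allowed_link_hosts: Iterable[str]) -> Tuple[str, int]:
    """Return (rewritten HTML, number of remote images neutralised)."""
    parser = MailHtmlSanitizer(allowed_link_hosts)
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out), parser.blocked_images


# Constructed sample message body: a tracking pixel, an external link, an intranet link,
# an inline handler and a script block.
SAMPLE_BODY = (
    '<p onclick="track()">Hi <img src="http://tracker.example/pixel.gif?id=42" width="1" height="1"> '
    '<a href="http://evil.example/login">click</a> <a href="https://intranet.example/doc">doc</a></p>'
    '<script>alert(1)</script>'
)

if __name__ == "__main__":
    body, blocked = sanitize(SAMPLE_BODY, ["intranet.example"])
    print(blocked, "remote image(s) blocked")
    print(body)
```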

21 OWA Security Improvements: Cookie Authentication
- E2K-style authentication: user logs in; credentials cached by browser; as long as the browser's running, the user can log in
- This is undesirable: no way to time out sessions; no way to prevent toilet-seat attacks
- Solution: go back to the future

22 Cookie Authentication demo

23 OWA Security Improvements: Cookie Authentication
- User logs in to the logon form
- ASP on the server requests authentication: if it fails, the user can't log in; if it succeeds, a cookie is sent to the user's browser
- OWA requires the cookie for each page
- Server can expire the cookie on demand
- Cookie has a finite shelf life
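The flow on this slide is what fixes the two problems named on slide 21 (no session timeout, no defence against someone using a logged-in browser left unattended): the server, not the browser, decides how long a successful logon remains valid. The following is an added example, not the OWA implementation, that models that flow in Python. The cookie format (`session id|expiry|HMAC`), the 15-minute default lifetime, the `verify_password` callback and the injectable clock are all choices made for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional


class CookieAuth:
    """Constructed model of forms-based logon backed by a server-side session table.

    Two independent limits apply to every cookie: a signed expiry baked into the
    cookie gives it a finite shelf life, and a server-side table entry lets the
    server expire it on demand (logout, or an administrator) before that time."""

    def __init__(self, secret: bytes, verify_password: Callable[[str, str], bool],
                 ttl_seconds: int = 900, now: Callable[[], float] = time.time):
        self.secret = secret
        self.verify_password = verify_password
        self.ttl = ttl_seconds
        self.now = now
        self.sessions: Dict[str, Dict[str, object]] = {}  # session id -> {user, expires}

    def _sign(self, payload: str) -> str:
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def login(self, user: str, password: str) -> Optional[str]:
        """The logon form posts here. A failed check yields no cookie at all."""
        if not self.verify_password(user, password):
            return None
        session_id = secrets.token_urlsafe(24)
        expires = int(self.now()) + self.ttl
        self.sessions[session_id] = {"user": user, "expires": expires}
        payload = "%s|%d" % (session_id, expires)
        return payload + "|" + self._sign(payload)

    def authenticate(self, cookie: Optional[str]) -> Optional[str]:
        """Every page request presents the cookie; return the user, or None to force re-logon."""
        if not cookie:
            return None
        try:
            session_id, expires_text, signature = cookie.rsplit("|", 2)
            expires = int(expires_text)
        except ValueError:
            return None
        payload = "%s|%s" % (session_id, expires_text)
        if not hmac.compare_digest(signature, self._sign(payload)):
            return None                              # forged or tampered cookie
        if expires <= self.now():
            self.sessions.pop(session_id, None)
            return None                              # shelf life exceeded
        session = self.sessions.get(session_id)
        if session is None:
            return None                              # expired on demand
        return str(session["user"])

    def expire(self, cookie: str) -> None:
        """Server-side expiry on demand: the logout button, or an admin killing a session."""
        session_id = cookie.split("|", 1)[0]
        self.sessions.pop(session_id, None)


def demo() -> Dict[str, Optional[str]]:
    """Walk one constructed user through the cases the slide lists, using a fake clock."""
    clock = [1_000_000.0]
    auth = CookieAuth(b"constructed-secret-not-for-real-use",
                      lambda u, p: (u, p) == ("alice", "correct horse battery"),
                      ttl_seconds=600, now=lambda: clock[0])
    results: Dict[str, Optional[str]] = {}
    results["bad_password"] = auth.login("alice", "wrong")            # no cookie issued
    cookie = auth.login("alice", "correct horse battery")
    results["fresh"] = auth.authenticate(cookie)                      # "alice"
    flipped = "0" if cookie[-1] != "0" else "1"
    results["tampered"] = auth.authenticate(cookie[:-1] + flipped)    # signature fails
    clock[0] += 601
    results["stale"] = auth.authenticate(cookie)                      # shelf life passed
    cookie2 = auth.login("alice", "correct horse battery")
    auth.expire(cookie2)                                              # logout / admin kill
    results["revoked"] = auth.authenticate(cookie2)
    return results


if __name__ == "__main__":
    for case, user in demo().items():
        print("%-12s -> %s" % (case, user))
```

The design point is that the cookie alone is never trusted: the HMAC stops the client from extending its own expiry, and the session table is what makes "expire on demand" possible, since a purely self-contained cookie cannot be recalled once issued.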

24 Other Security Improvements
- Real-Time Collaboration security: client-server sessions can now use SSL
- Information Rights Management: goal is to let the information creator control the lifetime of information, what can be done with it, and who can do it
- Examples: don't allow this email to be forwarded; make this document expire on 1 January

25 Best Practices: Infrastructure
- Exchange security is 50% Exchange, 50% infrastructure, 50% planning
- Defense in depth is key: layer 7 firewalls, encryption, authentication, physical security, infrastructure like AD
- Don't forget IDS, and its limitations
- Have a response plan, and a plan for the plan
- Secure anything your Exchange relies on: DNS poisoning and spoofing; Domain Controller DoS and attacks; firewall and router ACLs tightly controlled

26 Best Practices: Thinking
- Think like a hacker: what sensitive data exists, what's it worth? How can I get to it, will I get caught?
- Operate securely; know what to do if: you have been hacked (if you know); your server collapses (for any reason); a major virus or DoS is discovered
- Do your colleagues know? Think before it happens: can they recover?

27 Best Practices: Content
- Stop spam: reduce it; the less there is coming in, the less your AV has to scan and process
- Kill authenticated relay, and the Guest account should be disabled
- Investigate spam-blockers and RBLs; bastion relays can invalidate RBLs
- Secure your OWA: require SSL (mindful of the impact on IDS); terminate SSL and inspect before the FE; pre-authenticate OWA with ISA FP1; deploy S/MIME where appropriate

28 Best Practices: Clients
- Secure your OWA: require SSL (mindful of the impact on IDS); terminate SSL and inspect before the FE; pre-authenticate OWA with ISA FP1; deploy S/MIME where appropriate
- Plan RPC/HTTP: assess the impacts of people using it OUT of your organisation
- Start transitioning away from legacy client protocols like POP if you can; the less to worry about the better

29 Community Resources
- http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- Newsgroups: converse online with Microsoft newsgroups, including worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
- User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx

30 Suggested Reading and Resources
- The tools you need to put technology to work!
- Title / Available: Microsoft® Exchange Server 2003 Administrator's Companion (ISBN 0-7356-1979-4), 9/24/03
- Microsoft Press books are 20% off at the TechEd Bookstore
- Also buy any TWO Microsoft Press books and get a FREE T-Shirt

31 Evaluations

32 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

