Transcript of Sec 306 Security in Exchange 2003 and Beyond (32 slides)

Sec 306

Security in Exchange 2003 and Beyond

Fred Baumhardt

Infrastructure Team

Technology Services Group – Microsoft UK

Sasa Juratovic

Messaging Team

Session Agenda

Microsoft TwC – and Security Framework

Exchange 2003 Security enhancements
  Core O/S – what improves in Win 2003
  Core Exchange security functionality
  Anti-virus, Anti-spam & content filtering
  Client Communications and OWA

Exchange Security Architecture

The No BS version of Trustworthy Computing

Focused – Intensive – Ongoing effort

NOT A MARKETING CAMPAIGN

Extensive developer training and focus

Improved test & attack tools, and dedicated security testing

Architectural Review for all components and features – very strict feature triage criteria

Cross-component functional and security analysis

Microsoft’s SD3+C Model

Secure by Design
  Security aware features and architecture
  Reduce vulnerabilities in the code
  Exchange – OWA – IIS – Spam & AV – FE/BE

Secure by Default
  Reduce attack surface area
  Features default off and with minimum privilege
  Exchange – SMTP Relay – IIS – lower privilege srv

Secure in Deployment
  Protect, Detect, Defend, Recover and Manage
  Process: How To’s, Guidance, MSA, ISA
  People: Training, Templates, Job Aids, Help

Communication
  MS.COM: MSRC, /Security, /TechNet
  PR: Proactive, Reactive
  Community building

Windows 2003 Improvements

Core OS is radically more secure
  Reduced surface area (40% of NT4 lines of code)
  IIS extensively hardened and improved

Improvements in all areas
  IPsec failover
  RPC over HTTP
  NLB
  Wider Kerberos support

AD improved with:
  Cross-forest trust and authentication
  Group usage and replication improved
  SID filtering on trusts and blocking

There are tradeoffs to running Exchange 2003 on Windows 2000

Core Exchange Security Improvements

Many secure-by-default settings

More restrictive permissions

New transport features
  New Internet Connection Wizard simplifies SMTP configuration

Cross-forest authentication support
  NOTE: 1 forest still = 1 Exchange organization

Core Exchange Security – Secure by Default

Relaying always off

Default 10MB message limit for send, receive, and PF

Deny logon ACE for Domain Users on Exchange 2003 servers

POP3, IMAP4, NNTP off by default for new installs (not upgrades)

OMA off by default on all installs

OWA password changes off by default

Core Exchange Security – More Restrictive Permissions

Services run as LocalService

Tighter permissions on Exchange Domain Servers group
  May break ExMerge or other apps that use EDS group

Fix for cluster reinstall permissions problem

Installing add’l servers requires EFA at admin group, not org level

No default top-level PF creation
  No longer granted when adding servers

Anti-Virus Improvements

VS API 2.5
  Improved support for scanners, with all outbound messages guaranteed a scan
  More MAPI properties exposed, and status
  Can be used on store-less (FE) servers and gives ability to use anti-spam and AV together

VS API 2.0-based scanners can’t run on store-less front-end servers

Anti-Spam Improvements

Spam is a large problem
  Volume growing rapidly
  Volume – capacity – “noise” that must be scanned

Several ways to deal with spam
  Offload to clients w/ client or 3rd party software
  Server app that blocks on message heuristics
  Inbound relay protection and RBLs like ORDB

Anti-Spam Improvements – Exchange Perimeter Blocking

Real-time DNS-based block or allow lists
  If DNS record for sender’s IP exists, block it
  Use third-party block lists or roll your own
  Safe list allows mail based on a match

Bastions can invalidate these systems
  If bastion was last IP that relayed – DNS internal
  Place on edge – or use another system
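The slide describes the lookup mechanically: reverse the octets of the connecting IP, append the list's zone, and block if a DNS record comes back. The following added example (not from the deck, not Microsoft's code) shows that lookup and the bastion problem the slide warns about. The resolver is a constructed dictionary standing in for DNS, the zone `bl.example.test`, the safe list, the internal network ranges and the IP addresses are all made up, and `decision_behind_bastion` is an assumed fallback for a server that cannot sit on the edge.

```python
import ipaddress

# Constructed, offline stand-in for DNS: the dictionary plays the resolver.
# A real deployment resolves these names against a third-party list or a
# zone you run yourself. Zone name and the listed address are made up.
FAKE_DNS = {
    "9.113.0.203.bl.example.test": "127.0.0.2",   # 203.0.113.9 is listed
}
# Constructed safe (allow) list, consulted before any block list.
SAFE_LIST = {"198.51.100.7"}
# Constructed internal ranges: a relay with one of these addresses is one of
# our own bastions, not the sending host.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, then the list's zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, resolve=FAKE_DNS.get) -> bool:
    """True when an A record exists for the reversed IP under the zone."""
    return resolve(dnsbl_query_name(ip, zone)) is not None


def is_internal(ip: str) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def perimeter_decision(connecting_ip: str, zone: str, resolve=FAKE_DNS.get) -> str:
    """Decide what the perimeter SMTP server does with a connection.

    'allow'     safe list match, checked before the block list
    'block'     connecting IP is on the block list
    'accept'    not listed; normal processing continues
    'unchecked' the connecting IP is our own bastion, so a lookup on it tells
                us nothing about the real sender (the slide's caveat)
    """
    if is_internal(connecting_ip):
        return "unchecked"
    if connecting_ip in SAFE_LIST:
        return "allow"
    if is_listed(connecting_ip, zone, resolve):
        return "block"
    return "accept"


def decision_behind_bastion(received_chain, zone: str, resolve=FAKE_DNS.get) -> str:
    """Assumed fallback when the filter cannot sit on the edge: walk the relay
    chain newest hop first and evaluate the first address that is not one of
    our own relays. This only works for hops our own bastions recorded."""
    for hop in received_chain:
        if not is_internal(hop):
            return perimeter_decision(hop, zone, resolve)
    return "unchecked"


if __name__ == "__main__":
    zone = "bl.example.test"
    print(dnsbl_query_name("203.0.113.9", zone))
    print(perimeter_decision("203.0.113.9", zone))              # block
    print(perimeter_decision("10.0.0.5", zone))                 # unchecked: bastion
    print(decision_behind_bastion(["10.0.0.5", "203.0.113.9"], zone))  # block
```

The `unchecked` result is the whole point of the slide's "place on edge" advice: once an internal bastion is the last hop, the only address the Exchange server can see is its own network, and a block list lookup on it will never match.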

Anti-Spam Improvements – Other Improvements

Filter inbound mail by address or domain
  With blank senders or unresolvable addresses
  Turning this on may allow address enumeration attacks
  Drop the connection after 20 unresolvable attempts

Outlook 2003 and OWA 2003
  Block attachments, strip scripts and beacons
  Allow user to maintain Trusted and Junk Senders lists, which can be stored on the server
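The enumeration caveat on this slide is easier to see with the SMTP exchange modelled. The added example below is not from the deck or from Exchange; it is a small session model in which a 550 at RCPT TO time confirms which addresses exist, and the slide's figure of 20 unresolvable attempts closes the connection. The recipient directory, the blocked sender lists, the reply text and the address `example.test` are all constructed.

```python
# Constructed directory and filter lists; a real server consults the directory
# (Active Directory in the Exchange case) rather than these sets.
VALID_RECIPIENTS = {"alice@example.test", "bob@example.test"}
BLOCKED_SENDERS = {"spammer@bulk.example.test"}
BLOCKED_SENDER_DOMAINS = {"bad.example.test"}
MAX_UNRESOLVABLE = 20   # the slide's figure: drop the connection after 20 unresolvable attempts


def sender_allowed(sender: str, block_blank: bool) -> bool:
    """Sender filtering by address or domain, optionally rejecting the blank (null) sender."""
    if sender == "":
        return not block_blank
    addr = sender.lower()
    domain = addr.rpartition("@")[2]
    return addr not in BLOCKED_SENDERS and domain not in BLOCKED_SENDER_DOMAINS


class SmtpSession:
    """Minimal model of one inbound session's MAIL FROM / RCPT TO handling."""

    def __init__(self, recipient_filtering: bool, block_blank_sender: bool = False):
        self.recipient_filtering = recipient_filtering
        self.block_blank_sender = block_blank_sender
        self.unresolvable = 0      # unknown recipients seen on this connection
        self.dropped = False       # True once the server has closed the connection

    def mail_from(self, sender: str) -> str:
        if sender_allowed(sender, self.block_blank_sender):
            return "250 2.1.0 Sender OK"
        return "550 5.7.1 Sender denied"       # reply text constructed, not Exchange's

    def rcpt_to(self, recipient: str) -> str:
        if self.dropped:
            raise ConnectionError("connection already closed")
        if recipient.lower() in VALID_RECIPIENTS:
            return "250 2.1.5 Recipient OK"
        if not self.recipient_filtering:
            # Accept now and NDR later: the sender learns nothing at RCPT time,
            # so there is no address-enumeration oracle (but the NDR costs us).
            return "250 2.1.5 Recipient OK"
        # Filtering is on: the 550 below tells the sender which addresses do not
        # exist, so count the misses and close the connection at the limit.
        self.unresolvable += 1
        if self.unresolvable >= MAX_UNRESOLVABLE:
            self.dropped = True
            return "421 4.7.0 Too many unresolvable recipients, closing connection"
        return "550 5.1.1 User unknown"


def enumeration_attempt(filtering: bool, guesses: int) -> dict:
    """Replay a burst of unknown-recipient guesses and report what the other side learned."""
    session = SmtpSession(recipient_filtering=filtering)
    session.mail_from("someone@example.org")
    revealed = 0
    for i in range(guesses):
        try:
            reply = session.rcpt_to(f"guess{i}@example.test")
        except ConnectionError:
            break
        if reply.startswith("550"):
            revealed += 1          # a definite "does not exist" answer
    return {"revealed": revealed, "dropped": session.dropped}


if __name__ == "__main__":
    print(enumeration_attempt(filtering=True, guesses=50))    # 19 revealed, then dropped
    print(enumeration_attempt(filtering=False, guesses=50))   # nothing revealed
```

With filtering off, unknown recipients are accepted and bounced later, which leaks nothing but generates backscatter; with filtering on, each 550 is an answer, which is why the per-connection limit matters.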

Networking Security

Securing the network transport between servers and clients is critical

Outlook clients (OWA, Outlook 2003) can natively use encryption – RPC, SSL

COMSEC Improvements – RPC over HTTP

Most places disallow raw RPC traffic to/from Internet
  Example: CommNet!

Leads to “feature” of using VPNs or tunneling for Outlook to bypass firewalls
  Heavy connection setup/teardown penalty

ISA’s RPC publishing one popular alternative
  Still requires that RPC ports be opened

RPC over HTTP

Windows 2003 can tunnel RPC over HTTP
  Uses TCP 80 (Universal Firewall Bypass Protocol)
  Can also use TCP 443 SSL – UFBP encrypted

Full Outlook functionality
  New mail notification
  Public folders
  Free/Busy
  Synchronization
  Password changes

Requires Windows 2003, Exchange 2003, Outlook 2003, Windows XP SP1 + hotfix

ISA adds value – terminate SSL and scan it – check HTTP syntax – OR use the native RPC filter and avoid the above system requirements

RPC over HTTP mailbox access

demo

COMSEC Improvements

IPsec for clusters
  Clustered IPsec SAs don’t have 5-minute expiry
  Allows efficient use of IPsec between FE and clustered BE*

Kerberos for MAPI connections
  Keeps less-secure NTLM data off the wire

*And clustering now rocks.


OWA Security Improvements

S/MIME access

Privacy enhancement

Attachment control

Cookie-based authentication

OWA S/MIME

S/MIME is a terrific technology

Large Microsoft customers wanted to make it portable

Basic problem of certificate/key access
  You don’t want your private key on the server
  Signing/decrypting with the server’s own keys is basically useless

OWA Security Improvements – Privacy Enhancements

Automatic stripping of web beacons

HTML images aren’t automatically downloaded

Redirector allows admin control over which links are accessible
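The beacon stripping described here (and the "strip scripts and beacons" item on the anti-spam slide) comes down to rewriting the message HTML before the browser sees it. The added example below is not the deck's or OWA's code; it is a small rewriter built on Python's `html.parser` that drops script and other active elements, removes inline event handlers, and replaces remote image references with a placeholder while leaving `cid:` inline attachments alone. The placeholder path, the sample message and all host names in it are constructed.

```python
from html import escape
from html.parser import HTMLParser

# Constructed placeholder the client gets instead of a remote image.
PLACEHOLDER_IMAGE = "/exchweb/img/blocked.gif"
EXTERNAL_PREFIXES = ("http:", "https:", "ftp:", "//")
# Attributes that fetch a remote resource when the page renders: beacons live here.
FETCH_ATTRS = {"src", "background", "lowsrc", "dynsrc"}
# Elements whose whole content is dropped (script, or containers that can load it).
DROP_CONTAINERS = {"script", "style", "object", "applet", "iframe"}
# Void elements dropped outright; they have no closing tag to track.
DROP_VOID = {"link", "meta", "base", "embed", "frame"}


class BeaconStripper(HTMLParser):
    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives unescaped
        self.out = []
        self.blocked = []           # remote URLs withheld from the client
        self._skip = 0              # > 0 while inside a dropped container

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTAINERS:
            self._skip += 1
        elif tag not in DROP_VOID and not self._skip:
            self.out.append(self._render(tag, attrs, self_closing=False))

    def handle_startendtag(self, tag, attrs):
        if tag not in DROP_CONTAINERS and tag not in DROP_VOID and not self._skip:
            self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        if tag in DROP_CONTAINERS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                        # comments are dropped: conditional comments can hide markup

    def _render(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                continue            # inline event handler: script by another name
            if value is not None:
                lowered = value.strip().lower()
                if lname in FETCH_ATTRS and lowered.startswith(EXTERNAL_PREFIXES):
                    self.blocked.append(value)   # remember what the user may fetch on request
                    value = PLACEHOLDER_IMAGE
                elif lname == "href" and lowered.startswith(("javascript:", "vbscript:")):
                    continue        # script URL in a link
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")


def strip_beacons(html: str):
    """Return (rewritten HTML, list of remote URLs that were withheld)."""
    parser = BeaconStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample message: a 1x1 tracking image, an inline logo, a script and a link.
SAMPLE_MESSAGE = (
    '<html><body><p>Hi &amp; welcome</p>'
    '<img src="http://track.example.test/open.gif?u=42" width="1" height="1">'
    '<img src="cid:logo@example.test" alt="logo">'
    '<script>document.location="http://evil.example.test"</script>'
    '<a href="http://www.example.test/" onclick="steal()">site</a>'
    '</body></html>'
)

if __name__ == "__main__":
    cleaned, withheld = strip_beacons(SAMPLE_MESSAGE)
    print(cleaned)
    print(withheld)
```

Keeping the withheld URLs separate is what makes "images aren't automatically downloaded" workable: the client shows the message without contacting the sender's server, and a user can choose to load the images afterwards.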

OWA Security Improvements – Cookie Authentication

E2K-style authentication
  User logs in
  Credentials cached by browser
  As long as browser’s running, user can log in

This is undesirable…
  No way to time out sessions
  No way to prevent toilet-seat attacks

Solution: go back to the future

Cookie Authentication

demo

OWA Security Improvements – Cookie Authentication

User logs in to logon form

ASP on server requests authentication
  If it fails, user can’t log in
  If it succeeds, cookie sent to user browser

OWA requests cookie for each page
  Server can expire cookie on demand
  Cookie has finite shelf life
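The two properties the slides set against browser-cached credentials, a finite shelf life and expiry on demand, are what a server-issued session cookie has to provide. The added example below is not the deck's or OWA's code; it issues an HMAC-signed cookie carrying the user, a session id and an expiry, validates it on every page request, and lets the server revoke it early. The signing key, the 15-minute lifetime and the cookie layout are constructed assumptions; the clock is injectable so the expiry can be exercised without waiting.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Per-server signing key generated at start-up (constructed; a farm of front-end
# servers would have to share one key so any of them can validate the cookie).
SIGNING_KEY = secrets.token_bytes(32)
# Shelf life in seconds. The slide gives no figure; 15 minutes is a constructed value.
COOKIE_LIFETIME = 15 * 60


class CookieSessions:
    """Issue, validate and revoke signed session cookies for a web front end."""

    def __init__(self, key=SIGNING_KEY, lifetime=COOKIE_LIFETIME, clock=time.time):
        self._key = key
        self._lifetime = lifetime
        self._clock = clock          # injectable so tests can move time forward
        self._revoked = set()        # session ids expired on demand

    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest().encode()

    def issue(self, user: str) -> str:
        """Called only after the logon form's credentials were verified."""
        session_id = secrets.token_urlsafe(16)
        expires = int(self._clock()) + self._lifetime
        payload = f"{user}|{session_id}|{expires}".encode()
        return base64.urlsafe_b64encode(payload + b"|" + self._sign(payload)).decode()

    def _parse(self, cookie: str):
        """Return (user, session_id, expires) if the signature checks out, else None."""
        try:
            raw = base64.urlsafe_b64decode(cookie.encode())
            payload, _, sig = raw.rpartition(b"|")        # hex signature holds no '|'
            if not hmac.compare_digest(sig, self._sign(payload)):
                return None
            user, session_id, expires = payload.decode().split("|")
            return user, session_id, int(expires)
        except (ValueError, UnicodeError):
            return None

    def validate(self, cookie: str):
        """Run on every page request: the user for a good cookie, otherwise None."""
        parsed = self._parse(cookie)
        if parsed is None:
            return None
        user, session_id, expires = parsed
        if self._clock() >= expires or session_id in self._revoked:
            return None              # shelf life over, or expired on demand
        return user

    def revoke(self, cookie: str) -> bool:
        """Expire a cookie on demand (log-off button, administrator action)."""
        parsed = self._parse(cookie)
        if parsed is None:
            return False
        self._revoked.add(parsed[1])
        return True


if __name__ == "__main__":
    sessions = CookieSessions()
    cookie = sessions.issue("alice")
    print(sessions.validate(cookie))     # alice
    sessions.revoke(cookie)
    print(sessions.validate(cookie))     # None
```

Because the browser is only ever holding a signed token that the server can refuse, walking away from a logged-in browser no longer hands the next person an indefinite session. The cookie should travel only over the SSL connection the "Require SSL" best practice calls for; a signed token stolen off the wire is as good as the password until it expires.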

Other Security Improvements

Real-Time Collaboration security
  Client-server sessions can now use SSL

Information Rights Management
  Goal is to let information creator control
    Lifetime of information
    What can be done with it
    Who can do it
  Examples
    Don’t allow this email to be forwarded
    Make this document expire on 1 January

Best Practices – Infrastructure

Exchange Security is 50% Exchange – 50% Infrastructure – 50% Planning

Defense in depth is key
  Layer 7 firewalls, encryption, authentication, and physical security, infrastructure like AD
  Don’t forget IDS – and its limitations
  Have a response plan – and a plan for the plan

Secure anything your Exchange relies on:
  DNS poisoning and spoofing
  Domain Controller DoS – and attacks
  Firewall and Router ACLs tightly controlled

Best Practices – Thinking

Think like a hacker
  What sensitive data exists? What’s it worth?
  How can I get to it? Will I get caught?

Operate securely – know what to do if:
  You have been hacked (if you know)
  Your server collapses (for any reason)
  A major virus or DoS is discovered

Do your colleagues know? Think before it happens – can they recover?

Best Practices – Content

Stop spam
  Reduce it – the less there is coming in, the less your AV has to scan and process
  Kill authenticated relay, and the Guest account should be disabled
  Investigate spam-blockers and RBLs – bastion relays can invalidate RBLs

Secure your OWA
  Require SSL (mindful of impact on IDS)
  Terminate SSL and inspect before FE – pre-authenticate OWA with ISA FP1

Deploy S/MIME where appropriate

Best Practices – Clients

Secure your OWA
  Require SSL (mindful of impact on IDS)
  Terminate SSL and inspect before FE
  Pre-authenticate OWA with ISA FP1

Deploy S/MIME where appropriate

Plan RPC/HTTP – assess the impacts of people using it OUT of your organisation

Start transitioning away from legacy client protocols like POP if you can – the less to worry about the better.

Community Resources

Community Resources
  http://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP)
  http://www.mvp.support.microsoft.com/

Newsgroups
  Converse online with Microsoft Newsgroups, including Worldwide
  http://www.microsoft.com/communities/newsgroups/default.mspx

User Groups
  Meet and learn with your peers
  http://www.microsoft.com/communities/usergroups/default.mspx

Suggested Reading And Resources

The tools you need to put technology to work!

TITLE: Microsoft® Exchange Server 2003 Administrator's Companion (ISBN 0-7356-1979-4)
Available: 9/24/03

Microsoft Press books are 20% off at the TechEd Bookstore

Also buy any TWO Microsoft Press books and get a FREE T-Shirt

evaluations

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.