![Page 1: Sec 306 Security in Exchange 2003 and Beyond Fred Baumhardt Infrastructure Team Technology Services Group – Microsoft UK Sasa Juratovic Messaging Team](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649f155503460f94c2b632/html5/thumbnails/1.jpg)
Sec 306
Security in Exchange 2003 and Beyond
Fred Baumhardt
Infrastructure Team
Technology Services Group – Microsoft UK
Sasa Juratovic
Messaging Team
Page 2
Session Agenda
Microsoft TwC and Security Framework
Exchange 2003 security enhancements
Core O/S: what improves in Windows 2003
Core Exchange security functionality
Anti-virus, anti-spam and content filtering
Client communications and OWA
Exchange security architecture
Page 3
The No BS version of Trustworthy Computing
Focused, intensive, ongoing effort
NOT A MARKETING CAMPAIGN
Extensive developer training and focus
Improved test and attack tools, and dedicated security testing
Architectural review for all components and features, with very strict feature triage criteria
Cross-component functional and security analysis
Page 4
Microsoft's SD3+C Model
Secure by Design: security-aware features and architecture; reduce vulnerabilities in the code (Exchange, OWA, IIS, spam and AV, FE/BE)
Secure by Default: reduce attack surface area; features default off and with minimum privilege (Exchange SMTP relay, IIS, lower-privilege services)
Secure in Deployment: protect, detect, defend, recover and manage; process: how-tos, guidance, MSA, ISA; people: training, templates, job aids, help
Communication: MS.COM (MSRC, /Security, /TechNet); PR: proactive and reactive; community building
Page 5
Windows 2003 Improvements
Core OS is radically more secure
Reduced surface area (40% of NT4 lines of code)
IIS extensively hardened and improved
Improvements in all areas: IPsec failover, RPC over HTTP, NLB, wider Kerberos support
AD improved with: cross-forest trust and authentication; group usage and replication improved; SID filtering on trusts and blocking
There are tradeoffs to running Exchange 2003 on Windows 2000
Page 6
Core Exchange Security Improvements
Many secure-by-default settings
More restrictive permissions
New transport features
New Internet Connection Wizard simplifies SMTP configuration
Cross-forest authentication support
NOTE: 1 forest still = 1 Exchange organization
Page 7
Core Exchange Security: Secure by Default
Relaying always off
Default 10MB message limit for send, receive, and PF
Deny logon ACE for Domain Users on Exchange 2003 servers
POP3, IMAP4, NNTP off by default for new installs (not upgrades)
OMA off by default on all installs
OWA password changes off by default
Page 8
Core Exchange Security: More Restrictive Permissions
Services run as LocalService
Tighter permissions on Exchange Domain Servers group
May break ExMerge or other apps that use the EDS group
Fix for cluster reinstall permissions problem
Installing additional servers requires EFA at admin group level, not org level
No default top-level PF creation
No longer granted when adding servers
Page 9
Anti-Virus Improvements
VS API 2.5
Improved support for scanners, with all outbound messages guaranteed scanned
More MAPI properties and status exposed
Can be used on store-less (FE) servers and gives the ability to use anti-spam and AV together
VS API 2.0-based scanners can't run on store-less front-end servers
Page 10
Anti-Spam Improvements
Spam is a large problem
Volume growing rapidly
Volume, capacity, "noise" that must be scanned
Several ways to deal with spam
Offload to clients with client or 3rd-party software
Server app that blocks on message heuristics
Inbound relay protection and RBLs like ORDB
Page 11
Anti-Spam Improvements: Exchange Perimeter Blocking
Real-time DNS-based block or allow lists
If a DNS record for the sender's IP exists, block it
Use third-party block lists or roll your own
Safe list allows mail based on a match
Bastions can invalidate these systems
If the bastion was the last IP that relayed, the DNS lookup is done on an internal address
Place on the edge, or use another system
Page 12
Anti-Spam Improvements: Other Improvements
Filter inbound mail by address or domain
With blank senders or unresolvable addresses
Turning this on may allow address enumeration attacks
Drop the connection after 20 unresolvable attempts
Outlook 2003 and OWA 2003
Block attachments, strip scripts and beacons
Allow user to maintain Trusted and Junk Senders lists, which can be stored on the server
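The recipient-filter behaviour above, as an added example that is not the presentation's or Exchange's code: a per-connection state machine that accepts known recipients, rejects unresolvable ones, and closes the connection once 20 unresolvable attempts have been seen, which bounds how many addresses a single connection can probe. The recipient directory is constructed sample data and the reply strings are generic SMTP codes, not Exchange's exact text.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Constructed directory of valid recipients (stand-in for the directory lookup).
KNOWN_RECIPIENTS: Set[str] = {"alice@corp.example", "bob@corp.example"}


@dataclass
class RecipientFilterSession:
    """State for one inbound SMTP connection under recipient filtering."""
    known: Set[str]
    max_unresolvable: int = 20          # threshold stated on the slide
    unresolvable: int = 0
    accepted: List[str] = field(default_factory=list)
    dropped: bool = False

    def rcpt_to(self, address: str) -> str:
        """Handle one RCPT TO command and return the reply line."""
        if self.dropped:
            return "421 4.7.0 connection closed"
        addr = address.strip().lower()
        if addr in self.known:
            self.accepted.append(addr)
            return "250 2.1.5 OK"
        # Unresolvable recipient: reject it, and count it against the connection.
        self.unresolvable += 1
        if self.unresolvable >= self.max_unresolvable:
            self.dropped = True
            return "421 4.7.0 too many unresolvable recipients, closing connection"
        return "550 5.1.1 User unknown"


def run_transcript(addresses: List[str]) -> List[str]:
    """Feed a list of RCPT TO addresses through one session; returns the replies."""
    session = RecipientFilterSession(known=KNOWN_RECIPIENTS)
    return [session.rcpt_to(a) for a in addresses]


def probe_outcome(bad_count: int) -> dict:
    """Summarise what a connection sending bad_count unknown recipients achieves."""
    session = RecipientFilterSession(known=KNOWN_RECIPIENTS)
    for i in range(bad_count):
        session.rcpt_to(f"nobody{i}@corp.example")
    after = session.rcpt_to("alice@corp.example")   # valid recipient, sent last
    return {"dropped": session.dropped, "reply_to_valid_recipient": after}
```

The enumeration caveat on the slide is visible in the replies: a 250 versus a 550 tells the sender which addresses exist, which is why the connection cap matters when the filter is enabled.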
Page 13
Networking Security
Securing the network transport between servers and clients is critical
Outlook clients (OWA, Outlook 2003) can natively use encryption (RPC, SSL)
Page 14
COMSEC Improvements: RPC over HTTP
Most places disallow raw RPC traffic to/from the Internet
Example: CommNet!
Leads to the "feature" of using VPNs or tunneling for Outlook to bypass firewalls
Heavy connection setup/teardown penalty
ISA's RPC publishing is one popular alternative
Still requires that RPC ports be opened
Page 15
RPC over HTTP
Windows 2003 can tunnel RPC over HTTP
Uses TCP 80 (Universal Firewall Bypass Protocol)
Can also use TCP 443 SSL (UFBP encrypted)
Full Outlook functionality: new mail notification, public folders, free/busy, synchronization, password changes
Requires Windows 2003, Exchange 2003, Outlook 2003, Windows XP SP1 + hotfix
ISA adds value: terminate SSL and scan it, check HTTP syntax; or use the native RPC filter and avoid the above system requirements
Page 16
RPC over HTTP mailbox access
demo
Page 17
COMSEC Improvements
IPsec for clusters
Clustered IPsec SAs don't have 5-minute expiry
Allows efficient use of IPsec between FE and clustered BE*
Kerberos for MAPI connections
Keeps less-secure NTLM data off the wire
*And clustering now rocks
Page 18
OWA Security Improvements
S/MIME access
Privacy enhancement
Attachment control
Cookie-based authentication
Page 19
OWA S/MIME
S/MIME is a terrific technology
Large Microsoft customers wanted to make it portable
Basic problem of certificate/key access
You don't want your private key on the server
Signing/decrypting with the server's own keys is basically useless
Page 20
OWA Security Improvements: Privacy Enhancements
Automatic stripping of web beacons
HTML images aren't automatically downloaded
Redirector allows admin control over which links are accessible
Page 21
OWA Security Improvements: Cookie Authentication
E2K-style authentication
User logs in
Credentials cached by browser
As long as the browser's running, the user can log in
This is undesirable...
No way to time out sessions
No way to prevent toilet-seat attacks
Solution: go back to the future
Page 22
Cookie Authentication
demo
Page 23
OWA Security Improvements: Cookie Authentication
User logs in to logon form
ASP on server requests authentication
If it fails, user can't log in
If it succeeds, cookie sent to user browser
OWA requests cookie for each page
Server can expire cookie on demand
Cookie has finite shelf life
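The logon flow on this slide and the previous one, as an added example that is not the presentation's or OWA's code: the server checks the credentials once, issues an opaque random cookie value bound to a server-side session with a finite lifetime, validates that cookie on every page request, and can revoke it on demand, which is what the browser-cached credentials of the E2K-style scheme could not offer. The user store is constructed sample data, and the clock is injected so the expiry can be shown without waiting.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed credential store; the real logon page checks the directory instead.
USERS = {"alice": "correct horse battery staple"}


def check_credentials(username: str, password: str) -> bool:
    """Constant-time comparison against the sample store."""
    expected = USERS.get(username)
    if expected is None:
        return False
    return secrets.compare_digest(expected.encode(), password.encode())


class CookieSessionStore:
    """Server-side sessions keyed by an opaque random cookie value."""

    def __init__(self, lifetime_seconds: int, clock: Callable[[], float] = time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def login(self, username: str, password: str) -> Optional[str]:
        """Logon form submit: None on failure, otherwise the cookie value to set."""
        if not check_credentials(username, password):
            return None
        token = secrets.token_urlsafe(32)          # unguessable; nothing about the user is encoded in it
        self._sessions[token] = (username, self.clock() + self.lifetime)
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Per-page check: the user behind a presented cookie, or None if invalid or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:              # finite shelf life
            del self._sessions[token]
            return None
        return username

    def expire(self, token: str) -> None:
        """Server-side revocation on demand (logout, or an admin killing the session)."""
        self._sessions.pop(token, None)


def walkthrough() -> dict:
    """Run the lifecycle with a controllable clock and report each check."""
    now = [1_000_000.0]
    store = CookieSessionStore(lifetime_seconds=600, clock=lambda: now[0])
    result = {}
    result["bad_password_rejected"] = store.login("alice", "wrong") is None
    token = store.login("alice", "correct horse battery staple")
    result["cookie_issued"] = token is not None
    result["page_request_ok"] = store.user_for(token) == "alice"
    store.expire(token)
    result["revoked_on_demand"] = store.user_for(token) is None
    token2 = store.login("alice", "correct horse battery staple")
    now[0] += 601                                   # past the 600 s lifetime
    result["expired_after_lifetime"] = store.user_for(token2) is None
    result["forged_cookie_rejected"] = store.user_for("not-a-real-token") is None
    return result
```

Because the cookie is only a lookup key, closing the session server-side is enough to end access; a browser that still holds the cookie, or a later user of the same unattended machine, gets a fresh logon form instead of the mailbox.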
Page 24
Other Security Improvements
Real-Time Collaboration security
Client-server sessions can now use SSL
Information Rights Management
Goal is to let the information creator control: lifetime of the information, what can be done with it, who can do it
Examples: don't allow this email to be forwarded; make this document expire on 1 January
Page 25
Best Practices - Infrastructure
Exchange security is 50% Exchange, 50% infrastructure, 50% planning
Defense in depth is key
Layer 7 firewalls, encryption, authentication, physical security, and infrastructure like AD
Don't forget IDS, and its limitations
Have a response plan, and a plan for the plan
Secure anything your Exchange relies on:
DNS poisoning and spoofing
Domain controller DoS and attacks
Firewall and router ACLs tightly controlled
Page 26
Best Practices - Thinking
Think like a hacker
What sensitive data exists? What's it worth?
How can I get to it? Will I get caught?
Operate securely: know what to do if:
You have been hacked (if you know)
Your server collapses (for any reason)
A major virus or DoS is discovered
Do your colleagues know? Think before it happens. Can they recover?
Page 27
Best Practices - Content
Stop spam
Reduce it: the less there is coming in, the less your AV has to scan and process
Kill authenticated relay, and the Guest account should be disabled
Investigate spam-blockers and RBLs; bastion relays can invalidate RBLs
Secure your OWA
Require SSL (mindful of the impact on IDS)
Terminate SSL and inspect before the FE; pre-authenticate OWA with ISA FP1
Deploy S/MIME where appropriate
Page 28
Best Practices - Clients
Secure your OWA
Require SSL (mindful of the impact on IDS)
Terminate SSL and inspect before the FE
Pre-authenticate OWA with ISA FP1
Deploy S/MIME where appropriate
Plan RPC/HTTP: assess the impacts of people using it OUT of your organisation
Start transitioning away from legacy client protocols like POP if you can; the less to worry about, the better.
Page 29
Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
Newsgroups: converse online with Microsoft newsgroups, including worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
User groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx
Page 30
Suggested Reading and Resources
The tools you need to put technology to work!
Title: Microsoft® Exchange Server 2003 Administrator's Companion, ISBN 0-7356-1979-4; available 9/24/03
Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-shirt
Page 31
evaluations
Page 32
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.