Understanding Security and Exchange Server 2007
Harold [email protected]/haroldwong
Agenda
Messaging security: antivirus, anti-spam
Security enhancements with ISA Server 2006
Securing messages in transit
Security Threats to E-Mail
The most common way for viruses to enter an organization is through e-mail
“…antivirus experts at SoftScan said that 89.5 per cent of all viruses scanned were classified as phishing malware”
- Clement James, “Virus Levels Soar in August,” IT News.com.au, September 5, 2006
Spam volume continues to trend upward over time
“Spammers now generate an estimated 55 billion messages per day... A year ago that number was 30 billion...”
- Robert McMillan, “Spam’s New Image,” CIO.com, August 15, 2006
Phishing scams have become more sophisticated and successful in a short period of time
Choices for Exchange Message Filtering
Exchange Hosted Filtering: anti-spam and antivirus protection in the cloud; SLA-backed e-mail security performance
Exchange Server 2007 Edge Transport server role: anti-spam and antivirus protection in the perimeter; features customized and controlled on-premise
Antivirus Filtering
Anti-spam Filtering
Comprehensive Antivirus, Anti-Spam Protection. Choice: Hosted e-mail security
Choices for Network Edge Protection: Internet-based services protect against spam and viruses before they penetrate the network
Comprehensive Enterprise-class Hosted Services for E-mail Security and Management: service for e-mail security with performance backed by SLAs
Simplify E-mail Administration: offloading e-mail security allows IT to focus on other initiatives
(Diagram: SMTP from the Internet is filtered by the hosted service, then passes the firewall to the on-premise Hub Transport, Mailbox and Client Access servers; hosted service + on-premise software.)
Features of Exchange Hosted Services
Active Protection
Protection against the latest threats before they reach your network
Manage regulatory compliance requirements
Provide e-mail that’s always available
Enterprise-Class Reliability
Global network of tier-one data centers that meet security audit standards
Service availability and performance backed by SLAs
Dedicated expertise and 24/7 network monitoring
Simplified E-mail Administration
Dedicate IT resources to other projects
Activate services quickly with no additional equipment or software
Integrate with your existing e-mail infrastructure
Exchange Hosted Filtering: anti-spam, antivirus, content and policy enforcement, disaster recovery
Only requires a simple MX record change
Performance and uptime SLA
Active multi-layer spam and virus protection
Multi-engine virus filtering (Symantec, Trend Micro, Kaspersky Labs, Sophos)
Flexible policy filter to enforce any e-mail-use rules
E-mail queuing helps ensure mail is never lost
Full e-mail encryption: no public and private key management; gateway, policy-based e-mail encryption
Uninterrupted e-mail accessibility: rapid recovery from unplanned disasters and network outages; thirty-day rolling historical e-mail store
E-mail retention for help with compliance and e-discovery: customized report generation for help demonstrating compliance; fully indexed, searchable archive
Real-time threat prevention features: multi-layer anti-spam and antivirus; customized content and policy enforcement
Protection with Hosted Services
Comprehensive Antivirus, Anti-Spam Protection. Choice: On-premise protection
Choices for Network Edge Protection: on-premise software protects against spam and viruses before they penetrate the network
Local Control of Data: antivirus, anti-spam and security policies can be customized to meet the needs of the organization
Built-in Protection: protection for your data and your network that can expand as the organization grows
(Diagram: SMTP from the Internet reaches the Edge Transport Server in the perimeter, then passes the firewall to the Hub Transport, Mailbox and Client Access servers; on-premise software only.)
The Edge Transport Server Role
Consistent Exchange management experience
Perimeter deployment: not joined to Active Directory (AD); limited AD information transferred securely from the Hub Transport server; utilizes information from AD for recipient filtering
High availability for SMTP
Secure SMTP configuration: address rewriting, relay control, smarthost, Transport Layer Security (TLS)
Features Unique to Edge Transport
Recipient Filtering based on AD information
Outlook Safe Lists propagated to Edge
Administrator managed spam quarantine
Highly Available Messaging With Exchange Server 2007: poison message detection; SMTP back-pressure; ESE-backed queues
Exchange 2007 Antivirus Support: Native Scanning Infrastructure
Multiple third-party antivirus vendors support Exchange Server 2007: Symantec, Trend Micro, Kaspersky Lab, GFI Software, McAfee
VSAPI to enable scanning messages in the store
Antivirus Stamp to minimize unnecessary rescanning
Example of an Antivirus Stamp:
X-MS-Exchange-Organization-AVStamp-Mailbox: VSKing;5;0;info
VSKing: AV vendor name (8 characters)
5: vendor version (32-bit unsigned integer)
0 (VIRSCAN_NO_VIRUS): virus status (32-bit unsigned integer)
info: optional virus info (128-byte string)
Forefront Security for Exchange Server Antivirus Features
Advanced Protection: Forefront server security solutions help businesses protect their messaging servers against viruses and worms; multiple scan engines at multiple layers throughout the corporate infrastructure provide maximum protection against e-mail and collaboration threats
Availability & Control: tight integration with Microsoft Exchange, Windows-based SMTP, SharePoint and Live Communications Servers maximizes availability and management control
Secure Content: ensures organizations can eliminate inappropriate language and dangerous attachments from internal and external communications
Anti-spam Feature Comparison by Exchange Release

Anti-spam Feature                     | Exchange 2003 RTM | Exchange 2003 SP1 | Exchange 2003 SP2 | Exchange 2007 RTM
IP Allow and Deny Lists               | Yes               | Yes               | Yes               | Yes
IP DNS Block Lists                    | Yes               | Yes               | Yes               | Yes
Recipient Filtering                   | Yes               | Yes               | Yes               | Yes
Sender Filtering                      | Yes               | Yes               | Yes               | Yes
Content Filtering (SmartScreen)       |                   | Yes               | Yes               | Yes
Content Filter Updates (SmartScreen)  |                   |                   | Bi-weekly         | Daily
Sender ID                             |                   |                   | Yes               | Yes
IP Safe Lists (aka Bonded Sender)     |                   |                   |                   | Yes
Outlook Postmark Validation           |                   |                   |                   | Yes
Protocol Analysis Data Gathering      |                   |                   |                   | Yes
Protocol Analysis Sender Reputation   |                   |                   |                   | Yes
Open Proxy Validation                 |                   |                   |                   | Yes
Dynamic Spam Data Update Service      |                   |                   |                   | Yes
Per User/OU Spam Settings             |                   |                   |                   | Yes
Admin Quarantine                      |                   |                   |                   | Yes
Automatic DNS Block Lists             |                   |                   |                   | Yes
How Spam is Filtered
1. Connection filtering: real-time block lists; global accept / deny and exception lists
2. SMTP filtering layer: sender and recipient filtering; Sender ID; SMTP command tar-pitting
3. Content filtering: Outlook Safe List aggregation; anti-spam/anti-phishing SCL; per-user/OU spam preferences; international domain support; Outlook postmark validation; quarantine and spam reporting
(Diagram: incoming Internet mail passes through stages 1, 2 and 3 in that order before reaching the Outlook mailbox, where the SCL routes it to the Inbox or the Junk E-mail folder.)
Robust Anti-Spam Reporting: performance counters; Exchange Management Shell data feeds; Microsoft Operations Manager graphical displays
Forefront Security for Exchange Server Updates: Anti-Spam
Continuous stream of spam and virus filter updates published on the Microsoft Update (MU) infrastructure
No administrator intervention required to keep Edge filters fresh
Windows Server Update Services supported
Updates include: daily IMF content filter updates; multiple intra-day IP reputation updates; multiple intra-day spam signatures
Security enhancements with Internet Security and Acceleration Server 2006
Securing Exchange Server 2007 with ISA Server 2006
(Diagram: Internet users reach an ISA 2006 appliance in the headquarters DMZ, which publishes the internal network's external web server, intranet web server, Exchange, Active Directory and SharePoint; an administrator manages ISA from the internal network.)
Integrated Security
Improved idle-based time-outs for session management (NEW)
Smartcards & one-time password support (NEW)
Customized logon forms for most devices & apps (NEW)
LDAP authentication for Active Directory (NEW)
Authentication delegation (NTLM, Kerberos) (NEW)
Efficient Management
Web publishing load balancing (NEW)
Exchange & SharePoint publishing tools (NEW)
Enhanced certificate administration (NEW)
Fast, Secure Access
Single sign-on for multiple resource access (NEW)
Automatic translation of embedded internal links (NEW)
Enhancing Exchange Server 2007 Security

Feature                                   | Without ISA                                                                                          | With ISA Server
DMZ ready                                 | Exchange Server 2007 CAS must be in the DMZ and must be a domain member: lower security and higher TCO | Only ISA Server in the DMZ; can operate in a workgroup (auth via LDAP / RADIUS)
Pre-authentication                        | None: external packets from unknown sources reach the servers                                        | OWA, Outlook/RPC over HTTP, Mobile / ActiveSync (mobile with certificate)
Authentication strength                   | Single factor (username + password); 3rd-party solutions (SecurID)                                   | Two factor (credentials + certificate/OTP); SecurID
Access to links (from OWA & from Outlook) | SharePoint documents (read-only); SharePoint document library (read-only); no access to other web applications; UNC | Full access to all SharePoint capabilities (documents, document libraries, calendar, admin etc.); access to other web applications; UNC (same)
Content / traffic inspection              | None (Forefront inspects only SMTP)                                                                  | Yes (HTTP)
Load balancing an array of OWA            | NLB (IP based only) or external LB device for cookie-based LB                                        | IP- and cookie-based LB are part of ISA
Pre-Authentication Basics
Supports proxy of Outlook Anywhere (RPC/HTTP), Outlook Web Access, and Exchange ActiveSync
Ensures no unauthenticated HTTP traffic reaches the intranet
Pre-authentication is done by a reverse proxy in the perimeter network
Numerous authentication choices
(Diagram: client HTTPS passes the outer firewall to ISA 2006 in the perimeter, then the inner firewall to the Client Access Server, which talks to the Mailbox Server and Active Directory.)
Confidential Messaging Features in Exchange 2007
(Diagram: columns for client features, client to server, server to server, server to perimeter and perimeter to perimeter, laid out across clients, the internal network, the perimeter network, the Internet and the remote perimeter network.)
Security and Exchange Server 2007
Exchange Server 2007 provides improved security out of the box
Message filtering is enhanced with Forefront Security for Exchange Server and Exchange Hosted Filtering
ISA Server 2006 helps provide secure client access
Appendix
April 12, 2023
Security Environment
Need for filtering: viruses, spam, phishing
Need for security: compliance, confidentiality
Enterprise Topology
(Diagram: the Internet and other SMTP servers connect to the Edge Transport role (routing, hygiene, routing policy) at the edge of the enterprise network; inside are the Hub Transport, Client Access (applications: OWA; protocols: ActiveSync, POP, IMAP, RPC / HTTP ...; programmability: web services, web parts), Mailbox (mailbox, public folders) and Unified Messaging (voice messaging, fax; PBX or VoIP) roles.)
EdgeSync Overview
Edge Server features depend on data in Active Directory
Edge Servers MUST operate in perimeter networks
EdgeSync publishes outbound to Edge Servers, subscribes an Edge Server to an AD site, and configures security and routing
The New Edge Transport Server Role: Feature-Rich Perimeter E-mail Defense
Industry-leading anti-spam technology
Comprehensive antivirus protection with Microsoft Forefront Security for Exchange Server
Consistent administration: EdgeSync allows management alongside AD-connected servers; local administration through the Exchange Management Console or the Exchange Management Shell
EdgeSync Published Data
Recipient SMTP addresses: used to reject mail at the edge destined to non-existent addresses; includes primaries / contacts / proxies; addresses are one-way hashed to protect from exposure
Outlook Safe Senders: users' safe sender lists, applied per recipient (one person's safe sender is not another's); a message from a safe sender to a recipient will bypass anti-spam content filtering; does NOT bypass IP blocklists
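The three filtering stages listed under "How Spam is Filtered", combined with the two kinds of data EdgeSync publishes (hashed recipient addresses and per-recipient Outlook safe senders), can be shown as one small pipeline. This is an added example, not Exchange's code: the IP ranges, addresses and safe-sender entries are constructed, and SHA-256 over the lower-cased address is an assumption standing in for the unspecified "one-way hash" the page mentions. It shows the ordering that matters: a safe sender bypasses content scoring for that recipient only, and never bypasses the IP deny list.

```python
import hashlib
import ipaddress

# --- Data EdgeSync would publish from the Hub to the Edge (constructed) ---
# Assumption: addresses are lower-cased and hashed with SHA-256. The page only
# says the addresses are "one-way hashed"; the exact function is not given.
def hash_address(addr: str) -> str:
    return hashlib.sha256(addr.strip().lower().encode("utf-8")).hexdigest()

VALID_RECIPIENT_HASHES = {hash_address(a) for a in (
    "alice@contoso.example", "bob@contoso.example", "sales@contoso.example")}

# Outlook safe senders keyed by recipient hash: one person's safe sender is
# not another's.
SAFE_SENDERS = {
    hash_address("bob@contoso.example"): {"newsletter@partner.example"},
}

# Connection-filtering data: IP deny / allow lists (constructed ranges).
IP_DENY = [ipaddress.ip_network("203.0.113.0/24")]
IP_ALLOW = [ipaddress.ip_network("198.51.100.7/32")]


def connection_filter(src_ip: str) -> str:
    """Stage 1: decided before any message content is accepted."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in IP_DENY):
        return "reject"
    if any(ip in net for net in IP_ALLOW):
        return "allow"      # allow-listed IPs skip the later anti-spam stages
    return "continue"


def recipient_is_valid(rcpt: str) -> bool:
    """Stage 2: reject at RCPT TO using only the hashed directory."""
    return hash_address(rcpt) in VALID_RECIPIENT_HASHES


def content_filter(sender: str, rcpt: str, body_score: int) -> int:
    """Stage 3: return the SCL. A safe sender *for this recipient* bypasses
    content scoring; -1 is the SCL Exchange stamps on safe-listed mail."""
    if sender.lower() in SAFE_SENDERS.get(hash_address(rcpt), set()):
        return -1
    return body_score


def filter_message(src_ip: str, sender: str, rcpt: str, body_score: int):
    """Run the stages in the order the page gives: connection, SMTP, content.
    Returns (outcome, scl)."""
    conn = connection_filter(src_ip)
    if conn == "reject":
        return ("rejected-connection", None)   # safe lists never override this
    if not recipient_is_valid(rcpt):
        return ("rejected-recipient", None)
    if conn == "allow":
        return ("accepted", 0)
    return ("accepted", content_filter(sender, rcpt, body_score))
```

Two caveats a practitioner should keep in mind. Hashing the published list keeps the clear-text directory off the perimeter box, but an unsalted hash of a guessable address is cheap to test, so treat the hash set as confidential data, not as a public artifact. And recipient filtering itself is a validity oracle: the SMTP 550 at RCPT TO tells a directory-harvest attacker which addresses exist, which is why the page pairs it with SMTP command tar-pitting.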
Subscribing Edge Servers
A “Subscription” is created on the Edge box
The Subscription is imported on a Hub server in the site with the best network connectivity to the perimeter network
The Hub will provision certificates to secure the Edge-to-Hub (bridgehead) connection
Routing is configured
On an hourly schedule, the Hub server publishes recipient data to the Edge server; data is hashed to prevent leakage
Forefront Security for Exchange Server 2007: Incremental background scanning
Periodic scanning of the store with updated signatures provides another layer of security
Incremental Background Scanning combines security and performance considerations
Various background scanning options: scan all messages; scan only messages delivered in the past 1, 2, 3, 4, 5, 7 or 30 days; scan only messages with attachments; scan only messages that have never been scanned before
Antivirus stamp
X-header protected by the Header Firewall; AV vendors stamp scan results and consult stamps generated upstream to decide whether to skip AV scanning on the current server
Example:
X-MS-Exchange-Organization-AVStamp-Mailbox: VSKing;5;0;info
VSKing: AV vendor name (8 characters)
5: vendor version (32-bit unsigned integer)
0 (VIRSCAN_NO_VIRUS): virus status (32-bit unsigned integer)
info: optional virus info (128-byte string)
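The antivirus stamp format is described twice in the deck (under "Exchange 2007 Antivirus Support" and again here), and both passages leave the skip decision implicit. The following added example, written for this page and not taken from Exchange or any AV vendor, parses the stamp with the field limits the page states and then applies a skip rule. The rule itself is an assumption: skip only when an upstream stamp from the same vendor, at the same or a newer engine version, reports VIRSCAN_NO_VIRUS, and only when the message arrived over a trusted (authenticated, in-organization) hop, because the header firewall strips X-MS-Exchange-Organization-* headers from anonymous submissions, so a stamp on Internet-sourced mail must never be honoured. The sample message and the `from_trusted_hop` flag are constructed.

```python
import email
from email.message import Message

AV_STAMP_HEADER = "X-MS-Exchange-Organization-AVStamp-Mailbox"
VIRSCAN_NO_VIRUS = 0            # the only status value named on the page
U32_MAX = 2 ** 32 - 1


def parse_av_stamp(value: str) -> dict:
    """Split 'vendor;version;status;info' and enforce the documented limits."""
    parts = value.strip().split(";", 3)
    if len(parts) < 3:
        raise ValueError("AV stamp needs at least vendor;version;status")
    vendor, version, status = parts[0], parts[1], parts[2]
    info = parts[3] if len(parts) == 4 else ""
    if not 1 <= len(vendor) <= 8:
        raise ValueError("vendor name must be 1-8 characters")
    for name, field in (("version", version), ("status", status)):
        if not field.isdigit() or int(field) > U32_MAX:
            raise ValueError(f"{name} must be a 32-bit unsigned integer")
    if len(info.encode("utf-8")) > 128:
        raise ValueError("info must be at most 128 bytes")
    return {"vendor": vendor, "version": int(version),
            "status": int(status), "info": info}


def needs_scan(raw_message: str, my_vendor: str, my_version: int,
               from_trusted_hop: bool) -> bool:
    """Decide whether this server must run its own AV scan.

    Assumed rule (not stated on the page): an upstream stamp from the same
    vendor at the same or newer version reporting no virus lets us skip.
    Stamps on mail from an untrusted hop are ignored, matching what the
    header firewall does to X-MS-Exchange-Organization-* headers there.
    """
    if not from_trusted_hop:
        return True
    msg: Message = email.message_from_string(raw_message)
    for value in msg.get_all(AV_STAMP_HEADER, []):
        try:
            stamp = parse_av_stamp(value)
        except ValueError:
            continue                      # malformed stamp: do not trust it
        if (stamp["vendor"] == my_vendor and stamp["version"] >= my_version
                and stamp["status"] == VIRSCAN_NO_VIRUS):
            return False
    return True


# Constructed sample message (not from the page).
SAMPLE = (
    "From: alice@contoso.example\r\n"
    "To: bob@contoso.example\r\n"
    f"{AV_STAMP_HEADER}: VSKing;5;0;info\r\n"
    "Subject: quarterly numbers\r\n"
    "\r\n"
    "body\r\n"
)
```

The version comparison is the part to think about when deploying a real scanner: a stamp from an older engine says nothing about signatures released since, so an older-version stamp forces a rescan here, while a newer one is accepted.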
Managing Exchange Anti-spam
Configuration: setting actions for SCL levels; setting remote Edge server lists; per-recipient/OU anti-spam configuration; ability to configure exceptions/bypassed recipients
Diagnostics and monitoring: spam stamp; intuitive UI as part of ESM for most common tasks; events, alerts, reporting via MOM; the ExBPA tool will help IT pros keep up with best practices
Configuring SCL thresholds
Set Actions based on the SCL level assigned to a message
Thresholds can be set on a per-recipient basis
Spam Quarantine
Messages over a set SCL are delivered to a Spam Quarantine Store (an Exchange 2007 mailbox)
Send Again and Search: delivered as NDRs, allowing “send again” functionality; quarantine viewed/searched with Outlook / OWA; message is placed in the original format in the mail stream
Quarantine is admin managed, no end-user view; the OWA/Outlook Junk folder is for end users
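The SCL threshold slides list four outcomes (delete, reject, quarantine, junk) plus per-recipient thresholds and bypassed recipients, but not how they combine. This added example, not Exchange code, models the decision. The threshold values, recipients and overrides are constructed; in Exchange 2007 the organization values correspond to Set-ContentFilterConfig (delete, reject, quarantine) and Set-OrganizationConfig -SCLJunkThreshold, and per-recipient values to Set-Mailbox. The comparison operators (greater-than-or-equal for the three transport actions, strictly greater for the store's junk threshold) follow the Exchange 2007 cmdlet documentation as I recall it; verify against your build. The ordering check is this example's own sanity rule.

```python
from typing import Dict

# Organization-wide thresholds (constructed values, not from the page).
ORG_THRESHOLDS: Dict[str, int] = {
    "delete": 9,       # SCLDeleteThreshold
    "reject": 8,       # SCLRejectThreshold
    "quarantine": 6,   # SCLQuarantineThreshold
    "junk": 4,         # SCLJunkThreshold, applied by the mailbox store
}

# Per-recipient overrides and bypassed recipients (constructed).
RECIPIENT_THRESHOLDS = {"ceo@contoso.example": {"quarantine": 3, "junk": 2}}
BYPASSED_RECIPIENTS = {"abuse@contoso.example"}


def validate_thresholds(t: Dict[str, int]) -> None:
    """Sanity rule of this example: a less severe action with a higher
    threshold than a more severe one makes the severe action unreachable
    (delete=5 with reject=8 never rejects anything)."""
    if not t["delete"] >= t["reject"] >= t["quarantine"] >= t["junk"]:
        raise ValueError("need delete >= reject >= quarantine >= junk")


def effective_thresholds(rcpt: str) -> Dict[str, int]:
    """Organization defaults with any per-recipient override applied."""
    merged = dict(ORG_THRESHOLDS)
    merged.update(RECIPIENT_THRESHOLDS.get(rcpt.lower(), {}))
    validate_thresholds(merged)
    return merged


def scl_action(scl: int, rcpt: str) -> str:
    """Map the SCL stamped on a message to the action for this recipient."""
    if rcpt.lower() in BYPASSED_RECIPIENTS or scl < 0:
        return "inbox"          # not content-filtered, or safe-listed (SCL -1)
    t = effective_thresholds(rcpt)
    # Transport actions fire at SCL >= threshold, most severe first.
    if scl >= t["delete"]:
        return "delete"         # dropped silently, no NDR
    if scl >= t["reject"]:
        return "reject"         # NDR to the sender
    if scl >= t["quarantine"]:
        return "quarantine"     # admin-managed quarantine mailbox
    # The store's junk threshold is strictly greater-than.
    if scl > t["junk"]:
        return "junk"
    return "inbox"
```

Note the gap this makes visible: with the values above, SCL 5 is the only score that lands in the user's Junk folder; everything from 6 up never reaches the mailbox. When you lower the quarantine threshold for one recipient, as for the CEO here, you are also shrinking that user's Junk band, which is usually the intent but worth stating in the change record.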
Monitoring Antispam Activity
Performance counters: messages per SCL level; total messages sent to quarantine, deleted, rejected; aggregated in Exchange 2007 Server MOM
Reports: hit rate for block lists; top spam sender domain, top spam sending IP; top targeted domain/recipient
Connection Filtering
IP allow lists, IP deny lists: block or allow connections before accepting message content; supports public deny and allow list providers; overrides all other spam features
Received chain analysis: can be configured to operate behind mail relays; requires message headers be accepted
Microsoft IP Reputation Service: sender reputation built from Hotmail data; distributed via Microsoft Update packages
Internet Sender Authentication
Sender ID and DKIM (formerly Domain Keys) detect spoofing
Detecting spoofing helps detect spam and phishing
Sender ID and DKIM provide internet scale authentication for business-to-consumer messaging
Sender ID
Identifies forged mail from Sender ID compliant domains
Identifies the likely sender with the Purported Responsible Address (PRA) algorithm
Queries Domain Name Servers (DNS) for the Sender ID record, which returns the list of acceptable outbound mail servers' IP addresses
Checks the incoming IP against the acceptable list; mail from other IPs is considered a fail
Admins may configure to: reject the message; tag and pass (contributes to the Content Filtering score)
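The Sender ID steps above (pick the PRA, look up the domain's record, compare the connecting IP, then reject or tag) are shown below as an added example written for this page, not Exchange's implementation. The DNS records and messages are constructed, DNS is replaced by a dictionary, only ip4 mechanisms and "all" are evaluated (a, mx, include and exists would need further lookups), and the PRA selection is the single-Resent-block simplification of RFC 4407. The point it demonstrates is which header Sender ID actually authenticates: with a Sender header present, the PRA is the Sender domain, not the From domain the user sees.

```python
import email
import email.utils
import ipaddress
from typing import Optional, Tuple

# Constructed TXT records standing in for the DNS lookups a real check makes.
DNS_TXT = {
    "contoso.example": "spf2.0/pra ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "fabrikam.example": "v=spf1 ip4:203.0.113.0/28 ~all",
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def purported_responsible_address(raw_message: str) -> Optional[str]:
    """PRA selection (RFC 4407, simplified to one Resent block): the first
    present of Resent-Sender, Resent-From, Sender, From."""
    msg = email.message_from_string(raw_message)
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg.get(name):
            addr = email.utils.parseaddr(msg[name])[1]
            if addr:
                return addr
    return None


def sender_id_check(domain: str, src_ip: str) -> str:
    """Evaluate the domain's record against the connecting IP."""
    record = DNS_TXT.get(domain.lower())
    if record is None:
        return "none"                      # domain publishes no record
    ip = ipaddress.ip_address(src_ip)
    for term in record.split()[1:]:        # skip the version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        # a, mx, include, exists need further DNS lookups: not modelled here
    return "neutral"


def sender_id_action(raw_message: str, src_ip: str,
                     on_fail: str = "stamp") -> Tuple[str, str]:
    """The admin choice from the page: on_fail="reject" refuses failures at
    SMTP; "stamp" tags the result so it feeds the content filter's SCL."""
    pra = purported_responsible_address(raw_message)
    if pra is None or "@" not in pra:
        return ("stamp", "none")
    result = sender_id_check(pra.rsplit("@", 1)[1], src_ip)
    if result == "fail" and on_fail == "reject":
        return ("reject", result)
    return ("stamp", result)


# Constructed messages (not from the page).
MSG_DIRECT = ("From: Alice <alice@contoso.example>\r\n"
              "To: bob@contoso.example\r\nSubject: hi\r\n\r\nbody\r\n")
MSG_BULK = ("From: Alice <alice@contoso.example>\r\n"
            "Sender: bulk@fabrikam.example\r\n"
            "To: bob@contoso.example\r\nSubject: hi\r\n\r\nbody\r\n")
```

MSG_BULK passes when it arrives from fabrikam's range even though the visible From is contoso: that is correct Sender ID behaviour, and it is why the page pairs Sender ID with content filtering and anti-phishing rather than treating a pass as proof the displayed sender is genuine. Reject mode only acts on a hard fail; softfail and neutral are always handed to the content filter.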
Protocol Filtering
Recipient filtering: EdgeSync maintains the recipient list on the Edge server; multi-forest deployments require that addresses be synched to the forest to which Edge servers are “subscribed”
Protocol analysis: learns locally from the connections and messages that are seen on the specific server; builds server-local reputation and blocks targeted spam attacks; based on average spam rating, open proxy checks, protocol anomalies
Intelligent Message Filter v3.0
Machine learning: generates a Spam Confidence Level (SCL) value based on message characteristics
Authenticated domain reputation: very good and very bad domains; catches spammers that use Sender ID
Spam signatures block specific spam campaigns; effective against minispam
Outlook e-mail postmark validation (aka presolved puzzle validation): increases deliverability of Outlook e-mail
Intelligent Message Filter v3.0
Anti-phishing: the most critical phishing attacks/complaints, aggregated from Hotmail and a number of 3rd party reputation services, are leveraged on Edge (via MU)
The Phishing Confidence Level stamped on Edge is used by OWA/Outlook 2007 to drive the Junk folder user experience: links are disabled; content is “flattened”
Custom weight lists: good and “naughty” words affect the score set by the filter; used rarely, for tuning
Client authenticating to ISA
Forms Based Authentication: username and password
Two-factor authentication: certificates or SecurID one-time passwords
HTTP standards: Basic, NTLM, Negotiate
Authentication providers
AD (Windows) when ISA is a domain member
AD (LDAP) when ISA is not a domain member
RADIUS (limited support for groups)
RADIUS for one-time passwords
RSA SecurID (with Authentication Manager)
ISA 2006 Pre-Authentication
(Diagram: (1) mobile and web clients authenticate to the ISA 2006 array with FBA, SecurID, client certificate, Basic, NTLM or Negotiate; (2) the array validates credentials against the user directory: AD (Windows), AD (LDAP), RADIUS server or SecurID server; (3) the array authenticates to the web server with Basic, NTLM, Negotiate, SecurID or KCD.)
ISA 2006 Pre-Authentication (Contd.)
ISA authenticating to Web Server (e.g. OWA, EAS): Basic/NTLM/Negotiate; SecurID; Kerberos Constrained Delegation
Single Sign On: no need for additional sign-on to the web server; published web sites must share a DNS suffix and be published through the same ISA array; client must support cookies