Messaging Security at Microsoft
Eileen Brown
[email protected]
IT Evangelist, Microsoft UK
http://blogs.msdn.com/eileen_brown
This session…
Is about:
  Securing the Exchange infrastructure, and how Microsoft IT does it
  Exchange Security Guides:
    Exchange Server 2003 Security Hardening Guide
    http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exsecure.mspx
    Securing Exchange Communications
    http://www.microsoft.com/technet/security/guidance/secmod44.mspx
Is not about:
  Protecting individual messages and S/MIME
  http://www.microsoft.com/technet/itsolutions/msit/operations/trustmes.mspx
  Working with Exchange Active Directory permissions
Session Objectives & Key Concepts
Session Objectives:
  Provide a broad overview of operational security principles for Exchange servers as outlined in the Exchange Security Operations guide
  Show how these principles are applied by Microsoft IT
  Help you identify ways to improve messaging security in your environment
Key Concepts:
  Achieving messaging security at multiple layers
  Holistic approach to messaging security
Agenda
  E-mail Hygiene – maintaining a secure messaging environment
  Hardening Exchange servers by role
  Securing Exchange communications
  Questions
E-mail Hygiene
E-mail hygiene is more than just AV / AS
Threats:
  Virus infected e-mail
  UCE/spam e-mail
  Denial of Service (DoS) attacks
  Mail bombing/NDRs
  Directory Harvesting Attacks (DHA)
  E-mail impersonation (spoofing)
  Unauthorised e-mail submission and relay
Is E-mail Hygiene Important?
  Malicious and unsolicited e-mails - an annoyance to users
  Also a large hit to the infrastructure
  One day of MS IT statistics (June 2004):
    …out of 25,000,000+ messages sent to microsoft.com
    …less than 1,200,000 were legitimate (less than 5%)
    The rest were filtered out before reaching user mailboxes
How to implement such protection?
  Multi-layered defence is the key!
E-mail Hygiene at MS IT: Layered Defence
  Exchange 2003 Server is used as the platform
  Multiple protection layers:
    Connection filtering
    Sender and recipient filtering
    Spam filtering
    Attachment blocking
    Anti-virus
  [Diagram: Internet -> Exchange SMTP Gateways -> Exchange HUBs -> Mailbox Servers -> Clients, with connection filtering, sender/recipient filtering, anti-spam, attachment filtering/blocking and anti-virus applied along the path]
E-mail Hygiene at MS IT: Connection/Sender/Recipient Filtering
  Connection filtering
    Blocking by IP/subnet
    Exchange 2003 based RBL filtering
    Subscribing to 3rd party RBL services
  Sender and Recipient Filtering
    Built into Exchange 2003 – Global Setting
    Criteria based
    Critical to fight mail bombing attacks
    Filtering mail for ??????@microsoft.com recipients resulted in 10,000,000+ msg/day savings
    Should we filter messages from our own domain in inbound mail?
E-mail Hygiene at MS IT: Recipient Lookup
  NDR processing takes a significant amount of resources
  Recipient lookup validates recipients before accepting messages

    C:\>telnet mailserver.domain.com 25
    …
    MAIL FROM:<>
    250 2.1.0 <>....Sender OK
    RCPT TO: <bogususer@domain.com>
    550 5.1.1 User unknown
    QUIT

  Result: No message payload is transmitted – savings in performance
  But, what if I do RCPT TO: [email protected], RCPT TO: [email protected]…
E-mail Hygiene at MS IT: Recipient Lookup
  Side effect: if carelessly implemented, the possibility of rapid alias enumeration, a.k.a. Directory Harvest Attack (DHA)
  Test: about 20 minutes to harvest all valid 4 character aliases by brute force enumeration
  Possible solution: delay the 550 response for n seconds; this slows down the attacker significantly. With a 5 second delay it takes months to enumerate all 4 character alias combinations
  For Exchange 2003: http://support.microsoft.com/default.aspx?kbid=842851
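Recipient lookup with a delayed 550, as an added example of the tarpit described above (not Microsoft IT code or an Exchange setting): the directory, domain and the assumed undelayed probe rate are constructed, and enumeration_days models a single serial connection.

```python
"""Recipient lookup with a delayed 550 (tarpit), as described above.

Added example, not from the deck: DIRECTORY, LOCAL_DOMAIN and the
probe rate are constructed. The server still tells the truth about
unknown recipients, it just answers slowly, so mail to bogus aliases
is still rejected before the payload, but alias enumeration drags.
"""
import re
import string

# Constructed sample directory of valid local parts for domain.com.
DIRECTORY = {"abcd", "eile", "ops1"}
LOCAL_DOMAIN = "domain.com"

_RCPT_RE = re.compile(r"^RCPT TO:\s*<?([^<>@\s]+)@([^<>\s]+)>?$", re.IGNORECASE)


def handle_rcpt(command: str, unknown_delay: float = 5.0):
    """Return (reply, seconds to wait before sending it) for one RCPT TO.

    known local recipient   -> 250, sent immediately
    unknown local recipient -> 550 5.1.1, sent after unknown_delay
    foreign domain          -> 550 5.7.1, relaying is not offered
    """
    m = _RCPT_RE.match(command.strip())
    if not m:
        return "501 5.5.4 Syntax error in RCPT TO", 0.0
    local, domain = m.group(1).lower(), m.group(2).lower()
    if domain != LOCAL_DOMAIN:
        return "550 5.7.1 Unable to relay", 0.0
    if local in DIRECTORY:
        return f"250 2.1.5 {local}@{domain}", 0.0
    # The tarpit: identical answer to an un-delayed server, just late.
    # The delay is per command on one connection; also cap concurrent
    # connections per source, or the enumerator simply parallelises.
    return "550 5.1.1 User unknown", unknown_delay


def enumeration_days(alias_len: int, delay: float,
                     alphabet: str = string.ascii_lowercase + string.digits,
                     rcpt_per_second: float = 1400.0) -> float:
    """Days for one serial connection to try every alias of alias_len.

    rcpt_per_second is the assumed undelayed probe rate: the deck's
    '20 minutes for all 4 character aliases' over a-z0-9 (36**4 =
    1,679,616 combinations) works out to roughly 1,400 probes/s.
    Every probe of an unknown alias additionally waits `delay` seconds.
    """
    combos = len(alphabet) ** alias_len
    seconds = combos * (1.0 / rcpt_per_second + delay)
    return seconds / 86400.0


if __name__ == "__main__":
    for cmd in ("RCPT TO: <abcd@domain.com>", "RCPT TO: <bogususer@domain.com>"):
        print(cmd, "->", handle_rcpt(cmd))
    print("4-char aliases, no delay:  %.0f minutes" % (enumeration_days(4, 0.0) * 1440))
    print("4-char aliases, 5 s delay: %.0f days" % enumeration_days(4, 5.0))
```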
E-mail Hygiene at MS IT: Restricted/Authenticated Distribution Groups
  Distribution Groups (DG) may contain a large number of recipients. A single malicious message to a DG impacts a large number of users.
  Best Practice: restrict large/sensitive internal DGs
    Protects from most spam attacks, but…
    Much more secure!
E-mail Hygiene at MS IT: Protecting Against Spoofing
  Root cause – anonymous SMTP mail submission
  Minimise anonymous SMTP access internally
  For Internet e-mail:
    Must support anonymous connections
    Accept messages, but provide a visual indication to the user
  Message authentication status is carried between servers in the EXCH50 blob
  [Screenshots: Exchange gateway setting; result on the Outlook client]
E-mail Hygiene at MS IT: Spam Filtering
  Educating users about spam
    Guard your SMTP address
  Fighting spam at multiple levels
    Gateway (filtering)
    Mailbox (move to Junkmail)
    Client (move to Junkmail)
  MS IT uses the Intelligent Message Filter and the Exchange 2003 SCL framework
  http://www.microsoft.com/exchange/imf
Email Hygiene at MS IT: Intelligent Message Filter (IMF)
  Deployed only on the front line Exchange 2003 gateways
  Examines messages and gives each an SCL value [0-9]
  Two thresholds: Gateway and Store
    CN=UCE Content Filter, CN=Message Delivery, CN=Global Settings, CN=ORG_Name, CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=contoso, DC=com
      msExchUceBlockThreshold
      msExchUceStoreActionThreshold
Email Hygiene at MS IT: Intelligent Message Filter (IMF)
  Messages with high SCL values are filtered at the gateway
    Aggressive gateway threshold settings – higher filtering rate at the gateway
    Reduces impact to users and infrastructure
  SCL store level spam filtering
    Assigned SCL rating persists with the message
    SCL > msExchUceStoreActionThreshold value, then Junkmail
  Exposing SCL in Outlook: http://blogs.msdn.com/exchange/archive/2004/05/26/142607.aspx
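The two-threshold flow above, as an added example (not Microsoft IT code): the store's strict "greater than" is from the slides, while the gateway's "greater than or equal", the threshold values and the sample messages are assumptions made for this example.

```python
"""Two-threshold SCL handling as used with IMF (added example, not
Microsoft IT code). IMF on the gateway stamps an SCL of 0-9 into the
EXCH50 blob; msExchUceBlockThreshold drives the gateway action and
msExchUceStoreActionThreshold drives the store's move to Junk E-mail.
The '>' at the store is from the slides; the '>=' at the gateway, the
threshold values and SAMPLE_MESSAGES are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    subject: str
    # SCL as seen by the mailbox store; None when a hop between gateway
    # and store did not propagate the EXCH50 blob, so the rating is lost.
    scl: Optional[int]


def validate_thresholds(block: int, store: int) -> None:
    """Both are SCL ratings 0-9 and the gateway value must be the higher
    one: the store acts only on what the gateway let through."""
    for name, value in (("msExchUceBlockThreshold", block),
                        ("msExchUceStoreActionThreshold", store)):
        if not 0 <= value <= 9:
            raise ValueError(f"{name}={value} is outside the SCL range 0-9")
    if block <= store:
        raise ValueError("gateway threshold must be greater than store threshold")


def thresholds_ok(block: int, store: int) -> bool:
    try:
        validate_thresholds(block, store)
        return True
    except ValueError:
        return False


def gateway_disposition(scl: int, block: int) -> str:
    """Aggressive perimeter setting: drop before anti-virus even runs."""
    return "blocked-at-gateway" if scl >= block else "accepted"


def store_disposition(scl: Optional[int], store: int) -> str:
    """Needs the SCL from EXCH50; without it the store can only deliver to
    the Inbox, which is why every SMTP hop behind IMF must be authenticated
    and propagate the blob."""
    if scl is None:
        return "inbox-unrated"
    return "junk-email" if scl > store else "inbox"


def route(messages, block: int, store: int) -> dict:
    """Final disposition per subject for one gateway + store configuration."""
    validate_thresholds(block, store)
    result = {}
    for m in messages:
        if m.scl is not None and gateway_disposition(m.scl, block) != "accepted":
            result[m.subject] = "blocked-at-gateway"
        else:
            result[m.subject] = store_disposition(m.scl, store)
    return result


# Constructed sample traffic.
SAMPLE_MESSAGES = [
    Message("Re: quarterly numbers", 1),
    Message("You have won!!!", 9),
    Message("Newsletter, maybe wanted", 5),
    Message("Relayed via a third-party SMTP server", None),
]
```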
Email Hygiene at MS IT: Intelligent Message Filter (IMF)
  Key infrastructure design points:
    IMF is positioned before anti-virus scanning
    All SMTP transport behind IMF must be
      Authenticated
      Support EXCH50 blob propagation
  [Diagram: message envelope (EXCH50 blob with SCL rating) and message body (RFC 2822); Internet -> Exchange 2003 SMTP Gateway + IMF -> Exchange 2003 Mailbox Server, with the SCL carried on each Exchange hop; a Third Party SMTP Server is also shown]
E-mail Hygiene at MS IT: E-mail Anti-virus
  10,000 - 500,000 e-mail viruses per day are stopped by the MS IT gateways
  Best practice - scanning at multiple layers
  Possible options
    Gateway
    Information Store
    Client
  The key to success: consistent enforcement of AV policies
  MS IT focus: E2K3 Gateway and Client scanning
    On gateways: the AV solution is integrated with Exchange at the transport level
E-mail Hygiene at MS IT: Attachment Blocking
  Mitigates the risks from new/unknown e-mail viruses
  Enforced at two levels: client and gateway
    Client: Outlook 2003 attachment blocking (Q829982)
    Gateway:
      Executable attachment stripping for all inbound mail
      Occurs prior to virus scanning – performance wins
Securing the Clients
  Many out of the box security features
    Kerberos authentication for Outlook 2003
    Attachment blocking for Outlook/Outlook Web Access
    Web beacon blocking
    Junk mail filtering
  Additional client security
    Limit the client base to only those required
    Proactively block outdated/vulnerable clients from accessing the Exchange store (Q288894)
Hardening Exchange Servers
  Hardening the Operating System
    Also see Windows Server 2003 Security Guide (http://go.microsoft.com/fwlink/?LinkId=21638)
  Hardening Exchange Platform
Hardening Windows
  Security group membership
    Who has administrator privileges on the Exchange server?
  User rights on Exchange servers
    Exchange 2003 denies regular domain users the “Allow log on locally” right
  File and share level permissions
    Who can access the Exchange tracking logs share?
  Windows services
    Do I need the “Wireless configuration” service on Exchange?
Hardening Windows
  Internet Information Server (IIS)
    Should I have /scripts and /IISAdmin directories on Exchange?
    IIS Lockdown for IIS versions prior to 6.0 (KB309508)
  File level anti-virus
    If misconfigured, will cause database corruption (KB823166 & KB328841)
  Consistency is the key! But how to achieve it across all Exchange servers in the ORG?
    Windows Group Policies (GPO) can help
Hardening Windows Platform: Using Windows Group Policies
  “Role based” approach
  Active Directory Organisational Units are used to group servers by role
  [Diagram: OU tree Redmond > IT Services > Messaging, containing Front End Servers, Gateway Servers and Mailbox Servers OUs, alongside Proxy and RAS; linked GPOs: Domain Level Policies, Infrastructure Policies, Messaging Policy, Front End Policy, Gateway Policy, Mailbox Policy]
  New Exchange servers automatically receive security settings according to their role
Hardening Exchange
  Exchange 2003 “Secure by default” examples
    Legacy protocols (POP3/IMAP4) are disabled
    OMA is disabled
    OWA password changes are off
    Kerberos authentication between OWA FE and BE
    Anonymous SMTP relaying is off
    Top Level Public Folders are locked down
    10MB message limits
    Tightened permissions
  Watch for upgrade scenarios!
    Existing settings are often not changed
Hardening Exchange by Role: Exchange Front End Servers at MS IT
  OWA, OMA, EAS, RPC/HTTPs on a single consolidated platform (Exchange 2003)
  Reduced attack surface
    POP3/IMAP4/SMTP are disabled
    Information Store is removed
  Forms based authentication and session timeouts for OWA
  Reduced infrastructure exposure for RPC/HTTPs
    Leverage Exchange 2003 SP1 RPC/HTTP enhancements
    No DC exposure for RPC/HTTPs
    Only ports 6001, 6002 and 6004 of the Back End are allowed
  SSL enforced between the client and FE server at all stages
  Kerberos authentication between Front End and Back End
Hardening Exchange by Role: Exchange Gateway Servers at MS IT
  No anonymous SMTP relaying, even internally
  No SMTP authentication is exposed to the Internet
    Prevents password guessing
  Secure authentication for internal connections
    If anonymous is enabled, the “Send As” check can’t be enforced
  Explicit maximum message size and DSNs on SMTP Virtual Servers

    220 microsoft.com ESMTP Server
    ehlo
    250-maila.microsoft.com Hello [207.46.125.18]
    250-TURN
    250-SIZE 10485760
    250-DSN

  Prevents remote servers from transmitting large messages
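A check of an Internet-facing gateway's EHLO reply against the settings listed above, as an added example (not Microsoft IT tooling): the two sample replies are constructed, and the policy values (10 MB SIZE, DSN advertised, no AUTH offered to the Internet) are taken from the slides.

```python
"""Check an Internet-facing SMTP gateway's EHLO reply against the gateway
settings shown above. Added example, not Microsoft IT tooling: the sample
replies are constructed; the policy (SIZE of at most 10 MB, DSN present,
no AUTH offered to the Internet) follows the slides.
"""


def parse_ehlo(reply: str):
    """Return (hostname, {KEYWORD: parameters}) from a multi-line 250 reply."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply")
    host = lines[0][4:].split()[0]          # "250-maila.microsoft.com Hello [...]"
    extensions = {}
    for line in lines[1:]:
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError(f"malformed EHLO line: {line!r}")
        keyword, _, params = line[4:].strip().partition(" ")
        extensions[keyword.upper()] = params
    return host, extensions


def audit_ehlo(reply: str, max_size: int = 10 * 1024 * 1024,
               internet_facing: bool = True) -> list:
    """Findings for a gateway; an empty list means the reply matches policy."""
    _, ext = parse_ehlo(reply)
    findings = []
    size = ext.get("SIZE", "")
    if not size.isdigit():
        findings.append("SIZE not advertised: no explicit maximum message size")
    elif int(size) > max_size:
        findings.append(f"SIZE {size} exceeds the {max_size} byte policy")
    if "DSN" not in ext:
        findings.append("DSN not advertised")
    if internet_facing and "AUTH" in ext:
        findings.append(f"AUTH ({ext['AUTH']}) offered to the Internet: "
                        "enables password guessing")
    return findings


# Constructed replies; the first mirrors the microsoft.com session above.
GATEWAY_REPLY = """\
250-maila.microsoft.com Hello [207.46.125.18]
250-TURN
250-SIZE 10485760
250-DSN
250 OK
"""

MISCONFIGURED_REPLY = """\
250-relay.contoso.com Hello [10.0.0.5]
250-AUTH GSSAPI NTLM LOGIN
250-SIZE 52428800
250 OK
"""

if __name__ == "__main__":
    for name, reply in (("gateway", GATEWAY_REPLY), ("misconfigured", MISCONFIGURED_REPLY)):
        print(name, audit_ehlo(reply) or "OK")
```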
Securing Exchange Communications
  What do you want to secure?
    User data in transit
    User credentials
    System data in transit
  What do you want to secure against?
    External threats
    Internal threats
Securing Authentication
  Use Windows Integrated authentication
  Proactively disable insecure (Basic) authentication throughout the messaging infrastructure wherever possible

    ldifde -d "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com" -r "(objectClass=protocolCfgSMTPServer)" -p Subtree -l msExchAuthenticationFlags -f CON:

    msExchAuthenticationFlags: 1 – Anonymous, 2 – Basic, 4 – Windows Integrated
  If Basic authentication is required, use transport level security (SSL/TLS, IPSEC)

    C:\>base64 decode TEFCXGpvZWRvdzpUb3RhMTF5JGVjdXJI
    DOMAIN\joedoe:Tota11y$ecure
    decode succeeded
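An audit over the ldifde output above, as an added example (not Microsoft IT's script): it decodes msExchAuthenticationFlags with the bit values from the slide and lists the SMTP virtual servers still permitting Basic; the LDIF and server names are constructed.

```python
"""Audit msExchAuthenticationFlags from ldifde output (added example).

Reads the LDIF the ldifde command above writes, decodes the bit mask
(1 Anonymous, 2 Basic, 4 Windows Integrated) and lists SMTP virtual
servers that still permit Basic, which the deck allows only under
SSL/TLS or IPSEC. SAMPLE_LDIF and the server names are constructed.
"""
ANONYMOUS, BASIC, INTEGRATED = 1, 2, 4
FLAG_NAMES = {ANONYMOUS: "Anonymous", BASIC: "Basic", INTEGRATED: "Windows Integrated"}

# Constructed ldifde output for three SMTP virtual servers. ldifde folds
# long lines and continues them with one leading space (see HUB01).
SAMPLE_LDIF = """\
dn: CN=1,CN=SMTP,CN=Protocols,CN=GATEWAY01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=ORG_Name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
msExchAuthenticationFlags: 1

dn: CN=1,CN=SMTP,CN=Protocols,CN=MBX01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=ORG_Name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
msExchAuthenticationFlags: 7

dn: CN=1,CN=SMTP,CN=Protocols,CN=HUB01,CN=Servers,CN=First Administrative Group,
 CN=Administrative Groups,CN=ORG_Name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
msExchAuthenticationFlags: 4
"""


def parse_ldif(text: str) -> list:
    """Return one {attribute: value} dict per LDIF entry, unfolding lines."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:          # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return entries


def decode_flags(value: int) -> list:
    """Bit mask -> names of the enabled authentication methods."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def server_name(dn: str) -> str:
    """CN=1,CN=SMTP,CN=Protocols,CN=<server>,... -> <server>."""
    return [part.split("=", 1)[1] for part in dn.split(",")][3]


def audit(ldif_text: str) -> dict:
    """Server name -> raw flags, decoded methods and a Basic-enabled verdict."""
    report = {}
    for entry in parse_ldif(ldif_text):
        flags = int(entry.get("msExchAuthenticationFlags", "0"))
        report[server_name(entry["dn"])] = {
            "flags": flags,
            "methods": decode_flags(flags),
            "basic_enabled": bool(flags & BASIC),
        }
    return report


def servers_with_basic(ldif_text: str) -> list:
    """Where Basic must be removed or wrapped in SSL/TLS or IPSEC."""
    return sorted(s for s, r in audit(ldif_text).items() if r["basic_enabled"])
```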
Securing Mobile Messaging Communications
  Reduced exposure – Exchange FE servers are in CorpNet rather than in the DMZ
  ISA 2004 used to protect Exchange FE servers – SSL bridging mode
  Certificate on the FE server must be trusted and “verifiable” by ISA
  [Diagram: Internet | DMZ | Corporate network. Clients -> (SSL) -> ISA Server -> (SSL) -> Exchange 2003 FE (OWA, OMA, EAS, RPC/HTTPs) -> (Kerberos) -> Mailbox Server; Active Directory in the corporate network]
Using IPSEC for Exchange
  IPSEC was essential to secure Exchange 2000 FE-to-BE OWA transactions in the MS IT environment
  IPSEC policies example
    Exchange FE: from me to any; TCP any to 80; Encrypt (Kerberos)
    Exchange BE: Respond only
  You can be really creative with IPSEC if “block on fail” is needed
  Use GPO to apply IPSEC policies by server role
  Exchange 2003 FE-to-BE uses Kerberos authentication
    User credentials are encrypted by default
    IPSEC is still possible to protect data traveling between FE and BE, but beware of data exposure at the next hop (SMTP)
Using SSL/TLS
  Does SSL/TLS provide security?
  Best Practices:
    Use certificates trusted by communicating parties
    Ensure that clients/servers perform full certificate validation (trust chain, common name, expiration, etc)
    When enabling SSL, don’t permit non SSL connections
  [Diagram: hosts A, B and C; DNS request, spoofed DNS response, SSL connection]
Conclusion
  Top things to remember
    Stay up-to-date with software and patch versions at all levels
    Establish layered e-mail hygiene defences
    Enforce e-mail security at multiple levels
    Secure Exchange servers by role
    Consistently enforce OS security settings (for example, through Group Policies)
    Do periodic audits to ensure that security levels are maintained
    Be cognisant of security in upgrade scenarios
    Use only secure authentication methods and enforce SSL/TLS or IPSEC where needed
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.