Implementing Exchange Server Security
Ward Solutions

Session Prerequisites
- Hands-on experience with Microsoft Windows Server 2003
- Working knowledge of Microsoft Exchange Server 2003
- Working knowledge of Internet protocols including POP3, IMAP4, SMTP, HTTP, and NNTP
- Working knowledge of networking, including TCP/IP, DNS, and IIS
- Basic understanding of PKI concepts and technologies
Level 300

Session Overview
- Implementing Exchange Server
- Securing Exchange Server Services and Messaging Protocols
- Maintaining Security on Exchange Server
- Configuring Exchange to Protect Against Unwanted E-Mail

Implementing Exchange Server

Exchange Server 2003 Security Overview
- Secure by design
- Secure by default
- Support for Sender, Recipient and Connection filtering, including Block List services
- Secure by default:
  - User logon on server disabled
  - Messaging limits configuration of 10MB
Microsoft Exchange Server 2003 Security Enhancements: http://www.microsoft.com/exchange/evaluation/security_E2k3.mspx

Exchange Server Deployment Scenarios
- General deployment
- FE/BE deployment
- ISA Server integrated
- Hosted Exchange
[Diagram labels: Front-end Exchange server, Back-end Exchange servers, Exchange server, ISA server, Internet]

Exchange Server Client Scenarios
Exchange Server 2003 client scenarios include the following:
- General client access:
  - Microsoft Outlook
- Mobile client access:
  - Outlook Web Access
  - Outlook Mobile Access
  - Exchange Server ActiveSync

Configuration and Security Update Recommendations for Exchange Server
Component: Operating system and software
  - Microsoft Windows Server 2003 with the latest security updates
  - Exchange Server 2003 with Service Pack 1 (or higher)
  - Microsoft Exchange Intelligent Message Filter
Component: Browser
  - Internet Explorer 6 with the latest security updates
Component: Security update management
  - Microsoft Baseline Security Analyzer

Implementing a Defense-in-Depth Approach to Exchange Server Security
Using a layered approach:
- Increases an attacker's risk of detection
- Reduces an attacker's chance of success
Layers:
- Data: Strong passwords, ACLs, backup and restore strategy
- Application: Application hardening
- Host: OS hardening, authentication, security update management, antivirus updates, auditing
- Internal network: Network segments, NIDS
- Perimeter: Firewalls, border routers, VPNs with quarantine procedures
- Physical security: Guards, locks, tracking devices
- Policies, procedures, and awareness: Security policies, procedures, and education

Securing Exchange Server Services and Messaging Protocols

Securing Exchange Servers: What Are the Challenges?
Challenges to securing an Exchange server include:
- Maintaining the security of the underlying Windows infrastructure
- Maintaining baseline security hardening practices
- Understanding security options for various deployment scenarios

Hardening the Messaging Environment
To harden your Exchange messaging environment, deploy the following:
Environment: Server environment
  - Domain, Domain Controller, and Member Server Baseline Policy templates
  - Windows Server 2003 Security Guide at http://go.microsoft.com/fwlink/?LinkId=21638
Environment: Messaging environment
  - Exchange Domain Controller Baseline Policy template
  - Exchange Server 2003 Security Hardening Guide at http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exsecure.mspx

Hardening Back-End Exchange Servers
Tasks for hardening back-end Exchange servers include:
- Hardening services
- Hardening file access control lists (ACLs)
- Changing privilege rights
- Enabling additional services (optional)
Apply the Exchange 2003 Backend.inf security template to your back-end servers

Hardening Front-End Exchange Servers
Tasks for hardening front-end Exchange servers include:
- Hardening services
- Hardening file access control lists (ACLs)
- Enabling additional services (optional)
- Running URLScan (optional but recommended)
- Dismounting the mailbox store and deleting the public folder store (optional but recommended)
Apply the Exchange 2003 Frontend.inf security template to your front-end servers

Understanding SMTP Relaying
SMTP Relaying: When an SMTP server accepts mail from one DNS domain addressed to mailboxes in another domain, neither one of which the server owns
Relaying may be necessary when:
- Accepting mail for another organization
- Supporting clients that use POP3 or IMAP4
- Supporting applications that generate SMTP mail
Prevent open relays by:
- Allowing only authenticated computers to relay
- Restricting relaying to specific computers or users
- Using an SMTP connector to relay mail to particular domains

Demonstration 1: Securing and Testing SMTP Relaying
Securing SMTP relaying and testing for open relays

Securing SMTP Communication Between Mail Servers
To secure SMTP communication between servers:
1. Install and configure an X.509 certificate on the SMTP server
2. Enable and configure TLS encryption for inbound mail
3. Enable and configure TLS encryption for outbound mail to specific domains

Securing Exchange Servers: Best Practices
- Limit Exchange Server functionality to clients that are strictly required
- Remain current with the latest updates for both Exchange Server 2003 and the operating system
- Use ISA Server 2004 to regulate access for HTTP, RPC over HTTPS, POP3, and IMAP4 traffic
- Use SSL/TLS and forms-based authentication for Outlook Web Access

Maintaining Security on Exchange Server

Maintaining Security on Exchange Server: What Are the Challenges?
Challenges to maintaining security on an Exchange server include:
- Keeping up with the latest security updates
- Keeping up with recommended best practices
- Understanding the impact of configuring the various options within Exchange Server
- Maintaining documentation on configuration and security settings

Analyzing Exchange Server 2003 Using MBSA
MBSA checks for issues related to the following:
- Known Windows and Internet Explorer security issues
- Missing security updates
- Weak account passwords
- Internet Information Services (IIS) security issues
- SQL Server security issues
- Exchange Server security issues

Validating Exchange Server Configuration Settings
ExBPA can examine your Exchange servers to:
- Generate a list of issues, such as misconfigurations or unsupported or non-recommended options
- Judge the general health of a system
- Help troubleshoot specific problems

Demonstration 2: Analyzing Configuration Settings on Exchange Server 2003
Analyze Exchange Server using MBSA and the ExBPA Tool

Implementing Antivirus Protection on Exchange Server
Consider the following when designing and implementing an antivirus solution:
- Design a defense-in-depth approach
- Implement an antivirus scanner that supports AVAPI 2.5
- Prevent file-based scanning on Exchange Server folders

Configuring Exchange to Protect Against Unwanted E-Mail

Preparing for and Installing IMF - What Is Spam?
- Unsolicited Commercial E-mail
- More than 50% of email traffic
- Costly use of resources
- IT Personnel
- Potentially offensive
- Phishing

Preparing for and Installing IMF
Microsoft's Anti-UCE Strategy
- Innovative Technologies
- Industry Self-Regulation and Cooperation
- Working with Governments

What Are the Exchange Options for Limiting Unwanted E-Mail?
Options to limit unwanted e-mail include:
- Recipient filtering
- Sender filtering
- Connection filtering
- Microsoft Exchange Intelligent Message Filter

Preparing for and Installing IMF
[Diagram labels: Accept/Deny Lists, 3rd-party Block Lists, Recipient Filter, Sender Filtering, Intelligent Message Filter, Information Store]

Preparing for and Installing IMF - Exchange 2003 Anti Spam Strategy
Feature                       Filter Point
Accept/Deny Lists             SMTP Session
Block Lists                   SMTP Session
Exchange Sender Filter        SMTP Gateway
Recipient Filtering           SMTP Gateway
Intelligent Message Filter    Gateway/User Mailbox
[Diagram label: Resource Cost]

Configuring Filtering by Recipient Address
Recipient filtering blocks mail to specified addresses within your domain and filters e-mail addressed to users who are not in your Active Directory

Configuring Filtering by Sender Address or Domain
Sender filtering blocks mail from specified senders or domains

Implementing Real-Time Block List Support Using Connection Filtering
Connection filtering is used to configure Exchange Server to contact a Real-Time Block List (RBL) provider

Demonstration 3: Implementing Real-Time Block List Support
Configure Real-Time Block List Support

Overview of Exchange Intelligent Message Filter
Exchange Intelligent Message Filter is an add-on product to help companies reduce the amount of unsolicited commercial e-mail received by users

Preparing for and Installing IMF
Intelligent Message Filtering
- Utilizes Smart Screen Machine Learning
- Applied at the gateway
- Marks message with Spam Confidence Level (SCL) rating
- Utilized throughout the mail stream
- Scans headers, body of message and other attributes.
- Hotmail and MSN
- Outlook 2003 – Junk Folder
- 3rd Party products

Deploying the Intelligent Message Filter
[Diagram labels: Exchange Gateway Servers, Internet, Firewall, Exchange Intranet Servers, Intelligent Message Filter]
Intelligent Message Filter handles e-mail based upon two thresholds:
- Gateway blocking configuration
- Store junk e-mail configuration

Smart Screen Technology
[Diagram labels: Gateway Server, Smart Screen Algorithm, 3rd Party, Mailbox Store Server, Tools, Client]

How the Intelligent Message Filter Works with Exchange and Outlook
[Flow diagram labels. Internet. Exchange Server 2003 Gateway Server: Connection filtering, Recipient filtering, Sender filtering, Intelligent Message Filter (Gateway Threshold). Exchange Server 2003 Back-end: Store threshold, Spam (Yes/No). User mailbox: Safe sender (Y/N), Blocked sender (Y/N). Outcomes: Inbox, Junk.]

Managing IMF Archived Messages Using the Archive Manager
Archive Manager
- C# tool released with source on GotDotNet: http://workspaces.gotdotnet.com/imfarchive
Supports the following features:
- Tree view of the Archive directory of messages
- View of RFC2822 decoded headers and raw message
- Resubmission of message to pickup directory
- Deletion of messages
- Forwarding of message as attachment to third-party address

Demonstration 4: Implementing Exchange Intelligent Message Filter
Implement and configure Intelligent Message Filter

Session Summary
- Deploy Exchange Server 2003 and Microsoft Office Outlook 2003 to take advantage of the latest security enhancements
- Implement the appropriate base and incremental security templates to fully secure Exchange Server
- Install Exchange-aware antivirus applications and maintain security using the MBSA and ExBPA tools
- Protect against unwanted e-mail by implementing a layered approach using features such as filtering and the Intelligent Message Filter utility

Next Steps
- Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
- Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
- Find additional e-learning clinics: https://www.microsoftelearning.com/security
- Get additional security information on Exchange Server 2003: http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/default.mspx

Questions and Answers
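
Added example for the "Understanding SMTP Relaying" slide (not part of the original deck and not Exchange's own code): a model of the three relay restrictions the slide lists, plus a check that flags a policy as an open relay. The `RelayPolicy` class, its field names, and the sample domains and addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RelayPolicy:                      # hypothetical model, not an Exchange API
    local_domains: set                  # domains this server owns
    relay_networks: list = field(default_factory=list)    # computers allowed to relay
    connector_domains: set = field(default_factory=set)   # domains an SMTP connector relays to
    allow_authenticated: bool = True

def decide(policy, client_ip, authenticated, rcpt_to):
    """Return (verdict, reason) for one RCPT TO.

    MAIL FROM is deliberately not consulted: the client chooses it freely,
    so it cannot prove the sender belongs to a domain the server owns.
    """
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if rcpt_domain in policy.local_domains:
        return "accept", "local delivery, not a relay"
    if rcpt_domain in policy.connector_domains:
        return "relay", "connector domain"
    if authenticated and policy.allow_authenticated:
        return "relay", "authenticated client"
    ip = ipaddress.ip_address(client_ip)
    for cidr in policy.relay_networks:
        if ip in ipaddress.ip_network(cidr):
            return "relay", "listed computer in " + cidr
    return "deny", "unable to relay"

def is_open_relay(policy, probe_ip="203.0.113.25", probe_rcpt="probe@outside.example"):
    """True if an unauthenticated outside client can relay to a foreign domain."""
    return decide(policy, probe_ip, False, probe_rcpt)[0] == "relay"

# Constructed sample policies (documentation addresses and .example domains).
HARDENED = RelayPolicy({"contoso.example"}, ["10.0.5.0/24"], {"partner.example"})
MISCONFIGURED = RelayPolicy({"contoso.example"}, ["0.0.0.0/0"])

if __name__ == "__main__":
    for name, pol in (("hardened", HARDENED), ("misconfigured", MISCONFIGURED)):
        print(name, "open relay:", is_open_relay(pol))
        print("  outside, anonymous:", decide(pol, "198.51.100.7", False, "bob@elsewhere.example"))
        print("  inside, anonymous: ", decide(pol, "10.0.5.20", False, "bob@elsewhere.example"))
```

The misconfigured policy shows how a relay grant meant for "specific computers" becomes an open relay once the listed range covers every address.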
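
Added example for the "How the Intelligent Message Filter Works with Exchange and Outlook" slide (not part of the original deck and not Exchange's own code): the gateway filters in the order the slide lists them, followed by the store threshold and the user's safe and blocked sender lists. The class names, threshold values, comparison operators, and the mapping of the safe and blocked sender lists to Inbox and Junk are assumptions, as are the sample addresses.

```python
from dataclasses import dataclass

@dataclass
class Message:                 # constructed model of one inbound message
    client_ip: str
    sender: str
    recipient: str
    scl: int                   # Spam Confidence Level assigned by IMF

@dataclass
class Org:                     # hypothetical settings holder, not an Exchange API
    blocked_ips: set           # stands in for accept/deny and block-list results
    valid_recipients: set      # stands in for the Active Directory lookup
    blocked_senders: set       # sender addresses or domains
    gateway_threshold: int = 8 # assumed value
    store_threshold: int = 5   # assumed value

def gateway_stage(msg, org):
    """Return the gateway filter that stops the message, or None if it passes."""
    sender = msg.sender.lower()
    if msg.client_ip in org.blocked_ips:
        return "connection filtering"
    if msg.recipient.lower() not in org.valid_recipients:
        return "recipient filtering"
    if sender in org.blocked_senders or sender.rsplit("@", 1)[-1] in org.blocked_senders:
        return "sender filtering"
    if msg.scl >= org.gateway_threshold:        # assumed comparison
        return "IMF gateway threshold"
    return None

def route(msg, org, safe_senders=frozenset(), user_blocked=frozenset()):
    """Final disposition after gateway filters, store threshold and Outlook lists."""
    stage = gateway_stage(msg, org)
    if stage:
        return "stopped at gateway: " + stage
    sender = msg.sender.lower()
    if msg.scl > org.store_threshold:           # assumed comparison
        return "Inbox" if sender in safe_senders else "Junk"
    return "Junk" if sender in user_blocked else "Inbox"

# Constructed sample organisation.
ORG = Org({"192.0.2.66"}, {"alice@contoso.example"}, {"spam.example"})

if __name__ == "__main__":
    for scl in (2, 6, 8):
        m = Message("198.51.100.7", "news@shop.example", "alice@contoso.example", scl)
        print(scl, route(m, ORG), "| safe sender:", route(m, ORG, {"news@shop.example"}))
```

In this model a user's safe sender entry rescues mail that only crosses the store threshold, but not mail already stopped at the gateway threshold, which is why the two thresholds need to be tuned together.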