Exchange 2000 Security
advertisement
Securing Exchange 2000 Trustworthy Exchanges and the Art of doing it yourself Chris Weber chris.weber@foundstone.com http://www.foundstone.com http://www.privacydefended.com Synopsis Focused on single backend Exchange Server with front-end OWA server Hacking Exchange Scanning Enumerating Attacking The Exchange Application Secure Administration System Policies Malware OWA Known Vulnerabilities Other Fundamental Considerations IIS 5.0 Windows OS Network Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com What is not covered A lot! Connectors and Replication Internet POP3/SMTP clients like Outlook Express Backups Monitoring and status notifications PKI Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Security Policy Organizational security policies should be in place to guide daily actions. Never start configuring without having a “management supported” plan in place. Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Secure Network Diagram Internet Firewall: DENY ALL by default Incoming from Internet Allow Internet Firewall TCP port 25 (SMTP) TCP/UDP port 53 (DNS) SMTP forwarder/ TCP port 443 (HTTPS) content filter Outgoing Allow: Only established connections Front End Exchange/OWA DMZ Firewall: DENY ALL by default Incoming from DMZ Allow TCP/UDP port 53 TCP port 80 (HTTP) TCP/UDP port 88 (Kerberos) TCP port 135 (endpoint mapper) TCP/UDP port 389 (LDAP) TCP port 445 (SMB/CIFS) TCP port 1025 (optional RPC static port) TCP port 3268 (GC) Outgoing Allow: Only established connections Untrusted DMZ DMZ Firewall BackEnd Exchange Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Trusted Corporate LAN Hacking Exchange 2000 Why Hack Exchange? Learn host configuration information Learn of hidden Public Folders Glean User account names and email addresses Information Gathering Network port scan Server enumeration NetBIOS LDAP RPC User and configuration enumeration LDAP with Null session NetBIOS will Null session Pilfering shares Tracking logs Launching an attack Aiming for admin access Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Hacking Exchange 2000 LDAP exposes Users and Public Folders hidden from the Exchange Address Lists Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Port Scan XGEN: TCP/UDP Ports Used By Exchange 2000 Server (Q278339) D:\tools>fscan -p 1-65535 -z 128 exchange FScan v1.12 - Command line port scanner. Copyright 2000 (c) by Foundstone, Inc. http://www.foundstone.com Scan started at Fri Feb 22 00:50:30 2002 172.16.2.10 172.16.2.10 172.16.2.10 172.16.2.10 25/tcp 80/tcp 119/tcp 135/tcp 172.16.2.10 139/tcp 172.16.2.10 172.16.2.10 172.16.2.10 172.16.2.10 172.16.2.10 143/tcp 443/tcp 445/tcp 563/tcp 593/tcp 172.16.2.10 993/tcp 691/tcp Ask a Question Now! Click on the left portion of your screen. - SMTP - HTTP - NNTP - RPC/DCE endpoint mapper - NetBIOS session service - IMAP - HTTPS - Microsoft SMB/CIFS - NNTP/SSL - HTTP RPC endpoint mapper - SMTP/LSA 172.16.2.10 172.16.2.10 172.16.2.10 172.16.2.10 172.16.2.10 172.16.2.10 172.16.2.10 172.16.2.10 172.16.2.10 172.16.2.10 172.16.2.10 172.16.2.10 172.16.2.10 172.16.2.10 172.16.2.10 995/tcp 1048/tcp 1049/tcp 1053/tcp 1055/tcp 1089/tcp 1104/tcp 1107/tcp 1198/tcp 1200/tcp 1247/tcp 1249/tcp 3372/tcp 3389/tcp 172.16.2.10 4277/tcp - POP/SSL - MS Terminal Server Scan finished at Fri Feb 22 00:55:48 2002 Time taken: 65535 ports in 318.138 secs (206.00 ports/sec) Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Port and Process Mappings Useful tools: FPORT.EXE (from www.foundstone.com) TLIST.EXE /S (from Windows 2000 installation CD \Support directory) Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com fport.exe FPort v1.31 - TCP/IP Process to Port Mapper Copyright 2000 by Foundstone, Inc. http://www.foundstone.com Securing the dot com world Pid Process Port Proto Path 1028 inetinfo -> 25 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 80 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 110 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 119 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 512 svchost -> 135 TCP C:\WINNT\system32\svchost.exe 8 System -> 139 TCP 1028 inetinfo -> 143 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 443 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 8 System -> 445 TCP 1028 inetinfo -> 563 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 512 svchost -> 593 TCP C:\WINNT\system32\svchost.exe 1028 inetinfo -> 691 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 993 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 995 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 264 lsass -> 1032 TCP C:\WINNT\system32\lsass.exe 264 lsass -> 1033 TCP C:\WINNT\system32\lsass.exe 600 msdtc -> 1048 TCP C:\WINNT\System32\msdtc.exe 860 MSTask -> 1049 TCP C:\WINNT\system32\MSTask.exe 1044 mad -> 1053 TCP C:\Program Files\Exchsrvr\bin\mad.exe 1044 mad -> 1055 TCP C:\Program Files\Exchsrvr\bin\mad.exe Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com tlist.exe /s 0 System Process 8 System 172 SMSS.EXE 200 CSRSS.EXE 224 WINLOGON.EXE 252 SERVICES.EXE Svcs: Alerter,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedS torage,seclogon,TrkWks,W32Time,Wmi 264 LSASS.EXE Svcs: Netlogon,NtLmSsp,PolicyAgent,SamSs 368 termsrv.exe Svcs: TermService 512 svchost.exe Svcs: RpcSs 540 SPOOLSV.EXE Svcs: Spooler 600 msdtc.exe Svcs: MSDTC 748 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,SENS 764 LLSSRV.EXE Svcs: LicenseService 808 regsvc.exe Svcs: RemoteRegistry 840 LOCATOR.EXE Svcs: RpcLocator 860 mstask.exe Svcs: Schedule 944 WinMgmt.exe Svcs: WinMgmt 1000 dfssvc.exe Svcs: Dfs 1028 inetinfo.exe Svcs: IISADMIN,IMAP4Svc,NntpSvc,POP3Svc,RESvc,SMTPSVC,W3SVC 1044 MAD.EXE Svcs: MSExchangeSA 1076 mssearch.exe Svcs: MSSEARCH 1524 STORE.EXE Svcs: MSExchangeIS 1556 EMSMTA.EXE Svcs: MSExchangeMTA 2360 CSRSS.EXE Title: 2384 WINLOGON.EXE Title: NetDDE Agent 2464 rdpclip.exe Title: CB Monitor Window 2508 explorer.exe Title: Program Manager 2560 mshta.exe Title: Windows 2000 Configure Your Server 2580 svchost.exe Svcs: TapiSrv 2652 mdm.exe Title: OleMainThreadWndName 2736 CMD.EXE Title: C:\WINNT\System32\cmd.exe - tlist /s 976 notepad.exe Title: fport - Notepad 768 TLIST.EXE Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Exchange 2000 Some Security related changes from 5.5 to 2000 SMTP relay disabled Rights to the Mailbox Admin is DENIED access to mailboxes (by default), but easily changed “Exchange Domain Servers” group full access %COMPUTERNAME%$ full access No more Service Account Your LSA Secrets are safe… Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Exchange 2000 Secure Administration – Lock it down Security Checklist: http://www.microsoft.com/technet/treeview/defau lt.asp?url=/technet/security/tools/w2ksvrcl.asp Disable unnecessary services and ports Enable Auditing Rename local Admin account and enable a strong password ACL and monitor critical Registry keys Watch event logs for failed login attempts Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Exchange 2000 Secure Administration - Roles Administrative Roles Exchange Administrator Exchange Full Administrator Exchange View Only Administrator XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000 (Q262054) http://support.microsoft.com/default.aspx?scid=kb;enus;Q262054 Delegation Wizard Use to add/edit Admin roles Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Exchange 2000 The All-Powerful Exchange Domain Servers Group XADM: Enhancing the Security of Exchange 2000 for the Exchange Domain Servers Group (Q313807) Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Exchange 2000 Secure Administration – Security Permissions Page Registry Hack To show the security tab in System Manager HKCU\Software\Microsoft\Exchange\ExAdmin Value: ShowSecurityPage Date: 1 (REG_DWORD) XADM: Security Tab Not Available on All Objects in System Manager (Q259221) Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Exchange 2000 Securing File Shares Security of Shares Tracking Logs: %COMPUTERNAME%.log Contain user information such as email addresses and usernames. EVERYONE or Authenticated Users can read by default Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Exchange 2000 Secure Administration - TURN OFF WHAT YOU DON’T NEED Disable unnecessary services and protocols For both Exchange and Windows Do you need POP3? IMAP? HTTP? Do you need the Alerter service? Messenger? DHCP client? Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Exchange 2000 System Policies System Policies Server policy Mailbox policy Public Folder policy Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Exchange 2000 Malware - Virus, trojan and worm protection Use SMTP content filter for Internet email Use a separate host or a firewall for SMTP relay Catch incoming/outgoing malware elsewhere, and relieve your Exchange server of the load Virus protection in the Information Store Well, some viruses originate within, so you still need protection. Several server based virus scanners will protect (i.e. MailSecurity by GFI, Trend Micro, Sybari Antigen, NAI GroupShield) Virus protection on the client Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Exchange and Outlook Malware – Protection in Outlook Prevent scripts and Active content from running on your user’s workstations Set the Security Zone in Outlook to “Restricted Sites” – under Tools > Options > Security Keep up-to-date with latest MS Outlook and Internet Explorer patches and security hotfixes Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Outlook Web Access Installation and Design Considerations General OWA security Lock down IIS Security checklists http://www.microsoft.com/technet/treeview/default.asp?u rl=/technet/security/tools/tools.asp IISLock.exe Definitely use SSL Decide on Front-end vs. Back-end model Must read: http://www.microsoft.com/Exchange/techinfo/deployment/2000/E2 KFrontBack.asp Front-End server Isolate it even in the DMZ (it should only communicate with the Exchange BE server and an AD DC) Intranet Firewall between Front End and Back End Use STATIC RPC ports: http://support.microsoft.com/support/kb/articles/q224/1/96.asp Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Internet Firewall: Secure Network Diagram DENY ALL by default Internet Firewall Incoming from Internet Allow TCP port 25 (SMTP) SMTP forwarder/ TCP/UDP port 53 (DNS) content filter TCP port 443 (HTTPS) Outgoing Allow: Only established connections Front End Exchange/OWA DMZ Firewall: DENY ALL by default Incoming from DMZ Allow TCP/UDP port 53 TCP port 80 (HTTP) TCP/UDP port 88 (Kerberos) TCP port 135 (endpoint mapper) TCP/UDP port 389 (LDAP) TCP port 445 (SMB/CIFS) TCP port 1025 (optional RPC static port) TCP port 3268 (GC) Outgoing Allow: Only established connections Untrusted DMZ DMZ Firewall BackEnd Exchange Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Trusted Corporate LAN Firewalls DENY everything. Only allow what you need! Internet firewall DMZ firewall DENY ALL incoming and outgoing Allow only what you need! For example: Incoming from Internet Allow: TCP port 443 (HTTPS) TCP port 25 (SMTP) TCP/UDP port 53 (DNS) Outgoing Allow: Only established connections Intranet Assign static RPC ports to the Exchange Server Ask a Question Now! Click on the left portion of your screen. DENY ALL incoming and outgoin Allow only what you need! For example: Incoming from DMZ Allow: TCP port 80 (HTTP) TCP/UDP port 88 (Kerberos) TCP/UDP port 53 TCP/UDP port 389 (LDAP) TCP port 3268 (GC) TCP port 135 (endpoing mapper) TCP port 1025 (optional RPC static port) TCP port 445 (SMB/CIFS) Outgoing Allow: Only established connections Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Exchange 2000 Vulnerabilities * February 2002 * MS02-003 : Exchange 2000 System Attendant Incorrectly Sets Remote Registry Permissions http://archives.neohapsis.com/archives/vendor/2002-q1/0023.html September 2001 MS01-049 : Deeply-nested OWA Request Can Consume Server CPU Availability August 2001 MS01-043 : NNTP Service in Windows NT 4.0 and Windows 2000 Contains Memory Leak July 2001 MS01-041 : Malformed RPC Request Can Cause Service Failure June 2001 MS01-030 : Incorrect Attachment Handling in Exchange OWA Can Execute Script March 2001 MS01-014 : Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000 November 2000 MS00-088 : Exchange User Account Vulnerability Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com The Windows OS The FOUNDATION of Exchange Security is a pyramid Exchange security depends on the OS security Follow checklists and best practices available from www.microsoft.com/security as well as many third parties like SANS (www.sans.org) Ensure new OS and Exchange installs are hardened before placed into production Don’t let unnecessary services and software run! Keep up-to-date on latest MS Service Packs and security hotfixes Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com Exchange 2000 Additional Thoughts SMTP replication in clear text!!! Use IPSec with encryption parameters to protect this traffic Public Folders EVERYONE group can add new folders by default Event Sinks XCCC: Script Host Sink Is Not Registered on Exchange 2000 Server by Default (Q264995) http://www.outlookexchange.com/articles/glenscales/ wssevtar.asp by Glen Scales Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com References Exchange http://www.microsoft.com/exchange http://www.microsoft.com/security http://www.slipstick.com http://www.msexchange.org http://www.labmice.net IPSec http://www.securityfocus.com/infocus/1519 Ask a Question Now! Click on the left portion of your screen. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com The End Ask a Question Now! Securing Exchange 2000 Chris Weber chris.weber@foundstone.com http://www.foundstone.com http://www.privacydefended.com
