Page 1: Messaging Security at Microsoft Eileen Brown eileenb@microsoft.com IT Evangelist Microsoft UK

Messaging Security at Microsoft

Eileen Brown
eileenb@microsoft.com
IT Evangelist, Microsoft UK
http://blogs.msdn.com/eileen_brown

Page 2

This session…

Is about:
- Securing the Exchange infrastructure …and how Microsoft IT does it
- Exchange Security Guides:
  Exchange Server 2003 Security Hardening Guide
  http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exsecure.mspx
  Securing Exchange Communications
  http://www.microsoft.com/technet/security/guidance/secmod44.mspx

Is not about:
- Protecting individual messages and S/MIME
  http://www.microsoft.com/technet/itsolutions/msit/operations/trustmes.mspx
- Working with Exchange Active Directory permissions

Page 3

Session Objectives & Key Concepts

Session Objectives:
- Provide a broad overview of operational security principles for Exchange servers as outlined in the Exchange Security Operations guide
- Show how these principles are applied by Microsoft IT
- Help you identify ways to improve messaging security in your environment

Key Concepts:
- Achieving messaging security at multiple layers
- Holistic approach to messaging security

Page 4

Agenda
- E-mail Hygiene – maintaining a secure messaging environment
- Hardening Exchange servers by role
- Securing Exchange communications
- Questions

Page 5

E-mail Hygiene

E-mail hygiene is more than just AV / AS

Threats:
- Virus infected e-mail
- UCE/spam e-mail
- Denial of Service (DoS) attacks
- Mail bombing/NDRs
- Directory Harvesting Attacks (DHA)
- E-mail impersonation (spoofing)
- Unauthorised e-mail submission and relay

Page 6

Is E-mail Hygiene Important?

Malicious and unsolicited e-mails are an annoyance to users, and also a large hit to the infrastructure.

One day of MS IT statistics (June 2004):
- …out of 25,000,000+ messages sent to microsoft.com
- …less than 1,200,000 were legitimate (less than 5%)
- The rest were filtered out before reaching user mailboxes

How to implement such protection?

Multi-layered defence is the key!

Page 7

E-mail Hygiene at MS IT: Layered Defence

Exchange 2003 Server is used as the platform

Multiple protection layers:
- Connection filtering
- Sender and recipient filtering
- Spam filtering
- Attachment blocking
- Anti-virus

[Diagram: mail flow from the Internet through the Exchange SMTP Gateways and Exchange HUBs to the Mailbox Servers and Clients. Protection layers marked along the path: Connection Filtering, Sender/Recipient Filtering, Anti-spam; Attachment filtering, Anti-virus; Attachment blocking, Anti-virus, Anti-spam.]

Page 8

E-mail Hygiene at MS IT: Connection/Sender/Recipient Filtering

Connection filtering
- Blocking by IP/subnet
- Exchange 2003 based RBL filtering
- Subscribing to 3rd party RBL services

Sender and Recipient Filtering
- Built into Exchange 2003 – Global Setting
- Criteria based
- Critical to fight mail bombing attacks
- Filtering mail for ??????@microsoft.com recipients resulted in a 10,000,000+ msg/day savings
- Should we filter messages from our own domain in inbound mail?

Page 9

E-mail Hygiene at MS IT: Recipient Lookup

NDR processing takes a significant amount of resources

Recipient lookup validates recipients before accepting messages

C:\>telnet mailserver.domain.com 25
…
MAIL FROM:<>
250 2.1.0 <>....Sender OK
RCPT TO: <bogususer@domain.com>
550 5.1.1 User unknown
QUIT

Result: No message payload is transmitted – savings in performance

But, what if I do RCPT TO: <[address 1]>, RCPT TO: <[address 2]>, …?

Page 10

E-mail Hygiene at MS IT: Recipient Lookup

Side effect: if carelessly implemented, there is the possibility of rapid alias enumeration, a.k.a. Directory Harvest Attack (DHA)

Test: about 20 minutes to harvest all valid 4 character aliases by brute force enumeration

Possible solution: delay the 550 response for n seconds; this slows down the attacker significantly. With a 5 second delay it takes months to enumerate all 4 character alias combinations

For Exchange 2003: http://support.microsoft.com/default.aspx?kbid=842851
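The recipient-lookup dialogue from the previous page and the delayed-550 countermeasure described here, as an added example that is not from the presentation or from Exchange: a small Python model of the envelope phase of an SMTP session that validates each RCPT TO against a directory, holds every 550 back for n seconds and, going one step beyond the slide, closes the session after too many unknown recipients. The directory, address names and thresholds are constructed; enumeration_cost_days reproduces the slide's arithmetic so the effect of the delay, and its limit against parallel connections, can be seen.

```python
"""Recipient lookup with a delayed 550 ("tarpit"), modelled on the slides.

Added example, not Microsoft's or Exchange's code. The directory, the
thresholds and the dialogue are constructed for illustration. handle()
returns the reply and the seconds a real server would sleep before sending it.
"""
import re

# Constructed recipient directory: the data the recipient lookup consults.
VALID_RECIPIENTS = {"alice@domain.com", "bob@domain.com", "postmaster@domain.com"}

UNKNOWN_RECIPIENT_DELAY = 5   # seconds to hold back a 550, as on the slide
MAX_UNKNOWN_PER_SESSION = 20  # added here: drop sessions that keep probing

MAIL_RE = re.compile(r"^MAIL FROM:\s*<([^>]*)>\s*$", re.IGNORECASE)
RCPT_RE = re.compile(r"^RCPT TO:\s*<([^>]*)>\s*$", re.IGNORECASE)


class Session:
    """Envelope-phase state for one SMTP connection."""

    def __init__(self, directory=VALID_RECIPIENTS, delay=UNKNOWN_RECIPIENT_DELAY,
                 max_unknown=MAX_UNKNOWN_PER_SESSION):
        self.directory = {a.lower() for a in directory}
        self.delay = delay
        self.max_unknown = max_unknown
        self.sender = None
        self.recipients = []
        self.unknown_count = 0
        self.closed = False

    def handle(self, line):
        """Process one client command; return (reply, delay_seconds)."""
        if self.closed:
            return "421 4.7.0 Connection closed", 0
        m = MAIL_RE.match(line)
        if m:
            self.sender = m.group(1)
            self.recipients = []
            return f"250 2.1.0 <{self.sender}>....Sender OK", 0
        m = RCPT_RE.match(line)
        if m:
            if self.sender is None:
                return "503 5.5.1 Need MAIL command", 0
            rcpt = m.group(1).lower()
            if rcpt in self.directory:
                self.recipients.append(rcpt)
                return f"250 2.1.5 <{rcpt}>", 0
            # Lookup failed: reject before any payload is sent, but hold the
            # 550 for `delay` seconds so alias enumeration becomes slow.
            self.unknown_count += 1
            if self.unknown_count >= self.max_unknown:
                self.closed = True
                return "421 4.7.0 Too many invalid recipients, closing", self.delay
            return "550 5.1.1 User unknown", self.delay
        if line.strip().upper() == "QUIT":
            self.closed = True
            return "221 2.0.0 Service closing transmission channel", 0
        return "500 5.5.2 Command not recognised", 0


def enumeration_cost_days(alphabet_size, length, delay_seconds, connections=1):
    """Wall-clock days to probe every alias of the given length with one
    RCPT TO per candidate, each rejection delayed as configured.
    `connections` models parallel probing: the delay is a brake, not a cure."""
    candidates = alphabet_size ** length
    return candidates * delay_seconds / connections / 86400


def run_dialogue(lines, **session_kwargs):
    """Feed a scripted client dialogue through one Session; return the
    server replies and the total seconds of imposed delay."""
    session = Session(**session_kwargs)
    replies, held = [], 0
    for line in lines:
        reply, delay = session.handle(line)
        replies.append(reply)
        held += delay
    return replies, held
```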

Page 11

E-mail Hygiene at MS IT: Restricted/Authenticated Distribution Groups

Distribution Groups (DG) may contain a large number of recipients. A single malicious message to a DG impacts a large number of users.

Best Practice: restrict large/sensitive internal DGs

Protects from most spam attacks, but…

Much more secure!

Page 12

E-mail Hygiene at MS IT: Protecting Against Spoofing

Root cause – anonymous SMTP mail submission
- Minimise anonymous SMTP access internally
- For Internet e-mail:
  Must support anonymous connections
  Accept messages, but provide a visual indication to the user

Message authentication status is carried between servers in the EXCH50 blob

[Screenshot: Exchange Gateway setting]
[Screenshot: Result on Outlook Client]

Page 13

E-mail Hygiene at MS IT: Spam Filtering

Educating users about spam
- Guard your SMTP address

Fighting spam at multiple levels
- Gateway (filtering)
- Mailbox (move to Junkmail)
- Client (move to Junkmail)

MS IT uses the Intelligent Message Filter and the Exchange 2003 SCL framework
http://www.microsoft.com/exchange/imf

Page 14

Email Hygiene at MS IT: Intelligent Message Filter (IMF)

Deployed only on the front line Exchange 2003 gateways

Examines messages and gives each an SCL value [0-9]

Two thresholds: Gateway and Store

CN=UCE Content Filter, CN=Message Delivery, CN=Global Settings, CN=ORG_Name, CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=contoso, DC=com
- msExchUceBlockThreshold
- msExchUceStoreActionThreshold

Page 15

Email Hygiene at MS IT: Intelligent Message Filter (IMF)

Messages with high SCL values are filtered at the gateway
- Aggressive gateway threshold settings – higher filtering rate at the gateway
- Reduces impact to users and infrastructure

SCL store level spam filtering
- Assigned SCL rating persists with the message
- If SCL > msExchUceStoreActionThreshold value, then Junkmail

Exposing SCL in Outlook: http://blogs.msdn.com/exchange/archive/2004/05/26/142607.aspx

Page 16

Email Hygiene at MS IT: Intelligent Message Filter (IMF)

Key infrastructure design points:
- IMF is positioned before anti-virus scanning
- All SMTP transport behind IMF must be
  Authenticated
  Support EXCH50 blob propagation

[Diagram: a message consists of the Envelope, the EXCH50 Blob with SCL rating and the Message body (RFC 2822). Boxes shown: Internet, Third Party SMTP Server, Exchange 2003 SMTP Gateway +IMF, Exchange 2003 Mailbox Server, with SCL labels on the hops between the Exchange servers.]

Page 17

E-mail Hygiene at MS IT: E-mail Anti-virus

10,000 - 500,000 e-mail viruses per day are stopped by the MS IT gateways

Best practice - scanning at multiple layers

Possible options
- Gateway
- Information Store
- Client

The key to success: consistent enforcement of AV policies

MS IT focus: E2K3 Gateway and Client scanning

On gateways: the AV solution is integrated with Exchange at the transport level

Page 18

E-mail Hygiene at MS IT: Attachment Blocking

Mitigates the risks for new/unknown e-mail viruses

Enforced at two levels: client and gateway

Client: Outlook 2003 attachment blocking (Q829982)

Gateway:
- Executable attachment stripping for all inbound mail
- Occurs prior to virus scanning – performance wins

Page 19

Securing the Clients

Many out of the box security features
- Kerberos authentication for Outlook 2003
- Attachment blocking for Outlook/Outlook Web Access
- Web beacon blocking
- Junk mail filtering

Additional client security
- Limit the client base to only those required
- Proactively block outdated/vulnerable clients from accessing the Exchange store (Q288894)

Page 20

Hardening Exchange Servers

Hardening the Operating System
- Also see Windows Server 2003 Security Guide (http://go.microsoft.com/fwlink/?LinkId=21638)

Hardening Exchange Platform

Page 21

Hardening Windows

Security group membership
- Who has administrator privileges on the Exchange server?

User rights on Exchange servers
- Exchange 2003 denies regular domain users the “Allow log on locally” right

File and share level permissions
- Who can access the Exchange tracking logs share?

Windows services
- Do I need the “Wireless configuration” service on Exchange?

Page 22

Hardening Windows

Internet Information Server (IIS)
- Should I have /scripts and /IISAdmin directories on Exchange?
- IIS Lockdown for IIS versions prior to 6.0 (KB309508)

File level anti-virus
- If misconfigured, will cause database corruption (KB823166 & KB328841)

Consistency is the key! But how to achieve it across all Exchange servers in the ORG?

Windows Group Policies (GPO) can help

Page 23

Hardening Windows Platform: Using Windows Group Policies

“Role based” approach

Active Directory Organisational Units are used to group servers by role

[Diagram: OU tree Redmond > IT Services > Messaging > Front End Servers / Gateway Servers / Mailbox Servers, with Proxy, Print and RAS alongside; Group Policies shown: Domain Level Policies, Infrastructure Policies, Messaging Policy, Front End Policy, Gateway Policy, Mailbox Policy.]

New Exchange servers automatically receive security settings according to their role

Page 24

Hardening Exchange

Exchange 2003 “Secure by default” examples
- Legacy protocols (POP3/IMAP4) are disabled
- OMA is disabled
- OWA password changes are off
- Kerberos authentication between OWA FE and BE
- Anonymous SMTP relaying is off
- Top Level Public Folders are locked down
- 10MB message limits
- Tightened permissions

Watch for upgrade scenarios!
- Existing settings are often not changed

Page 25

Hardening Exchange by Role: Exchange Front End Servers at MS IT

OWA, OMA, EAS, RPC/HTTPs on a single consolidated platform (Exchange 2003)

Reduced attack surface
- POP3/IMAP4/SMTP are disabled
- Information Store is removed
- Forms based authentication and session timeouts for OWA

Reduced infrastructure exposure for RPC/HTTPs
- Leverage Exchange 2003 SP1 RPC/HTTP enhancements
- No DC exposure for RPC/HTTPs
- Only ports 6001, 6002 and 6004 of the Back End are allowed

SSL enforced between the client and FE server at all stages

Kerberos authentication between Front End and Back End

Page 26

Hardening Exchange by Role: Exchange Gateway Servers at MS IT

No anonymous SMTP relaying, even internally

No SMTP authentication is exposed to the Internet
- Prevents password guessing

Secure authentication for internal connections
- If anonymous is enabled, the “Send As” check can’t be enforced

Explicit maximum message size and DSNs on SMTP Virtual Servers

220 microsoft.com ESMTP Server
ehlo
250-maila.microsoft.com Hello [207.46.125.18]
250-TURN
250-SIZE 10485760
250-DSN

Prevents remote servers from transmitting large messages
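An added example, not from the presentation or from Exchange, that checks an EHLO reply such as the one above against this page's gateway policy: an explicit SIZE of at most 10 MB and no AUTH offered to the Internet. SAMPLE_EHLO is a constructed capture with a "250 OK" terminating line added; the hostnames and addresses in the test data are made up.

```python
"""Check an SMTP gateway's EHLO reply against the gateway policy on this page.

Added example, not from the presentation or from Exchange. SAMPLE_EHLO is a
constructed capture; the policy (explicit SIZE of at most 10 MB, no AUTH
offered to the Internet) follows the slide.
"""

POLICY_MAX_SIZE = 10485760  # 10 MB, the value advertised on the slide

# Constructed EHLO reply as seen from the Internet; "250 OK" added as the
# terminating line that the slide's excerpt leaves off.
SAMPLE_EHLO = (
    "250-maila.microsoft.com Hello [207.46.125.18]\r\n"
    "250-TURN\r\n"
    "250-SIZE 10485760\r\n"
    "250-DSN\r\n"
    "250 OK\r\n"
)


def parse_ehlo(reply):
    """Return (greeting, {KEYWORD: parameters}) from a multi-line 250 reply.
    Raises ValueError if the reply is not a well-formed EHLO response."""
    lines = [l for l in reply.replace("\r\n", "\n").split("\n") if l]
    if not lines or lines[0][:3] != "250" or lines[0][3:4] not in ("-", " "):
        raise ValueError("not a 250 reply")
    greeting = lines[0][4:]
    extensions = {}
    for i, line in enumerate(lines[1:], start=1):
        sep = line[3:4]
        if line[:3] != "250" or sep not in ("-", " "):
            raise ValueError(f"malformed line: {line!r}")
        # RFC 2821: "250-" means more lines follow, "250 " is the last line.
        if sep == " " and i != len(lines) - 1:
            raise ValueError("text after the final 250 line")
        keyword, _, params = line[4:].partition(" ")
        extensions[keyword.upper()] = params
    if lines[-1][3:4] != " ":
        raise ValueError("reply not terminated")
    return greeting, extensions


def audit_gateway(reply, max_size=POLICY_MAX_SIZE, internet_facing=True):
    """Return a list of policy findings; an empty list means compliant."""
    _, ext = parse_ehlo(reply)
    findings = []
    size = ext.get("SIZE")
    if size is None:
        findings.append("SIZE not advertised: no explicit maximum message size")
    elif not size.isdigit():
        findings.append("SIZE advertised without a value: no maximum is declared")
    elif int(size) > max_size:
        findings.append(f"SIZE {size} exceeds policy maximum {max_size}")
    if internet_facing and "AUTH" in ext:
        findings.append(f"AUTH ({ext['AUTH']}) offered to the Internet: password guessing surface")
    return findings
```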

Page 27

Securing Exchange Communications

What do you want to secure?
- User data in transit
- User credentials
- System data in transit

What do you want to secure against?
- External threats
- Internal threats

Page 28

Securing Authentication: Use Windows Integrated authentication

Proactively disable insecure (Basic) authentication throughout the messaging infrastructure wherever possible

ldifde -d "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com" -r "(objectClass=protocolCfgSMTPServer)" -p Subtree -l msExchAuthenticationFlags -f CON:

msExchAuthenticationFlags values: 1 – Anonymous, 2 – Basic, 4 – Windows Integrated

If Basic authentication is required, use transport level security (SSL/TLS, IPSEC)

C:\>base64
base64>> decode TEFCXGpvZWRvdzpUb3RhMTF5JGVjdXJI
DOMAIN\joedoe:Tota11y$ecure
decode succeeded
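An added example, not Microsoft tooling, that reads output of the ldifde command above and decodes msExchAuthenticationFlags to list the SMTP virtual servers that still allow Basic authentication. SAMPLE_LDIF is a constructed sample in the shape ldifde produces, with made-up server names and the contoso.com naming from the slide.

```python
"""Find SMTP virtual servers that still allow Basic authentication by decoding
msExchAuthenticationFlags from ldifde output.

Added example, not Microsoft tooling. SAMPLE_LDIF is a constructed sample in
the shape ldifde emits for the command on the slide; server names are made up.
"""
import base64

AUTH_FLAGS = {1: "Anonymous", 2: "Basic", 4: "Windows Integrated"}  # from the slide

# Constructed ldifde output for two virtual servers. ldifde folds long
# attribute lines; a continuation line starts with one space.
SAMPLE_LDIF = """\
dn: CN=1,CN=SMTP,CN=Protocols,CN=GATEWAY01,CN=Servers,CN=First Administrative
  Group,CN=Administrative Groups,CN=ORG_Name,CN=Microsoft Exchange,CN=Services,
 CN=Configuration,DC=contoso,DC=com
changetype: add
msExchAuthenticationFlags: 7

dn: CN=1,CN=SMTP,CN=Protocols,CN=MAILBOX01,CN=Servers,CN=First Administrative
  Group,CN=Administrative Groups,CN=ORG_Name,CN=Microsoft Exchange,CN=Services,
 CN=Configuration,DC=contoso,DC=com
changetype: add
msExchAuthenticationFlags: 4
"""


def parse_ldif(text):
    """Unfold continuation lines and return a list of {attribute: [values]}."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]       # continuation: drop the one leading space
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():              # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>" for non-safe strings
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(key.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def decode_auth_flags(value):
    """Map the bitmask to method names; unknown bits are kept visible."""
    flags = int(value)
    names = [name for bit, name in sorted(AUTH_FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(AUTH_FLAGS)
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names


def server_name(dn):
    """Return the server CN that follows CN=Protocols in a virtual server DN."""
    parts = [p.strip() for p in dn.split(",")]
    for i, part in enumerate(parts[:-1]):
        if part.upper() == "CN=PROTOCOLS":
            return parts[i + 1].split("=", 1)[1]
    return dn


def audit_basic_auth(ldif_text):
    """Return {server: enabled methods} for every virtual server with Basic on."""
    findings = {}
    for entry in parse_ldif(ldif_text):
        for value in entry.get("msExchAuthenticationFlags", []):
            methods = decode_auth_flags(value)
            if "Basic" in methods:
                findings[server_name(entry["dn"][0])] = methods
    return findings
```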

Page 29

Securing Mobile Messaging Communications

Reduced exposure – Exchange FE servers are in CorpNet rather than in the DMZ

ISA 2004 used to protect Exchange FE servers – SSL bridging mode

Certificate on the FE server must be trusted and “verifiable” by ISA

[Diagram: Clients on the Internet connect over SSL to the ISA Server in the DMZ, which connects over SSL to the Exchange 2003 FE (OWA, OMA, EAS, RPC/HTTPs) in the Corporate network; the FE talks to the Mailbox Server and Active Directory using Kerberos.]

Page 30

Using IPSEC for Exchange

IPSEC was essential to secure Exchange 2000 FE-to-BE OWA transactions in the MS IT environment

IPSEC policies example
- Exchange FE: me → any; TCP any → 80; Encrypt (Kerberos)
- Exchange BE: Respond only

You can be really creative with IPSEC if “block on fail” is needed

Use GPO to apply IPSEC policies by server role

Exchange 2003 FE-to-BE uses Kerberos authentication
- User credentials are encrypted by default
- IPSEC is still possible to protect data traveling between FE and BE, but beware of data exposure at the next hop (SMTP)

Page 31

Using SSL/TLS: Does SSL/TLS provide security?

Best Practices:
- Use certificates trusted by communicating parties
- Ensure that clients/servers perform full certificate validation (trust chain, common name, expiration, etc)
- When enabling SSL, don’t permit non SSL connections

[Diagram: hosts A, B and C; A's DNS Request is answered by a Spoofed DNS Response before the SSL connection is established.]

Page 32

Conclusion

Top things to remember
- Stay up-to-date with software and patch versions at all levels
- Establish layered e-mail hygiene defences
- Enforce e-mail security at multiple levels
- Secure Exchange servers by role
- Consistently enforce OS security settings (for example, through Group Policies)
- Do periodic audits to ensure that security levels are maintained
- Be cognisant of security in upgrade scenarios
- Use only secure authentication methods and enforce SSL/TLS or IPSEC where needed

Page 33

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only.

MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.