MSG329
Controlling Viruses with Exchange Server and Outlook
Jan De Clercq
Senior Member of Technical Staff
Hewlett-Packard, Technology Leadership Group
Agenda
Defining the Virus Problem
Virus ‘Lifecycle’
Known Exploits + Prevention
Virus Detection & Prevention
Protecting Points of Entry & Attack
Exchange Server - Specific Detection & Scanning Methods – Test Results
What’s new: Exchange Server 2003 enhancements
What is a Virus?
Code that exploits existing systems
Intrusion into system
Self-replication & propagation
Benefits from automation
Can carry payload
Can be harmful or benign
Without user consent
Resides in specific security context
Payload can be nuisance message or much, much worse
Escalating Payloads
Chart: payload reach escalating over the years ’98 through ’05 and beyond, from PCs to Networks, Systems, Services, Companies and Future Attacks*
Increasing Popularity: Trojan Horses, Active Content, Network Payload
Ease-of-Authoring: Code-base, Executables, Macros, Script
Target = PCs, Wireless, Networks, Directory
*Source: MEC’99 presentation
Virus Terminology
Virus, Worm, Trojan Horse, etc.
Polymorphic, Stealth, Variants, etc.
Scanning, Signatures, Recursive Decompression, Heuristics, etc.
Payload, Transmission Vectors
Disturbing Trends
Transmission Rate & Vectors Up
Payload Latency Down
Payload Potency Up
Virus ‘Lifecycle’ (diagram)
HTTP, SMTP, File-based (media)
Foreign MTA
PC Configuration
Front-End Servers, Firewalls
Back-End (Mailbox) Servers
Email Clients (Outlook Web Access, Outlook, Outlook Express)
User Logon Context
Defining the Virus Problem
Network Security
Content Control
System Operations
The Virus Problem is three-fold
Solving the Virus Problem
Network Security
Content Control
System Operations
Varying Levels of Commitment = Effort in each area
1. Basic
2. Intermediate
3. Highest Security
What is your commitment to solution?
99%: AV Screening @ Gateways / Mailboxes
99.9%: Above + Content restrictions + OS Config
99.99%: Above + Sandbox + Client lockdown
..or Outsource the Problem
Known Exploits + Prevention
Learning from Previous Outbreaks
Virus Case Studies: Past Exploits
What have we learned?
What can we predict? (lead time…)
Where are we exposed?
Exploit: Head Hits Steering Wheel
Example: Bad crash
Solution(s): Air Bag
(Chronological Order)
Viral Capabilities Precede Outbreaks*
Chart: Authoring Capabilities (1996 1997 1998 1999 2000) precede Viral Outbreaks (1997 1998 1999 2000 2001) for each of Executables, Macro, Script and Transport
*Source: MEC’99 presentation
Outbreak Response
Advance preparation
Detection Systems & Notification
On Outbreak
Unplug infected system(s)
Shut down SMTP outbound*
Shut down MTAs / Hubs
Download new signatures
Run A/V or cleanup utilities
Determine when OK to re-connect
* Exchange 2003 Enhancement
Well-known exploits
Exploit: Exploited known / patched vulnerability
Example: Morris Worm 11.2.88
Solution(s): Stay current e.g. via Windows Update & Office Update
Get Secure, Stay Secure
microsoft.com/security: Security Tools, Bulletins and Virus Alerts
Windows + Office Update; Windows + Office Integration
E.g. issue with ‘SQL Slammer’
Automatic Updates
But what about Change Control? Software Update Server (SUS)
HTML script and email
Exploit: ‘Demo’ HTML virus
Example: First known: HTML.Internal 11.10.98
Solution(s): Set IE zone security to "Medium" or higher
For truly paranoid: Outlook Key; ZAPHTML from slipstick.com
Outlook 2002 Plain Text: Convert all incoming HTML non-digitally-signed or non-encrypted email to plain text - See Q307594
Can still view in OWA
Social Engineering
Exploit: Here is that document you asked for ... don't show anyone else ;-)
Example: Melissa 03.26.99
Solution(s): User Education “Trust nothing”
Disable Macros
Ongoing User Education
IDC survey: more than a third (37 per cent) of business email users would still open the attachment of an email titled 'ILOVEYOU'
The report found that on any day of the year users would open an email appearing to be from someone they know if the following appeared in the subject line: Great Joke (54 per cent), Look at this (50 per cent), Message (46 per cent), No title (40 per cent) or special offer (39 per cent).
Source: http://www.theregister.co.uk/content/8/16668.html 2/6/2001
User Education: Learn with each Attack
Social Engineering
Unsafe attachments: Active content, Hidden extensions
Save & scan if unsure
Unsafe messages: Open = launch
Leave ‘suspicious’ incoming messages alone for a few hours or days
Opening Unprotected Points of Entry, e.g. POP email, Web email etc.
Mass email generator
Exploit: Programmatic access to address book
Example: Melissa 03.26.99
Solution(s): Admin Education: e.g. Dummy entries in GAL (weak)
Outlook Security Update
Need for purging worm generated emails
Outlook Security Update
“The Most Powerful Anti-Virus Tool on the Planet”
The vast majority of email-borne viruses (such as ILOVEYOU, Melissa, and Goner) can be stopped in their tracks by taking one simple action -- installing the Outlook E-mail Security Update today. Updates are available for Outlook 2000 and Outlook 98. The update is built into Outlook 2002 in Office XP.
http://www.microsoft.com/technet/security/virus/virus.asp
(These are live hyperlinks in the PowerPoint deck)
Outlook Security Update
Outlook 98 Servicepack 2 and onward
Viruses are prevented from programmatically accessing the address book
Certain attachment types are restricted: Level 1, Level 2
http://www.microsoft.com/office/outlook/evaluation/security.asp
Internet Security Zone to Restricted Sites by default
Launch attachments
Exploit: Launch attachments directly from email
Example: Melissa 03.26.99
Solution(s): Outlook Security Update
Save to disk allows A/V scanning
Hidden extensions
Exploit: E.g. Executable appears as zip or text or picture
Example: Worm.ExploreZip 06.06.99
Solution(s): ‘Hide extensions’ (Explorer default) must be changed
Attachment blocking
Outlook Security Update
Active Script
Exploit: E.g. VBS viruses
Example: VBS/Freelink 10.14.99
Solution(s): Change default VBS action to Edit (in Registry)
Outlook Security Update
Default Script Actions
Give up Automation? No!
e.g. change default action to Edit instead of disabling WSH – save ability to run scripts
REGEDIT /S VIRUSFIX.REG
Contents of VIRUSFIX.REG (the REGEDIT4 header line is required for REGEDIT to import the file):
REGEDIT4
[HKEY_CLASSES_ROOT\VBSFile\Shell]
@="Edit"
[HKEY_CLASSES_ROOT\VBEFile\Shell]
@="Edit"
[HKEY_CLASSES_ROOT\JSFile\Shell]
@="Edit"
[HKEY_CLASSES_ROOT\JSEFile\Shell]
@="Edit"
[HKEY_CLASSES_ROOT\WSFFile\Shell]
@="Edit"
[HKEY_CLASSES_ROOT\WSHFile\Shell]
@="Edit"
…
Use Group Policy to Restrict Applications
Auto-launch attachment
Exploit: Auto-launch attachments - runs when email opened
Example: Bubbleboy 11.09.99
Solution(s): Microsoft Security Bulletin (MS99-032): Patch Available for "scriptlet.typelib/Eyedog" Vulnerability
Network + blended attacks
Exploit: Uses Admin context to attack NT system and uses network
Example: W32.FunLove 11.11.99
Solution(s): Reduce logon context
File-based scanning even for servers
Solving the Virus Problem
Network Security
Viral capability = logon / security context
RunAs (Win32 apps) or Remote Desktop
Blended threats: Email, Shares, IIS, Backdoors / Spyware
Email & MIME are ‘too trusting’
Fool me once, fool me twice
Exploit: "kindly check the attached LOVELETTER coming from me."
Example: ILOVEYOU.txt.vbs 05.04.2000
Solution(s): ‘Hide extensions’ (Explorer default) must be changed
Change default VBS action to Edit (in Registry)
Outlook Security Update
HTML Automation
Exploit: User does not have to open attachment to become infected. Attaches to outgoing signature in Outlook Express.
Example: KAK worm 05.05.2000
Solution(s): HTML off?
Outlook Key
Outlook Express Security Update
Server-side scanning
Outlook Express Security Update
Q291387 OLEXP: Using Virus Protection Features in Outlook Express 6
Security tab of the Tools, Options dialog: Disable Active Content in HTML E-mail
OE6 uses Restricted Zone instead of Internet Zone
Warn me when other applications try to send mail as me
Do not allow attachments to be saved or opened that could potentially be a virus
Managed via Control Panel: Folder Options - Confirm open after download checkbox
POP Email Proxy Scanning
New transports & file types
Exploit: Spread via IRC
Example: LIFE_STAGES.TXT.SHS 06.20.2000
Solution(s): Admin Education, e.g. Filter out SHS extension (who knew?)
Admin Education: Learn with each Attack
Address Book / GAL access
Active Content & Unwanted content types: ??_, 00?, 386, ACM, ADT, APP, ARC, ARJ, ASP, AX?, BAT, BIN, BO?, CAB, CBT, CDR, CHM, CLA, CMD, COM, CNV, CPL, CSC, DL?, DEV, DOC, DOT, DRV, EXE, GMS, GZ?, HLP, HT?, ICE, IM?, INI, JS?, LZH, MB?, MD?, MPD, MPP, MPT, MSI, MSG, MSM, MSO, MSP, MST, OBD, OBT, OCX, OLE, OV?, PCI, POT, PP?, QLB, QPW, RAR, REG, RTF, SCR, SHS, SMM, SYS, TAR, TD0, TLB, TSP, VBS, VS?, VWP, VXD, WBK, WIZ, WPC, WPD, WSI, XL?, XML, XSL, XTP, ZIP
DO NOT RELY ON SCANNING BY EXTENSION!
Desktop & Outlook Deployments: Security Patches (e.g. Outlook via Internet), IE Security Zones, Windows settings (file extensions, scripts)
Admin Logon context: Run As or Remote Admin (Terminal Server)
Network attack + backdoor
Exploit: Start as e-mail, IRC or download, scan IP ranges – provide own backdoor
Example: Qaz.trojan (W32.HLLW.QAZ.A) 08.14.2000; Bymer (alias Msinit and Wininit) 11.07.2000
Solution(s): Basic security "best practices" – Network Share settings, firewalls etc.
Alternate Data Streams
Exploit / Example: Proof of concept W2K.Stream 09.07.2000
Solution(s): Block *} attachments
Upgradeable virus
Exploit: Variable attachment ending with .exe or .scr + Capability to upgrade itself via usenet
Example: W32.Hybris 11.14.2000
Solution(s): Outlook Update
.SCR filtering
Testing, Testing…
Exploit: EXE that is not a Flash movie
Example: Shockwave worm 11.30.2000
Solution(s): Outlook Update
Tennis anyone?
Exploit: Another VBS hidden extension
Example: AnnaKournikova.jpg.vbs 02.12.2001
Solution(s): See Worm.ExploreZip 06.06.99 and VBS/Freelink 10.14.99
RTF vulnerability
Exploit: Infected .rtf document will attempt to download remote .DOT file carrying Trojan horse from Russian Web site
Example: W97M.Goga or DUNpws.ik 06.14.2001
Solution(s): Microsoft patch (MS01-028) or Word 2002 or later
Another blended threat
Exploit: Attempt at randomizing email contents + Infect files shared over an open network
Example: SirCam worm 07.18.2001
Solution(s): Basic security "best practices"
Bug in random number generator, file deleting, space filling payloads likely not activated
Email, Network, Internet….
Exploit: Hybrid virus: Exploited IIS vulnerability - email attachment, network shares, IIS server.
Example: Code Red 09.18.2001
Solution(s): Basic security "best practices"
Microsoft Security Bulletin (MS01-020) Originally posted: March 29, 2001
If at first you don’t succeed
Exploit: Variant
Example: Nimda variants
Solution(s): Basic security "best practices"
Microsoft Security Bulletin (MS01-020) Originally posted: March 29, 2001
Email spoofing + randomization
Exploit: Well known: See MS01-020 and/or MS01-027
Example: Klez & .E variant 10.25.2001
Solution(s): Outlook Security Patch
Malformed MIME
Exploit: Malformed MIME exploit: allow attachment to execute without prompting
Example: W32.Badtrans.B 11.24.2001
Solution(s): Microsoft Security Bulletin (MS01-020) superseded by MS01-027. Originally posted: May 16, 2001
Social Engineering
Exploit: Q216309.exe – SMTP engine disguised as Internet Security Update. Attacks mapped drives
Example: Gibe 03.04.2002
Solution(s): Outlook Update
User Education: Microsoft DOES NOT send patches via email
AP headline: “New virus can infect photo files”
Exploit: Claims to infect JPG files – once you install the EXE
Example: Perrun 06.14.2002
Solution(s): Ummm, don’t install the EXE
I’m getting tired…
Exploit: Mass-mailing, Termination of Antivirus Programs and Firewalls, Compromise of Cached Passwords
Example: W32.Lirva.A@mm January 10, 2003
Solution(s): Outlook Update
User Education: Microsoft DOES NOT send patches via email
What’s next?
Exploit: Well-known exploits: "about:" or "javascript:", IFRAME tag
Example: See ntbugtraq.com
Solution(s): Outlook Security Update or get Outlook 2002 or later
Illegal MIME
Exploit: RFC 822 standards for MIME, wide variety of interpretations of multipart structure
Example: Content-Type: text/plain; name==?us-ascii?Q?eicar.com?=
Variants of the name parameter:
name=eicar.com
name=""eicar.com
name=."eicar.com"
name=eicar .com
name="eicar.com
name==?us-ascii?Q?eicar.com?=
name==?us-ascii?Q?eicar?=.com
name==?us-ascii?Q?eicar?= =?us-ascii?Q?.com?=
name="eicar.=?us-ascii?Q?com?="
name="eicar.=?us-ascii?Q?com?=
name=eicar.=?us-ascii?Q?com?=
name=eicar.=?us-ascii?Q?co?=m
Solution(s): Outlook Security Update
Block .DAT
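The name= spellings listed on this slide, run through code. This Python is an added example, not part of the original deck: it reconstructs the attachment name with a deliberately forgiving parser (an assumption about how a tolerant mail client reads the header: decode RFC 2047 encoded-words, then drop quotes and whitespace) and compares it with a naive filter that only accepts a clean quoted string or bare token. The naive extension check catches one of the twelve distinct spellings, which is the point behind "do not rely on scanning by extension".

```python
import base64
import quopri
import re

# The twelve distinct Content-Type spellings from the slide, all naming the same eicar.com attachment.
VARIANTS = [
    'text/plain; name==?us-ascii?Q?eicar.com?=',
    'text/plain; name=eicar.com',
    'text/plain; name=""eicar.com',
    'text/plain; name=."eicar.com"',
    'text/plain; name=eicar .com',
    'text/plain; name="eicar.com',
    'text/plain; name==?us-ascii?Q?eicar?=.com',
    'text/plain; name==?us-ascii?Q?eicar?= =?us-ascii?Q?.com?=',
    'text/plain; name="eicar.=?us-ascii?Q?com?="',
    'text/plain; name="eicar.=?us-ascii?Q?com?=',
    'text/plain; name=eicar.=?us-ascii?Q?com?=',
    'text/plain; name=eicar.=?us-ascii?Q?co?=m',
]

# Extensions the deck singles out for blocking (.SCR, .DAT, .SHS, .VBS and .COM/.EXE executables).
BLOCKED_EXTENSIONS = {"com", "exe", "scr", "vbs", "shs", "dat"}

ENCODED_WORD = re.compile(r"=\?([^?]+)\?([QqBb])\?([^?]*)\?=")


def decode_encoded_words(text: str) -> str:
    """Expand RFC 2047 encoded-words (=?charset?Q?..?= or =?charset?B?..?=) wherever they occur."""
    def expand(match):
        charset, encoding, payload = match.group(1), match.group(2).upper(), match.group(3)
        if encoding == "Q":
            raw = quopri.decodestring(payload.encode("ascii"), header=True)  # header=True maps '_' to space
        else:
            raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
        try:
            return raw.decode(charset, errors="replace")
        except LookupError:  # unknown charset label: still decode rather than fail open
            return raw.decode("latin-1")
    return ENCODED_WORD.sub(expand, text)


def strict_name(content_type: str) -> str:
    """Naive filter: only a well-formed quoted string or a bare token after name= is recognised."""
    quoted = re.search(r'\bname="([^"]+)"', content_type)
    if quoted:
        return quoted.group(1)
    bare = re.search(r"\bname=([A-Za-z0-9_.-]+)", content_type)
    return bare.group(1) if bare else ""


def lenient_name(content_type: str) -> str:
    """Forgiving reconstruction (assumed client behaviour): everything after name= up to the next ';',
    encoded-words decoded, then every quote character and whitespace removed."""
    match = re.search(r"\bname\s*=\s*([^;]*)", content_type, re.IGNORECASE)
    if not match:
        return ""
    value = decode_encoded_words(match.group(1))
    return re.sub(r'["\s]', "", value)


def extension(name: str) -> str:
    """Lower-cased text after the last dot, or '' when there is no dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def naive_blocked(content_type: str) -> bool:
    return extension(strict_name(content_type)) in BLOCKED_EXTENSIONS


def lenient_blocked(content_type: str) -> bool:
    return extension(lenient_name(content_type)) in BLOCKED_EXTENSIONS


def compare(headers=VARIANTS):
    """Return (header, naive verdict, lenient verdict) for each spelling."""
    return [(h, naive_blocked(h), lenient_blocked(h)) for h in headers]


if __name__ == "__main__":
    for header, naive, lenient in compare():
        verdict = lambda blocked: "BLOCK" if blocked else "pass "
        print(f"naive={verdict(naive)} lenient={verdict(lenient)}  {header}")
```

Blocking on the decoded name is still only a first line; the summary slide's advice to filter by content rather than trust MIME headers is what closes the remaining gap.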
What’s next?
Exploit: <Your network here>
Example: <Your name here>
Solution(s): Look for exploit opportunities in your own environment (to prevent!)
Protecting Points of Entry
1. Firewalls & Gateways*
2. Mailbox Servers
3. Clients / Desktops
Diagram: Internet → Firewall / SMTP Gateway → Network Server → Mailbox Servers → Your Organization, with a Point of Entry at each stage
* Could be Exchange perimeter
1: Firewalls & Gateways
Content & Virus Scanning
ISA e.g. Trend InterScan VirusWall, GFI DownloadSecurity for ISA Server, Finjan SurfinGate - See isaserver.org
Windows Server 2003 SMTP products
Port watch products: http://msdn.microsoft.com/msdnmag/issues/02/09/NewStuff/default.aspx (MSDN Magazine > September 2002)
Also File-based Scanning
Solving the Virus Problem
Content Control
Anti-Virus Scanning
Content Filtering: By file type, By content
Balance between effectiveness and maximum loss rate
Exchange 2003 Filtering
See Simon Attwell’s Anti-spam session
Connection Filtering: Real Time Blacklists
Content Filtering: Spam Beacon blocking
Recipient Filtering: Block/Allow addresses
Restricted Distribution Lists
Allow authenticated Internal email
Restrict Relaying
2: Mailbox Servers
Store-based Content & Virus Scanning
Exchange Scanning Methods
<1998: MAPI
2000: AVAPI
2001: VSAPI
2002: VSAPI2
2003: VSAPI2.5
Product Selection Criteria
Warning: Exclude Exchange Binaries, Databases, Logs, etc. from File-based Scanning
Anti-Virus Resource Usage
A/V Process uses CPU + drives up Store.exe Process
Limits Server Scalability
Solution / Options: Scale Vertically e.g. Add Processors
“Surround” Mailbox Servers with A/V Scanning
3: Clients / Desktops
User & Admin Education
Outlook E-mail Security: See Session SEC360 Outlook Security and Virus Protection (Weds 9 am)
Other Options: Turn off the email preview pane
Tools, Options, Send tab, Mail Sending Format, Plain Text
Desktop Anti-Virus: Scans email attachments saved to temporary folder
Q49500 List of Antivirus Software Vendors
Outlook Express E-mail Security
What’s new: Exchange Server 2003
Enhancements
VSAPI2.5
OWA Attachment Blocking
Filtering (Anti-Spam)
MIME Handling
Outlook Version Control: Allows Patch Enforcement
VS API V2.0 in Ex2k SP1
Scans messages and attachments
Priority based Scanning Queue
Proactive Message Scanning
Enhanced Background Scanning
Thread pooling
Message Details
Per-MDB Scanning
EDK Gateway content scanning
Message body and attachment scanning
Native MAPI/MIME content scanning
Scanner On-Demand Reload
VS API V2.5 in Ex2003
Antivirus App can delete messages
Antivirus App can send messages to the sender, and add additional virus status messages thus allowing clients to better indicate the infection status of a given message
VSAPI Scanning
Proactive Scanning: As messages arrive inbound to the server
On Access Scanning: When messages are accessed via client or agent
Background Scanning: Ongoing scanning of messages
Primarily used for re-scanning data when virus signatures are updated
Priority Scanning Queue
One queue exists for the entire Store process; Maximum of 30 items
Messages are submitted to queue with a high or low priority
Requested item (i.e. Message Open) receives high priority
Saves and Posted items receive low priority
High priority messages are always scanned before low priority
Item priority can be upgraded upon access
Proactive Scanning
Proactively scans messages as they are submitted to Store
Transport Submit, Client Submittal
Gives item an opportunity to be scanned prior to access (i.e. Message Open)
Proactive Items receive a low Priority.
Maximum of 30 low priority items in queue. FIFO based removal of low priority items in queue
If removed, then item will be scanned when accessed
On Access Scanning
Process: The item’s virus stamp is checked
If item has not been scanned by current virus signature, the item is inserted into queue
Items are assigned a high priority in queue
If item was in low priority queue when accessed, item priority is upgraded to high
Client waits to be “signaled” when scanning is complete or times out
Essentially eliminates the need for traditional manual scanning
Background Scanning
Opens each corresponding MsgFolder table and walks contents
ptagVirusScannerStamp is now stamped on Folders, MsgFolder, Msg, and Attachment table entries
Optimization: If ptagVirusScannerStamp is up-to-date on the Folder entry, contents are not scanned.
New items in folders will be scanned when submitted or accessed
Sleeps until Store is restarted or Virus Interface is updated
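The queue, on-access and background behaviour described on the preceding slides (Priority Scanning Queue through Background Scanning), as a small Python simulation added here, not Exchange code: a 30-item FIFO low-priority queue fed by proactive submissions, high-priority inserts and upgrades on message open, a signature-version integer standing in for ptagVirusScannerStamp, and the folder-stamp shortcut that lets background scanning skip folders already scanned with the current signatures. Class and method names are this example's own.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

MAX_LOW_PRIORITY = 30   # queue limit stated on the slides


@dataclass(eq=False)
class Message:
    msg_id: str
    stamp: Optional[int] = None   # stands in for ptagVirusScannerStamp: signature version last scanned with


@dataclass(eq=False)
class Folder:
    name: str
    messages: list
    stamp: Optional[int] = None   # folder-level stamp used by the background-scan optimisation


class ScanQueue:
    """Simplified model of the per-Store VSAPI queue (constructed for this example)."""

    def __init__(self, signature_version: int) -> None:
        self.signature_version = signature_version
        self.high = deque()        # message-open requests: always served first
        self.low = deque()         # proactive submissions: FIFO, capped
        self.dropped = []          # low items evicted by the cap; scanned on access instead
        self.scanned_order = []    # msg_ids in the order the scanner processed them

    def submit_proactive(self, msg: Message) -> None:
        """Transport or client submittal: low priority; the oldest low item is evicted at the cap."""
        if len(self.low) >= MAX_LOW_PRIORITY:
            self.dropped.append(self.low.popleft())
        self.low.append(msg)

    def scan_next(self) -> Optional[Message]:
        """Scan one item, high priority before low, and stamp it with the current signature version."""
        if self.high:
            msg = self.high.popleft()
        elif self.low:
            msg = self.low.popleft()
        else:
            return None
        msg.stamp = self.signature_version
        self.scanned_order.append(msg.msg_id)
        return msg

    def access(self, msg: Message) -> str:
        """On-access path: stamp check, high-priority insert (or upgrade), then wait for the scan."""
        if msg.stamp == self.signature_version:
            return "already scanned"
        if msg in self.low:                          # queued proactively: upgrade, do not duplicate
            self.low.remove(msg)
        if msg not in self.high:
            self.high.append(msg)
        while msg.stamp != self.signature_version:   # the client is "signaled" once its item is done
            self.scan_next()
        return "scanned on access"

    def update_signatures(self, version: int) -> None:
        """New signature set: every existing stamp is now stale, which wakes background scanning."""
        self.signature_version = version

    def background_scan(self, folders) -> int:
        """Walk folders; skip a folder whose own stamp is current; return the number of messages scanned."""
        scanned = 0
        for folder in folders:
            if folder.stamp == self.signature_version:
                continue
            for msg in folder.messages:
                if msg.stamp != self.signature_version:
                    msg.stamp = self.signature_version
                    self.scanned_order.append(msg.msg_id)
                    scanned += 1
            folder.stamp = self.signature_version
        return scanned


if __name__ == "__main__":
    queue = ScanQueue(signature_version=1)
    inbox = Folder("Inbox", [Message(f"m{i}") for i in range(35)])   # constructed sample mailbox
    for msg in inbox.messages:
        queue.submit_proactive(msg)
    print("evicted by the 30-item cap:", [m.msg_id for m in queue.dropped])
    print("open m10:", queue.access(inbox.messages[10]), "| open m0:", queue.access(inbox.messages[0]))
    queue.update_signatures(2)
    print("background rescan after signature update:", queue.background_scan([inbox]))
```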
Effectiveness Testing @hp
Problem Files & Tests
Settings: Scan All Attachments Types, Notify Sender, Admin and Recipient, Repair if possible, Quarantine if Not
Detection: Start AV Service, send virus
Performance & Detection: Run LoadSim – Normal Load; MailStorm – Push to Bottleneck
Sample Test Environment
Diagram of the test environment:
ProLiant DL360 front-end servers FE360L9 - 12, Version 6.0 (Build 4712.4: Service Pack 1)
ProLiant ML Active Directory Global Catalog Servers, DNS, DHCP
ProLiant DL Mailbox Server, Version 6.0 (Build 5762.4: Service Pack 2)
ProLiant 1850 Mailbox Server, Version 6.0 (Build 4712.4: Service Pack 1)
EXVS1 -- Cluster, Version 6.0 (Build 4712.4: Service Pack 1)
Test Clients
First Routing Group, Second Routing Group, Active Directory Organization
Each Compaq server shown with Drive 0 and Drive 1 (18 GB each)
Problem Files & Tests
Viruses: Known virus, Macro Virus, Disguised Virus, Zip in Embedded Message, Acknowledge ZIP, Encrypted ZIP
Problem Files: Zero Byte .COM, .com URL format, Empty ZIP file, > 2GB unzipped file, Illegal MIME e.g. UPPERCASE header, Invalid filenames, Syntax errors
Tests: AV Service starting, Signature Update, Digital Signature & Encrypted, To Uninitialized Mailbox, Delayed Send, With Invalid Return Address, Embedded in Outlook Form, To Distribution List, To Public Folder via Post, To Public Folder via SMTP address, Drag & Drop File to PF, Exchange Settings: Private .PST delivery (Client logged on), Invalid Address (create NDR), Invalid Address (NDR) with valid CC, Message in Sent Items
VSAPI PerfMon Counters
Messages Processed: This is a cumulative value of the total number of top-level messages that are processed by the virus scanner
Messages Processed/sec: This counter represents the rate at which top-level messages are processed by the virus scanner
Messages Cleaned: The total number of top-level messages that are cleaned by the virus scanner
Messages Cleaned/sec: The rate at which top-level messages are cleaned by the virus scanner
Messages Quarantined: The total number of top-level messages that are put into quarantine by the virus scanner
Messages Quarantined/sec: The rate at which top-level messages are put into quarantine by the virus scanner
Files Scanned: The total number of separate files that are processed by the virus scanner
Files Scanned/sec: The rate at which separate files are processed by the virus scanner
Files Cleaned: The total number of separate files that are cleaned by the virus scanner
Files Cleaned/sec: The rate at which separate files are cleaned by the virus scanner
Files Quarantined: The total number of separate files that are put into quarantine by the virus scanner
Files Quarantined/sec: The rate at which separate files are put into quarantine by the virus scanner
Bytes Scanned: The total number of bytes in all of the files that are processed by the virus scanner
Queue Length: The current number of outstanding requests that are queued for virus scanning
Folders Scanned in Background: The total number of folders that are processed by background scanning
Messages Scanned in Background: The total number of messages that are processed by background scanning
AV Test Suites
Exchange 200X Server Mailbox and Public Folder Store virus protection
Test Suite 1: Normal Load
Test Suite 2: Peak Load (Stress Test)
Test Suite 3: Impact of RAID level, Multiple Storage Groups, and Stores
SMTP Front-End virus protection
Test Suite 4: Measure SMTP throughput and resource utilization with and without anti-virus scanning
Testing Results Exchange 200X Scanning
Effectiveness ~100% - Known Viruses
Performance: Less Difference with VSAPI than MAPI but STILL SIGNIFICANT
Performance impact - Determinant Variables:
In-memory scanning vs. disk access
Message rate & size mix
Existing processor load & CPU(s)
See whitepaper at http://www.hp.com/solutions/activeanswers
Key Product Selection Criteria: Features & Functionality
Product Selection Basics
Exchange 5.x, Exchange 2000, Exchange 2003 Compatibility
Version (Front-End Exchange Server, Windows Server SMTP only, or Back-End Store version)
Multiple stores and client access from MAPI, OWA, Internet protocols and the EXIFS (M: drive).
API Method used: MAPI, AVAPI, VSAPI or Combination?
Special Hardware Support, multi-processor, clusters, etc.
Remote installation, configuration, monitoring, updating, and management?
Enterprise (Multi-Server) Console and remote administration?
Administrative Console type: Web, MMC, both?
Scheduled, automatic updates of the virus signature files
Push or pull? Firewall/proxy settings? Can it fan out from an internal http or \\UNC share?
Scan Engine used (or multiple scan engines)
Does it scan in memory or must it write attachments to disk?
Scans all message content (attachments and compressed files, message body, HTML)
Heuristics or other technology to detect and prevent macro viruses and new viruses
Product Selection Criteria
Features for dealing with virus outbreaks?
Purging or deletion of entire worm messages?
Customize alert messages to administrator(s), sender, and recipient?
Distinguish between external and internal? Choice of transports or alerting mechanisms such as NET SEND as well as e-mail?
Can it break or block digitally signed or encrypted e-mails to scan for viruses?
Exclude folders from manual scanning (e.g. Organizational Forms Library)?
Selective attachment blocking?
Does it provide any other form of content filtering?
Configure Quarantine thresholds: Maximum number of items, Maximum size of Quarantine, Oldest message in Quarantine etc.
More Features…
Anti-Virus Functionality
Control over scanning ‘bias’ – certainty versus performance
Delete Select Files: corrupted compressed, UUEncoded or Encrypted files
Control over depth of scanning: maximum number of nested attachments or compressed archives and maximum scan time
Scan Files Embedded in Documents
Trusted Scanning Domain
Content Control Functionality
Control over outbound disclaimers
Filter by file type, sender/domain, subject line, message contents
Control over Encrypted files – quarantine or log event
Provide sample policies or categories or weightings
Simple, Centralized Reporting
Conclusions
Solving the Virus Problem is three-fold
1. Network Security
2. Content Control
3. System Operations
Commitment to Solution: 99%, 99.9%, 99.99%
Scanning, Filtering, Lockdown
Pro-actively or Re-actively
Learning from Previous Outbreaks
Microsoft Responses: Outlook Security Patch
New, Improved VSAPI
Appendices
Reference Slides follow
Summary
Point of Attack | Issue / source of problem | Solution points
Entry into Organization | Accepting active file content types | File blocking (by extension or all active content)
Front-End Servers & Firewalls – System Intrusion | Certain MIME exploits or new virus, no signature | Attachment blocking or Filter by content - Do not rely on attachment extensions (cannot trust MIME headers)
Back-End Servers – Received via email messages | Accepting active file content types | File blocking and scanning for known viruses
Opened in Email client | Email client handling of attachments and address book access | Attachment Blocking and Outlook Object Model Guard
Personal Computer & User | Attachment written to disk | Desktop file-based anti-virus scanning
Personal Computer & User | Trick user into launching virus: Fooled by attachment type or extension | Change default action for scripts to Edit; Un-hide file extension in Explorer
Opening unsafe attachments | Lack of end-user awareness | Corporate Policy and Anti-Viral Education Campaign
Destructiveness of payload | Power of logon context | Network security e.g. restricting shares; Use RunAs or Remote Desktop
Links to More Information
ActiveAnswers: http://www.hp.com/solutions/activeanswers
AV Vendors: http://www.gfi.com/mailsecurity/msecpapers.htm
“One virus engine is not enough: The case for maximizing network protection with multiple anti-virus scanners”
“Why you need an email exploit detection engine: Companies must supplement anti-virus protection for maximum security”
“Protecting your network against email threats: How to block email viruses and attacks”
“Why anti-virus software is not enough: The urgent need for server-based email content checking”
http://www.symantec.com/avcenter/whitepapers.html
http://www.trendmicro.com/download/whitepapers/
http://www.sybari.com/products/whitepapers.asp
System Operations
Solving the Virus Problem: Turning Down the Automation
Default Script Actions
Hidden File Extensions
Outlook Security Updates + Windows Patches
Client Configuration: Hidden extensions
Backdoors and Intrusion Detection: Personal firewall e.g. ZoneAlarm
Virus ‘Lifecycle’ (diagram, with solution points)
HTTP, SMTP, File-based (media)
Foreign MTA
PC Configuration
Front-End Servers, Firewalls
Back-End (Mailbox) Servers: Real-time Scanning
Email Clients (Outlook Web Access, Outlook, Outlook Express): Attachment Blocking, Object Model Guard
File Extensions, Automation & Default File Actions
User Logon Context
Further Reading
“Mission-Critical Active Directory”, Jan De Clercq, Micky Balladelli, Digital Press, ISBN 1-55558-240-0
“Windows Server 2003 Security Infrastructures” Jan De Clercq, To be published late 2003
Questions?
Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
Newsgroups: Converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups: Meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx
Suggested Reading And Resources
The tools you need to put technology to work!
TITLE | Available
Microsoft® Exchange Server 2003 Administrator's Companion: 0-7356-1979-4 | 9/24/03
Active Directory® for Microsoft® Windows® Server 2003 Technical Reference: 0-7356-1577-2 | Today
Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-Shirt
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.