MSG329 Controlling Viruses with Exchange Server and Outlook Jan De Clercq Senior Member of Technical Staff Hewlett-Packard Technology Leadership Group


Page 1

MSG329

Controlling Viruses with Exchange Server and Outlook

Jan De Clercq, Senior Member of Technical Staff, Hewlett-Packard, Technology Leadership Group

Page 2

Agenda

Defining the Virus Problem

Virus 'Lifecycle'

Known Exploits + Prevention

Virus Detection & Prevention: Protecting Points of Entry & Attack

Exchange Server - Specific Detection & Scanning Methods – Test Results

What’s new: Exchange Server 2003 enhancements

Page 3

What is a Virus?

Code that exploits existing systems

Intrusion into system

Self-replication & propagation

Benefits from automation

Can carry payload

Can be harmful or benign

Without user consent

Resides in specific security context

Payload can be nuisance message or much, much worse

Page 4

Escalating Payloads

PCs

Networks

Systems

Services

Companies

Page 5

Future Attacks*

(timeline: '98 '99 '00 '01 '02 '03 '04 '05 ...)

Increasing popularity: Trojan horses, active content, network payload

Ease of authoring: code base, executables, macros, script

Target = PCs, wireless, networks, directory

*Source: MEC'99 presentation

Page 6

Virus Terminology

Virus, Worm, Trojan Horse, etc.

Polymorphic, Stealth, Variants, etc.

Scanning, Signatures, Recursive Decompression, Heuristics, etc.

Payload, Transmission Vectors

Disturbing Trends

Transmission Rate & Vectors Up

Payload Latency Down

Payload Potency Up

Page 7

Virus 'Lifecycle'

(diagram: transmission vectors HTTP, SMTP and file-based media arrive from a foreign MTA, pass the firewalls and front-end servers, reach the back-end (mailbox) servers and finally the e-mail clients (Outlook Web Access, Outlook, Outlook Express), where the payload runs under the user logon context on the given PC configuration)

Page 8

Defining the Virus Problem

The virus problem is three-fold:

Network Security

Content Control

System Operations

Page 9

Solving the Virus Problem

Network Security

Content Control

System Operations

Varying levels of commitment = varying effort in each area:

1. Basic

2. Intermediate

3. Highest Security

Page 10

What is your commitment to solution?

99%: AV screening at gateways / mailboxes

99.9%: Above + content restrictions + OS configuration

99.99%: Above + sandbox + client lockdown

..or Outsource the Problem

Page 11

Known Exploits + Prevention

Learning from Previous Outbreaks

Virus Case Studies: Past Exploits

What have we learned?

What can we predict? (lead time...)

Where are we exposed?

Each case study that follows is laid out as Exploit / Example / Solution(s), in chronological order. Illustration:

Exploit: Head hits steering wheel

Example: Bad crash

Solution(s): Air bag

Page 12

Viral Capabilities Precede Outbreaks*

(chart: authoring capabilities appear in 1996 1997 1998 1999 2000; the corresponding viral outbreaks follow roughly a year later in 1997 1998 1999 2000 2001; categories: Executables, Macro, Script, Transport)

*Source: MEC'99 presentation

Page 13

Outbreak Response

Advance preparation

Detection systems & notification

On outbreak:

Unplug infected system(s)

Shut down SMTP outbound*

Shut down MTAs / hubs

Download new signatures

Run A/V or cleanup utilities

Determine when OK to re-connect

* Exchange 2003 enhancement

Page 14

Well-known exploits

Exploit: Exploited known / patched vulnerability

Example: Morris Worm 11.2.88

Solution(s): Stay current, e.g. via Windows Update & Office Update

Page 15

Get Secure, Stay Secure

microsoft.com/security: Security Tools

Bulletins and Virus Alerts

Windows + Office Update: Windows + Office integration

E.g. issue with 'SQL Slammer': the patch (MS02-039) had been available for six months, but SQL Server was not covered by Windows Update

Automatic Updates

But what about change control? Software Update Services (SUS)

Page 16

HTML script and email

Exploit: 'Demo' HTML virus

Example: First known: HTML.Internal 11.10.98

Solution(s): Set IE zone security to "Medium" or higher; for the truly paranoid: Outlook Key; ZAPHTML from slipstick.com

Page 17

Outlook 2002 Plain Text

Convert all incoming HTML e-mail that is not digitally signed or encrypted to plain text (see Q307594)

Can still view in OWA

Page 18

Social Engineering

Exploit: "Here is that document you asked for ... don't show anyone else ;-)"

Example: Melissa 03.26.99

Solution(s): User education ("trust nothing"); disable macros

Page 19

Ongoing User Education

IDC survey: more than a third (37 per cent) of business email users would still open the attachment of an email titled 'ILOVEYOU'

The report found that on any day of the year users would open an email appearing to be from someone they know if the following appeared in the subject line: Great Joke (54 per cent), Look at this (50 per cent), Message (46 per cent), No title (40 per cent) or special offer (39 per cent).

Source: http://www.theregister.co.uk/content/8/16668.html 2/6/2001

Page 20

User Education: Learn with each Attack

Social engineering

Unsafe attachments: active content, hidden extensions; save & scan if unsure

Unsafe messages: open = launch; leave 'suspicious' incoming messages alone for a few hours or days

Opening unprotected points of entry, e.g. POP email, Web email etc.

Page 21

Mass email generator

Exploit: Programmatic access to address book

Example: Melissa 03.26.99

Solution(s): Admin education, e.g. dummy entries in GAL (weak); Outlook Security Update; need for purging worm-generated emails

Page 22

Outlook Security Update

“The Most Powerful Anti-Virus Tool on the Planet”

The vast majority of email-borne viruses (such as ILOVEYOU, Melissa, and Goner) can be stopped in their tracks by taking one simple action -- installing the Outlook E-mail Security Update today. Updates are available for Outlook 2000 and Outlook 98. The update is built into Outlook 2002 in Office XP.

http://www.microsoft.com/technet/security/virus/virus.asp


Page 23

Outlook Security Update

Outlook 98 Service Pack 2 and onward

Viruses are prevented from programmatically accessing the address book

Certain attachment types are restricted: Level 1 (blocked, the user cannot open or save them) and Level 2 (must be saved to disk before opening)

http://www.microsoft.com/office/outlook/evaluation/security.asp

HTML mail is rendered in the Restricted Sites zone instead of the Internet zone by default

Page 24

Launch attachments

Exploit: Launch attachments directly from email

Example: Melissa 03.26.99

Solution(s): Outlook Security Update; save to disk allows A/V scanning

Page 25

Hidden extensions

Exploit: E.g. executable appears as zip or text or picture

Example: Worm.ExploreZip 06.06.99

Solution(s): 'Hide extensions' (Explorer default) must be changed; attachment blocking; Outlook Security Update

Page 26

Active Script

Exploit: E.g. VBS viruses

Example: VBS/Freelink 10.14.99

Solution(s): Change default VBS action to Edit (in Registry); Outlook Security Update

Page 27

Default Script Actions: Give up Automation? No!

E.g. change the default action for script files to Edit instead of disabling WSH: a double-click (or "open" from a mail client) then loads the script in the editor, while scripts can still be run deliberately from the Open context-menu verb or with cscript/wscript. Apply with REGEDIT /S VIRUSFIX.REG, where VIRUSFIX.REG is:

REGEDIT4

[HKEY_CLASSES_ROOT\VBSFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\VBEFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\JSFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\JSEFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\WSFFile\Shell]
@="Edit"

[HKEY_CLASSES_ROOT\WSHFile\Shell]
@="Edit"

(The REGEDIT4 header line is required; regedit rejects a file without it.)

Use Group Policy to restrict applications

Page 28

Auto-launch attachment

Exploit: Auto-launch attachment: runs when the e-mail is opened, without the user touching the attachment

Example: Bubbleboy 11.09.99

Solution(s): Microsoft Security Bulletin MS99-032: Patch Available for "scriptlet.typelib/Eyedog" Vulnerability

Page 29

Network + blended attacks

Exploit: Uses Admin context to attack NT system and uses network

Example: W32.FunLove 11.11.99

Solution(s): Reduce logon context; file-based scanning even for servers

Page 30

Solving the Virus Problem: Network Security

Viral capability = logon / security context

RunAs (Win32 apps) or Remote Desktop

Blended threats: email, shares, IIS, backdoors / spyware

Email & MIME are 'too trusting'

Page 31

Fool me once, fool me twice

Exploit: "kindly check the attached LOVELETTER coming from me."

Example: ILOVEYOU (attachment LOVE-LETTER-FOR-YOU.TXT.vbs, shown as a .TXT file with extensions hidden) 05.04.2000

Solution(s): 'Hide extensions' (Explorer default) must be changed; change default VBS action to Edit (in Registry); Outlook Security Update

Page 32

HTML Automation

Exploit: User does not have to open an attachment to become infected (the same scriptlet.typelib hole as Bubbleboy, MS99-032). Attaches itself to the outgoing signature in Outlook Express.

Example: KAK worm 05.05.2000

Solution(s): HTML off?; Outlook Key; Outlook Express Security Update; server-side scanning

Page 33

Outlook Express Security Update

Q291387 OLEXP: Using Virus Protection Features in Outlook Express 6

Security tab of Tools, Options:

Disable active content in HTML e-mail: OE6 uses the Restricted Sites zone instead of the Internet zone

Warn me when other applications try to send mail as me

Do not allow attachments to be saved or opened that could potentially be a virus (the list is managed via Control Panel: Folder Options, 'Confirm open after download' checkbox)

POP email proxy scanning

Page 34

New transports & file types

Exploit: Spread via IRC

Example: LIFE_STAGES.TXT.SHS 06.20.2000

Solution(s): Admin education, e.g. filter out the SHS extension (who knew? Explorer never displays .SHS, even with 'Hide extensions' turned off, so a .TXT.SHS scrap object looks like a text file)

Page 35

Admin Education: Learn with each Attack

Address Book / GAL access

Active content & unwanted content types: ??_, 00?, 386, ACM, ADT, APP, ARC, ARJ, ASP, AX?, BAT, BIN, BO?, CAB, CBT, CDR, CHM, CLA, CMD, COM, CNV, CPL, CSC, DL?, DEV, DOC, DOT, DRV, EXE, GMS, GZ?, HLP, HT?, ICE, IM?, INI, JS?, LZH, MB?, MD?, MPD, MPP, MPT, MSI, MSG, MSM, MSO, MSP, MST, OBD, OBT, OCX, OLE, OV?, PCI, POT, PP?, QLB, QPW, RAR, REG, RTF, SCR, SHS, SMM, SYS, TAR, TD0, TLB, TSP, VBS, VS?, VWP, VXD, WBK, WIZ, WPC, WPD, WSI, XL?, XML, XSL, XTP, ZIP

DO NOT RELY ON SCANNING BY EXTENSION!

Desktop & Outlook deployments: security patches (e.g. Outlook via Internet), IE security zones, Windows settings (file extensions, scripts)

Admin logon context: Run As or remote admin (Terminal Server)
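The list above is long and still incomplete, which is the deck's point: a gate that looks only at the name is fooled by ExploreZip (a PE file named .zip), by ILOVEYOU-style double extensions that Explorer truncates, and by extensions Windows never shows (SHS). The following Python is an added example, not code from the deck or from HP: it models an attachment gate that classifies by content (magic bytes) as well as by the real extension, opens ZIP archives one level deep, and reports what the user would actually see. The sample attachments are constructed inline and contain no malware; the extension sets are an illustrative subset of the slide's list, not the full list.

```python
import io
import zipfile

# Leading bytes the gate recognises (illustrative subset, constructed for this example).
MAGIC = [
    (b"MZ", "pe"),                                  # Windows executable: EXE, SCR, DLL, most COM
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # DOC/XLS/PPT containers, also SHS scrap objects
]
EXEC_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
NEVER_SHOWN = {".shs", ".shb", ".lnk", ".pif"}   # Explorer hides these even with 'Hide extensions' off


def sniff(data):
    """Classify content by its leading bytes, ignoring the name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "other"


def split_name(filename):
    """Return (real extension in lower case, name as Explorer shows it with 'Hide extensions' on)."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        return "", filename
    return "." + ext.lower(), base


def check_attachment(filename, data, depth=0):
    """Decide 'block' or 'allow' and say why. Name rules first, then content,
    then one level of recursive decompression for ZIP archives."""
    ext, shown = split_name(filename)
    kind = sniff(data)
    if ext in NEVER_SHOWN:
        return "block", f"{ext} is never displayed by Explorer"
    if ext in EXEC_EXTS | SCRIPT_EXTS:
        hint = f" (user sees '{shown}')" if "." in shown else ""
        return "block", f"executable/script extension {ext}{hint}"
    if kind == "pe":
        return "block", f"PE header inside a '{ext or 'no-extension'}' attachment"
    if kind == "zip" and depth < 1:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                inner = check_attachment(member.filename, zf.read(member), depth + 1)
                if inner[0] == "block":
                    return "block", f"zip member {member.filename}: {inner[1]}"
    return "allow", f"{kind} content, extension {ext or 'none'}"


def make_zip(entries):
    """Build an in-memory ZIP from (name, bytes) pairs (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples echoing the deck's cases; none of this is real malware.
SAMPLES = [
    ("zipped_files.zip", b"MZ\x90\x00" + b"\x00" * 60),                    # ExploreZip: PE named .zip
    ("AnnaKournikova.jpg.vbs", b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'),
    ("LIFE_STAGES.TXT.SHS", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("quarterly.zip", make_zip([("readme.txt", b"hello"), ("setup.exe", b"MZ" + b"\x00" * 30)])),
    ("notes.txt", b"plain text body"),
]


def run_samples():
    return {name: check_attachment(name, data) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, (decision, reason) in run_samples().items():
        print(f"{decision:5}  {name:25}  {reason}")
```

The order of the checks is deliberate: the never-shown and executable extensions are cheap and decisive, the magic-byte test then catches a renamed executable whatever its extension says, and the archive walk applies the same rules one level down, which is the "recursive decompression" the terminology slide refers to.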

Page 36

Network attack + backdoor

Exploit: Start as e-mail, IRC or download, scan IP ranges, provide own backdoor

Example: Qaz.trojan (W32.HLLW.QAZ.A) 08.14.2000; Bymer (alias Msinit and Wininit) 11.07.2000

Solution(s): Basic security "best practices": network share settings, firewalls etc.

Page 37

Alternate Data Streams

Exploit: Proof of concept

Example: W2K.Stream 09.07.2000

Solution(s): Block *} attachments

Page 38

Upgradeable virus

Exploit: Variable attachment name ending in .exe or .scr, plus the capability to upgrade itself via Usenet

Example: W32.Hybris 11.14.2000

Solution(s): Outlook Update; .SCR filtering

Page 39

Testing, Testing...

Exploit: EXE that is not a Flash movie

Example: Shockwave worm 11.30.2000

Solution(s): Outlook Update

Page 40

Tennis anyone?

Exploit: Another VBS hidden extension

Example: AnnaKournikova.jpg.vbs 02.12.2001

Solution(s): See Worm.ExploreZip 06.06.99 and VBS/Freelink 10.14.99

Page 41

RTF vulnerability

Exploit: Infected .rtf document attempts to download a remote .DOT template carrying a Trojan horse from a Russian Web site

Example: W97M.Goga or DUNpws.ik 06.14.2001

Solution(s): Microsoft patch (MS01-028) or Word 2002 or later

Page 42

Another blended threat

Exploit: Attempt at randomizing email contents + infect files shared over an open network

Example: SirCam worm 07.18.2001

Solution(s): Basic security "best practices"

Note: bug in the random number generator; the file-deleting and space-filling payloads were likely not activated

Page 43

Email, Network, Internet....

Exploit: Hybrid worm: exploited IIS vulnerabilities and at the same time spread as an e-mail attachment, over network shares and from compromised IIS servers to browsing clients

Example: Nimda 09.18.2001 (not Code Red, the IIS-only worm of July 2001 that preceded it; the date and the vectors listed here are Nimda's)

Solution(s): Basic security "best practices"; Microsoft Security Bulletin MS01-020, originally posted March 29, 2001

Page 44

If at first you don't succeed

Exploit: Variant

Example: Nimda variants

Solution(s): Basic security "best practices"; Microsoft Security Bulletin MS01-020, originally posted March 29, 2001

Page 45

Email spoofing + randomization

Exploit: Well known: see MS01-020 and/or MS01-027

Example: Klez & .E variant 10.25.2001

Solution(s): Outlook Security Patch

Page 46

Malformed MIME

Exploit: Malformed MIME exploit: allows the attachment to execute without prompting

Example: W32.Badtrans.B 11.24.2001

Solution(s): Microsoft Security Bulletin MS01-020, superseded by MS01-027 (originally posted May 16, 2001)

Page 47

Social Engineering

Exploit: Q216309.exe, an SMTP engine disguised as an Internet Security Update; attacks mapped drives

Example: Gibe 03.04.2002

Solution(s): Outlook Update; user education: Microsoft DOES NOT send patches via email

Page 48

AP headline: "New virus can infect photo files"

Exploit: Claims to infect JPG files (once you install the EXE)

Example: Perrun 06.14.2002

Solution(s): Ummm, don't install the EXE

Page 49

I'm getting tired...

Exploit: Mass-mailing, termination of antivirus programs and firewalls, compromise of cached passwords

Example: W32.Lirva.A@mm January 10, 2003

Solution(s): Outlook Update; user education: Microsoft DOES NOT send patches via email

Page 50

What's next?

Exploit: Well-known exploits: "about:" or "javascript:" URLs, IFRAME tag (see ntbugtraq.com)

Example: (none yet at the time of the deck)

Solution(s): Outlook Security Update, or get Outlook 2002 or later

Page 51

Illegal MIME

Exploit: RFC 822 and the MIME RFCs leave the multipart structure and the parameter syntax open to a wide variety of interpretations; the same attachment name can be written with RFC 2047 encoded-words, stray or unbalanced quotes and whitespace, and the gateway and the client need not agree on what the filename is. All of the following name the same file:

Content-Type: text/plain; name==?us-ascii?Q?eicar.com?=

name=eicar.com
name=""eicar.com
name=."eicar.com"
name=eicar .com
name="eicar.com
name==?us-ascii?Q?eicar.com?=
name==?us-ascii?Q?eicar?=.com
name==?us-ascii?Q?eicar?= =?us-ascii?Q?.com?=
name="eicar.=?us-ascii?Q?com?="
name="eicar.=?us-ascii?Q?com?=
name=eicar.=?us-ascii?Q?com?=
name=eicar.=?us-ascii?Q?co?=m

Example: EICAR test file delivered under each of the encodings above

Solution(s): Outlook Security Update; block .DAT (attachments whose name could not be parsed typically arrive as ATTnnnnn.dat)
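The variants above all name the same file, eicar.com, yet a filter that matches the raw header text sees a .com extension in only some of them. The Python below is an added example, not the deck's or HP's code: it decodes RFC 2047 encoded-words (the =?charset?Q?...?= pieces), drops stray quotes the way a lenient client does, and only then looks at the extension, with the naive header-text check beside it for comparison. The EICAR name is used only as a label, as on the slide; no EICAR content is included, and the list of blocked extensions is an assumption for the example.

```python
import base64
import quopri
import re

# RFC 2047 encoded-word: =?charset?Q|B?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([qQbB])\?([^?\s]*)\?=")
# Linear whitespace between two adjacent encoded-words is not part of the decoded text.
BETWEEN_WORDS = re.compile(r"\?=\s+=\?")


def decode_encoded_words(value):
    """Replace every encoded-word in value with its decoded text."""
    value = BETWEEN_WORDS.sub("?==?", value)

    def repl(m):
        charset, enc, payload = m.group(1), m.group(2).lower(), m.group(3)
        if enc == "q":
            raw = quopri.decodestring(payload.encode("ascii"), header=True)  # '_' -> space, =XX -> byte
        else:
            raw = base64.b64decode(payload)
        return raw.decode(charset, errors="replace")

    return ENCODED_WORD.sub(repl, value)


def normalize_name(param_value):
    """Filename a permissive client ends up with from the raw value of a name= / filename= parameter."""
    s = decode_encoded_words(param_value.strip())
    s = s.replace('"', "")            # balanced, unbalanced or doubled quotes are all simply dropped
    return s.strip()


def real_extension(param_value):
    name = normalize_name(param_value)
    _, dot, ext = name.rpartition(".")
    return "." + ext.lower() if dot else ""


def naive_extension(param_value):
    """What a gateway that matches the header text as written sees."""
    _, dot, ext = param_value.strip().strip('"').rpartition(".")
    return "." + ext.lower() if dot else ""


def should_block(param_value, blocked=frozenset({".com", ".exe", ".scr", ".vbs", ".pif"})):
    return real_extension(param_value) in blocked


# The raw parameter values from the slide (constructed here with straight quotes).
VARIANTS = [
    'eicar.com',
    '""eicar.com',
    '."eicar.com"',
    'eicar .com',
    '"eicar.com',
    '=?us-ascii?Q?eicar.com?=',
    '=?us-ascii?Q?eicar?=.com',
    '=?us-ascii?Q?eicar?= =?us-ascii?Q?.com?=',
    '"eicar.=?us-ascii?Q?com?="',
    '"eicar.=?us-ascii?Q?com?=',
    'eicar.=?us-ascii?Q?com?=',
    'eicar.=?us-ascii?Q?co?=m',
]


def compare():
    """Return (variants caught by the naive check, variants caught after normalisation)."""
    naive = sum(naive_extension(v) == ".com" for v in VARIANTS)
    robust = sum(should_block(v) for v in VARIANTS)
    return naive, robust


if __name__ == "__main__":
    for v in VARIANTS:
        print(f"{v:45} naive={naive_extension(v) or '-':8} real={real_extension(v)}")
    print("caught naive/robust:", compare())
```

The gateway has to make the same decoding decisions the client will make, or the client sees a different file than the gateway inspected; the half of the variants the naive check misses are exactly the ones where the extension is hidden inside an encoded-word or split across two of them.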

Page 52

What's next?

Exploit: <Your network here>

Example: <Your name here>

Solution(s): Look for exploit opportunities in your own environment (to prevent!)

Page 53

Agenda

Defining the Virus Problem

Virus 'Lifecycle'

Known Exploits + Prevention

Virus Detection & Prevention: Protecting Points of Entry & Attack

Exchange Server - Specific Detection & Scanning Methods – Test Results

What’s new: Exchange Server 2003 enhancements

Page 54

Protecting Points of Entry

1. Firewalls & Gateways*

2. Mailbox Servers

3. Clients / Desktops

(diagram: Internet -> firewall / SMTP gateway at the network layer -> mailbox servers at the server layer inside your organization -> clients; each of the three is marked as a point of entry)

* Could be Exchange perimeter

Page 55

1: Firewalls & Gateways

Content & virus scanning on ISA Server, e.g. Trend InterScan VirusWall, GFI DownloadSecurity for ISA Server, Finjan SurfinGate (see isaserver.org)

Windows Server 2003 SMTP products

Port-watch products: http://msdn.microsoft.com/msdnmag/issues/02/09/NewStuff/default.aspx (MSDN Magazine, September 2002)

Also file-based scanning

Page 56

Solving the Virus Problem: Content Control

Anti-virus scanning

Content filtering: by file type, by content

Balance between effectiveness and maximum loss rate

Page 57

Exchange 2003 Filtering

See Simon Attwell's anti-spam session

Connection filtering: real-time blacklists

Content filtering: spam beacon blocking

Recipient filtering: block/allow addresses

Restricted distribution lists

Allow authenticated internal e-mail

Restrict relaying

Page 58

2: Mailbox Servers

Store-based content & virus scanning

Exchange scanning methods: before 1998 MAPI; 2000 AVAPI; 2001 VSAPI; 2002 VSAPI2; 2003 VSAPI2.5

Product selection criteria

Warning: exclude Exchange binaries, databases, logs, etc. from file-based scanning (a file-level scanner that locks or quarantines an .edb, .stm or transaction log file can corrupt the database or stop the Store)

Page 59

Anti-Virus Resource Usage

The A/V process uses CPU and drives up the Store.exe process

Limits server scalability

Solutions / options: scale vertically, e.g. add processors; "surround" mailbox servers with A/V scanning at the gateways and desktops

Page 60

3: Clients / Desktops

User & admin education

Outlook E-mail Security: see Session SEC360 Outlook Security and Virus Protection (Weds 9 am)

Other options: turn off the e-mail preview pane; Tools, Options, Send tab, Mail Sending Format: Plain Text

Desktop anti-virus: scans e-mail attachments saved to the temporary folder

Q49500 List of Antivirus Software Vendors

Outlook Express E-mail Security

Page 61

Agenda

Defining the Virus Problem

Virus 'Lifecycle'

Known Exploits + Prevention

Virus Detection & Prevention: Protecting Points of Entry & Attack

Exchange Server - Specific Detection & Scanning Methods – Test Results

What’s new: Exchange Server 2003 enhancements

Page 62

What's new: Exchange Server 2003 Enhancements

VSAPI2.5

OWA attachment blocking

Filtering (anti-spam)

MIME handling

Outlook version control: allows patch enforcement

Page 63

VSAPI 2.0 in Exchange 2000 SP1

Scans messages and attachments

Priority-based scanning queue

Proactive message scanning

Enhanced background scanning

Thread pooling

Message details

Per-MDB scanning

EDK gateway content scanning

Message body and attachment scanning

Native MAPI/MIME content scanning

Scanner on-demand reload

Page 64

VS API V2.5 in Ex2003

Antivirus App can delete messages

Antivirus App can send messages to the sender, and add additional virus status messages thus allowing clients to better indicate the infection status of a given message

Page 65

VSAPI Scanning

Proactive scanning: as messages arrive inbound to the server

On-access scanning: when messages are accessed via client or agent

Background scanning: ongoing scanning of messages, primarily used for re-scanning data when virus signatures are updated

Page 66

Priority Scanning Queue

One queue exists for the entire Store process, with a maximum of 30 items

Messages are submitted to the queue with a high or low priority

A requested item (i.e. message open) receives high priority

Saves and posted items receive low priority

High-priority messages are always scanned before low priority

Item priority can be upgraded upon access

Page 67

Proactive Scanning

Proactively scans messages as they are submitted to the Store (transport submit, client submittal)

Gives an item the opportunity to be scanned prior to access (i.e. message open)

Proactive items receive a low priority

Maximum of 30 low-priority items in the queue; FIFO-based removal of low-priority items

If removed, the item will be scanned when accessed

Page 68

On-Access Scanning

Process: the item's virus stamp is checked

If the item has not been scanned by the current virus signature, it is inserted into the queue

Items are assigned a high priority in the queue

If the item was in the low-priority queue when accessed, its priority is upgraded to high

The client waits to be "signaled" when scanning is complete, or times out

Essentially eliminates the need for traditional manual scanning
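The three slides above (priority queue, proactive scanning, on-access scanning) describe one mechanism. The Python below is an added model of it, not Microsoft's or HP's code and not the VSAPI itself: a single queue with high and low priority, the 30-slot limit with FIFO eviction of low-priority items, priority upgrade on access, the virus stamp check, and what a signature update does to existing stamps. Item names and the single worker loop are assumptions of the model (the real Store uses a thread pool); background scanning is left out.

```python
from collections import deque


class Item:
    """A message or attachment in the Store. 'stamp' is the signature version it was last
    scanned with (the role the deck's virus stamp plays); None means never scanned."""

    def __init__(self, name, stamp=None):
        self.name = name
        self.stamp = stamp


class ScanQueue:
    MAX_LOW = 30   # deck: at most 30 low-priority (proactive) entries; oldest pushed out FIFO

    def __init__(self, signature_version):
        self.signature = signature_version
        self.high = deque()      # message-open requests, always served first
        self.low = deque()       # proactive submits
        self.scanned = []        # names in the order they were scanned
        self.dropped = []        # low-priority items evicted before being scanned

    def submit(self, item):
        """Transport or client submit: queue a proactive scan at low priority."""
        if item.stamp == self.signature or item in self.high or item in self.low:
            return
        if len(self.low) >= self.MAX_LOW:
            self.dropped.append(self.low.popleft())   # evicted; will be scanned on access instead
        self.low.append(item)

    def access(self, item):
        """Client opens the item: stamp check, then high priority (or upgrade), then wait for the signal."""
        if item.stamp == self.signature:
            return "stamp current, no scan"
        if item in self.low:
            self.low.remove(item)                      # priority upgrade
        if item not in self.high:
            self.high.append(item)
        while item.stamp != self.signature:            # client blocks until its own item is done
            self.scan_next()
        return "scanned on access"

    def scan_next(self):
        """One worker pass: high priority before low. Returns the scanned name, or None when idle."""
        if self.high:
            item = self.high.popleft()
        elif self.low:
            item = self.low.popleft()
        else:
            return None
        item.stamp = self.signature                    # the scan itself happens here, then the stamp
        self.scanned.append(item.name)
        return item.name

    def update_signatures(self, version):
        """New signature set: old stamps stop matching, so items are rescanned on access
        (or by background scanning, which this model leaves out)."""
        self.signature = version


def demo():
    q = ScanQueue(signature_version=1)
    items = [Item(f"msg{i}") for i in range(35)]
    for it in items:
        q.submit(it)                    # 35 proactive submits: msg0..msg4 fall off the 30-slot low queue
    opened = q.access(items[20])        # user opens msg20: upgraded and scanned before any low item
    reopened = q.access(items[20])      # stamp matches: no second scan
    evicted = q.access(items[0])        # an evicted item is still scanned, on access
    while q.scan_next():                # idle worker drains the low-priority queue in FIFO order
        pass
    q.update_signatures(2)
    after_update = q.access(items[20])  # stamp 1 != 2: rescan
    return {
        "dropped": [i.name for i in q.dropped],
        "scan_order": list(q.scanned),
        "opened": opened, "reopened": reopened,
        "evicted": evicted, "after_update": after_update,
    }


if __name__ == "__main__":
    r = demo()
    print("evicted before scan:", r["dropped"])
    print("scan order:", r["scan_order"])
```

Two things the model makes visible that the bullet points do not: an evicted proactive item is never lost, only deferred to its first access, and a signature update silently invalidates every stamp, which is why the deck pairs it with background scanning.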

Page 69

Background Scanning

Opens each corresponding MsgFolder table and walks its contents

ptagVirusScannerStamp is now stamped on Folder, MsgFolder, Msg and Attachment table entries

Optimization: if ptagVirusScannerStamp is up to date on the Folder entry, the contents are not scanned

New items in folders will be scanned when submitted or accessed

Sleeps until the Store is restarted or the virus interface is updated

Page 70

Effectiveness Testing @ HP

Problem files & tests

Settings: scan all attachment types; notify sender, admin and recipient; repair if possible, quarantine if not

Detection: start AV service, send virus

Performance & detection: run LoadSim (normal load); MailStorm (push to bottleneck)

Page 71

Sample Test Environment

(diagram; all Exchange builds are Exchange 2000, version 6.0)

Four ProLiant DL360 front-end servers FE360L9 - 12, each with two 18 GB drives: version 6.0 (build 4712.4: Service Pack 1)

ProLiant ML Active Directory global catalog servers: DNS, DHCP

ProLiant DL mailbox server: version 6.0 (build 5762.4: Service Pack 2)

ProLiant 1850 mailbox server: version 6.0 (build 4712.4: Service Pack 1)

EXVS1 cluster: version 6.0 (build 4712.4: Service Pack 1)

Test clients

Two routing groups (first routing group RG1AG1 to second routing group RG1AG2) in one Active Directory organization

Page 72

Problem Files & Tests

Viruses: known virus; macro virus; disguised virus; zip in embedded message; acknowledge ZIP; encrypted ZIP

Problem files: zero-byte .COM; .com URL format; empty ZIP file; > 2 GB unzipped file; illegal MIME, e.g. UPPERCASE header, invalid filenames, syntax errors

Tests: AV service starting; signature update; digitally signed & encrypted; to uninitialized mailbox; delayed send; with invalid return address; embedded in Outlook form; to distribution list; to public folder via post; to public folder via SMTP address; drag & drop file to PF; Exchange settings: private .PST delivery (client logged on); invalid address (create NDR); invalid address (NDR) with valid CC; message in Sent Items

Page 73

VSAPI PerfMon Counters

Messages Processed: the cumulative total number of top-level messages processed by the virus scanner

Messages Processed/sec: the rate at which top-level messages are processed by the virus scanner

Messages Cleaned: the total number of top-level messages cleaned by the virus scanner

Messages Cleaned/sec: the rate at which top-level messages are cleaned by the virus scanner

Messages Quarantined: the total number of top-level messages put into quarantine by the virus scanner

Messages Quarantined/sec: the rate at which top-level messages are put into quarantine by the virus scanner

Files Scanned: the total number of separate files processed by the virus scanner

Files Scanned/sec: the rate at which separate files are processed by the virus scanner

Files Cleaned: the total number of separate files cleaned by the virus scanner

Files Cleaned/sec: the rate at which separate files are cleaned by the virus scanner

Files Quarantined: the total number of separate files put into quarantine by the virus scanner

Files Quarantined/sec: the rate at which separate files are put into quarantine by the virus scanner

Bytes Scanned: the total number of bytes in all of the files processed by the virus scanner

Queue Length: the current number of outstanding requests queued for virus scanning

Folders Scanned in Background: the total number of folders processed by background scanning

Messages Scanned in Background: the total number of messages processed by background scanning
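The counters above are the raw material for outbreak and bottleneck alerting. The following is an added example, not code from the presentation or from HP: it turns a series of constructed counter samples (the cumulative Messages Processed and Messages Quarantined values plus the instantaneous Queue Length) into per-interval rates, treats a cumulative counter that goes backwards as a scanner restart (the "AV Service starting" test case), and raises two alerts: a jump in the share of quarantined messages, which is what a mass-mailing outbreak looks like, and a queue that keeps growing, which is the "push to bottleneck" condition from the performance tests. Sample values and thresholds are hypothetical.

```python
# Added example (not from the presentation): outbreak and backlog heuristics over
# the VSAPI counters. Counter samples are constructed; thresholds are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: int                     # seconds since collection started
    messages_processed: int    # cumulative "Messages Processed"
    messages_quarantined: int  # cumulative "Messages Quarantined"
    queue_length: int          # instantaneous "Queue Length"


@dataclass(frozen=True)
class Interval:
    t: int                     # end of the interval
    processed: int             # messages processed during the interval
    processed_per_sec: float   # what the "/sec" counter would show for the interval
    quarantined_per_sec: float
    quarantine_ratio: float    # quarantined / processed for the interval
    counter_reset: bool        # a cumulative counter went backwards (scanner restarted)


def delta(prev: int, cur: int):
    """Cumulative counters only grow; a drop means a restart and 'cur' is the new total."""
    return (cur - prev, False) if cur >= prev else (cur, True)


def intervals(samples):
    """Derive per-interval rates from consecutive cumulative samples."""
    out = []
    for a, b in zip(samples, samples[1:]):
        secs = b.t - a.t
        dp, r1 = delta(a.messages_processed, b.messages_processed)
        dq, r2 = delta(a.messages_quarantined, b.messages_quarantined)
        out.append(Interval(b.t, dp, dp / secs, dq / secs, dq / dp if dp else 0.0, r1 or r2))
    return out


def quarantine_alerts(ivs, ratio_threshold=0.05, min_processed=100):
    """(t, reason) for intervals where the quarantined share jumps, the signature of an
    outbreak. Reset intervals are skipped because their deltas are meaningless, and a
    minimum message count keeps a quiet minute with one hit from alerting."""
    return [(iv.t, f"quarantine ratio {iv.quarantine_ratio:.1%} over {iv.processed} messages")
            for iv in ivs
            if not iv.counter_reset and iv.processed >= min_processed
            and iv.quarantine_ratio >= ratio_threshold]


def backlog_alerts(samples, consecutive=3):
    """Sample times at which Queue Length has grown for `consecutive` intervals in a
    row: the scanner is falling behind the message rate."""
    run, alerts = 0, []
    for a, b in zip(samples, samples[1:]):
        run = run + 1 if b.queue_length > a.queue_length else 0
        if run >= consecutive:
            alerts.append(b.t)
    return alerts


# Constructed one-minute samples: quiet baseline, an outbreak from t=180,
# and a scanner service restart at t=360 (counters start again from a low value).
SAMPLES = [
    Sample(0, 0, 0, 2),
    Sample(60, 600, 6, 3),
    Sample(120, 1200, 12, 2),
    Sample(180, 2400, 400, 10),
    Sample(240, 3800, 900, 40),
    Sample(300, 5300, 1450, 120),
    Sample(360, 200, 5, 5),
]

if __name__ == "__main__":
    for t, why in quarantine_alerts(intervals(SAMPLES)):
        print(f"t={t}s possible outbreak: {why}")
    print("scanner backlog at", backlog_alerts(SAMPLES))
```

The ratio rule uses the cumulative counters rather than the "/sec" ones so that a missed sample does not distort the result; the "/sec" values are recomputed from the same deltas for display. In the constructed data the three outbreak minutes (t=180, 240, 300) all trip the ratio rule, the queue alert fires at t=300 after three consecutive increases, and the restart minute is reported as a reset rather than as a false negative.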

Page 74

AV Test Suites

Exchange 200X Server Mailbox and Public Folder Store virus protection

Test Suite 1: Normal Load

Test Suite 2: Peak Load (Stress Test)

Test Suite 3: Impact of RAID level, Multiple Storage Groups, and Stores

SMTP Front-End virus protection

Test Suite 4: Measure SMTP throughput and resource utilization with and without anti-virus scanning

Page 75

Testing Results Exchange 200X Scanning

Effectiveness ~100% - Known Viruses

Performance: Less Difference with VSAPI than MAPI but STILL SIGNIFICANT

Performance impact - Determinant Variables:

In-memory scanning vs. disk access

Message rate & size mix

Existing processor load & CPU(s)

See whitepaper at http://www.hp.com/solutions/activeanswers

Key Product Selection Criteria

Features & Functionality

Page 76

Product Selection Basics

Exchange 5.x, Exchange 2000, Exchange 2003 Compatibility

Version (Front-End Exchange Server, Windows Server SMTP only, or Back-End Store version)

Multiple stores and client access from MAPI, OWA, Internet protocols and the EXIFS (M: drive).

API Method used: MAPI, AVAPI, VSAPI or Combination?

Special Hardware Support, multi-processor, clusters, etc.

Remote installation, configuration, monitoring, updating, and management?

Enterprise (Multi-Server) Console and remote administration?

Administrative Console type: Web, MMC, both?

Scheduled, automatic updates of the virus signature files

Push or pull? Firewall/proxy settings? Can it fan out from an internal http or \\UNC share?

Scan Engine used (or multiple scan engines)

Does it scan in memory or must it write attachments to disk?

Scans all message content (attachments and compressed files, message body, HTML)

Heuristics or other technology to detect and prevent macro viruses and new viruses

Page 77

Product Selection Criteria

Features for dealing with virus outbreaks?

Purging or deletion of entire worm messages?

Customize alert messages to administrator(s), sender, and recipient?

Distinguish between external and internal? Choice of transports or alerting mechanisms such as NET SEND as well as e-mail?

Can it break or block digitally signed or encrypted e-mails to scan for viruses?

Exclude folders from manual scanning (e.g. Organizational Forms Library)?

Selective attachment blocking?

Does it provide any other form of content filtering?

Configure Quarantine thresholds

Maximum number of items, maximum size of Quarantine, oldest message in Quarantine, etc.

Page 78

More Features…

Anti-Virus Functionality

Control over scanning ‘bias’ – certainty versus performance

Delete Select Files: corrupted compressed, UUEncoded or Encrypted files

Control over depth of scanning: maximum number of nested attachments or compressed archives and maximum scan time

Scan Files Embedded in Documents

Trusted Scanning Domain

Content Control Functionality

Control over outbound disclaimers

Filter by file type, sender/domain, subject line, message contents

Control over Encrypted files – quarantine or log event

Provide sample policies or categories or weightings

Simple, Centralized Reporting

Page 79

Conclusions

Solving the Virus Problem is three-fold

1. Network Security

2. Content Control

3. System Operations

Commitment to Solution

99% 99.9% 99.99%

Scanning, Filtering, Lockdown

Pro-actively or Re-actively

Learning from Previous Outbreaks

Microsoft Responses

Outlook Security Patch

New, Improved VSAPI

Page 80

Appendices

Reference Slides follow

Page 81

Summary

Point of Attack: Entry into Organization
Issue / source of problem: Accepting active file content types
Solution points: File blocking (by extension or all active content)

Point of Attack: Front-End Servers & Firewalls – System Intrusion
Issue / source of problem: Certain MIME exploits or new virus, no signature
Solution points: Attachment blocking or filter by content – do not rely on attachment extensions (cannot trust MIME headers)

Point of Attack: Back-End Servers – Received via email messages
Issue / source of problem: Accepting active file content types
Solution points: File blocking and scanning for known viruses

Point of Attack: Opened in Email client
Issue / source of problem: Email client handling of attachments and address book access
Solution points: Attachment Blocking and Outlook Object Model Guard

Point of Attack: Personal Computer & User
Issue / source of problem: Attachment written to disk
Solution points: Desktop file-based anti-virus scanning

Point of Attack: Trick user into launching virus
Issue / source of problem: Fooled by attachment type or extension
Solution points: Change default action for scripts to Edit; un-hide file extensions in Explorer

Point of Attack: Opening unsafe attachments
Issue / source of problem: Lack of end-user awareness
Solution points: Corporate Policy and Anti-Viral Education Campaign

Point of Attack: Destructiveness of payload
Issue / source of problem: Power of logon context
Solution points: Network security, e.g. restricting shares; use RunAs or Remote Desktop
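The summary table's advice to filter by content rather than by attachment extension or MIME header, and the problem files from the test slide (zero-byte .COM, a double extension like .COM.com, encrypted ZIP, nested archives, a small ZIP that unpacks to more than the limit, an empty ZIP), are shown together in the following added example. It is not code from the presentation or from HP or any AV vendor: it is a small gateway-side inspector that decodes the attachments of a raw message, identifies each one by its magic bytes, compares that with the declared filename and Content-Type, and applies a nesting-depth limit, a declared-unpacked-size limit and an encrypted-entry check before expanding any archive. The policy values, the blocked-extension list and the sample message are all constructed for the example; the size limit is set to 1 MiB so that the demonstration runs quickly.

```python
# Added example (not from the presentation): inspect attachments by content, not by name.
# Policy values, extension list and the sample message are constructed for the demo.
import io
import struct
import zipfile
from dataclasses import dataclass
from email import message_from_bytes, policy as email_policy
from email.message import EmailMessage


@dataclass(frozen=True)
class Policy:
    blocked_extensions: frozenset = frozenset({"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"})
    max_zip_depth: int = 2             # do not expand archives nested deeper than this
    max_unpacked_bytes: int = 1 << 20  # 1 MiB for the demo; the slide's test used > 2 GB


# Magic bytes checked on the real content, whatever the filename or Content-Type claims.
MAGIC = (
    (b"MZ", "executable"),
    (b"PK\x03\x04", "zip"),
    (b"PK\x05\x06", "zip"),  # an empty archive is only the end-of-central-directory record
)


def inspect_bytes(name: str, data: bytes, declared: str, pol: Policy, depth: int) -> list:
    """Findings for one file, at top level (depth 1) or inside an archive."""
    findings = []
    exts = name.lower().split(".")[1:]
    if any(e in pol.blocked_extensions for e in exts):
        label = "double extension" if len(exts) > 1 else "extension"
        findings.append(f"blocked {label} .{'.'.join(exts)}")
    if not data:
        findings.append("zero-byte attachment: nothing to scan, strip or block it")
        return findings
    kind = next((k for sig, k in MAGIC if data.startswith(sig)), None)
    if kind and declared.startswith("text/"):
        findings.append(f"declared Content-Type {declared} does not match {kind} content")
    if kind == "executable":
        findings.append(f"executable content by magic bytes regardless of name {name!r}")
    elif kind == "zip" and depth > pol.max_zip_depth:
        findings.append(f"zip nesting depth {depth} exceeds limit {pol.max_zip_depth}")
    elif kind == "zip":
        findings += inspect_zip(data, pol, depth)
    return findings


def inspect_zip(data: bytes, pol: Policy, depth: int) -> list:
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["corrupt or truncated zip archive"]
    infos = zf.infolist()
    if not infos:
        return ["empty zip archive"]
    declared = sum(i.file_size for i in infos)  # checked before expanding anything
    if declared > pol.max_unpacked_bytes:
        return [f"declared unpacked size {declared} bytes exceeds limit {pol.max_unpacked_bytes}"]
    findings = []
    for info in infos:
        if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
            findings.append(f"encrypted zip entry {info.filename!r} cannot be scanned")
        else:
            findings += inspect_bytes(info.filename, zf.read(info), "application/octet-stream", pol, depth + 1)
    return findings


def inspect_message(raw: bytes, pol: Policy = Policy()) -> dict:
    """Map each attachment's filename to its findings (empty list = nothing found)."""
    msg = message_from_bytes(raw, policy=email_policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        report[name] = inspect_bytes(name, data, part.get_content_type(), pol, depth=1)
    return report


# --- constructed sample data ---
def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def mark_encrypted(one_entry_zip: bytes) -> bytes:
    """Set the 'encrypted' flag bit in the local and central headers of a one-entry zip,
    so a scanner sees what a password-protected archive looks like (data is not encrypted)."""
    b = bytearray(one_entry_zip)
    for off in (6, b.find(b"PK\x01\x02") + 8):
        struct.pack_into("<H", b, off, struct.unpack_from("<H", b, off)[0] | 0x1)
    return bytes(b)


def build_sample_message() -> bytes:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "constructed test"
    msg.set_content("See attachments.")
    add = msg.add_attachment
    add(b"quarterly notes\n", maintype="text", subtype="plain", filename="notes.txt")
    add(b"", maintype="application", subtype="octet-stream", filename="empty.com")
    add(b"MZ" + b"\x00" * 60, maintype="text", subtype="plain", filename="report.txt.exe")
    add(mark_encrypted(make_zip({"payload.doc": b"x" * 100})), maintype="application", subtype="zip", filename="secret.zip")
    add(make_zip({"mid.zip": make_zip({"inner.zip": make_zip({"a.txt": b"hi"})})}), maintype="application", subtype="zip", filename="nested.zip")
    add(make_zip({"big.bin": b"\x00" * (2 << 20)}), maintype="application", subtype="zip", filename="big.zip")
    add(make_zip({}), maintype="application", subtype="zip", filename="nothing.zip")
    return msg.as_bytes()
```

Run `inspect_message(build_sample_message())` to see the report: `notes.txt` comes back clean; `report.txt.exe` is flagged three times (blocked double extension, text/plain declared for executable bytes, MZ header), which is the point of checking content rather than trusting either the name or the header. The ZIP checks deliberately refuse to expand an archive before its declared sizes and nesting depth have been checked, and an encrypted entry is reported rather than silently skipped, matching the "control over encrypted files: quarantine or log event" selection criterion.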

Page 82

Links to More Information

ActiveAnswers
http://www.hp.com/solutions/activeanswers

AV Vendors
http://www.gfi.com/mailsecurity/msecpapers.htm

“One virus engine is not enough: The case for maximizing network protection with multiple anti-virus scanners”

“Why you need an email exploit detection engine: Companies must supplement anti-virus protection for maximum security”

“Protecting your network against email threats: How to block email viruses and attacks”

“Why anti-virus software is not enough: The urgent need for server-based email content checking”

http://www.symantec.com/avcenter/whitepapers.html

http://www.trendmicro.com/download/whitepapers/

http://www.sybari.com/products/whitepapers.asp

Page 83

System Operations

Solving the Virus Problem

Turning Down the Automation

Default Script Actions

Hidden File Extensions

Outlook Security Updates + Windows Patches

Client Configuration

Hidden extensions

Backdoors and Intrusion Detection

Personal firewall e.g. ZoneAlarm

Page 84

Virus ‘Lifecycle’

[Diagram: points of entry and the control applied at each stage]

HTTP, SMTP, File-based (media), Foreign MTA

Front-End Servers: Firewalls

Back-End (Mailbox) Servers: Real-time Scanning

Email Clients (Outlook Web Access, Outlook, Outlook Express): Attachment Blocking, Object Model Guard

PC Configuration: File Extensions, Automation & Default File Actions

User Logon Context

Page 85

Further Reading

“Mission-Critical Active Directory”, Jan De Clercq, Micky Balladelli, Digital Press, ISBN 1-55558-240-0

“Windows Server 2003 Security Infrastructures” Jan De Clercq, To be published late 2003

Page 86

Questions?

[email protected]@HP.com

Page 87

Community Resources

Community Resources
http://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP)
http://www.mvp.support.microsoft.com/

Newsgroups
Converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx

User Groups
Meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx

Page 88

Suggested Reading And Resources

The tools you need to put technology to work!

Title / Available

Microsoft® Exchange Server 2003 Administrator's Companion: 0-7356-1979-4 / 9/24/03

Active Directory® for Microsoft® Windows® Server 2003 Technical Reference: 0-7356-1577-2 / Today

Microsoft Press books are 20% off at the TechEd Bookstore

Also buy any TWO Microsoft Press books and get a FREE T-Shirt

Page 89

Evaluations

Page 90

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.