Implementing Exchange Server Security Ward Solutions

Upload: aleesha-cross

Post on 23-Dec-2015


TRANSCRIPT

Page 1: Implementing Exchange Server Security Ward Solutions

Implementing Exchange Server Security

Ward Solutions

Page 2: Implementing Exchange Server Security Ward Solutions

Session Prerequisites

Hands-on experience with Microsoft Windows Server 2003

Working knowledge of Microsoft Exchange Server 2003

Working knowledge of Internet protocols including POP3, IMAP4, SMTP, HTTP, and NNTP

Working knowledge of networking, including TCP/IP, DNS, and IIS

Basic understanding of PKI concepts and technologies

Level 300

Page 3: Implementing Exchange Server Security Ward Solutions

Session Overview

Implementing Exchange Server

Securing Exchange Server Services and Messaging Protocols

Maintaining Security on Exchange Server

Configuring Exchange to Protect Against Unwanted E-Mail

Page 4: Implementing Exchange Server Security Ward Solutions

Implementing Exchange Server

Implementing Exchange Server

Securing Exchange Server Services and Messaging Protocols

Maintaining Security on Exchange Server

Configuring Exchange to Protect Against Unwanted E-Mail

Page 5: Implementing Exchange Server Security Ward Solutions

Exchange Server 2003 Security Overview

Secure by design

Support for Sender, Recipient and Connection filtering, including Block List services

Secure by default

User logon on server disabled

Messaging limits configuration of 10MB

Microsoft Exchange Server 2003 Security Enhancements http://www.microsoft.com/exchange/evaluation/security_E2k3.mspx

Page 6: Implementing Exchange Server Security Ward Solutions

Exchange Server Deployment Scenarios

[Diagram: three deployment scenarios (general deployment, FE/BE deployment, ISA Server integrated). Labels: Internet, Exchange server, front-end Exchange server, back-end Exchange servers, ISA server.]

Page 7: Implementing Exchange Server Security Ward Solutions

Hosted Exchange

Page 8: Implementing Exchange Server Security Ward Solutions

Exchange Server Client Scenarios

Exchange Server 2003 client scenarios include the following:

General client access:

Microsoft Outlook

Mobile client access:

Outlook Web Access

Outlook Mobile Access

Exchange Server ActiveSync

Page 9: Implementing Exchange Server Security Ward Solutions

Configuration and Security Update Recommendations for Exchange Server

Component | Configuration
Operating system and software | Microsoft Windows Server 2003 with the latest security updates; Exchange Server 2003 with Service Pack 1 (or higher); Microsoft Exchange Intelligent Message Filter
Browser | Internet Explorer 6 with the latest security updates
Security update management | Microsoft Baseline Security Analyzer

Page 10: Implementing Exchange Server Security Ward Solutions

Implementing a Defense-in-Depth Approach to Exchange Server Security

Using a layered approach:

Increases an attacker’s risk of detection

Reduces an attacker’s chance of success

Data: Strong passwords, ACLs, backup and restore strategy

Application: Application hardening

Host: OS hardening, authentication, security update management, antivirus updates, auditing

Internal network: Network segments, NIDS

Perimeter: Firewalls, border routers, VPNs with quarantine procedures

Physical security: Guards, locks, tracking devices

Policies, procedures, and awareness: Security policies, procedures, and education

Page 11: Implementing Exchange Server Security Ward Solutions

Securing Exchange Server Services and Messaging Protocols

Implementing Exchange Server

Securing Exchange Server Services and Messaging Protocols

Maintaining Security on Exchange Server

Configuring Exchange to Protect Against Unwanted E-Mail

Page 12: Implementing Exchange Server Security Ward Solutions

Securing Exchange Servers: What Are the Challenges?

Challenges to securing an Exchange server include:

Maintaining the security of the underlying Windows infrastructure

Maintaining baseline security hardening practices

Understanding security options for various deployment scenarios

Page 13: Implementing Exchange Server Security Ward Solutions

Hardening the Messaging Environment

To harden your Exchange messaging environment, deploy the following:

Environment | Configuration
Server environment | Domain, Domain Controller, and Member Server Baseline Policy templates; Windows Server 2003 Security Guide at http://go.microsoft.com/fwlink/?LinkId=21638
Messaging environment | Exchange Domain Controller Baseline Policy template; Exchange Server 2003 Security Hardening Guide at http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exsecure.mspx

Page 14: Implementing Exchange Server Security Ward Solutions

Hardening Back-End Exchange Servers

Tasks for hardening back-end Exchange servers include:

Hardening services

Hardening file access control lists (ACLs)

Changing privilege rights

Enabling additional services (optional)

Apply the Exchange 2003 Backend.inf security template to your back-end servers

Page 15: Implementing Exchange Server Security Ward Solutions

Hardening Front-End Exchange Servers

Tasks for hardening front-end Exchange servers include:

Hardening services

Hardening file access control lists (ACLs)

Enabling additional services (optional)

Running URLScan (optional but recommended)

Dismounting the mailbox store and deleting the public folder store (optional but recommended)

Apply the Exchange 2003 Frontend.inf security template to your front-end servers

Page 16: Implementing Exchange Server Security Ward Solutions

Understanding SMTP Relaying

SMTP Relaying: When an SMTP server accepts mail from one DNS domain addressed to mailboxes in another domain, neither one of which the server owns

Relaying may be necessary when:

Accepting mail for another organization

Supporting clients that use POP3 or IMAP4

Supporting applications that generate SMTP mail

Prevent open relays by:

Allowing only authenticated computers to relay

Restricting relaying to specific computers or users

Using an SMTP connector to relay mail to particular domains
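
The relay decision described on this slide can be modeled as a small policy check. This is an added example, not code from the presentation or from Exchange; the class and function names, the policies, and all addresses and domains are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RelayPolicy:
    local_domains: set                       # domains this server owns
    allow_authenticated: bool = True         # authenticated clients may relay
    allowed_networks: list = field(default_factory=list)  # specific computers
    connector_domains: set = field(default_factory=set)   # domains relayed via an SMTP connector

def rcpt_domain(address):
    return address.rsplit("@", 1)[-1].lower().rstrip(".")

def decide(policy, client_ip, authenticated, rcpt_to):
    """Return (accepted, reason) for one RCPT TO on an inbound session.

    MAIL FROM is ignored on purpose: it is client-supplied, so it cannot
    prove that the sender belongs to a domain this server owns.
    """
    domain = rcpt_domain(rcpt_to)
    if domain in policy.local_domains:
        return True, "local delivery"
    # Everything below is relaying: the recipient domain is not ours.
    if policy.allow_authenticated and authenticated:
        return True, "relay: authenticated client"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in policy.allowed_networks):
        return True, "relay: listed computer"
    if domain in policy.connector_domains:
        return True, "relay: connector domain"
    return False, "relay denied"

def is_open_relay(policy):
    """Audit check: can an anonymous, unlisted client relay to an unrelated domain?"""
    accepted, _ = decide(policy, "203.0.113.50", False, "someone@unrelated.example")
    return accepted

# Constructed policies (documentation address ranges and .example domains).
HARDENED = RelayPolicy(
    local_domains={"corp.example"},
    allowed_networks=["10.20.0.0/24"],        # application servers that send SMTP mail
    connector_domains={"partner.example"},    # mail accepted for another organization
)
MISCONFIGURED = RelayPolicy(
    local_domains={"corp.example"},
    allowed_networks=["0.0.0.0/0"],           # "specific computers" set to everyone
)

if __name__ == "__main__":
    for name, policy in (("hardened", HARDENED), ("misconfigured", MISCONFIGURED)):
        print(name, "open relay:", is_open_relay(policy))
    print(decide(HARDENED, "198.51.100.7", True, "friend@elsewhere.example"))
    print(decide(HARDENED, "10.20.0.15", False, "customer@elsewhere.example"))
    print(decide(HARDENED, "198.51.100.7", False, "contact@partner.example"))
```

The three accepted relay cases in the hardened policy correspond to the three situations the slide lists as legitimate reasons to relay; the misconfigured policy shows how an over-broad computer list turns the same server into an open relay.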

Page 17: Implementing Exchange Server Security Ward Solutions

Demonstration 1: Securing and Testing SMTP Relaying

Securing SMTP relaying and testing for open relays

Page 18: Implementing Exchange Server Security Ward Solutions

Securing SMTP Communication Between Mail Servers

To secure SMTP communication between servers:

1. Install and configure an X.509 certificate on the SMTP server

2. Enable and configure TLS encryption for inbound mail

3. Enable and configure TLS encryption for outbound mail to specific domains

Page 19: Implementing Exchange Server Security Ward Solutions

Securing Exchange Servers: Best Practices

Limit Exchange Server functionality to clients that are strictly required

Remain current with the latest updates for both Exchange Server 2003 and the operating system

Use SSL/TLS and forms-based authentication for Outlook Web Access

Use ISA Server 2004 to regulate access for HTTP, RPC over HTTPS, POP3, and IMAP4 traffic

Page 20: Implementing Exchange Server Security Ward Solutions

Maintaining Security on Exchange Server

Implementing Exchange Server

Securing Exchange Server Services and Messaging Protocols

Maintaining Security on Exchange Server

Configuring Exchange to Protect Against Unwanted E-Mail

Page 21: Implementing Exchange Server Security Ward Solutions

Maintaining Security on Exchange Server: What Are the Challenges?

Challenges to maintaining security on an Exchange server include:

Keeping up with the latest security updates

Keeping up with recommended best practices

Understanding the impact of configuring the various options within Exchange Server

Maintaining documentation on configuration and security settings

Page 22: Implementing Exchange Server Security Ward Solutions

Analyzing Exchange Server 2003 Using MBSA

MBSA checks for issues related to the following:

Known Windows and Internet Explorer security issues

Missing security updates

Weak account passwords

Internet Information Services (IIS) security issues

Exchange Server security issues

SQL Server security issues

Page 23: Implementing Exchange Server Security Ward Solutions

Validating Exchange Server Configuration Settings

ExBPA can examine your Exchange servers to:

Generate a list of issues, such as misconfigurations or unsupported or non-recommended options

Judge the general health of a system

Help troubleshoot specific problems

Page 24: Implementing Exchange Server Security Ward Solutions

Demonstration 2: Analyzing Configuration Settings on Exchange Server 2003

Analyze Exchange Server using MBSA and the ExBPA Tool

Page 25: Implementing Exchange Server Security Ward Solutions

Implementing Antivirus Protection on Exchange Server

Consider the following when designing and implementing an antivirus solution:

Design a defense-in-depth approach

Implement an antivirus scanner that supports AVAPI 2.5

Prevent file-based scanning on Exchange Server folders

Page 26: Implementing Exchange Server Security Ward Solutions

Configuring Exchange to Protect Against Unwanted E-Mail

Implementing Exchange Server

Securing Exchange Server Services and Messaging Protocols

Maintaining Security on Exchange Server

Configuring Exchange to Protect Against Unwanted E-Mail

Page 27: Implementing Exchange Server Security Ward Solutions

Preparing for and Installing IMF - what is Spam?

Unsolicited Commercial E-mail

More than 50% of email traffic

Costly use of resources

IT

Personnel

Potentially offensive

Page 28: Implementing Exchange Server Security Ward Solutions

Phishing

Page 29: Implementing Exchange Server Security Ward Solutions
Page 30: Implementing Exchange Server Security Ward Solutions
Page 31: Implementing Exchange Server Security Ward Solutions
Page 32: Implementing Exchange Server Security Ward Solutions

Preparing for and Installing IMF - Microsoft’s Anti-UCE Strategy

Innovative Technologies

Industry Self-Regulation and Cooperation

Working with Governments

Page 33: Implementing Exchange Server Security Ward Solutions

What Are the Exchange Options for Limiting Unwanted E-Mail?

Options to limit unwanted e-mail include:

Recipient filtering

Sender filtering

Connection filtering

Microsoft Exchange Intelligent Message Filter

Page 34: Implementing Exchange Server Security Ward Solutions

Preparing for and Installing IMF

[Diagram: filtering stages shown ahead of the Information Store: Accept/Deny Lists, 3rd-party Block Lists, Recipient Filter, Sender Filtering, Intelligent Message Filter.]

Page 35: Implementing Exchange Server Security Ward Solutions

Preparing for and Installing IMF - Exchange 2003 Anti Spam Strategy

Feature | Filter Point | Resource Cost
Accept/Deny Lists | SMTP Session
Block Lists | SMTP Session
Exchange Sender Filter | SMTP Gateway
Recipient Filtering | SMTP Gateway
Intelligent Message Filter | Gateway/User Mailbox

Page 36: Implementing Exchange Server Security Ward Solutions

Configuring Filtering by Recipient Address

Recipient filtering blocks mail to specified addresses within your domain and filters e-mail addressed to users who are not in your Active Directory

Page 37: Implementing Exchange Server Security Ward Solutions

Configuring Filtering by Sender Address or Domain

Sender filtering blocks mail from specified senders or domains

Page 38: Implementing Exchange Server Security Ward Solutions

Implementing Real-Time Block List Support Using Connection Filtering

Connection filtering is used to configure Exchange Server to contact a Real-Time Block List (RBL) provider

Page 39: Implementing Exchange Server Security Ward Solutions

Demonstration 3: Implementing Real-Time Block List Support

Configure Real-Time Block List Support

Page 40: Implementing Exchange Server Security Ward Solutions

Overview of Exchange Intelligent Message Filter

Exchange Intelligent Message Filter is an add-on product to help companies reduce the amount of unsolicited commercial e-mail received by users

Page 41: Implementing Exchange Server Security Ward Solutions

Preparing for and Installing IMF - Intelligent Message Filtering

Utilizes Smart Screen Machine Learning

Applied at the gateway

Marks message with Spam Confidence Level (SCL) rating

Utilized throughout the mail stream

Scans headers, body of message and other attributes.

Hotmail and MSN

Outlook 2003 – Junk Folder

3rd Party products

Page 42: Implementing Exchange Server Security Ward Solutions

Deploying the Intelligent Message Filter

[Diagram: Internet, firewall, Exchange gateway servers running Intelligent Message Filter, Exchange intranet servers.]

Intelligent Message Filter handles e-mail based upon two thresholds:

Gateway blocking configuration

Store junk e-mail configuration

Page 43: Implementing Exchange Server Security Ward Solutions

Smart Screen Technology

[Diagram: the Smart Screen algorithm on the gateway server, the mailbox store server, the client, and 3rd-party tools, with messages labeled SCL 5 and SCL 8.]

Page 44: Implementing Exchange Server Security Ward Solutions

How the Intelligent Message Filter Works with Exchange and Outlook

[Flow diagram. Exchange Server 2003 gateway server: connection filtering, recipient filtering, sender filtering, Intelligent Message Filter (gateway threshold). Exchange Server 2003 back-end: store threshold. User mailbox: safe sender and blocked sender checks (Yes/No) leading to Inbox or Junk. Other labels: Internet, Spam.]
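
The two-threshold handling on the preceding slides can be traced with a short model. This is an added example, not code from the presentation or from the Intelligent Message Filter; the names are hypothetical, the thresholds 8 and 5 are sample values, and the comparison rules (gateway acts on SCL at or above its threshold, store moves mail above its threshold) and the 0 to 9 SCL range are assumptions stated in the comments.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ImfThresholds:
    gateway: int = 8   # gateway blocking configuration (sample value)
    store: int = 5     # store junk e-mail configuration (sample value)

def route(cfg, scl, sender, safe_senders=frozenset(), blocked_senders=frozenset()):
    """Return where a message with Spam Confidence Level `scl` ends up.

    safe_senders and blocked_senders are sets of lowercase addresses.
    """
    # Assumption: the gateway acts on SCL >= gateway threshold.
    if scl >= cfg.gateway:
        return "blocked at gateway"
    # The user's lists apply in the mailbox, so they are only consulted
    # for mail that the gateway has already let through.
    who = sender.strip().lower()
    if who in safe_senders:
        return "Inbox"
    if who in blocked_senders:
        return "Junk"
    # Assumption: the store moves mail to Junk on SCL > store threshold.
    return "Junk" if scl > cfg.store else "Inbox"

def disposition_bands(cfg, scl_range=range(0, 10)):
    """Map each outcome to the SCL values (assumed 0..9) that reach it
    for a sender on neither list."""
    bands = {"Inbox": [], "Junk": [], "blocked at gateway": []}
    for scl in scl_range:
        bands[route(cfg, scl, "unlisted@sender.example")].append(scl)
    return bands

def dead_store_threshold(cfg):
    """True when no SCL value can reach Junk via the store threshold,
    i.e. the gateway removes everything the store rule would have caught."""
    return not disposition_bands(cfg)["Junk"]

if __name__ == "__main__":
    cfg = ImfThresholds()
    print(disposition_bands(cfg))
    # A safe-sender entry cannot rescue mail the gateway already blocked.
    print(route(cfg, 9, "news@vendor.example",
                safe_senders={"news@vendor.example"}))
    print(dead_store_threshold(ImfThresholds(gateway=8, store=8)))
```

Printing the bands for a proposed pair of thresholds before deploying them shows which SCL values end up in each place and whether the store threshold has any effect at all.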

Page 45: Implementing Exchange Server Security Ward Solutions

Managing IMF Archived Messages Using the Archive Manager

Archive Manager C# tool released with source on GotDotNet

http://workspaces.gotdotnet.com/imfarchive

Supports the following features:

Tree view of the Archive directory of messages

View of RFC2822 decoded headers and raw message

Resubmission of message to pickup directory

Deletion of messages

Forwarding of message as attachment to third-party address

Page 46: Implementing Exchange Server Security Ward Solutions

Demonstration 4: Implementing Exchange Intelligent Message Filter

Implement and configure Intelligent Message Filter

Page 47: Implementing Exchange Server Security Ward Solutions

Session Summary

Deploy Exchange Server 2003 and Microsoft Office Outlook 2003 to take advantage of the latest security enhancements

Implement the appropriate base and incremental security templates to fully secure Exchange Server

Install Exchange-aware antivirus applications and maintain security using the MBSA and ExBPA tools

Protect against unwanted e-mail by implementing a layered approach using features such as filtering and the Intelligent Message Filter utility

Page 48: Implementing Exchange Server Security Ward Solutions

Next Steps

Find additional security training events:

http://www.microsoft.com/seminar/events/security.mspx

Sign up for security communications:

http://www.microsoft.com/technet/security/signup/default.mspx

Find additional e-learning clinics

https://www.microsoftelearning.com/security

Get additional security information on Exchange Server 2003:

http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/default.mspx

Page 49: Implementing Exchange Server Security Ward Solutions

Questions and Answers