Secure Messaging with MicrosoftВ® Exchange Server 2003 (Pro-Other)

A quote / A note / And one you won t believe

It's better to give / Than to receive!

”Run-DMC, Christmas Is

Understanding Security Auditing

Imagine that you took a new job as the lead Microsoft Exchange administrator and architect for a large company. What s the first thing you d want to do? Hopefully, after reading this far, your first instinct would be to audit the security of the company s Exchange organization, looking for holes and potential weaknesses. In a perfect world, you d have the time and resources to do exhaustive testing, all the way up to hiring a high-end consultancy like @stake to come in and do a complete penetration test. Because that s a fantasy for most of us, in this chapter I ve composed a list of questions you should ask and things you should look for when auditing the organization s Exchange security.

This isn t a comprehensive list, but it does focus attention on the key areas of messaging security covered in this book. I ve broken the questions down into categories that follow the chapter structure of the book so that you can quickly refer to the areas that are the most interesting to you.

Physical and Operational Security

• Are all of your Exchange servers adequately protected against physical attack, damage, or theft?

• What about the infrastructure servers on which they depend?

• Are critical machines protected with appropriate physical protective measures (for example, locked cases)?

• Do your laptop users have and use locking cables for their laptops?

• Are laptops protected with the Encrypting File System (EFS)?

Windows Server Security

• Are your machines up to date on service packs and security patches right now? Are you sure?

• Do you regularly use some kind of patch assessment tool (like Systems Management Server or Microsoft Baseline Security Analyzer) to inventory patches on your machines?

• Do you have an automated patch distribution system either deployed or planned? If not, why not? (Remember, the Microsoft Software Update Service, or SUS, is free, so cost factors aren t an acceptable excuse .)

• What group policies apply to your Exchange and infrastructure servers? Your client machines?

• Have you built your Active Directory infrastructure into role-based organizational units (OUs) so you can easily apply security templates?

• What security templates have you applied? If they ve been customized, how are you keeping track of the changes?

• What password policies are in effect? Do you force regular password changes?

Exchange Installation Security

• What account was used to install your Exchange organization?

• What accounts and groups have Exchange View-Only Admin permissions? Exchange Admin permissions? Exchange Full Admin permissions?

• Who has access to modify membership in the Exchange Domain Servers group?

• What permissions are granted on the Exchange organization object? Each administrative group? Each routing group? Each server? Make sure that these are recorded on paper somewhere so that you have a baseline to compare against.

• What permissions are now in effect on the tracking log shares on your servers?

SMTP Security and Antispam

• Do you allow the use of Simple Mail Transfer Protocol (SMTP) authentication for relaying? (If so, check out the description of SMTP AUTH attacks in Chapter 10, Antivirus Protection. )

• Are there specific target domains with which you could be using Transport Layer Security (TLS)?

• Is your relaying configuration secure against exploitation by spammers?

• Are you using a perimeter or server-based antispam product? Do you keep track of its effectiveness so you know when it needs tuning?

• Are you using Domain Name System (DNS) block lists? Do you have processes to regularly monitor what they re blocking to ensure that you re not losing legitimate mail?

• Are you using sender or recipient filtering? If so, what exactly are the filters configured to block?

Antivirus Protection

• Have you deployed antivirus scanners on your perimeter or bridgehead machines?

• Do you have Exchange-aware scanners deployed on your Exchange servers?

• Are your client machines protected by a good-quality desktop antivirus scanner?

• For all of your antivirus products, have you configured them to regularly pull updates? Have you verified that they can get updates on request?

Content Screening

• Do you have to encrypt content sent to specified destinations?

• Do you have a content filtering solution in place to block bad content? (Remember, your definition of bad might vary.)

• Are you required to screen or block incoming or outgoing content based on its use of encryption?

Internet Communications Security

• Have you properly configured Secure Sockets Layer (SSL) for your Internet- facing servers?

• Do you have any domain member servers located in your perimeter network?

• What ports are open from the Internet to your perimeter network? From the perimeter network to your internal network?

• Are you using Internet Protocol Security (IPSec) where appropriate?

PKI and E-Mail Security

• Do you have a deployed public-key infrastructure (PKI)?

• If so, are your PKI certificate authorities (CAs) protected with adequate physical and network security?

• Who issues your users certificates? If you use an internal CA, which specific people in your organization have the ability to issue and revoke certificates?

• Do you maintain records of issuance and revocation?

• Who controls your domain certificate trust list?

• Do you have organizational requirements for cross-certification support?

Client Security

• Do you have a process in place to get regular updates for the Microsoft Office Outlook 2003 Junk Mail Filter?

• Are you using the Microsoft Office policy templates to apply client-side security policies? If so, what policies are you applying?

• Are your client machines running antivirus software?

• Do you have a continuing program in place to help teach (or perhaps remind ) users about safe attachment handling processes?

• Are you using remote procedure call (RPC) over HTTP Secure (HTTPS)? If so, are you using it in conjunction with Microsoft Internet Security and Acceleration (ISA) Server or another RPC-aware screener?

Outlook Web Access and Front-End Server Security

• Are all front-end servers configured to require the use of SSL for Outlook Web Access?

• Is form-based authentication in use? If so, are appropriate time-out values in use?

• Are end users now using freedocs? If so, should you be restricting access to them?

• Have you implemented attachment blocking? If so, are the settings for attachment blocking consistently applied to all of your servers?

• Have you customized the list of blocked attachment types for Microsoft Outlook Web Access? (Remember, this list is completely independent of the list that Outlook uses.)

• Have you considered using a reverse proxy to make it easier to publish Outlook Web Access securely?

• Are you using IPSec to protect communications between front- and back- end servers?

• How is authentication configured on your front-end servers? Have you taken appropriate precautions to secure the underlying Microsoft Internet Information Services (IIS) installation?

• Have you customized the URLScan configuration on your machines? Do you have printed records of the configuration anywhere ?

Mobile Device Security

• How many mobile devices are your users using?

• Do you have any system in place for deciding who can and cannot have mobile device access to your Exchange resources?

• If you re not using Microsoft Outlook Mobile Access, have you disabled it for your users?

• Are your devices adequately protected by personal identification numbers (PINs)? Do you occasionally spot-check devices to ensure this? Are users trained to keep their PINs confidential?

• What procedures do you follow in case of a lost or stolen device?

• Do you have to load your organizational root certificate onto new devices? Do you have a process for doing so?

POP3, IMAP4, and NNTP Security

• Do you allow Post Office Protocol 3 (POP3), Internet Message Access Protocol 4 (IMAP4), or Network News Transfer Protocol (NNTP) traffic to your servers?

• If so, do you allow these protocols to be used with or without SSL? If you allow unsecured use of these protocols, remember that an attacker might be able to steal your users credentials.

Discovery, Compliance, Archiving, and Retention Security

• Does your organization fall under any of the legal, regulatory, or case law requirements discussed in Chapter 17, Discovery, Compliance, Archive, and Retrieval, and Chapter 20, The Law and Your Exchange Environment ?

• If so, do you have a discovery, compliance, archiving, and retention plan that meets your requirements?

Auditing and Logging

• Do you have processes in place to automatically monitor the event log for unusual events?

• Are you currently using an automated tool like the Microsoft Audit Collection System (MACS) to correlate events between event logs on different machines?

• Is anyone monitoring the event log for event ID 1016s and ensuring that the only ones that appear are from legitimate sources?