msg308 secure access to exchange from the internet steve riley microsoft corporation

MSG308

Secure Access to Exchangefrom the Internet

Steve Riley

Microsoft Corporation

FAQs

Exchange?On the Internet??

Are you out of your #!%@&$ mind???

It’s topical

Design alternativesVPNs

OWA

RPC—native and over HTTP

Recommended designTo DMZ or not to DMZ…that is the question

This session…

Is about—Securing Internet access to an Exchange installation

Isn’t about—General Exchange security

VPNs

The usual choice

VPN clients in all versions of WindowsYes, PPTP can be made secure

L2TP+IPsec is the future

Technology is well-understoodNeeds an IT staff, though

More work than most small and medium organizations want to deal with

Technical problems

Won’t work in some public locationsVPN protocols blocked

IPSec vs. NATBut see SEC406, 3:15 Thurs, Ballroom A 3-4!

Packet fragmentationIKE

IPSec NAT-T

Technical problems

Default gateway modificationsAll traffic goes to VPN tunnel

No access to local network

Split-tunneling often disallowedThis is a good thing!

VPNs are useful to connect remote clients to corporate networks

Less useful when connecting from corporate network to some ASP

Outlook Web Access

Universal availability

Browsers are everywhere

Familiar interface

OWA 2003 is almost just like Outlook

Security issues

HTTPS is the transportIntrusion detection?

Conformance to email policy?

OWA 2000 has no session timeoutFixed in OWA 2003

Forms authentication—cookie for session

Typical design

GoodSeparates protocol from message store

Network protection

BadTunnel through outside firewall: no inspection

Many holes in inside firewall for authentication

Anonymous initial connections to OWA

ExBEExBE ADAD

OWAOWA

Improving OWA security

Security goalsInspect SSL traffic

Maintain wire privacy

Enforce conformance to HTML/HTTP

Allow only known URL constructionBlock URL-borne attacks

OptionallyPre-authenticate incoming connections

Protect OWA with ISA Server

ISA Server becomes the “bastion host”

Web proxy terminates all connections

Decrypts HTTPS

Inspects content

Inspects URL (with URLScan)

Re-encrypts for delivery to OWA

OWAOWA

ISAISAServerServer

ExchangeExchange ADAD

x36dj23sx36dj23s2oipn49v2oipn49v<a href…<a href…http://...http://...

Protect OWA with ISA Server

Easy authentication to Active Directory

Pre-authenticate communications

ISA Server queries user for credentials

Verifies against AD

Embeds in HTTP headers to OWA

Avoids second prompt!

Requires FP1

OWAOWA

ISAISAServerServer

ExchangeExchange ADAD

404404

Results

Known good content

Known good URL

Known good user

Dare I say it… trusted access?

Exchange RPCon the Internet

RPC on the Internet?

Business case

Many users require full OutlookThird-party plugins

Mailbox synchronization

Client-side rules

Complete address book

VPNs are too costly if this is the only requirement

Design choices

Run it naked

Assign the RPC ports

Use RPC over HTTP

Publish with ISA Server

RPC server RPC server (Exchange)(Exchange)RPC server RPC server (Exchange)(Exchange)

RPC client RPC client (Outlook)(Outlook)

RPC client RPC client (Outlook)(Outlook)

Service UUID Port

Exchange {12341234-1111… 4402

AD replication {01020304-4444… 3544

MMC {19283746-7777… 9233

RPC services grab random RPC services grab random high ports when they start, high ports when they start,

server maintains tableserver maintains table

RPC connection setup

135/tcp135/tcp

Client connects to Client connects to portmapper on server portmapper on server

(port 135/tcp)(port 135/tcp)Client knows UUID Client knows UUID of service it wantsof service it wants

{12341234-1111…}{12341234-1111…}

Client accesses Client accesses application over application over

learned portlearned port

Client asks, “What Client asks, “What port is associated port is associated with my UUID?”with my UUID?”

Server matches UUID to Server matches UUID to the current port…the current port…

4402/tcp4402/tcp

Portmapper responds Portmapper responds with the port and closes with the port and closes

the connectionthe connection

4402/tcp4402/tcp

Design choices

Run it naked

Assign the RPC ports

Use RPC over HTTP

Publish with ISA Server

RPC naked on the net

GoodEasy to build!

BadEasy to compromise!

Firewall must permit all traffic on all high ports

Firewall can’t tell what’s Exchange and what isn’t

No protection against RPCDump, for instance

ExchangeExchange

Potential RPC attacks

ReconnaissanceNETSTAT

RPCDump

DoS against portmapper

Privilege escalation or other specific service attacks

Design choices

Run it naked

Assign the RPC ports

Use RPC over HTTP

Publish with ISA Server

Registry keys

Need to set fixed port numbers forInformation Service

Directory Service

System Attendant

See KB 148732

Best to use ports just above 5000

Fixed RPC ports

GoodStill easy to build

Limited open ports on firewall

135/tcp + 3 high ports

BadStill easy to compromise

Doesn’t stop any of the previous attacks

Firewall still can’t tell what’s Exchange and what isn’t

Scaleable?

ExchangeExchange

Design choices

Run it naked

Assign the RPC ports

Use RPC over HTTP

Publish with ISA Server

New in Exchange 2003

Result of high customer demand

UsefulAll firewalls allow 80/tcp and 443/tcp

Enables access from any location

No special firewall setup required

But is it secure?

Look back at the last slide…Not necessarily positive attributes

Simply running RPC over HTTP doesn’t solve all the problems

No protocol awareness in firewall

No pre-authenticated connections

No inspection if HTTPS

Is secure from RPC-borne attacksUntil attack tools have HTTP wrappers…

What’s the big deal?

Knowing a port number or a UUID doesn’t mean you know the intent

What do the following tell you:80/tcp

49494/tcp

{23947829-3857-2983-9838293069843927}

They are application identifiersThat’s all!

well-known port

well-known port

for HTTP

for HTTP

random (fixed?) p

ort

random (fixed?) p

ort

for Exchange

for Exchange

well-known UUID

well-known UUID

for Exchange

for Exchange

So what’s it good for?

RPC over HTTP is no more, and no less, secure than fixed-port RPC

So use it:If your business case requires it

You are comfortable with the risk

It’s another option for customers who are satisfied with its operation

Design choices

Run it naked

Assign the RPC ports

Use RPC over HTTP

Publish with ISA Server

ISA Server

More than just a proxy

True application-aware content-filtering firewall

Exchange RPC

SMTP

H.323

FTP

DNS

POP3/IMAP4

Exchange RPC filter

Intimately aware of—How Exchange RPC connections establish

What the proper protocol format is

Allows only Exchange RPC UUIDs

Enforces client authentication

Can optionally enforce encryptionRequires Feature Pack 1

Supports new mail notification

Published RPC interfaces

{99E64010-B032-11D0-97A4-00C04FD6551D}: "Store admin (1)"

{89742ACE-A9ED-11CF-9C0C-08002BE7AE86}: "Store admin (2)"

{A4F1DB00-CA47-1067-B31E-00DD010662DA}: "Store admin (3)"

{A4F1DB00-CA47-1067-B31F-00DD010662DA}: "Store EMSMDB"

{9E8EE830-4459-11CE-979B-00AA005FFEBE}: "MTA"

{1A190310-BB9C-11CD-90F8-00AA00466520}: "Database"

{F5CC5A18-4264-101A-8C59-08002B2F8426}: "Directory NSP"

{F5CC5A7C-4264-101A-8C59-08002B2F8426}: "Directory XDS"

{F5CC59B4-4264-101A-8C59-08002B2F8426}: "Directory DRS"

{38A94E72-A9BC-11D2-8FAF-00C04fA378FF}: "MTA 'QAdmin'"

{0E4A0156-DD5D-11D2-8C2F-00C04FB6BCDE}: "Information Store (1)"

{1453C42C-0FA6-11D2-A910-00C04F990F3B}: "Information Store (2)"

{10F24E8E-0FA6-11D2-A910-00C04F990F3B}: "Information Store (3)"

{1544F5E0-613C-11D1-93DF-00C04FD7BD09}: "Directory RFR"

{F930C514-1215-11D3-99A5-00A0C9B61B04}: "System Attendant Cluster"

{83D72BF0-0D89-11CE-B13F-00AA003BAC6C}: "System Attendant Private"

{469D6EC0-0D87-11CE-B13F-00AA003BAC6C}: "System Attendant Public Interface"

Filter operation

Client connects to filter’s “portmapper”

Runs as part of filter

Responds only to requests for Exchange RPC

ISA Server returns filter’s Exchange RPC port numbers

Client makes new connection

ISAISAServerServer

ExchangeExchange ADAD

Filter operation

ISA Server connects to Exchange’s portmapper

Exchange returns port numbers

ISA Server makes new connection

ISAISAServerServer

ExchangeExchange ADAD

Filter operation

Client logs on to Exchange

Exchange proxies logon to Active Directory

Need “No RFR Service” key to make this happen: KB 302914

Filter watches for approval

Filter checks whether encryption is on, if required

Client mailbox opens

ISAISAServerServer

ExchangeExchange ADAD

Protects from RPC attacks

Reconnaissance?NETSTAT shows only 135/tcp

RPCDump simply fails

DoS against portmapper?Known attacks fail

Successful attack leaves Exchange protected

Service attacks?No reconnaissance info available

ISA Server-to-Exchange connections fail unless prior client-to-ISA Server connection is correctly formatted

Yes!

Yes!

Yes!

Results

Known good connection

Known good encryption (optional)

Known good user

Dare I say it… trusted access?

Recommended design

Recall the typical design

ExFEExFE SMTPSMTP

ExBEExBE ADAD

New requirements, new designs

Move critical servers inside for better protection

Add ISA Server to your existing DMZ

Increase security by publishing:

Exchange RPC

OWA over HTTPS

SMTP (content filter)

ExFEExFE SMTPSMTP

ExBEExBE ADAD

ISA ServerISA Server

Next StepsNext Steps

Consider your risk—What do you have?

What are you comfortable with?

Consider the way attacks are evolvingPorts mean nothing

Attacks look like legitimate traffic

Evaluate and deploy ISA Server for all current and future Exchange installations

Community Resources

Community Resourceshttp://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP)http://www.mvp.support.microsoft.com/

NewsgroupsConverse online with Microsoft Newsgroups, including Worldwidehttp://www.microsoft.com/communities/newsgroups/default.mspx

User GroupsMeet and learn with your peershttp://www.microsoft.com/communities/usergroups/default.mspx

Suggested Reading And Resources

The tools you need to put technology to work!The tools you need to put technology to work!

TITLETITLE AvailableAvailable

Microsoft® Exchange Server 2003 Microsoft® Exchange Server 2003 Administrator's Companion: 0-Administrator's Companion: 0-7356-1979-47356-1979-4

9/24/039/24/03

Active Directory® for Microsoft® Active Directory® for Microsoft® Windows® Server 2003 Windows® Server 2003 Technical Reference: 0-7356-Technical Reference: 0-7356-1577-21577-2

TodayToday

Microsoft Press books are 20% off at the TechEd Bookstore

Also buy any TWO Microsoft Press books and get a FREE T-Shirt

evaluationsevaluations

© 2003 Microsoft Corporation. All rights reserved.© 2003 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.