Date post: 26-Mar-2015
Page 1: EX04: Exchange 2007 Security, Part II Jim McBee jmcbee@somorita.com .

EX04: Exchange 2007 Security, Part II

Jim McBee

jmcbee@somorita.com

http://mostlyexchange.blogspot.com

Agenda

– Why the Edge Transport Role?
– Message Hygiene
– Securing Internet Client Access
– Summary

Exchange 2007 Themes

IT Pro Situation
– E-mail is mission-critical
– E-mail systems too complex/expensive
– Management tasks tedious, not automated
Control

Org-wide Situation
– Security the top concern
– Spam and viruses compromise the e-mail experience
– Regulatory compliance critical in many industries
Built-In Protection

Info Worker Situation
Anywhere Access
– Users want easy access to all their communications
– Mobile devices are increasingly common
– Calendaring is frustrating

Protecting The Perimeter

Prevent hostile or unwanted content from reaching Exchange mailbox servers
Enforce messaging policies before e-mail enters internal network
Reduce the attack surface for your Internet exposed resources
Perimeter security
– Exchange Server 2007 Edge Services
– Microsoft Forefront Security for Exchange Server
– Microsoft ISA Server

Why The Edge Transport Role?

The Need For The Edge (cont.)

Mail routers on the organization border have specialized needs
– CAS role is designed for mailbox access
– Hub Transport tied into Active Directory
– Increased security threats
– Must balance conflicting objectives
  • Make intelligent routing choices
  • Reject bad messages, not allow into the organization
  • Enforce message hygiene and policy
  • Minimize firewall exposure and reconfiguration

The Need For The Edge

Exchange 2003: Monolithic architecture
– No granular control over which code modules are installed
– Some services (Store) are required for RFC-required functionality.
– Active Directory membership
  • Need DC and GC access
  • Exposes entire forest
– Perceived to be vulnerable as a border MTA

Exchange 2007 On The Edge

Full AD integration without AD exposure
– EdgeSync
Easier than ever to provide secure transit without a lot of configuration
Enforce policies on the edge for a big compliance win!
Extensive message hygiene features
Fully scriptable

Message Hygiene

Message Hygiene at the Edge

Enterprise-ready capabilities built-in to Exchange 2007 Edge Server role
– Anti-spam
– Anti-virus
Easily extended for third-party functionality

Fighting Spam in Exchange 2007

Connection filtering
– Drop bad connections based on source IP address
  • Allow/deny lists
  • DNS real-time blocklists
  • Third party allow lists
– Preserve resources (CPU, RAM, bandwidth)
Protocol filtering
– Drop bad connections based on SMTP conversation
  • Sender filtering
  • Recipient filtering
  • Protocol errors
– Slow down persistent senders to avoid excessive resource consumption (tarpitting)

Fighting Spam in Exchange 2007

Content filtering
– Reject or bounce messages based on content cues
  • Intelligent Message Filter (IMF)
  • Sender ID and domain reputation
  • Computational puzzles
  • Transport rules
– Most resource intensive
Quarantine
– Managed by administrator
– Integrated with IMF

Connection Filtering

Admin-configured allow/deny
– By IP
– By domain
– By sender
– By recipient
Real-time lists
– Block lists (DNS RBLs)
– Allow lists (bonded senders)

Protocol Filtering

Sender filters
– Local restrictions
– Sender ID
Recipient filters
Protocol analysis
– SMTP errors
  • Example: Bad/missing domain in HELO/EHLO
  • Example: DNS checks for matching A and PTR records
– Patterns in connections/submissions
Tarpitting

Tarpitting: How It Works

1. An SMTP client establishes connection.

2. After a configurable error threshold, Exchange adds a delay to each SMTP response.

3. With each subsequent error or protocol violation, Exchange increases the delay time.

4. The SMTP client continues to get valid responses – just farther apart.

5. The SMTP client maintains the connection while successfully completing fewer actions.
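The five steps above can be modelled in a few lines to see how much work a misbehaving client still gets done. This is an added example, not code from the presentation or from Exchange; the threshold, delays, cap and round-trip time are hypothetical values, and counting only 5xx replies as errors is an assumption.

```python
from dataclasses import dataclass


@dataclass
class Tarpit:
    """Escalating response delay, following the five steps above.

    All four tuning values are hypothetical, not Exchange defaults.
    """
    error_threshold: int = 3    # errors tolerated before any delay is added
    base_delay_ms: int = 5000   # delay once the threshold is exceeded
    step_ms: int = 5000         # added for each further error
    max_delay_ms: int = 60000   # cap on the per-response delay
    errors: int = 0

    def delay_for(self, reply_code: int) -> int:
        """Delay (ms) to hold this reply; 5xx replies count as errors."""
        if reply_code >= 500:
            self.errors += 1
        over = self.errors - self.error_threshold
        if over <= 0:
            return 0
        return min(self.base_delay_ms + (over - 1) * self.step_ms,
                   self.max_delay_ms)


def session_delays(reply_codes, **params):
    """Per-reply delays for one connection (state is kept per connection)."""
    tarpit = Tarpit(**params)
    return [tarpit.delay_for(code) for code in reply_codes]


def probes_completed(budget_ms, rtt_ms=100, tarpit=True):
    """How many rejected RCPT TO commands fit into a time budget."""
    tp = Tarpit() if tarpit else None
    elapsed = done = 0
    while True:
        cost = rtt_ms + (tp.delay_for(550) if tp else 0)
        if elapsed + cost > budget_ms:
            return done
        elapsed += cost
        done += 1


# Constructed session: MAIL FROM accepted, then mostly unknown recipients.
SAMPLE_REPLIES = [250, 550, 550, 550, 550, 250, 550, 550]

if __name__ == "__main__":
    print(session_delays(SAMPLE_REPLIES))
    print(probes_completed(600_000, tarpit=False), probes_completed(600_000))
```

With these values a ten-minute connection completes 18 rejected recipient commands instead of 6000, while every reply it receives is still valid.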

Sender ID

By-domain DNS-based policy to identify hosts trusted to send mails from that domain
– Published in DNS
– Backwards compatible with Sender Protection Framework (SPF)
– Check envelope (MAIL FROM) or Purported Responsible Address (PRA)
Server can take action at check time or integrate results with IMF
Performed by Edge
– Usually performed by the first server in the organization to handle a given message
– If that server isn’t Edge, Exchange may not get the full benefit of the Sender ID check
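The check itself compares the connecting IP address with the policy the sending domain publishes for the identity being tested (MAIL FROM or PRA). The sketch below is an added example, not Exchange code or code from the presentation: it is narrowed to the ip4, ip6 and all mechanisms so it runs without DNS, the record-selection rule is a simplification, and the TXT records are constructed.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def select_record(txt_records, scope):
    """Pick the policy terms for scope 'mfrom' or 'pra'.

    Simplified rule (assumption): an spf2.0 record naming the scope is
    used; a v=spf1 record is used only when no spf2.0 record exists.
    """
    spf2, spf1 = [], None
    for txt in txt_records:
        version, _, terms = txt.partition(" ")
        version = version.lower()
        if version.startswith("spf2.0/"):
            spf2.append((version[len("spf2.0/"):].split(","), terms))
        elif version == "v=spf1":
            spf1 = terms
    if spf2:
        return next((t for scopes, t in spf2 if scope in scopes), None)
    return spf1


def evaluate(terms, client_ip):
    """Walk ip4/ip6/all mechanisms left to right; the first match decides."""
    ip = ipaddress.ip_address(client_ip)
    for term in terms.split():
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return RESULT[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise NotImplementedError(f"{name} needs DNS; not modelled")
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return RESULT[qualifier]
    return "neutral"


def sender_id_check(txt_records, scope, client_ip):
    """Result for one connecting IP; 'none' when no policy applies."""
    terms = select_record(txt_records, scope)
    return "none" if terms is None else evaluate(terms, client_ip)


# Constructed TXT records (documentation address ranges).
SPF_ONLY = ["v=spf1 ip4:192.0.2.0/24 -all"]
PRA_ONLY = ["spf2.0/pra ip4:198.51.100.25 ip6:2001:db8::/32 ~all"]
```

The client IP must be the address of the host that connected from the Internet, which is why the result loses value when a relay in front of the checking server replaces it.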

Content Filtering

Intelligent Message Filter (IMF)
– Uses SmartScreen technology
– Compares and weights composite score from several data sources
  • Sender ID (if used)
  • IP address presence on blocklists (if so configured)
  • Message characteristics
– Provides two confidence levels: spam and phish
Custom weight lists
– Administrator configurable word lists allow fine-tuning of IMF results

Transport rules allow centralized dynamic response to time-critical threats

Quarantine

IMF Features

Automatic updates
– Every 2 weeks
– Daily with Enterprise licenses
Integrates domain reputation
– Sender ID
– Local dynamic domain reputation
Computational puzzles
Self-adjusts as administrators remove false positives from quarantine
Anti-phishing protection

Microsoft Forefront Security

Microsoft Forefront Security

Attachment Filtering

Strip attachments
– By file size
– By MIME content type
– By file extension
Look inside ZIP archives
Create rules on the fly to block emerging threats
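The three strip criteria and the ZIP inspection fit together as shown in this added example, which is not Forefront or Exchange code; the size limit, blocked types and blocked extensions are hypothetical policy values, and the sample message is constructed.

```python
import io
import zipfile
from email.message import EmailMessage

# Hypothetical policy values for this illustration.
MAX_BYTES = 5 * 1024 * 1024
BLOCKED_TYPES = {"application/x-msdownload"}
BLOCKED_EXTS = {".exe", ".scr", ".vbs"}


def ext(name):
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def verdict(part):
    """Reason this attachment is stripped, or None to let it through."""
    data = part.get_payload(decode=True) or b""
    if len(data) > MAX_BYTES:
        return "size"
    if part.get_content_type() in BLOCKED_TYPES:
        return "content-type"
    if ext(part.get_filename() or "") in BLOCKED_EXTS:
        return "extension"
    if zipfile.is_zipfile(io.BytesIO(data)):
        # Only member names are read; nothing is decompressed.
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            if any(ext(n) in BLOCKED_EXTS for n in archive.namelist()):
                return "extension-in-zip"
    return None


def strip_attachments(msg):
    """Remove blocked attachments in place; return {filename: reason}."""
    removed = {}
    for part in list(msg.iter_attachments()):
        reason = verdict(part)
        if reason:
            removed[part.get_filename()] = reason
            msg.get_payload().remove(part)
    return removed


def build_sample():
    """Constructed message: a text file, an .exe, and a ZIP holding a .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.scr", b"placeholder bytes")
    msg = EmailMessage()
    msg.set_content("See attached.")
    for name, data in [("notes.txt", b"hello"), ("setup.exe", b"placeholder"),
                       ("docs.zip", buf.getvalue())]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg
```

An extension-only rule would pass `docs.zip` untouched; listing the archive members is what catches the renamed screensaver inside it.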

Transport AV By Role

Edge Transport
– Filters inbound and outbound traffic
Hub Transport
– Filters all email between mailboxes
– …even on the same server
Mailbox
– Scan the mailbox store
– Use legacy VSAPI 2.5 interface

Microsoft Hosted Exchange Services

Exchange Options

Provides choice in how you deploy, manage your messaging infrastructure
Exchange Hosted Services complement any Exchange mailbox
Exchange Hosted Filtering included with Enterprise Client Access Licenses
HOSTED EXCHANGE (through service providers)
Complementary Services
Choice for Messaging

Securely Publishing Exchange Resources To The Internet

Microsoft ISA Server Protection

Reverse proxy Exchange services
– Outlook Web Access
– RPC over HTTPS
– ActiveSync
Offload Forms-Based Authentication
– ISA Server has FBA logon form
Delegated authentication at the ISA Server
– Authenticate user prior to allowing internal access
– Supports Smart Card authentication

Enterprise Topology

[Diagram: enterprise topology. Labels:]
– SMTP Clients, PBX/VoIP, Internal Clients, External Clients
– Mailbox, Mailbox, Public Folders
– Edge Transport: Routing, Hygiene
– Hub Transport: Routing, Policy
– Unified Messaging: Voice Messaging, Fax, Outlook Voice Access
– Client Access: Applications (OWA); Protocols (EAS, POP, IMAP, Outlook Anywhere); Programmability (Web services, Web parts)
– ISA Server: Reverse Proxy, Forms Based Authentication

Summary

Message hygiene out of the box
– Four-stage granular anti-spam
– Transport anti-virus by role

Microsoft Forefront Security for Exchange Server provides antivirus protection

Exchange Hosted Services offers you flexibility

ISA Server improves security for Internet exposed resources

For more information

Visit TechNet:
– http://www.microsoft.com/technet
Visit the Exchange 2007 home page:
– http://www.microsoft.com/exchange/preview/default.mspx
Microsoft Forefront
– http://www.microsoft.com/forefront/default.mspx

Questions?

Antigen for SMTP Gateways

Detects and removes e-mail viruses at the network edge

Scans SMTP stack to disable threats within a message during the routing process

Provides advanced content filtering capabilities for messages and attachments

Integrates file filtering, keyword filtering, anti-spam, and content filtering during the routing process

Protects Windows Server 2003 and Windows 2000 Server SMTP gateways

Proactively notifies administrators of virus incidents and scan events by e-mail or event log

[Diagram labels: SMTP Gateway Server/Routing Server, Internet, Firewall, Exchange Servers, Users]

Antigen for Exchange

Detects and removes viruses in e-mail messages and attachments

Scans at SMTP stack (most processing intensive scans)

Scans real-time at Exchange information store

Provides on-demand and scheduled scans of information store

Uses Microsoft-approved virus scanning API integration for Exchange 2000 and 2003

Provides advanced content-filtering capabilities for messages and attachments

Integrates file filtering, keyword filtering and anti-spam at the SMTP routing level

Protects Exchange Server 5.5, 2000, and 2003

[Diagram labels: ISA Server, Exchange Front End, Exchange Site 1, Exchange Site 2, Internet, Exchange Public Folder Server, Exchange Mailbox Server]

Paul Robichaux

Extending AV

Agent framework for third party integration
Exchange 2007 provides new capabilities
– Managed MIME parsing and composing
– Content-Transfer encoding (Base64, QP, UUEncode, BinHex)
– Managed TNEF and RTF parsing and composing
– Managed iCalendar/vCard parsing and composing

