Posted: 18-Dec-2015
Securing Exchange, IIS, and SQL Infrastructures
Fred Baumhardt, Infrastructure Solutions Consulting
Microsoft Security Solutions, Feb 4th, 2003

Session Overview
Microsoft Defence-in-depth Model
Strategic Multi-Product Defence
Implementing End to End Exchange Security
Implementing End to End IIS Security
SQL Security

Defense-in-Depth
Perimeter Defences: Packet Filtering, Stateful Inspection of Packets, Intrusion Detection
Network Defences: VLAN Access Control Lists, Internal Firewall, Auditing, Intrusion Detection
Host Defences: Server Hardening, Host Intrusion Detection, IPSec Filtering, Auditing
Application Defences: AV, Content Scanning, Layer 7 (URL) Switching Source, Secure IIS, Secure Exchange
Data and Resources: Databases, Network Services and Applications, File Shares
(Diagram: nested layers, outermost to innermost: Perimeter Defences, Network Defences, Host Defences, Application Defences, Data & Resources. Each layer assumes the prior layers fail; Management spans all layers.)

Strategic Defence
Know what's in your Datacenter
Segment your Networks
Most attacks, worms, can be defeated by network protection – to buy time for patches
Internal IDS to clean up client VLANs
IPSec Policies to contain breakouts
Plan your management - incident response
Application Inspection internal firewalls

Strategic Defence Cont.
Reduce Attack Surface
Disable unnecessary software and services
Use MBSA – IISLockdown etc
Use a third party vulnerability scanner
Configure AD group policy and use role based security templates
Restricted Groups
Restricted Services
Restricted Registry and File ACLs

The Total Trust Network
Modern networks are generally one large TCP/IP space segmented by firewalls to the Internet
Trust is implicit in all organisations
TCP/IP was not designed for security
THIS HAS TO STOP – Network Segmentation is now critical

Secure Your Networking
(Diagram: Internet, Redundant Routers, First Tier Firewalls, Intrusion Detection, ISA Firewalls; separate VLANs for Front-end, Backend, and DC + Infrastructure, with NIC teams across 2 switches.)
URL Filtering for OWA; RPC Termination for Outlook
Switches Implement VLANs and Control Inter-VLAN Traffic like Firewalls do

An Alternate DMZ Approach
A Flat DMZ Design to push intelligent inspection outwards
ISA layer 7 switching (OWA) or RPC filtration (Outlook)
No Firewalls between front-end and backend servers
Front-end and backend servers authenticate clients
IPSec if required between front-end and backend
(Diagram: Internet, Stateful Packet Filtering Firewall, Application Filtering Firewall (ISA Server), Exchange Server; client traffic labelled TCP 80: HTTP or TCP 443: HTTPS from the Internet, TCP 443: HTTPS at the Exchange Server.)

Exchange Specific Issues
Exchange Client Selection crucial
Exchange Supporting Infrastructure Security
Top 10 Action Points to secure Exchange

Selecting an Exchange Client

Client                        | Experience | Complexity  | Security
POP3/IMAP4 via SSL with SMTP  | Basic      | Medium/High | Medium
OWA via SSL with ISA          | Moderate   | Low         | Full
VPN – L2TP w/IPSEC, PPTPv2    | Full       | High        | Full
Secure RPC with ISA           | Full       | Medium/Low  | Full

Security from Internet Clients
Every time you connect into a network you extend the security perimeter
VPN and, to a lesser extent, RPC Publishing both require care at the client
Harden your clients on the Internet or hackers will attack clients and ride the VPN
Require RPC encryption for Outlook
Client Based IDS systems

Internal Security
Don't assume Internet is the only threat
Assume internal people want to attack you – more than external people
Defensive Tactics include:
Client Network Segmentation
Encryption of Client Traffic – e.g. require RPC encryption
Review of public folder/client permissions
Third party – AV – IDS – Auditing
Server Role – Security templates from Ops guide
Extend the security scope to all infrastructure Exchange relies on: AD – DNS – SMTP Relay etc

Top 10 Ways to Get Exchange Secure
1. Implement the Security Operations Guides for Windows and Exchange (http://msdn.microsoft.com/practices)
2. Use MBSA to identify missing patches
3. Implement IISLockdown based on role
4. Secure Infrastructure Assets
5. Use the EDSLock script to restrict groups

Top 10 Ways To Get Exchange Secure
6. Get adequate antivirus protection for servers and desktops
7. Use perimeter SMTP scanning
8. Automate Patch Management
9. Use SSL, IPsec, and MAPI encryption where appropriate
10. Plan your response to an intrusion/worm before it happens

IIS Security Basics
Turn it off where not required
Use IISLockdown tool – be aware of its impact on applications
Use a layer 7 proxy like ISA Server
Use W2K Security Operations templates and guides to lock down IIS by OU – and role

Legacy Firewalls and Data Attacks
(Diagram: Attacker / Virus Author on the Internet sends an Overflow through a Normal Firewall, which checks rules - OK, to the Internal Web Server and Internal Exchange Server on the Internal Network.)
Normal Firewalls only check rules like source, destination and port – NOT DATA ITSELF
Data passes through firewall unchecked and hits internal IIS box essentially intact – attacks pass through
Virus or attack inside data passes

Countering Application Level Attacks
(Diagram: Attacker / Virus Author on the Internet sends an Overflow; ISA Filters check the data inside traffic before it reaches the Internal Web Server and Internal Exchange Server on the Internal Network.)
Security devices evolve to inspect data
Application Filters that know what to look for:
Web – Stop Overflows – check syntax of commands
Intrusion Detection – scans for patterns of attack
Force Internal Traffic to be Inspected by Internal Firewalls
Virus or attack inside data is blocked – alert is raised

ISA Server and IIS
URLScan – syntax and http level checking of acceptable verbs – URLs, and characters
Layer 7 URL blocking – EG mail.corp.com/exchange OK – mail.corp.com/£$%^^^£$" - Dropped
HTTPS Termination – inspection and re-encryption – inspect the un-inspectable
Defeats all known URL based overflows – itself is not susceptible as it has no IIS
SMTP Scanner for IIS SMTP mail
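The URLScan and layer 7 blocking points above describe an allow-list: only known verbs, a known host, known virtual directories and a narrow character set get through, and everything else is dropped before it reaches IIS. The following Python is an added example written for this page, not URLScan, ISA Server, or any code from the deck; the verb list, host, published directories, length limit and sample request lines are constructed for illustration. It decodes the URL once and judges what the web server would actually see, so double encoding and traversal sequences are caught alongside the garbage-character URL from the slide.

```python
import re
from urllib.parse import urlsplit, unquote

# Allow-list policy for a published OWA site. These values are constructed for
# this example; they are not a URLScan or ISA configuration.
ALLOWED_VERBS = {"GET", "POST", "HEAD"}
ALLOWED_HOSTS = {"mail.corp.com"}
PUBLISHED_DIRS = ("/exchange", "/exchweb", "/public")
MAX_URL_LENGTH = 260
# Characters tolerated in a decoded path and query; anything else is dropped.
SAFE_PATH = re.compile(r"^[A-Za-z0-9/._~-]*$")
SAFE_QUERY = re.compile(r"^[A-Za-z0-9=&._~-]*$")


def _under_published_dir(path):
    """True when the path is one of the published virtual directories or below it."""
    return any(path == d or path.startswith(d + "/") for d in PUBLISHED_DIRS)


def inspect_request(verb, url):
    """Decide whether one request line may be forwarded. Returns (allowed, reason)."""
    if verb.upper() not in ALLOWED_VERBS:
        return False, "verb not permitted: " + verb
    if len(url) > MAX_URL_LENGTH:
        return False, "URL exceeds maximum length"
    parts = urlsplit(url)
    if parts.hostname not in ALLOWED_HOSTS:
        return False, "host not published: " + str(parts.hostname)
    # Decode once, then judge what the web server would actually see.
    path = unquote(parts.path)
    if "%" in path or "\x00" in path:
        # A '%' surviving one decode means double encoding or a malformed escape.
        return False, "suspicious encoding in path"
    if ".." in path:
        return False, "path traversal sequence"
    if not SAFE_PATH.match(path):
        return False, "path contains characters outside the allow-list"
    if not _under_published_dir(path):
        return False, "path not under a published virtual directory: " + path
    if not SAFE_QUERY.match(unquote(parts.query)):
        return False, "query string contains characters outside the allow-list"
    return True, "ok"


# Constructed sample request lines: the two URLs from the slide plus a few more.
SAMPLE_REQUESTS = [
    ("GET", "https://mail.corp.com/exchange"),
    ("GET", 'https://mail.corp.com/£$%^^^£$"'),
    ("GET", "https://mail.corp.com/exchange/inbox?Cmd=contents"),
    ("PROPFIND", "https://mail.corp.com/exchange"),
    ("GET", "https://mail.corp.com/exchange/../secret"),
    ("GET", "https://mail.corp.com/exchange/%2e%2e/config"),
]


def filter_requests(requests=SAMPLE_REQUESTS):
    """Run the policy over (verb, url) pairs; returns [(verb, url, allowed, reason)]."""
    return [(verb, url) + inspect_request(verb, url) for verb, url in requests]


if __name__ == "__main__":
    for verb, url, allowed, reason in filter_requests():
        print("ALLOW" if allowed else "DROP ", verb, url, "-", reason)
```

The order of the checks matters: the cheap, unconditional rejections (verb, length, host) come first, and the character and directory checks run on the decoded path so that an encoded form of a blocked sequence cannot slip past an allow-list that was only applied to the raw bytes.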

SQL Server Security
Understand the application
Don't let all machines talk to SQL – SEGMENT YOUR LAN
Usually application servers talk to DB – not clients directly
Know where MSDE is installed – include in your management plan
Replace MSDE with managed SQL servers where possible

SQL and Slammer
Bug should have never been there !!!
Patches should be made easier and faster to deploy
However…
Infrastructure defences could have prevented slammer:
VLAN off SQL – nothing to infect
Internal Firewalls – block ports to slammer
External Firewalls – DMZ machines sending without being asked – should only reply
App inspecting filters – FW blocks traffic
IDS – recognises and sends RST – alerts admin
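Two of the infrastructure defences listed above can be expressed as detection logic over firewall logs: a DMZ machine should only reply, never originate, and one host reaching the SQL listener port on many machines is the traffic shape a worm produces rather than an application server talking to its own database. The Python below is an added example for this page, not anything from the deck or from ISA Server; the address ranges, the log format and the log lines are constructed (documentation ranges, with 192.0.2.10 playing a DMZ SQL server), and the SQL ports are the defaults, TCP 1433 for the listener and UDP 1434 for the resolution service. The first function tracks 4-tuples so that a DMZ packet counts as a reply only when an earlier packet arrived on the reversed tuple; the second counts distinct targets per source on the SQL ports.

```python
import ipaddress
from collections import defaultdict

# Constructed address plan (documentation ranges), not the deck's network.
DMZ = ipaddress.ip_network("192.0.2.0/24")
# Default SQL Server listener (TCP 1433) and SQL resolution service (UDP 1434).
SQL_PORTS = {1433, 1434}

# Constructed firewall log: "<time> <proto> <src>:<sport> <dst>:<dport>".
# 192.0.2.10 is a DMZ SQL server. Lines 1-2 are a request and its reply; line 3
# is an inbound datagram to the SQL port; lines 4-6 show the host then sending
# to the SQL port on machines that never sent it anything.
SAMPLE_LOG = """\
10:00:01 tcp 203.0.113.5:40211 192.0.2.10:443
10:00:01 tcp 192.0.2.10:443 203.0.113.5:40211
10:00:05 udp 198.51.100.77:3000 192.0.2.10:1434
10:00:06 udp 192.0.2.10:1025 10.2.3.4:1434
10:00:06 udp 192.0.2.10:1025 10.5.6.7:1434
10:00:06 udp 192.0.2.10:1025 203.0.113.9:1434
"""


def parse_line(line):
    """Split one log line into (time, proto, src_ip, sport, dst_ip, dport)."""
    ts, proto, src, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return ts, proto, ipaddress.ip_address(sip), int(sport), ipaddress.ip_address(dip), int(dport)


def unsolicited_dmz_egress(log_text=SAMPLE_LOG):
    """Flag packets a DMZ host sends on a 4-tuple that no earlier packet addressed to it.

    A reply reverses the 4-tuple of the request it answers, so a DMZ packet whose
    reverse tuple was never seen is one the host originated on its own.
    """
    seen = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, sip, sport, dip, dport = parse_line(line)
        if sip in DMZ and (proto, dip, dport, sip, sport) not in seen:
            alerts.append((ts, str(sip), str(dip), dport))
        seen.add((proto, sip, sport, dip, dport))
    return alerts


def sql_port_fanout(log_text=SAMPLE_LOG, threshold=2):
    """Sources that sent to SQL ports on at least `threshold` distinct hosts.

    An application server talks to its own database; a host reaching many SQL
    listeners in a short span is what a worm looks like on the wire.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, _, sip, _, dip, dport = parse_line(line)
        if dport in SQL_PORTS:
            targets[str(sip)].add(str(dip))
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for ts, src, dst, dport in unsolicited_dmz_egress():
        print(f"{ts} ALERT unsolicited egress {src} -> {dst}:{dport}")
    for src, dsts in sql_port_fanout().items():
        print(f"ALERT {src} contacted SQL ports on {len(dsts)} hosts: {', '.join(dsts)}")
```

On the sample log the reply on line 2 is silent because line 1 established the reverse tuple, while lines 4 to 6 raise three unsolicited-egress alerts and the fan-out rule names 192.0.2.10 as the source touching three SQL listeners. The same reply-only rule is what the external firewall in the slide would enforce with a stateful policy that permits no DMZ-initiated flows.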

Understand Issues and Mitigate
SQL in mixed mode has no lockout
Can be brute forced so use Windows auth.
SQL runs as local admin by default
SA will have equivalent to machine admin
Thus don't run it on DC
SQL and MSDE listen on known ports
So change them where you can
SA can go across multiple databases
Plan your security model carefully
Multiple instances give true account isolation

SQL Powered Applications
Look at application end-to-end
From client to app server to db
Encrypt all network transports
Avoid dependence only on client side validation – have SQL check the data as well/instead
Client authentication – how does it get data to and from SQL
Injection – always pass data to stored procedures – never queries
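The last two points, server-side validation and passing data rather than building queries, are easiest to see side by side. The Python below is an added example for this page and not code from the deck; it uses an in-memory SQLite database with a constructed mailbox table. A parameterized statement stands in for the stored-procedure call the slide recommends on SQL Server (the data travels separately from the statement text in both cases), and a CHECK constraint stands in for the validation that SQL itself performs regardless of what the client checked.

```python
import sqlite3

# Constructed schema for the example. The CHECK constraint is the server-side
# validation the slide asks for; on SQL Server the same role is played by
# constraints and by checks inside a stored procedure.
SCHEMA = """
CREATE TABLE mailbox (
    alias    TEXT PRIMARY KEY,
    quota_mb INTEGER NOT NULL CHECK (quota_mb BETWEEN 1 AND 10000),
    owner    TEXT NOT NULL
);
"""
SEED = [("alice", 500, "alice@corp.example"), ("bob", 200, "bob@corp.example")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO mailbox VALUES (?, ?, ?)", SEED)
    conn.commit()
    return conn


def lookup_vulnerable(conn, alias):
    # The caller's string is spliced into the statement, so quote characters in it
    # become SQL syntax: this is the "query built from data" pattern the slide rejects.
    sql = "SELECT alias FROM mailbox WHERE alias = '" + alias + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, alias):
    # Data is bound to a placeholder, as with a stored procedure parameter; the
    # value can only ever be compared, never parsed as part of the statement.
    rows = conn.execute("SELECT alias FROM mailbox WHERE alias = ?", (alias,))
    return sorted(row[0] for row in rows)


def set_quota(conn, alias, quota_mb):
    """Update a quota; returns False when the database itself rejects the value."""
    try:
        conn.execute("UPDATE mailbox SET quota_mb = ? WHERE alias = ?", (quota_mb, alias))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def demo():
    """Run both lookups on a quote-breaking input and exercise the constraint."""
    conn = make_db()
    probe = "x' OR '1'='1"  # input a client-side check might have missed
    return {
        "vulnerable": lookup_vulnerable(conn, probe),
        "parameterized": lookup_parameterized(conn, probe),
        "quota_rejected": not set_quota(conn, "alice", 999999),
        "quota_accepted": set_quota(conn, "alice", 1000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the probe input the concatenated query returns every alias in the table, the parameterized one returns nothing because no alias literally equals the probe string, and the out-of-range quota is refused by the database even though the calling code never checked it. That is the "as well/instead" from the slide: the database enforces the rule whether or not the client did.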