Securing your webmail/OWA on Microsoft Exchange and a few other tips
This is what I’d called a “blogomercial” with a hidden agenda but I hope you’ll find some interesting pointers anyway, the commercial part is at the end really. 🙂
Servicing your users and customer over the Internet
Anything facing the Internet is a potential target for anyone who wants to gain access or disrupt your data operations. If it’s here, people will try to get in or make it stop working. That’s just the way it is and I’m sure you’re aware of it.
There’s different methods for the attacks actually, they could be a DOS attack, a DDOS attack , SYN Floods to name a few
The motives behind any of these could be a number of things such a hacktivism, former employees or even current, script kiddies just fooling around, organized crime, extortion, theft of company secrets and so on.
Just take your pick really.
You need to make a SWOT analysis and have a Business Continuity Plan (BCP) in place for the different scenarios actually. It sounds expensive (and, yes, it can be) but the day you servers are under attack, you’ll be happy you took the time to create one. Trust me. So will your CEO be.
A few of the different techniques for DOS, DDOS , Brute force
The methods of taking down a server vary. As with everything else in the real world, there are different tools to get the same job done, it’s basically a matter of taste and skill and how much time the attackers have on their hands. If you’ve pissed of a state , you’re probably going to have an extremely bad day since they do have extensive resources to keep you “offline” for as long as they want really.
For instance there’s SYN flooding , basically equivalent to old school prank calling,
Send a network packet to the server announcing you want to “speak” , the server responds but no one is there to continue the “conversation” . If you do this a few hundred thousand times, the server will have quite a few “phone calls” to attend to and therefore can’t actually be bothered with picking up the “phone” for the legitimate “calls” thus making a DOS attack meaning “Denial of Service”, the server can no longer service what it’s meant to service, that being your users or customers.
DOS and DDOS Attacks
A DDOS (Distributed Denial of Service) attack is actually the same thing , the main difference being that its spread out over an extremely large number of computers around the world doing the same thing , making it very difficult to manually block each and every one of them in the firewall manually. These computers are usually part of something called botnets and the users of these computers are rarely aware even of them being a part of it. In this scenario you need to contact a lot of people and get it sorted, for instance your ISP, the server guys and firewall guys and you need to have a look at the BCP. What do we do when this happens and so on. Do we move the servers, up the bandwidth, go out of business, wait until it passes and so on ?
MITM, Man in the Middle
Using MITM (Man In The Middle) attacks is also popular method if you haven’t secured your server and your communications with valid SSL certificates. Quite a few actually use self-issued certificates on the websites and on their OWA site and that’s not a good thing. When someone who knows what they’re doing connect to a site that has a self issued certificate the first thing that comes to mind is ..”hmm .. these sysadmins are cheap and lazy and I’m fairly sure they just set this server up using default values.. let’s have a look” .. )
The problem is that there’s actually no real way for the connecting computer to validate that the site it is connecting to actually is the site it’s hoping for. It might as well be someone claiming to be that site since the certificate used can’t be validated by a third party (the “Trustad Authorities”). This way , phishing attacks (“phising” is when you “phish” for a users valid credentials to use them later at the users real websites)
It’s absolutely no guarantee even if you do use a valid certificate since also the “Trusted Authorities” can be hacked and therefore all of their certificates can be compromised (yes, it’s already happened a few time in the past year, GoDaddy, Verisign and even Microsoft themselves realized they had a bug in how Windows Update actually validates that it is connecting to the Windows Update site and nowhere else.)
Brute force attacks
Another method of rendering you server useless is to use a brute force attack on the usernames (sometimes also known as a “dictionary attack” ) .
If you know the naming convention of the usernames used at the company (quite often as easy as the email addresses of the employees or compaynameusername) you can keep on pounding the server with valid usernames and wrong passwords , hopefully rendering the user accounts to become locked out all the time by triggering the Account Lockout Policy. An easy entry point to this is the .. *tadaa* .. yes, you guessed it, the Microsoft Exchange Webmail/OWA interface (or for instance a Sharepoint login interface) .
It’s always there, it’s fairly easy to find ( mail.companyname.com, webmai.companyname.com , mailserver.companyname.com/owa and so on. Tekkies might be good at tekkie stuff but we do lack imagination when it comes to naming stuff. And we are lazy 🙂
It’s not that difficult to find out what mail server a company is using (easiest way is to use the NSLOOKUP command and search for the MX record, start a telnet session to the server and see what it presents itself as . It’s usually in cleartext what kind of server you “talking” to )
Once you know this , you also know a few other things automatically.
Practical use for the information
By default , there are two valid usernames in a Windows Active Directory (I will stick to 2008+ AD here)
First, it’s the older naming that quite a few still uses. This is the COMPANYNAMEUSERNAME naming convention . These usernames can be difficult to guess , it could be the users first name (COMPANYNAMESAMUEL) or the the first characters of the first name and surname (COMPANYNAMESAMSMIi) and so on. It’s basically more or less a question of how large the company is.
The larger it is, the longer the username but also , much more standardized in naming since otherwise it becomes an administrative nightmare for the system administrators and we are a lazy bunch really. We want to be able to find our user quickly and and easily in order to support them and keep track.*grin*
The easier approach is to attack the user account using their mail addresses. Quite a few sysadmins don’t realize that the mail address is also a valid logon name since they are used to thinking of logins using the the old naming convention.
Since they also want to provide access to webmail , and usually, 97 times out of a 100 (no, I just guessed a number, I have no statistics to support it, it’s just a gut feeling, ok ? ) they don’t require any special VPN software for their user to access the webmail (OWA) interface since the whole idea is to let users easily connect to their mail, wherever they are.
This means that the OWA interface is reachable for the entire world to try and login into and thus leaving you open for DOS, DDOS, brute force attacks and so on .
SPAM and overload
There’s also so the various methods of overloading our server with SPAM and viruses.
It’s not unusual to use the secondary MX record (which is used for failover in case the usual mail server has some issues) for your mail domain actually. Most companies that have secondary MX in place have a more or less effective defense on the primary MX but the secondary is often forgotten and is a popular way to over flood a server with various SPAM.
Quite often , they’ve set it up in the way that the primary MX might point to the secured, external provider or the secured, primary mail server interface and the secondary points directly to the mail server, thus not taking the way through the washing and security mechanisms in place but instead be delivered directly to the mail server.
A few countermeasures then ..
So , what can be done then? Should you close down the OWA / webmail interface? Stop using email? Revert to faxing?
No, of course not
Here’s a few pointers on what I’d suggest on securing and managing your Exchange servers. It’s not all the tricks in the book and I’m sure I’ve missed out on quite a few ones really but it’s a start I guess. Just, remember, there is no such as thing as absolute security.
1. Minimize the attack surface behind a good firewall that can deal with the SYN Floods and port scans and stuff. Be cautious not to open up anything more than what’s absolutely necessary to and from the outside world.
If you’re using an external “mail cleaning service”, don’t allow port 25 from any other IP/IP ranges than them. If your users are to use your Exchange Server for relaying , set up a connector with SSL and SMTP authentication on other port and enable logging on it. Protect it by using Syspeace (yes, here the first commercial part so you’ll see where this is headed 🙂 )
Also, best practices is to use a DMZ (Demilitarized Zone) for any of your serevr facing the Internet although when I start to think of , I’m not sure if that’s necessary. There’s different opinions in the matter really. The idea is to have the attacker not being able to come in further into you network, should they succeed in gaining control over the server on he DMZ. Unfortunately, I’m fairly sure that somewhere on the those servers there are administrator password and stuff that’s useful knowledge for further access into your network.
2. Get valid, proper, shiny and bonafide certificates for your communications. It’s not costly and not complicated to implement. Its mainly the hassle of you having to remember when to renew them, otherwise stuff will stop working when they expire.
3. Use an automatic brute force prevention software ( I highly recommend Syspeace since it also protects, Sharepoint, Citrx, Terminal Server, CRM , RDWEB, basically anything that uses Windows Authentication ) to get rid of the DOS attack where username/password is hammered onto you servers (brute force attacks / dictionary attacks) . (I’ve written an earlier entry on why firewalls, VPNS, account lockout polices and so on aren’t enough here: http://syspeace.wordpress.com/2012/10/16/various-brute-force-prevention-methods-for-windows-servers-pros-and-cons/ ).
4. Enforce an Account Lockout Policy and enforce complex password. Yes, people will hate you but they will hate you even more if someone actually succeeds in hacking your users data. Have a look at the link above about Account Lockout Policies though. Do not have local users more than necessary on the Exchange Server itself.
5. Verify all of the websites with the NTFS permissions when it comes to file access, remove the IISTART from the root and remove any default .HTML and .ASPX pages that don’t need to be there.. Don’t let he attackers realize you’re lazy and using default values everywhere. I’ve seen so many servers withe default start page on IIS and that’s just not right.
6. Verify also you’re not open for relaying ( this is usually default nowadays) . Anything that is installed by default by the IIS , take good look at it and decide if it really needs to be there, If not remove it!
7. Redirect all of the 404 and other serious html errors to somewhere else. Google, your worst competitor, your mother-in-law, 127.0.0.1 , anywhere really , just get rid of the traffic from your own site. A lot of 404 errors could mean that someone is trying to find out stuff about your server and if you have any default installed scripts or pages in place that can be used to gain access to your server .
8. Antivirus of course.If you’re not using one today, well.. maybe you shouldn’t be reading this at all but you should be out looking for another job really. I hear there’s good money in flipping burgers.
I’ve used most of them , some are good and some .. well , just aren’t. For the moment I do use Fsecure or Trend a lot. I’m not a big fan of McAfee due the fact they’ve released a few .. not so good updates the recent years that crashed servers around the world. I’m sure they a great product, it’s the product testing and quality verification that needs improvement. Just remember , the same thing goes for antivirus as for 0day attacks, if you antivirus provider hasn’t released any protection against that virus you just got into your system , there’s not that much you can do about it, more than start cleaning your server once you the antivirus updated or even restore your server to a state prior to the virus. An antivirus is not the single point of protection. Common sense is the best antivirus protection in the world.
9. Also, as a complement, use an online service also that filters all of your incoming and outgoing mail from viruses and SPAM and also have you secondary MX records point to it. Usually these services also hold you mail in queue if they cant’ be delivered, buying you time to change the IP addresses or server if you are under attack and not losing any mails.
10. Set up DNS Blacklisting and DNS GREY Listing. It’s not very complicated to do really and you do get rid of a lot of unwanted traffic.
11. Don’t use the “validate reverse DNS” options since a lot of companies haven’t actually set it up correctly so you’ll just risk not getting email from them. The idea is good but it doesn’t work in real life.
12. Enable logging on the connectors and basically enable logging on everything. READ!! the log files. Don”t just turn on logging and let it be. At least once a day , have someone read the (or script queries against the log files ) and see what’s really going on. Search for anything out of the ordinary.
13. Remember to check your mail queues on a regular basis If you’re starting to have loads of undelivered mail to and from various domains you could actually have a DNS server that’s under attack , not being able to service your Exchange server with required information . On the subject of DNS servers. There’s absolutely no point in having your DNS servers reachable through the firewall thus enabling attackers to flood it with DNS queries and UDP floods. Also, you external DNS server needs to be secured! Have a word with your ISP or whoever is running the external DNS server and see what they’ve got in place.
14. Patch you servers with all of the security patches that are released. Do it as quickly as possible. There’s is absolutely no defense against 0day attacks.
A 0day is a security bug in the software of the server your running and they vary on how much impact they may have. The name comes from that it is day 0 of it’s public release and the manufacturer, in this case Microsoft, hasn’t released any patch against it leaving you vulnerable no matter what you do. Some of them are even just a nifty way of adding stuff (specific strings ) to the URL or the service the attacker wants to reach and bypassing all of the built in security by “fooling” the server.
15. Disable services that don’t need to be running, DHCP client and stuff. Although they’re not reachable from the Internet , they quite often are reachable from the inside and should you have an attacker on the inside of your network or a virus infected computer , you might be having a bad day.
Minimize attack surfaces, once again And keep the server resources to actually servicing what they’re supposed to instead of having unnecessary stuff in RAM / CPU . This is of course valid for any servers, Citrix, terminal servers, domain controllers, Sharepoint and so on.
16. I’m fairly sure you’ve set the ActiveSync functionality for your users since it is an effective and easy way for them to synchronize their iPads, iPhone, Androids and so on . Beware that you also remember to periodically check the various devices associated with the users. If you’ve got a user synchronizing more than 10 devices at the same time from different parts of the world, well.. either he or she is really into gadgets or their user validation information may have leaked (username / password)
17. If someone quits the company, be sure to use the mechanism for clearing the remote device from calendar entries, contacts and email using the built in mechanism in the Exchange server (it’s really easy to do ) . And, of course, if a user reports they’ve lost the devices, same thing, Clear the old device and unpair it from the Exchange server. Unfortunately, users don’t always tell you when they’ve lost stuff . They just buy a new gadget, set it up, synchronize and don’t think twice about the old one and what i actually contains.
18. A bot off topic but it has to do with BCP mentioned earlier. Be sure , please, be supersure even , you have adequate backups , containing multiple generations of data and have at least three or four of theses complete generations stored offisite in some way. Using an online backup service or just moving your tapes/disk manually out of the building. Test your DR Plan (Disaster Recovery plan) at least once a year to verify that your backups contain all you need if something happens. Be sure o have an updated technical description of how to restore your entire environment.
- In which order?
Onto what hardware/virtual machines?
That’s six quite easy questions that sum up what that technical restore plan should contain. It should be able to be read even be outside consultants in case of your entire IT department got killed in a freak barbecue accident the night before.
Keep it simple but detailed.
Include all necessary background info such as server configurations, IP plans, passwords and where the data is stored. a Network map explaining dependencies might also be useful. Don’t use in house mumbo jumbo and nicknames describing various systems and stuff.
Write your DRP from the perspective that you’re gone (in the freak barbecue accident) and the person reading it has never ever heard of your internal system before.
If you don’t have all of these things in place, the day something really happens you will regret you didn’t take the time to do it. Trust me. I’ve worked as a Disaster Recover Technician and Consultant at SunGard Availability Services in Sweden for 8 years . I’ve seen grown men cry and unless it’s not for the unexpected death of their favorite dog or a lost game for their favorite sports team , it’s not a pretty sight.
19. Also a bit off topic but still important. Be sure to have a good monitoring on the hardware aspects of your server and operating system aspects (running services, disk space used and so on ) . Personally I’m fond of Spiceworks för monitoring server health, licenses and inventory but it all boils down to resources and taking the time to set it up. As long as you have some working monitoring and someone who actually deals with the alerts that come up.
20. Sign up for the Microsoft Security Bulletin newsletter (and all similar that has to to do with your environment). Stay up to date and up to speed on what’s going on out there. Being a sysadmin is not a 9-5 job, it’s a lifestyle and the ones who do all of these things will be better protected once they’re attacked.
And onto the unmasked commercial part then ..
Since the focus on this article was to write in general about Exchange Server security and the hidden agenda was to mention Syspeace I’ll get back to it . *smooth, eh ? 🙂 *
Syspeace will help you in some of the scenarios above, particularly in the brute force prevention department. It’s easy to use and you’re instantly protected from the moment you’ve set it up)
It protects you from any brute force hacking attempts using Windows Authentication ( Terminal Server, OWA, RDWEB, Sharepoint, CRM, RDP, netlogon and so on ) and it also contains a Global Blacklist to have you preemptively protected from known attackers around the world.
It will not help you in all of the scenarios described above but it will absolutely make you life as a sysadmin much easier since it automatically blocks the attack, tracks it down and reports it. For the sysadmin it’s just an email telling him or her that
“This IP address with this DNS name from this COUNTRY tried logging in using this USERNAME and is now blocked according to this rule you’ve set up ”
The cost is equivalent to any antivirus so I’d hardly call it costly.
It’s easy to set up so you won’t be needing to redesign your infrastructure or call on expensive consultants to get it up and running. You’re done in 5 minutes. Tops.
Download a free, fully functional trial of Syspeace for yourself and see what I mean.
This “blogomercial” was written by
Juha Jurvanen, Senior IT consultant in backup. security, server operations and cloud @ JufCorp.com
Drop me an email if you’re interested in getting help in any of these matters. Or if you just want to say hi.