Windows/Exchange security auditing tool
From: Kevan Smith (Kevan.Smith_at_tideworks.com)
Date: 09/08/04
- Previous message: Hidenobu Seki: "Listing usernames via a null session on Windows XP"
- Next in thread: Whittlesey, Steve: "RE: Windows/Exchange security auditing tool"
- Maybe reply: Whittlesey, Steve: "RE: Windows/Exchange security auditing tool"
- Maybe reply: Vic Blasutta: "RE: Windows/Exchange security auditing tool"
- Maybe reply: yaakov yehudi: "RE: Windows/Exchange security auditing tool"
- Maybe reply: Chad Lorenc: "RE: Windows/Exchange security auditing tool"
- Maybe reply: Bourque Daniel: "RE: Windows/Exchange security auditing tool"
- Maybe reply: Scott Harrington: "RE: Windows/Exchange security auditing tool"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 8 Sep 2004 13:08:28 -0700
To: <focus-ms@securityfocus.com>
Note, this is a repost due to expiration of the initial post. Feel free
to strip this line if approved. Tx.
----

Exchange 2003 has no internal directory services so to speak, it uses AD for account maintenance, so yes Exchange 2000/2003 does require very fast, very reliable connectivity to a Windows 2000/2003 DC/GC. Best practice recommendation is to have at least one domain controller with GC services in the same network segment as each Exchange back-end server and access to multiple DC/GCs for redundancy. The front-end (OWA) server can be on a separate segment (read, separate interfaces on a firewall), but should maintain a solid connection to at least 1 DC/GC (again redundancy...).

The most common method of setting up OWA in a mid-size to large organization is to place your back-end Exchange server (hosting mailboxes) in the internal network or an internal DMZ with at least one DC/GC, then a separate front-end server in a publicly accessible DMZ. Lock down your ports, and make your pinholes in the firewall. Another method, also common in larger organizations, is to further isolate the front-end server behind an ISA server for further protections. Fewer holes in the firewall, better SSL protection, higher cost/overhead.

Your concern over exposure is valid; it's the same concern which drives us to use UNIX based SMTP proxies. As to the real exposure limit, keep OWA restricted to https and require authentication at IIS before even presenting the OWA logon page, and you give yourself a good level of protection against unauthorized access to your GAL. Your remaining risk is that because your Exchange server requires access to your Domain Controllers, it's a potential path into your network. Prevent hackers from hop-scotching from a hijacked web server to the LAN via the OWA server by placing the OWA server in an isolated DMZ. Alternatively, since you're using 2-factor authentication via pseudo-random numbers, force users to authenticate at the firewall before a single packet reaches the OWA server.

In doing this, you're inherently protected against unauthorized access and would then have the option of keeping your OWA server in the private LAN. There is one final alternative, which involves replicating your user accounts and using cross-forest authentication. This does remove the direct connectivity into the network (though there is still the connectivity between DCs in the respective forests), but IMHO is an extreme measure with many hidden costs, and is not warranted in most circumstances.

References:
http://www.microsoft.com/technet/itsolutions/msit/deploy/ex03atwp.mspx
KB270836
KB298369
KB264035
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/ex2k3rpc.mspx
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/exchage2003.mspx
http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc070902/wcblurb070902.asp
http://support.microsoft.com/servicedesks/webcasts/en/wc021203/WC021203.ppt

Kevan S.
MCSE, Contributing Author, MCSE Guide to Microsoft Exchange 2000 Server Administration.

-----Original Message-----
From: Chad Lorenc [mailto:CLorenc@entfederal.com]
Sent: Thursday, September 02, 2004 3:01 PM
To: focus-ms@securityfocus.com
Subject: RE: Windows/Exchange security auditing tool

I have a quick question, we are rolling out exchange 2003 with OWA. Our OWA server sits in one of our DMZ's, because of the active directory component the engineers state that OWA must be a part of our internal AD domain. We currently do not have any servers bridging the internal AD domain into the DMZ's. Is there any way around this requirement? How significant of a risk does this create, or more importantly are the feasible exploits past information probing? We do have multiple layers of protection such as two factor authentication (AD login + random authenticator), host monitoring, firewall rules, VLAN's etc. I am just curious, on its own, what kind of risk we assume with this design.
Chad Lorenc

DISCLAIMER: The information contained in this email and in any attachments is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. If you have received this email in error, please notify us immediately by replying to the message and delete the email from your computer. Use of this information by persons or entities other than the intended recipient is prohibited.
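The post's two concrete hardening points for the front-end, keep OWA restricted to HTTPS and have IIS demand credentials before the OWA logon page is ever served, can be verified from the outside with an unauthenticated probe. The script below is an added example written for this archive page; it is not code from the list post or from Microsoft. It assumes the default Exchange 2003 OWA virtual directories (/exchange, /exchweb, /public) and uses a placeholder host name (owa.example.test); a 401 with a WWW-Authenticate challenge is treated as the expected answer to an anonymous HTTPS request, a plain-HTTP answer other than "connection refused" or a redirect to https:// is reported as a finding. The constructed SAMPLE_PROBES let it run offline.

```python
"""Check an OWA front-end for the two exposure controls discussed on the list:
HTTPS only, and IIS authentication before the OWA logon page.
Added example; host name, paths and sample responses are assumptions."""
import http.client
import ssl
from dataclasses import dataclass, field
from typing import Optional

# Default Exchange 2003 OWA virtual directories (assumption: not renamed by the admin)
OWA_PATHS = ("/exchange", "/exchweb", "/public")
REDIRECTS = (301, 302, 303, 307, 308)


@dataclass
class Probe:
    """Outcome of one anonymous GET against the front-end."""
    scheme: str                                   # "http" or "https"
    path: str
    status: Optional[int]                         # None: connection refused / timed out
    headers: dict = field(default_factory=dict)   # header names lower-cased


def classify(p: Probe) -> list:
    """Return findings for one probe; an empty list means the probe looks fine."""
    findings = []
    if p.scheme == "http":
        if p.status is None:
            return findings                       # port 80 closed at the firewall: good
        location = p.headers.get("location", "").lower()
        if p.status in REDIRECTS and location.startswith("https://"):
            return findings                       # plain HTTP only bounces to HTTPS: acceptable
        findings.append(f"{p.path}: served over plain HTTP (status {p.status}); restrict OWA to HTTPS")
        return findings

    # HTTPS: an anonymous request should be refused with a challenge, not answered with a page
    if p.status is None:
        findings.append(f"{p.path}: HTTPS endpoint unreachable; check the 443 pinhole and certificate binding")
    elif p.status == 401:
        if "www-authenticate" not in p.headers:
            findings.append(f"{p.path}: 401 without WWW-Authenticate; verify IIS authentication settings")
    elif 200 <= p.status < 400:
        findings.append(f"{p.path}: anonymous request got status {p.status}; "
                        "IIS should demand credentials before the OWA logon page")
    else:
        findings.append(f"{p.path}: unexpected status {p.status}")
    return findings


def probe(host: str, scheme: str, path: str, timeout: float = 5.0) -> Probe:
    """Perform one anonymous GET and record status and headers (live network call)."""
    try:
        if scheme == "https":
            conn = http.client.HTTPSConnection(host, timeout=timeout,
                                               context=ssl.create_default_context())
        else:
            conn = http.client.HTTPConnection(host, timeout=timeout)
        conn.request("GET", path, headers={"User-Agent": "owa-exposure-check"})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        conn.close()
        return Probe(scheme, path, resp.status, headers)
    except (OSError, http.client.HTTPException):   # refused, timeout, TLS or malformed reply
        return Probe(scheme, path, None)


def summarize(probes) -> list:
    """Flatten the findings of several probes into one report list."""
    report = []
    for p in probes:
        report.extend(classify(p))
    return report


def audit(host: str) -> list:
    """Probe every OWA path over both schemes and return the findings."""
    return summarize(probe(host, s, path) for s in ("http", "https") for path in OWA_PATHS)


# Constructed sample responses (not captured from any real server):
# one path answers anonymously on port 80, one redirects to HTTPS, one is
# correctly challenged, and one serves a page over HTTPS without credentials.
SAMPLE_PROBES = [
    Probe("http", "/exchange", 200, {"content-type": "text/html"}),
    Probe("http", "/exchweb", 302, {"location": "https://owa.example.test/exchweb"}),
    Probe("https", "/exchange", 401, {"www-authenticate": 'Basic realm="owa.example.test"'}),
    Probe("https", "/public", 200, {"content-type": "text/html"}),
]

if __name__ == "__main__":
    import sys
    # With a host argument the live audit runs; without one the constructed samples are reported.
    report = audit(sys.argv[1]) if len(sys.argv) > 1 else summarize(SAMPLE_PROBES)
    for line in report or ["no findings"]:
        print(line)
```

Run it against the front-end from an address outside the DMZ (the view an Internet client gets), not from the LAN side, otherwise a firewall rule that only blocks inbound port 80 is not exercised. The check says nothing about the back-end/DC path the post is mainly concerned with; that is verified at the firewall rule set, not from the web side.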