Windows/Exchange security auditing tool

From: Kevan Smith (Kevan.Smith_at_tideworks.com)
Date: 09/08/04

    Date: Wed, 8 Sep 2004 13:08:28 -0700
    To: <focus-ms@securityfocus.com>
    Note, this is a repost due to expiration of the initial post. Feel free
    to strip this line if approved. Tx.

    ----
    Exchange 2003 has no internal directory services, so to speak; it uses AD
    for account maintenance, so yes, Exchange 2000/2003 does require very
    fast, very reliable connectivity to a Windows 2000/2003 DC/GC.  Best
    practice recommendation is to have at least one domain controller with
    GC services in the same network segment as each Exchange back-end server,
    and access to multiple DC/GCs for redundancy.  The front-end (OWA)
    server can be on a separate segment (read: separate interfaces on a
    firewall), but should maintain a solid connection to at least one DC/GC
    (again, redundancy...).

    The most common method of setting up OWA in a mid-size to large
    organization is to place your back-end Exchange server (hosting
    mailboxes) in the internal network or an internal DMZ with at least one
    DC/GC, then a separate front-end server in a publicly accessible DMZ.
    Lock down your ports, and make your pinholes in the firewall.

    Another method, also common in larger organizations, is to further
    isolate the front-end server behind an ISA server for further
    protection.  Fewer holes in the firewall, better SSL protection, higher
    cost/overhead.

    Your concern over exposure is valid; it's the same concern which drives
    us to use UNIX-based SMTP proxies.  As to the real exposure limit, keep
    OWA restricted to https and require authentication at IIS before even
    presenting the OWA logon page, and you give yourself a good level of
    protection against unauthorized access to your GAL.

    Your remaining risk is that because your Exchange server requires access
    to your Domain Controllers, it's a potential path into your network.
    Prevent hackers from hop-scotching from a hijacked web server to the LAN
    via the OWA server by placing the OWA server in an isolated DMZ.
    Alternatively, since you're using two-factor authentication via
    pseudo-random numbers, force users to authenticate at the firewall
    before a single packet reaches the OWA server.  In doing this, you're
    inherently protected against unauthorized access and would then have the
    option of keeping your OWA server in the private LAN.

    There is one final alternative, which involves replicating your user
    accounts and using cross-forest authentication.  This does remove the
    direct connectivity into the network (though there is still the
    connectivity between DCs in the respective forests), but IMHO is an
    extreme measure with many hidden costs, and is not warranted in most
    circumstances.

    References:
    http://www.microsoft.com/technet/itsolutions/msit/deploy/ex03atwp.mspx
    KB270836
    KB298369
    KB264035
    http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/ex2k3rpc.mspx
    http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/exchage2003.mspx
    http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc070902/wcblurb070902.asp
    http://support.microsoft.com/servicedesks/webcasts/en/wc021203/WC021203.ppt

    Kevan S.
    MCSE, Contributing Author, MCSE Guide to Microsoft Exchange 2000 Server
    Administration.
    -----Original Message-----
    From: Chad Lorenc [mailto:CLorenc@entfederal.com]
    Sent: Thursday, September 02, 2004 3:01 PM
    To: focus-ms@securityfocus.com
    Subject: RE: Windows/Exchange security auditing tool
    I have a quick question: we are rolling out Exchange 2003 with OWA.  Our
    OWA server sits in one of our DMZs; because of the Active Directory
    component, the engineers state that OWA must be a part of our internal AD
    domain.  We currently do not have any servers bridging the internal AD
    domain into the DMZs.

    Is there any way around this requirement?

    How significant a risk does this create, or, more importantly, are there
    feasible exploits past information probing?

    We do have multiple layers of protection such as two-factor
    authentication (AD login + random authenticator), host monitoring,
    firewall rules, VLANs etc.  I am just curious, on its own, what kind of
    risk we assume with this design.

    Chad Lorenc