Re: Security issue with MS Exchange and Windows 2003 Server

From: ITTester (ITTester_at_discussions.microsoft.com)
Date: 11/29/05


Date: Tue, 29 Nov 2005 05:47:12 -0800

Hi Leythos,

Thanks for all the suggestions; however, the sole purpose of this post is to find a
safe way to move all my mailboxes to a new server. Almost all of your suggestions
have already been done on the new network topology. I am in the last
production phase of this migration project. Please see below for my reply.

Please note that whatever software I use below to protect our new network,
MS Windows products such as Windows XP, 2003 Server and Exchange are incomparable.
I am a fan of MS.

"Leythos" wrote:

> In article <749DC8D1-E799-44BE-87B2-7A183AA70D06@microsoft.com>,
> ITTester@discussions.microsoft.com says...
> > I am using the same AV as you but version 9, but I lost confidence in this AV
> > as the AV couldn't detect any phishing links contained inside the mail body
> > or malware sites. We were infected through malware sites and phishing links. Our
> > staff do a lot of research on the net for design purposes.
>
> Sorry, but AV software does not and is not supposed to detect phishing
> emails; it's not supposed to detect whether a site is malicious or not; it
> detects when bad things have entered the node in question.

AV software is supposed to protect you against any well-known malware or
malicious scripts or any virus that may affect your PC. What use is paying for an
AV which couldn't detect it!!!

Install Avast and test the AV by surfing to some well-known malware site such as
www.googkle.com, and you will see how this software protects you when you surf
on the internet.

Send yourself a test phishing email on the PC on which you have installed Avast
and you will see the difference from other AV makers.

> If your staff do a lot of "research" on the net, then they should be
> protected better than you have done - I would suggest the following:
>
> 1) Firewall using HTTP Proxy that does not permit ActiveX, does not
> permit JavaScript, does not permit java applets, blocks cookies, etc...
> It should also block the downloading of files.

On the new network I have already installed and use the software below:

Triple firewalls (Cisco PIX 506e - DMZ Linux Netfilter/iptables - Linux
firewall)

Postfix - SMTP Server
Squid (www.squid-cache.org)
Amavisd-new
Spamassassin
Clamav
Sophie
DCC
Razor
Pyzor
Anomy Sanitizer
Snort
Prelude
V-Server

> 2) FireFox or Opera or some non-IE Browser

Done for all staff who need to surf the internet.
Blocked all other staff who don't need access to the internet using a transparent
proxy - Squid.

> 3) Set IE to high-security mode

Not necessary as I use the above browsers. I banned IE access on the proxy.

> 4) Firewall using SMTP Proxy - blocks attachments based on MIME Type,
> blocks attachments based on size and bad headers.

See above - Squid and Sanitizer + Avast.

> 5) Antivirus software for Exchange (GFI Mail Essentials is only part of
> the solution, you should have ALSO purchased GFI Mail Security) that can
> remove attachments based on content type and scannable or not scannable.

I have tested GFI Security; the application itself needs a high-performance
server, otherwise your server will crash. Very expensive, poor support. It does
not erase all malware completely; it stores it inside the server; the blacklist and
whitelist are easy to bypass if activated. Spam detection is not usable in a corporate
environment; it can't detect fake users and/or phishing email.

I have tested Mail Essentials in depth for 1 year and Security for 3 months with a
volume of 500-1000 emails per day on average. Security crashed constantly.

> 6) Antivirus on exchange that gets real updates every 1~4 hours, not
> just set for updates at that interval, but where the AV vendor actually
> pushes new updates out quicker.

I use ClamAV + Sophie on 2 front-end filtering servers - Avast and SAV on the
backend servers.

Updates for ClamAV and Sophie are set to every hour.
Avast auto-updates every 2 hours.
SAV auto-updates every week!!!! You can't update SAV more often as the virus
definitions are only available once a week!!! Paying too much for nothing.

> 7) Antivirus software on ALL nodes for real-time scanning, memory
> scanning, expanded threat scanning.

Real-time scan on all AV + Monit + email + paging when suspicious activity is detected.

> > I am at the stage of doing exactly what you suggested, but we didn't
> > want to take the chance of being infected again; that's why I consulted the MS
> > communities to see if anyone has a better idea than this one.
>
> I'm a firm believer in wiping and reinstalling and using a backup tape
> from before the infection to restore from.

Yes - I have considered this option and tested it, but email on tape = email
on the infected server. I didn't have any backup older than 2 weeks; also, we
cannot afford to lose 2 weeks of emails. Email is our working tool.

> > > Once that's done I would setup SMS 4.6 to remove attachments that could
> > > contain malware and also use it for spam filtering.
> >
> > The problem is not scanning after moving the mailboxes but during the move.
> > Please do some research on Google about HackDef, but please be careful;
> > there is no cure yet against this rootkit. If you are an MS engineer at
> > security level, you will know about
>
> You don't understand the store then. If you mount the store, just
> mounting the store will not reinfect you; the store as a file cannot be
> infected. The contents of the store don't infect the system; only
> opening the objects inside the store and processing them can infect you
> again. If the AV product scanning the store can detect it, then it can
> remove it. Also, since you can process the "Attachment" rules on the
> store, you can also remove any attachments before you put the server
> back online.

Thanks for your point regarding the store. However, MS and SAV and every other AV
maker strongly recommend that you DO NOT SCAN YOUR STORE CONTAINER OR ANY
LOG OR DB CONTAINERS, as there is a possibility (99%) of corruption of your
store DB if your log is deleted or held by the AV. Go to your store
container and delete one single log and you will see by the end of the day
(please do not do it).

GFI gave the same recommendation.

> So, if you restrict the HTTP sessions like I said above, restrict SMTP
> in the manner described, there is no path inbound for the malware. It's
> worked for our clients for years.
>
One other thing you may help me with: during the move test, I saw that you have 2
options as below:

1. same administrative zone
2. cross administrative zone.

My understanding is that the second option means the administration is
from another DC, meaning the infected DC cannot control the cross DC.
Please confirm if you know about this.

>
> spam999free@rrohio.com
> remove 999 in order to email me
>
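As an added illustration of the proxy policy this thread keeps returning to (force a non-IE browser, give internet access only to staff who need it, block file downloads at the proxy, intercept the LAN transparently), here is a Squid ACL fragment. It is an example written for this page, not a configuration from the poster or from the Squid project; the subnet, the `web_staff.txt` file and the interception port are assumptions, and the syntax is Squid 2.6-era (`transparent`), which is what a Windows 2003-era deployment would have run.

```squid
# Added example, not from the post. Squid 2.6 ACLs for the proxy policy
# discussed in the thread. LAN subnet, allow-list file and port are assumed.

# The LAN, and the subset of staff who are allowed to browse (one IP per line).
acl lan src 192.168.0.0/24
acl web_staff src "/etc/squid/web_staff.txt"

# Internet Explorer is refused by User-Agent; staff must use a non-IE browser.
acl msie browser -i MSIE

# Downloads of executable content are refused, both by URL extension on the
# request and by the MIME type the origin server actually returns.
acl risky_ext urlpath_regex -i \.(exe|scr|pif|com|bat|vbs|cmd|hta)$
acl risky_mime rep_mime_type -i ^application/x-msdownload$ ^application/octet-stream$

# Request rules: first match wins, so the denies come before the allow and
# the LAN as a whole is denied after the approved staff are allowed.
http_access deny msie
http_access deny risky_ext
http_access allow web_staff
http_access deny lan
http_access deny all

# Reply rule: evaluated on the response, after the request was permitted.
http_reply_access deny risky_mime
http_reply_access allow all

# Transparent interception. The Linux firewall redirects LAN web traffic here:
#   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
http_port 3128 transparent
```

Order is the point to check when reviewing such a config: Squid evaluates `http_access` top-down and stops at the first matching line, so a staff allow placed above `deny msie` would let IE through for approved staff. The `rep_mime_type` rule matters because the extension check alone can be sidestepped by a server that labels an executable as a generic type, and `http_reply_access` is the only place Squid sees that header. What ACLs cannot do is strip ActiveX or JavaScript from pages; that part of the policy belongs to the browser and to a content filter, not to these rules.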


