Re: Security issue with MS Exchange and Windows 2003 Server

From: Leythos (void_at_nowhere.lan)
Date: 11/29/05


Date: Tue, 29 Nov 2005 17:09:08 GMT

In article <B9BB5752-2A92-43B7-9B56-959E18067527@microsoft.com>,
ITTester@discussions.microsoft.com says...
> Hi Leythos,
>
> Thanks for all the suggestions; however, my sole purpose in this post is to find
> a safe way to move all my mailboxes to a new server. Almost all of your suggestions
> have been done on the new network topology already. I am in the last
> production phase of this migration project. Please see below for my reply.
>
> Please note that whatever software I use below to protect our new network,
> MS Windows products such as Windows XP, 2003 Server and Exchange are incomparable.
> I am a fan of MS.
>
> "Leythos" wrote:
>
> > In article <749DC8D1-E799-44BE-87B2-7A183AA70D06@microsoft.com>,
> > ITTester@discussions.microsoft.com says...
> > > I am using the same AV as you but version 9, but I lost confidence in this AV
> > > as the AV couldn't detect any phishing links contained inside the mail body
> > > or malware sites. We are infected through malware sites and phishing links. Our
> > > staff do a lot of research on the net for design purposes.
> >
> > Sorry, but AV software does not and is not supposed to detect phishing
> > emails, it's not supposed to detect if a site is malicious or not, it
> > detects when bad things have entered the node in question.
>
> AV software is supposed to protect you against any well-known malware or
> malicious scripts or any virus that may affect your PC. What use is it to pay for an
> AV which couldn't detect!!!
>
> Install Avast and test the AV by surfing on some well-known malware site such as
> www.googkle.com and you will see how this software protects you when you surf
> on the internet.
>
> Send yourself a test phishing email on the PC on which you have installed Avast
> and you will see the difference between it and other AV makers.

I'm confused, if you had all of this then how did you get compromised?

> > If your staff do a lot of "research" on the net, then they should be
> > protected better than you have done - I would suggest the following:
> >
> > 1) Firewall using HTTP Proxy that does not permit ActiveX, does not
> > permit JavaScript, does not permit java applets, blocks cookies, etc...
> > It should also block the downloading of files.
>
> On the new network I have already installed and use the software below:
>
> Triple firewalls (Cisco PIX 506e - DMZ Linux Netfilter/iptables - Linux Firewall)
>
> Postfix - SMTP Server
> Squid (www.squid-cache.org)
> Amavisd-new
> Spamassassin
> Clamav
> Sophie
> DCC
> Razor
> Pyzor
> Anomy Sanitizer
> Snort
> Prelude
> V-Server

Looks like overkill and we've never had a compromised client under our
management and don't use/need anything like the above.

> > 2) FireFox or Opera or some non-IE Browser
>
> Done for all staff who need to surf the internet.
> Block all other staff that don't need access to the internet using a transparent
> proxy - Squid.
>
> > 3) Set IE to high-security mode
>
> Not necessary as I use the above browsers. I banned IE access on the proxy.
>
> > 4) Firewall using SMTP Proxy - blocks attachments based on MIME Type,
> > blocks attachments based on size and bad headers.
>
> See above - Squid and Sanitizer + Avast.

Then how did you get compromised?

> > 5) Antivirus software for Exchange (GFI Mail Essentials is only part of
> > the solution, you should have ALSO purchased GFI Mail Security) that can
> > remove attachments based on content type and scannable or not scannable.
>
> I have tested GFI Security; the application itself needs a good-performance
> server, otherwise your server will crash. Very expensive, poor support. Does not
> erase all malware completely, stores it inside the server; blacklist and whitelist
> easy to bypass if activated. Spam detection not usable in a corporate
> environment, can't detect fake users and/or phishing email.
>
> I have tested Mail Essentials in depth for 1 year and Mail Security for 3 months with a
> volume of 500-1000 emails per day on average. Mail Security crashed constantly.

We have a dual Xeon 3.0 GHz with 3 GB RAM running 24/7/365 as a dedicated
Exchange 2003 server on Server 2003 and use GFIMS and GFIME and take
about 600 emails per day - never found a performance issue or stability
problem with either GFI product; in fact, the mail server has not been
rebooted in about 4 months at that client.

> > 6) Antivirus on exchange that gets real updates every 1~4 hours, not
> > just set for updates at that interval, but where the AV vendor actually
> > pushes new updates out quicker.
>
> I use ClamAV + Sophie on 2 frontend filtering servers - Avast and SAV on
> backend servers.
>
> Updates on ClamAV and Sophie are set for every hour.
> Avast auto-updates every 2 hours.
> SAV auto-updates every week!!!! You couldn't update SAV as the virus definitions are
> only available 1 time a week!!! Pay too much for nothing.

SAV is available every day if you purchase the Corporate version; I know
this for a fact as I've watched our servers auto-update more than once a
day even.

> > 7) Antivirus software on ALL nodes for real-time scanning, memory
> > scanning, expanded threat scanning.
>
> Real-time scanning on all AV + Monit + email + paging on suspected activities.
>
> > > I am at the stage of doing exactly what you suggested, but we didn't
> > > want to take the chance of being infected again; that's why I consulted the MS
> > > communities to see if anyone has a better idea than this one.
> >
> > I'm a firm believer in wiping and reinstalling and using a backup tape
> > from before the infection to restore from.
>
> Yes - I have considered this option and have tested it, but email on tape = email
> on infected server - I didn't have any backup older than 2 weeks; also, we
> cannot afford to lose 2 weeks of emails. Email is our working tool.
>
> > > > Once that's done I would setup SMS 4.6 to remove attachments that could
> > > > contain malware and also use it for spam filtering.
> > >
> > > The problem is not scanning after moving the mailboxes but during the move.
> > > Please do some research on Google about HackDef, but please be careful,
> > > there is no cure yet against this rootkit. If you are an MS engineer at
> > > security level, you will know about
> >
> > You don't understand the store then - if you mount the store, just
> > mounting the store will not reinfect you; the store as a file cannot be
> > infected. The contents of the store don't infect the system; only
> > opening the objects inside the store and processing them can infect you
> > again. If the AV product scanning the store can detect it, then it can
> > remove it - also, since you can process the "Attachment" rules on the
> > store, you can also remove any attachments before you put the server
> > back online.
>
> Thanks for your point regarding the store. However, MS and SAV or any AV
> makers strongly recommend you DO NOT SCAN YOUR STORE CONTAINER OR ANY
> LOG OR DB CONTAINERS as there is a possibility (99%) of corruption of your
> store DB if your log has been deleted or held by the AV. Go to your store
> container and delete one single log and you will see at the end of the day
> (Please do not do this).

You misunderstand what I said - the Symantec Mail Security product, once
the store is mounted, before you provide users access to it, can scan
INSIDE the store without any chance of damage (as it's Exchange aware)
and remove malware and attachments - this is not the same as using SAV
10 to scan the mail store. I'm talking about Symantec Mail Security
(like GFI Mail Security), which will open a connection to the store and
scan the contents using Exchange methods/access. The method works and is
recommended by Symantec and MS; using a FILE-based scanner is not
recommended on any type of database.

> GFI gave the same recommendation.

Again, you need to understand what I wrote - Symantec MAIL SECURITY is a
stand-alone product that scans the mail store and SMTP session in
real-time and on-demand and IS APPROVED for that function. The same is true
for GFI MAIL SECURITY.

> > So, if you restrict the HTTP sessions like I said above, restrict SMTP
> > in the manner described, there is no path inbound for the malware. It's
> > worked for our clients for years.
> >
> One other thing that you may help me with: during the move test, I saw that you have 2
> options as below:
>
> 1. same administrative zone
> 2. cross administrative zone.
>
> My understanding of this is that the second option means the administration is
> from another DC, meaning the infected DC cannot control the cross DC.
> Please confirm if you know about this.

I do not understand what you mean by the above.

-- 
spam999free@rrohio.com
remove 999 in order to email me
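As an added example (written for this archive page, not by either poster), the squid.conf fragment below implements the proxy restrictions the thread discusses: only a named staff subnet may browse, Internet Explorer is refused by User-Agent, and executable downloads are blocked both by request path and by reply content type. The subnet, the listening port and the file-type lists are assumptions; the interception (transparent) setup is version-specific and left out.

```conf
# Added example squid.conf fragment (not from the thread).
# Assumed values: staff subnet 192.168.10.0/24, Squid listening on 3128.
http_port 3128

# Only the design staff who need web access get through the proxy;
# everyone else on the LAN is denied.
acl staff src 192.168.10.0/24

# Refuse Internet Explorer by User-Agent so only the non-IE browsers are used.
acl ie browser -i MSIE

# Block downloads of executable/script files by request path ...
acl exe_url urlpath_regex -i \.(exe|msi|scr|pif|com|bat|cmd|vbs|js|hta|cab)$
# ... and by reply content type, which also catches renamed binaries
# that the path check misses.
acl exe_mime rep_mime_type -i ^application/(x-msdownload|x-msdos-program|octet-stream)$

# Order matters: explicit denies first, then the allowed staff, then deny everything else.
http_access deny ie
http_access deny exe_url
http_access allow staff
http_access deny all

# Reply-side check: rep_mime_type is only evaluated in http_reply_access.
http_reply_access deny exe_mime
http_reply_access allow all
```

Squid cannot strip ActiveX, JavaScript or Java applets from page content by itself; those items from the list above need a content-filtering proxy or browser-side policy in front of or behind Squid.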
