Re: Security issue with MS Exchange and Windows 2003 Server

Hi Karl,

Thanks for your recommendation, your "MVP" is worth the title. Finally
something straight, clear and different among all 48 posts that we have.
"Chapeau!!!"

Please see my first post and a few of the posts after it; you will see
my intention is to secure the new servers (see below how I install and secure
them - please give me your comments if possible) and proceed to the move of
the mail data and DC promotion. However, I was not sure about the infection that
may be caused to the new servers. After the 46 posts I feel that I have no other
choice than to be drastic as per my 47th post. Please don't take me wrong but
almost all other suggestions or comments from other posts, except David's for the
multi AV, are very unhelpful!!!

I am in the last stage of moving the mails; I have processed 3 move tests to
make sure everything is okay.

5 fck days to wait for a straight answer!!!!!!!!!!!!!!!!

How I install the new servers:

We have 2 separate static IPs from the router which is connected to the
internet. The first IP is used by my actual LAN, the second one is for test
purposes (my nickname is IT Tester - I test a lot of other apps and VB or
Linux on my test LAN).

The 2nd IP is protected with a Linux firewall - no incoming, only outgoing; no
smtp/pop3, no ftp, no https, no telnet, only ssh and vpn.

I mounted my new servers and all rebuilt PCs on the 2nd LAN - only a
switch + the mounted servers or PCs.

I install my W2K3 on the server without an internet connection. Upon finishing, I
create 2 local users (AVS and Debug) which will be used as the AV service
account and logon user.

Install Avast server version and run a pre-boot scan.

Install rmonit, starter and erunt to protect against registry changes and control the
startup process. Create a backup of the registry using erunt.

Connect to the internet. Update virus definitions. Disconnect from the internet and run a
second scan in safe mode (F8).

If the results are correct then I connect back to the internet and run Windows Update
using www.microsoft.com/update/

Once all security patches and SP1 for the server and SP2 for XP are installed, then I make a
port scan to see if any unsafe ports are open.

Once the above is done, I assign a LAN static IP to the new server (DHCP for XP)
and attach the server to the production LAN and network as a member server.

Promote the new server to DC but not primary DC as I am not sure about the mail
server.

Once AD is replicated to the new DC, I disconnect the new DC.

I start to install the mail server exactly as above + install Exchange SP2
and all patches.

I did the last store tape backup in case of failure during the move. I have
successfully tested the 3 moves.

I posted my 1st post on Saturday night as I was not sure about the
virus/infection spreading to the new servers.

Yesterday I had backup from the community to prepare the drastic plan that
you read this morning. Yes I have a family and a life. Family needs money = job
= smooth it or ... be a loser.

Okay... It looks too good to be true what you just said about the slim chance of
infection when servers are well mounted.

However I would like to hear a similar affirmation from other MVPs...

Regards,

"Karl Levinson, mvp" wrote:

>
> "ITTester" <ITTester@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:469B5E34-4CDE-4257-9768-84BE95C9B018@xxxxxxxxxxxxxxxx
>
> > 1. I will export all mailboxes to an external hard drive using the ost and pst
> > method when possible depending on the mailbox size.
> > 2. In parallel I will install on a rebuilt PC and test the multi AV scan from
> > David and if all tests pass successfully including the remote scan I will
> > move to step 3.
> > 3. I will rebuild 2 PCs fully updated.
>
> The security of this depends entirely on how securely you build the PCs,
> something that wasn't really detailed here. If you don't secure the new
> email server, it can be infected, but by being plugged into the same
> network, not really because of the email transfer.
>
> > 4. On the first pc I will install Norton 2006 retail version (trial) + Avast
> > and I will dual scan the entire content of the external hard drive once the
> > export process is finished.
>
> Define dual scan. You don't want two "on access" AV scanners running in
> memory at the same time.
>
> > 5. On the second PC I will install windows 2000 server - we have a 2000
> > server license from before we moved to windows 2003 server.
> > 6. Install Avast and Symantec AV - I have tested both AV running on the same PC
> > and it is workable although I get a warning window.
>
> This is NOT a good idea. No one recommends doing this.
>
> > 7. Both pcs will be installed on a separate subnet and vlan
> > (192.168.x.x/24), isolated from other lan PCs.
> > 8. Both pcs will be firewalled and monitored for intrusion by a separate
> > and "reversed" firewall (Linux Firewall, snort, clamav, sophie, squid, anomy
> > sanitizer); "reversed" firewall means outgoing LAN users are authorized to go
> > in via remote terminal session to consult the pst or ost files but data will not
> > be able to go out, by blocking all ports except the terminal session port.
>
> This seems excessive for a restore procedure.
>
> > 9. The external hard drive will be attached as a slave hd on the second pc
> > isolated from the c drive.
> > 10. A strong security policy and logging will be set up on the 2nd pc.
> > 11. Staff will log in remotely using a terminal session on the 2nd pc to
> > consult their pst or ost. No export of data is allowed. A printer is attached to
> > the 2nd pc to print data if needed. All staff need to learn how to use
> > terminal sessions, no exceptions allowed.
>
> This does not seem necessary or typical.
>
> > 12. In the event of infection, an event will be sent to my external mail address.
> > 13. I will log on locally to the second pc and will try to eradicate the
> > virus/trojan, otherwise the 2nd pc will be erased and rebuilt again. All mails
> > are on the 2nd slave hard drive, so there is no mail loss.
> >
> > Gentlemen, please give me your comments, I hope the above method is the best for
> > my case.
>
> It seems overly complex to me. You say you have a family and a life... you
> would have much more time for these if you cross off most of those steps.
>
> It should be possible to do it much more simply, by following the standard
> install process. Just build the servers securely, using the instructions at
> www.microsoft.com/technet/security and move the data to them. Simple. For
> the email server, just copy over the email database files and import them
> onto the new server, and there's zero chance of the server OS becoming
> infected. Viruses in the email message store [user inboxes] are really no
> big deal as long as all your client PCs have up to date antivirus.
>
> I think you are mistaken about hackdef. If this is hacker defender, it can
> easily be removed without causing problems. It may cause problems if there
> are pre-existing problems on the server, or if something else malicious is
> on the system. It doesn't do anything intentionally damaging to the system,
> and it does not spread. It is possible you have a unique situation that
> does not apply to most other people. And yes, I do security work for a
> living.
>
> > Okay, now this is my question that I am very concerned about.
> >
> > I wanted to import the Active Directory (AD) from the infected server to my
> > new Domain Controller (DC). What is the percentage chance of infection that my new
> > DC will have?
>
> Again, as with the Exchange migration, the chances of infection from the
> actual AD import is slim to none. The easiest way is to put both on the
> same network, promote the new server and retire the old one. But if you
> don't securely harden the domain controller [especially installing all
> Microsoft patches and service packs] before plugging it into the network, it
> can be infected via the network.
>
> > Do I need to start the DC from scratch for safety reasons?
>
> You don't "need" to. But you may want to. See my post in
> microsoft.public.security.
>
>
>
.
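The "port scan to see if any unsafe ports are open" step in the build procedure above is easier to repeat consistently as a baseline comparison of what the server is actually listening on. The following is an added example, not code from the thread: it parses constructed Windows-style `netstat -an` output and flags TCP listeners that are not on an assumed per-role allowlist (the allowlists are illustrative assumptions, not an authoritative list for Windows 2003 or Exchange).

```python
"""Baseline check for listening TCP ports on a freshly built server.

Added example (not from the newsgroup thread). The role allowlists are
illustrative assumptions; adjust them to the services you actually install.
"""
import re

# Assumed (illustrative) expected TCP listeners per server role.
EXPECTED_LISTENERS = {
    "member_server": {135, 139, 445, 3389},
    "domain_controller": {53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 3389},
}

# Constructed netstat -an output in the Windows format (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.50:1234      ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# Matches only TCP rows in LISTENING state and captures the local port.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.M)


def listening_tcp_ports(netstat_output):
    """Return the set of local TCP ports in LISTENING state."""
    return {int(p) for p in LISTEN_RE.findall(netstat_output)}


def unexpected_listeners(netstat_output, role):
    """Return listening TCP ports that the role's baseline does not expect.

    UDP sockets have no state column in netstat output and are not
    covered here; review them separately against the same kind of list.
    """
    return listening_tcp_ports(netstat_output) - EXPECTED_LISTENERS[role]


if __name__ == "__main__":
    for role in EXPECTED_LISTENERS:
        extra = unexpected_listeners(SAMPLE_NETSTAT, role)
        print(f"{role}: unexpected listeners {sorted(extra) or 'none'}")
```

Run it against a saved `netstat -an` capture taken before the server joins the production LAN; any port it reports is either a service you forgot to account for in the allowlist or something that should not be there.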
