Securing Exchange, IIS, and SQL Infrastructures
Fred Baumhardt, Infrastructure Solutions Consulting
Microsoft Security Solutions, Feb 4th, 2003

Page 1: Securing Exchange, IIS, and SQL Infrastructures

Fred Baumhardt, Infrastructure Solutions Consulting
Microsoft Security Solutions, Feb 4th, 2003

Page 2: Session Overview

- Microsoft Defence-in-depth Model
- Strategic Multi-Product Defence
- Implementing End to End Exchange Security
- Implementing End to End IIS Security
- SQL Security

Page 3: Defense-in-Depth

- Perimeter Defences: Packet Filtering, Stateful Inspection of Packets, Intrusion Detection
- Network Defences: VLAN Access Control Lists, Internal Firewall, Auditing, Intrusion Detection
- Host Defences: Server Hardening, Host Intrusion Detection, IPSec Filtering, Auditing
- Application Defences: AV, Content Scanning, Layer 7 (URL) Switching Source, Secure IIS, Secure Exchange
- Data and Resources: Databases, Network Services and Applications, File Shares

[Diagram: concentric layers from Perimeter Defences through Network, Host and Application Defences in to Data & Resources; each layer assumes the prior layers fail; Management spans all layers.]

Page 4: Strategic Defence

- Know what's in your Datacenter
- Segment your Networks
  - Most attacks, worms, can be defeated by network protection – to buy time for patches
  - Internal IDS to clean up client VLANs
  - IPSec Policies to contain breakouts
- Plan your management - incident response
- Application Inspection internal firewalls

Page 5: Strategic Defence Cont.

- Reduce Attack Surface
  - Disable unnecessary software and services
  - Use MBSA – IISLockdown etc
  - Use a third party vulnerability scanner
- Configure AD group policy and use role based security templates
  - Restricted Groups
  - Restricted Services
  - Restricted Registry and File ACLs

Page 6: The Total Trust Network

- Modern networks are generally one large TCP/IP space segmented by firewalls to the Internet
- Trust is implicit in all organisations
- TCP/IP was not designed for security
- THIS HAS TO STOP – Network Segmentation is now critical

Page 7: Secure Your Networking

[Diagram: Internet → Redundant Routers → ISA Firewalls (First Tier Firewalls: URL Filtering for OWA, RPC Termination for Outlook) → separate VLANs for DC + Infrastructure, Front-end and Backend servers, each on NIC teams across 2 switches, with Intrusion Detection on every tier.]

Switches implement VLANs and control inter-VLAN traffic like firewalls do.

Page 8: An Alternate DMZ Approach

- A Flat DMZ Design to push intelligent inspection outwards
- ISA layer 7 switching (OWA) or RPC filtration (Outlook)
- No Firewalls between front-end and backend servers
- Front-end and backend servers authenticate clients
- IPSec if required between front-end and backend

[Diagram: Internet → Stateful Packet Filtering Firewall (TCP 80: HTTP or TCP 443: HTTPS) → Application Filtering Firewall (ISA Server) → Exchange Server (TCP 443: HTTPS).]

Page 9: Exchange Specific Issues

- Exchange Client Selection crucial
- Exchange Supporting Infrastructure Security
- Top 10 Action Points to secure Exchange

Page 10: Selecting an Exchange Client

Client                          Experience   Complexity    Security
POP3/IMAP4 via SSL with SMTP    Basic        Medium/High   Medium
OWA via SSL with ISA            Moderate     Low           Full
VPN – L2TP w/IPSEC, PPTPv2      Full         High          Full
Secure RPC with ISA             Full         Medium/Low    Full

Page 11: Security from Internet Clients

- Every time you connect into a network you extend the security perimeter
- VPN and to a lesser extent RPC Publishing both require care at the client
- Harden your clients on the Internet or hackers will attack clients and ride the VPN
- Require RPC encryption for Outlook
- Client Based IDS systems

Page 12: Internal Security

- Don't assume Internet is the only threat
- Assume internal people want to attack you – more than external people
- Defensive Tactics include:
  - Client Network Segmentation
  - Encryption of Client Traffic – e.g. require RPC
  - Review of public folder/client permissions
  - Third party – AV – IDS – Auditing
  - Server Role – Security templates from Ops guide
  - Extend the security scope to all infrastructure Exchange relies on: AD – DNS – SMTP Relay etc

Page 13: Top 10 Ways to Get Exchange Secure

1. Implement the Security Operations Guides for Windows and Exchange (http://msdn.microsoft.com/practices)
2. Use MBSA to identify missing patches
3. Implement IISLockdown based on role
4. Secure Infrastructure Assets
5. Use the EDSLock script to restrict groups

Page 14: Top 10 Ways To Get Exchange Secure

6. Get adequate antivirus protection for servers and desktops
7. Use perimeter SMTP scanning
8. Automate Patch Management
9. Use SSL, IPsec, and MAPI encryption where appropriate
10. Plan your response to an intrusion/worm before it happens

Page 15: IIS Security Basics

- Turn it off where not required
- Use IISLockdown tool – be aware of its impact on applications
- Use a layer 7 proxy like ISA Server
- Use W2K Security Operations templates and guides to lock down IIS by OU – and role

Page 16: Legacy Firewalls and Data Attacks

[Diagram: an Attacker or Virus Author on the Internet sends an Overflow through a Normal Firewall ("Checks Rules - OK") into the Internal Network, reaching the Internal Web Server and Internal Exchange Server.]

- Normal Firewalls only check rules like source, destination and port – NOT DATA ITSELF
- Data passes through firewall unchecked and hits internal IIS box essentially intact – attacks pass through
- Virus or attack inside data passes

Page 17: Countering Application Level Attacks

[Diagram: the same Attacker / Virus Author sends an Overflow from the Internet, but ISA Filters check the data inside traffic before it reaches the Internal Web Server and Internal Exchange Server.]

- Security devices evolve to inspect data
- Application Filters that know what to look for:
  - Web – Stop Overflows – check syntax of commands
  - Intrusion Detection – scans for patterns of attack
- Force Internal Traffic to be Inspected by Internal Firewalls
- Virus or attack inside data is blocked – alert is raised

Page 18: ISA Server and IIS

- URLScan – syntax and http level checking of acceptable verbs – URLs, and characters
- Layer 7 URL blocking – EG mail.corp.com/exchange OK – mail.corp.com/£$%^^^£$" - Dropped
- HTTPS Termination – inspection and re-encryption – inspect the un-inspectable
- Defeats all known URL based overflows – itself is not susceptible as it has no IIS
- SMTP Scanner for IIS SMTP mail
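The slide's layer 7 URL check (mail.corp.com/exchange forwarded, mail.corp.com/£$%^^^£$" dropped) and URLScan's verb/URL/character rules reduce to a small allow-list evaluated before a request ever reaches IIS. The following Python is an added example, not code from the deck or from ISA Server or URLScan; the verb set, published path prefixes, length limit, denied extensions and the sample requests are all assumptions constructed for illustration. It shows the order a practitioner wants: decode once, reject anything that still looks encoded or traverses, then require the path to sit under a published application.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed policy in the spirit of URLScan / ISA URL filtering. The verb list,
# prefixes, limit and extension list are assumptions for this example, not the
# products' real configuration syntax.
ALLOWED_VERBS = {"GET", "POST", "HEAD"}
# /exchange comes from the slide; the other published paths are assumed.
ALLOWED_PATH_PREFIXES = ("/exchange", "/public", "/exchweb")
# After one round of percent-decoding only these characters may remain in a
# path. A leftover '%' (double encoding) fails this test too.
SAFE_PATH = re.compile(r"^[A-Za-z0-9/._\-]*$")
MAX_URL_LENGTH = 1024
# Extensions a hardened OWA front-end has no reason to serve (assumed list).
DENIED_EXTENSIONS = (".exe", ".dll", ".ida", ".idq", ".printer")


def check_request(verb, url):
    """Return (verdict, reason); 'drop' means the proxy never forwards it to IIS."""
    if verb.upper() not in ALLOWED_VERBS:
        return "drop", f"verb {verb} not permitted"
    if len(url) > MAX_URL_LENGTH:
        return "drop", "URL exceeds length limit (overflow attempt)"
    path = unquote(urlsplit(url).path)
    if not SAFE_PATH.match(path):
        return "drop", "disallowed or still-encoded characters in path"
    if ".." in path:
        return "drop", "path traversal sequence"
    if path.lower().endswith(DENIED_EXTENSIONS):
        return "drop", "blocked extension"
    # Exact prefix or prefix + '/', so /exchangeadmin does not ride on /exchange.
    if not any(path == p or path.startswith(p + "/") for p in ALLOWED_PATH_PREFIXES):
        return "drop", "path outside published applications"
    return "forward", "ok"


# Constructed sample requests (verb, URL).
SAMPLE_REQUESTS = [
    ("GET", "https://mail.corp.com/exchange/"),                      # forward
    ("POST", "https://mail.corp.com/exchange/alice/inbox"),          # forward
    ("GET", 'https://mail.corp.com/£$%^^^£$"'),                      # slide's junk URL
    ("GET", "https://mail.corp.com/exchange/../scripts/cmd.exe"),    # traversal
    ("GET", "https://mail.corp.com/exchange/%252e%252e/inbox"),      # double encoding
    ("TRACE", "https://mail.corp.com/exchange/"),                    # verb
    ("GET", "https://mail.corp.com/exchange/" + "A" * 4000),         # length
    ("GET", "https://mail.corp.com/exchangeadmin/"),                 # prefix abuse
]


def audit(requests=SAMPLE_REQUESTS):
    """Verdict for every sample request, in order."""
    return [check_request(v, u)[0] for v, u in requests]


if __name__ == "__main__":
    for (verb, url), verdict in zip(SAMPLE_REQUESTS, audit()):
        print(f"{verdict:8} {verb:5} {url[:60]}: {check_request(verb, url)[1]}")
```

The checks run cheapest first (verb, length) so an oversized request is rejected before any parsing. Decoding exactly once and then refusing any remaining `%` is what stops double-encoded traversal from slipping past a prefix match.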

Page 19: SQL Server Security

- Understand the application
- Don't let all machines talk to SQL – SEGMENT YOUR LAN
- Usually application servers talk to DB – not clients directly
- Know where MSDE is installed – include in your management plan
- Replace MSDE with managed SQL servers where possible

Page 20: SQL and Slammer

- Bug should have never been there !!!
- Patches should be made easier and faster to deploy
- However…….
- Infrastructure defences could have prevented Slammer:
  - VLAN off SQL – nothing to infect
  - Internal Firewalls – block ports to Slammer
  - External Firewalls – DMZ machines sending without being asked – should only reply
  - App inspecting filters – FW blocks traffic
  - IDS – recognises and sends RST – alerts admin
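Pages 7, 19 and 20 make one argument: switches and internal firewalls should enforce which VLAN may open a connection to which, application servers rather than clients talk to the database, and a DMZ or database host that starts sending unsolicited traffic is itself the alarm. The Python below is an added example, not code from the deck; the zone subnets (RFC 1918 and TEST-NET ranges), the permitted paths and the sample flows are constructed. It evaluates each new connection attempt the way an inter-VLAN policy would and raises an alert, rather than a plain deny, when a reply-only host initiates traffic, which is what a Slammer-style UDP/1434 burst looks like from the inside.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone map; not the deck's own addressing.
ZONES = {
    "client": ipaddress.ip_network("10.10.0.0/16"),
    "app":    ipaddress.ip_network("10.20.0.0/24"),
    "sql":    ipaddress.ip_network("10.30.0.0/24"),
    "dmz":    ipaddress.ip_network("192.0.2.0/24"),
}

# Which zone may *initiate* a connection to which zone and port. Anything not
# listed is dropped: clients never reach SQL directly, and the SQL VLAN never
# opens connections to anyone, so a worm on it has nowhere to spread.
ALLOWED_INITIATIONS = {
    ("client",   "app", "tcp", 443),
    ("app",      "sql", "tcp", 1433),
    ("internet", "dmz", "tcp", 443),
    ("dmz",      "app", "tcp", 443),
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow):
    """Return (verdict, reason) for one new connection attempt."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    key = (src_zone, dst_zone, flow.proto.lower(), flow.dport)
    if key in ALLOWED_INITIATIONS:
        return "allow", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} is an approved path"
    # Database hosts never open connections, and DMZ hosts answer the Internet
    # but never call out to it: either one initiating is the Slammer signature.
    if src_zone == "sql" or (src_zone == "dmz" and dst_zone == "internet"):
        return "alert", (f"{src_zone} host {flow.src} initiated {flow.proto}/{flow.dport} "
                         f"to {dst_zone}; reply-only zone, block and page the admin")
    return "deny", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} not permitted across VLANs"


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.10.5.23",  "10.30.0.10",  "tcp", 1433),  # client straight to SQL
    Flow("10.20.0.5",   "10.30.0.10",  "tcp", 1433),  # app tier to SQL
    Flow("10.30.0.10",  "10.10.77.1",  "udp", 1434),  # SQL host spraying UDP/1434
    Flow("192.0.2.15",  "10.20.0.5",   "tcp", 443),   # DMZ front-end to app tier
    Flow("192.0.2.15",  "203.0.113.9", "udp", 1434),  # DMZ host spraying the Internet
]


def run(flows=SAMPLE_FLOWS):
    """Verdict for every sample flow, in order."""
    return [evaluate(f)[0] for f in flows]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, reason = evaluate(f)
        print(f"{verdict:5} {f.src} -> {f.dst} {f.proto}/{f.dport}: {reason}")
```

The distinction between `deny` and `alert` matters operationally: a client poking at port 1433 is a policy violation worth logging, but a database server that suddenly initiates outbound datagrams means the host is already compromised and the patch window has closed.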

Page 21: Understand Issues and Mitigate

- SQL in mixed mode has no lockout
  - Can be brute forced so use Windows auth.
- SQL runs as local admin by default
  - SA will have equivalent to machine admin
  - Thus don't run it on DC
- SQL and MSDE listen on known ports
  - So change them where you can
- SA can go across multiple databases
  - Plan your security model carefully
  - Multiple instances give true account isolation
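Because mixed-mode SQL authentication has no account lockout, the only place a password-guessing run against `sa` shows up is the failed-login record, so the control that remains is to watch it. The Python below is an added example, not code from the deck; the log lines are constructed to resemble SQL Server errorlog entries (the `[CLIENT: ...]` suffix is borrowed from later SQL Server versions, and is an assumption here). It keeps a sliding window of failures per user and source and alerts once the count crosses a threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed errorlog-style line format (assumed, not a guarantee of any
# SQL Server version's exact output).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\.(?: \[CLIENT: (?P<client>[\d.]+)\])?"
)
WINDOW = timedelta(minutes=5)   # sliding window
THRESHOLD = 10                  # failures per (user, client) inside the window


def parse(line):
    """Return (timestamp, user, client) for a failed-login line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return ts, m.group("user"), m.group("client") or "unknown"


def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window counter; one alert per (user, client) that crosses the threshold."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, user, client = parsed
        key = (user, client)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": user, "client": client,
                           "failures": len(q), "first": q[0], "last": ts})
    return alerts


def constructed_log():
    """Constructed sample: 12 rapid 'sa' failures from one host plus two honest typos."""
    base = datetime(2003, 2, 4, 10, 15, 0)
    lines = [f"{base:%Y-%m-%d %H:%M:%S}.00 Server     SQL Server is starting at priority class 'normal'."]
    for i in range(12):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S}.{i:02d} Logon      "
                     f"Login failed for user 'sa'. [CLIENT: 10.10.5.23]")
    for i in range(2):
        t = base + timedelta(minutes=1, seconds=40 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S}.00 Logon      "
                     f"Login failed for user 'appuser'. [CLIENT: 10.20.0.5]")
    return lines


if __name__ == "__main__":
    for a in detect_bruteforce(constructed_log()):
        print(f"ALERT {a['user']}@{a['client']}: {a['failures']} failures "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Keying on user and client together keeps a single user's genuine mistakes below the threshold while a sustained run from one source trips it; moving to Windows authentication, as the slide says, is still the real fix because it brings domain lockout policy with it.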

Page 22: SQL Powered Applications

- Look at application end-to-end
  - From client to app server to db
  - Encrypt all network transports
- Avoid dependence only on client side validation – have SQL check the data as well/instead
- Client authentication – how does it get data to and from SQL
- Injection – always pass data to stored procedures – never queries
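The slide's two rules, never build queries from client data and never trust client-side validation alone, can be shown side by side. The Python below is an added example, not code from the deck; it uses SQLite so it runs offline, and since SQLite has no stored procedures a parameterised statement stands in for the deck's "pass data to stored procedures" (the property that matters is the same: data travels as a bound value, never as SQL text). The user table, PINs and the validation patterns are constructed.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pin TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "1234"), ("bob", "9876")])
    return conn


# VULNERABLE: the "query" the slide warns against, assembled from client data.
def login_concat(conn, name, pin):
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND pin = '{pin}'"
    return conn.execute(sql).fetchone()[0] > 0


# HARDENED: the client's data is bound as parameters; the SQL text is fixed.
def login_param(conn, name, pin):
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pin = ?"
    return conn.execute(sql, (name, pin)).fetchone()[0] > 0


# Server-side validation: the data tier checks the shape of the input itself,
# regardless of what the client may or may not have checked.
NAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")
PIN_RE = re.compile(r"^\d{4,8}$")


def login_validated(conn, name, pin):
    if not NAME_RE.match(name) or not PIN_RE.match(pin):
        return False
    return login_param(conn, name, pin)


def demo():
    """Run an honest login and a classic tautology input through each variant."""
    conn = build_db()
    tautology = "' OR '1'='1"   # constructed test input
    return {
        "concat_honest":      login_concat(conn, "alice", "1234"),
        "concat_tautology":   login_concat(conn, "alice", tautology),
        "param_honest":       login_param(conn, "alice", "1234"),
        "param_tautology":    login_param(conn, "alice", tautology),
        "validated_tautology": login_validated(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22} -> {'LOGGED IN' if ok else 'rejected'}")
```

In the concatenated version the tautology turns the `WHERE` clause into `name = 'alice' AND pin = '' OR '1'='1'`, which is true for every row, so the login succeeds with no PIN at all; the parameterised version compares the PIN column with the literal string and fails, and the validation layer rejects the input before the database ever sees it.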
