Understanding Security and Exchange Server 2007, Harold Wong ([email protected], blogs.technet.com/haroldwong)

Exchange Conference (Philadelphia) - Exchange 2007 Security


Exchange 2007 Security session from Exchange Conference in Philadelphia, PA on February 7, 2008.


Page 1: Understanding Security and Exchange Server 2007

Harold Wong, [email protected], blogs.technet.com/haroldwong

Page 2: Agenda

Messaging security
  Antivirus
  Anti-spam
Security enhancements with ISA Server 2006
Securing messages in transit

Page 3: Security Threats to E-Mail

The most common way for viruses to enter an organization is through e-mail
  “…antivirus experts at SoftScan said that 89.5 per cent of all viruses scanned were classified as phishing malware”
  - Clement James, “Virus Levels Soar in August,” IT News.com.au, September 5, 2006
Spam volume continues to trend upward over time
  “Spammers now generate an estimated 55 billion messages per day... A year ago that number was 30 billion...”
  - Robert McMillan, “Spam’s New Image,” CIO.com, August 15, 2006
Phishing scams have become more sophisticated and successful in a short period of time

Page 4: Choices for Exchange Message Filtering

Exchange Hosted Filtering
  Anti-spam and antivirus protection in the cloud
  SLA-backed e-mail security performance
Exchange Server 2007 Edge Transport server role
  Anti-spam and antivirus protection in the perimeter
  Features customized and controlled on-premise

(Diagram labels: Antivirus Filtering, Anti-spam Filtering)

Page 5: Comprehensive Antivirus, Anti-Spam Protection. Choice: Hosted e-mail security

Choices for Network Edge Protection
  Internet-based services protect against spam and viruses before they penetrate the network
Comprehensive Enterprise-class Hosted Services for E-mail Security and Management
  Service for e-mail security with performance backed by SLAs
Simplify E-mail Administration
  Offloading e-mail security allows IT to focus on other initiatives

(Diagram: Internet SMTP -> hosted filtering -> Firewall -> on-premise software: Hub Transport Server, Client Access Server, Mailbox Server)

Page 6: Features of Exchange Hosted Services

Active Protection
  Protection against the latest threats before they reach your network
  Manage regulatory compliance requirements
  Provide e-mail that’s always available
Enterprise-Class Reliability
  Global network of tier-one data centers that meet security audit standards
  Service availability and performance backed by SLAs
  Dedicated expertise and 24/7 network monitoring
Simplified E-mail Administration
  Dedicate IT resources to other projects
  Activate services quickly with no additional equipment or software
  Integrate with your existing e-mail infrastructure

Page 7: Exchange Hosted Filtering

Anti-spam, antivirus, content and policy enforcement, disaster recovery
Only requires a simple MX record change
Performance and uptime SLA
Active multi-layer spam and virus protection
Multi-engine virus filtering (Symantec, Trend Micro, Kaspersky Lab, Sophos)
Flexible policy filter to enforce any e-mail-use rules
E-mail queuing helps ensure mail is never lost

Page 8: Protection with Hosted Services

Real-time threat prevention features
  Multi-layer anti-spam and antivirus
  Customized content and policy enforcement
Full e-mail encryption
  No public and private key management
  Gateway, policy-based e-mail encryption
Uninterrupted e-mail accessibility
  Rapid recovery from unplanned disasters and network outages
  Thirty-day rolling historical e-mail store
E-mail retention for help with compliance and e-discovery
  Customized report generation for help demonstrating compliance
  Fully indexed, searchable archive

Page 9: Comprehensive Antivirus, Anti-Spam Protection. Choice: On-premise protection

Choices for Network Edge Protection
  On-premise software protects against spam and viruses before they penetrate the network
Local Control of Data
  Antivirus, anti-spam and security policies can be customized to meet the needs of the organization
Built-in Protection
  Protection for your data and your network that can expand as the organization grows

(Diagram: Internet SMTP -> Firewall -> Edge Transport Server -> on-premise software: Hub Transport Server, Client Access Server, Mailbox Server)

Page 10: The Edge Transport Server Role

Consistent Exchange management experience
Perimeter deployment
  Not joined to Active Directory (AD)
  Limited AD information transferred securely from the Hub Transport server
  Utilizes information from AD for recipient filtering
High availability for SMTP
Secure SMTP configuration
  Address rewriting
  Relay control
  Smarthost
  Transport Layer Security (TLS)

Page 11: Features Unique to Edge Transport

Recipient filtering based on AD information
Outlook Safe Lists propagated to Edge
Administrator-managed spam quarantine

Page 12: Highly Available Messaging With Exchange Server 2007

Poison message detection
SMTP back-pressure
ESE-backed queues

Page 13: Exchange 2007 Antivirus Support. Native Scanning Infrastructure

Multiple third-party antivirus vendors support Exchange Server 2007: Symantec, Trend Micro, Kaspersky Lab, GFI Software, McAfee
VSAPI to enable scanning messages in the store
Antivirus Stamp to minimize unnecessary rescanning
  Example of an Antivirus Stamp:
    X-MS-Exchange-Organization-AVStamp-Mailbox: VSKing;5;0;info
    VSKing: AV vendor name (8 characters)
    5: Vendor version (32-bit unsigned integer)
    0 (VIRSCAN_NO_VIRUS): Virus status (32-bit unsigned integer)
    info: Optional virus info (128-byte string)

Page 14: Forefront Security for Exchange Server Antivirus Features

Advanced Protection
  Forefront server security solutions help businesses protect their messaging servers against viruses and worms
  Multiple scan engines at multiple layers throughout the corporate infrastructure provide maximum protection against e-mail and collaboration threats
Availability & Control
  Tight integration with Microsoft Exchange, Windows-based SMTP, SharePoint and Live Communications Servers maximizes availability and management control
Secure Content
  Ensures organizations can eliminate inappropriate language and dangerous attachments from internal and external communications

Page 15: Anti-spam Feature Comparison by Exchange Release

Anti-spam feature                     | 2003 RTM | 2003 SP1 | 2003 SP2  | 2007 RTM
--------------------------------------+----------+----------+-----------+---------
IP Allow and Deny Lists               | Yes      | Yes      | Yes       | Yes
IP DNS Block Lists                    | Yes      | Yes      | Yes       | Yes
Recipient Filtering                   | Yes      | Yes      | Yes       | Yes
Sender Filtering                      | Yes      | Yes      | Yes       | Yes
Content Filtering (SmartScreen)       |          | Yes      | Yes       | Yes
Content Filter Updates (SmartScreen)  |          |          | Bi-weekly | Daily
Sender ID                             |          |          | Yes       | Yes
IP Safe Lists (aka Bonded Sender)     |          |          |           | Yes
Outlook Postmark Validation           |          |          |           | Yes
Protocol Analysis Data Gathering      |          |          |           | Yes
Protocol Analysis Sender Reputation   |          |          |           | Yes
Open Proxy Validation                 |          |          |           | Yes
Dynamic Spam Data Update Service      |          |          |           | Yes
Per User/OU Spam Settings             |          |          |           | Yes
Admin Quarantine                      |          |          |           | Yes
Automatic DNS Block Lists             |          |          |           | Yes

Page 16: How Spam is Filtered

1. Connection filtering
  Real-time block lists
  Global accept/deny and exception lists
2. SMTP filtering layer
  Sender and recipient filtering
  Sender ID
  SMTP command tarpitting
3. Content filtering
  Outlook Safe List aggregation
  Anti-spam/anti-phishing SCL
  Per-user/OU spam preferences
  International domain support
  Outlook postmark validation
  Quarantine and spam reporting

(Diagram: incoming Internet e-mail passes through 1 Connection Filtering, 2 Sender & Recipient Filtering and 3 Content Filtering before reaching the Outlook mailbox, where it lands in the Inbox or the Junk E-mail folder)

Page 17: Robust Anti-Spam Reporting

Performance counters
Exchange Management Shell data feeds
Microsoft Operations Manager graphical displays

Page 18: Forefront Security for Exchange Server Updates: Anti-Spam

Continuous stream of spam and virus filter updates
  Published on the Microsoft Update (MU) infrastructure
  No administrator intervention required to keep Edge filters fresh
  Windows Server Update Services supported
Updates include
  Daily IMF content filter updates
  Multiple intra-day IP reputation updates
  Multiple intra-day spam signatures

Page 19: Security enhancements with Internet Security and Acceleration Server 2006

Page 20: Securing Exchange Server 2007 with ISA Server 2006

(Diagram: an Internet user and an administrator reach an ISA 2006 appliance in the DMZ at headquarters; behind it on the internal network sit an external web server, an intranet web server, Exchange, Active Directory and SharePoint)

Integrated Security
  Improved idle-based time-outs for session management (new)
  Smartcards and one-time password support (new)
  Customized logon forms for most devices and apps (new)
  LDAP authentication for Active Directory (new)
  Authentication delegation (NTLM, Kerberos) (new)
Efficient Management
  Web publishing load balancing (new)
  Exchange and SharePoint publishing tools (new)
  Enhanced certificate administration (new)
Fast, Secure Access
  Single sign-on for multiple resource access (new)
  Automatic translation of embedded internal links (new)

Page 21: Enhancing Exchange Server 2007 Security

Feature                       | Without ISA Server                                   | With ISA Server
------------------------------+------------------------------------------------------+--------------------------------------------------
DMZ ready                     | Exchange Server 2007 CAS must be in the DMZ and must | Only ISA Server in the DMZ; can operate in a
                              | be a domain member; lower security and higher TCO    | workgroup (auth via LDAP / RADIUS)
Pre-authentication            | None; external packets from unknown sources reach    | OWA, Outlook (RPC/HTTP), Mobile / ActiveSync
                              | the servers                                          | (mobile with certificate)
Authentication strength       | Single factor (username + password); 3rd-party       | Two factor (credentials + certificate/OTP);
                              | solutions (SecurID)                                  | SecurID
Access to links               | SharePoint documents (read only); SharePoint         | Full access to all SharePoint capabilities
(from OWA and from Outlook)   | document library (read only); no access to other     | (documents, document libraries, calendar, admin
                              | web applications; UNC                                | etc.); access to other web applications; UNC (same)
Content / traffic inspection  | None (Forefront inspects only SMTP)                  | Yes (HTTP)
Load balancing an array of    | NLB (IP based only) or external LB device for        | IP- and cookie-based LB are part of ISA
OWA servers                   | cookie-based LB                                      |

Page 22: Pre-Authentication Basics

Supports proxy of Outlook Anywhere (RPC/HTTP), Outlook Web Access, and Exchange ActiveSync
Ensures no unauthenticated HTTP traffic reaches the intranet
Pre-authentication is done by a reverse proxy in the perimeter network
Numerous authentication choices

(Diagram: Internet client -> Firewall -> ISA 2006 -> Firewall -> Client Access Server, over HTTPS; the Client Access Server talks to the Mailbox Server and Active Directory on the internal network)

Page 23: Confidential Messaging Features in Exchange 2007

Client features
Client to server
Server to server
Server to perimeter
Perimeter to perimeter

(Diagram: clients, internal network, perimeter network, Internet, and the remote organization’s perimeter network, with each hop labeled as above)

Page 24: Security and Exchange Server 2007

Exchange Server 2007 provides improved security out of the box
Message filtering is enhanced with Forefront Security for Exchange Server and Exchange Hosted Filtering
ISA Server 2006 helps provide secure client access

Page 25: (no content)

Page 26: Appendix

Page 27: Security Environment

Need for filtering
  Viruses
  Spam
  Phishing
Need for security
  Compliance
  Confidentiality

Page 28: Enterprise Topology

(Diagram of the Exchange 2007 server roles in an enterprise network. Internet SMTP enters through the Edge Transport role (routing, hygiene) to the Hub Transport role (routing, policy), which also connects to other SMTP servers. The Client Access role fronts applications (OWA), protocols (ActiveSync, POP, IMAP, RPC/HTTP ...) and programmability (web services, web parts). The Mailbox role holds mailboxes and public folders. The Unified Messaging role provides voice messaging and fax via a PBX or VoIP gateway.)

Page 29: EdgeSync Overview

Edge server features depend on data in Active Directory
Edge servers MUST operate in perimeter networks
EdgeSync
  Publishes outbound to Edge servers
  Subscribes an Edge server to an AD site
  Configures security and routing

Page 30: The New Edge Transport Server Role. Feature-Rich Perimeter E-mail Defense

Industry-leading anti-spam technology
Comprehensive antivirus protection with Microsoft Forefront Security for Exchange Server
Consistent administration
  EdgeSync allows management alongside AD-connected servers
  Local administration through the Exchange Management Console or the Exchange Management Shell

Page 31: EdgeSync Published Data

Recipient SMTP addresses
  Used to reject mail at the edge destined to non-existent addresses
  Includes primaries / contacts / proxies
  Addresses are one-way hashed to protect from exposure
Outlook Safe Senders
  Users’ safe sender lists
  Applied per recipient (one person’s safe sender is not another’s)
  A message from a safe sender to a recipient will bypass anti-spam content filtering
  Does NOT bypass IP block lists

Page 32: Subscribing Edge Servers

A “Subscription” is created on the Edge box
The Subscription is imported on a Hub server in the site with the best network connectivity to the perimeter network
  The Hub will provision certificates to secure the Edge-to-Hub (bridgehead) connection
  Routing is configured
On an hourly schedule, the Hub server publishes recipient data to the Edge server
  Data is hashed to prevent leakage
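The hashing that slides 31 and 32 describe, as an added illustration that is not code from the deck or from Exchange: a Hub-side publisher that emits only hashes of the recipient addresses and of each recipient’s safe senders, and an Edge-side recipient filter that answers RCPT TO from them. It assumes SHA-256 over the lower-cased address in place of the real EdgeSync hash and normalization, which the slides do not specify; the directory snapshot and the SMTP reply text are constructed.

```python
# Added example (not from the deck): the hashed recipient list that EdgeSync
# publishes, and the recipient filter an Edge server runs against it.
# Assumption: SHA-256 over the lower-cased address stands in for the real
# EdgeSync hash and normalization; directory contents and SMTP replies are
# constructed.
import hashlib


def address_hash(address):
    """One-way hash of a normalized SMTP address (assumed SHA-256)."""
    return hashlib.sha256(address.strip().lower().encode("utf-8")).hexdigest()


def publish_recipients(directory):
    """Hub side.  directory maps each valid address (primary, proxy or
    contact) to that recipient's Outlook safe-sender list.  The published
    copy holds only hashes, so a compromised Edge box does not hand an
    attacker the address book or the safe-sender lists in clear."""
    return {address_hash(addr): frozenset(address_hash(s) for s in safe)
            for addr, safe in directory.items()}


class EdgeRecipientFilter:
    """Edge side: answers RCPT TO from the published hashes and checks safe
    senders per recipient, because one person's safe sender is not another's."""

    def __init__(self, published):
        self.published = published

    def rcpt_to(self, address):
        """Return (accepted, smtp_reply).  Rejecting a non-existent recipient
        at RCPT TO keeps the edge from queuing the message and later emitting
        a backscatter NDR."""
        if address_hash(address) in self.published:
            return True, "250 2.1.5 Recipient OK"
        return False, "550 5.1.1 User unknown"

    def is_safe_sender(self, recipient, sender):
        """True if sender is on this recipient's safe list.  A hit bypasses
        content filtering only; IP block lists ran before RCPT TO, so they
        are not bypassed."""
        safe = self.published.get(address_hash(recipient), frozenset())
        return address_hash(sender) in safe


# Constructed directory snapshot, as the Hub would read it from AD.
DIRECTORY = {
    "alice@contoso.example": ["news@partner.example"],
    "alice.smith@contoso.example": ["news@partner.example"],   # proxy address
    "sales@contoso.example": [],
}

if __name__ == "__main__":
    edge = EdgeRecipientFilter(publish_recipients(DIRECTORY))
    print(edge.rcpt_to("Alice@Contoso.Example"))     # accepted (case-folded)
    print(edge.rcpt_to("nobody@contoso.example"))    # 550
    print(edge.is_safe_sender("alice@contoso.example", "news@partner.example"))
```

Two caveats a practitioner should keep in mind. Hashing protects against bulk disclosure of the address book if the perimeter box is taken, but not against guessing: with the published set in hand an attacker can hash a dictionary of likely names offline, and the RCPT TO reply itself confirms valid addresses one at a time, which is why recipient filtering is paired with SMTP tarpitting on slide 16.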

Page 33: Forefront Security for Exchange Server 2007. Incremental background scanning

Periodic scanning of the store with updated signatures provides another layer of security
Incremental background scanning combines security and performance considerations
Various background scanning options
  Scan all messages
  Scan only messages delivered in the past 1, 2, 3, 4, 5, 7 or 30 days
  Scan only messages with attachments
  Scan only messages that have never been scanned before

Page 34: Antivirus stamp

X-header protected by the header firewall
AV vendors stamp the scan result and consult stamps generated upstream to decide whether to skip AV scanning on the current server
Example:
  X-MS-Exchange-Organization-AVStamp-Mailbox: VSKing;5;0;info
  VSKing: AV vendor name (8 characters)
  5: Vendor version (32-bit unsigned integer)
  0 (VIRSCAN_NO_VIRUS): Virus status (32-bit unsigned integer)
  info: Optional virus info (128-byte string)
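Added illustration of the stamp format on this slide and on slide 13, not code from the deck or from any AV vendor: a parser that enforces the field limits the slide lists, and the skip decision a downstream mailbox server would make. The skip rule (trust a stamp only when the message came over an authenticated internal connection, the status is VIRSCAN_NO_VIRUS, and the stamp was written by the same engine at an equal or newer version) is this example’s assumption; the headers are constructed.

```python
# Added example (not from the deck): parse the antivirus stamp and decide
# whether this mailbox server must scan again.  Field layout is the one on
# the slide; the skip rule and the "trust only organization-internal stamps"
# rule are assumptions of this example.
AV_STAMP_HEADER = "X-MS-Exchange-Organization-AVStamp-Mailbox"
VIRSCAN_NO_VIRUS = 0          # status value named on the slide
UINT32_MAX = 0xFFFFFFFF


def parse_av_stamp(value):
    """Split 'vendor;version;status;info' into a dict, or return None when
    the stamp violates the slide's field limits (treat None as unscanned)."""
    parts = value.strip().split(";", 3)
    if len(parts) < 3:
        return None
    vendor, version, status = parts[0], parts[1], parts[2]
    info = parts[3] if len(parts) == 4 else ""
    if not vendor or len(vendor) > 8:
        return None
    if not (version.isdigit() and status.isdigit()):
        return None
    version_n, status_n = int(version), int(status)
    if version_n > UINT32_MAX or status_n > UINT32_MAX:
        return None
    if len(info.encode("utf-8")) > 128:
        return None
    return {"vendor": vendor, "version": version_n,
            "status": status_n, "info": info}


def needs_rescan(headers, my_vendor, my_version, from_organization):
    """headers: list of (name, value) pairs.  from_organization is True only
    for messages that arrived over an authenticated internal connection; the
    header firewall strips X-MS-Exchange-Organization-* headers from anything
    else, so a stamp on an external message is forged and is ignored here."""
    if not from_organization:
        return True
    for name, value in headers:
        if name.lower() != AV_STAMP_HEADER.lower():
            continue
        stamp = parse_av_stamp(value)
        if stamp is None:
            return True                       # malformed: scan
        if stamp["status"] != VIRSCAN_NO_VIRUS:
            return True                       # upstream flagged it: scan
        if stamp["vendor"] == my_vendor and stamp["version"] >= my_version:
            return False                      # already covered by our engine
    return True                               # no usable stamp: scan


# Constructed sample headers, as a downstream mailbox server would see them.
SAMPLE_HEADERS = [
    ("Received", "from hub01.contoso.example ([10.0.0.10]) by mbx01"),
    (AV_STAMP_HEADER, "VSKing;5;0;info"),
]

if __name__ == "__main__":
    print(parse_av_stamp("VSKing;5;0;info"))
    print(needs_rescan(SAMPLE_HEADERS, "VSKing", 5, True))   # False
    print(needs_rescan(SAMPLE_HEADERS, "VSKing", 5, False))  # True
```

The from_organization flag is the part that matters for security: the stamp is only meaningful because the header firewall removes it on anonymous connections, so a scanner that honoured a stamp on a message from the Internet would let a sender opt out of scanning by adding one header.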

Page 35: Managing Exchange Anti-spam

Configuration
  Setting actions for SCL levels
  Setting remote Edge server lists
  Per-recipient/OU anti-spam configuration
  Ability to configure exceptions/bypassed recipients
Diagnostics and monitoring
  Spam stamp
  Intuitive UI as part of ESM for most common tasks
  Events, alerts, reporting via MOM
  ExBPA tool will help IT pros keep up with best practices

Page 36: Configuring SCL thresholds

Set actions based on the SCL level assigned to a message
Thresholds can be set on a per-recipient basis

Page 37: Spam Quarantine

Messages over a set SCL are delivered to a spam quarantine store (an Exchange 2007 mailbox)
Send again and search
  Delivered as NDRs, allowing “send again” functionality
  Quarantine viewed/searched with Outlook / OWA
  Message is placed back in the mail stream in its original format
Quarantine is admin managed, no end-user view; the OWA/Outlook Junk E-mail folder is for end users
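The SCL decision path from slides 16, 36 and 37, as an added illustration that is not code from the deck or from Exchange. In a deployment the organization thresholds are set with Set-ContentFilterConfig and the per-recipient thresholds with Set-Mailbox; the threshold values, recipients and sender addresses here are constructed. The example uses >= for the transport actions and > for the store junk threshold, which is how the two kinds of threshold are documented for Exchange 2007; confirm against the build you run.

```python
# Added example (not from the deck): the SCL decision path sketched on
# slides 16, 36 and 37.  Threshold values, recipients and senders are
# constructed; the >= (transport) and > (store) comparisons follow the
# Exchange 2007 documentation of the two threshold kinds.
from dataclasses import dataclass, field
from typing import Optional

DELETE, REJECT, QUARANTINE, JUNK, INBOX = "delete", "reject", "quarantine", "junk", "inbox"
TRUSTED_SCL = -1    # SCL assigned when the content filter is bypassed


@dataclass
class OrgThresholds:
    """Organization-wide SCL thresholds; None disables that action."""
    delete: Optional[int] = 9
    reject: Optional[int] = 7
    quarantine: Optional[int] = 5


@dataclass
class Recipient:
    address: str
    junk_threshold: int = 4                 # store side: SCL above this -> Junk E-mail
    delete: Optional[int] = None            # per-recipient overrides; None = inherit
    reject: Optional[int] = None
    quarantine: Optional[int] = None
    safe_senders: frozenset = field(default_factory=frozenset)
    bypass_content_filter: bool = False     # "bypassed recipients" on slide 35


def transport_action(scl, org, rcpt):
    """Transport side.  Actions are checked most severe first so a message
    never lands in quarantine when it should have been rejected or deleted."""
    for action, override, default in ((DELETE, rcpt.delete, org.delete),
                                      (REJECT, rcpt.reject, org.reject),
                                      (QUARANTINE, rcpt.quarantine, org.quarantine)):
        threshold = default if override is None else override
        if threshold is not None and scl >= threshold:
            return action
    return None


def store_action(scl, rcpt):
    """Mailbox side: Junk E-mail when the SCL is strictly above the
    recipient's junk threshold, otherwise the Inbox."""
    return JUNK if scl > rcpt.junk_threshold else INBOX


def dispatch(sender, scl, org, recipients):
    """Per-recipient outcome for one message.  Safe senders and bypassed
    recipients skip the content filter (SCL -1), which is why slide 31
    stresses that they do not skip IP block lists: those ran earlier."""
    outcome = {}
    for rcpt in recipients:
        effective = scl
        if rcpt.bypass_content_filter or sender.lower() in rcpt.safe_senders:
            effective = TRUSTED_SCL
        outcome[rcpt.address] = (transport_action(effective, org, rcpt)
                                 or store_action(effective, rcpt))
    return outcome


# Constructed configuration for the demonstration.
ORG = OrgThresholds(delete=9, reject=7, quarantine=5)
ALICE = Recipient("alice@contoso.example")
BOB = Recipient("bob@contoso.example", reject=8, junk_threshold=2,
                safe_senders=frozenset({"news@partner.example"}))

if __name__ == "__main__":
    for scl in (3, 5, 7, 9):
        print(scl, dispatch("someone@example.net", scl, ORG, [ALICE, BOB]))
    print("safe sender:", dispatch("news@partner.example", 9, ORG, [BOB]))
```

Run with the constructed values, an SCL 7 message is rejected for Alice but only quarantined for Bob, whose per-recipient reject threshold is 8; the same message from Bob’s safe sender reaches his Inbox untouched. Keeping the quarantine threshold below the reject threshold, as here, is what gives the administrator-managed quarantine on this slide something to hold.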

Page 38: Monitoring Anti-spam Activity

Performance counters
  Messages per SCL level
  Total messages sent to quarantine, deleted, rejected
  Aggregated in the Exchange 2007 Server MOM management pack
Reports
  Hit rate for block lists
  Top spam sender domain, top spam sending IP
  Top targeted domain/recipient

Page 39: Connection Filtering

IP allow lists, IP deny lists
  Block or allow connections before accepting message content
  Supports public deny and allow list providers
  Overrides all other spam features
Received chain analysis
  Can be configured to operate behind mail relays
  Requires that message headers be accepted (the originating IP is read from the Received chain, so the check happens after DATA rather than at connect time)
Microsoft IP Reputation Service
  Sender reputation built from Hotmail data
  Distributed via Microsoft Update packages
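Added illustration of the filtering order on this slide and of Received chain analysis, not code from the deck or from the Connection Filtering agent. The internal relay list plays the role of the internal SMTP server list an Edge server behind a relay is configured with; the message, the allow and deny lists and the block list answers are constructed, and only the DNSBL query name is built, no DNS query is made.

```python
# Added example (not from the deck): connection filtering with the Received
# chain analysis the slide mentions.  Message, IP lists and block-list
# answers are constructed; no DNS query is made.
import ipaddress
import re
from email import message_from_string

# Matches the bracketed IPv4 literal in a "from host ([a.b.c.d])" clause.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def originating_ip(raw_message, internal_servers, peer_ip):
    """Return the IP to judge.  If the peer is not one of our relays it is the
    originator and the decision could have been made at connect time.  If it
    is a relay, walk the Received headers top-down (newest first), skipping
    hops written by our relays, and stop at the first external IP: anything
    below that point was written by the sender and cannot be trusted."""
    if not _in_any(peer_ip, internal_servers):
        return peer_ip
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        m = RECEIVED_IP.search(header)
        if m and not _in_any(m.group(1), internal_servers):
            return m.group(1)
    return None                                 # nothing external found


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone, e.g. 44.2.0.192.dnsbl.example."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def connection_filter(ip, allow_list, deny_list, dnsbl_zone, listed):
    """Order matches the slide: an IP allow entry overrides every other
    anti-spam feature; a deny entry rejects; otherwise consult the block
    list provider (listed: constructed set of names the provider would
    answer for)."""
    if _in_any(ip, allow_list):
        return "allow", "bypass all other anti-spam agents"
    if _in_any(ip, deny_list):
        return "reject", "550 5.7.1 IP on local deny list"
    if dnsbl_query_name(ip, dnsbl_zone) in listed:
        return "reject", "550 5.7.1 IP listed by " + dnsbl_zone
    return "accept", "continue to sender/recipient and content filtering"


# Constructed message as the Edge server receives it from an internal relay.
SAMPLE = (
    "Received: from relay.contoso.example ([10.0.0.5]) by edge.contoso.example\n"
    "Received: from mail.spammer.example ([192.0.2.44]) by relay.contoso.example\n"
    "Received: from [203.0.113.9] by mail.spammer.example\n"
    "From: offers@spammer.example\nTo: alice@contoso.example\n\nbody\n"
)
INTERNAL = ["10.0.0.0/8"]
LISTED = {dnsbl_query_name("192.0.2.44", "dnsbl.example")}

if __name__ == "__main__":
    ip = originating_ip(SAMPLE, INTERNAL, "10.0.0.5")
    print(ip, connection_filter(ip, [], [], "dnsbl.example", LISTED))
```

The walk starts from the TCP peer rather than from the headers: Received lines are consulted only when the peer is one of our own relays, and only down to the first external hop, because everything below that line was written by the sender. Trusting headers from a direct connection would let a sender forge a Received line carrying an allow-listed IP.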

Page 40: Internet Sender Authentication

Sender ID and DKIM (which superseded DomainKeys) detect spoofing
Detecting spoofing helps detect spam and phishing
Sender ID and DKIM provide Internet-scale authentication for business-to-consumer messaging

Page 41: Sender ID

Identifies forged mail from Sender ID compliant domains
Identifies the likely sender with the Purported Responsible Address (PRA) algorithm
Queries the Domain Name System (DNS) for the Sender ID record, which returns the list of acceptable outbound mail server IP addresses
Checks the incoming IP against the acceptable list; mail from other IPs is considered a fail
Admins may configure to
  Reject the message
  Tag and pass: contributes to the content filtering score
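Added illustration of the check this slide describes, not code from the deck or from the Sender ID agent: PRA selection in the header order RFC 4407 specifies (simplified so that the first header present must hold exactly one address), a lookup against a constructed table standing in for the spf2.0/pra or v=spf1 DNS record, and the three SpoofedDomainAction values the Exchange 2007 Sender ID agent offers (StampStatus, Reject, Delete). The messages, IPs and the stamp header name are constructed.

```python
# Added example (not from the deck): Sender ID as the slide describes it.
# PRA selection is a simplified RFC 4407; FAKE_DNS stands in for the
# spf2.0/pra (or v=spf1) record; messages, IPs and stamp text are constructed.
import ipaddress
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for DNS: domain -> authorized outbound networks.
FAKE_DNS = {
    "contoso.example": ["203.0.113.0/24"],
    "bank.example": ["198.51.100.10/32"],
}

PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")


def purported_responsible_address(msg):
    """Return the PRA, or None when no usable header exists."""
    for name in PRA_HEADERS:
        values = msg.get_all(name)
        if not values:
            continue
        addrs = [addr for _, addr in getaddresses(values) if "@" in addr]
        return addrs[0] if len(addrs) == 1 else None
    return None


def sender_id_check(msg, connecting_ip, dns=FAKE_DNS):
    """Return (result, pra) with result in {'Pass', 'Fail', 'None'}."""
    pra = purported_responsible_address(msg)
    if pra is None:
        return "None", None
    domain = pra.rsplit("@", 1)[1].lower()
    nets = dns.get(domain)
    if nets is None:
        return "None", pra          # domain publishes no Sender ID record
    ip = ipaddress.ip_address(connecting_ip)
    allowed = any(ip in ipaddress.ip_network(n) for n in nets)
    return ("Pass" if allowed else "Fail"), pra


def sender_id_check_raw(raw, connecting_ip, dns=FAKE_DNS):
    """Convenience wrapper for a message given as text."""
    return sender_id_check(message_from_string(raw), connecting_ip, dns)


def apply_policy(result, spoofed_domain_action="StampStatus"):
    """Map a Fail to the configured action; anything else is stamped and
    passed so the content filter can weigh it (stamp header name is
    illustrative)."""
    if result == "Fail" and spoofed_domain_action == "Reject":
        return "reject", "550 5.7.1 Sender ID (PRA) Not Permitted"   # example text
    if result == "Fail" and spoofed_domain_action == "Delete":
        return "delete", None
    return "accept", "X-Example-SenderId: " + result


# Constructed messages.  The second shows the PRA weakness: the From line a
# user sees names the bank, but Sender: moves the PRA to another domain whose
# record the connecting host satisfies.
LEGIT = "From: Alice <alice@contoso.example>\nTo: bob@example.net\nSubject: hi\n\nbody\n"
FORGED = "From: Bank <alerts@bank.example>\nSender: list@contoso.example\nTo: bob@example.net\n\nbody\n"

if __name__ == "__main__":
    print(sender_id_check_raw(LEGIT, "203.0.113.7"))    # Pass
    print(sender_id_check_raw(LEGIT, "192.0.2.5"))      # Fail
    print(sender_id_check_raw(FORGED, "203.0.113.7"))   # Pass, PRA = list@contoso.example
    print(apply_policy("Fail", "Reject"))
```

The second message is the one worth running: Sender ID vouches for the PRA domain, not for the From domain the user actually sees, so a pass only tells you which domain to hold responsible. That is why slide 43 pairs it with authenticated-domain reputation rather than treating a pass as proof of legitimacy.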

Page 42: Protocol Filtering

Recipient filtering
  EdgeSync maintains the recipient list on the Edge server
  Multi-forest deployments require that addresses be synched to the forest to which Edge servers are “subscribed”
Protocol analysis
  Learns locally from the connections and messages that are seen on the specific server
  Builds server-local reputation, blocking targeted spam attacks
  Based on average spam rating, open proxy checks, protocol anomalies

Page 43: Intelligent Message Filter v3.0

Machine learning
  Generates a Spam Confidence Level (SCL) value based on message characteristics
Authenticated domain reputation
  Very good and very bad domains
  Catches spammers that use Sender ID
Spam signatures block specific spam campaigns
  Effective against minispam
Outlook e-mail postmark validation
  Aka pre-solved puzzle validation
  Increases deliverability of Outlook e-mail

Page 44: Intelligent Message Filter v3.0 (continued)

Anti-phishing
  Most critical phishing attacks/complaints aggregated from Hotmail and a number of 3rd-party reputation services, leveraged on Edge (via MU)
  Phishing Confidence Level stamped on Edge is used by OWA/Outlook 2007 to drive the Junk folder user experience
    Links are disabled
    Content is “flattened”
Custom weight lists
  Good and “naughty” words affect the score set by the filter
  Used rarely, for tuning

Page 45: ISA 2006 Pre-Authentication

Client authenticating to ISA
  Forms-based authentication: username and password
  Two-factor authentication: certificates or SecurID one-time passwords
  HTTP standards: Basic, NTLM, Negotiate
Authentication providers
  AD (Windows) when ISA is a domain member
  AD (LDAP) when ISA is not a domain member
  RADIUS (limited support for groups)
  RADIUS for one-time passwords
  RSA SecurID (with Authentication Manager)

(Diagram: (1) mobile and web clients authenticate to the ISA 2006 array with FBA, SecurID, client certificate, Basic, NTLM or Negotiate; (2) ISA validates against the user directory: AD (Windows), AD (LDAP), RADIUS server or SecurID server; (3) ISA authenticates to the web server with Basic, NTLM, Negotiate, SecurID or KCD)

Page 46: ISA 2006 Pre-Authentication (contd.)

ISA authenticating to the web server (e.g. OWA, EAS)
  Basic/NTLM/Negotiate
  SecurID
  Kerberos constrained delegation
Single sign-on
  No need for additional sign-on to the web server
  Published web sites must share a DNS suffix and be published through the same ISA array
  Client must support cookies

(Diagram: the same three-step flow as the previous slide: client to ISA array, ISA to user directory, ISA to web server)