Securing Exchange 2000


Transcripts
Slide 1

Securing Exchange 2000
Trustworthy Exchanges and the Art of doing it without anyone else's help
Chris Weber
chris.weber@foundstone.com
http://www.foundstone.com
http://www.privacydefended.com

Slide 2

Synopsis
Focused on single backend Exchange Server with front-end OWA server
- Hacking Exchange
  - Scanning
  - Enumerating
  - Attacking
- The Exchange Application
  - Secure Administration
  - System Policies
  - Malware
  - OWA
  - Known Vulnerabilities
- Other Fundamental Considerations
  - IIS 5.0
  - Windows OS
  - Network
Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

Slide 3

What is not secured
A great deal!
- Connectors and Replication
- Internet POP3/SMTP clients like Outlook Express
- Backups
- Monitoring and status notices
- PKI

Slide 4

Security Policy
- Organizational security policies ought to be in place to guide day-to-day activities.
- Never begin planning without having a “management supported” policy in place.

Slide 5

Secure Network Diagram

Slide 6

Hacking Exchange 2000
- Why Hack Exchange?
  - Learn host design data
  - Learn of hidden Public Folders
  - Glean user account names and email addresses
- Information Gathering
  - Network port scan
  - Server enumeration: NetBIOS, LDAP, RPC
  - User and arrangement enumeration: LDAP with Null session, NetBIOS with Null session
  - Pilfering shares: Tracking logs
- Launching an attack
  - Aiming for administrator access

Slide 7

Hacking Exchange 2000
LDAP uncovered: Users and Public Folders hidden from the Exchange Address Lists

Slide 8

Port Scan

    D:\tools>fscan -p 1-65535 -z 128 trade
    FScan v1.12 - Command line port scanner.
    Copyright 2000 (c) by Foundstone, Inc.
    http://www.foundstone.com

    Scan began at Fri Feb 22 00:50:30 2002

    172.16.2.10 25/tcp - SMTP
    172.16.2.10 80/tcp - HTTP
    172.16.2.10 119/tcp - NNTP
    172.16.2.10 135/tcp - RPC/DCE endpoint mapper
    172.16.2.10 139/tcp - NetBIOS session service
    172.16.2.10 143/tcp - IMAP
    172.16.2.10 443/tcp - HTTPS
    172.16.2.10 445/tcp - Microsoft SMB/CIFS
    172.16.2.10 563/tcp - NNTP/SSL
    172.16.2.10 593/tcp - HTTP RPC endpoint mapper
    172.16.2.10 691/tcp - SMTP/LSA
    172.16.2.10 993/tcp
    172.16.2.10 995/tcp - POP/SSL
    172.16.2.10 1048/tcp
    172.16.2.10 1049/tcp
    172.16.2.10 1053/tcp
    172.16.2.10 1055/tcp
    172.16.2.10 1089/tcp
    172.16.2.10 1104/tcp
    172.16.2.10 1107/tcp
    172.16.2.10 1198/tcp
    172.16.2.10 1200/tcp
    172.16.2.10 1247/tcp
    172.16.2.10 1249/tcp
    172.16.2.10 3372/tcp
    172.16.2.10 3389/tcp - MS Terminal Server
    172.16.2.10 4277/tcp

    Scan completed at Fri Feb 22 00:55:48 2002
    Time taken: 65535 ports in 318.138 secs (206.00 ports/sec)

XGEN: TCP/UDP Ports Used By Exchange 2000 Server (Q278339)

Slide 9

Port and Process Mappings
Useful tools:
- FPORT.EXE (from www.foundstone.com)
- TLIST.EXE /S (from Windows 2000 installation CD \Support directory)

Slide 10

fport.exe

    FPort v1.31 - TCP/IP Process to Port Mapper
    Copyright 2000 by Foundstone, Inc.
    http://www.foundstone.com
    Securing the dot com world

    Pid   Process      Port  Proto Path
    1028  inetinfo  -> 25    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
    1028  inetinfo  -> 80    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
    1028  inetinfo  -> 110   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
    1028  inetinfo  -> 119   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
    512   svchost   -> 135   TCP   C:\WINNT\system32\svchost.exe
    8     System    -> 139   TCP
    1028  inetinfo  -> 143   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
    1028  inetinfo  -> 443   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
    8     System    -> 445   TCP
    1028  inetinfo  -> 563   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
    512   svchost   -> 593   TCP   C:\WINNT\system32\svchost.exe
    1028  inetinfo  -> 691   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
    1028  inetinfo  -> 993   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
    1028  inetinfo  -> 995   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
    264   lsass     -> 1032  TCP   C:\WINNT\system32\lsass.exe
    264   lsass     -> 1033  TCP   C:\WINNT\system32\lsass.exe
    600   msdtc     -> 1048  TCP   C:\WINNT\System32\msdtc.exe
    860   MSTask    -> 1049  TCP   C:\WINNT\system32\MSTask.exe
    1044  mad       -> 1053  TCP   C:\Program Files\Exchsrvr\bin\mad.exe
    1044  mad       -> 1055  TCP   C:\Program Files\Exchsrvr\bin\mad.exe

Slide 11

tlist.exe /s

       0 System Process
       8 System
     172 SMSS.EXE
     200 CSRSS.EXE
     224 WINLOGON.EXE
     252 SERVICES.EXE    Svcs:  Alerter,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi
     264 LSASS.EXE       Svcs:  Netlogon,NtLmSsp,PolicyAgent,SamSs
     368 termsrv.exe     Svcs:  TermService
     512 svchost.exe     Svcs:  RpcSs
     540 SPOOLSV.EXE     Svcs:  Spooler
     600 msdtc.exe       Svcs:  MSDTC
     748 svchost.exe     Svcs:  EventSystem,Netman,NtmsSvc,SENS
     764 LLSSRV.EXE      Svcs:  LicenseService
     808 regsvc.exe      Svcs:  RemoteRegistry
     840 LOCATOR.EXE     Svcs:  RpcLocator
     860 mstask.exe      Svcs:  Schedule
     944 WinMgmt.exe     Svcs:  WinMgmt
    1000 dfssvc.exe      Svcs:  Dfs
    1028 inetinfo.exe    Svcs:  IISADMIN,IMAP4Svc,NntpSvc,POP3Svc,RESvc,SMTPSVC,W3SVC
    1044 MAD.EXE         Svcs:  MSExchangeSA
    1076 mssearch.exe    Svcs:  MSSEARCH
    1524 STORE.EXE       Svcs:  MSExchangeIS
    1556 EMSMTA.EXE      Svcs:  MSExchangeMTA
    2360 CSRSS.EXE       Title:
    2384 WINLOGON.EXE    Title: NetDDE Agent
    2464 rdpclip.exe     Title: CB Monitor Window
    2508 explorer.exe    Title: Program Manager
    2560 mshta.exe       Title: Windows 2000 Configure Your Server
    2580 svchost.exe     Svcs:  TapiSrv
    2652 mdm.exe         Title: OleMainThreadWndName
    2736 CMD.EXE         Title: C:\WINNT\System32\cmd.exe - tlist/s
     976 notepad.exe     Title: fport - Notepad
     768 TLIST.EXE

Slide 12

Exchange 2000
Some Security related changes from 5.5 to 2000
- SMTP relay disabled
- Rights to the Mailbox
  - Admin is DENIED access to mailboxes (by default), but easily changed
  - “Exchange Domain Servers” group full access
  - %COMPUTERNAME%$ full access
- No more Service Account
  - Your LSA Secrets are safe…

Slide 13

Exchange 2000 Secure Administration – Lock it down
- Security Checklist: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/instruments/w2ksvrcl.asp
- Disable unnecessary services and ports
- Enable Auditing
- Rename local Admin account and enable a strong password
- ACL and monitor critical Registry keys
- Watch event logs for failed login attempts

Slide 14

Exchange 2000 Secure Administration - Roles
- Administrative Roles
  - Exchange Administrator
  - Exchange Full Administrator
  - Exchange View Only Administrator
- XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000 (Q262054)
  http://support.microsoft.com/default.aspx?scid=kb;en-us;Q262054
- Delegation Wizard
  - Use to add/modify Admin roles

Slide 15

Exchange 2000
The All-Powerful Exchange Domain Servers Group
XADM: Enhancing the Security of Exchange 2000 for the Exchange Domain Servers Group (Q313807)

Slide 16

Exchange 2000 Secure Administration – Security Permissions Page
- Registry Hack
  - To show the security tab in System Manager
  - HKCU\Software\Microsoft\Exchange\ExAdmin
  - Value: ShowSecurityPage
  - Data: 1 (REG_DWORD)
- XADM: Security Tab Not Available on All Objects in System Manager (Q259221)

Slide 17

Exchange 2000 Securing File Shares
- Security of Shares
  - Tracking Logs: %COMPUTERNAME%.log
    - Contain user data, for example, email addresses and usernames.
    - Everyone or Authenticated Users can read by default

Slide 18

Exchange 2000 Secure Administration - TURN OFF WHAT YOU DON’T NEED
- Disable unnecessary services and protocols
  - For both Exchange and Windows
  - Do you need POP3? IMAP? HTTP?
  - Do you need the Alerter service? Messenger? DHCP client?

Slide 19

Exchange 2000 System Policies
- System Policies
  - Server policy
  - Mailbox policy
  - Public Folder policy

Slide 20

Exchange 2000 Malware - Virus, trojan and worm protection
- Use SMTP content filter for Internet email
  - Use a separate host or a firewall for SMTP relay
  - Catch incoming/outgoing malware elsewhere, and relieve your Exchange server of the load
- Virus protection in the Information Store
  - Well, some infections start inside of so r
