December 6, 2024

Exchange Security at Microsoft

Presented by Konstantin Ryvkin of Microsoft’s internal Messaging Group.

Two key aspects that were identified.

1. Need to identify exactly what you are trying to protect2. Need to identify what you are trying to protect it from

4 areas of security

1. Exchange environment security2. Windows Server and Exchange Server security3. Exchange communications security4. Messaging Client Access Security

E-mail is more than just AV/AS

Statistic:Month of December 04, of approx. 50,000,000 + message submission attempts to microsoft.com domain, only about 1,500,000 were legitimate!

Multi-layered defense is the key.Combination of Connection Filtering, Sender and Recipient Filtering, and Intelligent Message Filtering implemented.

Exchange SMTP Gateways – Connection Filtering, Sender/Recipient Filtering, Anti-spam filteringExchange Hubs – Attachment Filtering AntivirusExchange Mailbox servers – no filtering taking placeClients – Attachment blocking antivirus, Anti-spam

Two SMTP Virtual Servers approach for handling e-mail. Different SMTP servers handle inbound and outbound e-mail traffic. Makes gathering statistics/metrics much easier.

Connection Filtering:
RBL blocking – low overhead on the server itself.

Recipient Filtering:
NDR generation and delivery is expensive. Enabling “filter recipients not in the directory” rejects invalid recipients before the message payload is transmitted.

However, this can result in directory harvesting attack, so….
you implement tarpitting. Tarpitting delays responses to subsequent invalid recipients, so it slows down the potential attacker significantly. KB 842851 addresses how to implement this.

Implement Restrictions on who can send to sensitive or large distribution groups. Enable accepting messages only from “authenticated users” – this prevents anonymous sending to DL from internet. Also implement only accepting mail from certain groups/users.

To protect against spoofing:
Enable “resolve anonymous e-mail” under authentications settings (on SMTP Virtual Server)
Implement SPF/SenderID records.

To harden the Windows platform, implement Group Policies based on the role of the server.
i.e. set up different policies for Front-end serves, Gateway Servers, Mailbox Servers, Clustered Servers.
Server computer accounts are placed in appropriate OU’s and GPO’s applied to OU’s. New servers have appropriate GPO applied based on role.

Securing Exchange data in transit:
HTTPS for access from the Internet to OWA (require SSL)
IPSec between all internal servers
RPC envcryption between server and clients
TLS encryption between Exchange and external SMTP Gateways.

Summary:
Remain current with software and update versions at all levels
Security at multiple levels – defense in depth
Establish layered e-mail hygiene defenses
Secure Exchange servers by role
Be cognizant of security for upgrade scenarios
Bring Exchange Front Server out of perimeter network. Use reverse proxy solutions for secure Exchange publishing (ISA).
Use only secure authentication methods. Enforce e-mail data encryption where needed.

This was a great session as an overview of what methods are available to help secure mail servers. More importantly, it portrayed how Microsoft uses the built-in features to achieve messaging security. I’d contend that Microsoft has a much more complex messaging infrastucture than many companies and that implementing many if not all of these would not take that much work for many companies.

[Via A Collection of Random Thoughts]

Jason Benway

Christ follower, husband, father, IT geek, and Xbox gamer

View all posts by Jason Benway →