Detecting and Responding to Security Threats


Exchange Server 2003 forms part of the core infrastructure for any organization that deploys it. Threats to Exchange Server 2003 security must be taken extremely seriously if only because few administrators would want to explain to the CEO that the server that has just been compromised would have been safe if a patch issued earlier in the year had been correctly applied.

Email is the most likely way for viruses to infect an organization. Although worms were prevalent in the past, the advent of firewalls means that the most likely way for malicious code to enter the organization is via an email message. Viruses that send out copies of themselves via user address books can quickly bog down an unprotected server, consuming processor cycles and filling up the mail queues. This section deals with patching vulnerabilities, Exchange's new antivirus features, and closing of mail relays.

Searching for Vulnerabilities

The Microsoft Baseline Security Analyzer (MBSA) is a free tool that can be downloaded from the Microsoft Web site at www.microsoft.com/mbsa. The MBSA tool can be used to scan the local and remote computers to determine what security vulnerabilities exist and which hotfixes and service packs need to be applied. The MBSA tool replaces the HFNetChk tool, a command-line utility for Windows NT 4.0 and Windows 2000 Server that performed a similar function. The MBSA tool not only scans the operating system looking for vulnerabilities, but also scans certain applications, such as Exchange and SQL Server. Scans can cover an entire subnet or can be limited to specific computers on the network.

Before a scan begins, the MBSA tool connects to the Windows Update servers to retrieve the latest list of hotfixes and service packs. Using this list as a guide, the MBSA tool scans each computer to determine which hotfixes and service packs have been installed. After the scan is complete, the administrator will be informed of any hotfixes or service packs that are available for the products checked. The MBSA tool does not automatically install such hotfixes. This must be done at a later time by the administrator. We discuss hotfixes and service packs in the next section.

The next version of the MBSA tool, most likely released by the time you read this book, will include full Exchange Server 2003 support. Version 1.1.1 of the tool, current at the time of this writing, only supports Exchange Server 5.5 and Exchange 2000 Server. To use the MBSA tool, the account that you use must be a member of the local Administrators group both on the computer on which you run the MBSA tool and on the computer you are scanning. This ensures that nefarious third parties cannot remotely scan a network of which they are not an administrator, searching for vulnerabilities that could be used to gain illicit access.

Product Updates

In a perfect world, products would be released that contained absolutely no security vulnerabilities. However, the world is not perfect, and few products are released without requiring patching at a later stage. In the preceding section, we discussed the MBSA tool, which can be used to audit all computers on the network to determine which ones require hotfixes to be installed.

Currently, Software Update Services (SUS), a free add-on that can be used to manage updates for Windows 2000 Server, Windows XP, and Windows Server 2003, does not support Exchange or SQL Server. SUS can be used to keep the Windows Server 2003 or Windows 2000 Server host platform up to date with service packs and hotfixes, ensuring that only Exchange Server 2003 needs to be kept up to date.

Microsoft updates come in two forms: hotfixes and service packs. Hotfixes are released as issues arise. For example, if an exploit has been found that allows a user to take control of a server, it is likely that the exploit will be patched very quickly with a hotfix. On a less regular basis, service packs are released. Service packs are large collections of hotfixes. Rather than having to install every hotfix ever released, an administrator can install the latest service pack and then only those hotfixes that have been released since then.

Hotfixes cannot be installed via software installation services in Active Directory. Hotfix deployment can be managed by using startup scripts. The same thing applies to service packs. In general, you should prepare a shared folder hosting the relevant hotfixes or service packs and then write a logon script to verify that these hotfixes and service packs have been deployed correctly. You should only need to do this for Exchange-specific updates. Updates to the operating system are best managed automatically via the SUS product.

SUS is a free add-on to Windows 2003 that can be used to automatically deploy updates to Windows XP Professional and Windows Server 2003 computers on the network. Windows 2000 clients are supported if special client software is installed. Another alternative is to use Systems Management Server (SMS). SMS provides far more options with regard to managing and deploying updates to computers on a network. SMS includes support for earlier versions of Windows than SUS does (such as Windows NT 4.0) and provides many other network management options. SMS is a full product and is not freely available as SUS is.

Protecting Against Viruses

You can protect against viruses at three layers. For the best protection, a solution should be implemented at each layer. The layers are as follows:

  • Firewall layer: Antivirus products exist that can strip suspect attachments when they first enter the network via the firewall, before they reach the mail server. As there is only one firewall, only one set of virus definitions needs to be kept up to date.

  • Mail server layer: Before they reach clients, messages reside on the mail server for an indefinite amount of time. Antivirus software installed on the mail server can also remove malicious code before it reaches the client. Virus definitions need to be kept up to date on each mail server. As there are usually only a few mail servers in any organization, this is a task that an administrator needs to include in his regular maintenance schedule.

  • Desktop layer: Antivirus software installed on desktop computers provides the last line of defense against viruses. This software should strip or block attachments before they can be opened by users. The desktop layer is the most difficult to keep up to date because there are many more desktops to keep up to date than there are mail servers or firewalls.

To assist at the mail server layer, Microsoft has updated the Virus Scanning API (VSAPI) to version 2.5, the programming interface that antivirus vendors use to scan messages inside the Exchange store.

At the mail server layer, three types of virus scanners are available. Each type of scanner has its benefits and its drawbacks.

  • File-level scanners scan files in memory or on the hard disk according to a schedule. File-level scanners also scan files when they are used. File-level scanners have been known to lock Exchange log and database files, causing problems. To avoid problems with file-level scanners, configure them to exclude the Exchsrvr\Mdbdata, Exchsrvr\Mtadata, Exchsrvr\server_name.log, and Exchsrvr\Mailroot virtual server folders.

  • MAPI scanners log on to each mailbox and scan it for viruses. They have the advantage of being able to find email-borne viruses and do not interfere with Exchange log and database files. The disadvantage is that MAPI scanners do not analyze outgoing traffic and do not prevent a user from opening a message that contains an unrecognized virus.

  • ESE scanners examine the Information Store and the Extensible Storage Engine. Microsoft does not support this software and warns that it might risk database damage.

Ensuring Exchange Does Not Relay Messages

The vast majority of unsolicited commercial email is sent via mail servers that have been unintentionally configured as open relays. An open relay is a mail server that allows email to be sent or forwarded from it, regardless of the domain and IP address of the person sending the message. Open relays are often blacklisted. This means that many other servers on the Internet will refuse to accept even email that is legitimate if it is sent from a known open relay.

On Exchange Server 2003, all users and computers are blocked from relaying messages except those that are able to properly authenticate. To edit the relaying restrictions, you need to navigate to the SMTP virtual server of each Exchange Server computer and edit the properties. To edit the properties, navigate to the Access tab, and under Relay Restrictions, click Relay, as shown in Figure 9.11. From here, you can add particular hosts from which you will allow relaying. In some cases, such as when organizations are merging, you will want to allow relaying from a very specific set of hosts.
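The relay decision described above, written out as an added example (a model of the policy, not Exchange's own code). The local domain, the hosts granted relay rights under Relay Restrictions, and the probe addresses are constructed; the `550 5.7.1 Unable to relay` reply is the one an SMTP virtual server returns when it refuses a recipient.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the domain this server accepts mail for, and the hosts
# an administrator has listed under Relay Restrictions (e.g. a merging partner).
LOCAL_DOMAINS = {"example.com"}
RELAY_ALLOWED = [ip_network("10.0.0.0/24")]


def relay_permitted(client_ip, authenticated, rcpt):
    """Decide whether RCPT TO:<rcpt> is accepted from this client.
    Mail for a local domain is always accepted. Mail for any other domain is
    relayed only for authenticated clients or for hosts explicitly granted
    relay rights, which is the Exchange Server 2003 default behaviour."""
    domain = rcpt.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS or authenticated:
        return True
    return any(ip_address(client_ip) in net for net in RELAY_ALLOWED)


class SmtpRelayPolicy:
    """Minimal server side of an SMTP session, covering only the relay check."""

    def __init__(self, client_ip, authenticated=False):
        self.client_ip, self.authenticated = client_ip, authenticated

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.com Hello"
        if verb == "MAIL":
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            rcpt = arg.partition(":")[2].strip("<> ")
            if relay_permitted(self.client_ip, self.authenticated, rcpt):
                return "250 2.1.5 Recipient OK"
            return "550 5.7.1 Unable to relay for " + rcpt
        if verb == "QUIT":
            return "221 2.0.0 Service closing transmission channel"
        return "500 5.3.3 Unrecognized command"


def probe(client_ip, authenticated=False):
    """The classic open-relay self-check: external sender to external recipient.
    Returns the (command, reply) transcript so each side of the exchange is visible."""
    server = SmtpRelayPolicy(client_ip, authenticated)
    commands = ("EHLO probe.example.net", "MAIL FROM:<sender@example.net>",
                "RCPT TO:<someone@example.org>", "QUIT")
    return [(cmd, server.handle(cmd)) for cmd in commands]


def is_open_relay(client_ip, authenticated=False):
    """True if the server accepted the external recipient, i.e. it would relay."""
    return any(c.startswith("RCPT") and r.startswith("250")
               for c, r in probe(client_ip, authenticated))
```

Sending the same four commands by hand to your own SMTP virtual server shows the real answer: a correctly restricted server replies 550 5.7.1 to the RCPT TO line, while an open relay replies 250.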

Figure 9.11. The Relay Restrictions dialog box.


    MCSA/MCSE Implementing and Managing Exchange Server 2003 Exam Cram 2 (Exam Cram 70-284)
    ISBN: 0789730987
    Year: 2004
    Pages: 171
