Needing help with security with Windows SBS2003 server and Exchange - Information Security

Subject:Needing help with security with Windows SBS2003 server and Exchange
Time:05:33 pm
Current Mood:annoyed
Can someone help me with some basic security on my SBS2003 server, with particular regard to e-mail security? I am not an idiot, but I have not done server or LAN support for a living since NT 4.0 and 95. I spent the last 10 years doing Cisco networking and telecom work. I installed and ran a Win 2K server with Exchange for a year or so, and now SBS 2003 for a few years, just to keep some skills up.

I only host a few personal websites and one e-mail domain with just a couple of e-mail accounts. I also have a POP3 connector to pull e-mail in from an ISP for an old e-mail address. I run it in my basement on DSL with static, public IP addresses, with a Cisco router acting as my firewall. I am also running Symantec Corporate Antivirus 8.1, and I have the Windows Intelligent Messaging Filter configured. I believe I am up to date on all my service packs and updates. I have done basic things like using hardened passwords and disabling the default administrator account. I admit that I had not changed my password in a while, but I changed them today.

One of the main things I am concerned about is unauthorized users sending mail through my server. My girlfriend and I are really the only people who would normally send mail, from one of several machines that would all be on the same local IP subnet. I primarily use Outlook to manage my mail, but I have also used Outlook Express, Netscape, Thunderbird and OWA. The main symptom by which I know I have a security problem is that when I go to Exchange System Manager and look at the queues for my server, I see about 40 SMTP connectors set up for domains that I do not manage or support. All but one have at least one message waiting in the queue. I have frozen them for now, but more keep getting added, and I have no idea how people are able to do it. When I get my daily reports, I have seen that I often get dozens of failed attempts to log into my server via Terminal Services/RDP.

What can I do or look at to see how my system is compromised and what people are doing or trying to do on my server? What are some other things I can do to improve security on my server and harden it against attacks? Whenever I try to google for tips, I find really in-depth instructions that I don't understand or that are for more complicated installations. I have done some things in the past to tighten things up and have screwed up my server. So more often than not, I choose to do nothing rather than risk messing things up.
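The failed Terminal Services/RDP logons in the post's daily report are the place to start when asking "what are people trying to do on my server". The script below is an added example (not code from the post or from SBS) that aggregates Windows Server 2003 logon events by source address: Event ID 528 is a successful logon, 529-537 and 539 are logon failures, and logon type 10 is RemoteInteractive, i.e. Terminal Services/RDP. The sample events are constructed; real Security-log entries are multi-line, and they are flattened here to one line per event carrying only the fields the script reads. Lots of failures from one address is expected brute-force noise; the finding that matters is a source that guessed several user names and then logged on successfully.

```python
"""Triage of Terminal Services logon events (added example; not from the thread).

Aggregates RDP (logon type 10) events per source address so that brute-force
sources stand out and, more importantly, flags any source that tried several
user names and then succeeded.  Event IDs are the Windows Server 2003 ones.
The sample is constructed: real Security-log events are multi-line and are
flattened here to one line per event with only the fields used below.
"""
import re
from collections import defaultdict

# Constructed sample data for the example (addresses are documentation ranges).
SAMPLE_EVENTS = """\
2007-08-12 23:51:02 529 Logon Failure User Name: administrator Logon Type: 10 Source Network Address: 198.51.100.23
2007-08-12 23:51:05 529 Logon Failure User Name: admin Logon Type: 10 Source Network Address: 198.51.100.23
2007-08-12 23:51:08 529 Logon Failure User Name: guest Logon Type: 10 Source Network Address: 198.51.100.23
2007-08-12 23:51:11 529 Logon Failure User Name: test Logon Type: 10 Source Network Address: 198.51.100.23
2007-08-12 23:51:14 529 Logon Failure User Name: sa Logon Type: 10 Source Network Address: 198.51.100.23
2007-08-12 23:51:17 529 Logon Failure User Name: administrator Logon Type: 10 Source Network Address: 198.51.100.23
2007-08-12 23:55:31 529 Logon Failure User Name: administrator Logon Type: 10 Source Network Address: 203.0.113.77
2007-08-12 23:57:02 529 Logon Failure User Name: jdoe Logon Type: 10 Source Network Address: 203.0.113.77
2007-08-12 23:58:40 528 Successful Logon User Name: jdoe Logon Type: 10 Source Network Address: 203.0.113.77
2007-08-13 00:02:15 529 Logon Failure User Name: jdoe Logon Type: 10 Source Network Address: 192.168.1.20
2007-08-13 00:02:30 528 Successful Logon User Name: jdoe Logon Type: 10 Source Network Address: 192.168.1.20
2007-08-13 00:05:00 529 Logon Failure User Name: administrator Logon Type: 3 Source Network Address: 198.51.100.23
"""

FAILURE_IDS = {529, 530, 531, 532, 533, 534, 535, 536, 537, 539}  # 2003 logon failures
SUCCESS_IDS = {528}                                                # interactive/RDP success
RDP_LOGON_TYPE = 10                                                # RemoteInteractive

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<eid>\d+) .*?"
    r"User Name: (?P<user>\S+) .*?Logon Type: (?P<ltype>\d+) .*?"
    r"Source Network Address: (?P<src>\S+)"
)


def parse_events(text):
    """Parse the flattened one-line-per-event format into dicts; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["eid"], e["ltype"] = int(e["eid"]), int(e["ltype"])
            events.append(e)
    return events


def rdp_report(events, threshold=5):
    """Return {source: summary} for sources that brute-forced or guessed their way in.

    A source is reported when it has at least `threshold` RDP failures, or when it
    failed under more than one user name and then logged on successfully.
    """
    per_src = defaultdict(lambda: {"failures": 0, "users": set(), "successes": []})
    for e in events:
        if e["ltype"] != RDP_LOGON_TYPE:      # network/service logons are out of scope here
            continue
        entry = per_src[e["src"]]
        if e["eid"] in FAILURE_IDS:
            entry["failures"] += 1
            entry["users"].add(e["user"])
        elif e["eid"] in SUCCESS_IDS:
            entry["successes"].append((e["ts"], e["user"]))

    report = {}
    for src, entry in per_src.items():
        many_failures = entry["failures"] >= threshold
        guessed_then_in = bool(entry["successes"]) and len(entry["users"]) > 1
        if many_failures or guessed_then_in:
            report[src] = {
                "failures": entry["failures"],
                "users": sorted(entry["users"]),
                "successes": entry["successes"],
                "success_after_guessing": guessed_then_in,
            }
    return report


if __name__ == "__main__":
    for src, summary in rdp_report(parse_events(SAMPLE_EVENTS)).items():
        print(src, summary)
```

A single typo from a LAN address followed by a success (192.168.1.20 above) is not reported; six guesses against common account names from 198.51.100.23 is reported as brute force; and 203.0.113.77, which tried two names and then got in, is the one to treat as a possible compromise and check first. Since the post's default administrator account is disabled, repeated attempts against "administrator" are noise, but they do show that RDP is reachable from the Internet and worth restricting at the Cisco router.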


zastrazzi
Time:2007-08-13 12:08 am (UTC)
First up, ensure you have authentication turned on in Exchange; otherwise it will blindly accept mail from anywhere on your network, which means if an internal system becomes infected you could have a problem.

Check your relay options, that's usually the biggest gotcha.

Only slightly related, I'd also block port 25 outbound except for the Exchange server.

If possible, you may also want to restrict port 25 inbound to those hosts/networks you expect to see mail from. This isn't usually a normal move, but it can be effective.

I normally would steer people away from Exchange as a solution, primarily because it's a significant load on a server and is a nightmare to configure properly. It's also not nearly as feature-rich as exim/postfix.

If you're interested in either exim or postfix, you could either install VMware and a Linux distribution of your choice (CentOS, Ubuntu, Red Hat) or possibly run them within Cygwin. Both of these Linux MTAs have a LOT of security features that are relatively easy to enable, and excellent documentation online and in the manual pages.

You might also want to look into implementing SPF or DKIM as an antispam measure. A quick google should turn up a lot of results on how to configure it for whichever MTA you stick with.

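The relay check in the comment above is easy to do by hand rather than relying on web-based testers. The script below is an added example (not code from the thread) of the dialogue every relay tester runs: connect, greet, give a MAIL FROM in a domain the server does not host, then a RCPT TO in another domain it does not host. A 250 to that RCPT means the server has agreed to relay for strangers; Exchange answers a refused relay with a 550 5.7.1. So that it runs offline, a tiny stand-in SMTP server with a switchable relay policy is included and bound to a loopback port; it is constructed for the example and is not Exchange, and the `.invalid` addresses and `example.com` hosted domain are assumptions. Run the probe against a real server from outside your own subnet, because relay permissions are usually granted by source IP and a test from the LAN proves nothing about the Internet-facing behaviour. One caveat: a 250 here shows only that the message was accepted; a server that accepts and silently discards will look open to this probe, so the definitive test is sending to an outside mailbox you control and seeing whether the message arrives.

```python
"""SMTP open-relay probe (added example; not code from the thread).

It performs the dialogue a relay tester uses: greet, MAIL FROM an outside
address, RCPT TO a recipient in a domain the server does not host.  A
server that answers 250 to that RCPT is offering to relay.  So that it
runs offline, a minimal SMTP server with a switchable relay policy is
included; it is a stand-in constructed for this example, not Exchange.
"""
import socket
import threading

LOCAL_DOMAINS = {"example.com"}            # assumption: the domains the server hosts
OUTSIDE_SENDER = "probe@sender.invalid"    # neither address is in LOCAL_DOMAINS
OUTSIDE_RCPT = "probe@recipient.invalid"


def read_reply(reader):
    """Read one SMTP reply, skipping '250-' continuation lines; return (code, last line)."""
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) >= 4 and line[3] == " ":        # "250 " ends the reply, "250-" continues it
            return int(line[:3]), line


def send_cmd(sock, reader, command):
    sock.sendall((command + "\r\n").encode("ascii"))
    return read_reply(reader)


def probe_relay(host, port, sender=OUTSIDE_SENDER, recipient=OUTSIDE_RCPT):
    """Return (accepted, rcpt_reply) for one MAIL FROM / RCPT TO attempt.

    Nothing is delivered: the session ends with QUIT before any DATA command.
    """
    with socket.create_connection((host, port), timeout=10) as sock:
        reader = sock.makefile("rb")
        code, line = read_reply(reader)                     # 220 banner
        if code != 220:
            return False, line
        send_cmd(sock, reader, "HELO probe.invalid")
        code, line = send_cmd(sock, reader, f"MAIL FROM:<{sender}>")
        if code != 250:
            return False, line                               # outside senders refused outright
        code, line = send_cmd(sock, reader, f"RCPT TO:<{recipient}>")
        send_cmd(sock, reader, "QUIT")
        return code == 250, line


def toy_smtp_server(listener, open_relay):
    """Serve one session.  Relays for anyone if open_relay, else only for LOCAL_DOMAINS."""
    conn, _ = listener.accept()
    with conn:
        reader = conn.makefile("rb")
        conn.sendall(b"220 toy.example.com SMTP ready\r\n")
        while True:
            raw = reader.readline()
            if not raw:
                break
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            if verb == "RCPT":                               # arg looks like "TO:<user@domain>"
                addr = arg.split("<", 1)[-1].rstrip(">")
                domain = addr.rpartition("@")[2].lower()
                if open_relay or domain in LOCAL_DOMAINS:
                    conn.sendall(b"250 2.1.5 Recipient OK\r\n")
                else:
                    conn.sendall(b"550 5.7.1 Unable to relay\r\n")
            else:
                conn.sendall(b"250 OK\r\n")


def probe_toy_server(open_relay, recipient=OUTSIDE_RCPT):
    """Start the stand-in server on a free loopback port, probe it, return the probe result."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=toy_smtp_server, args=(listener, open_relay), daemon=True)
    server.start()
    try:
        return probe_relay("127.0.0.1", port, recipient=recipient)
    finally:
        server.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    for policy in (True, False):
        accepted, reply = probe_toy_server(policy)
        print(f"open_relay={policy}: relay accepted={accepted} ({reply})")
```

Against a real host, call `probe_relay(host, 25)` from a machine outside the subnet Exchange is allowed to relay for. The correctly configured state is the third case in the test: outside-to-outside refused with a 550, while a recipient in one of your own domains is still accepted, since refusing those would stop legitimate inbound mail.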


sugarbeet
Time:2007-08-13 02:07 am (UTC)
I will look into the authentication. I had forgotten about that. Thanks.

I don't "think" I have an open relay, but I get conflicting info from web-based test sites. I also "think" I am restricted to mail only allowed from my subnet, but I have not tested that.

I use Exchange because it was what I have always been familiar with. My server just runs the web and mail server and only runs at about a 5% load based on my daily report e-mails.

Every time I try to learn Linux, I get frustrated before I get everything working right and then put it off until I forget most of what I have learned. I have been thinking about trying my luck with Ubuntu, since I have not tried that one.

I am not sure what SPF or DKIM is, but I will go check it out.

thanks.


zastrazzi
Time:2007-08-13 02:28 am (UTC)
If you get a few tests that say you aren't an open relay, they are likely correct. Some MTAs will appear to accept an email for delivery and then garbage the transaction. Some of the tests will then 'fail' you because you accepted the message for delivery; they don't know that you are then discarding the message.

Configuring an MTA in Linux can be a bit of a learning curve, but it makes a heck of a lot more sense than the Microsoft solution once you've learned it. Upgrades are also not nearly as painful or as likely to result in breakage. The nice thing about a Linux config is that you can just create a backup copy of the config file before making changes. Not really possible with Exchange ;)

SPF is Sender Policy Framework. It essentially does a dns based check to see if the sending domain has an SPF dns record, and if the sending host is permitted to send mail for that domain. If you don't have an SPF record for your domain(s) I'd recommend setting one up.

Then it's just a question of configuring Exchange (or another MTA) to check SPF records.

http://old.openspf.org/wizard.html

http://www.dkim.org/
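The SPF check described in the comment above, as an added example (not the thread's code and not Exchange's or any MTA's implementation): given the connecting IP and the domain from MAIL FROM, fetch that domain's `v=spf1` TXT record, walk its mechanisms left to right, and return the result named by the qualifier of the first one that matches (`+` pass, `-` fail, `~` softfail, `?` neutral). It handles the `ip4`, `ip6`, `a`, `mx`, `include` and `all` mechanisms and the `redirect=` modifier. The DNS answers come from a constructed in-memory table so the example runs offline; the domains, records and addresses in it are assumptions, and a real checker would query DNS wherever `dns[...]` is consulted.

```python
"""Minimal SPF evaluator (added example; not code from the thread or from any MTA).

Given the connecting IP and the MAIL FROM domain, look up the domain's SPF TXT
record, walk the mechanisms left to right and return the result named by the
first one that matches.  DNS is answered from the constructed table below so
the example runs offline; a real checker would query DNS wherever `dns[...]`
is consulted.
"""
import ipaddress

# Constructed records for the example; none of these names or addresses are real.
DNS = {
    "txt": {
        "example.com": "v=spf1 a mx ip4:203.0.113.10 include:_spf.isp.example -all",
        "_spf.isp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
        "legacy.example": "v=spf1 redirect=example.com",
    },
    "mx": {"example.com": ["mail.example.com"]},
    "a": {"example.com": ["203.0.113.30"], "mail.example.com": ["203.0.113.20"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10   # cap on include/redirect nesting, in the spirit of SPF's DNS-lookup limit


def _in_net(ip, address, prefix=None):
    """True if ip lies within address/prefix (no prefix means an exact host match)."""
    net = address if prefix is None else f"{address}/{prefix}"
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
    except ValueError:
        return False


def check_spf(ip, domain, dns=DNS, depth=0):
    """Return one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > MAX_DEPTH:
        return "permerror"
    record = dns["txt"].get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"

    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                                  # a modifier, not a mechanism
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue                                     # unknown modifiers are ignored
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech, _, mech_prefix = mech.partition("/")       # "a/24" form
        target, _, arg_prefix = arg.partition("/")       # "a:host/24" form
        target = target or domain
        prefix = arg_prefix or mech_prefix or None
        mech = mech.lower()

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = _in_net(ip, arg)                   # arg carries its own /cidr if any
        elif mech == "a":
            matched = any(_in_net(ip, addr, prefix) for addr in dns["a"].get(target, []))
        elif mech == "mx":
            matched = any(_in_net(ip, addr, prefix)
                          for host in dns["mx"].get(target, [])
                          for addr in dns["a"].get(host, []))
        elif mech == "include":
            matched = check_spf(ip, target, dns, depth + 1) == "pass"
        else:
            return "permerror"                           # mechanism this evaluator does not know
        if matched:
            return QUALIFIERS[qualifier]

    if redirect:
        return check_spf(ip, redirect, dns, depth + 1)
    return "neutral"                                     # record exhausted without a match


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "198.51.100.77", "192.0.2.5"):
        print(ip, "from example.com ->", check_spf(ip, "example.com"))
```

For a setup like the one in the post, a single server with a static address that sends all mail for the domain, the record to publish as a TXT record on the mail domain is as short as `v=spf1 mx -all` (if the server is also the MX) or `v=spf1 ip4:<your static address> -all`. The `-all` is what lets receivers reject forged mail claiming to come from your domain; note that SPF on your own record protects others from forgeries of your domain, while checking SPF on inbound mail, as the comment says, needs a receiving MTA that evaluates it.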


sugarbeet
Time:2007-08-13 04:23 am (UTC)
Cool. Thanks again for your help!


zastrazzi
Time:2007-08-13 04:26 am (UTC)
No worries. I was a data center administrator for a few years before my current incarnation as a network security consultant ;)
