
Exchange Server 2010 : Components of a Secure Messaging Environment (part 1) - Hardening Windows Server 2008

3/25/2011 6:36:41 PM
Although network administrators generally focus on server-level security, which protects data stored on the server itself, the administrators must keep in mind that the server they are attempting to protect is connected to a local area network (LAN), and usually the Internet, to allow it to function to its full potential.

To properly protect a server from attack, administrators should implement multiple layers of defense, each reinforcing the other, and each specializing in repelling certain types of attacks. Firewalls, network perimeters, accessibility options for users, security policies, and more are integral components that must be well designed and properly implemented to be effective.

A phrase coined by the military, “defense in depth,” is used to describe this strategy. Defense in depth increases a server’s security by creating multiple layers of protection between the server and potential attackers. An attacker who successfully maneuvers through the first line of defense finds himself faced with a second challenge, one requiring different skills and tools to bypass, and then a third, and so on.

Hardening Windows Server 2008

Exchange Server 2010 is designed to run on Windows Server 2008 or Windows Server 2008 R2. No matter what steps you take to secure your Exchange Server 2010 servers, if the underlying operating system (OS) is not secure, the Exchange Server installation is vulnerable to attack. Therefore, it is critical that you secure Windows Server 2008 by utilizing a combination of your organization’s security standards and industry best practices.

Layered Approach to Server Security

When discussing security measures, whether server-level or transport-level, protective measures work best when they are applied in layers. For example, if a thief were to attempt to steal your car, it might not be very challenging if all they had to do was break the window and hot-wire the vehicle. However, if you were to add a car alarm, or install an ignition block that requires a coded key, the level of difficulty is increased. Each of these obstacles takes additional time, as well as additional skill sets, to overcome.

This same principle applies to both server- and transport-level security methods. By applying multiple layers of security, you can effectively decrease the likelihood of a malicious user successfully tampering with your systems.

Many security features are already built in to Windows Server 2008. Among these are the following:

  • Kerberos authentication— Windows Server 2008 uses the Kerberos authentication protocol to provide a mechanism for authentication between a client and a server, or between two servers.

  • NTFS file security— Utilizing the NTFS file system provides improved performance and reliability over traditional file allocation table (FAT) file systems. NTFS has built-in security features, such as file and folder permissions and the Encrypting File System (EFS).

Windows Server 2008 also includes built-in security tools and features to help secure your environment. Among these are object-based access control, automated security policies, auditing, Public Key Infrastructure (PKI), and trusts between domains.

Physical Security Considerations

The first layer of security for any server, and one that is often overlooked, is preventing physical access to the computer. It takes very little skill or knowledge to simply unplug a computer or to remove it from the network; however, this could have a serious impact on your environment even if the intruder was not able to access your data. In addition, just as security professionals have tools and utilities to assist with the defense of computer systems, hackers have tools and utilities to assist them with their attacks. If a hacker can get physical access to a server, he can use a variety of methods to circumvent basic password security.

At a minimum, servers should be physically secured behind locked doors, preferably in an environmentally controlled area.

Some common physical security methods are the following:

  • Configure the server BIOS so that it will not boot from a floppy disk drive or CD-ROM.

  • Password protect the BIOS so that it cannot be reconfigured.

  • Lock the server case to prevent access to the BIOS jumpers on the motherboard.

  • Enclose the server in a locked cage or locked room that has limited access.

Restricting Logon Access

All servers should be configured so that only administrators can log on physically to the console. By default, Exchange Server 2010 does not allow any members of the domain users group local logon privileges. This prevents nonadministrators from logging on to the server even if they can gain physical access to the server.

Auditing Security Events

Auditing is a way to gather and keep track of activity on the network, devices, and entire systems. By default, Windows Server 2008 enables some auditing, but there are many additional auditing functions that must be manually turned on to be used. This control allows your system to easily be customized to monitor those features that you desire.

Although the primary use of auditing methods is to identify security breaches, this feature can also be used to monitor suspicious activity and to gain insight into who is accessing the servers and what they are doing. Windows Server 2008’s auditing policies must first be enabled before activity can be monitored.

Auditing Policies

Audit policies are the basis for auditing events on a Windows Server 2008 system. Bear in mind that auditing can require a significant amount of server resources and can potentially slow server performance, especially if the server does not have adequate memory or CPU bandwidth available. Also, as more and more data is collected by auditing policies, it can require a significant amount of effort to evaluate. Administrators should be cautious, as gathering too much data can sometimes be overwhelming, effectively diminishing the desired benefits. As such, it is important to take the time to properly plan how your systems will be audited.

Audit policies can track both the success and the failure of events in a Windows Server 2008 environment. The types of events that can be monitored include the following:

  • Account logon events— Each time a user attempts to log on, the successful or unsuccessful event can be recorded. Failed logon attempts can include logon failures for unknown user accounts, time restriction violations, expired user accounts, insufficient rights for the user to log on locally, expired account passwords, and locked-out accounts.

  • Account management— When an account is changed, an event can be logged and later examined. Although this pertains more to Windows Server 2008 than Exchange Server 2010, it is still very relevant because permissions granted in Active Directory can have an effect on what data or services an individual has access to in Exchange Server.

  • Directory service access— Whenever a user attempts to access an Active Directory object that has its own system access control list (SACL), the event is logged.

  • Logon events— Logons over the network or by services are logged.

  • Object access— The object access policy logs an event when a user attempts to access a resource such as a printer or shared folder.

  • Policy change— Each time an attempt to change a policy is made, the event is recorded. This can apply to changes made to user rights, account audit policies, and trust policies.

  • Privilege use— Privilege use is a security setting and can include a user employing a user right, changing the system time, and more. Successful or unsuccessful attempts can be logged.

  • Process tracking— An event can be logged for each program or process that a user launches while accessing a system. This information can be very detailed and take a significant amount of resources.

  • System events— The system events policy logs specific system events, such as a computer restart or shutdown.

The audit policies can be enabled or disabled through either the local system policy or Group Policy Objects (GPOs), which can be accessed using the Group Policy Management Console (GPMC).
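
An added example, not from the original article: a PowerShell check that reads the effective audit policy with auditpol.exe and reports where it differs from a baseline. The category names are the ones auditpol uses for the nine policies listed above; the baseline values, the server name EXCH01 and the sample rows are constructed for illustration.

```powershell
# Added example: compare the effective audit policy with a baseline.
# Baseline values are constructed for illustration, not taken from the article.
# The setting text assumes an English-language system.
$Baseline = @{
    'Account Logon'      = 'Success and Failure'   # Account logon events
    'Account Management' = 'Success and Failure'   # Account management
    'DS Access'          = 'Failure'               # Directory service access
    'Logon/Logoff'       = 'Success and Failure'   # Logon events
    'Object Access'      = 'Failure'               # Object access
    'Policy Change'      = 'Success and Failure'   # Policy change
    'Privilege Use'      = 'Failure'               # Privilege use
    'Detailed Tracking'  = 'No Auditing'           # Process tracking (costly)
    'System'             = 'Success and Failure'   # System events
}
$FlagNames = '-', 'Success', 'Failure', 'Success and Failure'

# 'Success' -> 1, 'Failure' -> 2, both -> 3, 'No Auditing' -> 0
function ConvertTo-AuditFlags([string]$Setting) {
    $flags = 0
    if ($Setting -match 'Success') { $flags = $flags -bor 1 }
    if ($Setting -match 'Failure') { $flags = $flags -bor 2 }
    $flags
}

# $Source is a script block that returns auditpol's CSV lines for one category.
function Compare-AuditPolicy([hashtable]$Baseline, [scriptblock]$Source) {
    foreach ($category in ($Baseline.Keys | Sort-Object)) {
        $want = ConvertTo-AuditFlags $Baseline[$category]
        # @() keeps an empty result from being iterated once on PowerShell 2.0
        $rows = @(& $Source $category | Where-Object { $_ } | ConvertFrom-Csv)
        foreach ($row in $rows) {
            $have    = ConvertTo-AuditFlags $row.'Inclusion Setting'
            $missing = $want -band (-bnot $have)   # required but not audited
            $extra   = $have -band (-bnot $want)   # audited beyond the baseline
            if ($missing -or $extra) {
                New-Object PSObject -Property @{
                    Category = $category; Subcategory = $row.Subcategory
                    Current  = $row.'Inclusion Setting'
                    Missing  = $FlagNames[$missing]; Extra = $FlagNames[$extra]
                } | Select-Object Category, Subcategory, Current, Missing, Extra
            }
        }
    }
}

# Live source: run elevated on the server being checked.
$Live = { param($c) auditpol.exe /get "/category:$c" /r }

# Constructed sample in auditpol's /r (CSV) layout, for trying the logic offline.
$Sample = {
    param($c)
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    switch ($c) {
        'Account Logon'     { 'EXCH01,System,Credential Validation,{placeholder},Success,' }
        'Detailed Tracking' { 'EXCH01,System,Process Creation,{placeholder},Success and Failure,' }
        'System'            { 'EXCH01,System,Security State Change,{placeholder},Success and Failure,' }
    }
}

Compare-AuditPolicy $Baseline $Sample | Format-Table -AutoSize
# Swap $Sample for $Live to check a real server.
```

With the sample rows, the report lists Credential Validation as missing Failure auditing and Process Creation as auditing more than the baseline asks for, which is the resource cost the section warns about.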

Keeping Services to a Minimum

Depending on the role that an Exchange Server 2010 server will fulfill, not all services that are installed by default are necessary for the server to function. It is considered a best practice to limit the number of entry points (services) into a server to only those required. Any services that are not necessary for the system to operate properly should be disabled. Although this can be done manually on a server-by-server basis, it can also be performed using a customized security template to ensure all servers in your environment are configured properly.

Locking Down the File System

Files stored on a Windows Server 2008 system, including mail databases, are only as secure as the permissions that are assigned to protect them. As such, it is good to know that Windows Server 2008 does not grant the Everyone group full control over share-level and NTFS-level permissions by default. In addition, critical operating system files and directories are secured to disallow their unauthorized use.

Despite the overall improvements made, a complete understanding of file-level security is recommended to ensure that your files are properly protected.
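
One way to check a folder tree for the permission described above, as an added example that is not part of the original article: the function walks a folder and reports every Allow entry that gives the Everyone group Full Control. It assumes Windows PowerShell; the function name and the scratch folder acl-demo are constructed for the demonstration.

```powershell
# Added example (Windows PowerShell): flag Allow entries that give the Everyone
# group (well-known SID S-1-1-0) Full Control anywhere under a folder.
$EveryoneSid = 'S-1-1-0'
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$GenericAll  = 0x10000000   # raw GENERIC_ALL bit, seen on some inherit-only entries
$SidType     = [System.Security.Principal.SecurityIdentifier]

function Find-EveryoneFullControl([string]$Root) {
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try   { $acl = $item.GetAccessControl('Access') }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }
        # Explicit and inherited rules, with identities returned as SIDs so the
        # comparison does not depend on the localized group name
        foreach ($rule in $acl.GetAccessRules($true, $true, $SidType)) {
            $rights = [int]$rule.FileSystemRights
            $full = (($rights -band $FullControl) -eq $FullControl) -or
                    (($rights -band $GenericAll) -ne 0)
            if ($rule.AccessControlType -eq 'Allow' -and
                $rule.IdentityReference.Value -eq $EveryoneSid -and $full) {
                New-Object PSObject -Property @{
                    Path = $item.FullName; Inherited = $rule.IsInherited
                } | Select-Object Path, Inherited
            }
        }
    }
}

# Constructed demonstration: a scratch folder with a deliberately weak entry.
$demo = New-Item -ItemType Directory -Path (Join-Path $env:TEMP 'acl-demo') -Force
$weak = New-Object System.Security.AccessControl.FileSystemAccessRule(
            (New-Object System.Security.Principal.SecurityIdentifier $EveryoneSid),
            'FullControl', 'Allow')
$acl = $demo.GetAccessControl('Access')
$acl.AddAccessRule($weak)
$demo.SetAccessControl($acl)

Find-EveryoneFullControl $demo.FullName | Format-Table -AutoSize   # reports acl-demo
Remove-Item -LiteralPath $demo.FullName -Recurse -Force
```

On a server, call Find-EveryoneFullControl with the folders that hold mail databases and transaction logs; an empty result means no such entry was found in the entries the account could read.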

Note

For increased file-level security, the Exchange Server 2010 installation process requires that partitions on the underlying operating system are formatted as NTFS.


Using the Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) is a tool that identifies common security misconfigurations and missing hotfixes. This information is gathered via local or remote scans of Windows systems. MBSA allows administrators to scan a single Windows system and obtain a security assessment, as well as a list of recommended corrective actions. In addition, administrators can use the MBSA tool to scan multiple functional roles of a Windows-based server on the network for vulnerabilities. This allows administrators to ensure systems are up to date with the latest security-related patches.

The MBSA can be downloaded from the Microsoft website at www.microsoft.com/mbsa.

Implementing Industry Standards and Guidelines

As discussed previously, Microsoft has gone to great lengths to provide secure and reliable products. Moreover, it has worked closely with companies, government agencies, security consultants, and others to address security issues in the computer industry.

In addition to Microsoft security standards and guidelines, it is advisable that organizations use recommended best practices compiled by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). Both NIST and NSA provide security lockdown configuration standards and guidelines that can be downloaded from their websites (http://www.nist.gov and http://www.nsa.gov, respectively).

Using the Security Configuration Wizard

The Security Configuration Wizard (SCW) is an attack-surface reduction tool for Windows Server 2008 RTM/R2. The SCW guides administrators in creating security policies based on the minimum functionality required for a server’s role or roles.

SCW reviews the computer configuration, including but not limited to, the following:

  • Services— SCW limits the number of services in use.

  • Packet filtering— SCW can configure certain ports and protocols.

  • Auditing— Auditing can be configured based on the computer’s role and the organization’s security requirements.

  • Internet Information Services (IIS)— SCW can secure IIS, including web extensions and legacy virtual directories.

  • Server roles and tasks— The role (file, database, messaging, web server, and so on), specific tasks (backup, content indexing, and so on), and placement in an environment of a computer is a critical component in any lockdown process or procedure. Application services are also evaluated from products such as Exchange Server, SQL Server, ISA Server, SharePoint Portal Server, and Operations Manager.

Caution

The SCW is a very flexible and powerful security analysis and configuration tool. As a result, it is important to keep control over when and how the tool is used because system performance can be greatly degraded while the wizard is running. Equally important is testing possible configurations in a segmented lab environment prior to implementation. Without proper testing, environment functionality can be impaired or completely locked.


The SCW is used to assist in building specific security-related policies and to analyze computers against those policies to ensure compliance. SCW actually combines many of the security-related tasks performed by several other Microsoft security tools. For instance, SCW can take existing security templates created from the Security Configuration and Analysis tool and expand upon the restrictions to meet an organization’s security policy requirements. In addition, SCW can analyze computers for any security updates that are needed, integrate with Group Policy, and provide a knowledge base repository.

Running SCW

The SCW is installed by default on all Windows Server 2008 installations and is located in the Administrative Tools section of the Start menu. When you run the SCW, you will have an opportunity to select what roles the server plays. Note that the SCW has already selected the roles that it is aware of, as shown in Figure 1.

Figure 1. Reviewing SCW roles.

The SCW continues, giving you the opportunity to select client features (such as domain name system [DNS], Dynamic Host Configuration Protocol [DHCP], or the Automatic Update Client), and installed options (such as a global catalog, Windows Firewall, or time synchronization). Finally, there might be an additional screen for additional services. After you have selected all of the appropriate features, you must confirm service changes.

The SCW continues through network security changes (locking down unused ports), Registry settings, and configuring policy auditing. After finishing, you have the option to apply the security policy to the computer immediately, or save it to apply to this server (or other servers) later.

Securing Servers with Security Templates

Security templates are a practical and effective means to apply security policies and configurations to Exchange servers. Although security templates are provided with Windows Server 2008, it is recommended to customize them prior to applying them using the Security Configuration and Analysis Microsoft Management Console (MMC) snap-in.

This not only ensures that computers are identically configured with the same security configurations, but it also is an easy way to configure appropriate security measures for those computers that are not managed using GPOs.

Note

Microsoft creates Exchange Server-specific security templates and distributes them through their website. However, at the time of this writing, the security templates for Exchange Server 2010 have not yet been released.


Keeping Up with Security Patches and Updates

One of the least glamorous, but most important, security measures an organization can take is to ensure all of their products have the latest security patches implemented in a timely fashion. Applying service packs, security updates, and hotfixes for the operating system, as well as applications such as Exchange Server 2010, are crucial to maintaining a secure environment. As security shortcomings are identified, these service packs and hotfixes close the holes, often before they become publicly known, effectively protecting your environment from malicious users.

Note

Thoroughly test and evaluate service packs and hotfixes in a lab environment before installing them on production servers. Also, install the appropriate service packs and hotfixes on each production server to keep all systems consistent.


Windows Update

Windows Update is a web service, accessed in Microsoft Internet Explorer (Tools, Windows Update), that scans a local system and determines whether the system has all current updates installed. This tool is extremely useful on individual systems, but can be time consuming when used to update multiple systems within an organization.

Windows Server Update Services

Windows Server Update Services (WSUS), an upgrade from its predecessor Software Update Services (SUS), minimizes the administration, management, and maintenance effort for small- to midsized organizations by allowing them to communicate directly and securely with Microsoft to gather the latest security updates and service packs. WSUS is available for Windows Server 2008 and for Exchange servers.

The primary differences between WSUS and its predecessor are as follows:

  • Support for a greater number of products, including service pack updates

  • The ability to target computers using Group Policy or scripts

  • Reports on update installation status

  • Basic hardware inventory

With WSUS, the updates are downloaded from Microsoft to a local WSUS server. They can then be distributed to a lab environment for testing, or to targeted production servers. After being tested and approved, WSUS can be used to automatically distribute the updates throughout your environment. By utilizing this service, updates can be downloaded from Microsoft once, and distributed locally, saving a significant amount of bandwidth when compared to hundreds (or thousands) of systems each downloading the updates themselves.
