How Secure Is Your Exchange Server?

I was just finishing up the special security issue of Windows NT Magazine (October 99) and pondering the possible security holes in my Exchange server. Have you considered security issues in your Exchange Server deployment?

From a basic TCP/IP hacker point of view, Exchange Server certainly listens on its fair share of TCP and UDP ports. For the basic NT services, NetBIOS over TCP/IP takes the customary ports 137 through 139, and the remote procedure call (RPC) endpoint mapper listens on port 135; the endpoint mapper is what Messaging API (MAPI) clients query to find the information store and directory services, which then answer on dynamically assigned high ports unless you pin them to fixed ports in the registry.

Also, let's not forget the popular hacker portal of SMTP port 25, which Exchange Server's Internet Mail Service (IMS) is always listening on. Via port 25, attackers can use the verify (VRFY) and name expansion (EXPN) commands to gain information about users, networks, and domains, and can use an open relay to launch Unsolicited Commercial Email (UCE) attacks through your server. In addition, if you have the Internet News Service for Exchange configured, Network News Transfer Protocol (NNTP) port 119 is also open (port 110 belongs to POP3, which Exchange Server also offers if you have enabled it); would-be villains are known to telnet in and test the limits of vulnerability.

And let's not forget Internet Information Server (IIS). If you use Outlook Web Access (OWA) with Exchange Server 5.5, several potential threats exist, such as the Active Server Pages (ASP) download problem, whereby an intruder appends the "::$DATA" string to a page's URL and downloads the source of the ASP script instead of its output, potentially exposing login names and passwords that might be hard-coded within the pages (a bad practice). Also, if you run OWA on a separate server from your Exchange server, IIS cannot pass NT LAN Manager (NTLM) credentials through to the Exchange server, so OWA must use Basic authentication and passwords cross the wire in the clear unless you protect the session with SSL. OWA for Exchange 2000 Server combined with Windows 2000 (Win2K) Kerberos authentication will resolve this problem.

Finally, let's not forget your basic Denial of Service (DoS) attacks, where an intruder floods a listening TCP or UDP port (e.g., SMTP port 25) on your Exchange server with traffic and prevents your system from servicing any legitimate requests.

My point here is not to create panic among Exchange Server administrators, but to cause you to think about security concerns. Keep in mind that most Exchange servers are not sitting on the Internet boundary of your company; most are well protected behind a firewall, or, at worst, in the De-Militarized Zone (DMZ) where SMTP, HTTP, and NNTP servers often reside. If you haven't recently looked at how well you've protected your Exchange server, you might find it worth your while as we get ready to roll the clocks (hopefully) over to Y2K. Use some of the many tools, commercial or free, that are available: port scanners, vulnerability testers, log analyzers, intrusion detectors, and password crackers. In the business of basic Exchange Server administration, administrators often overlook these security areas. Spend some time assessing your deployment. You know what they say about "an ounce of prevention."
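As an added example (not part of the original article, and not a Microsoft tool), here is a small Python assessment script covering two of the checks above: which of the listening ports the article names actually accept connections, and whether the SMTP service answers VRFY and EXPN in a way that leaks mailbox names. The host names and the two canned server transcripts (`leaky_ims`, `hardened_ims`) are constructed assumptions so the logic can be exercised offline; point it at a real host name to probe a live server.

```python
"""Probe an Exchange host for the exposed ports and the SMTP VRFY/EXPN
information leak. Added example; host names and the sample server replies
below are constructed, not captured from a real Exchange server."""
import socket
import sys

# Ports discussed in the article. NNTP is 119; 110 is POP3.
EXCHANGE_PORTS = {
    25: "SMTP (Internet Mail Service)",
    80: "HTTP (IIS / Outlook Web Access)",
    119: "NNTP (Internet News Service)",
    135: "RPC endpoint mapper (MAPI clients)",
    137: "NetBIOS name service",
    139: "NetBIOS session service",
}


def scan_ports(host, ports=EXCHANGE_PORTS, connect=socket.create_connection, timeout=3.0):
    """Return {port: True/False} for TCP ports that accept a connection.
    `connect` is injectable so the logic can be exercised without a network."""
    result = {}
    for port in ports:
        try:
            connect((host, port), timeout).close()
            result[port] = True
        except OSError:
            result[port] = False
    return result


def classify_reply(code):
    """Turn an SMTP reply code for VRFY/EXPN into a verdict. 250/251 confirm the
    mailbox; 550/551/553 deny it, which still lets an attacker enumerate users
    by the difference in replies; 252 refuses to verify; 5xx syntax replies
    mean the command is not offered at all."""
    if code in (250, 251):
        return "leaks: mailbox confirmed"
    if code in (550, 551, 553):
        return "leaks: mailbox denied (enumeration by difference)"
    if code == 252:
        return "safe: will not verify"
    if code in (500, 502, 503, 504):
        return "safe: command disabled"
    return "unknown reply %d" % code


def probe_vrfy_expn(exchange, user="administrator", domain="example.com"):
    """`exchange(line)` sends one SMTP command and returns the reply line.
    Returns {'VRFY': verdict, 'EXPN': verdict}."""
    verdicts = {}
    exchange("HELO probe." + domain)
    for cmd in ("VRFY", "EXPN"):
        reply = exchange("%s %s" % (cmd, user))
        verdicts[cmd] = classify_reply(int(reply[:3]))
    exchange("QUIT")
    return verdicts


class SocketSmtp:
    """Line-oriented SMTP exchange over a real TCP socket (live use only)."""
    def __init__(self, host, port=25, timeout=5.0):
        self.f = socket.create_connection((host, port), timeout).makefile("rwb")
        self.f.readline()  # discard the banner
    def __call__(self, line):
        self.f.write((line + "\r\n").encode("ascii"))
        self.f.flush()
        reply = self.f.readline().decode("ascii", "replace")
        while len(reply) > 3 and reply[3] == "-":  # skip multi-line continuations
            reply = self.f.readline().decode("ascii", "replace")
        return reply.strip()


def _canned(replies):
    """Build a fake SMTP server from a {COMMAND: reply} table (constructed data)."""
    def exchange(line):
        return replies.get(line.split()[0].upper(), "500 Syntax error")
    return exchange

# Constructed transcripts: an IMS that confirms mailboxes, and a hardened one.
leaky_ims = _canned({"HELO": "250 mail.example.com Hello",
                     "VRFY": "250 administrator <administrator@example.com>",
                     "EXPN": "250 administrator <administrator@example.com>",
                     "QUIT": "221 closing"})
hardened_ims = _canned({"HELO": "250 mail.example.com Hello",
                        "VRFY": "252 Cannot VRFY user",
                        "EXPN": "502 Command not implemented",
                        "QUIT": "221 closing"})


def fake_connect(open_ports):
    """Connector that pretends only `open_ports` are listening (offline use)."""
    def connect(addr, timeout=None):
        if addr[1] in open_ports:
            return socket.socket()  # never connected; close() is harmless
        raise ConnectionRefusedError(addr)
    return connect


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live probe: python probe.py exchange.example.com
        host = sys.argv[1]
        for port, is_open in scan_ports(host).items():
            print("%5d %-35s %s" % (port, EXCHANGE_PORTS[port], "OPEN" if is_open else "closed"))
        print(probe_vrfy_expn(SocketSmtp(host)))
    else:  # offline demonstration against the constructed transcripts
        print("leaky:   ", probe_vrfy_expn(leaky_ims))
        print("hardened:", probe_vrfy_expn(hardened_ims))
```

Note that a 550 "user unknown" reply is treated as a leak too: a server that says "unknown" for bad names and anything else for good ones still lets an attacker enumerate mailboxes one guess at a time, so the safe configurations are a uniform 252 or the command disabled outright.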
