Email Security Issue - How to prevent intruders
- Hi,
We are a charter school located in Los Angeles. Recently we've had an intruder come into our e-mail server and e-mail our entire Global Address List through one of our students' accounts. She was totally unaware of it happening.
After looking through some of the security logs in the event viewer, it looks like the intruder that was logging in registered with a Workstation Name that was not in our domain, and the IP address was not in our subnet either.
Just wanted to ask, what can we do to prevent this from happening again?
We've limited our Global Address List to only students and staff,
We've used the Best Practice Analyzer Tool to patch up as much as we can,
We've turned on a bunch of new audits.
We've changed all passwords and enforced a password policy on our staff and students; we didn't have one before.
We are thinking about having OWA go through SSL, after the district enables the secured port for us.
But what else can we do to prevent this from ever happening again, or how can we have the ability to track down the intruder next time?
Thanks
Answers
A good beginning is implementing SSL, enforcing a password policy and auditing account logon events (success and failure). As a next step you could look into:
* restricting user access to OWA
* requiring certificates for authentication
* adding strong two-factor authentication
Books could be written about this subject. Actually Henrik Walther has written one: Securing Exchange Server 2003 & Outlook Web Access: Chapter 5 on MSExchange.org. This chapter should be a good start (I'm assuming you're using Exchange 2003):
http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html
Using certificates for authentication can be considered more secure because a user cannot gain access to the mailbox simply by knowing the user name and password. The certificate option prevents key loggers or other malware on a client machine capturing keystrokes to identify user account and passwords.
How to Configure Certificate Based Authentication for OWA - Part I
http://msexchangeteam.com/archive/2008/10/07/449942.aspx
How to Configure Certificate Based Authentication for OWA - Part II
http://msexchangeteam.com/archive/2008/11/12/450094.aspx
The AuthAnvil Web Logon Agent offers companies the ability to add strong two-factor authentication to web applications running on Microsoft’s Internet Information Server (IIS). It provides a simple and consistent authentication experience in front of any web application or portal installed into IIS, including Outlook Web Access (OWA), Remote Web Workplace (RWW), MSCRM and SharePoint. And it offers identity assurance by requiring users to provide their AuthAnvil passcode before they can access the underlying web application or portal.
http://www.scorpionsoft.com/products/authanvil/weblogon/
Read also: The Five Failings of Password Security: Exploring the problems with weak static passwords, and how you can handle them. http://www.scorpionsoft.com/
Scorpion Software has a very good reputation in the SBS community and they have won the prestigious "Best Canadian Commercial Security Product" award at SecTor Conference http://blog.scorpionsoft.com/blog/2009/10/sector-2009-award.html
Jon-Alfred Smith MCTS: Messaging | MCSE: S+M
- Marked As Answer by Elvis Wei - MSFT, Moderator, Friday, November 06, 2009 9:01 AM
- Proposed As Answer by Oliver Moazzezi MVP, Wednesday, October 28, 2009 9:28 PM
- Hi,
Ensuring you have a decent Password Policy in place with minimum complexity requirements and password expiration goes a long way.
Unfortunately not securing OWA via SSL means that any students connecting have the potential to have their traffic 'sniffed' and their usernames and passwords taken.
You can also implement RSA two factor authentication but you may find that is a little OTT in this instance.
Archiving Firewall logs is also good practice, as it allows you to trawl them to potentially help track down any culprits - although be advised some use proxy servers or even compromised machines before doing any mal-deeds.
Oliver
- Marked As Answer by Elvis Wei - MSFT, Moderator, Friday, November 06, 2009 9:01 AM
- Proposed As Answer by Oliver Moazzezi MVP, Wednesday, October 28, 2009 9:28 PM
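The first answer recommends auditing account logon events, and the second recommends keeping logs you can trawl; the original poster already spotted the intrusion from a workstation name outside the domain and an address outside the subnet. The script below is an added example (not from either answer or from any Microsoft tool) that automates exactly that review over constructed records shaped like Windows Server 2003 security events; the host names, addresses, subnet and event layout are all assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample records in the shape of Windows Server 2003 security events:
# 540 = successful network logon, 529 = logon failure (unknown user / bad password).
# User names, workstation names and addresses are invented for this example.
SAMPLE_EVENTS = [
    {"id": 540, "user": "jdoe",   "workstation": "LAB-PC07",    "ip": "10.20.5.41"},
    {"id": 529, "user": "msmith", "workstation": "DESKTOP-ZX9", "ip": "203.0.113.77"},
    {"id": 529, "user": "msmith", "workstation": "DESKTOP-ZX9", "ip": "203.0.113.77"},
    {"id": 540, "user": "msmith", "workstation": "DESKTOP-ZX9", "ip": "203.0.113.77"},
    {"id": 540, "user": "kwong",  "workstation": "LIB-PC02",    "ip": "10.20.5.88"},
]

# Assumed inventory: machines joined to the school domain and the campus subnet.
DOMAIN_WORKSTATIONS = {"LAB-PC07", "LIB-PC02", "ADMIN-PC01"}
CAMPUS_SUBNET = ipaddress.ip_network("10.20.0.0/16")


def suspicious_logons(events, known_hosts=DOMAIN_WORKSTATIONS, subnet=CAMPUS_SUBNET):
    """Return (user, workstation, ip, reasons) for every successful logon whose
    workstation is not a known domain member or whose address is off-subnet."""
    findings = []
    for ev in events:
        if ev["id"] != 540:
            continue
        reasons = []
        if ev["workstation"].upper() not in known_hosts:
            reasons.append("workstation not a domain member")
        try:
            if ipaddress.ip_address(ev["ip"]) not in subnet:
                reasons.append("source address outside campus subnet")
        except ValueError:
            reasons.append("unparseable source address")
        if reasons:
            findings.append((ev["user"], ev["workstation"], ev["ip"], reasons))
    return findings


def guessed_then_succeeded(events):
    """Map (user, ip) -> number of 529 failures that preceded a 540 success from
    the same address: the footprint of a password being guessed, then used."""
    failed, hits = Counter(), {}
    for ev in events:
        key = (ev["user"], ev["ip"])
        if ev["id"] == 529:
            failed[key] += 1
        elif ev["id"] == 540 and failed[key]:
            hits[key] = failed[key]
    return hits


if __name__ == "__main__":
    for user, host, ip, why in suspicious_logons(SAMPLE_EVENTS):
        print(f"{user} from {host} ({ip}): {'; '.join(why)}")
    for (user, ip), n in guessed_then_succeeded(SAMPLE_EVENTS).items():
        print(f"{user} from {ip}: {n} failed attempt(s) before success")
```

Run against a CSV export of the Security log, the same two checks flag the off-domain, off-subnet logon the original poster found without reading the log by hand.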
All Replies
Since the Workstation Name and IP Address registered in the security log, could we say that a computer was brought onto campus and connected to the network? Or could that same Workstation Name and IP Address have still registered the same way in the security log if done elsewhere?
Also, if a proxy was used, are there any ways of preventing them?
Thanks for the replies.
- If you allow unauthenticated access to your network for basic protocols (80 - web browsing for instance), then yes.
You can get perimeter devices that block known open proxies - but it costs $ - just like two factor auth.
Oliver
- Where can I disallow unauthenticated access?
Thanks
- That's not an Exchange question, and really depends on how your network is set up for access. Do you know how it is set up?
Oliver
Oliver Moazzezi | Exchange MVP, MCSA:M, BA (Hons) Anim | http://www.exchange2007.com http://www.exchange2010.com http://www.cobweb.com |