<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://itproforum.lk/utility/FeedStylesheets/atom.xsl" media="screen"?><feed xmlns="http://www.w3.org/2005/Atom" xml:lang=""><title type="html">Paddy</title><subtitle type="html" /><id>http://itproforum.lk/blogs/paddy/atom.aspx</id><link rel="alternate" type="text/html" href="http://itproforum.lk/blogs/paddy/default.aspx" /><link rel="self" type="application/atom+xml" href="http://itproforum.lk/blogs/paddy/atom.aspx" /><generator uri="http://communityserver.org" version="4.1.31106.3070">Community Server</generator><updated>2006-04-17T12:01:00Z</updated><entry><title>IIS NetBIOS Errors if website is located on a Network Share</title><link rel="alternate" type="text/html" href="/blogs/paddy/archive/2006/12/05/1001.aspx" /><id>/blogs/paddy/archive/2006/12/05/1001.aspx</id><published>2006-12-06T07:10:00Z</published><updated>2006-12-06T07:10:00Z</updated><content type="html">Check my personal blog for the article

http://neoo2005.spaces.live.com/?_c11_BlogPart_blogpart=blogentry&amp;_c=BlogPart&amp;_c02_owner=1&amp;handle=cns!71EBEF49A1659406!146</content><author><name>Paddy</name><uri>http://itproforum.lk/members/Paddy/default.aspx</uri></author></entry><entry><title>Redirect Exchange virtual directory to the main web site</title><link rel="alternate" type="text/html" href="/blogs/paddy/archive/2006/11/27/980.aspx" /><id>/blogs/paddy/archive/2006/11/27/980.aspx</id><published>2006-11-28T00:45:00Z</published><updated>2006-11-28T00:45:00Z</updated><content type="html">In order to access Exchange OWA, users need to type the URL http://servername.domain.com/exchange, and I had a customer who wants to have just the main URL for Exchange OWA access (http://servername.domain.com). If you try to change the IIS default directory to point to the Exchange virtual directory, OWA stops working, so I found a small script to redirect the main page to the Exchange virtual directory without users typing the entire URL. With this, users can just type http://servername.domain.com and it will redirect the main page to the Exchange login page.

 

Create an ASP page using this script

==================================================

//
==============================================

Note: remove those forward slashes in front of %&gt;, save the ASP page in wwwroot or wherever your default web folder is, and set the default page to point to this page.

If you're using SSL, just change the port 80 to port 443.

Padman

If you don't see the code here, please visit my blog @ http://neoo2005.spaces.live.com/
</content><author><name>Paddy</name><uri>http://itproforum.lk/members/Paddy/default.aspx</uri></author></entry><entry><title>Hardening ISA Server 2004 </title><link rel="alternate" type="text/html" href="/blogs/paddy/archive/2006/04/17/273.aspx" /><id>/blogs/paddy/archive/2006/04/17/273.aspx</id><published>2006-04-17T19:01:00Z</published><updated>2006-04-17T19:01:00Z</updated><content type="html">An audit of the ISA 2004 server may reveal that it has not been hardened and that some attention has to be paid to this. This article will take the security professional through a step by step process of hardening ISA server 2004, focusing on the procedures necessary to assist in creating and sustaining a secure ISA Server 2004 environment. This involves the assessment of three categories which include securing the ISA Server computer, securing the ISA configuration and lastly securing the operation of ISA.

One of the main functions of ISA Server 2004 is to protect your network or other resources from attack by malicious users. ISA Server does an extraordinary job, yet it is recommended to take exceptional care in hardening the ISA Server computer in order to optimize this functionality and to secure the server itself and access to the ISA resources.

Hardening is the process by which one is able to enhance protection of the ISA firewall computer configuration as well as the operating system on which it is being run. 

Third party Pentesting
Penetration testing is an excellent way to discover holes in your system. This audit should be done by an experienced, well-versed third-party organization, and background checks on such an organization are essential. In fact, think about what would happen if a street hacker were to do your pentest and find a vulnerability: would he tell you or secure a backdoor for himself? Only the paranoid survive. Do not just trust an organization; do reference checks and background checks, it could save your organization. The pentest should uncover certain details that will help the organization when devising its security strategy.

Hardening the Windows infrastructure
One needs to consider how ISA server functions and harden the operating system in view of that. Look at services, drive permissions, local accounts, utility access and available programs. More information about this process is available at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/hardeningwindows.mspx (there is a document called Isaharden.doc; follow the link for additional information).

Step 1: Securing the ISA Server Computer
The initial step should be to analyze the obvious, which is to determine whether the ISA server computer is physically secure. Physical security is basic security; the lack of it can result in serious consequences, particularly because a malicious person with unauthorized physical access could cause physical harm and modification to the ISA server itself. Authorized physical access is also a concern if the authorized personnel are not well trained and modify hardware and physical characteristics without control. Further detail will be covered below.

Configurations can be applied to assure the physical safety of the computer. Once this is verified the security professional can begin to consider other underlying issues. The recommendations involved in securing the ISA server computer are:

Physically securing the computer
This is an obvious but very important aspect to analyze, as not having a physically secure computer is a high security risk, which could potentially lead to unauthorized access to the server and tampering thereof, influencing the integrity of the ISA server and potentially the network and any resource attached. To avoid this latent threat, one must ensure that the ISA Server computer is located in a physically secure environment which is always maintained and controlled, with emphasis on secure controlled access for authorized individuals only. Additional physical security measures like CCTV and logged physical access control are best practice. Auditing who has entered the secure location and proving that the individual has entered is just as important as the technical control itself.

Managing the updates
Service packs are applications that are released after the public release of a certain software product. If a product that has been released is found to have a flaw, a hot fix is developed for that product, and when the hot fixes are put together they form a service pack. The product does not function as it was intended without its service packs. Some service packs add functionality and rectify functionality that may have logic or circumstantial flaws. Security patches are also released occasionally to patch up software areas that have vulnerabilities and that programmers have not secured. Typically ISA server is not vulnerable to these flaws; it is a common misconception that because ISA is installed on Windows it is vulnerable, when it really is not. ISA firewalls all traffic to and from the local host. It does this by installing a lower level network communication LSP type software that intercepts all traffic. All traffic will be scanned by the ISA engine, and only if the traffic is allowed can the vulnerability be exposed and exploited.

Millions of users make use of the Windows platform daily and a multitude of these users are programmers and people with advanced technical skill. Some of these people like to stress test and find vulnerabilities within the Windows platform. When a vulnerability is found it may be days or even weeks before software vendors write an effective patch that is publicly released. This is especially true for alternate software that does not have the type of financial backing and support that commercial proprietary software has. The chance that your machine will be scanned and the vulnerability found is higher than you imagine. Whilst working at an extremely large ISP, the security manager showed me a brand new installation of an operating system on a desktop computer unpatched. Within ten minutes the computer had been scanned by other infected hosts and a worm had infected the computer. 

Solution:
Keep all machines on the network updated and check with Microsoft and other vendors on a scheduled basis for service releases to software that you may be running. You may wish to automate this process but testing of patches and results thereof need to be verified. Underestimating this function can cost your organization many hours of down time equating to losses. If you do not want to become a statistic, ensure that your machines are properly patched. 

Determining domain membership:
This only need be considered if the ISA server is going to be set up as a member of a domain. ISA server should never be run as a domain controller, although it can be, and on SBS (Small Business Server) some modifications make this possible. In some high security configurations, complete domain isolation may be a consideration. Remember that once a computer is part of a domain, it has access to the domain; even though that access may only be to verify accounts, it still constitutes a threat. An intruder will look for a computer that can do the dirty work, like doing lookups on a domain to verify user accounts and/or authenticate.

Account considerations:
Ensure that, if you are using Windows NT and above, your administrative account is secure. Renaming the account to something ordinary and then recreating another account named administrator is good practice. Giving that account the most restrictive privileges will give any intruder a challenging time if he does manage to gain access to your “bait” administrative account. However, an intruder who understands how the account information is displayed will quickly figure out the accounts with the highest privilege. Account authentication across a network, like from the ISA server to the domain controller, can be a major vulnerability if not properly secured. For this reason, in high security environments, it may make sense to have an exclusive network card for authentication to the domain so that traffic does not traverse the typical network that can be sniffed. In this environment, confidentiality of the user identity presents the major risk, and if the dedicated network card cannot be used, encryption should be looked at.

Certain accounts on the ISA server are not needed and this can be easily checked and audited. It is strongly recommended that the unneeded accounts be removed and not disabled. This should be done before ISA is installed. I strongly recommend that no other accounts are added at a later stage as this can introduce a physical security risk.


The ISA server system policy
Below are key ISA server system policy elements that need to be monitored and carefully configured to ensure a secure ISA system.

Network Services: these services are regulated by the system policy and should be carefully controlled in terms of access and what services are allowed.

Authentication Services: this defines how ISA authenticates. This is where and how you can ensure that the authentication is done through the appropriate server, and also where the extra network cards come in.

Remote Management: This element defines who can administer your server. Be very careful who you allow access to the ISA server, as misconfiguration of this element will result in compromise. It is recommended that a static IP address mapping or a defined user group for remote admin be used here. Think carefully about remote admin.

Firewall Client Share: if you need this feature then I would rather setup a share on another server. Note only the internal network has access to this feature in any case and it can be controlled from the system policy.

Diagnostic Services: Only for authorized personnel, alternatively only for your segmented administrative network. This may be a private network that is used by the IT professionals.

Managing roles and permissions: Care must be taken when assigning permissions to the ISA Server computer and its related components because ISA Server controls access to the network. This can be accomplished by careful determination of the configuration and the logon rights, relative to authorized professionals who log on to the ISA Server. ISA Server enables this by allowing the application of administrative roles to users and groups. 

Administrative Roles: When auditing this, make sure that it is buttoned down. When defining the permissions for the ISA server, the security professional needs to pay special attention to the roles of the ISA Server administrator. ISA Server makes this process simpler by providing a range of user roles which distinguish what each user may do. The following user roles can be applied:

ISA Server Basic monitoring:
This role enables a professional to monitor the ISA Server computer and network activity, but does not allow one to configure specific monitoring functionality. This should be part of your hardening process as you can find additional aspects that need to be looked at whilst you monitor the ISA server. 
ISA Server Extended Monitoring:
This role enables one to perform all monitoring tasks, including log configuration, alert definition configuration, and all monitoring functions available to the ISA Server Basic Monitoring Role. This role is for advanced interaction with the ISA server. 
ISA Server Full Administrator:
This role allows one to perform any Server task, including rule configuration, applying network templates and monitoring.


Reducing the potential attack surface
One can further secure the ISA Server computer by reducing the attack surface. This can be obtained through the following:

Remove or disable unnecessary applications and services on the ISA Server computer. This raises the question of antivirus. It is needed, but you need to make sure it is carefully tested and that it is server class AV, the reason being that most vendors have personal firewalls and other modules that tamper with ISA’s functionality.
Disable any ISA Server features that are not in current use. 
Disable any system policies associated with services not being utilized to manage your network. 
Limit the applicability of the system policy rules to required network entities only.

Step 2: Securing the ISA Configuration

To ensure that the ISA configuration is secure the ISA professional must validate the configuration after an upgrade, for example when moving from ISA 2000 to ISA 2004, as different versions incorporate different policies. The Firewall policy should also be validated, that is if a firewall policy is created by the ISA professional and the default policy is not utilized. The firewall policy should be checked to identify whether the correct traffic is being allowed through and to confirm that no unnecessary ports are open. ISA Server, by default, implements a default firewall policy rule named Default Rule. This policy rejects access by all unauthorized users to all networks.

ISA can also be used as a virtual private network (VPN) server. It is imperative to make certain that the ISA server is secure when being used as a VPN server, as it must be protected against any unauthorized entry into the network. To secure the ISA server when it is being utilized as a VPN server, the following can be undertaken:

Use Layer Two Tunneling Protocol over Internet Protocol security connections
Control the operating systems being used by the remote VPN clients by allowing usage of only certain selected ones
Use the ISA Server Quarantine Control feature. Utilizing this feature allows time to verify the users accessing the network, so that corrections to unauthorized users can be undertaken before a potential attack occurs.

Another concern when using ISA Server as a VPN server is that it is not secure against attack by viruses which infect the ISA Server through a virus-infected VPN client. This potential attack can be prevented through various virus protection methods. This procedure incorporates the implementation of monitoring to detect irregularities, and the design of notifications such as e-mail messages to notify the ISA professional of the potential attack. If an infected VPN client computer is identified, it can be dealt with by excluding the user from the VPN clients authorized to connect, through one of two approaches: restricting VPN access by user name or by IP address.

The VPN should be authenticated to ensure better security. This is achieved through the use of various authentication protocols.

Another feature incorporated by ISA server, which secures the ISA configuration, is that it allows the ISA professional to control the number of connections being made to the server at any moment. The connection limit can be adjusted to suit the specific client requirements; once the predetermined limit is reached, any subsequent connections will be denied. It is recommended that the smallest number of connections be allowed to maintain a secure environment.

Step 3: Securing the operation of ISA

The third step is to determine how to deploy the network infrastructure secured by the ISA Server.

Remote network access
Restrict dial-in access to trusted and authorized users and limit the functionality of the users from remote locations. Policies can be designed in such a way that user activity will be traced. When accessing a network remotely, a VPN is a secure method that can be used and trusted. Data that travels over a VPN connection is much less susceptible to interception than normal PPP connections over the PSTN networks. In high security environments, put systems in place that require credential validation for any resource that is accessed remotely. Client side certificates can be used and strong password authentication methods should be applied. Remote access remains one of the weakest links in network security if incorrectly implemented and, in many cases, is just the break intruders are looking for. 

Antivirus
Antivirus software settings need to be set to the most restrictive. This ensures that any form of malicious virus activity is not tolerated. When selecting your AV software, test it with your ISA server configuration and ensure that the AV software is server class.

Intrusion detection / prevention.
Intrusion detection is a vital part of hardening the Windows network, and various intrusion detection products exist that can aid an organization in the detection of unwanted intruders. For a comparative analysis of IDS, see www.windowsecurity.com

Services installed
Services run on most Windows machines as registered processes. These services are what intruders attempt to find vulnerabilities within. Disabling any unused services is good practice and leaves less for intruders to find exploits within. It also puts less strain on the hardware and requires less monitoring.

File system
File systems should be installed on secure machines with the highest form of file security. NTFS is a strong, secure file system that lets the administrator and user control access to files that have respective assigned permissions. The data on the drive is not as vulnerable as it would be if it were on a FAT partition. In the same breath, a few companies have developed software that is able to read files on NTFS partitions whether permissions are assigned or not. By default, NTFS is needed for the ISA cache file; I would recommend the highest security file system settings when installing ISA.

BIOS
Assign a password to the BIOS. If an intruder gains physical access to the ISA server and wants to change the boot order of the drives within the server computer, he will first log into the BIOS and change the order to boot off of the CD-ROM. The utilities that let a user gain access to the machine are typically on a CD-ROM. Assigning a password to the BIOS adds a small extra level of security. If the user cannot gain access to the inside of the computer because it is physically restrained, the BIOS also cannot be reset and then remains locked. Please note that some BIOS manufacturers have master passwords that override any previously entered passwords. It is a good idea, when choosing the hardware, to choose a vendor that doesn't have master password capability.

This is a common physical access attack, so restrict the access or consider getting an ISA server appliance that only allows remote access.

Booting drives
When assigning the drive to boot, ensure that only the C: drive has the booting capability, as other drives like CD, floppy disk and flash disk drives provide an avenue for attack. Intruders may need to install or load third party applications, and by booting around the operating system this may be possible. Many security professionals secure the operating systems and overlook the underlying booting and removable disk options.

Backups
In any organization business continuity should be part of the disaster recovery strategy and backups will be part of this ISA server security strategy. All ISA configurations should be backed up and should be restored frequently on test systems. Backups are important and it is vital that the media is stored offsite. Storing backup media onsite will not help in a situation where a physical disaster destroys the site. Offsite storage is needed in situations that require an extra level of data security.

</content><author><name>Paddy</name><uri>http://itproforum.lk/members/Paddy/default.aspx</uri></author></entry></feed>
