Securing your servers, users and customers online
Anything facing the Internet is a potential target for anyone who wants to gain access or disrupt your data operations. If it’s here, people will try to get in or make it stop working.
That’s just the way it is and I’m sure you’re aware of it.
There’s different methods for the attacks actually, they could be a DOS attack, a DDOS attack , SYN Floods, Man In The Middle, 0day attacks , to name a few
The motives behind any of these could be a number of things such a hacktivism, former employees or even current ones, script kiddies just fooling around, organized crime, extortion, theft of company secrets and so on.
Just take your pick really.
Here’s a thingy I wrote about the anatomy of a hacking attack
You need to make a SWOT analysis and have a Business Continuity Plan (BCP) in place for the different scenarios actually.
It sounds expensive (and, yes, it can be) but the day you servers are under attack, you’ll be happy you took the time to create one.
Trust me. So will your CEO be. Maybe he’ll also read this post about hacking yourself ..
You should also consider having a Incident Management Plan and process in place ..
Kind of prequels to this post , I’ve also written a few about securing data centers from various aspects:
A few of the different techniques then .DOS, DDOS , Brute force, Synflood. MitM etc
The methods of taking down a server vary.
As with everything else in the real world, there are different tools to get the same job done, it’s basically a matter of taste and skill and how much time the attackers have on their hands.
If you’ve pissed of a state , you’re probably going to have an extremely bad day since they do have extensive resources to keep you “offline” for as long as they want really.
So, don’t go around pissing of states or at least, use the Dark Web for that.
For instance there’s SYN flooding , basically equivalent to old school prank calling,
Send a network packet to the server announcing you want to “speak” , the server responds but no one is there to continue the “conversation” .
If you do this a few hundred thousand times, the server will have quite a few “phone calls” to attend to and therefore can’t actually be bothered with picking up the “phone” for the legitimate “calls” thus making a DOS attack meaning “Denial of Service”, the server can no longer service what it’s meant to service, that being your users or customers.
DOS and DDOS Attacks
A DDOS (Distributed Denial of Service) attack is kind of the same thing , the main difference being that its spread out over an extremely large number of computers around the world doing the same thing , making it very difficult to manually block each and every one of them in the firewall manually.
These computers are usually part of something called botnets and the users of these computers are rarely aware even of them being a part of it. In this scenario you need to contact a lot of people and get it sorted, for instance your ISP, the server guys and firewall guys and you need to have a look at the BCP.
What do we do when this happens and so on.
Do we move the servers, up the bandwidth, go out of business, wait until it passes and so on ? You need to have a plan in place for it.
MITM, Man in the Middle
Using MITM (Man In The Middle) attacks is also popular method if you haven’t secured your server and your communications with valid SSL certificates.
Quite a few actually use self-issued certificates on the websites and on their OWA site and that’s not a good thing.
When someone who knows what they’re doing connect to a site that has a self issued certificate the first thing that comes to mind is ..”hmm .. these sysadmins are cheap and lazy and I’m fairly sure they just set this server up using default values.. let’s have a look, eh?” .. )
The problem is that there’s actually no real way for the connecting computer to validate that the site it is connecting to actually is the site it’s hoping for.
It might as well be someone claiming to be that site since the certificate used can’t be validated by a third party (the “Trustad Authorities”).
This way , phishing attacks (“phising” is when you “phish” for a users valid credentials to use them later at the users real websites)
It’s absolutely no guarantee even if you do use a valid certificate since also the “Trusted Authorities” can be hacked and therefore all of their certificates can be compromised (yes, it’s already happened a few time in the past year, GoDaddy, Verisign and even Microsoft themselves realized they had a bug in how Windows Update actually validates that it is connecting to the Windows Update site and nowhere else.)
Brute force attacks
Another method of rendering you server useless is to use a brute force attack on the usernames (sometimes also known as a “dictionary attack” ) .
If you know the naming convention of the usernames used at the company (quite often as easy as the email addresses of the employees or compaynameusername) you can keep on pounding the server with valid usernames and wrong passwords , hopefully rendering the user accounts to become locked out all the time by triggering the Account Lockout Policy. An easy entry point to this is the .. *tadaa* .. yes, you guessed it, the Microsoft Exchange Webmail/OWA interface (or for instance a Sharepoint login interface) .
Us Tekkies might be good at tekkie stuff but we do lack imagination when it comes to naming stuff. And we are lazy 🙂
It’s not that difficult to find out what mail server a company is using (easiest way is to use the NSLOOKUP command and search for the MX record, start a telnet session to the server and see what it presents itself as . It’s usually in cleartext what kind of server you “talking” to )
Once you know this , you also know a few other things automatically.
By default , there are two valid usernames in a Windows Active Directory (I will stick to 2008+ AD here)
First, it’s the older naming that quite a few still uses. This is the COMPANYNAME\USERNAME naming convention .
These usernames can be difficult to guess , it could be the users first name (COMPANYNAME\SAMUEL) or the the first characters of the first name and surname (COMPANYNAME\SAMSOM) an employeenumber etc
It’s basically more or less a question of how large the company is.
The larger the company, the longer the username probably but also , much more standardized in naming since otherwise it becomes an administrative nightmare for the system administrators and we are a lazy bunch really. We want to be able to find our user quickly and and easily in order to support them and keep track.*grin*
The easier approach is to attack the user account using their mail addresses.
Quite a few sysadmins don’t realize that the mail address is also a valid logon name since they are used to thinking of logins using the the old naming convention.
Since they also want to provide access to webmail , and usually, 97 times out of a 100 (no, I just guessed a number, I have no statistics to support it, it’s just a gut feeling, ok ? ) they don’t require any special VPN software for their user to access the webmail (OWA) interface since the whole idea is to let users easily connect to their mail, wherever they are.
This means that the OWA interface is reachable for the entire world to try and login into and thus leaving you open for DOS, DDOS, brute force attacks and so on .
SPAM and overload
There’s also so the various methods of overloading our server with SPAM and viruses.
It’s not unusual to use the secondary MX record (which is used for failover in case the usual mail server has some issues) for your mail domain actually. Most companies that have secondary MX in place have a more or less effective defense on the primary MX but the secondary is often forgotten and is a popular way to over flood a server with various SPAM.
Quite often , they’ve set it up in the way that the primary MX might point to the secured, external provider or the secured, primary mail server interface and the secondary points directly to the mail server, thus not taking the way through the washing and security mechanisms in place but instead be delivered directly to the mail server.
Or, what if a sends an email with a zip file that consist of 1 billion zeros and the digit 1 ? The antivrus will try to unpack it , reads it into memory and then what ? Fills it up ? I don’t know, an old friend of mine had that idea actually but we never tried it out.
It is a cool idea though 🙂
There’s of course also all the Phising , malware etc constantly being sent to users..
A few countermeasures then.
So , what can be done then?
Should you close down the OWA / webmail interface?
Stop using email?
Revert to faxing?
No, of course not
Here’s a few pointers on what I’d suggest on securing and managing your Exchange servers.
It’s not all the tricks in the book and I’m sure I’ve missed out on quite a few ones really but it’s a start I guess.
Just, remember, there is no such as thing as absolute security.
Less is more
Minimize the attack surface behind a good firewall that can deal with the SYN Floods and port scans and stuff.
Be cautious not to open up anything more than what’s absolutely necessary to and from the outside world.
Use local firewalls also!
If you’re using an external “mail cleaning service”, don’t allow port 25 from any other IP/IP ranges than them. If your users are to use your Exchange Server for relaying , set up a connector with SSL and SMTP authentication on other port and enable logging on it.
Also, best practices is to use a DMZ (Demilitarized Zone) for any of your serevr facing the Internet although when I start to think of , I’m not sure if that’s necessary.
There’s different opinions on the matter really. The idea is to have the attacker not being able to come in further into you network, should they succeed in gaining control over the server on he DMZ.
Unfortunately, I’m fairly sure that somewhere on those servers there are administrator passwords and stuff that’s useful knowledge for further access into your network.
SSL – Keep it Encrypted
Get valid, proper, shiny and bonafide certificates for your communications. It’s not costly (dude. it’s even free these days) and not complicated to implement.
It’s mainly the hassle of you having to remember when to renew them, otherwise stuff will stop working when they expire. You also do need to remember to disable old cryptos and so on (link in Swedish though) .
Have a look at Letsencrypt for most of your SSL certificate needs.
It’s free (yay!) , works fine and is supported by most and it’s even your CEO’s favorite price tag.
Brute force prevention
Use an automatic brute force prevention software ( I can recommend you some that can block attacks on RDWeb, RDP, Exchange Webmail, FTP, Citrix., basically anything that uses Windows Authentication or help you set it up if you like)
You simply need this to get rid of the attacks where username/password is hammered onto you servers (brute force attacks/dictionary attacks) . (I’ve written an earlier entry on why firewalls, VPN, account lockout polices and so on aren’t enough here:
Account Lockout Policies
Enforce an Account Lockout Policy and enforce complex password.
Yes, people will hate you but they will hate you even more if someone actually succeeds in hacking your users data.
Have a look at the link above about Account Lockout Policies though.
Do not have local users more than necessary on the Exchange Server itself.
MFA / 2FA
Someone pointed out that I didn’t mention MFA/2FA anywhere and yep.
An oversight simply.
As stated , not the Gospel of security or even checklists. Just a list 🙂
MFAs (multi Factor Authentication) are cool and can be a part of the puzzle.
The downsides are that users are (usually) dependent on an additional device to be nearby and charged So, forgetting your phone at home or it not being charged can hinder you a bit .. and calling the helpdesk / support might be hard to manage since they can’t call you back for verification.
In many of these solutions there are also licensing costs involved but still, they can absolutely be a part of the puzzle.
Of course it doesn’t solve any misconfigurations in the systems such as file permissions, user rights etc but as a first step.
File permissions, unnecessary files, default files
Verify all of the websites with the NTFS permissions when it comes to file access, remove the IISTART.html from the root and remove any default .HTML and .ASPX pages that don’t need to be there..
Don’t let he attackers realize you’re lazy and using default values everywhere.
I’ve seen so many servers withe default start page on IIS and that’s just not right.
Verify also you’re not open for relaying ( this is usually default nowadays) .Anything that is installed by default by the IIS , take good look at it and decide if it really needs to be there, If not remove it!
Also make sure your servers are set correctly in regards to SPF (yep, link in Swedish) and not to accept emails from your own domain from anywhere else than the servers you actually can control and validate.
Redirect all of the 404 and other serious html errors to somewhere else. Google, your worst competitor, your mother-in-law, 127.0.0.1 (that’s actually a fun one, you redirect the traffic to the attacker instead) .
Well, anywhere really , just get rid of the traffic from your own site.
A lot of 404 errors could mean that someone is trying to find out stuff about your server and if you have any default installed scripts or pages in place that can be used to gain access to your server or just checking out where to point an overload attack for instance by having 100 000 computers download the same picture .
Antivirus of course.If you’re not using one today, well.. maybe you shouldn’t be reading this at all but you should be out looking for another job really.
I hear there’s good money in flipping burgers.
I’ve used most of them , some are good and some .. well , just aren’t. For the moment I do use Fsecure or Trend a lot.
I’m not a big fan of McAfee due the fact they’ve released a few .. not so good updates the recent years that crashed servers around the world.
I’m sure they have a great product, it’s the product testing and quality verification that needs improvement.
Just remember , the same thing goes for antivirus as for 0day attacks, if you antivirus provider hasn’t released any protection against that virus you just got into your system , there’s not that much you can do about it, more than start cleaning your server once you the antivirus updated or even restore your server to a state prior to the virus.
These days there are also a few other approaches to finding viruses such as Sentinel One that’s not signature based.. Very cool actually.
Still, an antivirus is not the single point of protection.
Common sense is the best antivirus protection in the world.
Online SPAM filters etc
Also, as a complement, use an online service also that filters all of your incoming and outgoing mail from viruses and SPAM and also have you secondary MX records point to it.
Usually these services also hold you mail in queue if they cant’ be delivered, buying you time to change the IP addresses or server if you are under attack and not losing any mails.
Set up DNS Blacklisting and DNS GREY Listing.
It’s not very complicated to do really and you do get rid of a lot of unwanted traffic.
Don’t use the “validate reverse DNS” options since a lot of companies haven’t actually set it up correctly so you’ll just risk not getting email from them.
The idea is good but it doesn’t work in real life.
Enable logging on the connectors and basically enable logging on everything. READ!! the log files.
Don”t just turn on logging and let it be.
At least once a day , have someone read the (or script queries against the log files ) and see what’s really going on. Search for anything out of the ordinary.
Remember to check your mail queues on a regular basis If you’re starting to have loads of undelivered mail to and from various domains you could actually have a DNS server that’s under attack , not being able to service your Exchange server with required information .
On the subject of DNS servers. There’s absolutely no point in having your DNS servers reachable through the firewall thus enabling attackers to flood it with DNS queries and UDP floods.
Also, you external DNS server needs to be secured!
Have a word with your ISP or whoever is running the external DNS server and see what they’ve got in place.
Patching / updating
Patch you servers with all of the security patches that are released. Do it as quickly as possible. There’s is absolutely no defense against 0day attacks.
A 0day is a security bug in the software of the server your running and they vary on how much impact they may have. The name comes from that it is day 0 of it’s public release and the manufacturer, in this case Microsoft, hasn’t released any patch against it leaving you vulnerable no matter what you do.
Some of them are even just a nifty way of adding stuff (specific strings ) to the URL or the service the attacker wants to reach and bypassing all of the built in security by “fooling” the server.
Whatever they do, keep track of when they surface and see what can be done to mitigate them.
Disable services that don’t need to be running, DHCP client and stuff. Although they’re not reachable from the Internet , they quite often are reachable from the inside and should you have an attacker on the inside of your network or a virus infected computer , you might be having a bad day.
Minimize attack surfaces, once again
Keep the server resources to actually servicing what they’re supposed to instead of having unnecessary stuff in RAM / CPU .
This is of course valid for any servers, Citrix, terminal servers, domain controllers, Sharepoint and so on.
I’m fairly sure you’ve set the ActiveSync functionality for your users since it is an effective and easy way for them to synchronize their iPads, iPhone, Androids and so on .
Beware that you also remember to periodically check the various devices associated with the users.
If you’ve got a user synchronizing more than 10 devices at the same time from different parts of the world, well.. either he or she is really into gadgets or their user validation information may have leaked (username / password)
If someone quits the company, be sure to use the mechanism for clearing the remote device from calendar entries, contacts and email using the built in mechanism in the Exchange server (it’s really easy to do ) . And, of course, if a user reports they’ve lost the devices, same thing, Clear the old device and unpair it from the Exchange server.
Unfortunately, users don’t always tell you when they’ve lost stuff .
They just buy a new gadget, set it up, synchronize and don’t think twice about the old one and what i actually contains.
Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP)
A bit off topic but it has to do with BCP mentioned earlier.
Be sure , please, be supersure even , you have adequate backups , containing multiple generations of data and have at least three or four of theses complete generations stored offisite in some way. Using an online backup service or just moving your tapes/disk manually out of the building. Test your DR Plan (Disaster Recovery plan (link in Swedish, sorry) at least once a year to verify that your backups contain all you need if something happens.
Be sure o have an updated technical description of how to restore your entire environment.
- In which order?
- Onto what hardware/virtual machines?
That’s six quite easy questions that sum up what that technical restore plan should contain.
It should be able to be read even be outside consultants in case of your entire IT department got killed in a freak barbecue accident the night before.
Keep it simple but detailed.
Include all necessary background info such as server configurations, IP plans, passwords and where the data is stored. a Network map explaining dependencies might also be useful.
Don’t use in house mumbo jumbo and nicknames describing various systems and stuff.
Write your DRP (link in Swedish, sorry ) from the perspective that you’re gone (in the freak barbecue accident) and the person reading it has never ever heard of your internal system before.
If you don’t have all of these things in place, the day something really happens you will regret you didn’t take the time to do it. Trust me. I’ve worked as a Disaster Recover Technician and Consultant at SunGard Availability Services in Sweden for 8 years .
I’ve seen grown men cry…
Unless it’s not for the unexpected death of their favorite dog or a lost game for their favorite sports team , it’s just not a pretty sight and makes everyone a bit uncomfortable.
Monitoring and inventory
Also a bit off topic but still important. Be sure to have a good monitoring on the hardware aspects of your server and operating system aspects (running services, disk space used and so on ) .
Personally I’m fond of Spiceworks för monitoring server health, licenses and inventory but it all boils down to resources and taking the time to set it up.
As long as you have some working monitoring and someone who actually deals with the alerts that come up.
Newsletters. Stay informed
Sign up for the Microsoft Security Bulletin newsletter (and all similar that has to to do with your environment).
Stay up to date and up to speed on what’s going on out there.
Being a sysadmin is not a 9-5 job, it’s a lifestyle.
The ones who do all of these things will be better protected once they’re attacked.
And onto the unmasked commercial part then ..
I do have a few ideas on how to mitigate most of theses scenarios so …
if you’re up for it, you’ve got a good feeling about me as a tekkie .. well ..
just drop me an email or use the contact form to the right and we’ll take it from there?
Considering the wonders of technology, it doesn’t matter if your’e on the other side of the world or next door (which in my case happens to be in Stockholm, Sweden)
Most things can be sorted and dealt with remotely but I do love to travel 😉