The EXPTA {blog}
Random musings of an IT Systems consultant
Monday, June 23, 2008
Friday, June 20, 2008
Using Exchange 2007 Header Firewall
Each time an SMTP email is passed from one server to another, the receiving server records the hand-off in the SMTP headers of the email. This is usually recorded like this:
Received: from ex01.companyabc.com (10.12.1.81) by edge.companyabc.com (12.5.1.168) with Microsoft SMTP Server id 8.1.278.0; Fri, 20 Jun 2008 15:17:46 -0700
Customers often do not like their internal email infrastructure exposed in the SMTP headers, for security reasons. Every hop adds a line like this one, so by the time a message reaches the Internet its headers list the internal host names, internal IP addresses and SMTP server versions along the way, all of which is useful reconnaissance for targeted attacks. In the example above, "Microsoft SMTP Server id 8.1.278.0" tells me that edge.companyabc.com at public IP 12.5.1.168 is running Exchange Server 2007 SP1, and the same line reveals the internal server ex01.companyabc.com at 10.12.1.81.
You can remove this information from the SMTP headers on Exchange 2007 using a feature called Header Firewall. This is done with the Remove-ADPermission cmdlet in the Exchange Management Shell, run against the Internet-bound Send connector. If you use Exchange 2007 Edge Transport server(s), run the following one-liner:
Remove-ADPermission -id "EdgeSync - companyabc to Internet" -User "MS Exchange\Edge Transport Servers" -ExtendedRights Ms-Exch-Send-Headers-Routing
Note: Replace "EdgeSync - companyabc to Internet" with the name of the Internet bound send connector. You can run the Get-SendConnector cmdlet to display the names of all the Exchange send connectors.
For Exchange 2007 implementations that do not use Edge servers, use the following:
Remove-ADPermission -id "companyabc to Internet" -User "NT Authority\Anonymous Logon" -ExtendedRights Ms-Exch-Send-Headers-Routing
Again, replace "companyabc to Internet" with the name of the Internet bound send connector.
What the cmdlet actually does is remove the Ms-Exch-Send-Headers-Routing extended right from the Send connector's ACL for the security principal whose session delivers the outbound SMTP. For Edge Transport servers that principal is MS Exchange\Edge Transport Servers; when Hub Transport servers send straight to the Internet it is NT Authority\Anonymous Logon. Without that right, Exchange strips the routing headers (the accumulated Received: lines) from the message before it leaves the last Exchange server, so the email appears to have originated from that server. Two caveats: the receiving organization's mail server still adds its own Received: line naming the public address of your last hop, so this hides the internal path rather than the sending server itself, and the recipient's copy no longer carries the internal hop trail, so rely on your own message tracking logs for troubleshooting. Check the result by sending a message to an external mailbox and reading its headers.
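The following script is an added example and is not part of the original post: it wraps the Remove-ADPermission one-liners above so that the connector name is validated first, the right is only removed if it is actually present, and the ACL is re-read afterwards with Get-ADPermission to confirm the change. The connector name, the -Edge switch and the function name are this example's own choices; run it from the Exchange 2007 Management Shell.

```powershell
# Added example, not from the original post: remove the
# Ms-Exch-Send-Headers-Routing right from an Internet-bound Send connector
# and verify the change. Connector names are placeholders; list yours with
# Get-SendConnector.
param(
    [Parameter(Mandatory = $true)]
    [string]$ConnectorName,            # e.g. "companyabc to Internet"
    [switch]$Edge,                     # use for the EdgeSync connector served by Edge Transport servers
    [switch]$WhatIf                    # preview without changing the ACL
)

$right = 'Ms-Exch-Send-Headers-Routing'

# The ACE to strip belongs to whichever principal's session delivers the
# outbound mail: the Edge Transport servers, or anonymous (the Internet) when
# a Hub Transport server sends directly.
$principal = if ($Edge) { 'MS Exchange\Edge Transport Servers' } else { 'NT Authority\Anonymous Logon' }

# Fail early on a mistyped name rather than edit the wrong object.
$null = Get-SendConnector -Identity $ConnectorName -ErrorAction Stop

function Get-RoutingHeaderAce {
    # Returns the Allow ACEs on the connector that grant Send-Headers-Routing
    # to the given principal (empty when the header firewall is already active).
    param([string]$Connector, [string]$User)
    Get-ADPermission -Identity $Connector |
        Where-Object {
            -not $_.Deny -and
            "$($_.User)" -like $User -and
            (@($_.ExtendedRights | ForEach-Object { "$_" }) -match 'Send-Headers-Routing')
        }
}

$before = @(Get-RoutingHeaderAce -Connector $ConnectorName -User $principal)
if ($before.Count -eq 0) {
    Write-Host "'$principal' has no $right on '$ConnectorName'; nothing to do."
    return
}

Remove-ADPermission -Identity $ConnectorName -User $principal `
    -ExtendedRights $right -Confirm:$false -WhatIf:$WhatIf

if (-not $WhatIf) {
    $after = @(Get-RoutingHeaderAce -Connector $ConnectorName -User $principal)
    if ($after.Count -eq 0) {
        Write-Host "Header firewall enabled on '$ConnectorName' for '$principal'."
    } else {
        Write-Warning "$right is still granted on '$ConnectorName'; check for inherited ACEs."
    }
}
```

Save it as, say, Set-HeaderFirewall.ps1 and run `.\Set-HeaderFirewall.ps1 -ConnectorName "companyabc to Internet"` for a Hub Transport deployment, or add `-Edge` for the EdgeSync connector; `-WhatIf` shows what would be removed without touching the ACL. After the change, send a message to an external mailbox and confirm that the Received: lines for your internal hops are gone while the external recipient's own Received: line still names your edge server.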
Labels: Microsoft Exchange 2007, Security, tip
Monday, June 9, 2008
Pre-Conference Session with Marcus Murray
Monday I attended the pre-con session, "Step-By-Step Guide to Hack-Proofing Your Microsoft Network" by Marcus Murray. Marcus is a security rock star! Very funny and engaging.
Last year he scared the hell out of me when he demonstrated how easy it is to compromise a system and domain. Since then, I've unplugged the network cables from all my servers as a security precaution, but I'm sure that would only slow him down a little.
The session was very good, but it was a little slower paced than I was expecting and hoping for. The basic security concept is "you can't fix stupid." If the users have elevated rights (by that, I mean running with more permissions than they need to do their work), it's very easy to compromise their machine and use it as a springboard to the rest of the network.
The takeaway is this: You must kill your users. Kill zem all.
Friday, June 6, 2008
New Certifications

May 2008 was a busy month for me.
In addition to writing a book, I passed five exams in the first three weeks and earned my MCITP: Enterprise Messaging Administrator (the premier Exchange 2007 administrator certification) and three MCTS certifications (SCOM 2007, Forefront and Exchange 2007).
That makes 34 exams in a row that I've passed without failing, including my CISSP. Yes!! The streak remains unbroken!
I've put together a certifications page that lists the current certifications that I hold, which I'm rather proud of.
Tomorrow I'm off to TechEd and I can't wait! I'll be blogging at least once a day while I'm there. Check my blog all week. If you're going to TechEd yourself, I might meet you at the TechEd Blogger Ultra Lounge. See you there!
Labels: certifications, Exchange, Forefront, Microsoft, Microsoft Exchange 2007, SCOM, Security, Vista, Windows
Monday, March 3, 2008
Automatically Reset the FTP Service in Windows Server 2008

@echo off
REM Bounce the IIS 6 FTP service; the ping to loopback is a roughly ten second pause
net stop msftpsvc
ping -n 10 127.0.0.1 >nul
net start msftpsvc
- Right-click Task Scheduler (under Configuration in Server Manager) and select Create a Basic Task
- Name the task, "Reset FTP Service" and click Next
- Choose When a specific event is logged as the Task Trigger, click Next
- Select Log: System, Source: IIS-FTP, and Event ID: 100. Click Next
- Select Start a program and click Next
- Enter C:\Scripts\ResetFTPService.bat for the Program/script and click Next
- Click the checkbox for Open the Properties dialog for this task when I click Finish and then click Finish
- In the Properties window select Run whether user is logged on or not and Run with highest privileges
- Click OK
- Enter the User name and Password for running this task
This causes the ResetFTPService.bat batch file to run whenever an event ID 100 with source IIS-FTP is logged in the System event log.
Remember, this will not work with the Microsoft FTP Publishing Service for IIS 7.0 because this service strangely does not log failed logon attempts to the event log. I've posted a request to the IIS7 team for this functionality.
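The same task can be registered from the command line, which is easier to repeat across servers than the wizard. This script is an added example and not from the original post; it uses schtasks.exe, which is built into Windows Server 2008, with the task name and batch path the post uses. One caveat worth keeping in mind: the trigger fires on every IIS-FTP event ID 100, that is on every failed logon, so a stream of bad passwords keeps bouncing the service (Task Scheduler's default of not starting a second instance while one is still running limits how often that can happen, but does not prevent it).

```powershell
# Added example, not from the original post: register the event-triggered
# "Reset FTP Service" task with schtasks.exe instead of the wizard.
$taskName  = 'Reset FTP Service'
$batchPath = 'C:\Scripts\ResetFTPService.bat'

# Write the batch file from the post if it is not there yet.
if (-not (Test-Path $batchPath)) {
    New-Item -ItemType Directory -Path (Split-Path $batchPath) -Force | Out-Null
    @'
@echo off
net stop msftpsvc
ping -n 10 127.0.0.1 >nul
net start msftpsvc
'@ | Set-Content -Path $batchPath -Encoding Ascii
}

# XPath form of the wizard's "Log: System, Source: IIS-FTP, Event ID: 100".
$filter = "*[System[Provider[@Name='IIS-FTP'] and EventID=100]]"

# /SC ONEVENT with /EC (event channel) and /MO (XPath query) is the
# "When a specific event is logged" trigger; /RL HIGHEST is "Run with highest
# privileges"; /RU SYSTEM runs it as LocalSystem, so no account password has
# to be stored with the task.
schtasks.exe /Create /F /TN $taskName /TR $batchPath /SC ONEVENT /EC System /MO $filter /RU SYSTEM /RL HIGHEST
if ($LASTEXITCODE -ne 0) { throw "schtasks failed with exit code $LASTEXITCODE" }

# Show the stored trigger and action to confirm what was registered.
schtasks.exe /Query /TN $taskName /V /FO LIST
```

Run it from an elevated PowerShell prompt. To test the trigger without waiting for a real attacker, make one deliberately failed FTP logon against the server and watch the System log and the task's Last Run Time in the /Query output.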
Labels: Hacking, IIS, scripts, Security, tip, troubleshooting, Windows Server 2008
Tuesday, February 12, 2008
New File Extensions Blocked in Outlook 2003 SP3
After several months of testing, a client recently deployed Service Pack 3 for Microsoft Office 2003 to nearly 10,000 clients via WSUS. They have a scripted routine that they follow during testing of patches and updates to ensure that there are no interoperability issues, but of course, you can't test everything. I mean, how are you going to know that a certain update will prevent an HP 4200 printer from feeding from the secondary paper tray? And yes, I've actually seen that happen.
Well, shortly after deployment they started getting complaints that emails with links to Public Folders (XNK files) couldn't be opened in Outlook 2003. Could it be that Microsoft actually did this on purpose? After an hour or so of re-reading all the scattered documentation for Office SP3, including Information about certain file types that are blocked after you install Office 2003 Service Pack 3 and the Downloadable list of issues that the service pack fixes, I couldn't find anything that documented this change.
I opened a case with Microsoft and found that not only are XNK extensions blocked, but several others are as well. Here's an unofficial list of the extensions blocked by Outlook 2003 SP3:
| File Extension | File Type |
|---|---|
| .ade | Access Project Extension (Microsoft) |
| .adp | Access Project (Microsoft) |
| .app | Executable Application |
| .asp | Active Server Page |
| .bas | BASIC Source Code |
| .bat | Batch Processing |
| .cer | Internet Security Certificate File |
| .chm | Compiled HTML Help |
| .cmd | DOS CP/M Command File, Command File for Windows NT |
| .com | Command |
| .cpl | Windows Control Panel Extension (Microsoft) |
| .crt | Certificate File |
| .csh | csh Script |
| .der | DER Encoded X509 Certificate File |
| .exe | Executable File |
| .fxp | FoxPro Compiled Source (Microsoft) |
| .gadget | Windows Vista gadget |
| .hlp | Windows Help File |
| .hta | Hypertext Application |
| .inf | Information or Setup File |
| .ins | IIS Internet Communications Settings (Microsoft) |
| .isp | IIS Internet Service Provider Settings (Microsoft) |
| .its | Internet Document Set, Internet Translation |
| .js | JavaScript Source Code |
| .jse | JScript Encoded Script File |
| .ksh | UNIX Shell Script |
| .lnk | Windows Shortcut File |
| .mad | Access Module Shortcut (Microsoft) |
| .maf | Access (Microsoft) |
| .mag | Access Diagram Shortcut (Microsoft) |
| .mam | Access Macro Shortcut (Microsoft) |
| .maq | Access Query Shortcut (Microsoft) |
| .mar | Access Report Shortcut (Microsoft) |
| .mas | Access Stored Procedures (Microsoft) |
| .mat | Access Table Shortcut (Microsoft) |
| .mau | Media Attachment Unit |
| .mav | Access View Shortcut (Microsoft) |
| .maw | Access Data Access Page (Microsoft) |
| .mda | Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft) |
| .mdb | Access Application (Microsoft), MDB Access Database (Microsoft) |
| .mde | Access MDE Database File (Microsoft) |
| .mdt | Access Add-in Data (Microsoft) |
| .mdw | Access Workgroup Information (Microsoft) |
| .mdz | Access Wizard Template (Microsoft) |
| .msc | Microsoft Management Console Snap-in Control File (Microsoft) |
| .msh | Microsoft Shell |
| .msh1 | Microsoft Shell |
| .msh2 | Microsoft Shell |
| .mshxml | Microsoft Shell |
| .msh1xml | Microsoft Shell |
| .msh2xml | Microsoft Shell |
| .msi | Windows Installer File (Microsoft) |
| .msp | Windows Installer Update |
| .mst | Windows SDK Setup Transform Script |
| .ops | Office Profile Settings File |
| .pcd | Visual Test (Microsoft) |
| .pif | Windows Program Information File (Microsoft) |
| .plg | Developer Studio Build Log |
| .prf | Windows System File |
| .prg | Program File |
| .pst | MS Exchange Address Book File, Outlook Personal Folder File (Microsoft) |
| .reg | Registration Information/Key for W95/98, Registry Data File |
| .scf | Windows Explorer Command |
| .scr | Windows Screen Saver |
| .sct | Windows Script Component, Foxpro Screen (Microsoft) |
| .shb | Windows Shortcut into a Document |
| .shs | Shell Scrap Object File |
| .ps1 | Windows PowerShell |
| .ps1xml | Windows PowerShell |
| .ps2 | Windows PowerShell |
| .ps2xml | Windows PowerShell |
| .psc1 | Windows PowerShell |
| .psc2 | Windows PowerShell |
| .tmp | Temporary File/Folder |
| .url | Internet Location |
| .vb | VBScript File or Any VisualBasic Source |
| .vbe | VBScript Encoded Script File |
| .vbs | VBScript Script File, Visual Basic for Applications Script |
| .vsmacros | Visual Studio .NET Binary-based Macro Project (Microsoft) |
| .vsw | Visio Workspace File (Microsoft) |
| .ws | Windows Script File |
| .wsc | Windows Script Component |
| .wsf | Windows Script File |
| .wsh | Windows Script Host Settings File |
| .xnk | Exchange Public Folder Shortcut |
Nothing p$%#es me off more than undocumented changes in functionality. At this point in time, this information is not documented ANYWHERE on Microsoft's website.
I certainly don't mind Microsoft fixing security holes, but for crying out loud, DOCUMENT IT!!! How do they expect us to roll out critical patches and updates if they change functionality and don't tell anyone? No one looks good when that happens.
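If the blocked extension really is needed (as .xnk was for this client), Outlook reads a per-user override from the registry: a REG_SZ value named Level1Remove under HKCU\Software\Microsoft\Office\11.0\Outlook\Security (11.0 is Outlook 2003) holding a semicolon-separated list of extensions to take off the block list, and a matching Level1Add to block extra ones. That mechanism is not mentioned in the post above; the script below is an added example, not the post's own, and the function names and the exact table it checks against are this example's own. It decides whether a given attachment name would be blocked, honouring the current user's overrides, and appends an extension to Level1Remove without clobbering what is already there.

```powershell
# Added example, not from the original post: test Outlook 2003 SP3 attachment
# blocking against the table above plus the user's Level1Add/Level1Remove
# registry overrides, and add an extension to Level1Remove safely.
$OutlookSecurityKey = 'HKCU:\Software\Microsoft\Office\11.0\Outlook\Security'   # 11.0 = Outlook 2003

# Extensions from the table in the post, lower case.
$Level1 = @('.ade','.adp','.app','.asp','.bas','.bat','.cer','.chm','.cmd','.com','.cpl','.crt',
            '.csh','.der','.exe','.fxp','.gadget','.hlp','.hta','.inf','.ins','.isp','.its','.js',
            '.jse','.ksh','.lnk','.mad','.maf','.mag','.mam','.maq','.mar','.mas','.mat','.mau',
            '.mav','.maw','.mda','.mdb','.mde','.mdt','.mdw','.mdz','.msc','.msh','.msh1','.msh2',
            '.mshxml','.msh1xml','.msh2xml','.msi','.msp','.mst','.ops','.pcd','.pif','.plg','.prf',
            '.prg','.pst','.reg','.scf','.scr','.sct','.shb','.shs','.ps1','.ps1xml','.ps2','.ps2xml',
            '.psc1','.psc2','.tmp','.url','.vb','.vbe','.vbs','.vsmacros','.vsw','.ws','.wsc','.wsf',
            '.wsh','.xnk')

function Get-OverrideList {
    # Level1Add / Level1Remove are REG_SZ values holding ';'-separated extensions.
    param([string]$Name)
    $value = (Get-ItemProperty -Path $OutlookSecurityKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if ([string]::IsNullOrEmpty($value)) { return @() }
    return @($value -split ';' | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ })
}

function Test-OutlookBlocked {
    # True when Outlook 2003 SP3 would block an attachment with this file name,
    # taking the current user's Level1Add/Level1Remove overrides into account.
    param([string]$FileName)
    $ext = [System.IO.Path]::GetExtension($FileName).ToLower()
    if (-not $ext) { return $false }
    $blocked = $Level1 + (Get-OverrideList 'Level1Add')
    $allowed = Get-OverrideList 'Level1Remove'
    return ($blocked -contains $ext) -and -not ($allowed -contains $ext)
}

function Add-Level1Remove {
    # Append one extension to Level1Remove, keeping entries already present.
    param([string]$Extension)
    $ext = $Extension.ToLower()
    if (-not $ext.StartsWith('.')) { $ext = ".$ext" }
    $current = Get-OverrideList 'Level1Remove'
    if ($current -contains $ext) { return }
    if (-not (Test-Path $OutlookSecurityKey)) { New-Item -Path $OutlookSecurityKey -Force | Out-Null }
    Set-ItemProperty -Path $OutlookSecurityKey -Name 'Level1Remove' -Value (($current + $ext) -join ';') -Type String
}

# Usage: check a public folder shortcut, allow .xnk again, check once more.
Test-OutlookBlocked 'Sales Team.xnk'
Add-Level1Remove '.xnk'
Test-OutlookBlocked 'Sales Team.xnk'
```

Outlook reads the key at start-up, so restart it after the change. Every extension placed on Level1Remove is an attachment type users can open with a double-click again, so keep the list to what the business actually needs, and in an environment where attachment security is managed centrally through the Outlook security settings in Exchange, make the change there rather than in each user's registry.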
Labels: Commentary, Exchange, Outlook, Security
Tuesday, January 22, 2008
TechEd 2008 Registration is Open!
I'm thrilled to see that Marcus Murray is presenting a pre-conference seminar, "A Step-By-Step Guide to Hack-Proofing Your Microsoft Network." I wrote about Marcus at last year's TechEd, where he scared the living bejezus out of everyone in packed conference rooms. I can't wait to see what he's going to show off this year. I've removed the NIC from all my servers just to be safe. :)
As Brian Marble reported, TechEd 2008 will also be one of Bill Gates' last public speaking engagements before he retires from Microsoft and embarks on his full-time gig of giving money away. Bill and Melinda's philanthropy astounds me and warms my soul.
I'll be attending the Tech·Ed U.S. IT Professionals session. Let me know if you'll be going, too!

