How Hackers Work
Hackers start by learning that an e-mail server exists, which generic scanning tools can tell them. Coupled with the public information of your Domain Name System (DNS) records, hackers can quickly know a lot about your network.
Finding company information is easy for anyone. You can do it. Simply open a command prompt and type nslook. Set the type of the record you’re looking for to a mail exchanger (MX) record by typing set type=mx. Type a domain name. This example uses Microsoft.com. Figure 19-1 shows the results.
Figure 19-1 Using the NSLookup tool to find the public MX records for Microsoft.com
Next, the hacker determines the platform of your SMTP server in one of two ways. In the first approach, the hacker can use Telnet to open a session to your server over port 25 and then read the banner. Under Exchange Server 2007, the banner no longer identifies the version of Exchange Server being run, but does still indicate that the server is running the Microsoft ESMTP service. By removing the version number, Microsoft makes it harder for hackers to determine the exact version of Exchange that you are using. Note, Exchange Server 2007 is the only version that, by default, lacks this identifying information. However, a hacker can still figure out what he wants to know. It will take a couple of service packs and another major version of Exchange before this default omission really begins to bear fruit. Figure 19-2 gives you a look at an ESMTP conversation that takes place with an Exchange Server 2007 server.
Figure 19-2 Opening a Telnet session to a server running Exchange Server 2007
Under older versions of Exchange Server, the exact version of the Exchange server being run is displayed (see Figure 19-3). The main version number, 6.0, means Exchange Server 2003. An Exchange 2000 Server registers with a main version number of 5.0. A SendMail server has its name and the version of SendMail software used by the company displayed in the header as well as the operating system (OS). Using this kind of information, a hacker can target his efforts by looking for exploits that will work for your specific system.
Figure 19-3 Opening a Telnet session to a server running Exchange Server 2003
The second way to determine your e-mail server platform is to send a bogus e-mail to your server. This is accomplished by sending a message to an unlikely e-mail address such as email@example.com. The nondelivery report (NDR) that is returned has the e-mail server information located somewhere in the NDR. The following sample is a message header sent to the lab Exchange server at contoso.com. Notice that the Exchange server version is included right in the NDR’s Sent by line:
Delivery has failed to these recipients or distribution lists: firstname.lastname@example.org The recipient's e-mail address was not found in the recipient's e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your system administrator. -------------------------------------------------------------------------------- Sent by Microsoft Exchange Server 2007 Diagnostic information for administrators: Generating server: e2007-1.contoso.com email@example.com #550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ## Original message headers: Received: from e2007-1.contoso.com ([192.168.0.91]) by e2007-1.contoso.com ([192.168.0.91]) with mapi; Tue, 5 Feb 2008 01:25:12 -0600 Content-Type: application/ms-tnef; name="winmail.dat" Content-Transfer-Encoding: binary From: Cat Francis <firstname.lastname@example.org> To: "email@example.com" <firstname.lastname@example.org> Date: Tue, 5 Feb 2008 01:25:06 -0600 Subject: Test Thread-Topic: Test Thread-Index: AQHIZ8g79IUM/OhzKk2PKwL9+dATWg== Message-ID: <1772808B96DEC14094F0236A00882DD7A43089@e2007-1.contoso.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: <1772808B96DEC14094F0236A00882DD7A43089@e2007- 1.contoso.com> MIME-Version: 1.0
Note that, even with Service Pack 1 installed, NDR messages still report just Exchange Server 2007 as the server version. By looking at just the NDR, there is no indication that SP1 is deployed on the server.
Now that the hacker knows which e-mail server software you run, he or she checks known databases to find vulnerabilities to exploit. The known vulnerabilities for Exchange Server 2007 are listed in Microsoft’s Security Bulletins and can be found at www.microsoft.com/security/default.mspx. On older versions of Exchange, some of the vulnerabilities could involve Microsoft Internet Information Services (IIS) because IIS managed the SMTP service for Exchange. In Exchange Server 2007, SMTP is a core part of Exchange itself, which helps to reduce the attack potential on your server. Other vulnerabilities may involve Microsoft Outlook Web Access (OWA), again because of the involvement of IIS managing the HTTP connectivity to the Exchange server. At a minimum, be aware of any vulnerabilities that exist for Exchange Server 2007 and test and install the updates when they are released.
Generally speaking, the e-mail administrator can expect the following kinds of attacks:
Buffer overflows Buffer overflows send a larger quantity of data to the server than is anticipated. Depending on how the overflow is executed, it could cause the server to stop working or it might run malicious code from the attacker.
Data processing errors These are not common currently, but the concept is that a small program is sent directly to the server and the server runs it. More common today is sending these programs to a network though e-mail as attachments. Depending on their function and purpose, these programs can be viruses, Trojans, or worms (discussed at length later in this chapter).
HTML viruses These do not require user intervention to run unattended scripts.
Custom programs written to run against port 25 (SMTP) The more common types of programs that attack port 25 include e-mail flooding programs or programs that contain their own SMTP engine that use the port for their own malicious purposes.
Denial of Service (DoS) A Denial of Service attack is an attack on a network that is undertaken in an effort to disrupt the services provided by a network or server.
Cross-site scripting Cross-site scripting is a vulnerability whereby an attacker places malicious code into a link that appears to be from a trusted source.
Spam and phishing expeditions Spam, or junk mail, is a well-known e-mail malady and affects just about everyone that uses the communication medium. A particular type of spam, called a phishing e-mail, attempts to lure unsuspecting users into clicking on unsafe web links. These links point to web forms that ask the user to provide sensitive personal information.
Here are some broad actions you can take to guard against the attacks just described, plus others:
Physical access to the server Lock the doors, and use some type of biotech authentication.
Viruses, Trojans, and worms Use antivirus software and regularly scan your servers and workstations. Use the Exchange Server 2007 Edge Transport server role on at least one Exchange server.
Loss of data Perform regular backups.
Unauthorized use of user accounts Conduct user training on information security policies and require complex passwords.
Denial of Service attack Harden the TCP/IP stack and the router.
Platform vulnerabilities Install all software patches and engage in service that offers minimization. Microsoft has released excellent free software for updating its patches on your servers. This software is called Windows Server Update Services (WSUS).
The rest of this chapter is intended to help you secure Exchange Server 2007 against these types of attacks. However, a brief discussion of physical security of your Exchange server is in order.