Re: Windows 2003 SMTP

  • From: Danny <nocmonkey@xxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 8 Feb 2005 21:31:17 -0500

On Tue, 8 Feb 2005 17:34:55 -0500, Mulnick, Al <Al.Mulnick@xxxxxxxxxx> wrote:
> Thanks for the explanation.  I was just checking for the background and
> trying to understand where you were coming from.

I would have done the same. :)
> K3 = W2K3 Server; sometimes I get lazy and shorten it. :)

Got it!

> I suppose it's worth mentioning that security to me is not about the device
> by itself.  Let's face it, there's always *something* more secure out there
> in terms of devices.  To me it's a process and concept that spans all 8
> layers of the OSI stack. If any of them are open or un-cared for, then it
> degrades the security of the device.

I agree 100%. <Starting dream sequence...> Now, if we could just get
everyone responsible for devices plugged into a network to think that
way and take action.

Some quick and dirty tips for everyone else:

Layer 1 (Physical) - Lock up your servers and the NOC, don't let
unauthorized and non-compliant computers plug into your network. Scan
for unauthorized wireless APs.

Layer 2 (Data Link) - Use switches and NICs with 802.1x
authentication if you can. Use MAC filtering. Keep a DB of known
MACs. Monitor new ARP requests. DHCP handout restrictions.

Layer 3 (Network) - IPSec on workstations and servers (block
unessential ports), firewall networks, VLAN networks, harden TCP/IP
stack, run a sniffer frequently, etc.

Layer 4 (Transport) - TCP & UDP, set up your firewalls properly,
disable access to unessential ports.

Layer 5 (Session) - Use SSH instead of telnet. Use SSL. Keep an eye
on your SNMP traffic.

Layer 6 (Presentation) - Umm.. make sure you have good encryption.

Layer 7 (Application) - Keep your software up-to-date and watch for
newly discovered vulnerabilities (if you don't have time to patch that
instant, implement the workarounds), encrypt network transferred data
where possible, audit file permissions, install centrally managed
anti-malware (viruses, worms, spyware, etc.), convert all email to
plain text, use strong passphrases instead of passwords, set up
password-protected screensavers, don't give users admin rights,
disable unessential services, scan all (HTTP, POP3, SMTP, FTP, etc.)
for malware, ban inappropriate websites, limit website browsing, use
IPS & IDS, lock down IE zones, disable ActiveX, deploy Internet facing
servers with operating systems and services that are secure (relative
to MS boxes) by default, block malicious (.cpl, .scr, .exe, .vbs,
etc.) email attachments, don't let users install unapproved software,

-------Extended OSI Model---------

Layer 8 (Humans) - Educate, train, enlighten, and enforce. "Do Not:
open unexpected or suspicious or non-business related email
attachments; click on URLs to non-business related sites; open or
reply to spam; etc..."

> There's plenty of fixes and hacks for just about any OS in use, so I
> personally see no other way to deal with it. The level of effort is a
> risk-management and technical issue - no argument there.  Some are
> definitely easier to get secure and BSD is one of those.

Right, and like I say, for the services with Internet exposure, I
typically choose the operating system and application platform which
takes the least effort to secure.

> I was just curious if you were advocating set it and forget it security or
> were just pointing out the difference in the level of effort to get to an
> acceptable security stance.

I advocate security through properly configured layers of protection,
obscurity, user education, constant testing, and taking into
consideration all OSI layers and the fact that your security is only
as good as your weakest link.

I also set up my layers as if the others before it did not exist. For
example, let's say I come into an environment where these nice brand
new servers are all set up behind this $10,000 top of the line Cisco
PIX firewall, and to no surprise, those responsible are convinced the
servers are secure because they are behind one of the best firewalls
in the biz. Well, Joe User goes to this cool website his buddy
forwarded to him and all of a sudden the LAN becomes infested with this
new worm, and subsequently those "secure" servers become the next
victim and all the data is deleted.

So, in this case, what would I have done differently at the server
level to prevent this? 1) Made sure it was patched 2) Disabled all
unessential services 3) IPSec unessential ports 4) lock down anonymous
connections 5) removed unessential accounts 6) renamed admin account,
strong passphrases. etc.... all as if the firewall was not there and
all the users on the network were hooligans spreading viruses.

> Thanks Danny.  Been interesting.

Indeed. I am signing off for the night though. Too much IT talk for tonight.
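As an added illustration of the Layer 2 tip in the post above (keep a DB of known MACs and monitor ARP), not code from anyone in the thread: a small Python audit that parses Windows `arp -a` output against an inventory and flags hosts missing from the inventory, inventoried IPs whose MAC changed, and one MAC answering for several IPs. Both the ARP output and the inventory are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of Windows "arp -a" output (not from the original post).
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     dynamic
  192.168.1.20          00-50-56-11-22-33     dynamic
  192.168.1.21          00-50-56-44-55-66     dynamic
  192.168.1.30          00-0c-29-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed "known MAC database": IP -> MAC recorded at inventory time.
KNOWN_HOSTS = {
    "192.168.1.1":  "00-0c-29-aa-bb-cc",  # default gateway
    "192.168.1.20": "00-50-56-11-22-33",  # file server
    "192.168.1.21": "00-50-56-77-88-99",  # print server
}

# One ARP cache row: IPv4 address, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE)

def parse_arp_table(text):
    """Return (ip, mac, type) tuples, skipping broadcast and IPv4 multicast rows."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # interface header, column header, blank line
        ip, mac, kind = m.group(1), m.group(2).lower(), m.group(3).lower()
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        entries.append((ip, mac, kind))
    return entries

def audit_arp_table(entries, known):
    """Compare ARP entries with the inventory; every finding is worth a look."""
    findings = {"unknown_host": [], "changed_mac": [], "duplicate_mac": []}
    by_mac = defaultdict(list)
    for ip, mac, _ in entries:
        by_mac[mac].append(ip)
        if ip not in known:
            findings["unknown_host"].append((ip, mac))       # not in the DB
        elif known[ip] != mac:
            findings["changed_mac"].append((ip, known[ip], mac))  # re-imaged or spoofed
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # one NIC claiming several IPs, e.g. the gateway's MAC
            findings["duplicate_mac"].append((mac, sorted(ips)))
    return findings

if __name__ == "__main__":
    for kind, items in audit_arp_table(parse_arp_table(SAMPLE_ARP_OUTPUT), KNOWN_HOSTS).items():
        print(kind, items)
```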