Defense on the Internal Network

The thought in many administrative groups within an organization is that as long as the environment is protected from attacks that exist outside the walls of the internal architecture, there is little need to protect against what may originate from within. In reality, each component along the interconnected pieces of the mail flow architecture can create a weak point.

As we will discuss in the following sections, it is just as important to defend on the internal network as it is in the perimeter network.

Messaging Server Defenses

Just as the servers deployed into the perimeter network must be configured with security in mind, the same thing holds true for the messaging servers in the internal network. The internal SMTP messaging server role in Exchange 2007 is called the Hub Transport (HT) server. HT servers are designed to perform all internally required routing functions.

Some items included in the scope of an HT server are collecting the message, examining the message, and then routing the message to the mailbox server that houses the recipient's mailbox. An HT server will also determine whether a specific namespace is Authoritative or not before passing the message on through the routing process to come up with the message's next hop.

IP filtering (restricting the remote IP ranges from which a connector accepts mail) should also be considered when allowing authenticated relay, and even more so in anonymous relay scenarios.
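As an added example (not from the book), the following Exchange Management Shell script audits the Hub Transport receive connectors on one server for anonymous relay that is not scoped to an IP range, then creates a separate relay connector restricted to a single subnet; the server name and subnet are assumed placeholders.

```powershell
# Added example: audit Exchange 2007 HT receive connectors for unscoped anonymous
# relay, then create an IP-restricted relay connector. Run in the Exchange
# Management Shell. Server name and subnet below are assumptions.

$hubServer   = "HUB01"        # assumption: Hub Transport server to audit
$relaySource = "10.0.5.0/24"  # assumption: subnet of devices allowed to relay

# 1. Flag connectors that grant ANONYMOUS LOGON the "accept any recipient" right;
#    combined with a wide-open RemoteIPRanges this is an open relay.
Get-ReceiveConnector -Server $hubServer | ForEach-Object {
    $conn = $_
    $anonRelay = Get-ADPermission -Identity $conn.Identity |
        Where-Object {
            $_.User -like "*ANONYMOUS LOGON*" -and
            ($_.ExtendedRights | Where-Object { $_ -like "*Accept-Any-Recipient*" })
        }
    if ($anonRelay) {
        $ranges = ($conn.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ", "
        # The default range "0.0.0.0-255.255.255.255" matches every source address.
        $open = $conn.RemoteIPRanges | Where-Object { $_.ToString() -like "0.0.0.0*" }
        if ($open) {
            Write-Warning ("{0}: anonymous relay allowed from ANY address ({1})" -f $conn.Identity, $ranges)
        } else {
            Write-Host ("{0}: anonymous relay restricted to {1}" -f $conn.Identity, $ranges)
        }
    }
}

# 2. Preferred layout: a dedicated connector for the relaying devices only. The
#    more specific RemoteIPRanges wins over the default connector on port 25, so
#    anonymous relay is granted only to sources inside $relaySource.
$relay = New-ReceiveConnector -Name "Scoped Anonymous Relay" -Server $hubServer `
    -Usage Custom -Bindings "0.0.0.0:25" -RemoteIPRanges $relaySource `
    -PermissionGroups AnonymousUsers -AuthMechanism Tls
Add-ADPermission -Identity $relay.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" `
    -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
```

The audit in step 1 is read-only; step 2 changes the server configuration and should be run only after confirming the subnet.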

Client Defenses

Defenses must be planned all the way down to the client access mechanism. While client machines will not typically be the target of something such as a DoS attack or an SMTP Auth attack, they can still fall victim to, as well as be the source of, malicious e-mails containing viruses, malware, Trojans, and other nuisances. By deploying an antivirus/antimalware product to the workstations in your environment, such as Microsoft Forefront Client Security, you help to ensure that all pieces of the architecture are doing their part to keep your environment attack free.

Supporting Services

Remember that Exchange services depend on infrastructure services such as AD and DNS in order to function properly. Even though we will not discuss in detail how to protect these components against attack, it is critical to understand that they should be deployed in a secured configuration and monitored as well. For additional information on how to defend AD and DNS against unwanted attacks, please refer to Chapter 2, “Active Directory – Escalation of Privilege.”

If a company wants to engage in public Internet-based e-mail traffic originating from its own namespace hosted on premises, then when building its infrastructure it must account for a public Internet-facing SMTP service. Internet-facing SMTP services are responsible for sending e-mail messages to, and receiving them from, other mail servers on the Internet, which makes them targets for many of the different mail service attacks.

Summary

As a messaging administrator, you must remain aware of potential messaging system attacks. By understanding the characteristics of attacks that may be executed against your systems, you are better prepared to identify them and respond to them in a defensive manner.

One of the factors that helps to make your job easier is that Exchange Server has evolved over time to be installed defensively straight out of the box. Since by default you are more protected than ever before, attackers have had to become increasingly creative in their attack approaches. We have discussed many common attacks that should be considered viable threats to your environment and the proper steps to be taken to help ensure the security of your messaging services infrastructure.

Understanding the mail flow architecture between disparate mail systems helps you understand the many different possible attacks that may be executed against a Microsoft Exchange deployment. By equipping yourself with the knowledge of how mail service attacks function, you can better prepare yourself to prevent attacks such as directory harvest attempts, mail relay, and SMTP Auth attacks.
