Raw mode (admin.exe /r) allows you to see all the properties of objects on the Exchange Server. This is useful for examining properties in detail.

We can also use the Administrator program in raw mode if, for some reason, we need to change the service account after setting up Exchange Server. This is possible only if we’re dealing with one Exchange Server in our site (see the Microsoft Knowledge Base article, “Q152808 - XADM: How To Change the Service Account” at http://support.microsoft.com/support/kb/articles/q152/8/08.asp). We can also create new performance monitors for Exchange in raw mode.
Disable an ActiveX Control
Microsoft Windows allows an ActiveX control to be disabled completely under Internet Explorer and Outlook/Outlook Express. A “kill bit” can be enabled under the Windows Registry that causes the ActiveX control to not run at all. This is different from revoking the “safe for scripting” option, which could still run the control, depending on what your settings are. It sounds good, but unfortunately their solution is not quite complete in my view, as we shall see.
WARNING
Any changes you make to the Registry could cause irreparable harm to your operating system. Only advanced users should attempt to edit Registry settings.
1. Bring up the system Registry by selecting Start | Run and then typing REGEDIT.
2. Browse through the tree to the following sub-tree:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\
3. At this stage you will see a group of characters that represent Class IDs (CLSID) of the ActiveX controls. This is where Microsoft’s solution falls apart, in my view. You must now find the CLSID that corresponds to the ActiveX control you wish to disable. According to Microsoft, “To determine which CLSID corresponds with the ActiveX control that you want to disable, you must first remove all of the ActiveX controls that are currently installed, install the control that you want to disable and then add the ‘Kill Bit’ to its CLSID.” Thanks, Microsoft! Now that you have (ahem) found the CLSID, you can change the value of the “Compatibility Flag” data to: 00000400
The full documentation can be found at:
http://support.microsoft.com/support/kb/articles/q240/7/97.asp
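As an added example (not from the book), the Python below reads a .reg export of the ActiveX Compatibility key described in step 2 and reports which CLSIDs carry the kill bit, so the change from step 3 can be verified, or a machine audited, without walking the Registry by hand. The sample export and its CLSIDs are constructed; the DWORD the book calls “Compatibility Flag” is stored under the value name “Compatibility Flags”.

```python
"""Audit ActiveX kill bits from a registry export (added example, not from the book).

Each CLSID is a subkey of the ActiveX Compatibility key; a control is kill-bitted
when bit 0x400 is set in its "Compatibility Flags" DWORD. Parsing a .reg export
(regedit's File | Export) lets the audit run offline against a saved copy.
"""
import re

KILL_BIT = 0x400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample export; the CLSIDs and flag values are made up for illustration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000401
"""

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})\s*$')


def parse_kill_bits(reg_text):
    """Return {clsid: flags} for every CLSID subkey directly under the compatibility key."""
    result = {}
    current = None
    prefix = COMPAT_KEY + "\\"
    for line in reg_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            # Subkeys of other keys (or the parent key itself) are ignored.
            current = key[len(prefix):].upper() if key.lower().startswith(prefix.lower()) else None
            if current is not None:
                result.setdefault(current, 0)   # subkey present but no flags yet
            continue
        m = _FLAGS_RE.match(line)
        if m and current is not None:
            result[current] = int(m.group(1), 16)
    return result


def killed_controls(reg_text):
    """CLSIDs whose Compatibility Flags have the kill bit (0x400) set."""
    return sorted(c for c, f in parse_kill_bits(reg_text).items() if f & KILL_BIT)


def is_killed(reg_text, clsid):
    """True if the given CLSID is kill-bitted in the export."""
    return bool(parse_kill_bits(reg_text).get(clsid.upper(), 0) & KILL_BIT)


if __name__ == "__main__":
    for clsid, flags in parse_kill_bits(SAMPLE_REG).items():
        print(f"{clsid} flags=0x{flags:08x} killed={bool(flags & KILL_BIT)}")
```

regedit writes .reg exports as UTF-16, so read a real file with open(path, encoding="utf-16") before passing its text to parse_kill_bits.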
For Experts Only (Advanced features)
Web Pages on Mobile Code Security Topics
The World Wide Web Security FAQ
Everything you wanted to know about Java, JavaScript, VBScript, and ActiveX security topics:
www.w3.org/Security/Faq/wwwsf7.html
Hostile Applets on the Horizon
This somewhat outdated Web site contains many examples of hostile applets, including several mentioned in Chapter 6.
www.rstcorp.com/hostile-applets/HostileArticle.html
Self Destruct Applet
Beware of this page! It will automatically cause your browser to crash by using a Java applet.
www.cs.nps.navy.mil/research/languages/DynApplet.html
File Scanning Applet
This page uses an applet to scan to see if certain files exist on your hard drive. Newer versions of Netscape and Internet Explorer will make you aware of what it is doing.
http://batbox.org/hole.html
Sending E-mail with an Applet
This page uses an applet to send e-mail to another user. Newer versions of Netscape and Internet Explorer will make you aware that it is sending e-mail.
www.nyx.net/~jbuzbee/mail.html
JavaScript Security Analysis
The Stanford Computer Security Office has produced an analysis of security holes with JavaScript.
www.stanford.edu/~dbrumley/Me/javascript.htm
ActiveX Security Check Page
A handy page that highlights which ActiveX controls you have installed, and what security threats they might pose.
www.tiac.net/users/smiths/acctroj/axcheck.htm
Outlook Web Access (OWA)
One of the features of Exchange Server 5.5 that makes it such a great product is its Outlook Web Access (OWA) feature. This feature allows Exchange users to log on to an Exchange Server and access their mail via a Web browser. As long as the NT Domain that the Exchange Server is in can authenticate the user, the user can log in to a Web page interface and access their e-mail as if they were in the office.

This capability is available when Exchange and Microsoft Internet Information Server (IIS) are set up to work together to offer Web-based service to end-users. The user launches a browser and enters the URL for their OWA login page. They enter their Exchange alias and their NT username and password to be logged on to the server and are then able to send and read e-mail in their Exchange account.

OWA is most secure if combined with Exchange Key Management or Microsoft Certificate Server to provide Public Key security. A Certification Authority could be installed to issue user certificates for secure Web access and e-mail to end-users. You could map certificates to their corresponding NT user accounts to provide encryption services for OWA. That way, users can communicate securely using SSL on the Exchange Server even if they are using a Web browser in a public place. (Certificates and key management are discussed in Chapter 2.)
Using SendMail To Refuse E-mails with the Love Letter Virus
The Web site http://sendmail.net/?feed=lovefix provides instructions for implementing a Sendmail macro for refusing copies of mail that might have the infamous Love Letter virus. You should not install this rule unless you are confident that you can undo what you change in the configuration file and test to be sure the result is as you intended. Also note that this macro works only with Sendmail version 8.9 or higher.
The rule published at sendmail.net is as follows:
HSubject: $>Check_Subject
D{MPat}ILOVEYOU
D{MMsg}This message may contain the LoveLetter virus.
SCheck_Subject
R${MPat} $*	$#error $: 550 ${MMsg}
RRe: ${MPat} $*	$#error $: 550 ${MMsg}

(In the above code, the white space between the pattern and the $#error action represents tab characters.) These lines can be placed in the sendmail.cf file following the predefined rules that control the format of headers.

Taken line by line, an explanation of this rule can give hints to how such rules operate:

HSubject: $>Check_Subject
For Subject fields in the header, invoke a rule to check the subject for specific values.

D{MPat}ILOVEYOU
Define the symbolic value MPat to represent the string ILOVEYOU.

D{MMsg}This message may contain the LoveLetter virus.
Define the symbolic value MMsg to represent the message returned with the rejected mail.

SCheck_Subject
Begin the ruleset named Check_Subject, which the header line above invokes.

R${MPat} $*	$#error $: 550 ${MMsg}
Rewrite subjects beginning with the predefined pattern into the 550 error action carrying the predefined message.

RRe: ${MPat} $*	$#error $: 550 ${MMsg}
Do the same for replies, whose subject begins with “Re:” followed by the pattern.

Most Sendmail rules are not much more complex than this example. The challenge is to understand the symbolic references that these rules heavily employ.
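As an added example that is not from the book or from sendmail.net, the Python below models what the Check_Subject ruleset decides for a message, using the same MPat and MMsg values. The tokenising and case folding are simplifying assumptions of the model, not sendmail’s exact matcher, and the sample messages are constructed; the model also makes visible a limit of the rule as published, namely that a forwarded copy with a “FW:” prefix passes.

```python
"""Model of the sendmail.net LoveLetter subject rule (added example, not from the book).

This emulates the decision of the Check_Subject ruleset for a parsed message.
It is not sendmail: the token split and case folding are approximations.
"""
import email
import re
from email import policy

M_PAT = "ILOVEYOU"                                        # D{MPat}
M_MSG = "This message may contain the LoveLetter virus."  # D{MMsg}


def _tokens(text):
    """Approximate sendmail's token split: words and punctuation become separate tokens."""
    return re.findall(r"[A-Za-z0-9]+|[^\sA-Za-z0-9]", text)


def check_subject(subject):
    """Return the 550 reply the two R lines would produce, or None if the subject passes.

    R${MPat} $*       matches when the first token is the pattern.
    RRe: ${MPat} $*   matches when the first tokens are 'Re', ':', pattern.
    Case-insensitive comparison is an assumption of this model.
    """
    toks = [t.lower() for t in _tokens(subject)]
    pat = M_PAT.lower()
    if toks[:1] == [pat] or toks[:3] == ["re", ":", pat]:
        return f"550 {M_MSG}"
    return None


def check_message(raw):
    """Parse an RFC 822 message and apply the rule to its Subject header (H line)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return check_subject(msg.get("Subject", ""))


# Constructed sample messages for illustration.
INFECTED = "From: a@example.test\nSubject: ILOVEYOU\n\nkindly check the attached LOVELETTER\n"
REPLY = "From: b@example.test\nSubject: Re: ILOVEYOU\n\n> ...\n"
FORWARD = "From: c@example.test\nSubject: FW: ILOVEYOU\n\n> ...\n"   # not caught by the rule
CLEAN = "From: d@example.test\nSubject: meeting notes\n\nsee attached\n"

if __name__ == "__main__":
    for name, raw in [("infected", INFECTED), ("reply", REPLY), ("forward", FORWARD), ("clean", CLEAN)]:
        print(f"{name}: {check_message(raw)}")
```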
Troubleshooting and Optimization Tips
Troubleshooting Exchange Server problems can sometimes be difficult. The key to homing in on the source of a problem is to have a troubleshooting process or method. The first place that an administrator should look to help point the way is the Event Log. In order to monitor Exchange Server behavior through the Event Log, you must enable logging of the important events via the Diagnostics Logging tab (see Figure A.4), which gives the status of certain processes on the server.
Another important utility is the Performance Monitor. The Performance Monitor can be used to chart the performance of different components of Exchange Server, such as the IMS, the MTA, and the Directory. Enabling Message tracking is also an excellent way to monitor performance. The object of Exchange is to get messages to and from people. Message tracking allows us to monitor message queues to determine whether e-mail is moving along to and from these people, as it should.
Okay, now you’ve seen how to monitor performance. How do you improve or maintain it? Simply run the Exchange Performance Optimizer tool (see Figure A.5).
Figure A.4 MTA Diagnostics Logging tab shows which events to monitor in the Event Log
This tool calculates and reconfigures Exchange so that it achieves the best possible configuration for the tasks it needs to complete. The Performance Optimizer should be run periodically to maintain performance. You should run the Performance Optimizer after hours so that users are not disconnected when the services shut down. At times, the Optimizer may recommend that you move certain components to other partitions or disks in order to achieve peak performance; in light of that, it is always good practice to ensure that you have plenty of disk space on the Exchange Server.
Figure A.5 Exchange Performance Optimizer tool