Installing VPN access on Windows Server 2016

Carnival Boy

How does an SMTP protocol attack work?

scottalanmiller

@Carnival-Boy said in Installing VPN access on Windows Server 2016:

How does an SMTP protocol attack work?

Same as any other protocol based attack, you use the protocol to attack the server. Are you familiar with buffer overflows? That entire attack category is done over the protocol in use (SMTP, HTTP, SIP, whatever.)

All external hacking is done this way.

scottalanmiller

Here is an old one that Exchange used to have, just as an example...

https://tools.cisco.com/security/center/viewAlert.x?alertId=8254

scottalanmiller

Here is one for some crappy third party SMTP server, again, just examples of historical, well known SMTP attack vectors that have been found, and closed.

https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24780

Carnival Boy

I need an example that's not from 2004!

scottalanmiller

@Carnival-Boy said in Installing VPN access on Windows Server 2016:

I need an example that's not from 2004!

Why? If you know what the vector is, you know that the age of the example can't matter.

scottalanmiller

Or do you believe that the entire concept of hacking has been solved and doesn't exist today?

Carnival Boy

@scottalanmiller said in Installing VPN access on Windows Server 2016:

Or do you believe that the entire concept of hacking has been solved and doesn't exist today?

Oh, just forget it.

scottalanmiller

@Carnival-Boy said in Installing VPN access on Windows Server 2016:

@scottalanmiller said in Installing VPN access on Windows Server 2016:

Or do you believe that the entire concept of hacking has been solved and doesn't exist today?

Oh, just forget it.

Okay, so we've established, it's important to have proxies in front of services for good security and SMTP is a common, well known attack vector that is easily mitigated and even MS recommends this for exactly that reason. Moving on...

scottalanmiller

Same reason we always have something like Nginx sitting in front of less battle tested servers like Node.js system calls. Nearly zero effort for a massive increase in stability and security. Things work without doing it, but it's considered the standard implementation pattern and approach.

Dashrender

@Carnival-Boy said in Installing VPN access on Windows Server 2016:

@scottalanmiller said in Installing VPN access on Windows Server 2016:

Or do you believe that the entire concept of hacking has been solved and doesn't exist today?

Oh, just forget it.

There's nothing to forget.

If you want security in depth, you need not only the security provided in Exchange, you also put a SMTP proxy in front to get another layer.

The same goes for normal port 80/443 stuff. The default settings of Exchange's implementation on IIS is by some considered lax. Install a much more locked down HTML proxy in front of it that prevents specific commands not needed by Exchange, plus a web server that has different flaws than Exchange IIS has, and you've again created a defense in depth.

scottalanmiller

@Dashrender said in Installing VPN access on Windows Server 2016:

I also have a reverse proxy in front of Exchange for ActiveSync and OWA.

What do you use for a reverse proxy?

scottalanmiller

@Dashrender said in Installing VPN access on Windows Server 2016:

The same goes for normal port 80/443 stuff. The default settings of Exchange's implementation on IIS is by some considered lax. Install a much more locked down HTML proxy in front of it that prevents specific commands not needed by Exchange, plus a web server that has different flaws than Exchange IIS has, and you've again created a defense in depth.

Exactly, put Nginx in front of OWA, as an example, and the degree to which it is harder to try to brute force an attack on OWA is extreme. Plus it can make HTTP Header handling more flexible.

JaredBusch

@scottalanmiller said in Installing VPN access on Windows Server 2016:

@Dashrender said in Installing VPN access on Windows Server 2016:

I also have a reverse proxy in front of Exchange for ActiveSync and OWA.

What do you use for a reverse proxy?

His is ancient. ISA

JaredBusch

@scottalanmiller said in Installing VPN access on Windows Server 2016:

@Dashrender said in Installing VPN access on Windows Server 2016:

The same goes for normal port 80/443 stuff. The default settings of Exchange's implementation on IIS is by some considered lax. Install a much more locked down HTML proxy in front of it that prevents specific commands not needed by Exchange, plus a web server that has different flaws than Exchange IIS has, and you've again created a defense in depth.

Exactly, put Nginx in front of OWA, as an example, and the degree to which it is harder to try to brute force an attack on OWA is extreme. Plus it can make HTTP Header handling more flexible.

You cannot put Nginx in front of Exchange for free.

scottalanmiller

@JaredBusch said in Installing VPN access on Windows Server 2016:

@scottalanmiller said in Installing VPN access on Windows Server 2016:

@Dashrender said in Installing VPN access on Windows Server 2016:

I also have a reverse proxy in front of Exchange for ActiveSync and OWA.

What do you use for a reverse proxy?

His is ancient. ISA

Wow, when did they end that? 2006? I can't remember the last version number, but it was some time ago.

I used it a lot back when it was Proxy Server 2.0!!

scottalanmiller

@JaredBusch said in Installing VPN access on Windows Server 2016:

@scottalanmiller said in Installing VPN access on Windows Server 2016:

@Dashrender said in Installing VPN access on Windows Server 2016:

The same goes for normal port 80/443 stuff. The default settings of Exchange's implementation on IIS is by some considered lax. Install a much more locked down HTML proxy in front of it that prevents specific commands not needed by Exchange, plus a web server that has different flaws than Exchange IIS has, and you've again created a defense in depth.

Exactly, put Nginx in front of OWA, as an example, and the degree to which it is harder to try to brute force an attack on OWA is extreme. Plus it can make HTTP Header handling more flexible.

You cannot put Nginx in front of Exchange for free.

What feature from the paid version is needed?

JaredBusch

@scottalanmiller said in Installing VPN access on Windows Server 2016:

@JaredBusch said in Installing VPN access on Windows Server 2016:

@scottalanmiller said in Installing VPN access on Windows Server 2016:

@Dashrender said in Installing VPN access on Windows Server 2016:

The same goes for normal port 80/443 stuff. The default settings of Exchange's implementation on IIS is by some considered lax. Install a much more locked down HTML proxy in front of it that prevents specific commands not needed by Exchange, plus a web server that has different flaws than Exchange IIS has, and you've again created a defense in depth.

Exactly, put Nginx in front of OWA, as an example, and the degree to which it is harder to try to brute force an attack on OWA is extreme. Plus it can make HTTP Header handling more flexible.

You cannot put Nginx in front of Exchange for free.

What feature from the paid version is needed?

I do not recall the name of the feature, but i had a thread on the subject on here 2 years ago.

Because I tried to put Nginx in front.

scottalanmiller

@JaredBusch said in Installing VPN access on Windows Server 2016:

@scottalanmiller said in Installing VPN access on Windows Server 2016:

@JaredBusch said in Installing VPN access on Windows Server 2016:

@scottalanmiller said in Installing VPN access on Windows Server 2016:

@Dashrender said in Installing VPN access on Windows Server 2016:

The same goes for normal port 80/443 stuff. The default settings of Exchange's implementation on IIS is by some considered lax. Install a much more locked down HTML proxy in front of it that prevents specific commands not needed by Exchange, plus a web server that has different flaws than Exchange IIS has, and you've again created a defense in depth.

Exactly, put Nginx in front of OWA, as an example, and the degree to which it is harder to try to brute force an attack on OWA is extreme. Plus it can make HTTP Header handling more flexible.

You cannot put Nginx in front of Exchange for free.

What feature from the paid version is needed?

I do not recall the name of the feature, but i had a thread on the subject on here 2 years ago.

Because I tried to put Nginx in front.

Have you tried this recent guide?

http://blog.adamjoshuasmith.com/deploying-exchange-2016-behind-nginx-free/

JaredBusch

@scottalanmiller said in Installing VPN access on Windows Server 2016:

@JaredBusch said in Installing VPN access on Windows Server 2016:

@scottalanmiller said in Installing VPN access on Windows Server 2016:

@JaredBusch said in Installing VPN access on Windows Server 2016:

@scottalanmiller said in Installing VPN access on Windows Server 2016:

@Dashrender said in Installing VPN access on Windows Server 2016:

The same goes for normal port 80/443 stuff. The default settings of Exchange's implementation on IIS is by some considered lax. Install a much more locked down HTML proxy in front of it that prevents specific commands not needed by Exchange, plus a web server that has different flaws than Exchange IIS has, and you've again created a defense in depth.

Exactly, put Nginx in front of OWA, as an example, and the degree to which it is harder to try to brute force an attack on OWA is extreme. Plus it can make HTTP Header handling more flexible.

You cannot put Nginx in front of Exchange for free.

What feature from the paid version is needed?

I do not recall the name of the feature, but i had a thread on the subject on here 2 years ago.

Because I tried to put Nginx in front.

Have you tried this recent guide?

http://blog.adamjoshuasmith.com/deploying-exchange-2016-behind-nginx-free/

It relies on Nginx Extras and requires a Debian proxy.

I found this back in December in this thread: https://www.mangolassi.it/topic/7184/problems-with-exchange-2010-and-nginx-reverse-proxy/18