Monday, March 30, 2015

Exchange 2013 Hardening - Admin Center Externally Accessible

In Exchange 2013 the admin UI is web based instead of the traditional mmc interfaces in past versions. Although I have traditionally been apprehensive of web based interfaces,  Exchange Admin Center (EAC) in Exchange 2013 is actually very well designed and easy to use. For more details see this article.

After a recent deployment I realized that EAC seems to be accessible externally by default if Outlook Web Access (OWA) is setup. I started looking for a place to disable external access. Searching online I found several workarounds.

Method 1 - Disable EAC Altogether

This article from Microsoft explains how to turn off EAC functionality completely with the Powershell command:

Set-ECPVirtualDirectory -Identity "serverName\ecp (default web site)" -AdminEnabled $false


 

Logically you can re-enable EAC by changing the $false to $true. After each of these commands it takes several minutes for them to take affect. You can do an IIS reset if you're not worried about annoying users, but I'd advise waiting a couple minutes



It's worth noting that disabling EAC takes away some functionality for OWA users to set "Out of Office" messages, manage their mobile devices, and a couple other things. 



Method 2 - Using IP and Domain Restrictions in IIS



Another method several blogs talked about is using IP and Domain Restrictions in IIS to restrict access to the EAC virtual directory to specified IPs or subnets. There is a good writeup here, so I won't re-invent the wheel.



It's not a great security practice to use the Builtin Administrator account for any externally facing authentication because the lockout policy doesn't apply to it. An attacker could brute force the account without having to worry about locking it out. There's a good article here that says:



"Since the authentication is being handled by IIS the usernames are not 
being screened, and so a user encounters an HTTP 403 error when they are
 barred from using ECP but have been authenticated successfully (even if
 you remove the Administrator account from the ‘Organization Management’
 Exchange Security Group), so the brute-force attacker can saturate the 
server with logon requests and precisely determine when they have 
cracked the Domain Admin credentials."



Several people commented on the blog above saying you still get a 403 even when IP and Domain Restrictions are in place for the EAC virtual directory. I haven't tested this method myself yet, but I plan to and will update the post at that time. 



Method 3 - Microsoft's Suggestion



Microsoft says here they recommend installing a separate CAS server and configure it to only handle internal requests using the following command: 



Set-ECPVirtualDirectory -Identity "InternalCAS\ecp (default web site)" -AdminEnabled $True



However, in typical big vendor fashion this solution is not a very feasible option for most small/medium businesses.  




Which Option is Best?

Once again it's the balancing act of security vs. usability. You need to evaluate your organization's risk and determine whether the business value of tools like OWA or Outlook Anywhere outweigh these risks.












Posted by



at





No comments:
  


































          

        

          

        

Monday, March 9, 2015


          

        










Adventures with NULL Sessions - Are They Really Disabled?


















I ran into an interesting issue
recently where I was able to enumerate all domain users on a client's DC
because NULL Sessions were enabled. The client thought they had disabled NULL Sessions, but its seems they had one small misconfiguration. I ran the tool rid_enum and got results
similar to the screenshot below on one of the DCs.



















RID enum failed against the other DC and member servers, so I started looking
for settings that were different between the two DCs. I checked all the registry
keys below and they all looked the same.







HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1



HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM = 1



HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous = 0



HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess = 1




HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\AdjustedNullSessionPipes = 3







I also checked the
following policies under Local Policies -> Security Options in the Local
Security Policy:





Network
Access: Allow Anonymous SID/name translation - Disabled

Network
Access: Do not allow anonymous enumeration of SAM accounts - Enabled

Network
Access: Do not allow anonymous enumeration of SAM accounts & shares - Enabled

Network
Access: Restrict Anonymous access to Named Shares and Pipes - Enabled







The culprit looked to be
the following registry key and local policy:





HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes



  



Network
Access: Named Pipes that can be accessed anonymously



















The vulnerable DC had
netlogon, samr, and lsarpc (which is the default I believe) listed in the policy/registry.
The unaffected DC had only netlogon and lsarpc. In my testing it looked like if
both lsarpc and samr were listed in the policy/registry I could enumerate
users. Adding the entries by themselves didn’t seem to work, but if they were
both listed, the enumeration was successful. After some additional research I
realized that NULL sessions were actually still accessible on both DCs. I
couldn’t glean much usable information using rpcclient with no credentials, but
I could nonetheless still connect and issue commands. 



















I removed all of the
entries from “Network Access: Named Pipes that can be accessed anonymously” on
both servers and retried to connect again. This time I got a “NT_STATUS_ACCESS_DENIED”
message. I realize this may cause some applications to break, so will make sure the client monitors things
closely. However, so far they haven’t seen any adverse effects. 







Interestingly, while
researching this I spun up a fresh VM of W2K8 R2 and made it a domain controller.
With all the applicable Local Security Policies and registry settings the same,
I wasn’t able to enumerate users on the test VM. It didn’t seem to matter which
“Named Pipes” were in the policy/registry.











Here are some additional
resources regarding NULL Sessions:











http://project500.squarespace.com/journal/2014/2/3/powershell-domainlockdown



https://project500.squarespace.com/journal/2014/3/13/powershell-enumerating-null-sessions-on-your-dcs



http://pen-testing.sans.org/blog/pen-testing/2013/07/24/plundering-windows-account-info-via-authenticated-smb-sessions



http://carnal0wnage.attackresearch.com/2007/08/more-of-using-rpcclient-to-find.html



http://carnal0wnage.attackresearch.com/2010/06/more-with-rpcclient.html



http://windowsitpro.com/windows-server/access-denied-understanding-anonymous-enumeration-policies



https://technet.microsoft.com/en-us/library/dd349805%28WS.10%29.aspx#BKMK_44










Posted by



at





1 comment:
  


































        

      









Subscribe to:
Posts (Atom)