CYA Securing Exchange Server 2003 and Outlook Web Access, part 9 (pps)


299_CYA_EXCHG_10.qxd 4/23/04 11:37 AM Page 254

Chapter 10 • Protecting Against Viruses

Cleaning Up After a Virus Outbreak

You might wonder what to do if you should learn one day that your antivirus product’s signature isn’t up to date, and your users’ mailboxes are suddenly bombarded by some kind of malicious e-mail virus. Well, if you’re lucky, the vendor will quickly provide a signature update, and you might have the opportunity to scan all mailboxes on your Exchange server and have the virus scanner remove any infected messages from the mailboxes. But what do you do if that isn’t an option? ExMerge comes to the rescue. You probably know ExMerge as a utility to export and import mailboxes to or from .pst files during Exchange server migrations, but ExMerge can be used for a lot more, including being used as a virus cleanup utility.

BY THE BOOK…

Administrators frequently use the ExMerge.exe tool to back up mailbox data or migrate it from one mailbox to another. ExMerge is designed to copy mailbox data into a personal folder file (.pst) that can then be imported to another mailbox. However, you can also use ExMerge to extract specific messages from mailbox stores to .pst files and then delete the .pst files instead of importing them into new mailbox stores.

In this section you’ll see step by step how it’s possible to strip a specific e-mail–borne virus from your users’ mailboxes using the ExMerge utility. Let’s begin:

1. Start by grabbing the most recent version of ExMerge 2003 from www.microsoft.com/exchange/downloads/2003.asp.

2. Place a copy of ExMerge in the C:\Program Files\Exchsrvr\Bin folder.

3. Make sure you have the proper permissions to access your users’ mailboxes. (Read more in MS KB 262054, “XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000,” at support.microsoft.com/?id=262054.)

4. Execute Exmerge.exe, then click Next.

5. Select Extract or Import (Two Step Procedure), and click Next (see Figure 10.2).

Figure 10.2 ExMerge Extract or Import (Two Step Procedure)

6. Choose Step 1: Extract data from an Exchange Server Mailbox, and click Next (see Figure 10.3).

Figure 10.3 Choose to Extract Data from an Exchange Server Mailbox

7. Specify the names of your Exchange server and domain controller (see Figure 10.4).

Figure 10.4 Specify Exchange Server and Domain Controller

8. Click Options, then choose the Import Procedure tab (see Figure 10.5) and select Archive data to target store. Be sure to read this option carefully before continuing.

Figure 10.5 The Import Procedure Tab

9. Now it’s time to tell ExMerge what messages need to be ExMerged from the mailboxes. Select the Folders tab. You will be prompted with the warning box shown in Figure 10.6.

Figure 10.6 ExMerge Warning Box

10. Click Yes in the warning box. You will see the Folders tab (see Figure 10.7).

Figure 10.7 The Folders Tab

11. In the Folders tab, you have the option of specifying which folders in each mailbox should be processed. When you have made your selection, you can continue. Click the Dates tab (see Figure 10.8).

Figure 10.8 The Dates Tab

12. In the Dates tab, you can select a date range, if you know the specific date your Exchange mailboxes started to be infected. Now click the Message Details tab (see Figure 10.9).

Figure 10.9 The Message Details Tab

13. The Message Details tab is probably the most important one, since this is where you enter the message subject and attachments to look for. This example specifies a few of the message subject lines relating to the Bagle.E worm. Click OK, then click Next. You’ll be presented with the Microsoft Exchange Mailbox Merge Wizard. Make your mailbox selections and click Next (see Figure 10.10).

Figure 10.10 ExMerge Mailbox Selections

14. Choose Default Locale of the mailboxes, then click Next.

15. Now specify the destination folder of the stripped messages’ .pst files (see Figure 10.11). Click Next, then click Next again.

Figure 10.11 ExMerge Specify Target Folder

16. ExMerge now starts to ExMerge any messages matching the criteria we defined earlier (see Figure 10.12).

Figure 10.12 ExMerging Data Matching Criteria

17. When the operation has completed successfully, click Finish.

ExMerge has now filtered any messages matching the criteria we specified earlier. These messages can be found in the folder we specified in Figure 10.11. One thing that’s important to remember is that using this method will only filter any matching messages from your users’ mailboxes, so if any of your users use local .pst files, they will not be checked.

Your A** Is Covered If You…

■ Know how to differentiate the existing types of viruses and other malicious programs from each other.
■ Use a multilayered defense system to protect against e-mail–borne viruses.
■ Use a multiple virus scanning engine product.
■ Educate your users about the potential risks of e-mail use.
■ Implement a strict attachment-blocking policy.
■ Take time to understand how you can clean up after a virus outbreak.

Chapter 11

Auditing Exchange

In this Chapter

Auditing Exchange usage is essential. If you are not currently auditing your Exchange system, you might not even realize you are having security problems. Still worse, you could discover that you have a security problem but not be able to track it down.
Auditing will help you in these tasks. The auditing process breaks down into a couple of categories: Windows 2000/2003 event auditing and Exchange 2000/2003 diagnostics logging. In this chapter we examine the following topics:

■ Windows 2000/2003 auditing
■ Auditing Changes to the Exchange Configuration
■ Exchange Diagnostics Logging
■ Microsoft Operations Manager and Exchange 2003

By the time you reach the end of this chapter, you will be aware of some of the options you have in regard to auditing your Windows 2000/2003 and Exchange 2000/2003 systems.

Windows 2000/2003 Auditing

The Event Log Service takes care of all Windows 2000/2003 auditing. You probably know the Event Log Service pretty well, so we won’t go into any details here describing it or show you how it works. Instead, let’s look at a few tips on what you should audit in regard to Exchange 2000/2003.

BY THE BOOK…

The Event Log Service records all types of events on the system (server). The service consists of several different logs: the Application log, the Security log, the System log, the Directory Service log, the DNS Server log, and the File Replication log. Dealing with Exchange 2000/2003 auditing, the interesting log is the Security log, which audits everything specified in the Audit Policy in the Local or Domain Policies.

One of the essential security auditing tools that you need to take advantage of is the built-in Windows 2000/2003 event auditing that you can turn on through the Local Security Policy or collectively for an entire organizational unit (OU) of computers through an Active Directory Group Policy Object. Figure 11.1 shows the typical audit policy events that it’s a good idea to configure.
Figure 11.1 Audit Policy Events for Exchange Servers

The events that we typically choose to audit notify us when someone accesses the server, when someone makes security or account-related changes to the server, and when someone restarts the server. Table 11.1 shows the events that we typically tend to log, along with an explanation of each.

Table 11.1 Recommended Audit Policy Events

| Policy | Explanation |
| Audit account logon events | Audits logons using domain accounts. |
| Audit account management | Audits changes to accounts, such as reset passwords or group membership changes. This audit event does not always generate the detail we’d like, such as whether an account is enabled or disabled—just that the account is changed. |
| Audit logon events | Audits logons using accounts that are local to the member server. |
| Audit policy changes | Audits policy changes such as changing the audit policy. |
| Audit system events | Audits events such as system shutdown or restart. |

Although we prefer not to configure an audit policy that logs every single activity that occurs on a server, we also shy away from minimal auditing or auditing that examines only failures. Each additional audit policy you place on the server increases the load on the server by some amount, and it increases the size of the security log files. If you are truly concerned about logging events that could affect the security of your system, you will log not only events in which someone has tried and failed to accomplish something; you will also look at events in which someone has tried and succeeded. This has been our philosophy for some time and it has served us well, though some people think we are a bit paranoid.
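
A check of the Table 11.1 policies against an exported security template, added here as an example that is not from the book. It assumes the template was written by `secedit /export /cfg`, that the five policies map to the [Event Audit] keys shown, and that auditing both success and failure (value 3) is the target; the sample template is constructed.

```python
import configparser

# Table 11.1 policy name -> key in the [Event Audit] section of a security
# template. The mapping is this example's assumption, not from the book.
BASELINE = {
    "Audit account logon events": "AuditAccountLogon",
    "Audit account management": "AuditAccountManage",
    "Audit logon events": "AuditLogonEvents",
    "Audit policy changes": "AuditPolicyChange",
    "Audit system events": "AuditSystemEvents",
}
SUCCESS, FAILURE = 1, 2  # template values are a bit mask: 0 = none, 3 = both

# Constructed sample, shaped like a `secedit /export /cfg` file.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 2
AuditObjectAccess = 0
AuditPolicyChange = 1
AuditAccountManage = 3
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

def audit_gaps(template_text):
    """Map each Table 11.1 policy that is not audited for both outcomes
    to the list of outcomes ("success", "failure") it does not record."""
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False, allow_no_value=True)
    parser.read_string(template_text.lstrip("\ufeff"))  # drop a BOM if present
    gaps = {}
    for policy, key in BASELINE.items():
        raw = parser.get("Event Audit", key, fallback=None)
        value = int(raw) if raw and raw.strip().isdigit() else 0  # unset = no auditing
        missing = [name for bit, name in ((SUCCESS, "success"), (FAILURE, "failure"))
                   if not value & bit]
        if missing:
            gaps[policy] = missing
    return gaps

if __name__ == "__main__":
    for policy, missing in audit_gaps(SAMPLE_TEMPLATE).items():
        print(f"{policy}: not auditing {' and '.join(missing)}")
```
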
For more information on Windows event auditing, we recommend you check the following Microsoft KB articles:

■ 299475, “Windows 2000 Security Event Descriptions (Part 1 of 2),” www.support.microsoft.com/?id=299475
■ 301677, “Windows 2000 Security Event Descriptions (Part 2 of 2),” www.support.microsoft.com/?id=301677
■ 314955, “How to Audit Active Directory Objects in Windows 2000,” www.support.microsoft.com/?id=314955

[...]

... Web server in an organization allows users to benefit by accessing information, downloading files, and using Web-based applications. Web servers are another popular hacker target. We’ll discuss steps to secure a web server later in this appendix.

Web Server Protocols

Microsoft’s Windows Server 2003 Web server product is Internet Information Services (IIS) 6.0, which is included with Windows Server 2003...

possible to analyze and graph performance data to understand usage trends, perform accurate load balancing, and manage system capacity. The following reports are available in the Exchange 2003 Management pack:

■ Health monitoring and operations report: Get a summary of Exchange 2003 health and usage, server availability, and configuration of Exchange 2003 servers, databases, and mailboxes.
■ Server availability...

Application Servers and Terminal Servers

Application servers and terminal servers provide the ability for users to access applications over the network. These roles are two of the most commonly used server roles and are ones you’re likely to implement or manage in your network.

Application Servers

Application servers allow users to run Web applications and...
percentage of server availability for computers running Exchange 2003 during the specified time period. The percentage of availability and unavailability is listed along with the reasons that the servers were unavailable.

■ Usage and health report: Get information about server usage and the health of computers running Exchange 2003 based on key Exchange and SMTP performance...

Windows Server 2003 cannot be domain controllers. Web Edition servers can be only stand-alone or member servers that provide resources and services to the network. A Windows Server 2003 computer can be changed into a domain controller by using the Configure Your Server Wizard or by using the Active Directory Installation Wizard (DCPROMO). DCPROMO is a...

servers and clients, and they allow users of those operating systems to log on to Windows Server 2003 domains. They are supported in Windows Server 2003 for backward-compatibility with these older systems. By implementing a WINS server, you allow clients to search for computers and other resources by computer name, rather than by IP address.

Web Servers

Web servers allow organizations to host their own Web...

parties and Microsoft). You can download a free management package specifically developed for Exchange 2003 servers. Read more about MOM and the Exchange 2003 management package at the following links:

■ Microsoft Operations Manager homepage: www.microsoft.com/mom
■ Download details, Exchange 2003: Management Pack: www.microsoft.com/downloads/details.aspx?FamilyId=56D036BF-8DD3-4993-BF07-07F99F1D5CC4&displaylang=en...
distributed applications and Web applications available to clients

■ Terminal server: This role provides Terminal Services for clients to access applications running on the server
■ Remote access/VPN server: This role provides remote access to machines through dial-up connections and virtual private networks (VPNs)
■ Streaming media server: This role provides...

user is accessing the store

Table 11.3 Exchange 2000/2003 Security-Related Events Found in the Application Log

| Source | ID | Explanation |
| MSExchangeIS Mailbox | 1009 | Mailbox access |
| MSExchangeIS Mailbox | 1016 | Mailbox access by... |
| MSExchangeIS Mailbox | 1029 | |
| MSExchangeIS Mailbox | 1032 | |
| MSExchangeIS Public | 1235 | |
| IMAP4SVC | 1000 | |
| IMAP4SVC | 1010 | |
| IMAP4Svc | 1011 | |
| IMAP4Svc | 1043 | |
| POP3SVC | 1000 | |
| POP3SVC | 1010 | |
| POP3SVC | 1011 | |
| POP3SVC | 1043 | |

organization. Securing the servers is an important part of any network administrator’s job.

■ Understanding Server Roles
■ Planning a Server Security Strategy
■ Planning Baseline Security
■ Customizing Server Security

In this appendix, we will first review server roles and ensure that you have an understanding of the many roles Windows Server 2003 can play on the network. Then we will delve into how to plan a server

of Exchange 2003 health and usage, server availability, and configuration of Exchange 2003 servers, databases, and mailboxes.

■ Server availability report: Find out the percentage of server

requirements.

Appendix • Planning Server Roles and Server Security

Understanding Server Roles

When Windows Server 2003 is installed on

Exchange 2000 or Exchange 2003 server. To understand where to enable auditing to follow Exchange organization

Posted: 13/08/2014, 15:20
