Practical Assessment 0523 (24 May 2017)

Build the environment

1. Installing two forest domain controllers for the root domain muduri.com.

   Role           Name    FQDN                IP address         OS
   Primary DC     SDC01   Sdc01.muduri.com    192.168.31.1/24    Windows Server 2012 R2
   Secondary DC   SDC02   Sdc02.muduri.com    192.168.31.2/24    Windows Server 2012 R2

2. Installing the mail server for the forest.

   Role           Name    FQDN                IP address         OS
   Mail server    EXS01   Exs01.muduri.com    192.168.31.3/24    Windows Server 2012 R2

3. Installing Microsoft Exchange Server 2013 on the mail server.
   Setting up mailboxes and groups for testing:
   - Send connector
   - Distribution groups and dynamic distribution groups

4. Allowing remote access to the Exchange server.
   - Create a new user named "remote" for remote access purposes.
   - Grant the necessary permissions to the user.
   - Enable remote access on the Exchange server, allowing only the designated user.
   - Add port forwarding rules on the firewalls.
   - Restrict the remote user's behaviour through group policy.

Add firewall and set up the DMZ

1. Installing IPCop as the gateway for the internal network.

   Role      FQDN                     IP internal          IP to DMZ          OS
   Gateway   NING-IPCOP.muduri.com    192.168.31.254/24    192.168.30.1/24    IPCOP 1.4.20

2. Installing pfSense firewall for the

   Role       FQDN                 IP to DMZ             IP public           OS
   Firewall   ningfw.muduri.com    192.168.30.254/24     172.16.10.30/24     pfsense 2.1

Topology

Five vulnerabilities of this scenario

1. Spam mail flooding the mail server causes many problems. This is a common attack, which dramatically consumes the resources of the mail servers and costly bandwidth.

2. Attacks on open ports. Attackers can port-scan the public IP. Once open ports are identified, attacks will target those ports. Ports conventionally used by well-known protocols are especially risky.

3. Denial of Service (DoS) attack. A DoS attack keeps requesting connections to a port or service until it exhausts the available connections of the server. Consequently, valid communication is blocked.

4. Directory harvest attacks (DHAs). Attackers send emails to the targeted organization from spoofed mail addresses. The email server sends back Non-Delivery Reports if the address is invalid, so the attacker eventually learns which addresses are valid within that organization. Some attackers conduct a DHA to gather valid addresses and then use this information for other attacks. In this case DHAs also occupy a large amount of resources.

5. Risks caused by domain users. Some valid users can also cause problems through inappropriate behaviour. For example, if a user sends email with large attachments, the mail server will soon run out of storage. Insecure behaviour by domain users can also introduce malware into the mail system. We are going to address these three:
   - Simple passwords
   - Removable disks carrying malware
   - Large attachments

Block the vulnerabilities

1. Add and enable the malware filter. On the ECP console, go to protection > malware filter and add rules.

2. Disable unnecessary ports on both the server and the firewalls. On the internal and perimeter firewalls, block unnecessary ports. On the internal and perimeter firewalls, change the Remote Desktop Protocol port to another available port. In my case the port has been translated from 3389 to 3398 to 3399. I changed the RDP port number through group policy, so that we can change the port by modifying one policy. Both firewalls accept the Snort published rules for internet security. Suricata was installed on the pfSense firewall.

3. Limiting mailboxes. On the ECP, go to servers > databases and modify the limits of the mailbox database. On the ECP, go to recipients > mailboxes, choose a user or user group, and modify its limits. On the ECP, go to mail flow > organization transport settings and modify the limits for all mailboxes.

4. Domain user policies.
   - Blocking USB disks
   - Password complexity
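Steps 1 and 3 of "Block the vulnerabilities" can also be applied from the Exchange 2013 Management Shell instead of clicking through the ECP, which makes the limits repeatable and easy to verify. The script below is an added example, not part of the original assessment; the database name MDB01, the test user alice@muduri.com and the quota and size values are assumptions.

```powershell
# Added example: apply "Block the vulnerabilities" steps 1 and 3 from the
# Exchange 2013 Management Shell on EXS01 instead of the ECP.
# Assumptions (not from the assessment): database MDB01, test user
# alice@muduri.com, and the quota/size values used below.

$Database = "MDB01"
$User     = "alice@muduri.com"

# Step 1 (ECP: protection > malware filter). "Default" is the policy
# Exchange 2013 creates at install time; make it delete infected mail.
# Scanning itself is switched on per server with the bundled script:
#   & "$env:ExchangeInstallPath\Scripts\Enable-AntimalwareScanning.ps1"
Set-MalwareFilterPolicy -Identity "Default" -Action DeleteMessage
Get-MalwareFilterPolicy | Format-Table Name, Action, IsDefault

# Step 3a (ECP: servers > databases): storage quotas on the mailbox
# database: warn at 1.9 GB, block sending at 2 GB, block send and
# receive at 2.3 GB. This is what stops a user filling the store with
# large attachments (vulnerability 5).
Set-MailboxDatabase -Identity $Database `
    -IssueWarningQuota 1.9GB `
    -ProhibitSendQuota 2GB `
    -ProhibitSendReceiveQuota 2.3GB

# Step 3b (ECP: recipients > mailboxes): per-user limits. The user keeps
# the database quotas but gets a tighter message size.
Set-Mailbox -Identity $User `
    -UseDatabaseQuotaDefaults $true `
    -MaxSendSize 10MB `
    -MaxReceiveSize 10MB

# Step 3c (ECP: mail flow > organization transport settings): the
# organization-wide message size limits. Send and receive connectors
# carry their own MaxMessageSize as well, so check those too.
Set-TransportConfig -MaxSendSize 10MB -MaxReceiveSize 10MB

# Verify the effective values after the change.
Get-MailboxDatabase -Identity $Database |
    Format-List Name, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota
Get-Mailbox -Identity $User |
    Format-List DisplayName, UseDatabaseQuotaDefaults, MaxSendSize, MaxReceiveSize
Get-TransportConfig | Format-List MaxSendSize, MaxReceiveSize
```

After running it, the ECP pages named in step 3 show the same values, so the two approaches can be cross-checked.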