
Microsoft Exchange – prevent network attacks

2022-06-23 07:52:00 Khan security team

Microsoft Exchange servers are a common target for threat actors: not only do they offer multiple entry points, but their tight integration with Active Directory also provides opportunities for persistence and domain escalation. Compromising an organization's domain through Exchange can be a trivial task, especially when few security controls are in place.

The following figure illustrates a real-world attack carried out by a threat actor who abused Exchange services, the Exchange API and standard Outlook functionality to achieve full domain compromise.

Stopping these attacks requires a series of measures that organizations should implement to reduce the risk of a security breach through Microsoft Exchange. These measures include:

  • Disable unnecessary services
  • Enable two-factor authentication
  • Enable LDAP signing and LDAP channel binding
  • Apply critical security patches and workarounds

Disable unnecessary services

A default installation of Microsoft Exchange enables the following services:

  • Outlook Web Access (OWA)
  • Exchange Web Services (EWS)
  • Exchange ActiveSync (EAS)

All of these services create an attack surface that a threat actor can use to discover valid credentials, access user mailboxes and perform domain escalation attacks. Outlook Web Access allows domain users to reach their mailboxes from outside the organization. Whether Exchange Web Services and Exchange ActiveSync are needed, however, should be evaluated against actual business requirements.

Exchange Web Services allows client applications to communicate with the Exchange server. If EWS does not serve a specific business need, access to it should be disabled. Executing the following command from the Exchange Management Shell disables EWS access for all mailboxes.

Get-Mailbox | Set-CASMailbox -EwsEnabled $false
Disable EWS access

The ActiveSync protocol allows domain users' mobile devices to synchronize data (mail, calendar, contacts and tasks) with their Exchange mailbox. If the organization does not need this protocol, it should be disabled.

Get-Mailbox | Set-CasMailbox -ActiveSyncEnabled $false
Disable ActiveSync

Authentication for these services should also be disabled, to reduce the attack surface available to a threat actor during a password spraying attack.

Disable EWS authentication
Disable ActiveSync authentication
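The one-liners above are what the article gives; the script below is an added example (not from the original article) that does the same job across a whole organization and then verifies the result. It assumes the Exchange Management Shell on-premises cmdlets, adds -ResultSize Unlimited because Get-Mailbox and Get-CASMailbox return at most 1000 objects by default (so the plain one-liner silently skips mailboxes past the first 1000 in a larger tenant), and, as this example's own reading of "authentication should also be disabled", turns off Basic authentication on the EWS and ActiveSync virtual directories. The -Apply switch and the report format are this example's own.

```powershell
# Added example: audit and disable EWS and ActiveSync for every mailbox,
# then stop the exposed endpoints from accepting Basic (plaintext) credentials.
# Run from the Exchange Management Shell. Without -Apply it only reports.
param(
    [switch]$Apply
)

# 1. Inventory: which mailboxes still have the protocols switched on?
#    -ResultSize Unlimited is essential; the default cap is 1000 objects.
$cas   = @(Get-CASMailbox -ResultSize Unlimited)
$ewsOn = @($cas | Where-Object { $_.EwsEnabled })
$easOn = @($cas | Where-Object { $_.ActiveSyncEnabled })
Write-Host ("Mailboxes total: {0}  EWS enabled: {1}  ActiveSync enabled: {2}" -f `
    $cas.Count, $ewsOn.Count, $easOn.Count)

if (-not $Apply) {
    Write-Host "Report only. Re-run with -Apply to disable EWS/ActiveSync and Basic auth."
    return
}

# 2. Disable per mailbox. Only mailboxes where the protocol is on are touched,
#    so the script is safe to re-run (new mailboxes get EWS enabled by default).
$ewsOn | Set-CASMailbox -EwsEnabled $false
$easOn | Set-CASMailbox -ActiveSyncEnabled $false

# 3. Assumed hardening step: refuse Basic authentication on the virtual
#    directories so password spraying cannot use plaintext credential checks.
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -BasicAuthentication $false
Get-ActiveSyncVirtualDirectory  | Set-ActiveSyncVirtualDirectory  -BasicAuthEnabled $false

# 4. Verify: anything left enabled is printed so drift is visible.
$left  = @(Get-CASMailbox -ResultSize Unlimited |
           Where-Object { $_.EwsEnabled -or $_.ActiveSyncEnabled })
$basic = @(Get-WebServicesVirtualDirectory | Where-Object { $_.BasicAuthentication }) +
         @(Get-ActiveSyncVirtualDirectory  | Where-Object { $_.BasicAuthEnabled })

if ($left.Count -eq 0 -and $basic.Count -eq 0) {
    Write-Host "EWS and ActiveSync are disabled for all mailboxes; Basic auth is off."
} else {
    $left  | Format-Table Name, EwsEnabled, ActiveSyncEnabled -AutoSize
    $basic | Format-Table Identity, BasicAuthentication, BasicAuthEnabled -AutoSize
}
```

Because newly created mailboxes are provisioned with EWS and ActiveSync enabled, the per-mailbox setting is not a one-time fix; schedule the script (or the article's one-liners with -ResultSize Unlimited) to run regularly and treat a non-zero "left" count as a finding.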

Enable two-factor authentication

Most attacks against Microsoft Exchange require the attacker to have already obtained a user's domain credentials (through password spraying, phishing, etc.). Enabling two-factor authentication for all exposed services (such as Outlook Web Access, Exchange Web Services and ActiveSync) will prevent a threat actor from:

  1. Accessing user mailboxes and collecting sensitive data
  2. Conducting internal phishing attacks with a higher success rate
  3. Establishing persistence on the network through arbitrary Outlook rules
  4. Compromising the domain

Although two-factor authentication provides an additional layer of security, it should be seen only as the first line of defence. Other remediations are needed to prevent the attacks from being carried out.

Apply critical patches and workarounds

Microsoft recommends deleting the following registry value in order to prevent NTLM authentication requests made against the network loopback address of the Exchange server. This blocks an attack that lets a threat actor add forwarding rules to a target mailbox or add a compromised account as a mailbox delegate. The impact of that attack is retrieval of email and impersonation of users, which enables internal phishing attacks.

reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableLoopbackCheck /f
Disable loopback check

Abuse of Exchange push subscriptions can lead to domain escalation. Microsoft has released patches for the various versions of Exchange Server that fix the issue by reducing the privileges Exchange holds in Active Directory.

  • KB4471391 – Exchange 2019
  • KB4471392 – Exchange 2016
  • KB4345836 – Exchange 2013
  • KB4487052 – Exchange 2010

This technique requires valid Exchange credentials and relies on EWS to perform authentication. Disabling Exchange Web Services (EWS) authentication will prevent the attack.

Disable EWS authentication

Likewise, disabling Exchange Web Services mailbox access across the organization produces the same result.

Get-Mailbox | Set-CASMailbox -EwsEnabled $false
Disable EWS access

A threat actor will then be unable to authenticate through Exchange to send API calls, and will receive the following error in their terminal.

Prevent PrivExchange attack

Benjamin Delpy proposed on Twitter setting MaxSubscriptions to zero as a mitigation for the vulnerability. This setting prevents Exchange from sending any EWS notifications.

The following commands need to be executed from the Exchange Management Shell:

New-ThrottlingPolicy -Name NoEWSSubscription -ThrottlingPolicyScope Organization -EWSMaxSubscriptions 0
Restart-WebAppPool -Name MSExchangeServicesAppPool
Create a new throttling policy

Attempts to use Exchange API calls (push subscriptions) to perform domain escalation will then be denied.

Subscription disabled
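The two commands above create the policy once; an added example (not from the original article or from Benjamin Delpy) that applies the same EWSMaxSubscriptions workaround idempotently and checks what is actually in effect follows. It keeps the article's policy name NoEWSSubscription; the reuse-existing-policy logic, the WebAdministration import and the drift report are this example's own.

```powershell
# Added example: enforce EWSMaxSubscriptions = 0 without creating a competing
# organization-scoped policy, then report any policy that still allows subscriptions.
$policyName = 'NoEWSSubscription'

# Only one Organization-scoped throttling policy can exist; it overrides the
# Global defaults for every mailbox that has no explicit policy assigned.
$orgPolicy = Get-ThrottlingPolicy |
             Where-Object { $_.ThrottlingPolicyScope -eq 'Organization' }

if ($orgPolicy) {
    if ($orgPolicy.EWSMaxSubscriptions -ne 0) {
        # Reuse the existing organization policy rather than failing on New-ThrottlingPolicy.
        Set-ThrottlingPolicy -Identity $orgPolicy.Name -EWSMaxSubscriptions 0
        Write-Host ("Updated existing organization policy '{0}'." -f $orgPolicy.Name)
    } else {
        Write-Host ("Organization policy '{0}' already blocks EWS subscriptions." -f $orgPolicy.Name)
    }
} else {
    New-ThrottlingPolicy -Name $policyName -ThrottlingPolicyScope Organization -EWSMaxSubscriptions 0
    Write-Host ("Created organization policy '{0}'." -f $policyName)
}

# EWS caches throttling settings in its worker process; recycle the pool so the
# change applies now rather than after the next cache refresh. Restart-WebAppPool
# comes from the IIS WebAdministration module, which EMS does not load by itself.
Import-Module WebAdministration -ErrorAction Stop
Restart-WebAppPool -Name MSExchangeServicesAppPool

# Mailboxes with an explicitly assigned Regular-scope policy keep that policy's
# limits, so any such policy that still permits subscriptions is a gap to close
# (EWSMaxSubscriptions may read as a number or as 'Unlimited').
$gaps = Get-ThrottlingPolicy |
        Where-Object { $_.ThrottlingPolicyScope -eq 'Regular' -and "$($_.EWSMaxSubscriptions)" -ne '0' }
if ($gaps) {
    Write-Host "Regular-scope policies that still allow EWS subscriptions:"
    $gaps | Format-Table Name, EWSMaxSubscriptions -AutoSize
} else {
    Write-Host "No Regular-scope policy allows EWS subscriptions."
}
```

Run this on one Mailbox server from the Exchange Management Shell; throttling policies are organization-wide objects, but the application pool recycle is per server, so repeat the Restart-WebAppPool line on every server that hosts the EWS virtual directory.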

Disabling EWS authentication entirely also blocks NTLM relay attacks, which aim to gain access to a user's mailbox without having to crack the password hash.

Prevent NTLM relay attack

Alternatively, if authentication is required, Microsoft Exchange can be configured to deny all incoming NTLM traffic for domain accounts.

Restrict incoming NTLM traffic

This causes threat actors who rely on NTLM relay as a technique to obtain mailbox access and perform malicious operations to fail.

ExchangeRelayX authentication failed
Python script – CVE-2018-8581

Outlook rules

In 2015 Nick Landers discovered that the Microsoft Outlook Rules and Alerts feature could be abused to execute arbitrary code from a remote location (a WebDAV or SMB share) and gain persistent access to the user's host. Microsoft released a patch (KB3191893) that addresses this issue by creating a registry entry. A value of zero disables the Outlook rules.

Outlook 2016
HKEY_USERS\<SID>\Software\Microsoft\Office\16.0\Outlook\Security\EnableUnsafeClientMailRules

Outlook 2013
HKEY_USERS\<SID>\Software\Microsoft\Office\15.0\Outlook\Security\EnableUnsafeClientMailRules
Disable Outlook rules – registry

Applying the Microsoft patch permanently disables any client mail rules.

Outlook rule disabled

Outlook home page

The Outlook home page feature can be used to inject a page that executes an arbitrary payload on the user's system. Browsing the mailbox folder or restarting Microsoft Outlook triggers the payload. This technique was discovered by Etienne Stalmans, and carrying out the attack requires user credentials.

Microsoft has released a patch (KB4011162) that addresses this vulnerability by removing the home page feature from the inbox properties.

Outlook home page removed

Enforce LDAP signing and LDAP channel binding

Various attacks related to Microsoft Exchange abuse the existing trust relationship with Active Directory to modify permissions and gain elevated access. Preventing these attacks requires enabling LDAP signing and LDAP channel binding. Currently this setting is disabled by default, but Microsoft plans to release a security update (January 2020) that enables LDAP signing and LDAP channel binding. Administrators can make the change manually through the Group Policy Management Editor.

LDAP server signing

LDAP signing for clients can be enabled through group policy or the local security policy.

LDAP client signing

LDAP channel binding can be enabled by creating a registry value at the following registry locations:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<LDS instance name>\Parameters

A value of 2 means that channel binding is always enforced.

LdapEnforceChannelBinding=2
LDAP Channel binding
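The loopback check, the Outlook rules registry entry and the channel binding value above are three settings that drift silently, each on a different machine role. As an added example (not from the original article), the audit script below checks all three and prints what is actually set: DisableLoopbackCheck on the Exchange server (expected absent), EnableUnsafeClientMailRules under each user hive on a workstation (expected 0 for Outlook 2016 and 2013), and LdapEnforceChannelBinding on a domain controller (expected 2). The check table, function name and output format are this example's own; the final event query is an assumption that a domain controller's Directory Service log has event 2889 available, which Windows writes for unsigned LDAP binds once the "16 LDAP Interface Events" diagnostic level is raised.

```powershell
# Added example: report drift in the registry settings the article recommends.
# Run on each role and read the rows that apply to that machine.
$checks = @(
    @{ Name     = 'DisableLoopbackCheck (Exchange server)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'DisableLoopbackCheck'
       Expected = $null }          # article: delete the value
    @{ Name     = 'LdapEnforceChannelBinding (domain controller)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value    = 'LdapEnforceChannelBinding'
       Expected = 2 }              # 2 = always enforce channel binding
)

# The Outlook rules setting lives under each loaded user hive, one entry per
# Office version (16.0 = Outlook 2016, 15.0 = Outlook 2013).
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$userHives = Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }
foreach ($hive in $userHives) {
    foreach ($ver in '16.0', '15.0') {
        $checks += @{ Name     = "EnableUnsafeClientMailRules $ver ($($hive.PSChildName))"
                      Path     = "HKU:\$($hive.PSChildName)\Software\Microsoft\Office\$ver\Outlook\Security"
                      Value    = 'EnableUnsafeClientMailRules'
                      Expected = 0 }   # 0 = unsafe client rules disabled
    }
}

function Test-RegistrySetting($check) {
    # Returns one row per setting: expected vs actual, plus an Ok flag.
    $actual = $null
    if (Test-Path $check.Path) {
        $actual = (Get-ItemProperty -Path $check.Path -Name $check.Value `
                   -ErrorAction SilentlyContinue).($check.Value)
    }
    [pscustomobject]@{
        Setting  = $check.Name
        Expected = if ($null -eq $check.Expected) { '<absent>' } else { $check.Expected }
        Actual   = if ($null -eq $actual)         { '<absent>' } else { $actual }
        Ok       = ($actual -eq $check.Expected)   # $null -eq $null is true, as wanted
    }
}

$checks | ForEach-Object { Test-RegistrySetting $_ } | Format-Table -AutoSize

# Before enforcing LDAP server signing, find clients that still bind unsigned:
# on a domain controller with LDAP Interface Events diagnostics at level 2,
# event 2889 names each such client (assumption: log is readable from here).
$unsigned = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } `
            -MaxEvents 50 -ErrorAction SilentlyContinue
if ($unsigned) {
    Write-Host "Clients performing unsigned LDAP binds (most recent 50 events):"
    $unsigned | Select-Object TimeCreated, Message | Format-List
}
```

A row with Ok = False is the finding: for DisableLoopbackCheck it means the value is still present, for LdapEnforceChannelBinding that a domain controller still accepts binds without channel binding, and for EnableUnsafeClientMailRules that a user on this workstation can still run rules with unsafe actions. The 2889 list is what to fix (or consciously accept) before flipping server signing to "Require", since those clients will start failing at that point.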

Summary

Applying Microsoft security patches promptly and implementing the workarounds will improve an organization's resilience against cyber attacks that target Microsoft Exchange. The following figure summarizes the patches and mitigations described in this article.

The following table relates the functionality abused by threat actors to what they can accomplish with it, together with the relevant Microsoft patches and CVE numbers.

Functionality      | Technique            | Microsoft patch                                                                                                | CVE number
Outlook rules      | Code execution       | KB3191883, KB3191893, KB3191938                                                                                | Not applicable
Outlook home page  | Code execution       | KB4011162 (Outlook 2016), KB4011178 (Outlook 2013), KB4011196 (Outlook 2010)                                   | CVE-2017-11774
Outlook forms      | Code execution       | KB3191883                                                                                                      | Not applicable
Push subscription  | Privilege escalation | Not applicable                                                                                                 | CVE-2018-8581
Push subscription  | Domain escalation    | KB4471391 (Exchange 2019), KB4471392 (Exchange 2016), KB4345836 (Exchange 2013), KB4487052 (Exchange 2010)     | CVE-2019-0686, CVE-2019-0724

Original article: https://yzsam.com/2022/01/202201122252498036.html

Copyright notice: this article was written by [Khan security team]; please include a link to the original when reposting.