While Messengers And Social Networks Are Gaining Traction, Some Experts Believe That The Use Of E-Mail Has Changed, E-Mails Are Still The Main Communication Channel For Official And Official Correspondence.

Secure Email Servers, For this reason, content stored on enterprise email servers has become more important than ever, and the issue of email server security should not be overlooked.

Email Server Security Challenges

Ensuring the security of email servers is one of the most important things that organizations should pay attention to because emails are still one of the most widely used communication mechanisms that host important information. As a result, if business confidential data stored on these servers is exposed, the serious economic damage will be done to businesses.

In addition, email servers must operate continuously so that users can access them at all times. If the servers fail for any reason, they can lose customer information and cause serious problems for the business. To prevent servers from malfunctioning, data loss, and other adverse events, you need to think about securing and configuring email servers so that you can quickly identify and fix vulnerabilities.

Potential vulnerabilities

When we talk about security breaches, we mean that there are one or more patched vulnerabilities that hackers could exploit. Indeed, it is impossible to deal with all the vulnerabilities, but we can reduce their number. To do this, we must follow security guidelines when configuring email servers to minimize the problems that we will address.

In this article, we no longer intend to mention the need to pay attention to installing operating system security patches and applications because we have talked about them in detail in previous issues of Network Monthly.

Unauthorized access

One of the most common attacks on email servers occurs when hackers circumvent authentication mechanisms to access users’ data. The first step to deal with this issue is to adopt strict policies for selecting strong passwords used to access the server.

This prevents passwords from being detected under the influence of pervasive search attacks, which is a common way to bypass the authentication mechanism. Another way to protect servers from user password hacking attacks is SMTP-based authentication.

Challenges related to data leakage

One of the most important goals of hackers is to gain access to users’ personal information. When an email is sent over the Internet, it goes through various paths and hops, most not secure. It is technically possible to interpret passwords, usernames, and even the content of messages. Incoming and outgoing emails should be encrypted to prevent such problems. To do this, the IMAP, POP3 and SMTP protocols must be encrypted using SSL / TLS certificates.

Spam

One of the common problems associated with emails, especially corporate emails, is the problem of spam. Spam Challenges are divided into two groups: sending spam to the user’s email client and sending spam to other clients based on the Open Reply technique. To prevent the Open Relay problem from occurring, the mail relay parameters of the server must configure correctly.

Content filtering mechanisms should use to prevent these problems. These filters are installed on an email server or a proxy application to protect access to the server. This program can be a firewall, proxy server and similar examples.

Another solution is to use a blocklist of spam servers. For example, blocklists based on DNS NDSBL, SPAM URI RBL SURBL, or local instances that contain spammers’ IP addresses are significantly prevented from receiving spam in the mailbox of mail servers.

Malware problems

Email servers and clients are constantly exposed to malware threats. When an email server becomes infected with malware, not only is the stability of the system compromised, but the clients that use it are also under serious threat. Other problems that malware poses are the loss of comprehensiveness and privacy of personal data and the spread of malware through email clients. To solve this problem, you need to use protection mechanisms against malware such as anti-virus.

Service Deprivation Attack (DoS)

The deprivation of service attacks caused by corporate email servers is completely destructive and prevents clients from sending or receiving emails. The above problem seriously damages the reputation of an organization. To prevent this problem, you should try to minimize the number of connections to the SMTP server as much as possible and limit the number of connections to the server at specified intervals and the number of simultaneous connections.

Server stability and performance

When we talk about maintaining server performance, we must think about implementing a load balancing mechanism in a server attack and malfunction. Most organizations use a backup server in this case. For email servers, the above process is done through two MX records for each domain. Email servers offer SMTP authentication options.

If the above option is enabled, you must have a username and password to send an email to the server. Enabling this option is important because it protects the server against sending out repeated requests.

In this case, uninterrupted server performance is guaranteed. Another important option that needs to be set up and configured properly is Mail Relay. The above option allows you to specify through which IP addresses the server can send an email. This is used to prevent large numbers of messages from being sent to destabilize the server. Another powerful solution available to maintain server performance is the Reverse DNS system mechanism.

The above filter can use to compare IP addresses with hostname and domain. In addition, the server can use against malicious emails based on this strategy.

Preparation of required documents

The first step is to figure out what, why and how it should address. These three questions are vital and should be answered carefully during the review and audit process, focusing only on the most important details.

• What: Make a list of all the data, including usernames, contact lists, attachments, and other items that you think are needed to track vulnerabilities. The list can be divided into several different checklists. It is best to prioritize each item on the list to make it easier to identify more serious problems.
• How: Using the list of components you have prepared, identify the tools and applications you can monitor and review. Next, you need to specify a way to check and control each element of this list. Expand the list of potential vulnerabilities using the list of vulnerabilities, and include controls to investigate the existence of these vulnerabilities.
• Why: You need to specify the reason, priority and extent of coverage of each control operation so that you can identify the most important items. At this point, you need to remove duplicates from the list.

You can use NIST SP 800-45 checklists when preparing the checklist. After preparing the list, specify the scope of work and the necessary resources. Once you have prepared a report on the current state of server security, you should first evaluate the highest priority issues and examine their problems.

Analyze identified problems

In the analysis process, the risks should evaluate based on the following equation.

Impact × Probability Exposure to risk

 (Impact × Likelihood × Exposure)

Give each of the above points between 1 and 5. The number 5 indicates that a simple problem cannot bypass, and the number one indicates that the item on the list is not a serious security challenge.

The explanation of each of the parameters listed in the above equation is as follows:

• Impact: The impact of an accident or problem depends on the components that are at risk. In some cases, this effect may be weak (for example, server performance is disrupted for 100 milliseconds), and sometimes it may be strong (loss of database information). If the checklists are prepared correctly, it is possible to identify better the effects based on them.
• Probability: refers to how reproducible the problem is and how simple it is to repeat. A clear example of this is filling the server memory with UDP packets through an open TCP port.
• Risk: The above parameter indicates how difficult it is to diagnose the problem and occur during normal server operation? Being at risk can be from impossible (several unlikely problems occurring simultaneously) to unavoidable (using words like Password as the management account’s password) or server failure due to receiving more than 1000 emails simultaneously.

After evaluation, all identified problems are sorted by the degree of risk-based formula (impact × probability risk). In the next step, any event that is riskier than the specified value should be investigated. This assessment helps to identify events (vulnerabilities (cyber threats such as data loss), defects (loss of loyal customers due to spam). And less important problems so that vulnerabilities and shortcomings can be prioritized to address them.

 Repair vulnerabilities

Typically, there are three solutions to the so-called vulnerabilities:

1.  Use a newer version of the software or replace the software with another safe software.
2.  Install third-party software that can fix the problem.
3. Disable problematic features.

The important things to look out for are the level of risk, the budget involved, and the resources needed to make the terms. Each of these factors has a major impact on the timing of remedial action and prioritization. So it’s best to fix simpler and easier problems to solve, rather than postpone them. Typically repairing complex vulnerabilities is a time-consuming process that takes several days, so it’s best not to sacrifice small but dangerous problems for complex vulnerabilities. It is recommended to group vulnerabilities that can fix with a simple modification. This will save you money in the long run.

A Case Study of Cyber ​​Security

• MS Exchange Server

Exchange Server is one of Microsoft’s most widely used email servers currently offered and is only installed on the Windows Server operating system. In addition to standard protocols such as SMTP, POP3 and IMAP, the software can support specific protocols such as EAS and MAPI. To get an overview of security measures related to managing and identifying vulnerabilities around email servers, in this section, we will take a look at Exchange Server from a security perspective. The most important components of Exchange Server are:

• Edge Transport Server: This component monitors the process of sending and receiving emails. The above component works best when an organization’s communication infrastructure is divided into a protected internal network, an unprotected environment, and a civilian area (DMZ). Typically, the above component is launched in the civilian area and Mailbox in the private network. Edge Transport Server provides an additional layer of protection for messages to expose the server to fewer external attacks. Edge Transport is an optional component that can be installed or not installed when installing Exchange Server.

• Database Availability Group: A component that provides high availability and retrieval of data on the server. DAG is one of the main components of Mailbox that ensures the availability and retrieval of data after various events.

• Spam Protection: The spam protection component interacts better with some anti-spam tools installed internally in the communication network. The Spam Protection component can enable directly on the Mailbox server.

• Malware protection: The above component is available to network administrators through the Malware agent on the Mailbox server. This feature is enabled by default in Exchange 2016.

• Outlook Web Access: A web-based email client that allows access to all the features needed to manage emails without fully installing the desktop email client.

• In addition to these key components, Exchange Server uses some of the proprietary services and protocols as follows:

• Exchange ActiveSync: A protocol for matching email to mobile devices.

• Exchange Web Services: A set of multi-platform application programming interfaces that provide client applications access to emails, contacts, and other information.

• RPC over HTTP, MAPI over HTTP: These proprietary protocols allow email clients to communicate with the Exchange Server.

Given that Exchange Server plays a key role in managing emails, it must be properly configured and evaluated regarding security settings and anti-malware because malware infection affects the server and the clients who use it. Puts. In this step, we intend to review the process of testing and evaluating a concept server based on the policies mentioned at the beginning of the article.

Software test

Exchange Server security testing is best done based on organizational considerations and current environment infrastructure settings. Typically, an organization’s communication infrastructure may be based on the following scenarios:

• Scenario 1: The company has an internal network with Internet access. An MS Exchange Server with basic settings and no Edge Transport Server installed.
• Scenario 2: The company has an internal organizational network located within the civilian area and accesses the Internet through this area. The two Exchange servers, together with the accessibility group of the reproducible database and the Edge Transport Server installed in the civilian area, form the communication structure of this organizational network.
• As you can see in Scenario 1, the network is vulnerable to cyber-attacks. However, some companies use the above architecture due to cost savings. Before starting the test, the infrastructure should configure according to the application-defined for it, and the test should be performed in such a way as to identify hazards.

Personal data leakage protection test

In the above test, the connections between the Exchange Server and the email clients are interpreted. The above operation should perform based on the following checklist:

1.  EAS, MAPI, IMAP and SMPT email protocols are configured on the email server.
2. The email client must be installed and tested on the OWA web client, mobile and desktop (Atloc, Thunderbird).
3. Hardware configuration performs to simulate a middle man attack (MITM) between server and client, and then Wireshark, tcpdump, and Fiddler use to analyze the data.
4.  Data is transferred between client and server via IMAP, MAPI, EAS or SMTP protocols.
5.  The middle man attack interprets network packets, and attempts are made to identify unencrypted data.

Spam protection test

An example Exchange Server protection test against spam is based on the following scenario:

1. It is best to set up several local email servers to send spam to the tested Exchange Server.
2. . Send some spam to Exchange Server and use the available scripts to create spam.
3.  Once spam is sent, the inboxes that are targeted should be checked to see if spam has been sent to them.

It is best to perform this test for cases where anti-spam filters for Mailbox and Edge Transport Server are enabled and disabled. This helps to evaluate the effectiveness of anti-spam mechanisms.

Test for protection against malware-infected emails

It would be best if you had several malware-infected attachments to perform a test to protect against emails infected with malicious attachments. The Standard Anti-Virus Test File is best to perform the first test using an EICAR file called Eciar. This file is not originally malware and does not contain any malware. However, most antivirus software identifies it as a malicious file. In this test, it is best to use files that have been created for a specific purpose. For example, use special dynamic library (DLL) files that do not contain malicious code, but antivirus detects them as infected files.

Then perform the test based on the following steps:

1.  Disable Malware Protection on Exchange Server.
2.  Send several malware-infected emails to different clients.
3.  On recipient clients, search for emails to find malware.
4. Repeat the same scenario for the case where the Malware Protection Agent is enabled on the server. In addition, repeat the test if this factor is enabled for Edge Transport Server.
5.  Now compare the results.

User password test

To test the reliability of users’ passwords, we can use Hydra, which is in the Kali Linux distribution. The above software allows us to identify weak passwords based on the pervasive search attack vector. In this test, the attack is performed through SMTP, IMAP and POP3 protocols.

Test for protection against deprivation of service

To test for protection against deprivation of service attacks, you should simulate traffic to test the stability of Exchange Server services in the event of such attacks.

In addition, it is better to simulate various network failures. You can use software such as WANem for this purpose. In the above test, check which Exchange Server is more resistant to attacks and how fast the recovery process occurs when an attack occurs. When performing the test, consider the above accessibility and check if the database accessibility component of the Exchange Server is enabled. In addition, is there another server intended for backup?

Results

Once you have done these tests, you should classify the results in Table 1 to make the vulnerability repair process easier.

 Report Exchange Server test results

 

last word

This article has examined email server security and shows the important points you should pay attention to when performing security tests. In addition, we provide an overview of attacks that target email servers, briefly analyze them, and show you how to identify and repair vulnerabilities.

Finally, as a case study, we examined the security status of Exchange Serve, a popular server based on the Windows platform. Finally, it should note that the purpose of preparing the above article was to show that server security should consider in the early stages of planning to install a server because planning to deal with potential threats prevents serious damage to the reputation. Enter the organization.