Wednesday, January 19, 2005

How about a magic "Tarpit" ride?

Well, I guess security attacks come from every angle. You have to make sure you're covered from every angle, right?

I suppose it's time to let you in on a secret (if you can call a publicly available KB article a secret :) ). Tarpitting is the act of slowing an attacker down so they can't accomplish their task in a short period of time. Usually, if an attacker can't do something quickly, they're going to give up, unless you specifically are the target.

So, let's all do an update to help prevent the enumeration of Exchange Server 2003 e-mail addresses.

So, to help prevent lookups of your e-mail addresses, let's get started:

  1. Call PSS (it's a free call for an update) and request that they send you the update from article ID 842851.

  2. Open Server Management, Advanced Management, First Storage Group, Global Settings, Global Settings.

  3. Right-click on the Mail Delivery node and select Properties.

  4. On the Recipient Filtering tab, click Filter Recipients who are not in the Directory.

That enables the filter; now we need to set the timeout in order to delay the false requests. To do this, we'll have to set this registry value:

Key: HKLM\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters
Value Name: TarpitTime
Type: DWORD

For the value, set the number of seconds the SMTP server will delay its response to a request to send e-mail to a non-existent user. I have mine set to 10 seconds, which is what I would recommend.

We're almost done. The filter is ready; now we just need to enable it on the SMTP virtual server.

  1. Back in Server Management, open Advanced Management, First Storage Group, Servers, {ServerName}, Protocols, SMTP.

  2. Right-click on Default SMTP Virtual Server and choose Properties.

  3. On the General Tab click on the Advanced button.

  4. Make sure (All Unassigned) is selected and click Edit.

  5. Click Apply Recipient Filter, and OK your way out.

  6. The last step is to open a command prompt (Start -> Run -> type "cmd").

  7. In the command prompt, reset IIS using the "iisreset" command.

That's it! Now your server will delay 10 seconds each time a sender tries to deliver e-mail to an address that doesn't exist in your AD.

What's wrong, don't believe me?
Try these steps to prove it's working:

  1. Telnet to port 25 (run the command "telnet {servername} 25").

  2. In the window that comes up, type "helo".

  3. After the response, type "mail from: foo@bar.com".

  4. After that response, type "mail to: foobar@{yourdomain}.com". Notice that it takes about 10 seconds to respond with "Invalid Address"... That is, if you don't have anyone named foobar at your company. :o)

Pretty cool eh!? It will take quite a bit longer now to enumerate the addresses on your server using a dictionary attack.
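Here is the same check scripted so you can run it against more than one address and actually measure the delay, as an added example that is not part of the original post. It announces the recipient with RCPT TO, the standard SMTP verb for that step, and treats a 5xx reply that only arrives after roughly the configured TarpitTime as proof the tarpit is working. The host, port, addresses and the small fake SMTP server at the bottom (which just simulates recipient filtering plus a delay so the script runs offline) are all constructed for this example, not taken from Exchange.

```python
import socket
import socketserver
import threading
import time

def _reply(f):
    # Return the final line of an SMTP reply, skipping "250-" style continuation lines
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 4 or line[3] != "-":
            return line

def measure_rcpt_delay(host, port, helo, sender, recipient, timeout=60):
    # The post's telnet check over a socket: time the reply to RCPT TO for `recipient`
    with socket.create_connection((host, port), timeout=timeout) as s:
        f, send = s.makefile("rb"), lambda l: s.sendall((l + "\r\n").encode("ascii"))
        _reply(f)                                    # 220 banner
        send("HELO " + helo); _reply(f)
        send("MAIL FROM:<%s>" % sender); _reply(f)
        start = time.monotonic(); send("RCPT TO:<%s>" % recipient)
        reply, elapsed = _reply(f), time.monotonic() - start
        send("QUIT"); _reply(f)
        return reply, elapsed

def tarpit_in_effect(host, port, helo, sender, bogus, expected_seconds):
    # True when an unknown recipient is rejected (5xx) only after roughly the configured delay
    reply, elapsed = measure_rcpt_delay(host, port, helo, sender, bogus)
    return reply.startswith("5") and elapsed >= 0.8 * expected_seconds

class FakeTarpitSMTP(socketserver.StreamRequestHandler):
    # Constructed stand-in (not Exchange) for a server with recipient filtering and TarpitTime set
    valid, tarpit_seconds = {"sean@example.com"}, 0.5    # hypothetical directory and delay
    def handle(self):
        self.wfile.write(b"220 fake ready\r\n")
        for raw in self.rfile:
            cmd = raw.decode("ascii", "replace").strip()
            if cmd.upper().startswith("RCPT TO:"):
                addr = cmd.split(":", 1)[1].strip(" <>").lower()
                if addr not in self.valid:
                    time.sleep(self.tarpit_seconds)  # the TarpitTime delay before the reject
                    self.wfile.write(b"550 5.1.1 User unknown\r\n"); continue
            if cmd.upper() == "QUIT":
                self.wfile.write(b"221 bye\r\n"); return
            self.wfile.write(b"250 OK\r\n")

def start_fake_server():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeTarpitSMTP)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Point `tarpit_in_effect` at your real server with your own bogus address and the TarpitTime you configured; a quick 5xx means the filter is on but the tarpit is not, and a quick 250 means the recipient filter itself is not applied.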

2 comments:

Anonymous said...

Sean,

In version 1.0 of KB842851, a download of the 885881 hotfix was available, and the date of Smtpsvc.dll was 16-Sep-2004. Now, in version 5.0, Microsoft has pulled the download; it is available through PSS, and the date of Smtpsvc.dll is 22-May-2004.
Is it different from the previous version, and does it mean that those of us who have already applied it must reapply it?

Thanks in advance for your comments,

IK

Sean Daniel said...

Hrm, I'm not sure. I could chase it down, but the easiest way is to try the steps above and see if the 10 second timeout happens; if it doesn't, you'll need to get the latest version from PSS.