MS Exchange - Black box and white box Penetration Testing Approaches

    • The following four vulnerabilities, reported at https://support.microsoft.com/?kbid=2706690, affect various versions of Microsoft Exchange Server (source):
      • WebReady document viewing could allow remote code execution, 2012
      • Sent item is copied to the Sent Items folder of the wrong mailbox in an Exchange Server 2010 environment when a user is granted the Send As permission, 2012
      • EdgeTransport.exe process repeatedly crashes on an Exchange Server 2010 server, 2012
      • ItemSubjectField is empty for MailboxAuditLog, 2012

    • To be divided into: OWA, spam, black box and white box testing.
    • Spam/message hygiene http://www.msexchange.org/articles-tutorials/exchange-server-2000/security-message-hygiene/Secure_Your_Mail_Server_GFI_MailSecurity_for_ExchangeSMTP.html
    • Port scan
    • Self-signed certificates in use?
    • Placement of the server in the network infrastructure: Microsoft recommends placing the server behind an ISA server (Internet Security and Acceleration Server is the successor to Microsoft's Proxy Server 2.0 and is part of Microsoft's) and, ironically, not in a perimeter network of your firewall.
    • Send malware to yourself
    • Test the anti-spam filters (e.g. send yourself typical spam content such as "viagra" messages); this software is included with the HTS (Hub Transport Service Load Balancer).
    • Brute force account passwords
    • Do not install Exchange Server on a domain controller.
    • Preparing for such a test, I would start with
    • NTLM hashes are easy to break, and there is a flaw in the RPC over HTTP proxy feature that forces the use of either Basic (plain text) or NTLM (not NTLMv2) authentication. If the proxy was not set up to use HTTPS, the hashes can be sniffed off the wire and cracked with rainbow tables to recover a password.
    • Is SSL enabled on the deployed OWA?
    • You should also look at Exchange's new security features, which are configured during installation and customization:
      • Sharepoint integration
      • Controlling file shares
      • File control and access restrictions
      • User access and control restrictions
      • Security and Exchange ActiveSync for mobile users on phones and PDAs
    • In your pentest, use the Metasploit Framework's exploits for Exchange Server.
    • Security Configuration Wizard: link1 and link2
    • What is the mail server's patch level?
    • Enable RPC encryption in Exchange 2010
    • Check that attachment size is restricted (source)
    • Run the Exchange Best Practices Analyzer. After you’ve finished securing Exchange 2010, run the Microsoft Exchange Best Practices Analyzer (ExBPA). It will help verify that your Exchange deployment adheres to Microsoft’s best practices as well as alert you to certain security settings that still need to be implemented or adjusted.
    • (imho optional) Deploy Information Rights Management in Exchange 2010. One of the best ways to protect Exchange mail is to enable Information Rights Management (IRM). IRM lets you or your users control what message recipients can do with messages they receive from your organization. For example, you can prevent users from forwarding, modifying, printing, or copying and pasting email messages. You can also use IRM to protect supported file attachments.
    • (imho optional) Configure ActiveSync mailbox policies in Exchange 2010.
      If you plan on supporting mobile devices in your Exchange Server organization, ActiveSync mailbox policies are essential. You can use them to ensure that mobile devices adhere to your company's security standards. For example, you can use ActiveSync mailbox policies to enforce password policies, enable or disable specific device hardware, and control whether or not attachments may be downloaded to mobile devices.
      One setting that deserves special attention is the Allow Non-Provisionable Devices setting. If you select this option, you allow mobile devices to synchronize with Exchange even if those devices do not support all your ActiveSync mailbox policy settings.
      It might seem like you should never allow non-provisionable devices, but it's worth noting that the only mobile devices Microsoft considers fully provisionable are those running Windows Mobile 6.x; even Windows Phone 7 devices are not considered fully provisionable.
    • Limiting access, least privilege, file system and ACLs, block legacy clients, patching, antivirus, backups, message hygiene, throttle connections, test for relay, only enable required services, use authentication only over SSL (source)
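    The white box side of several checklist items above (RPC encryption, the RPC over HTTP authentication method and SSL, OWA over HTTPS, the Allow Non-Provisionable Devices setting, and attachment size limits) can be audited read-only from the Exchange 2010 Management Shell. The following script is an added example, not part of the original notes; the function name and the wording of its findings are my own, and it assumes the Exchange 2010 cmdlets and property names listed in the comments.

```powershell
# Added example: read-only hardening audit for Exchange 2010, run in the
# Exchange Management Shell on a server with the CAS/HT roles. Function name
# Test-ExchangeHardening is hypothetical; cmdlets/properties are Exchange 2010's.
function Test-ExchangeHardening {
    $findings = @()

    # "Enable RPC encryption in Exchange 2010": every CAS should require it.
    foreach ($rca in Get-RpcClientAccess) {
        if (-not $rca.EncryptionRequired) {
            $findings += "RPC Client Access on $($rca.Server): EncryptionRequired is False"
        }
    }

    # RPC over HTTP (Outlook Anywhere): Basic auth sends credentials in plain
    # text inside the tunnel, and SSL offloading may leave a hop without TLS.
    foreach ($oa in Get-OutlookAnywhere) {
        if ($oa.ClientAuthenticationMethod -eq 'Basic') {
            $findings += "Outlook Anywhere on $($oa.Server): client auth is Basic (plain text)"
        }
        if ($oa.SSLOffloading) {
            $findings += "Outlook Anywhere on $($oa.Server): SSLOffloading enabled; confirm the offload device terminates TLS"
        }
    }

    # "Is SSL enabled on OWA?": the published URLs should use https://.
    foreach ($owa in Get-OwaVirtualDirectory) {
        foreach ($url in @($owa.InternalUrl, $owa.ExternalUrl)) {
            if ($url -and $url.Scheme -ne 'https') {
                $findings += "OWA $($owa.Identity): $url is not HTTPS"
            }
        }
    }

    # ActiveSync: non-provisionable devices sync without honouring the policy,
    # and a policy without a device password protects little when a device is lost.
    foreach ($pol in Get-ActiveSyncMailboxPolicy) {
        if ($pol.AllowNonProvisionableDevices) {
            $findings += "ActiveSync policy '$($pol.Name)': AllowNonProvisionableDevices is True"
        }
        if (-not $pol.DevicePasswordEnabled) {
            $findings += "ActiveSync policy '$($pol.Name)': device password not required"
        }
    }

    # "Check that attachment size is restricted": org-wide size limits left unlimited.
    $tc = Get-TransportConfig
    foreach ($p in 'MaxSendSize', 'MaxReceiveSize') {
        if ($tc.$p.IsUnlimited) { $findings += "TransportConfig: $p is unlimited" }
    }

    if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
}

Test-ExchangeHardening
```

    Each finding maps back to a checklist item, so the output doubles as the white box evidence for the report; connector- and receive-side settings (relay, TLS on receive connectors) are not covered here and still need their own checks.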
    Other Useful guidelines: