If, even after the recent SoBig and Blaster attacks, your users insist on running Outlook or Outlook Express, Carla Schroder feels your pain. For the sake of your sanity, here's a list of tips and tricks you can implement to counter the mail client's 'Swiss cheese' approach to security.
I know, bringing this up now is like locking the barn after the horse has already been stolen. Still, as crazy as it sounds, once the smoking rubble of SoBig has been cleared away there may still be a few people who want to continue using Outlook or Outlook Express. For the overworked harassed system administrator that has to deal with the onerous mail client, here are some steps that can be taken to mitigate Oulook's indiscriminate friendliness with every bit of malware that wanders down the pike.
Securing MS Exchange
First of all, in my not-so-humble opinion, the only reason to use Outlook is for its groupware features, and only then when it's used on an Exchange intranet that is well walled-off from the outside world. Exposing Exchange directly to the Internet is a very bad idea.
An increasingly popular method of keeping Exchange away from the world at large is to build a gateway with Postfix. Postfix filters the bad stuff out and passes wanted mail to Exchange, which then distributes it to users. As a result, Exchange hides behind Postfix, protected and secure.
The best tutorial I've come across for Postfix is an excellent four-part tutorial on Security Focus, "Filtering E-Mail with Postfix and Procmail." The author, Brian Hatch, has done a marvelous job describing in depth Postfix's built-in filtering features, and also teaching procmail — procmail is mighty powerful, but learning to write procmail rules can drive even the best of sysadmins to drink. Finally, Hatch also teaches how to integrate SpamAssassin or Vipul's Razor into the works.
For anyone looking for an MS Exchange replacement, I recommend SuSE's OpenExchange. It's a great choice for those in need of strong groupware features, good performance, and immunity to the vast majority of email viruses. I personally think it is the best of all groupware/email servers. (See Resources for additional information on OpenExchange.)
It's best to nail viruses before they get anywhere near Exchange or Outlook. There are a number of solid anti-virus apps than run with Postfix. RAV Antivirus is my personal favorite, but its future is uncertain with Microsoft recently purchasing the virus scanner's parent company — the rumor is that Microsoft will simply kill RAV Antivirus off. I don't know for sure what will happen, but I do entertain dark thoughts.
Not to worry, though, as Kaspersky, Vexira MailArmor, and Amavis are all good. In fact, there is no shortage of viable anti-virus programs for Postfix, or for that matter, any Linux mail transfer agent (MTA).
Next, make sure to add an iptables firewall to the mix in order to trap outgoing malicious packets in case your defenses are ever compromised. The least you can do is not be a source of contagion. Again, I refer to the excellent Brian Hatch article, "Egress Filtering for a Healthier Internet" (see resources).
Page 2: Securing Outlook Itself
Securing Outlook Itself
Now let's dive into the wonderful world of patches and configuration tweaks for Outlook/Outlook Express. In a nutshell, turn off everything everywhere: scripting, preview pane, HTML, etc. — off, off, everything off.
There are something like eight different versions of Outlook. Whatever version you have, find the Security tab under Tools => Options. By the way, everything you do in this menu will affect Outlook, Internet Explorer, and Outlook Express.
Let's take a look at all the things to turn off in the Internet Zone. Accept no defaults; this is a custom job all the way. Select "Custom Level" and turn off all these options:
- ActiveX: Never ever ever allow ActiveX to run. It is designed expressly to allow remote execution of code over the Internet. Why anyone thought this would be a good idea is a complete mystery. Ignore the nonsense about "ActiveX controls marked safe for scripting." Like, since it's signed — by the author no less — it will be any less questionable. Just say NO — disable all the checkboxes for ActiveX.
- Disable font and file downloads — unless you actually anticipate needing a Chinese font, or some such spam trick.
- Java: I have mixed feelings about Java. Sun claims Java applets are safe and have never been exploited. Me, I disable it just to be on the safe side.
- Disable "Access data sources across domains" and "Drag and drop or copy and paste files." Neither one serves any useful purpose (except to spammers and viruses).
- "Installation of desktop items" – NO! Turn it off.
- "Launching programs and files in an iframe" – No, no, a hundred times NO. Oh, iframes are wonderful — to a virus author who wishes to execute code on your system via Internet Explorer. (Outlook and Outlook Express use IE to render HTML-formatted mail).
- Keep going on down the form, checking "Disable" for everything until you reach "Software channel permissions." Set "Software channel permissions" to "High safety." I have no idea if anyone is still trying to turn the Internet into TV — like we are baby birds waiting to be force-fed regurgitated matter — but in any case, take no chances. (This is assuming "High safety" actually helps, which I would not bank on, being an untrusting sort of human.)
Choosing a Zone
- Attachment Security button: Yes, it's an oxymoron. This button is present only on older versions of Outlook. Your choices are "High" or "None." Obviously, choose High.
- No Preview Pane. It's a shame, but many exploits don't even need the user to click on them — just using the Preview Pane activates them. Kill it off via the View => Layout => Preview Pane menu.
- No HTML mail. As you have been faithfully following my CrossNodes columns, you've doubtless already read my rants against HTML mail. In a nutshell, the HTML mail option allows malicious code to be executed on your computer, so again, just say no.
On newer versions of IE and Outlook, you have the option to select which zone becomes the default Internet zone. Choose "restricted zone," and go through its options just like we did above. No, no, no, no, no, etc.
Notice the different zones, "Trusted Sites" and "Local Intranet," each of which can be configured differently. As viruses are spread by the millions from trusted sources, I'd say it's best to continue to say no to everything.
You could install the Outlook E-mail Security Update, which is supposed to quarantine certain executable attachments from running on your system. The update also will alert users when an outside program attempts to monkey with their address books. I've had mixed success with it, though; the major downside is that it's not something you can easily uninstall if you don't like it. I quote: "...this update integrates with your Outlook product and cannot be uninstalled without completely uninstalling Office."
Page 3: Securing Windows
This article was originally published on Monday Sep 8th 2003
The fun is not over. Keeping Windows patched and updated is important, yet not foolproof. I cannot count the number of times installing a patch or upgrade created new problems. Regardless, keeping up-to-date is important. See Windows Update for Windows patches and updates. (Amusingly, you'll find the site proclaims that "Windows Update can only be accessed by Internet browsers that support ActiveX Controls.")
Windows installs with file extensions hidden by default. Turn this back on, duh; if you can't see the file extension, how can you tell what it is? This particular command gets moved around on different versions of Windows. Try My Computer => Tools => Folder Options => View. Un-check "Hide file extensions for known file types." Set it to "Show hidden files and folders" and "Display the full path on the title bar/address bar."
Eyes and Ears Open
Finally, make sure your abuse@ and postmaster@ addresses are working, and even better, being read by real live humans. If something malicious is being spewed forth from your systems, the unhappy recipients need to be able to tell you.
Well I don't know about you, but I feel pretty tired after all that. This column was brought to you by Libranet Debian Linux 2.7, Abiword, and Kmail.
Giptables – An excellent front-end for building iptables rules
Filtering E-Mail with Postfix and Procmail, Part One
Filtering E-Mail with Postfix and Procmail, Part Two
Filtering E-Mail with Postfix and Procmail, Part Three
Filtering E-Mail with Postfix and Procmail, Part Four
Microsoft Bulletin on iframes
SuSE OpenExchange: More Than a Mere Mail Server
Egress Filtering for a Healthier Internet
See All Articles by Columnist Carla Schroder