ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Installing VPN access on Windows Server 2016

    Scheduled Pinned Locked Moved Starwind
    virtual private networkvpnwindows server 2016ws2016protocolsnetworkremote connection
    70 Posts 7 Posters 16.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller @Carnival Boy
      last edited by

      @Carnival-Boy said in Installing VPN access on Windows Server 2016:

      Exchange is (now) designed to be exposed. So it's hardened and is secure. Or if it isn't, I'd like someone to explain why it isn't and how I should protect it.

      Is that true? MS has made a point of making a lot of layers of Exchange and good design is normally assumed to have a SPAM filter in front of it so that Exchange itself is never really exposed. Exchange being "designed" to be exposed would imply a flaw in thinking from MS, but I don't think that they've made that mistake. Exchange is still designed or intended to be used in a good email architecture.

      DashrenderD 1 Reply Last reply Reply Quote 0
      • DustinB3403D
        DustinB3403 @Carnival Boy
        last edited by

        @Carnival-Boy said in Installing VPN access on Windows Server 2016:

        Exchange is (now) designed to be exposed. So it's hardened and is secure. Or if it isn't, I'd like someone to explain why it isn't and how I should protect it.

        So to return to the OP, Windows VPN is designed to be exposed, right? It's designed to be secure, right? So why not use it? What are it's flaws? Unlike years ago, Microsoft develop products with security at the fore.

        There are products that don't require you to pay a small fortune to be able to VPN in. Maybe that's why people don't use Windows VPN.

        That and it's still a Windows Server (so even if it is hardened) it's still vulnerable to everything bad out there.

        1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @Carnival Boy
          last edited by

          @Carnival-Boy said in Installing VPN access on Windows Server 2016:

          So to return to the OP, Windows VPN is designed to be exposed, right?

          I'm not sure that I like these terms "designed to be". I understand where you are coming from, but let's ask about something totally different...

          Is a Node.js server "designed to be" exposed without a proxy in front of it?

          Or, is Windows Software RAID "designed to be" used for your storage?

          1 Reply Last reply Reply Quote 0
          • DashrenderD
            Dashrender @scottalanmiller
            last edited by

            @scottalanmiller said in Installing VPN access on Windows Server 2016:

            @Carnival-Boy said in Installing VPN access on Windows Server 2016:

            Exchange is (now) designed to be exposed. So it's hardened and is secure. Or if it isn't, I'd like someone to explain why it isn't and how I should protect it.

            Is that true? MS has made a point of making a lot of layers of Exchange and good design is normally assumed to have a SPAM filter in front of it so that Exchange itself is never really exposed. Exchange being "designed" to be exposed would imply a flaw in thinking from MS, but I don't think that they've made that mistake. Exchange is still designed or intended to be used in a good email architecture.

            And what is good Email architecture?

            scottalanmillerS 1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @Dashrender
              last edited by

              @Dashrender said in Installing VPN access on Windows Server 2016:

              @scottalanmiller said in Installing VPN access on Windows Server 2016:

              @Carnival-Boy said in Installing VPN access on Windows Server 2016:

              Exchange is (now) designed to be exposed. So it's hardened and is secure. Or if it isn't, I'd like someone to explain why it isn't and how I should protect it.

              Is that true? MS has made a point of making a lot of layers of Exchange and good design is normally assumed to have a SPAM filter in front of it so that Exchange itself is never really exposed. Exchange being "designed" to be exposed would imply a flaw in thinking from MS, but I don't think that they've made that mistake. Exchange is still designed or intended to be used in a good email architecture.

              And what is good Email architecture?

              Having a spam filter in front, and often a smart host for outgoing, and an edge device to handle the MTA tasks in front of the mailbox unit. All stuff that MS preaches.

              DashrenderD 2 Replies Last reply Reply Quote 0
              • DashrenderD
                Dashrender @scottalanmiller
                last edited by

                @scottalanmiller said in Installing VPN access on Windows Server 2016:

                @Dashrender said in Installing VPN access on Windows Server 2016:

                @scottalanmiller said in Installing VPN access on Windows Server 2016:

                @Carnival-Boy said in Installing VPN access on Windows Server 2016:

                Exchange is (now) designed to be exposed. So it's hardened and is secure. Or if it isn't, I'd like someone to explain why it isn't and how I should protect it.

                Is that true? MS has made a point of making a lot of layers of Exchange and good design is normally assumed to have a SPAM filter in front of it so that Exchange itself is never really exposed. Exchange being "designed" to be exposed would imply a flaw in thinking from MS, but I don't think that they've made that mistake. Exchange is still designed or intended to be used in a good email architecture.

                And what is good Email architecture?

                Having a spam filter in front, and often a smart host for outgoing, and an edge device to handle the MTA tasks in front of the mailbox unit. All stuff that MS preaches.

                I'm curious, does MS have non Exchange hosts acting as a spam filter for O365?

                scottalanmillerS 1 Reply Last reply Reply Quote 0
                • DashrenderD
                  Dashrender @scottalanmiller
                  last edited by

                  @scottalanmiller said in Installing VPN access on Windows Server 2016:

                  @Dashrender said in Installing VPN access on Windows Server 2016:

                  @scottalanmiller said in Installing VPN access on Windows Server 2016:

                  @Carnival-Boy said in Installing VPN access on Windows Server 2016:

                  Exchange is (now) designed to be exposed. So it's hardened and is secure. Or if it isn't, I'd like someone to explain why it isn't and how I should protect it.

                  Is that true? MS has made a point of making a lot of layers of Exchange and good design is normally assumed to have a SPAM filter in front of it so that Exchange itself is never really exposed. Exchange being "designed" to be exposed would imply a flaw in thinking from MS, but I don't think that they've made that mistake. Exchange is still designed or intended to be used in a good email architecture.

                  And what is good Email architecture?

                  Having a spam filter in front, and often a smart host for outgoing, and an edge device to handle the MTA tasks in front of the mailbox unit. All stuff that MS preaches.

                  Personally I do use a Spam filter in front of my Exchange Server for email, but skipped the smart host for outgoing.
                  I also have a reverse proxy in front of Exchange for ActiveSync and OWA.

                  scottalanmillerS 2 Replies Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @Dashrender
                    last edited by

                    @Dashrender said in Installing VPN access on Windows Server 2016:

                    @scottalanmiller said in Installing VPN access on Windows Server 2016:

                    @Dashrender said in Installing VPN access on Windows Server 2016:

                    @scottalanmiller said in Installing VPN access on Windows Server 2016:

                    @Carnival-Boy said in Installing VPN access on Windows Server 2016:

                    Exchange is (now) designed to be exposed. So it's hardened and is secure. Or if it isn't, I'd like someone to explain why it isn't and how I should protect it.

                    Is that true? MS has made a point of making a lot of layers of Exchange and good design is normally assumed to have a SPAM filter in front of it so that Exchange itself is never really exposed. Exchange being "designed" to be exposed would imply a flaw in thinking from MS, but I don't think that they've made that mistake. Exchange is still designed or intended to be used in a good email architecture.

                    And what is good Email architecture?

                    Having a spam filter in front, and often a smart host for outgoing, and an edge device to handle the MTA tasks in front of the mailbox unit. All stuff that MS preaches.

                    I'm curious, does MS have non Exchange hosts acting as a spam filter for O365?

                    I would assume so. Exchange isn't very practical for that.

                    1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @Dashrender
                      last edited by

                      @Dashrender said in Installing VPN access on Windows Server 2016:

                      @scottalanmiller said in Installing VPN access on Windows Server 2016:

                      @Dashrender said in Installing VPN access on Windows Server 2016:

                      @scottalanmiller said in Installing VPN access on Windows Server 2016:

                      @Carnival-Boy said in Installing VPN access on Windows Server 2016:

                      Exchange is (now) designed to be exposed. So it's hardened and is secure. Or if it isn't, I'd like someone to explain why it isn't and how I should protect it.

                      Is that true? MS has made a point of making a lot of layers of Exchange and good design is normally assumed to have a SPAM filter in front of it so that Exchange itself is never really exposed. Exchange being "designed" to be exposed would imply a flaw in thinking from MS, but I don't think that they've made that mistake. Exchange is still designed or intended to be used in a good email architecture.

                      And what is good Email architecture?

                      Having a spam filter in front, and often a smart host for outgoing, and an edge device to handle the MTA tasks in front of the mailbox unit. All stuff that MS preaches.

                      Personally I do use a Spam filter in front of my Exchange Server for email, but skipped the smart host for outgoing.
                      I also have a reverse proxy in front of Exchange for ActiveSync and OWA.

                      Smart Host isn't nearly as important.

                      1 Reply Last reply Reply Quote 1
                      • C
                        Carnival Boy
                        last edited by

                        A spam filter is to protect email clients, not Exchange. All email is benign as far as Exchange is concerned.

                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @Carnival Boy
                          last edited by

                          @Carnival-Boy said in Installing VPN access on Windows Server 2016:

                          A spam filter is to protect email clients, not Exchange. All email is benign as far as Exchange is concerned.

                          The spam portion of it is to protect the mail. But the spam filter is also the SMTP proxy that protects the Exchange server. It's not the email traffic that it is protecting it from, it's SMTP attacks.

                          1 Reply Last reply Reply Quote 1
                          • scottalanmillerS
                            scottalanmiller
                            last edited by

                            Things like direct buffer overflow attacks against Exchange can't be done when you have a proxy in front of it.

                            1 Reply Last reply Reply Quote 1
                            • C
                              Carnival Boy
                              last edited by

                              How does that work?

                              scottalanmillerS 1 Reply Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller @Carnival Boy
                                last edited by

                                @Carnival-Boy said in Installing VPN access on Windows Server 2016:

                                How does that work?

                                Two ways, one as a full on proxy which is basically an application layer firewall. By having an SMTP Proxy that isn't the same as your main SMTP server, you have a totally different attack surface to worry about. Just use Postfix or Sendmail as examples. An attack against them is totally different than an attack against Exchange. That doesn't suggest that they are better or worse, only different.

                                So attacking the proxy to get to Exchange means you have two layers to get through instead of one. But that's just the beginning. Since your proxy sits out in front, chances are that it failing will not grant any attack mechanism to use against the Exchange server behind it. Due to it being a different machine, it is almost certainly going to "fail closed" even if it fails (and things like Postfix are pretty bullet proof.)

                                Any attack that gets to Exchange has to survive the proxy and since the proxy relays sanitized emails and does not pass through the SMTP protocol attacks, it effectively filters nearly any type of attack.

                                Think of it like a Jump box for SSH, but for SMTP.

                                1 Reply Last reply Reply Quote 1
                                • C
                                  Carnival Boy
                                  last edited by

                                  How does an SMTP protocol attack work?

                                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller @Carnival Boy
                                    last edited by scottalanmiller

                                    @Carnival-Boy said in Installing VPN access on Windows Server 2016:

                                    How does an SMTP protocol attack work?

                                    Same as any other protocol based attack, you use the protocol to attack the server. Are you familiar with buffer overflows? That entire attack category is done over the protocol in use (SMTP, HTTP, SIP, whatever.)

                                    All external hacking is done this way.

                                    1 Reply Last reply Reply Quote 1
                                    • scottalanmillerS
                                      scottalanmiller
                                      last edited by

                                      Here is an old one that Exchange used to have, just as an example...

                                      https://tools.cisco.com/security/center/viewAlert.x?alertId=8254

                                      1 Reply Last reply Reply Quote 1
                                      • scottalanmillerS
                                        scottalanmiller
                                        last edited by

                                        Here is one for some crappy third party SMTP server, again, just examples of historical, well known SMTP attack vectors that have been found, and closed.

                                        https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24780

                                        1 Reply Last reply Reply Quote 1
                                        • C
                                          Carnival Boy
                                          last edited by

                                          I need an example that's not from 2004!

                                          scottalanmillerS 2 Replies Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller @Carnival Boy
                                            last edited by

                                            @Carnival-Boy said in Installing VPN access on Windows Server 2016:

                                            I need an example that's not from 2004!

                                            Why? If you know what the vector is, you know that the age of the example can't matter.

                                            1 Reply Last reply Reply Quote 1
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 1 / 4
                                            • First post
                                              Last post