Symantec Data Center Security default Intrusion Prevention policy provides zero-day protection for customers running Exchange servers.
The Symantec Data Center Security (DCS) Intrusion Prevention default policy provides zero-day protection for Microsoft Exchange servers. There are also additional DCS controls available for a more comprehensive lockdown.
The DCS Intrusion Prevention System provides zero-day protection that includes operating system lockdown, application control and application isolation for physical and virtual server workloads. The underlying sandboxing technology and policy-driven behavior controls for operating systems and applications provide proactive protection against unknown threats without relying on continuous signature updates.
The default DCS Windows hardening policy, with its predefined sandboxes for the Microsoft Exchange and IIS applications, prevents several attack techniques used by threat actors during and after exploitation. This defense-in-depth strategy provides protection at multiple points in the attack sequence.
DCS Windows hardened policy controls:
- File protection prevents the deployment of web shells to the Exchange locations named in the threat reports, such as the installation path %ProgramFiles%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
- Software Install restriction prevents the download of powercat and other attacker tools
- Privileged Process Access Control prevents credential theft by blocking memory dumps of the lsass process via tools such as procdump or mimikatz
- The default hardened policy does not allow the IIS server sandbox to initiate connections to the internet, thereby preventing data exfiltration to C2 servers.
Prevent suspicious proxy execution through child processes that use living-off-the-land techniques. Enable Sandbox Execution controls to prevent suspicious child processes from being launched by the IIS and Exchange worker processes. Add *\cmd.exe, *\powershell.exe, *\powershell_ISE.exe, *\rundll32.exe and *\net.exe to the list of programs that IIS and Exchange should not launch. Additional dual-use tools can be taken from the predefined Global Policy list of processes that services should not start. If a specific tool must be allowed to run, exceptions based on command-line arguments and/or username can be added, depending on how IIS and Exchange are used in the deployment.
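The following is an added example, not DCS product code, that models the Sandbox Execution rule described above as detection logic over constructed process-creation records: children of the IIS worker process matching the article's wildcard list are flagged unless a command-line and/or username exception matches. The parent image name (w3wp.exe), the exception shape and the sample events are assumptions made for the example.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional

# Wildcards exactly as listed in the policy step above.
BLOCKED_CHILDREN = ["*\\cmd.exe", "*\\powershell.exe", "*\\powershell_ISE.exe",
                    "*\\rundll32.exe", "*\\net.exe"]
# Assumption: the IIS worker process image; Exchange-specific worker images
# would be added here to mirror the deployment's sandbox definitions.
SANDBOXED_PARENTS = ["*\\w3wp.exe"]

@dataclass
class Exemption:
    """Exception to the rule: all fields that are set must match (assumed shape)."""
    cmdline: Optional[str] = None   # glob over the child's full command line
    user: Optional[str] = None      # exact (case-insensitive) account name

def _match(pattern: str, value: str) -> bool:
    # Case-insensitive glob; backslash is literal in fnmatch, so '*\cmd.exe' works.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def evaluate(event: dict, exemptions=()) -> tuple:
    """Return (verdict, reason) for one process-creation record."""
    parent, child = event["parent_image"], event["image"]
    if not any(_match(p, parent) for p in SANDBOXED_PARENTS):
        return "out_of_scope", "parent is not a sandboxed worker process"
    if not any(_match(p, child) for p in BLOCKED_CHILDREN):
        return "allow", "child is not on the blocked list"
    for ex in exemptions:
        cmd_ok = ex.cmdline is None or _match(ex.cmdline, event["cmdline"])
        user_ok = ex.user is None or ex.user.lower() == event["user"].lower()
        if cmd_ok and user_ok:
            return "allow", f"exception matched: {ex}"
    return "block", f"{child} launched by {parent}"

def run(events, exemptions=()) -> list:
    return [evaluate(e, exemptions)[0] for e in events]

# Constructed sample records (not real telemetry).
W3WP = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"
EVENTS = [
    {"parent_image": W3WP, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c dir", "user": "NT AUTHORITY\\SYSTEM"},
    {"parent_image": W3WP, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\MailboxReport.ps1", "user": "CONTOSO\\svc_exchange"},
    {"parent_image": W3WP, "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Temp\\x.dll,Start", "user": "CONTOSO\\svc_exchange"},
    {"parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe", "user": "CONTOSO\\admin"},
]
# One exception: a specific script run by the Exchange service account stays allowed.
EXEMPTIONS = [Exemption(cmdline="*MailboxReport.ps1", user="CONTOSO\\svc_exchange")]
```

Without the exception every blocked-list child of w3wp.exe is reported as "block"; with it, only the exact script-and-account combination passes, and the rundll32.exe launch by the same account is still blocked because its command line does not match.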