This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

File hosts

Hi all, I made a modification to the hosts file of the atm to mitigate the Microsoft Exchange autodiscovery problem as reported in this article.

https://www.guardicore.com/labs/autodiscovering-the-great-leak

Question: Will the changes be retained when the UTM is restarted?

Thanks!



This thread was automatically locked due to age.
Parents
  • The setting is likely not retained. You should NEVER change local files on the UTM ... unless you are requested by support.

    You can also make all necessary changes in the GUI / DNS


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

Reply
  • The setting is likely not retained. You should NEVER change local files on the UTM ... unless you are requested by support.

    You can also make all necessary changes in the GUI / DNS


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

Children
  • Interesting.  That's a long article!  Dirk, what would you do in DNS?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,
    the article describes the problem (like so many in the last few weeks) and the possibilities of "mitigating" it.

    Mitigation:
    Mitigating the issue of Autodiscover leaks is important as we have previously demonstrated. In order to mitigate this issue, two separate approaches are required:
    ...
    For the general public: Make sure that you are actively blocking Autodiscover. domains (such as Autodiscover.com/Autodiscover.com.cn, etc) in your firewall.

    ... and of course the product-specific solution ..
    "Guardicore Centra's DNS Security allows creating block rules for Autodiscover domain names"

    One possibility is to block access to "autodiscover.xyz" in the LAN.
    Some approaches refer to a hosts file to do this.
    I think the TO asks for adjustments to the host file on the UTM/firewall - which is probably not a good idea ...
    With "BlackHole DNS entries" on the firewall, I think that can be solved better.

    Of course, this only helps to a limited extent, as the Exchange login data of the clients (notebooks, cell phones) are unprotected again when they leave the LAN.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Thanks, Dirk.  So a solution would be Request Routes like 'Autodiscover.com.br -> Blackhole'.  One could also restrict access to Exchange to internal and VPN users.  Instead of VPN, would using WAF for Exchange access and requiring HTTPS in the Virtual Server mitigate the problem?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, WAF won't help.

    The problem is not your / my own Exchange-Server, but the client which uses autodiscover.
    The Client (outlook for example = OL) try to find his server.
    For user hans@mydomain.de the client try autodiscover.mydomain.de
    If it doesn't reach this server, OL try other a lot of other names ... "autodiscover.de" for example.
    If the bad boy owns "autodiscover.de" and place a server behind this name, my OL send him my logon credentials ...


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.