
Module 3: Securing Exchange Server 2003

Overview

Preparing for and Protecting Against Computer Viruses
Securing Mailboxes
Implementing Digital Signature and Encryption Capabilities
Configuring Firewalls
Configuring Administrative Permissions
Allowing Only Required Services to Run on Exchange 2003
Discussion: Securing Exchange Server 2003
Video
Lesson: Preparing for and Protecting Against Computer Viruses

What Are Computer Viruses?
Guidelines for Preparing an Antivirus Strategy
Considerations When Choosing Antivirus Software
Guidelines for Creating Virus-Clean Policies and Procedures
Where to Locate and Download Security Updates
What Are Computer Viruses?

Virus: A program that attaches itself to files or programs, and that then replicates and spreads its infected files across computers and networks. A virus requires a host program to work
Worm: A program that can replicate itself. A worm does not require a host program
Trojan horse: A program that claims to be one thing but instead does damage when it is run. A Trojan horse cannot replicate itself
Guidelines for Preparing an Antivirus Strategy

Determine how to educate users about viruses
Determine where to install antivirus software:
  Client-side antivirus software
  Server-side antivirus software
  Firewall antivirus software
Ensure that the antivirus software is current

Considerations When Choosing Antivirus Software

Component: Antivirus software feature
Exchange server: Exchange 2003 support
Client computer: Distribution functionality, administrative tools
Server and firewall: E-mail scan, software updates
All components: Varied virus detection, multiple scan locations
Guidelines for Creating Virus-Clean Policies and Procedures

When creating virus-clean policies and procedures, you should consider:
When to isolate the affected systems
When to restore the system to its original state
How to validate system functionality and performance

Where to Locate and Download Security Updates

Bulletins:
Microsoft Security Notification Service
Microsoft Security Web site
Microsoft Windows Update

Utilities:
Microsoft Baseline Security Analyzer
Microsoft Software Update Services
Microsoft Systems Management Server
Lesson: Securing Mailboxes

Message Filtering to Reduce Unsolicited Commercial E-Mail
How Outlook 2003 and Exchange 2003 Evaluate Unsolicited Commercial E-Mail
How to Configure the Junk E-Mail Feature
Guidelines for Securing Mailboxes
What Is Recipient and Sender Filtering?
How to Create and Apply Recipient and Sender Filtering
Guidelines for Cleaning E-Mail of Viruses
Message Filtering to Reduce Unsolicited Commercial E-Mail

Message filtering: The process used to identify unsolicited commercial e-mail by examining e-mail headers and message bodies, and then matching those against established junk e-mail rules
Block lists: A list of domain names and IP addresses that are known to send unsolicited commercial e-mail and are maintained by third-party companies
Connection filtering: An Exchange 2003 junk e-mail protection feature that is used to check an incoming IP address against those that are listed on a block list
How Outlook 2003 and Exchange 2003 Evaluate Unsolicited Commercial E-Mail

Diagram: message flow through Exchange 2003 and Outlook 2003. On the Exchange 2003 gateway server/transport, the message is checked against allow and deny lists, block lists, and third-party plug-ins (Spam?). On the Exchange 2003 mailbox server/information store, it is checked against the user's trusted and junk senders (Spam?) and delivered to the Inbox or the Junk E-Mail folder. In Outlook 2003, the user's trusted and junk senders decide between the Inbox and the Junk E-Mail folder.
How to Configure the Junk E-Mail Feature

To configure the Junk E-mail feature:
1 On the Tools menu, click Options
2 On the Preferences tab, click Junk E-Mail
3 Configure the level of protection, and then configure Trusted Senders, Trusted Recipients, and Junk Senders

To enable connection filtering:
1 Configure the Connection Filtering tab on the global Message Delivery object
2 Apply the filter at the SMTP virtual server level by selecting Advanced on the General tab of the SMTP virtual server object

Practice
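Connection filtering compares the connecting IP address with a real-time block list, and block list providers publish those lists over DNS: the client's IPv4 octets are reversed, prefixed to the provider's DNS suffix, and an answer in 127.0.0.0/8 means "listed". The PowerShell below is an added example, not part of the course or of Exchange itself; the list suffix, the sample addresses and the stub resolver are constructed placeholders so the logic runs offline.

```powershell
# Added example (not course material): the lookup behind connection filtering.
function Get-BlockListQueryName {
    param([Parameter(Mandatory)][string]$IPAddress,
          [Parameter(Mandatory)][string]$ListSuffix)   # placeholder provider suffix
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    if ($ip.AddressFamily -ne 'InterNetwork') { throw "IPv4 only: $IPAddress" }
    # 10.0.0.5 becomes 5.0.0.10.<suffix>
    $reversed = ($ip.GetAddressBytes()[3..0] -join '.')
    return "$reversed.$ListSuffix"
}

function Test-BlockListed {
    param([Parameter(Mandatory)][string]$IPAddress,
          [Parameter(Mandatory)][string]$ListSuffix,
          # Resolver is injectable; the default performs a real DNS lookup.
          [scriptblock]$Resolver = { param($name)
              [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object IPAddressToString })
    $query = Get-BlockListQueryName -IPAddress $IPAddress -ListSuffix $ListSuffix
    # A lookup failure (NXDOMAIN) is the normal answer for an address that is not listed.
    try { $answers = @(& $Resolver $query) } catch { $answers = @() }
    $hits = $answers | Where-Object { $_ -like '127.*' }
    [pscustomobject]@{ IP = $IPAddress; Query = $query; Listed = [bool]$hits; Codes = @($hits) }
}

# Constructed, offline stand-in for a provider's DNS zone: only 10.0.0.5 is listed.
$FakeZone = @{ '5.0.0.10.bl.example.invalid' = @('127.0.0.2') }
$stub = { param($name) if ($FakeZone.ContainsKey($name)) { $FakeZone[$name] } else { throw 'NXDOMAIN' } }

foreach ($ip in '10.0.0.5', '10.0.0.6') {
    Test-BlockListed -IPAddress $ip -ListSuffix 'bl.example.invalid' -Resolver $stub
}
```

Drop the -Resolver argument to query a real provider; which return codes (127.0.0.x) count as a match is the provider's convention and is what the Connection Filtering tab lets you configure.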
Guidelines for Securing Mailboxes

Prevent users outside your Exchange organization from receiving out-of-office e-mail messages
Prevent users from receiving unsolicited e-mail
Prevent users from receiving e-mail from unidentified or predetermined domains
Prevent distribution lists from being used by unauthorized users
Limit access to e-mail content by digitally signing and encrypting e-mail messages
Prevent junk mail by searching incoming and outgoing e-mail for specific words, phrases, and senders
What Is Recipient and Sender Filtering?

Recipient filtering: A method for reducing unsolicited commercial e-mail by filtering inbound e-mail on the recipient of the e-mail
Sender filtering: A method for reducing unsolicited commercial e-mail by filtering inbound e-mail on the sender of the e-mail
How to Create and Apply Recipient and Sender Filtering

To create and apply recipient filtering:
1 In Exchange System Manager, configure the Recipient Filtering tab on the global Message Delivery object
2 Apply the filter at the SMTP virtual server level by selecting Advanced on the General tab of the SMTP Virtual Server object

To create and apply sender filtering:
1 In Exchange System Manager, configure the Sender Filtering tab on the global Message Delivery object
2 Apply the filter at the SMTP virtual server level by selecting Advanced on the General tab of the SMTP Virtual Server object

Practice
Guidelines for Cleaning E-Mail of Viruses

1 Shut down all of the Internet gateways
2 Install the latest fixes and security patches
3 Clean all of the infected Exchange components
4 Install the latest signature files and run a manual scan
5 Evaluate any quarantine folders and remove any of the files that are infected
6 To avoid re-infection, complete all the preceding steps before you turn on your Internet gateways
Lesson: Implementing Digital Signature and Encryption Capabilities

What Are Digital Signature and Encryption Capabilities?
What Is a PKI?
What Are the PKI Components That Enable Digital Signature and Encryption Capabilities?
How the Enrollment Process Enables Digital Signature and Encryption Capabilities
The Process of Creating and Deploying Digital Signature and Encryption Certificates
How to Configure Digital Signature and Encryption Capabilities
What Are Digital Signature and Encryption Capabilities?

Digital signature and encryption capabilities:
Protect e-mail from being opened by anyone other than the intended recipient
Protect e-mail from being altered by anyone other than the sender
What Is a PKI?

A PKI:
Is a policy for establishing a secure method for exchanging information
Is an integrated set of services and administrative tools for creating, deploying, and managing public key-based applications
Includes cryptographic methods and a system for managing the process that enables you to send digitally signed and encrypted e-mail messages
What Are the PKI Components That Enable Digital Signature and Encryption Capabilities?

Diagram: PKI components around Outlook 2003: Tools for Key and Certificate Management, Certification Authority, Certificate Publication Point, Certificate Revocation List, CRL Distribution Point, and Public Key-Enabled Applications and Services
How the Enrollment Process Enables Digital Signature and Encryption Capabilities

Diagram: a user, computer, service, or application holds a private/public key pair; the public key is submitted to the Certification Authority, which returns a certificate; an administrator manages the Certification Authority
The Process of Creating and Deploying Digital Signature and Encryption Certificates

The process of digitally signing and encrypting e-mail:
1 Create the certificate templates
2 Configure an enterprise CA to enable key recovery
3 Deploy the certificate by using auto-enrollment settings
4 Verify the Outlook configuration
How to Configure Digital Signature and Encryption Capabilities

To configure Outlook:
1 Open Outlook
2 On the Tools menu, click Options
3 In the Options dialog box, on the Security tab, in the Encrypted box, click Settings
4 In the Security Settings Preference dialog box, in the Security Settings Name box, type a logical name for the digital certificate
5 In the Certificates and Algorithms box, in the Signing Certificate box, select a signing certificate, and then click OK
6 On the Security tab, in the Encrypted box, select the preferred options, and then click OK

Practice
Lesson: Configuring Firewalls

Using a Firewall to Increase Security
IIS Ports Used by Exchange
Multimedia: Connecting MAPI Clients to Exchange Server Through a Firewall
Recommended Options for Connecting a MAPI Client to an Exchange Server When Separated by a Firewall
Using a Firewall to Increase Security

Diagram: an external Internet attacker on the Internet, separated from the private intranet by a firewall

Options for increasing security using firewalls:
Use perimeter networks
Use a smart host
Use a firewall to filter Internet traffic
Use a firewall to maintain Internet connectivity
IIS Ports Used by Exchange

Default protocol support by IIS: HTTP, SMTP, NNTP
Protocol support by IIS and Exchange 2000: HTTP, SMTP, NNTP, POP3, IMAP4

Multimedia: Connecting MAPI Clients to Exchange Server Through a Firewall

This presentation shows:
How MAPI mail clients use RPC to connect through a firewall to servers running Exchange
Recommended Options for Connecting a MAPI Client to an Exchange Server When Separated by a Firewall

Options:
Locate the RPC proxy server inside the firewall on your network
Locate the RPC proxy server in the perimeter network

Diagram: the firewall in front of the Exchange information store and the Exchange directory proxy
Lesson: Configuring Administrative Permissions

What Are Administrative Groups?
Where Is a New Computer Running Exchange Server Added?
How to Create an Administrative Group
How to Grant Exchange Administrative Permissions
How to Modify and Prevent Inherited Permissions
How to Configure Advanced Security Permissions by Using Adsiedit.exe
What Are Administrative Groups?

Administrative group: A collection of Exchange 2000 or Exchange 2003 objects that are grouped together for the purpose of managing and delegating permissions
Can contain servers, routing groups, policies, and public folder hierarchies
Administrative models include: centralized, distributed, and hybrid

Diagram: Administrative Group A and Administrative Group B, each containing administrative group objects: Server Objects, System Policy Objects, Routing Group Objects, and Public Folder Tree Objects
Where Is a New Computer Running Exchange Server Added?

A new computer running Exchange is added to an administrative group:
By default, Exchange creates the First Administrative Group container and the server is added to this administrative group
If only one administrative group exists, the server is automatically added to this administrative group
If multiple administrative groups exist, Setup prompts you to select the administrative group to which the server should be added
How to Create an Administrative Group

To display the Administrative Groups container:
1 Right-click the Administrative Groups container
2 In the Properties dialog box of the Organization object, click Display administrative groups

To create a new Administrative Group:
In Exchange System Manager, right-click the Administrative Groups container, point to New, and then click Administrative Group

Practice
How to Grant Exchange Administrative Permissions

Exchange Administration Delegation Wizard: Is a utility that enables you to select a group or user and grant them administrative permission to your Exchange organization

Scope of permissions is determined by whether you start the wizard from:
The Organization object
An Administrative Group object

Roles and associated permissions supported by the wizard:
Exchange Full Administrator
Exchange Administrator
Exchange View Only Administrator

Practice
How to Modify and Prevent Inherited Permissions

To modify permissions to prevent propagating to child objects:
1 On the Security tab of the child object, click Advanced
2 In the Advanced Security Settings dialog box, clear the Allow inheritable permissions from the parent to propagate to this object and all child objects check box

To prevent individual permissions from propagating to child objects:
1 On the Security tab, click Advanced
2 In the Advanced Security Settings dialog box, modify the access control settings
How to Configure Advanced Security Permissions by Using Adsiedit.exe

To configure advanced security settings:
1 Browse to the location: Configuration Container, CN=Configuration, CN=Services, CN=Microsoft Exchange
2 In the Properties dialog box of the object you want to modify, on the Security tab, click Advanced

Practice
Lesson: Allowing Only the Required Services to Run on Exchange 2003

Services Used by Exchange 2003
Why Allow Only Required Services to Run on Exchange 2003?
What Are the Required Services on an Exchange Front-End Server?
What Are the Required Services on an Exchange Back-End or Mailbox Server?
Services Used by Exchange 2003

Service: Service dependencies
Setup: NNTP, SMTP, World Wide Web Publishing Service, and IIS Admin Service
Administration: Exchange System Attendant, Exchange Management, and Windows Management Instrumentation
Routing: Exchange Routing Engine, IIS Admin Service, and SMTP
Legacy compatibility: Exchange Event Service, Exchange Site Replication Service, and Exchange MTA Stacks
Additional features: Microsoft Search and World Wide Web Publishing Service
Why Allow Only Required Services to Run on Exchange 2003?

Allow only required services to run on Exchange 2003 because:
The goal is to limit all possible vulnerabilities without affecting the core functionality of Exchange
By disabling a service, the port associated with that service is no longer available for port-related attacks
What Are the Required Services on an Exchange Front-End Server?

Service name: Why is it required?
Exchange Routing Engine: Provides Exchange routing functionality
IPSec Policy Agent: IPSec filter on the Outlook Web Access server
IIS Admin Service: Required by MSExchange routing engine
World Wide Web Publishing Service: Required for client communication with Outlook Web Access front-end servers
What Are the Required Services on an Exchange Back-End or Mailbox Server?

Service name: Why is it required?
Exchange Information Store: To access mailbox and public folder stores
Exchange Management: For message tracking
Windows Management Instrumentation: For Exchange management
Exchange MTA Stacks: For Exchange maintenance to run
Exchange System Attendant: For Exchange maintenance and other tasks
Exchange Routing Engine: To coordinate message transfer between Exchange servers
IPSec Policy Agent: To implement IPSec policy on server
IIS Admin Service: For MSExchange routing engine
NTLM Security Support Provider: For System Attendant
SMTP: For Exchange transport
World Wide Web Publishing Service: For communication with Outlook Web Access front-end servers
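The two required-service tables above double as an audit baseline. The PowerShell below is an added example, not part of the course: it lists running services that are absent from the list for the chosen role, and required services that are not running, and it only reports. It assumes wildcard matching on display names, because exact display names differ between Windows builds.

```powershell
# Added example (not course material): audit running services against the
# required-service lists from the front-end and back-end tables. Report only.
# Assumption: patterns are matched with -like because display names vary by
# build (SMTP appears as "Simple Mail Transfer Protocol (SMTP)", for example).
$RequiredByRole = @{
    FrontEnd = @('*Exchange Routing Engine*', '*IPSec*', '*IIS Admin*',
                 '*World Wide Web Publishing*')
    BackEnd  = @('*Exchange Information Store*', '*Exchange Management*',
                 '*Windows Management Instrumentation*', '*Exchange MTA Stacks*',
                 '*Exchange System Attendant*', '*Exchange Routing Engine*',
                 '*IPSec*', '*IIS Admin*', '*NTLM Security Support Provider*',
                 '*SMTP*', '*World Wide Web Publishing*')
}

function Get-ExchangeServiceAudit {
    param(
        [ValidateSet('FrontEnd', 'BackEnd')][string]$Role = 'FrontEnd',
        # Pass a saved list (for example from Import-Clixml) to review a server offline.
        [object[]]$Services = (Get-Service)
    )
    $patterns = $RequiredByRole[$Role]
    $running  = @($Services | Where-Object { $_.Status -eq 'Running' })

    # Running but absent from the lesson's list. Core Windows services (RPC,
    # Event Log, ...) land here as well, so treat this as a review list.
    $extra = $running | Where-Object {
        $name = $_.DisplayName
        @($patterns | Where-Object { $name -like $_ }).Count -eq 0
    } | Select-Object -ExpandProperty DisplayName

    # Required by the lesson but not running: Exchange itself is degraded.
    $missing = $patterns | Where-Object {
        $p = $_
        @($running | Where-Object { $_.DisplayName -like $p }).Count -eq 0
    }

    [pscustomobject]@{ Role = $Role; Extra = @($extra); Missing = @($missing) }
}

$report = Get-ExchangeServiceAudit -Role FrontEnd
"Running services not on the $($report.Role) required list (review before disabling):"
$report.Extra
"Required services that are not running:"
$report.Missing
```

Review each entry in Extra against the service dependency table before disabling it, since a service that is not listed for the role may still be a dependency of one that is.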
Discussion: Securing Exchange Server 2003

1 Read the scenarios
2 Determine possible solutions
3 Discuss your solutions with the class
