Embed Size (px)
DESCRIPTION
Citation preview
Module 10
Securing Microsoft® Exchange Server 2010
Module Overview
• Configuring Role-Based Access Control
• Configuring Audit Logging
• Configuring Secure Internet Access
Lesson 1: Configuring Role-Based Access Control
• What Is Role-Based Access Control?
• What Are Management Role Groups?
• Built-In Management Role Groups
• Demonstration: Managing Permissions Using the Built-In Role Groups
• Process for Configuring Custom Role Groups
• Demonstration: Configuring Custom Role Groups
• What Are Management Role Assignment Policies?
• What Are Exchange Server Split Permissions?
• Configuring RBAC Split Permissions
• Configuring Active Directory Split Permissions
What Is Role-Based Access Control?
RBAC defines all Exchange Server 2010 permissions, and is applied by all Exchange Server management toolsRBAC defines all Exchange Server 2010 permissions, and is applied by all Exchange Server management tools
RBAC defines which cmdlets the user can run :
RBAC options include:
• Management role groups• Management role assignment policies• Direct policy assignment (avoid using)
• Who: Can modify objects• What: Objects and attributes that can be modified• Where: Scope or context of objects that can be
modified
What Are Management Role Groups?
Role Holder
RoleGroup
RoleAssignment
RoleAssignment
ManagementRole
ManagementRole
ConfigurationRead/Write Scope
RecipientRead/Write Scope
RoleEntries
RoleEntries
Role Holder Role Group RoleAssignment
Management Role
Role Entries
Mailboxes or universal security groups or users or distribution groups or role groups
Higher-level job function
Binding layer Task-based permissions
Individual permissions
“Maria” “Help Desk”
“UserOptions”
“View-onlyRecipients”
“Get-Mailbox”
“Ian”
“Pat”
WHATWHERE
WHO
Built-In Management Role Groups
Management role groups include:
• Organization Management• View-Only Organization Management• Recipient Management• Unified Messaging Management• Discovery Management• Records Management• Server Management• Help Desk• Public Folder Management• Delegated Setup
Demonstration: Managing Permissions Using the Built-In Role Groups
In this demonstration, you will see how to
• Add role holders to a role group
• Verify the permissions assigned to the built-in role groups
Process for Configuring Custom Role Groups
Identify the role groups and the role group members11
Identify the management scope33
Create the role group using the ECP or the New-RoleGroup cmdlet 44
Identify the management roles to assign the group22
Demonstration: Configuring Custom Role Groups
In this demonstration, you will see how to create a custom role group
What Are Management Role Assignment Policies?
Component Explanation
Mailbox Each mailbox is assigned one role assignment policy
Management role assignment policy
Object for associating management roles with mailboxes
Management role Container for grouping other RBAC components
Management role assignment
Associates management roles with management role assignment policies
Management role entry Defines what Exchange cmdlets the user can run on their mailboxes or groups
Management role assignment policies assign permissions to users to manage their mailboxes or distribution groupsManagement role assignment policies assign permissions to users to manage their mailboxes or distribution groups
Working with Management Role Assignment Policies
In most organizations, the default management role assignment policy will meet all requirementsIn most organizations, the default management role assignment policy will meet all requirements
You can modify the default configuration by:
• Modifying the default management role assignment policy to add or remove management roles
• Defining a new default management role assignment policy
• Creating a new management role assignments and explicitly assigning them to mailboxes
What Are Exchange Server Split Permissions?
Split permissions separates creation of security principals in AD DS—such as users and security groups—from the subsequent configuration of those objects through Exchange Server 2010 tools
Split permissions separates creation of security principals in AD DS—such as users and security groups—from the subsequent configuration of those objects through Exchange Server 2010 tools
With Exchange Server split permissions:
• You remove the ability for Exchange administrators to create security principals using Exchange administration tools
• You can choose between two models:• RBAC split permissions• Active Directory split permissions
Available with Exchange Server 2010 SP1 or newerAvailable with Exchange Server 2010 SP1 or newer
Configuring RBAC Split Permissions
You must configure RBAC split permissions manually, as follows:
Verify that Active Directory split permissions have not been enabled11
Create regular and delegating role assignments for the new role group for appropriate roles33
Remove regular and delegating management role assignments between the Mail Recipient Creation role, and both the Organization Management and Recipient Management role groups
44
• Create a new role group for AD DS administrators22
Remove the regular and delegating role assignments between the Security Group Creation and Membership role, and the Organization Management role group
55
Configuring Active Directory Split Permissions
Active Directory split permissions is configured automatically during Setup or when you specify the command:setup.com /PrepareAD /ActiveDirectorySplitPermissions:true
Active Directory split permissions is configured automatically during Setup or when you specify the command:setup.com /PrepareAD /ActiveDirectorySplitPermissions:true
Active Directory split permissions results:
• Cannot create security principals with Exchange Server management tools
• Cannot manage distribution group members with Exchange Server management tools
• Exchange Trusted Subsystem and Exchange servers cannot create security principals
• Exchange servers and Exchange management tools can only modify Exchange attributes of existing Active Directory security principals
Lesson 2: Configuring Audit Logging
• What Is Administrator Audit Logging?
• What Is Mailbox Audit Logging?
• Demonstration: Configuring Audit Logging
What Is Administrator Audit Logging?
Administrator audit logging enables you to track changes made to the Exchange environment by administratorsAdministrator audit logging enables you to track changes made to the Exchange environment by administrators
Administrator audit logging:
• Is enabled by default in Exchange Server 2010 SP1• Can be configured with Set-AdminAuditLogConfig• Logs all cmdlets and parameters by default except for
Test-, Get-, and Search- cmdlets• Supports searches using the Exchange Management
Shell and the Exchange Control Panel
Perform detailed log searches with the Search-AdminAuditLog and New-AdminAuditLogSearch cmdletsPerform detailed log searches with the Search-AdminAuditLog and New-AdminAuditLogSearch cmdlets
What Is Mailbox Audit Logging?
Mailbox audit logging:
• Must be enabled on a per-mailbox basis using the Set-Mailbox cmdlet
• Does not automatically log owner access unless specified to do so
• Supports non-owner access reports through the Exchange Control Panel
Perform detailed log searches with the Search-MailboxAuditLog and New-MailboxAuditLogSearch cmdletsPerform detailed log searches with the Search-MailboxAuditLog and New-MailboxAuditLogSearch cmdlets
Mailbox Audit logging is used to track mailbox access by mailbox owners, delegates and administratorsMailbox Audit logging is used to track mailbox access by mailbox owners, delegates and administrators
Demonstration: Configuring Audit Logging
In this demonstration, you will see how to enable audit logging and to search audit logs
Lesson 3: Configuring Secure Internet Access
• Exchange Server Security Guidelines
• Secure Internet Access Components
• Deploying Exchange Server 2010 for Internet Access
• Securing Client Access Traffic from the Internet
• Securing SMTP Connections from the Internet
• Benefits of Using Reverse Proxy
• Demonstration: Configuring Threat Management Gateway for Outlook Web App
Exchange Server Security Guidelines
Implement the following best practices security measures:
• Install all security updates and software updates• Run Exchange Best Practices Analyzer regularly• Avoid running additional software on Exchange
servers• Install and maintain anti-virus software• Enforce complex password policies
Secure Internet Access Components
Providing Internet access for Exchange Server may include:
• Enabling messaging clients to connect to the ClientAccess server
• Enabling IMAP4/POP3 clients to send SMTP email
Enabling secure access to the Exchange servers may require:
• VPN• Firewall configuration• Reverse proxy configuration
Deploying Exchange Server 2010 for Internet Access
Protocol Unsecure Port
TLS/SSL Port
HTTP 80 443
POP3 110 995
IMAP4 143 993
SMTP 25 25
SMTP client submission
587 587
ClientFirewall
Firewall or Reverse
Proxy
Hub TransportServer
DomainControllerMailbox Server
Edge TransportServer
Client AccessServer
Securing Client Access Traffic from the Internet
To provide secure client access from the Internet:
• Create and configure a server certificate• Require SSL for all virtual directories• Enable only required client access methods• Require secure authentication• Enforce remote client security • Require TLS/SSL for IMAP4 and POP3 access• Implement an application layer firewall or
reverse proxy
Securing SMTP Connections from the Internet
To secure the SMTP connections:
• Enable TLS/SSL for SMTP client connections• Use the Client Receive Connector (Port 587)• Ensure that anonymous relay is disabled• Enable IMAP4 and POP3 selectively
Secure SMTP connections from the Internet may be required for IMAP4 or POP3 clientsSecure SMTP connections from the Internet may be required for IMAP4 or POP3 clients
Benefits of Using Reverse Proxy
A reverse proxy provides:
• Security: Internet client connections are terminated on the reverse proxy
• Application layer filtering: Inspect the contents of network traffic
• SSL bridging: All connections to the reverse proxy and to the Client Access server are encrypted
• Load balancing: Arrays of reverse proxy servers can distribute network traffic for a single URL
• SSL offloading: SSL requests can be terminated on the reverse proxy
Demonstration: Configuring Threat Management Gateway for Outlook Web App
In this demonstration, you will see how to configure an Outlook Web App publishing role
Lab: Securing Exchange Server 2010
• Exercise 1: Configuring Exchange Server Permissions
• Exercise 2: Configuring Audit Logging
• Exercise 2: Configuring a Reverse Proxy for Exchange Server Access
Logon information
Estimated time: 60 minutes
Lab Scenario
A. Datum Corporation has deployed Exchange Server 2010. The company security officer has provided you with a set of requirements to ensure that the Exchange Server deployment is as secure as possible. The specific concerns included in the requirements include:
• Exchange Server administrators should have minimal permissions, which means that whenever possible, you should delegate Exchange Server management permissions.
• Ensure that client connections to the Client Access servers are as secure as possible by deploying a TMG server.
Lab Review
• In the lab, you configured Exchange Server permissions by using a custom role group. How did you limit the types of tasks the delegated administrators could perform and on what objects they could perform the tasks?
• How would the TMG configuration in the lab change if you were enabling access for an IMAP4 client?
Module Review and Takeaways
• Review Questions
• Common Issues and Troubleshooting Tips
• Real-World Issues and Scenarios
• Best Practices
