Embed Size (px)
DESCRIPTION
Securing Exchange Server 2003. Session Goals:. Introduce you to the concepts and mechanisms for securing Exchange 2003. Examine the techniques and tools used to help remove unwanted messages such as Spam. Demonstrate the ways in which we can enable Secure External Client Access. - PowerPoint PPT Presentation
Citation preview
Securing Exchange Server 2003
Session Goals:• Introduce you to the concepts and mechanisms for securing Exchange 2003.• Examine the techniques and tools used to help remove unwanted messages such as Spam. • Demonstrate the ways in which we can enable Secure External Client Access.• Best Practices, tools and tips.
Agenda
• Exchange 2003 Security Overview• Smart Screen and Spam Filtering Technology• Secure External Client Access• Best Practices and tools for Securing Exchange
Exchange 2003 Security Considerations:Features and considerations:
Secure by design and defaultMany different clients and connection methodsDeployment ScenariosFirewall implementations at the perimeterSMTP Anti-RelayEmail filtering by Sender, Recipient and Connection filtering, including Block List servicesSPAM filteringAnti Virus SupportOutlook Web Access publishing
Exchange Server Deployment Scenarios
ISA Server integrated
General deployment FE/BE deployment
Exchangeserver
Internet
Front-endExchange
server
Back-end Exchange
servers
ISA server
Exchangeserver
Securing Exchange at the perimeter ISA 2004 Firewall Interaction (SMTP)
Exchange Exchange ServerServer
OWA Publishing without ISA 2004
Traditional Traditional firewallfirewall
WebWebSrv/ Srv/
OWA OWA
clientclient
Web server prompts for Web server prompts for authentication — any authentication — any
Internet user can access Internet user can access this promptthis prompt
SSLSSL
SSL tunnels through SSL tunnels through traditional firewalls traditional firewalls
because it is encrypted…because it is encrypted…
……which allows viruses which allows viruses and worms to pass and worms to pass
through undetected…through undetected…
……and infect internal servers!and infect internal servers!
Internet
ISA Server can ISA Server can decrypt and inspect decrypt and inspect
SSL trafficSSL traffic
URLScan for ISA Server can stop URLScan for ISA Server can stop Web attacks at the network edge, Web attacks at the network edge,
even over encrypted SSLeven over encrypted SSL
ISA Server with HTTP FilteringISA Server with HTTP FilteringOWA Publishing with ISA 2004
WebWebSrv/ Srv/
OWA OWA
clientclient ISA Server 2004ISA Server 2004
ISA Server pre-authenticates ISA Server pre-authenticates users, eliminating multiple users, eliminating multiple
dialog boxes and only allowing dialog boxes and only allowing valid traffic throughvalid traffic through
SSL or SSL or HTTPHTTP
SSLSSL
Internet
inspected traffic can be sent to the internal inspected traffic can be sent to the internal server re-encrypted or in the clear.server re-encrypted or in the clear.
Securely Publishing Exchange Securely Publishing Exchange with ISA 2004with ISA 2004SMTP PublishingSMTP PublishingSMTP Keyword / Attachment FilteringSMTP Keyword / Attachment FilteringOWA PublishingOWA Publishing
demonstrationdemonstration
Agenda
• Exchange 2003 Security Overview• Smart Screen and Spam Filtering Technology• Secure External Client Access• Best Practices and tools for Securing Exchange
Exchange Message Filtering
Accept/Accept/Deny ListsDeny Lists
Block ListsBlock ListsRecipient FilterRecipient Filter
Sender FilteringSender FilteringIntelligent Message FilterIntelligent Message Filter
Information StoreInformation Store
Intelligent Message Filtering
• Utilizes Smart Screen Machine Learning• Applied at the gateway
– Marks message with Spam Confidence Level (SCL) rating• Utilized throughout the mail stream• Scans headers, body of message and other attributes.
SCL 5SCL 5
Spam Filtering with IMFSmart Screen Technology
SCL 8SCL 8
Smart Screen Smart Screen AlgorithmAlgorithm
Gateway ServerGateway ServerMailbox Store ServerMailbox Store Server
33rdrd Party Tools Party Tools (Anti-Virus)(Anti-Virus)
Junk E-mailJunk E-mailFolderFolder
InboxInbox
SCL 5SCL 5
The Intelligent Message Filter The Intelligent Message Filter Exchange 2003 UCE Control FeaturesExchange 2003 UCE Control FeaturesInstalling IMFInstalling IMFConfiguring IMFConfiguring IMF
demonstrationdemonstration
Agenda
• Exchange 2003 Security Overview• Smart Screen and Spam Filtering Technology• Secure External Client Access• Best Practices and tools for Securing Exchange
Secure External Client Access to Exchange Server: What Are the Challenges? Outlook mobile access
XHTML, cHTML, HTMLActiveSync-Enabled
mobile devices
Wirelessnetwork
ISAserver
Outlook web accessOutlook using RPCOutlook using RPC
over HTTP(S)Outlook express
using IMAP4 or POP3
Exchangefront-end
server
Exchangeback-endservers
Configuring Secure Outlook RPC / RPC over HTTP(S) Client Access
Outlookclient
Exchangeservers
ISAserver
Use the mail server publishing rule to enable Outlook RPC connections
Configuring RPC over HTTP(S) Client Access Considerations
RPC over HTTP(S) requires:
Exchange Server 2003 running on Windows Server 2003 and Windows Server 2003 global catalog servers
Outlook 2003 running on Windows XP
Windows Server 2003 server running RPC proxy server
Modifying the Outlook profile to use RPC over HTTP(S) to connect to the Exchange server
To enable RPC over HTTP(S) connections through ISA Server, use the Secure Web Publishing Wizard to publish the /rpc/*virtual directory
RPC over HTTPS RPC over HTTPS Installing RPC over HTTPSInstalling RPC over HTTPSConfiguration of ISA ServerConfiguration of ISA Server
demonstrationdemonstration
Agenda
• Exchange 2003 Security Overview• Smart Screen and Spam Filtering Technology• Secure External Client Access• Best Practices and tools for Securing Exchange
Maintaining Security on Exchange Server: What Are the Challenges?
Challenges to maintaining security on an Exchange server include:
Hardening the Servers
Keeping up with the latest security updates
Keeping up with recommended best practices
Understanding the impact of configuring the various options within Exchange Server
Maintaining documentation on configuration and security settings
Hardening Back-End Exchange Servers
Tasks for hardening back-end Exchange servers include:
Hardening services (Reduce Attack Surface)
Hardening file access control lists (ACLs)
Changing privilege rights
Enabling additional services (optional)
Apply the Exchange 2003 Backend.inf security template to your back-end servers
Hardening Front-End Exchange Servers
Tasks for hardening front-end Exchange servers include:
Hardening services (Reduce Attack Surface)
Hardening file access control lists (ACLs)
Enabling additional services (optional)
Running URLScan (optional but recommended)
Dismounting the mailbox store and deleting the public folder store (optional but recommended)
Apply the Exchange 2003 Frontend.inf security template to your front-end servers
Analyzing Exchange Server 2003 Using MBSA
MBSA checks for issues related to the following:Known Windows and Internet Explorer security issues
Missing security updates
Weak account passwords
Internet Information Services (IIS) security issues
Exchange Server security issues
SQL Server security issues
Validating Exchange Server Configuration Settings
ExBPA can examine your Exchange servers to:Generate a list of issues, such as misconfigurations or unsupported or non-recommended options
Judge the general health of a system
Help troubleshoot specific problems
Includes the MBSA tool
Securing Exchange Servers: Best Practices
Limit Exchange Server functionality to clients that are strictly required
Remain current with the latest updates for both Exchange Server 2003 and the operating system
Use SSL/TLS and forms-based authentication for Outlook Web Access
Use ISA Server 2004 to regulate access for HTTP, RPC over HTTPS, POP3, and IMAP4 traffic
Decide on Exchange Server design and harden servers according to their roles
Exchange Tools Exchange Tools Exchange Best Practice AnalyzerExchange Best Practice Analyzer
demonstrationdemonstration
Session Summary
Deploy Exchange Server 2003 and Microsoft Office Outlook 2003 to take advantage of the latest security enhancements
Implement the appropriate base and incremental security templates to fully secure Exchange Server
Install Exchange-aware antivirus applications and maintain security using the MBSA and ExBPA tools
Protect against unwanted e-mail by implementing a layered approach using features such as filtering and the Intelligent Message Filter utility
Keep up to date with the latest best practices and techniques for securing Exchange Server 2003
For More Information…• Main TechNet Web site at
– www.microsoft.ca/technet
• Anti Spam Capabilities in Exchange 2003– www.microsoft.com/exchange/techinfo/security/antispam.asp
• Microsoft Anti Spam Technology– www.microsoft.com/mscorp/twc/privacy/spam.mspx
• IMF download from– www.microsoft.com/exchange/imf
