Module 10 Securing Microsoft® Exchange Server 2010

10135 a 10

  • Upload
    bo-su

  • View
    936

  • Download
    8

Embed Size (px)

DESCRIPTION

 

Citation preview

Page 1: 10135 a 10

Module 10

Securing Microsoft® Exchange Server 2010

Page 2: 10135 a 10

Module Overview

• Configuring Role Based Access Control

• Configuring Security for Server Roles in Exchange Server 2010

• Configuring Secure Internet Access

Page 3: 10135 a 10

Lesson 1: Configuring Role Based Access Control

• What Is Role Based Access Control?

• What Are Management Role Groups?

• Built-In Management Role Groups

• Demonstration: Managing Permissions Using the Built-In Role Groups

• Process for Configuring Custom Role Groups

• Demonstration: Configuring Custom Role Groups

• What Are Management Role Assignment Policies?

• Working With Management Role Assignment Policies

• Managing Permissions on Edge Transport Servers

Page 4: 10135 a 10

What Is Role Based Access Control?

RBAC is used to define all Exchange Server 2010 permissions

RBAC:

• Defines which Exchange Management Shell cmdlets a user can run and which objects the user can modify

• Is applied by all Exchange Server management tools

RBAC options include:

• Using management role groups to assign administrative permissions

• Using management role assignment policies to assign the permissions that users have on their own mailbox or distribution groups

Page 5: 10135 a 10

What Are Management Role Groups?

Component: Explanation

• Role holder: Mailbox that is assigned to a role group

• Management role group: Universal security group for managing Exchange Server permissions

• Management role: Container for grouping other RBAC components

• Management role entry: Defines which Exchange Server cmdlets an administrator can run

• Management role assignment: Links the management role group to a management role

• Management role scope: Defines where the administrator can perform the tasks

Management role groups assign administrator permissions in Exchange Server 2010

Page 6: 10135 a 10

Built-In Management Role Groups

Management role groups include:

• Organization Management

• View-Only Organization Management

• Recipient Management

• Unified Messaging Management

• Discovery Management

• Records Management

• Server Management

• Help Desk

• Public Folder Management

• Delegated Setup

Page 7: 10135 a 10

Demonstration: Managing Permissions Using the Built-In Role Groups

In this demonstration, you will see how to:

• Add role holders to a role group

• Verify the permissions assigned to the built-in role groups

Page 8: 10135 a 10

Process for Configuring Custom Role Groups

1. Identify the role groups and the role group members

2. Identify the management roles to assign to the group

3. Identify the management scope

4. Create the role group using the New-RoleGroup cmdlet
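The four-step process above, and the add-members-then-verify procedure from the built-in role group demonstration, carried out in the Exchange Management Shell. This is an added example, not course 10135A material; the OU, scope, group, member and server names are assumed.

```powershell
# Added example (not from course 10135A): delegate recipient administration
# for one OU with least privilege. Names below are hypothetical.

# Steps 1 and 2: who becomes a role holder, and which management roles they need.
$members = "Adatum\VancouverHelpdesk"          # assumed AD group of role holders
$roles   = "Mail Recipients", "Distribution Groups"

# Step 3: a custom scope so the group can only write recipients under one OU.
New-ManagementScope -Name "Vancouver Recipients" `
    -RecipientRoot "adatum.com/Vancouver" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# Step 4: create the role group. Each role becomes one role assignment whose
# write scope is the custom scope rather than the whole organization.
New-RoleGroup -Name "Vancouver Recipient Admins" `
    -Roles $roles `
    -CustomRecipientWriteScope "Vancouver Recipients" `
    -Members $members `
    -Description "Recipient management limited to the Vancouver OU"

# Add a role holder later without re-creating the group.
Add-RoleGroupMember -Identity "Vancouver Recipient Admins" -Member "Adatum\jdoe"

# Verify: which roles does the group hold, and with which write scope?
Get-ManagementRoleAssignment -RoleAssignee "Vancouver Recipient Admins" |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# Verify: which cmdlets does one of those roles actually permit?
Get-ManagementRoleEntry "Mail Recipients\*" |
    Where-Object { $_.Name -like "Set-*" } |
    Format-Table Name, Parameters -AutoSize

# Audit: who holds the most privileged built-in role group?
Get-RoleGroupMember "Organization Management" | Format-Table Name, RecipientType
```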

Page 9: 10135 a 10

Demonstration: Configuring Custom Role Groups

In this demonstration, you will see how to create a custom role group

Page 10: 10135 a 10

What Are Management Role Assignment Policies?

Component: Explanation

• Mailbox: Each mailbox is assigned one role assignment policy

• Management role assignment policy: Object for associating management roles with mailboxes

• Management role: Container for grouping other RBAC components

• Management role assignment: Associates management roles with management role assignment policies

• Management role entry: Defines what Exchange cmdlets the user can run on their mailboxes or groups

Management role assignment policies assign permissions to users to manage their mailboxes or distribution groups

Page 11: 10135 a 10

Working with Management Role Assignment Policies

In most organizations, the default management role assignment policy will meet all requirements

You can modify the default configuration by:

• Modifying the default management role assignment policy to add or remove management roles

• Defining a new default management role assignment policy

• Creating new management role assignments and explicitly assigning the policies that contain them to mailboxes
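The three ways of changing the default configuration, shown as Exchange Management Shell commands. This is an added example, not course 10135A material; the policy name, OU and mailbox are assumed.

```powershell
# Added example (not from course 10135A): tighten what users may change on
# their own mailbox. Policy, OU and mailbox names are hypothetical.

# What does the default policy grant today? Each "My*" role is one assignment.
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" |
    Format-Table Role, RoleAssigneeType -AutoSize

# Option 1: remove a role from the default policy. After this, users can no
# longer create or manage their own distribution groups.
Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" `
    -Role "MyDistributionGroups" |
    Remove-ManagementRoleAssignment -Confirm:$false

# Option 2: define a stricter policy and make it the default for new mailboxes.
# Existing mailboxes keep the policy they already have.
New-RoleAssignmentPolicy -Name "Restricted Self-Service" `
    -Roles "MyBaseOptions", "MyContactInformation" `
    -Description "Users may change personal settings and contact data only"
Set-RoleAssignmentPolicy -Identity "Restricted Self-Service" -IsDefault

# Option 3: create a new role assignment on that policy, then assign the
# policy explicitly to selected mailboxes instead of touching the default.
New-ManagementRoleAssignment -Role "MyDistributionGroups" -Policy "Restricted Self-Service"
Get-Mailbox -OrganizationalUnit "adatum.com/Vancouver" |
    Set-Mailbox -RoleAssignmentPolicy "Restricted Self-Service"

# Verify which policy a given mailbox now uses.
Get-Mailbox -Identity "jdoe" | Format-List Name, RoleAssignmentPolicy
```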

Page 12: 10135 a 10

Managing Permissions on Edge Transport Servers

Administrative Task: Local Group

• Backup and restore: Backup Operators

• Configure Edge Transport server settings: Administrators

• Configure edge subscriptions: Administrators

• Connect using Remote Desktop: Administrators

• View queues and messages: Users

• RBAC requires an Active Directory site so you cannot use it to assign permissions on Edge Transport servers

• Use local groups to assign permissions

Page 13: 10135 a 10

Lesson 2: Configuring Security for Server Roles in Exchange Server 2010

• Discussion: What Are the Exchange Server Security Risks?

• Exchange Server Security Guidelines

Page 14: 10135 a 10

Discussion: What Are the Exchange Server Security Risks?

• What security risks do you need to protect against when deploying Exchange Server?

• Which risks are the most serious?

Page 15: 10135 a 10

Exchange Server Security Guidelines

Implement the following best-practice security measures:

• Install all security updates and software updates

• Run Exchange Best Practices Analyzer regularly

• Run Microsoft Baseline Security Analyzer

• Avoid running additional software on Exchange servers

• Install and maintain anti-virus software

• Enforce complex password policies

Page 16: 10135 a 10

Lesson 3: Configuring Secure Internet Access

• Secure Internet Access Components

• Deploying Exchange Server 2010 for Internet Access

• Securing Client Access Traffic from the Internet

• Securing SMTP Connections from the Internet

• What Is a Reverse Proxy?

• Demonstration: Configuring the Threat Management Gateway for Outlook Web App

Page 17: 10135 a 10

Secure Internet Access Components

Providing Internet access for Exchange Server may include:

• Enabling messaging clients to connect to the Client Access server

• Enabling IMAP4/POP3 clients to send SMTP e-mail

Enabling secure access to the Exchange servers may require:

• VPN

• Firewall configuration

• Reverse proxy configuration

Page 18: 10135 a 10

Deploying Exchange Server 2010 for Internet Access

Protocol: Unsecure Port / TLS/SSL Port

• HTTP: 80 / 443

• POP3: 110 / 993

• IMAP4: 143 / 995

• SMTP: 25 / 25

• SMTP client submission: 587 / 587

Diagram: Client, Firewall, Firewall or Reverse Proxy, Client Access Server, Hub Transport Server, Edge Transport Server, Mailbox Server, Domain Controller

Page 19: 10135 a 10

Securing Client Access Traffic from the Internet

To provide secure client access from the Internet:

• Create and configure a server certificate

• Require SSL for all virtual directories

• Enable only required client access methods

• Require secure authentication

• Enforce remote client security

• Require TLS/SSL for IMAP4 and POP3 access

• Implement an application layer firewall or reverse proxy

Page 20: 10135 a 10

Securing SMTP Connections from the Internet

To secure the SMTP connections:

• Enable TLS/SSL for SMTP client connections

• Use the Client Receive Connector (Port 587)

• Ensure that anonymous relay is disabled

• Enable IMAP4 and POP3 selectively

Secure SMTP connections from the Internet may be required for IMAP4 or POP3 clients
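The client access and SMTP settings from the two preceding slides, applied and checked on one Client Access / Hub Transport server. This is an added example, not course 10135A material; the server name, virtual directory list and connector name are assumed.

```powershell
# Added example (not from course 10135A): apply and verify the client access
# and SMTP hardening listed above. Server and connector names are hypothetical.
$server = "VAN-EX1"

# Require TLS/SSL for POP3 and IMAP4: SecureLogin rejects any logon that is not
# protected by SSL or STARTTLS, so credentials never cross the wire in clear.
Set-PopSettings  -Server $server -LoginType SecureLogin
Set-ImapSettings -Server $server -LoginType SecureLogin

# Require SSL on the Internet-facing virtual directories (an IIS setting).
Import-Module WebAdministration
foreach ($vdir in "owa", "ecp", "EWS", "Microsoft-Server-ActiveSync") {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\$vdir" `
        -Filter "system.webServer/security/access" -Name sslFlags -Value "Ssl"
}

# Client submission (port 587): authenticated Exchange users only, TLS mandatory.
Set-ReceiveConnector -Identity "$server\Client $server" `
    -RequireTLS $true -PermissionGroups ExchangeUsers

# Check for anonymous relay: a connector that admits anonymous users is an open
# relay only if they also hold ms-Exch-SMTP-Accept-Any-Recipient on it.
Get-ReceiveConnector -Server $server |
    Where-Object { $_.PermissionGroups -match "AnonymousUsers" } |
    ForEach-Object {
        $relay = Get-ADPermission -Identity $_.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" |
            Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" }
        if ($relay) { Write-Warning "Anonymous relay enabled on $($_.Identity)" }
        else        { Write-Output  "OK: $($_.Identity) accepts anonymous mail for local recipients only" }
    }
```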

Page 21: 10135 a 10

What Is a Reverse Proxy?

A reverse proxy provides:

• Security: Internet client connections are terminated on the reverse proxy

• Application layer filtering: Inspect the contents of network traffic

• SSL bridging: All connections to the reverse proxy and to the Client Access server are encrypted

• Load balancing: Arrays of reverse proxy servers can distribute network traffic for a single URL

• SSL offloading: SSL requests can be terminated on the reverse proxy

Page 22: 10135 a 10

Demonstration: Configuring Threat Management Gateway for Outlook Web App

In this demonstration, you will see how to configure an Outlook Web Access publishing rule

Page 23: 10135 a 10

Lab: Securing Exchange Server 2010

• Exercise 1: Configuring Exchange Server Permissions

• Exercise 2: Configuring a Reverse Proxy for Exchange Server Access

Logon information

Estimated time: 60 minutes

Virtual machines: 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2

User name: Administrator

Password: Pa$$w0rd

Page 24: 10135 a 10

Lab Scenario

A. Datum Corporation has deployed Exchange Server 2010. The company security officer has provided you with a set of requirements to ensure that the Exchange Server deployment is as secure as possible. The requirements include the following specific concerns:

• Exchange Server administrators should have minimal permissions, which means that whenever possible, you should delegate Exchange Server management permissions.

• Ensure that client connections to the Client Access servers are as secure as possible by deploying a TMG server.

Page 25: 10135 a 10

Lab Review

• In the lab, you configured Exchange Server permissions by using a custom role group. How did you limit the types of tasks the delegated administrators could perform and on what objects they could perform the tasks?

• How would the TMG configuration in the lab change if you were enabling access for an IMAP4 client?

Page 26: 10135 a 10

Module Review and Takeaways

• Review Questions

• Common Issues and Troubleshooting Tips

• Real-World Issues and Scenarios

• Best Practices