Implementing Exchange Server Security
Henrik Damslund
Senior Technology Specialist
Microsoft
Session Prerequisites
Hands-on experience with Microsoft Windows Server 2003
Working knowledge of Microsoft Exchange Server 2003
Working knowledge of Internet protocols including POP3, IMAP4, SMTP, HTTP, and NNTP
Working knowledge of networking, including TCP/IP, DNS, and IIS
Basic understanding of PKI concepts and technologies
Level 300
Session Overview
Implementing Exchange Server
Securing Exchange Server Services and Messaging Protocols
Maintaining Security on Exchange Server
Configuring Exchange to Protect Against Unwanted E-Mail
Implementing Exchange Server
• An overview of Exchange Server 2003 security
• Exchange Server deployment scenarios
• Exchange Server client scenarios
• Configuration and security update recommendations for Exchange Server
• Implementing a defense-in-depth approach to Exchange Server security
Securing Exchange Server Services and Messaging Protocols
Maintaining Security on Exchange Server
Configuring Exchange to Protect Against Unwanted E-Mail
Exchange Server 2003 Security Overview
Secure by design
Support for Sender, Recipient and Connection filtering, including Block List services
Secure by default
User logon on server disabled
Messaging limits configuration of 10MB
Microsoft Exchange Server 2003 Security Enhancements http://www.microsoft.com/exchange/evaluation/security_E2k3.mspx
Exchange Server Deployment Scenarios
[Diagram: three deployment scenarios (general deployment, FE/BE deployment, ISA Server integrated). Labels: Internet, Exchange server, front-end Exchange server, back-end Exchange servers, ISA server.]
Exchange Server Client Scenarios
Exchange Server 2003 client scenarios include the following:
General client access:
Microsoft Outlook
Mobile client access:
Outlook Web Access
Outlook Mobile Access
Exchange Server ActiveSync
Configuration and Security Update Recommendations for Exchange Server
Component: Configuration
Operating system and software: Microsoft Windows Server 2003 with the latest security updates; Exchange Server 2003 with Service Pack 1 (or higher); Microsoft Exchange Intelligent Message Filter
Browser: Internet Explorer 6 with the latest security updates
Security update management: Microsoft Baseline Security Analyzer
Implementing a Defense-in-Depth Approach to Exchange Server Security
Using a layered approach:
Increases an attacker’s risk of detection
Reduces an attacker’s chance of success
Policies, procedures, and awareness: Security policies, procedures, and education
Physical security: Guards, locks, tracking devices
Application: Application hardening
Host: OS hardening, authentication, security update management, antivirus updates, auditing
Internal network: Network segments, NIDS
Perimeter: Firewalls, border routers, VPNs with quarantine procedures
Data: Strong passwords, ACLs, backup and restore strategy
Securing Exchange Server Services and Messaging Protocols
Implementing Exchange Server
Securing Exchange Server Services and Messaging Protocols
• The challenges of securing Exchange Server 2003
• Hardening the messaging environment
• Hardening back-end Exchange servers
• Hardening front-end Exchange servers
• SMTP relaying
• Securing SMTP communication between mail servers
• Additional best practices for securing Exchange servers
Maintaining Security on Exchange Server
Configuring Exchange to Protect Against Unwanted E-Mail
Securing Exchange Servers: What Are the Challenges?
Challenges to securing an Exchange server include:
Maintaining the security of the underlying Windows infrastructure
Maintaining baseline security hardening practices
Understanding security options for various deployment scenarios
Hardening the Messaging Environment
To harden your Exchange messaging environment, deploy the following:
Environment: Configuration
Server environment: Domain, Domain Controller, and Member Server Baseline Policy templates; Windows Server 2003 Security Guide at http://go.microsoft.com/fwlink/?LinkId=21638
Messaging environment: Exchange Domain Controller Baseline Policy template; Exchange Server 2003 Security Hardening Guide at http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exsecure.mspx
Hardening Back-End Exchange Servers
Tasks for hardening back-end Exchange servers include:
Hardening services
Hardening file access control lists (ACLs)
Changing privilege rights
Enabling additional services (optional)
Apply the Exchange 2003 Backend.inf security template to your back-end servers
Hardening Front-End Exchange Servers
Tasks for hardening front-end Exchange servers include:
Hardening services
Hardening file access control lists (ACLs)
Enabling additional services (optional)
Running URLScan (optional but recommended)
Dismounting the mailbox store and deleting the public folder store (optional but recommended)
Apply the Exchange 2003 Frontend.inf security template to your front-end servers
Understanding SMTP Relaying
SMTP Relaying: When an SMTP server accepts mail from one DNS domain addressed to mailboxes in another domain, neither one of which the server owns
Relaying may be necessary when:
Accepting mail for another organization
Supporting clients that use POP3 or IMAP4
Supporting applications that generate SMTP mail
Prevent open relays by:
Allowing only authenticated computers to relay
Restricting relaying to specific computers or users
Using an SMTP connector to relay mail to particular domains
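The three relay controls above, modelled as a per-recipient decision so that a policy can be checked for the open-relay condition before it is deployed. This is an added example, not code from the presentation or from Exchange; the RelayPolicy class, the domains and the addresses are constructed for illustration.

```python
# Added example: models the relay controls listed above (not Exchange code).
# All domains, networks and addresses are constructed sample values.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class RelayPolicy:
    local_domains: set                                    # domains this server owns
    relay_networks: list = field(default_factory=list)    # computers allowed to relay
    connector_domains: set = field(default_factory=set)   # relayed via an SMTP connector
    allow_authenticated: bool = True                      # authenticated sessions may relay


def decide(policy, client_ip, authenticated, rcpt_domain):
    """Return (action, reason) for one RCPT TO on an inbound SMTP session."""
    rcpt_domain = rcpt_domain.lower().rstrip(".")
    if rcpt_domain in policy.local_domains:
        return "deliver", "recipient domain is local"
    if rcpt_domain in policy.connector_domains:
        return "relay", "SMTP connector handles this domain"
    if authenticated and policy.allow_authenticated:
        return "relay", "session is authenticated"
    addr = ip_address(client_ip)
    if any(addr in ip_network(net) for net in policy.relay_networks):
        return "relay", "client is on the relay allow list"
    return "reject", "relaying denied"


def is_open_relay(policy):
    """True if an anonymous Internet host can relay to a domain the server does not own."""
    action, _ = decide(policy, "203.0.113.50", False, "unrelated.example")
    return action == "relay"


HARDENED = RelayPolicy(
    local_domains={"contoso.example"},
    relay_networks=["10.1.0.0/24"],         # e.g. POP3/IMAP4 clients and application servers
    connector_domains={"partner.example"},  # mail accepted for another organization
)
# Misconfiguration: the allow list covers every address, so anyone may relay.
OPEN = RelayPolicy(local_domains={"contoso.example"}, relay_networks=["0.0.0.0/0"])

if __name__ == "__main__":
    print(decide(HARDENED, "203.0.113.50", False, "unrelated.example"))
    print("open relay:", is_open_relay(HARDENED), is_open_relay(OPEN))
```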
Securing SMTP Communication Between Mail Servers
To secure SMTP communication between servers:
1. Install and configure an X.509 certificate on the SMTP server
2. Enable and configure TLS encryption for inbound mail
3. Enable and configure TLS encryption for outbound mail to specific domains
Securing Exchange Servers: Best Practices
Limit Exchange Server functionality to clients that are strictly required
Remain current with the latest updates for both Exchange Server 2003 and the operating system
Use SSL/TLS and forms-based authentication for Outlook Web Access
Use ISA Server 2004 to regulate access for HTTP, RPC over HTTPS, POP3, and IMAP4 traffic
Maintaining Security on Exchange Server
Implementing Exchange Server
Securing Exchange Server Services and Messaging Protocols
Maintaining Security on Exchange Server
• The challenges of maintaining security on Exchange Server
• How to use the Microsoft Baseline Security Analyzer (MBSA) to scan Exchange Server 2003 for security issues
• How to validate Exchange configurations using the Microsoft Exchange Server Best Practices Analyzer Tool
• Implementing antivirus protection within an Exchange Server 2003 environment
Configuring Exchange to Protect Against Unwanted E-Mail
Maintaining Security on Exchange Server: What Are the Challenges?
Challenges to maintaining security on an Exchange server include:
Keeping up with the latest security updates
Keeping up with recommended best practices
Understanding the impact of configuring the various options within Exchange Server
Maintaining documentation on configuration and security settings
Analyzing Exchange Server 2003 Using MBSA
MBSA checks for issues related to the following:
Known Windows and Internet Explorer security issues
Missing security updates
Weak account passwords
Internet Information Services (IIS) security issues
Exchange Server security issues
SQL Server security issues
Validating Exchange Server Configuration Settings
ExBPA can examine your Exchange servers to:
Generate a list of issues, such as misconfigurations or unsupported or non-recommended options
Judge the general health of a system
Help troubleshoot specific problems
Demonstration: Analyzing Configuration Settings on Exchange Server 2003
Analyze Exchange Server using the ExBPA Tool
Implementing Antivirus Protection on Exchange Server
Consider the following when designing and implementing an antivirus solution:
Design a defense-in-depth approach
Implement an antivirus scanner that supports AVAPI 2.5
Prevent file-based scanning on Exchange Server folders
Configuring Exchange to Protect Against Unwanted E-Mail
Implementing Exchange Server
Securing Exchange Server Services and Messaging Protocols
Maintaining Security on Exchange Server
Configuring Exchange to Protect Against Unwanted E-Mail
• The options in Exchange Server for limiting unwanted e-mail
• Configuring filtering by recipient address
• Configuring filtering by sender address or domain
• Implementing real-time block list support using connection filtering
• Exchange Server 2003 Intelligent Message Filter
• Deploying Intelligent Message Filter
• How Intelligent Message Filter works with Exchange Server and Outlook
• Managing IMF archived messages using the Archive Manager
What Are the Exchange Options for Limiting Unwanted E-Mail?
Options to limit unwanted e-mail include:
Recipient filtering
Sender filtering
Connection filtering
Microsoft Exchange Intelligent Message Filter
Configuring Filtering by Recipient Address
Recipient filtering blocks mail to specified addresses within your domain and filters e-mail addressed to users who are not in your Active Directory
Configuring Filtering by Sender Address or Domain
Sender filtering blocks mail from specified senders or domains
Implementing Real-Time Block List Support Using Connection Filtering
Connection filtering is used to configure Exchange Server to contact a Real-Time Block List (RBL) provider
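What "contacting an RBL provider" amounts to on the wire is a DNS query: the connecting IPv4 address is reversed and looked up under the provider's zone. The sketch below is an added example of that conventional DNS block list lookup, not code from the presentation or from Exchange; the zone rbl.example.test and the resolver data are constructed so it runs without network access.

```python
# Added example: conventional DNS block list lookup for a connecting IPv4 address.
# The zone name and FAKE_ZONE contents are constructed sample data.
import socket
from ipaddress import IPv4Address

ZONE = "rbl.example.test"  # hypothetical provider zone


def dnsbl_query_name(client_ip, zone):
    """203.0.113.7 under rbl.example.test -> 7.113.0.203.rbl.example.test"""
    octets = str(IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_resolver(name):
    """Resolve an A record with the OS resolver; None means no such name."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_connection(client_ip, zone, resolve=system_resolver):
    """Return (accept, reason) for an inbound SMTP connection."""
    answer = resolve(dnsbl_query_name(client_ip, zone))
    if answer is None:
        return True, "not listed"
    if answer.startswith("127."):
        # Block lists signal a listing with an address in 127.0.0.0/8.
        return False, "listed by %s (%s)" % (zone, answer)
    # Any other answer is not a listing, e.g. a lapsed zone that now wildcards.
    return True, "ignored unexpected answer " + answer


# Constructed resolver data: one listed host and one bogus wildcard-style answer.
FAKE_ZONE = {
    "7.113.0.203.rbl.example.test": "127.0.0.2",
    "9.100.51.198.rbl.example.test": "192.0.2.1",
}
fake_resolver = FAKE_ZONE.get

if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.10", "198.51.100.9"):
        print(ip, check_connection(ip, ZONE, fake_resolver))
```

Treating only 127.0.0.0/8 answers as listings keeps a misbehaving or abandoned zone from causing all inbound mail to be rejected.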
Overview of Exchange Intelligent Message Filter
Exchange Intelligent Message Filter is an add-on product to help companies reduce the amount of unsolicited commercial e-mail received by users
Deploying the Intelligent Message Filter
[Diagram labels: Internet, firewall, Exchange gateway servers with Intelligent Message Filter, Exchange intranet servers.]
Intelligent Message Filter handles e-mail based upon two thresholds:
Gateway blocking configuration
Store junk e-mail configuration
How the Intelligent Message Filter Works with Exchange and Outlook
[Flow diagram labels: Internet; Exchange Server 2003 gateway server (connection filtering, recipient filtering, sender filtering, Intelligent Message Filter with gateway threshold); Exchange Server 2003 back-end (store threshold); user mailbox (safe sender, blocked sender, spam yes/no, Inbox, Junk).]
Managing IMF Archived Messages Using the Archive Manager
Archive Manager C# tool released with source on GotDotNet
http://workspaces.gotdotnet.com/imfarchive
Supports the following features:
Tree view of the Archive directory of messages
View of RFC2822 decoded headers and raw message
Resubmission of message to pickup directory
Deletion of messages
Forwarding of message as attachment to third-party address
Session Summary
Deploy Exchange Server 2003 and Microsoft Office Outlook 2003 to take advantage of the latest security enhancements
Implement the appropriate base and incremental security templates to fully secure Exchange Server
Install Exchange-aware antivirus applications and maintain security using the MBSA and ExBPA tools
Protect against unwanted e-mail by implementing a layered approach using features such as filtering and the Intelligent Message Filter utility
Next Steps
Find additional security training events:
http://www.microsoft.com/seminar/events/security.mspx
Sign up for security communications:
http://www.microsoft.com/technet/security/signup/default.mspx
Find additional e-learning clinics
https://www.microsoftelearning.com/security
Get additional security information on Exchange Server 2003:
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/default.mspx
Questions and Answers