Implementing Exchange Server Security, Henrik Damslund, Senior Technology Specialist, Microsoft

Optimer Sikkerheden Exchange Server 2003 (Optimize Security: Exchange Server 2003)

Page 1: Optimer Sikkerheden Exchange Server 2003

Implementing Exchange Server Security

Henrik Damslund

Senior Technology Specialist

Microsoft

Page 2: Optimer Sikkerheden Exchange Server 2003

Session Prerequisites

Hands-on experience with Microsoft Windows Server 2003

Working knowledge of Microsoft Exchange Server 2003

Working knowledge of Internet protocols including POP3, IMAP4, SMTP, HTTP, and NNTP

Working knowledge of networking, including TCP/IP, DNS, and IIS

Basic understanding of PKI concepts and technologies

Level 300

Page 3: Optimer Sikkerheden Exchange Server 2003

Session Overview

Implementing Exchange Server

Securing Exchange Server Services and Messaging Protocols

Maintaining Security on Exchange Server

Configuring Exchange to Protect Against Unwanted E-Mail

Page 4: Optimer Sikkerheden Exchange Server 2003

Implementing Exchange Server

Implementing Exchange Server:

• An overview of Exchange Server 2003 security

• Exchange Server deployment scenarios

• Exchange Server client scenarios

• Configuration and security update recommendations for Exchange Server

• Implementing a defense-in-depth approach to Exchange Server security

Securing Exchange Server Services and Messaging Protocols

Maintaining Security on Exchange Server

Configuring Exchange to Protect Against Unwanted E-Mail

Page 5: Optimer Sikkerheden Exchange Server 2003

Exchange Server 2003 Security Overview

Secure by design

Support for Sender, Recipient and Connection filtering, including Block List services

Secure by default

User logon on server disabled

Messaging limits configuration of 10 MB

Microsoft Exchange Server 2003 Security Enhancements: http://www.microsoft.com/exchange/evaluation/security_E2k3.mspx

Page 6: Optimer Sikkerheden Exchange Server 2003

Exchange Server Deployment Scenarios

[Diagram: three deployment scenarios (General deployment, FE/BE deployment, ISA Server integrated), with elements labelled Internet, Exchange server, Front-end Exchange server, Back-end Exchange servers and ISA server.]

Page 7: Optimer Sikkerheden Exchange Server 2003

Exchange Server Client Scenarios

Exchange Server 2003 client scenarios include the following:

General client access:

Microsoft Outlook

Mobile client access:

Outlook Web Access

Outlook Mobile Access

Exchange Server ActiveSync

Page 8: Optimer Sikkerheden Exchange Server 2003

Configuration and Security Update Recommendations for Exchange Server

Component | Configuration
Operating system and software | Microsoft Windows Server 2003 with the latest security updates; Exchange Server 2003 with Service Pack 1 (or higher); Microsoft Exchange Intelligent Message Filter
Browser | Internet Explorer 6 with the latest security updates
Security update management | Microsoft Baseline Security Analyzer

Page 9: Optimer Sikkerheden Exchange Server 2003

Implementing a Defense-in-Depth Approach to Exchange Server Security

Using a layered approach:

Increases an attacker’s risk of detection

Reduces an attacker’s chance of success

Policies, procedures, and awareness: Security policies, procedures, and education

Physical security: Guards, locks, tracking devices

Application: Application hardening

Host: OS hardening, authentication, security update management, antivirus updates, auditing

Internal network: Network segments, NIDS

Perimeter: Firewalls, border routers, VPNs with quarantine procedures

Data: Strong passwords, ACLs, backup and restore strategy

Page 10: Optimer Sikkerheden Exchange Server 2003

Securing Exchange Server Services and Messaging Protocols

Implementing Exchange Server

Securing Exchange Server Services and Messaging Protocols:

• The challenges of securing Exchange Server 2003

• Hardening the messaging environment

• Hardening back-end Exchange servers

• Hardening front-end Exchange servers

• SMTP relaying

• Securing SMTP communication between mail servers

• Additional best practices for securing Exchange servers

Maintaining Security on Exchange Server

Configuring Exchange to Protect Against Unwanted E-Mail

Page 11: Optimer Sikkerheden Exchange Server 2003

Securing Exchange Servers: What Are the Challenges?

Challenges to securing an Exchange server include:

Maintaining the security of the underlying Windows infrastructure

Maintaining baseline security hardening practices

Understanding security options for various deployment scenarios

Page 12: Optimer Sikkerheden Exchange Server 2003

Hardening the Messaging Environment

To harden your Exchange messaging environment, deploy the following:

Environment | Configuration
Server environment | Domain, Domain Controller, and Member Server Baseline Policy templates; Windows Server 2003 Security Guide at http://go.microsoft.com/fwlink/?LinkId=21638
Messaging environment | Exchange Domain Controller Baseline Policy template; Exchange Server 2003 Security Hardening Guide at http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exsecure.mspx

Page 13: Optimer Sikkerheden Exchange Server 2003

Hardening Back-End Exchange Servers

Tasks for hardening back-end Exchange servers include:

Hardening services

Hardening file access control lists (ACLs)

Changing privilege rights

Enabling additional services (optional)

Apply the Exchange 2003 Backend.inf security template to your back-end servers

Page 14: Optimer Sikkerheden Exchange Server 2003

Hardening Front-End Exchange Servers

Tasks for hardening front-end Exchange servers include:

Hardening services

Hardening file access control lists (ACLs)

Enabling additional services (optional)

Running URLScan (optional but recommended)

Dismounting the mailbox store and deleting the public folder store (optional but recommended)

Apply the Exchange 2003 Frontend.inf security template to your front-end servers

Page 15: Optimer Sikkerheden Exchange Server 2003

Understanding SMTP Relaying

SMTP Relaying: When an SMTP server accepts mail from one DNS domain addressed to mailboxes in another domain, neither one of which the server owns

Relaying may be necessary when:

Accepting mail for another organization

Supporting clients that use POP3 or IMAP4

Supporting applications that generate SMTP mail

Prevent open relays by:

Allowing only authenticated computers to relay

Restricting relaying to specific computers or users

Using an SMTP connector to relay mail to particular domains
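
The relay rules on this slide, modelled as a per-recipient decision (an added example, not part of the original slides and not Exchange code). The class, field and function names, the domains and the addresses are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RelayPolicy:
    local_domains: set                                   # domains this server owns
    relay_networks: list = field(default_factory=list)   # computers allowed to relay
    connector_domains: set = field(default_factory=set)  # domains an SMTP connector relays to
    allow_authenticated: bool = True                     # authenticated sessions may relay

    def decide(self, client_ip, authenticated, rcpt_to):
        """Return (accept, reason) for one RCPT TO address."""
        local_part, sep, domain = rcpt_to.strip("<>").rpartition("@")
        domain = domain.lower().rstrip(".")
        if not sep or not local_part or not domain:
            return False, "malformed recipient"
        # MAIL FROM is deliberately not consulted: the client chooses it
        # freely, so it says nothing about who is actually connecting.
        if domain in self.local_domains:
            return True, "local delivery"
        if domain in self.connector_domains:
            return True, "relay via connector"
        if authenticated and self.allow_authenticated:
            return True, "relay for authenticated session"
        addr = ipaddress.ip_address(client_ip)
        if any(addr in ipaddress.ip_network(net) for net in self.relay_networks):
            return True, "relay for listed computer"
        return False, "relay denied"


def is_open_relay(policy):
    """True if an unauthenticated host at a constructed outside address can
    relay to a domain the policy never names (a check on the policy object)."""
    accept, _ = policy.decide("192.0.2.1", False, "probe@unrelated.invalid")
    return accept


# Constructed sample policies (all names and addresses are placeholders).
HARDENED = RelayPolicy(
    local_domains={"contoso.example"},
    relay_networks=["10.0.5.0/24"],          # application servers that send SMTP mail
    connector_domains={"partner.example"},
)
MISCONFIGURED = RelayPolicy(local_domains={"contoso.example"},
                            relay_networks=["0.0.0.0/0"])

if __name__ == "__main__":
    for ip, auth, rcpt in [("203.0.113.9", False, "alice@Contoso.Example"),
                           ("203.0.113.9", False, "bob@elsewhere.example"),
                           ("203.0.113.9", True, "bob@elsewhere.example"),
                           ("10.0.5.20", False, "bob@elsewhere.example")]:
        print(ip, auth, rcpt, HARDENED.decide(ip, auth, rcpt))
    print("open relay:", is_open_relay(HARDENED), is_open_relay(MISCONFIGURED))
```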

Page 16: Optimer Sikkerheden Exchange Server 2003

Securing SMTP Communication Between Mail Servers

To secure SMTP communication between servers:

1. Install and configure an X.509 certificate on the SMTP server

2. Enable and configure TLS encryption for inbound mail

3. Enable and configure TLS encryption for outbound mail to specific domains

Page 17: Optimer Sikkerheden Exchange Server 2003

Securing Exchange Servers: Best Practices

Limit Exchange Server functionality to clients that are strictly required

Remain current with the latest updates for both Exchange Server 2003 and the operating system

Use SSL/TLS and forms-based authentication for Outlook Web Access

Use ISA Server 2004 to regulate access for HTTP, RPC over HTTPS, POP3, and IMAP4 traffic

Page 18: Optimer Sikkerheden Exchange Server 2003

Maintaining Security on Exchange Server

Implementing Exchange Server

Securing Exchange Server Services and Messaging Protocols

Maintaining Security on Exchange Server:

• The challenges of maintaining security on Exchange Server

• How to use the Microsoft Baseline Security Analyzer (MBSA) to scan Exchange Server 2003 for security issues

• How to validate Exchange configurations using the Microsoft Exchange Server Best Practices Analyzer Tool

• Implementing antivirus protection within an Exchange Server 2003 environment

Configuring Exchange to Protect Against Unwanted E-Mail

Page 19: Optimer Sikkerheden Exchange Server 2003

Maintaining Security on Exchange Server: What Are the Challenges?

Challenges to maintaining security on an Exchange server include:

Keeping up with the latest security updates

Keeping up with recommended best practices

Understanding the impact of configuring the various options within Exchange Server

Maintaining documentation on configuration and security settings

Page 20: Optimer Sikkerheden Exchange Server 2003

Analyzing Exchange Server 2003 Using MBSA

MBSA checks for issues related to the following:

Known Windows and Internet Explorer security issues

Missing security updates

Weak account passwords

Internet Information Services (IIS) security issues

Exchange Server security issues

SQL Server security issues

Page 21: Optimer Sikkerheden Exchange Server 2003

Validating Exchange Server Configuration Settings

ExBPA can examine your Exchange servers to:

Generate a list of issues, such as misconfigurations or unsupported or non-recommended options

Judge the general health of a system

Help troubleshoot specific problems

Page 22: Optimer Sikkerheden Exchange Server 2003

Demonstration: Analyzing Configuration Settings on Exchange Server 2003

Analyze Exchange Server using the ExBPA Tool

Page 23: Optimer Sikkerheden Exchange Server 2003

Implementing Antivirus Protection on Exchange Server

Consider the following when designing and implementing an antivirus solution:

Design a defense-in-depth approach

Implement an antivirus scanner that supports AVAPI 2.5

Prevent file-based scanning on Exchange Server folders

Page 24: Optimer Sikkerheden Exchange Server 2003

Configuring Exchange to Protect Against Unwanted E-Mail

Implementing Exchange Server

Securing Exchange Server Services and Messaging Protocols

Maintaining Security on Exchange Server

Configuring Exchange to Protect Against Unwanted E-Mail:

• The options in Exchange Server for limiting unwanted e-mail

• Configuring filtering by recipient address

• Configuring filtering by sender address or domain

• Implementing real-time block list support using connection filtering

• Exchange Server 2003 Intelligent Message Filter

• Deploying Intelligent Message Filter

• How Intelligent Message Filter works with Exchange Server and Outlook

• Managing IMF archived messages using the Archive Manager

Page 25: Optimer Sikkerheden Exchange Server 2003

What Are the Exchange Options for Limiting Unwanted E-Mail?

Options to limit unwanted e-mail include:

Recipient filtering

Sender filtering

Connection filtering

Microsoft Exchange Intelligent Message Filter

Page 26: Optimer Sikkerheden Exchange Server 2003

Configuring Filtering by Recipient Address

Recipient filtering blocks mail to specified addresses within your domain and filters e-mail addressed to users who are not in your Active Directory

Page 27: Optimer Sikkerheden Exchange Server 2003

Configuring Filtering by Sender Address or Domain

Sender filtering blocks mail from specified senders or domains

Page 28: Optimer Sikkerheden Exchange Server 2003

Implementing Real-Time Block List Support Using Connection Filtering

Connection filtering is used to configure Exchange Server to contact a Real-Time Block List (RBL) provider
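
How a block list lookup of this kind works at the DNS level, as an added example that is not part of the original slides and is not Exchange's own code. The zone name `rbl.example`, the `resolve` callback, the `accept_list` parameter and the sample DNS data are constructed assumptions; the reversed-octet query name and the 127.0.0.0/8 return codes are the usual DNS block list convention.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip, zone):
    """Build the lookup name: IPv4 octets reversed, then the provider's zone."""
    addr = ipaddress.IPv4Address(client_ip)      # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def connection_filter(client_ip, zone, resolve, accept_list=()):
    """Return (blocked, detail) for a connecting IPv4 address.

    resolve(name) must return the list of A-record strings for name, or an
    empty list when the name does not exist.
    """
    if client_ip in accept_list:
        return False, "on accept list, provider not queried"
    answers = resolve(dnsbl_query_name(client_ip, zone))
    # Only answers inside 127.0.0.0/8 are block list return codes. Anything
    # else (for example a resolver that rewrites "no such name" into a
    # search-page address) must not be treated as a listing.
    codes = [a for a in answers if ipaddress.ip_address(a) in LOOPBACK]
    if codes:
        return True, "listed, return code " + codes[0]
    return False, "not listed"


# Constructed DNS data standing in for a real provider (placeholder zone).
FAKE_ZONE = {
    "99.2.0.192.rbl.example": ["127.0.0.2"],      # listed address
    "5.113.0.203.rbl.example": ["198.51.100.7"],  # rewritten answer, not a listing
}


def fake_resolve(name):
    """Offline stand-in for a DNS A-record query."""
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.99", "203.0.113.5", "198.51.100.1"):
        print(ip, dnsbl_query_name(ip, "rbl.example"),
              connection_filter(ip, "rbl.example", fake_resolve))
```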

Page 29: Optimer Sikkerheden Exchange Server 2003

Overview of Exchange Intelligent Message Filter

Exchange Intelligent Message Filter is an add-on product to help companies reduce the amount of unsolicited commercial e-mail received by users

Page 30: Optimer Sikkerheden Exchange Server 2003

Deploying the Intelligent Message Filter

[Diagram: Internet, firewall, Exchange gateway servers running Intelligent Message Filter, and Exchange intranet servers.]

Intelligent Message Filter handles e-mail based upon two thresholds:

Gateway blocking configuration

Store junk e-mail configuration

Page 31: Optimer Sikkerheden Exchange Server 2003

How the Intelligent Message Filter Works with Exchange and Outlook

[Diagram: message flow from the Internet through the Exchange Server 2003 gateway server (connection filtering, recipient filtering, sender filtering, Intelligent Message Filter gateway threshold) to the Exchange Server 2003 back-end (store threshold) and the user mailbox, where spam, safe sender and blocked sender decisions (Yes/No) lead to Inbox or Junk.]
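
The filter order and the two thresholds on this slide, modelled as one routing function (an added sketch, not part of the original slides and not Exchange code). The numeric score, the comparison operators at each threshold, the rule that a safe or blocked sender entry overrides the store threshold, and all class, field and sample names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class GatewayConfig:
    blocked_ips: set          # outcome of connection filtering (block list hits)
    valid_recipients: set     # addresses that exist in the directory
    blocked_senders: set      # sender filter: full addresses or bare domains
    gateway_threshold: int    # assumed rule: score >= this triggers the gateway action
    store_threshold: int      # assumed rule: score > this is treated as junk


@dataclass
class Mailbox:
    safe_senders: set = field(default_factory=set)
    blocked_senders: set = field(default_factory=set)


def route(client_ip, sender, recipient, score, cfg, mailbox):
    """Return the stage that stopped the message, or the folder it reaches."""
    sender, recipient = sender.lower(), recipient.lower()
    # Gateway server: filters run in the order shown on the slide.
    if client_ip in cfg.blocked_ips:
        return "stopped: connection filtering"
    if recipient not in cfg.valid_recipients:
        return "stopped: recipient filtering"
    if sender in cfg.blocked_senders or sender.rpartition("@")[2] in cfg.blocked_senders:
        return "stopped: sender filtering"
    if score >= cfg.gateway_threshold:
        return "stopped: gateway threshold"
    # Back-end server: store threshold, then the user's own lists.
    if score > cfg.store_threshold:
        return "Inbox" if sender in mailbox.safe_senders else "Junk"
    return "Junk" if sender in mailbox.blocked_senders else "Inbox"


# Constructed sample configuration (placeholder names and addresses).
CFG = GatewayConfig(blocked_ips={"192.0.2.99"},
                    valid_recipients={"alice@contoso.example"},
                    blocked_senders={"spam.example"},
                    gateway_threshold=8, store_threshold=5)
ALICE = Mailbox(safe_senders={"news@vendor.example"},
                blocked_senders={"nag@vendor.example"})

if __name__ == "__main__":
    to = "alice@contoso.example"
    for ip, frm, score in [("192.0.2.99", "a@ok.example", 0),
                           ("198.51.100.4", "promo@spam.example", 0),
                           ("198.51.100.4", "a@ok.example", 8),
                           ("198.51.100.4", "news@vendor.example", 6),
                           ("198.51.100.4", "a@ok.example", 6),
                           ("198.51.100.4", "a@ok.example", 5),
                           ("198.51.100.4", "nag@vendor.example", 2)]:
        print(f"{ip:14} {frm:22} score={score} -> {route(ip, frm, to, score, CFG, ALICE)}")
```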

Page 32: Optimer Sikkerheden Exchange Server 2003

Managing IMF Archived Messages Using the Archive Manager

Archive Manager C# tool released with source on GotDotNet

http://workspaces.gotdotnet.com/imfarchive

Supports the following features:

Tree view of the Archive directory of messages

View of RFC 2822 decoded headers and raw message

Resubmission of message to pickup directory

Deletion of messages

Forwarding of message as attachment to third-party address

Page 33: Optimer Sikkerheden Exchange Server 2003

Session Summary

Deploy Exchange Server 2003 and Microsoft Office Outlook 2003 to take advantage of the latest security enhancements

Implement the appropriate base and incremental security templates to fully secure Exchange Server

Install Exchange-aware antivirus applications and maintain security using the MBSA and ExBPA tools

Protect against unwanted e-mail by implementing a layered approach using features such as filtering and the Intelligent Message Filter utility

Page 34: Optimer Sikkerheden Exchange Server 2003

Next Steps

Find additional security training events:

http://www.microsoft.com/seminar/events/security.mspx

Sign up for security communications:

http://www.microsoft.com/technet/security/signup/default.mspx

Find additional e-learning clinics:

https://www.microsoftelearning.com/security

Get additional security information on Exchange Server 2003:

http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/default.mspx

Page 35: Optimer Sikkerheden Exchange Server 2003

Questions and Answers