Module 10 Securing Microsoft® Exchange Server 2010
Module Overview
- Configuring Role Based Access Control
- Configuring Security for Server Roles in Exchange Server 2010
- Configuring Secure Internet Access
Lesson 1: Configuring Role Based Access Control
- What Is Role Based Access Control?
- What Are Management Role Groups?
- Built-In Management Role Groups
- Demonstration: Managing Permissions Using the Built-In Role Groups
- Process for Configuring Custom Role Groups
- Demonstration: Configuring Custom Role Groups
- What Are Management Role Assignment Policies?
- Working With Management Role Assignment Policies
- Managing Permissions on Edge Transport Servers
What Is Role Based Access Control?
RBAC is used to define all Exchange Server 2010 permissions. RBAC:
- Defines which ...
What Are Management Role Groups?
Management role groups assign administrator permissions in Exchange Server 2010. Componen...
Built-In Management Role Groups
Management role groups include:
- Organization Management
- View-Onl...
Demonstration: Managing Permissions Using the Built-In Role Groups
- In this demonstration, you will see how to: ...
Process for Configuring Custom Role Groups
4. Create the role group using the New-RoleGroup cmdlet
Identify the role group...
Demonstration: Configuring Custom Role Groups
In this demonstration, you will see how to create a custom role group
What Are Management Role Assignment Policies?
Management role assignment policies assign permissions to users to manage th...
Working with Management Role Assignment Policies
In most organizations, the default management role assignment policy will...
Managing Permissions on Edge Transport Servers
- RBAC requires an Active Directory site so you cannot use it to ass...
Lesson 2: Configuring Security for Server Roles in Exchange Server 2010
- Discussion: What Are the Exchange Server S...
Discussion: What Are the Exchange Server Security Risks?
- What security risks do you need to protect against when d...
Exchange Server Security Guidelines
Implement the following best practices security measures:
- Install all security...
Lesson 3: Configuring Secure Internet Access
- Secure Internet Access Components
- Deploying Exchang...
Secure Internet Access Components
Providing Internet access for Exchange Server may include:
- Enabling messaging cl...
Deploying Exchange Server 2010 for Internet Access
(Diagram: Client, Firewall, Firewall or Reverse Proxy, Hub Transport Server, Domain ...)
Securing Client Access Traffic from the Internet
To provide secure client access from the Internet:
- Create and con...
Securing SMTP Connections from the Internet
To secure the SMTP connections:
- Enable TLS/SSL for SMTP client connect...
What Is a Reverse Proxy?
A reverse proxy provides:
- Security: Internet client connections are terminated on the rev...
Demonstration: Configuring Threat Management Gateway for Outlook Web App
In this demonstration, you will see how to confi...
Lab: Securing Exchange Server 2010
- Exercise 1: Configuring Exchange Server Permissions
- Exercise ...
Lab Scenario
- A. Datum Corporation has deployed Exchange Server 2010. The company security officer has provided you...
Lab Review
- In the lab, you configured Exchange Server permissions by using a custom role group. How did you limit ...
Module Review and Takeaways
- Review Questions
- Common Issues and Troubleshooting Tips
- ...
  • Module 10: Securing Exchange Server 2010, Course 10135A. Presentation: 70 minutes. Lab: 60 minutes.
    After completing this module, students will be able to:
    - Configure role based access control (RBAC)
    - Configure security for server roles in Microsoft® Exchange Server 2010
    - Configure secure Internet access
    Required materials: To teach this module, you need the Microsoft Office PowerPoint® file 10135A_10.ppt. Important: We recommend that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not display correctly.
    Preparation tasks: To prepare for this module:
    - Read all of the materials for this module.
    - Practice performing the demonstrations and the lab exercises.
    - Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
    Note about the demonstrations: To prepare for the demonstrations, start the 10135A-VAN-DC1 virtual machine and log on to the server before starting the other virtual machines. To save time during the demonstrations, log on to the Exchange servers and open the Exchange Server management tools before starting the demonstrations. Additionally, connect to the Microsoft Outlook® Web App site on the Exchange servers, and then log on as Administrator. It can take more than a minute to open the management tools and Outlook Web App for the first time. Make sure that students are aware that the Companion CD has additional module information and resources.
  • If you have students with Exchange Server experience, highlight how RBAC differs from how permissions were assigned in previous versions. Exchange Server 2003 enables you to use Active Directory® directory service groups to assign permissions at the organization or administrative group level. In Exchange Server 2007, you could assign permissions at the organization or individual server level. In both cases, Exchange Server did not provide options for configuring granular permissions, and offered limited options for configuring permissions. In Exchange Server 2010, you can configure very precise permissions, right down to enabling access to specific cmdlets and attributes.
    Another difference between how you assigned permissions in Exchange Server 2003 and Exchange Server 2007, and how you assign them in Exchange Server 2010, is that in the previous Exchange Server versions, you assigned permissions by modifying the access control lists (ACLs) on Active Directory objects. In Exchange Server 2010, however, you configure which cmdlets users can run.
    Question: What requirements does your organization have for assigning Exchange Server permissions? Does your organization use a centralized or decentralized administration model? What special permissions will you need to configure?
    Answer: Answers will vary. In most organizations, a central team of Exchange Server administrators likely will maintain full control of the Exchange Server environment, while another team may need permissions to create mailboxes. Other organizations may have complicated administrative scenarios in which different groups need many different permission levels.
  • As you teach this content, explain that a management role is just a container that groups together the other RBAC components. The RBAC components define:
    - Which tasks an administrator can perform
    - Who is granted permission to perform the tasks
    - Where the user can perform the task
    Stress that you can define each of these components at a high level or at a specific level. A management role entry can allow or deny access to all Exchange Server cmdlets, to a specific Exchange Server cmdlet, or even to a particular parameter on a cmdlet. Management role groups provide an easy way to assign permissions in Exchange Server. By using the default groups, or creating custom groups with specific permissions, you can manage all permissions by just assigning mailboxes to role groups.
  • Similar to previous Exchange Server versions, Exchange Server 2010 contains a default set of groups that you can use to assign permissions in the Exchange Server organization. Mention that for most organizations, the default set of role groups provides all required flexibility. Only organizations with very specific permission-delegation requirements need to use custom management role groups and management roles. Avoid describing all of the built-in role groups in detail. Instead, highlight a few, and point out the table in the student notes that provides details about all the roles.
  • Stress that for most small- and medium-sized organizations that do not have complicated permission assignment scenarios, the easiest way to manage Exchange Server permissions is to add users or security groups to the built-in Exchange Server security groups in Active Directory Domain Services (AD DS) or Active Directory. These groups are automatically assigned the management role. Ask students which of the built-in role groups they will use in their organization. Answers will vary. Small- or medium-sized organizations, where one set of administrators is the only group that performs any recipient management or Exchange Server management tasks, may use only the Organization Management role group. Organizations with decentralized administrative processes are much more likely to use other management roles to delegate permissions.
    Preparation: Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-EX2 virtual machines are running. Log on to 10135A-VAN-DC1 and 10135A-VAN-EX1 as Administrator with a password of Pa$$w0rd. Log on to 10135A-VAN-EX2 as Conor using a password of Pa$$w0rd.
    Demonstration Steps:
    1. On VAN-EX1, open Active Directory Users and Computers.
    2. Expand Adatum.com, click Microsoft Exchange Security Groups, and then double-click Recipient Management.
    3. On the Members tab, click Add.
    4. In the Enter the object names to select field, type Conor, and then click OK twice.
    5. On VAN-EX2, ensure that you are logged on as Conor.
    6. Open the Exchange Management Console and the Exchange Management Shell.
    7. In the Exchange Management Console, expand Microsoft Exchange On-Premises, and then expand Organization Configuration. Point out that Conor has Read access to the Exchange Server organization configuration because the Recipient Management group has been granted implicit Read permission to the organization.
    8. Click Mailbox, and in the Results pane, verify that you do not have sufficient permissions to view the data.
    9. Expand Recipient Configuration, click Mailbox, and then double-click Axel Delgado.
    10. In the Axel Delgado Properties dialog box, click the Organization tab, verify that you can modify the user properties, and then click OK.
    11. Right-click Axel Delgado, and then click New Local Move Request.
    12. On the Introduction page, click Browse. In the Select Mailbox Database dialog box, click Mailbox Database 1, click OK, click Next two times, click New, and then click Finish. Note: If you get an error that no MRS servers are available, verify that the Microsoft Exchange Mailbox Replication service is running on both VAN-EX1 and VAN-EX2.
    13. In the Exchange Management Shell, type Get-ExchangeServer | FL, and then press ENTER. The user account has Read permission to the Exchange server information.
    14. At the PS prompt, type Set-User Axel -Title Manager, and then press ENTER. Verify that Conor has permission to modify the Active Directory account.
    15. Log off VAN-EX2.
  • Mention that this topic provides a process overview about creating new custom management roles. The following demonstration will provide more details about how to perform the steps. As you describe this process, consider using an example scenario in which users might want to use a custom role. For example:
    1. They may be configuring a role group that enables human resources (HR) administrators to configure the organization and personal settings for each user. You will need to create the appropriate group, and identify which users will be group members.
    2. Because this group will work with recipients, you will need to identify the management roles that relate to recipient management.
    3. In this scenario, you might not need to limit the scope for the role group. If they need to be able to manage recipients in the entire organization, do not limit the scope. If you want to limit which recipients the HR administrators can manage, you could limit the scope to specific recipients.
    4. Run the cmdlet to create the role group.
  • Discuss scenarios in which organizations might choose to create a new custom role group. The slide and notes below describe one possible scenario for choosing to create a custom role group. Encourage students to provide other suggestions, and then describe the components required to implement the custom role group.
    Preparation: Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-EX2 virtual machines are running. Log on to 10135A-VAN-DC1 and 10135A-VAN-EX1 as Administrator with a password of Pa$$w0rd. Do not log on to 10135A-VAN-EX2 at this point.
    Demonstration Steps:
    1. On VAN-EX1, open the Exchange Management Shell.
    2. At the PS prompt, type the following command, and then press ENTER:
       New-ManagementScope -Name MarketingMailboxes -RecipientRoot "adatum.com/Marketing" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
    3. Create a new management role group that uses the custom management scope by using the following command:
       New-RoleGroup -Name MarketingAdmins -Roles "Mail Recipients", "Mail Recipient Creation" -CustomRecipientWriteScope MarketingMailboxes
    4. In the Exchange Management Shell, type the following command, and then press ENTER:
       Add-RoleGroupMember -Identity MarketingAdmins -Member Andreas
    5. On VAN-EX1, open Active Directory Users and Computers.
    6. Click Microsoft Exchange Security Groups and verify that the MarketingAdmins group was created and that Andreas is a member of the group.
    7. On VAN-EX2, log on as Adatum\Andreas using a password of Pa$$w0rd.
    8. Open the Exchange Management Console.
    9. In the Exchange Management Console, expand Microsoft Exchange On-Premises, and then expand Recipient Configuration.
    10. Click Mailbox, and then double-click Axel Delgado.
    11. In the Axel Delgado Properties dialog box, click the Organization tab, modify one of the properties, and then click OK. Verify that the change is not saved.
    12. Double-click Manoj Syamala.
    13. In the Manoj Syamala Properties dialog box, click the Organization tab, modify one of the properties, and then click OK. Verify that the change is saved.
    14. Click New Mailbox. Create a new mailbox in the default Users container. Verify that the user cannot create mailboxes in the Users container.
    15. Click New Mailbox. Create a new mailbox in the Marketing OU. Verify that the user can create mailboxes in the Marketing OU.
    Question: Will you implement custom management roles in your organization? If so, how will you configure the management roles?
    Answer: Answers will vary. Most organizations probably do not need custom management roles. Large organizations that have complicated administrative processes may require several custom management roles.
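The process overview and the demonstration above create the scoped MarketingAdmins role group but only verify it through the console. The following Exchange Management Shell script is an added example, not part of the course notes: it builds the same scope and role group and then reports what the group actually grants, so the effect of the custom write scope can be checked before anyone logs on as a member. The names MarketingMailboxes, MarketingAdmins, Andreas and adatum.com/Marketing are taken from the demonstration; the Get-RoleGroupReport function is this example's own, and the script assumes it runs as a member of Organization Management.

```powershell
# Added example (not part of the course notes). Run in the Exchange Management Shell
# as an Organization Management member. Names come from the demonstration; the
# Get-RoleGroupReport function is this example's own addition.

# 1. Scope: only UserMailbox recipients under the Marketing OU are writable.
New-ManagementScope -Name "MarketingMailboxes" `
    -RecipientRoot "adatum.com/Marketing" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 2. Role group with the two recipient roles, its write scope bound to the custom scope,
#    and the first member added in the same call (-Members is an alternative to the
#    separate Add-RoleGroupMember step in the demonstration).
New-RoleGroup -Name "MarketingAdmins" `
    -Roles "Mail Recipients", "Mail Recipient Creation" `
    -CustomRecipientWriteScope "MarketingMailboxes" `
    -Members "Andreas"

# 3. Verification: which roles a group holds, where they may write, and who is a member.
function Get-RoleGroupReport {
    param([Parameter(Mandatory = $true)][string]$RoleGroup)

    # One assignment per role. With a custom scope, RecipientWriteScope reads
    # "CustomRecipientScope" and CustomRecipientWriteScope names the scope object.
    Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
        Select-Object Role, RecipientWriteScope, CustomRecipientWriteScope, ConfigWriteScope

    # The scope definition itself, so the OU root and the filter are visible in one place.
    Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
        Where-Object { $_.CustomRecipientWriteScope -ne $null } |
        Select-Object -ExpandProperty CustomRecipientWriteScope -Unique |
        ForEach-Object { Get-ManagementScope -Identity $_ } |
        Select-Object Name, RecipientRoot, RecipientFilter

    # Direct and nested members, resolved by the cmdlet.
    Get-RoleGroupMember -Identity $RoleGroup | Select-Object Name, RecipientType
}

Get-RoleGroupReport -RoleGroup "MarketingAdmins" | Format-List

# 4. Cmdlet-level check: which management roles contain New-Mailbox at all, and which
#    users end up able to run it once role group membership is expanded. This is the
#    least-privilege question to ask before handing a role group to another team.
Get-ManagementRoleEntry -Identity "*\New-Mailbox" | Select-Object Role, Name
Get-ManagementRoleAssignment -Role "Mail Recipient Creation" -GetEffectiveUsers |
    Select-Object RoleAssigneeName, EffectiveUserName, RecipientWriteScope |
    Format-Table -AutoSize
```

Running the report immediately after creating the group is the shell equivalent of steps 10 through 15 of the demonstration: Axel Delgado is outside the Marketing OU, so he does not match the scope's RecipientRoot and a write to his mailbox is refused, while Manoj Syamala inside the OU is writable. The -GetEffectiveUsers listing is the place to look when a built-in group such as Recipient Management has been used alongside a custom group and it is not obvious who can create mailboxes.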
  • Highlight the similarities between management role assignment policies and role groups. In both cases, management roles assign all the permissions, and each role contains a set of management role entries. The primary difference between management role assignment policies and role groups is that you use role assignment policies to configure permissions for the objects that users own. Because of this, you cannot configure a scope for management role assignment policies.
  • It can be difficult for students to understand which permissions Exchange Server assigns by default for the organization. To show this, run the Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" cmdlet. This cmdlet lists all the management roles that Exchange Server assigns to the default role assignment policy. To view the details of each management role, use the Get-ManagementRole <RoleName> | FL cmdlet. For example, run the Get-ManagementRole MyBaseOptions | FL cmdlet, and describe the role entries assigned to this management role.
    Question: How will you configure role assignment policies in your organization?
    Answer: Answers will vary, but for most organizations, the default configuration should suffice. Organizations normally change the default configuration only when there is a specific requirement to change how users interact with their mailboxes.
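The two cmdlets named in the note show the roles on the default policy and the detail of one role. The script below is an added example, not part of the course notes: it walks every role on a policy down to the cmdlet-and-parameter level, which is what an auditor needs to answer "what can an end user change on their own account", and then shows the change the note says organizations rarely need, a second, narrower policy assigned to selected mailboxes rather than an edit of the default. The function name Get-AssignmentPolicyReport, the policy name "Kiosk Users" and the mailbox "Axel" are this example's own; the cmdlets and the My* role names are Exchange Server 2010's, and the script assumes Organization Management rights in the Exchange Management Shell.

```powershell
# Added example (not part of the course notes). Assumes the Exchange Management Shell
# with Organization Management rights. "Kiosk Users" and "Axel" are placeholders.

function Get-AssignmentPolicyReport {
    param([string]$Policy = "Default Role Assignment Policy")

    # The policy is the role assignee; each assignment names one end-user role (MyBaseOptions,
    # MyProfileInformation, and so on).
    $roles = Get-ManagementRoleAssignment -RoleAssignee $Policy |
        Select-Object -ExpandProperty Role

    foreach ($role in $roles) {
        # A role entry is one cmdlet plus the parameters that the role exposes on it.
        # "$role\*" lists every entry of the role; Parameters is a multi-valued property.
        Get-ManagementRoleEntry -Identity "$role\*" |
            Select-Object @{ n = "Role"; e = { "$role" } },
                          Name,
                          @{ n = "Parameters"; e = { $_.Parameters -join "," } }
    }
}

# Default policy at cmdlet level. The Set-User entries, for instance, reveal which personal
# attributes users may edit themselves through Outlook Web App options.
Get-AssignmentPolicyReport | Sort-Object Role, Name | Format-Table -AutoSize

# Tightening for a subset of users: a second policy carrying only the roles listed, assigned
# per mailbox. The default policy, and every mailbox still on it, is left unchanged.
New-RoleAssignmentPolicy -Name "Kiosk Users" -Roles "MyBaseOptions", "MyProfileInformation"
Set-Mailbox -Identity "Axel" -RoleAssignmentPolicy "Kiosk Users"

# Confirm the new policy grants what was intended, then count mailboxes per policy so a
# drift from the default is visible at a glance.
Get-AssignmentPolicyReport -Policy "Kiosk Users" | Sort-Object Role, Name | Format-Table -AutoSize
Get-Mailbox -ResultSize Unlimited |
    Group-Object RoleAssignmentPolicy |
    Select-Object Name, Count
```

Comparing the two reports side by side makes the note's point concrete: the roles in a policy are the same kind of object as the roles in a role group, the difference being that the entries in the My* roles act on the caller's own mailbox, which is why no scope can be attached.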
  • Emphasize that RBAC requires AD DS or Active Directory because it is based on assigning access to specific Active Directory objects. This means that you cannot use RBAC to configure permissions on Edge Transport servers. Mention that, by default, administrators have full control of all Edge Transport server settings, and the only tasks they can delegate are backup and recovery, and viewing message queues on the server. To enable users to perform administrative tasks on the Edge Transport server, simply add them to the appropriate local group.
  • Question: What security risks do you need to protect against when deploying Exchange Server?
    Answer: Answers will vary, but students should mention threats such as:
    - Malicious e-mail, such as viruses and phishing e-mails
    - SMTP-based attacks on Simple Mail Transfer Protocol (SMTP) servers that your organization exposes to the Internet
    - Web-based attacks on Client Access servers
    - Compromised user credentials, either when user credentials are submitted in clear text or are captured on an unsecure kiosk
    - Compromised data, such as when mobile devices are lost or stolen, or when users access attachments through Outlook Web App from unsecure client computers
    Question: What risks are the most serious?
    Answer: The most serious threat to most Exchange Server organizations relates to malicious e-mails. Although most organizations now use excellent anti-virus and antiphishing applications, new types of malicious software still pose a serious threat. Additionally, when users access e-mail from unsecure mobile clients or public computers, such as kiosks, this poses an additional, more serious threat in most organizations.
  • This topic describes the general security practices that students should implement on their Exchange servers and in their Exchange environments. Stress that these are best practices for all types of servers, not just Exchange servers. Ask students if they have other guidelines to add to the list. What processes do they use in their organizations to secure servers, including Exchange servers? Mention that Exchange Server 2010 setup now applies the Windows Firewall rules that each Exchange server role requires.
  • Discuss the option of using a virtual private network (VPN) to provide access to Exchange servers for external clients. Many organizations use this as an option, rather than providing direct access to the Client Access servers. A VPN can have several advantages, such as enabling multifactor authentication and access to internal network resources other than Exchange servers. However, in most cases, a VPN is more complicated to configure than other access methods, and it requires additional configuration on each client computer.
    Question: What type of access are you enabling from the Internet to your organization's Exchange servers?
    Answer: Answers will vary. Many organizations require access to the Client Access servers using a variety of messaging clients such as Microsoft Office Outlook Anywhere, Outlook Web App, or Exchange ActiveSync®. Fewer organizations are enabling Internet Message Access Protocol 4 (IMAP4) or Post Office Protocol 3 (POP3) access to the Exchange servers, so fewer organizations need to provide SMTP relay services for these clients.
  • Spend time describing the firewall and server deployment as shown in the diagram. Students should understand that you must deploy all Exchange server roles, except for the Edge Transport server role, on the internal network, not the perimeter network. Students should be familiar with the port numbers, so you can probably review the default ports quickly.
  • Stress that the most critical component in configuring secure client access from the Internet is to configure server certificates on the Client Access server, and to require the TLS/SSL authentication protocols for all connections to the server. If you do not implement certificates and the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol, user credentials may be sent across the Internet in clear text.
    One of the key goals of Internet security is to reduce the server attack surface by enabling only required services. If your organization only requires Outlook Web App from the Internet, then disable all other options.
    Module 3 detailed the authentication options for client access connections. When you discuss these options, the most important point is that Exchange administrators should choose the most secure option available for each client access protocol.
    Enforcing remote client security may restrict which types of clients you can use to connect to the Client Access server. For example, you cannot enforce security settings on public kiosks, so you may want to block users from using Outlook Web App, and instead force them to use Outlook Anywhere, which you can install on a domain-managed computer.
  • Stress the importance of using TLS/SSL for all client connections. Students may not be familiar with the client receive connector that is enabled on each Hub Transport server. This connector uses TCP port 587 rather than TCP port 25, and it enables POP3 and IMAP4 clients to send e-mail through an e-mail server. RFC 2476 describes using this port to enable message submission from e-mail clients. Consider showing the configuration of the client receive connector.
    Also, consider demonstrating how to check whether an SMTP server is configured to allow open relay. To do this, open the command prompt on a server with the Telnet client installed, and then type the following commands:
    Ehlo IS
    Mail from: Test@domain.com (where the domain name is not the internal SMTP domain name on the SMTP server)
    Rcpt to: Test@domain.com (where the domain name is not the internal SMTP domain name on the SMTP server)
    If you receive an OK response, the server is enabled for open relay. If you receive a relay-denied response, the server is configured correctly.
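The two notes above (certificates and TLS/SSL on the Client Access server, and the client receive connector and open-relay check on the Hub Transport server) describe settings to inspect, and the relay test is done by hand over Telnet. The script below is an added example, not part of the course notes: it reads the same Internet-facing settings from the configuration side in one pass. It reports which certificates are bound to Exchange services and when they expire, whether POP3 and IMAP4 accept a logon outside TLS/SSL, which authentication methods each Outlook Web App virtual directory offers, the bindings and TLS settings of every receive connector (which is where the port 587 client connector shows up), and any receive connector on which ANONYMOUS LOGON holds the ms-Exch-SMTP-Accept-Any-Recipient extended right, the permission that turns a connector into an anonymous relay. The four function names are this example's own; the cmdlets and property names are Exchange Server 2010's, and the script assumes the Exchange Management Shell on a server holding the Client Access role (Get-PopSettings and Get-ImapSettings default to the local server).

```powershell
# Added example (not part of the course notes). Assumes the Exchange Management Shell on a
# Client Access server; function names are this example's own, cmdlets are Exchange 2010's.

# 1. Certificates in use: services bound, names covered, expiry, self-signed or not.
#    A self-signed certificate on a CAS reached from the Internet produces client warnings,
#    and a name not in CertificateDomains produces a name-mismatch error.
function Get-CertificateReport {
    Get-ExchangeCertificate |
        Where-Object { $_.Services -ne "None" } |
        Select-Object Thumbprint, Services, Subject,
            @{ n = "Domains"; e = { $_.CertificateDomains -join "," } },
            NotAfter, Status, IsSelfSigned
}

# 2. POP3/IMAP4 logon policy. LoginType "SecureLogin" accepts credentials only inside
#    TLS/SSL; "PlainTextLogin" lets a client send a password in clear text on 110/143.
function Get-ClearTextLoginRisk {
    $pop  = Get-PopSettings  | Select-Object @{ n = "Protocol"; e = { "POP3" } },
                Server, LoginType, UnencryptedOrTLSBindings, SSLBindings
    $imap = Get-ImapSettings | Select-Object @{ n = "Protocol"; e = { "IMAP4" } },
                Server, LoginType, UnencryptedOrTLSBindings, SSLBindings
    $pop, $imap | Select-Object *,
        @{ n = "ClearTextAllowed"; e = { $_.LoginType -eq "PlainTextLogin" } }
}

# 3. Outlook Web App authentication methods per virtual directory (forms-based is the
#    usual choice behind a reverse proxy that pre-authenticates; Basic must sit inside SSL).
function Get-OwaAuthReport {
    Get-OwaVirtualDirectory |
        Select-Object Server, Name, ExternalUrl, FormsAuthentication,
            BasicAuthentication, WindowsAuthentication, DigestAuthentication
}

# 4. Receive connectors: bindings, TLS and permission groups, then the anonymous-relay check.
#    The "Client <server>" connector bound to port 587 is the submission connector the note
#    describes; RequireTLS on it means POP3/IMAP4 clients cannot submit over clear text.
function Get-ReceiveConnectorReport {
    Get-ReceiveConnector |
        Select-Object Identity,
            @{ n = "Bindings"; e = { $_.Bindings -join "," } },
            AuthMechanism, RequireTLS, PermissionGroups
}

function Get-AnonymousRelayConnectors {
    # ms-Exch-SMTP-Accept-Any-Recipient granted to ANONYMOUS LOGON is the configuration
    # behind an "OK" to the RCPT TO in the Telnet test; an empty result is the expected state.
    Get-ReceiveConnector |
        Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object { $_.ExtendedRights -like "*ms-Exch-SMTP-Accept-Any-Recipient*" } |
        Select-Object Identity, User, ExtendedRights
}

Get-CertificateReport        | Format-List
Get-ClearTextLoginRisk       | Format-Table -AutoSize
Get-OwaAuthReport            | Format-Table -AutoSize
Get-ReceiveConnectorReport   | Format-Table -AutoSize
Get-AnonymousRelayConnectors | Format-Table -AutoSize
```

The last report is worth running on Edge Transport servers as well, since RBAC does not apply there and a relay permission added "temporarily" for POP3 or IMAP4 clients is exactly the situation the module's review questions describe; the fix in that case is to remove the anonymous permission and give those clients the authenticated, TLS-protected port 587 connector on a Hub Transport server instead.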
  • If students are not familiar with a reverse proxy, consider drawing a diagram on the white board that shows the location of a reverse proxy. Then show how the reverse proxy acts as the termination point for all client connections, both unsecure and secure. Show how you can decrypt SSL connections on the reverse proxy, and how you can re-encrypt them before forwarding them to the Client Access server. Mention that reverse proxies only work with Web-based protocols, such as HTTP. You can configure a reverse proxy to forward SMTP, POP3, or IMAP4 connections, but the reverse proxy does not intercept or scan the client connections for these protocols.
  • Mention that the Microsoft Forefront™ Threat Management Gateway (TMG) is Microsoft's replacement for Internet Security and Acceleration Server. This server is one example of a reverse proxy, and it functions the same way as all reverse proxies.
    Preparation: Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-TMG virtual machines are running. Log on to all virtual machines as Administrator with a password of Pa$$w0rd.
    Demonstration Steps:
    1. On VAN-TMG, click Start, point to All Programs, click Microsoft Forefront TMG, and then click Forefront TMG Management.
    2. Expand Forefront TMG, and then click Firewall Policy.
    3. On the Firewall Policy Tasks pane, on the Tasks tab, click Publish Exchange Web Client Access.
    4. On the Welcome to the New Exchange Publishing Rule Wizard page, type OWA Access Rule, and then click Next.
    5. On the Select Services page, in the Exchange version list, click Exchange Server 2010, select the Outlook Web Access check box, and then click Next.
    6. On the Publishing Type page, click Next.
    7. On the Server Connection Security page, ensure that Use SSL to connect the published Web server or server farm is configured, and then click Next. When you configure this option, the TMG server re-encrypts all network traffic sent to the Client Access server.
    8. On the Internal Publishing Details page, in the Internal site name text box, type VAN-EX1.Adatum.com, and then click Next.
    9. On the Public Name Details page, ensure that This domain name (type below) is configured in the Accept requests for drop-down list. In the Public name box, type mail.Adatum.com, and then click Next.
    10. On the Select Web Listener page, in the Web Listener drop-down list, click New. Web listeners are configuration objects on the TMG server that define how the server accepts client connections.
    11. On the Welcome to the New Web Listener Wizard page, type HTTP Listener, and then click Next.
    12. On the Client Connection Security page, click Do not require SSL secure connections from clients, and then click Next. Important: In a production environment, you always should use the option to Require SSL secured connections with clients. In this demonstration, the server is not configured with a server certificate, so HTTPS connections are not possible.
    13. On the Web Listener IP Addresses page, select the External check box, and then click Next.
    14. On the Authentication Settings page, accept the default of HTML Form Authentication, and then click Next.
    15. On the Single Sign On Settings page, type Adatum.com as the SSO domain name, click Next, and then click Finish. Click OK.
    16. Click Edit, and then on the Authentication tab, click Advanced.
    17. Select the Allow client authentication over HTTP check box, and then click OK three times.
    18. On the Select Web Listener page, click Next.
    19. On the Authentication Delegation page, accept the default of Basic authentication, and then click Next.
    20. On the User Sets page, accept the default, and then click Next.
    21. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.
    22. Click Apply twice to apply the changes, and then click OK once the changes are applied.
    Question: Has your company deployed a reverse proxy? If so, what kind? How does your reverse proxy compare to the TMG?
    Answer: Answers will vary. Many companies have deployed Internet Security and Acceleration (ISA) Server 2006, and are using it to secure messaging client connections. Other companies have deployed hardware-based reverse proxies. Most of the reverse proxies provide the same functionality, but the process for configuring the settings may be very different.
  • In this lab, students will configure Exchange Server permissions, and then configure a reverse proxy for Exchange Server access.
    Exercise 1
    Inputs: Students will be provided with instructions for configuring Exchange Server permissions. The instructions will require that students use both the Exchange security groups and RBAC.
    Outputs: Students will configure Exchange Server organization security using both built-in management roles and custom management roles.
    Exercise 2
    Inputs: Students will be provided with a set of instructions for configuring a proxy server to provide secure access to the Client Access server and Hub Transport server.
    Outputs: Students will configure security for the Client Access server and Hub Transport server roles by configuring a reverse proxy.
    Before the students begin the lab, read the scenario associated with each exercise to the class. This will reinforce the broad issue that the students are troubleshooting, and will help to facilitate the lab discussion at the module's end. Remind the students to complete the discussion questions after the last lab exercise.
  • Use the questions on the slide to guide the debriefing after students complete the lab exercises.
    Question: In the lab, you configured Exchange Server permissions by using a custom role. How did you limit the types of tasks the delegated administrators could perform and on what objects they could perform the tasks?
    Answer: You limited the types of tasks the delegated administrators could perform by removing some of the management role entries assigned to the OrganizationAdministrators management role. You limited what objects the delegated administrators could manage by limiting the management role scope to only specific Exchange Server cmdlets.
    Question: How would the TMG configuration in the lab change if you were enabling access for an IMAP4 client?
    Answer: You would need to configure a server publishing rule to publish the IMAP4 protocol on the Client Access server. You also need to configure a server-publishing rule to publish an SMTP server on a Hub Transport server.
  • Review Questions Question: You need to enable members of the Human Resources department to configure user mailboxes for the entire organization. What should you do? Answer: In most cases, you can accomplish this by just adding the members of the Human Resources department to the Recipient Management role group in AD DS or Active Directory. If the Recipient Management role group has more permissions than necessary, you may need to create a custom role group. Question: Users in your organization are using POP3 clients from the Internet. These users report that they can receive e-mail, but not send, e-mail. What should you do? Answer: You will need to provide the users with a SMTP server that they can use to send e-mail. You should configure a Hub Transport server Receive Connector. Question: Your organization has deployed Forefront TMG. You need to ensure that remote users can access the Client Access server inside the organization by using cellular mobile clients. What should you do? Answer: You will need to configure an Exchange ActiveSync publishing rule in TMG that enables access to the required virtual directories on the Client Access server. Common Issues and Troubleshooting Tips Point the students to possible troubleshooting tips for the issues that this section presents. Real-World Issues and Scenarios Question: Your organization has configured an SMTP Receive connector on an Edge Transport server to enable IMAP4 users to relay messages. However, you discover that your Edge Transport server is being used to relay spam to other organizations. What should you do? Answer: When you configured the Edge Transport server to relay messages for IMAP4 users, you enabled anonymous relaying for all users. You will need to disable message relaying on the Edge Transport server, and enable authenticated relaying on a Hub Transport server. 
Question: You have added the ServerAdmins group in your organization to the Exchange Server 2010 Server Management role group in AD DS. All the members of the ServerAdmins group report that they receive errors when they start the Exchange Management Console. What should you do?
Answer: The role group membership is not the problem; the connection is. In Exchange Server 2010 the Exchange Management Console and the Exchange Management Shell both connect through remote Windows PowerShell™, so each administrator's user account must have remote Windows PowerShell enabled (the RemotePowerShellEnabled property, set with the Set-User cmdlet). Enable it for every member of the ServerAdmins group.
• Question: Your organization is planning to deploy Forefront TMG to enable access to a Client Access server from the Internet. The organization is concerned about the cost of acquiring multiple certificates to enable access, but also wants to ensure that users do not receive certificate-related errors. What should you do?
Answer: To ensure that users do not receive certificate errors, purchase a certificate from a public CA that client devices already trust. Request a certificate with multiple subject alternative names (SANs), or a wildcard certificate, so that one certificate covers all of the names that clients connect to (for example, the external host name and the Autodiscover name). Install it on the TMG server, which terminates the client SSL connections. You can then use the same certificate on the Client Access server, or, because only TMG connects to the Client Access server, use a certificate from a private CA there, provided that the TMG server trusts that CA.
Best Practices
Help the students understand the best practices that this section presents. Ask students to consider these best practices in the context of their own business situations.
1. Module 10: Securing Microsoft® Exchange Server 2010

2. Module Overview
• Configuring Role Based Access Control
• Configuring Security for Server Roles in Exchange Server 2010
• Configuring Secure Internet Access

3. Lesson 1: Configuring Role Based Access Control
• What Is Role Based Access Control?
• What Are Management Role Groups?
• Built-In Management Role Groups
• Demonstration: Managing Permissions Using the Built-In Role Groups
• Process for Configuring Custom Role Groups
• Demonstration: Configuring Custom Role Groups
• What Are Management Role Assignment Policies?
• Working With Management Role Assignment Policies
• Managing Permissions on Edge Transport Servers

4. What Is Role Based Access Control?
RBAC is used to define all Exchange Server 2010 permissions. RBAC:
• Defines which Exchange Management Shell cmdlets a user can run and which objects the user can modify
• Is applied by all Exchange Server management tools (the Exchange Management Console, the Exchange Management Shell, and the Exchange Control Panel)
RBAC options include:
• Using management role groups to assign administrative permissions
• Using management role assignment policies to assign the permissions that users can exercise on their own mailbox or distribution groups

5. What Are Management Role Groups?
Management role groups assign administrator permissions in Exchange Server 2010.
Component | Explanation
Role holder | Mailbox, universal security group, or other role group that has been added to a role group
Management role group | Universal security group used to assign Exchange Server permissions to its members
Management role | Container that groups management role entries
Management role entry | Defines which Exchange Server cmdlets (and which of their parameters) an administrator can run
Management role assignment | Links the management role group to a management role
Management role scope | Defines where the administrator can perform the tasks (which recipients, servers, or databases)

6. Built-In Management Role Groups
Management role groups include:
• Organization Management
• View-Only Organization Management
• Recipient Management
• Unified Messaging Management
• Discovery Management
• Records Management
• Server Management
• Help Desk
• Public Folder Management
• Delegated Setup

7. Demonstration: Managing Permissions Using the Built-In Role Groups
In this demonstration, you will see how to:
• Add role holders to a role group
• Verify the permissions assigned to the built-in role groups

8. Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

9. Process for Configuring Custom Role Groups
Step 1: Identify the role groups and the role group members
Step 2: Identify the management roles to assign to the group
Step 3: Identify the management scope
Step 4: Create the role group using the New-RoleGroup cmdlet
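The four steps above, together with the lab review point that role entries limit what a delegate can run while a scope limits where, as one Exchange Management Shell session. This is an added example, not part of the course materials or of Microsoft's documentation; the OU adatum.com/Vancouver, the users Luca and Andreas, and every object named "Vancouver ..." are hypothetical, and the script assumes it runs as a member of Organization Management. It also shows the fix for the review question about role holders who get errors when the Exchange Management Console starts.

```powershell
# Added example (not from the course materials): delegate mailbox
# administration for one OU with a custom role, a custom scope and a custom
# role group, then check that the delegates can actually connect.
# Hypothetical names: OU "adatum.com/Vancouver", users Luca and Andreas,
# and all "Vancouver ..." objects. Run in the Exchange Management Shell
# as a member of Organization Management.

$roleName  = "Vancouver Recipient Admins"
$scopeName = "Vancouver Recipients"
$groupName = "Vancouver Recipient Admins"

# Step 2: the management role. A custom role must derive from a built-in
# parent and starts with all of the parent's role entries (cmdlets).
New-ManagementRole -Name $roleName -Parent "Mail Recipients"

# Limit WHAT the delegates can do by removing role entries. Every Remove-*
# and Disable-* cmdlet inherited from the parent is taken away here, so the
# delegates can modify mailboxes but cannot delete or disable them.
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -like "Remove-*" -or $_.Name -like "Disable-*" } |
    Remove-ManagementRoleEntry -Confirm:$false

# Step 3: the management scope limits WHERE the cmdlets work. The recipient
# root pins writes to one OU; the restriction filter narrows it further.
New-ManagementScope -Name $scopeName `
    -RecipientRoot "adatum.com/Vancouver" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# Step 4: the role group ties role, scope and members (step 1) together.
New-RoleGroup -Name $groupName `
    -Roles $roleName `
    -CustomRecipientWriteScope $scopeName `
    -Members "Luca", "Andreas" `
    -Description "Mailbox administration for the Vancouver OU only"

# Verify the assignment RBAC created: role, write scope and assignee.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-List Name, Role, RecipientWriteScope, CustomRecipientWriteScope

# Verify the cmdlet set the delegates actually received.
Get-ManagementRoleEntry "$roleName\*" | Sort-Object Name | Format-Wide Name -Column 3

# The EMC and EMS in Exchange Server 2010 connect through remote Windows
# PowerShell, so a role holder whose account has it disabled gets errors as
# soon as the console starts. Enable it for any member who lacks it.
foreach ($member in Get-RoleGroupMember -Identity $groupName) {
    $user = Get-User -Identity $member.Identity
    if (-not $user.RemotePowerShellEnabled) {
        Set-User -Identity $user.Identity -RemotePowerShellEnabled $true
    }
}
```

The order matters: the role must exist before the scope and group reference it, and trimming role entries on the custom role leaves the built-in Mail Recipients role untouched for everyone else.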
10. Demonstration: Configuring Custom Role Groups
In this demonstration, you will see how to create a custom role group.

11. Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

12. What Are Management Role Assignment Policies?
Management role assignment policies assign permissions to users to manage their own mailboxes or distribution groups.
Component | Explanation
Mailbox | Each mailbox is assigned exactly one role assignment policy
Management role assignment policy | Object that associates management roles with mailboxes
Management role | Container that groups management role entries
Management role assignment | Associates a management role with a management role assignment policy
Management role entry | Defines which Exchange cmdlets the user can run against their own mailbox or groups

13. Working with Management Role Assignment Policies
In most organizations, the default management role assignment policy will meet all requirements. You can modify the default configuration by:
• Modifying the default management role assignment policy to add or remove management roles
• Defining a new default management role assignment policy
• Creating new management role assignment policies and explicitly assigning them to mailboxes
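The three options on the slide carried out in the Exchange Management Shell. This is an added example, not course material; the policy name "Restricted Self-Service" and the mailbox Luca are hypothetical, and the role names used are the end-user roles that ship with Exchange Server 2010.

```powershell
# Added example (not from the course materials): changing what users may do
# to their own mailbox. Hypothetical: policy "Restricted Self-Service" and
# mailbox "Luca". Run as a member of Organization Management.

$defaultPolicy = "Default Role Assignment Policy"

# A role assignment policy is a role assignee, so its assignments are
# listed the same way as a role group's. See what users get today.
Get-ManagementRoleAssignment -RoleAssignee $defaultPolicy |
    Format-Table Name, Role, Enabled -AutoSize

# Option 1: modify the default policy in place. Removing the assignment of
# MyDistributionGroups stops users from creating their own distribution
# groups while leaving the other self-service roles untouched.
Get-ManagementRoleAssignment -RoleAssignee $defaultPolicy |
    Where-Object { $_.Role.Name -eq "MyDistributionGroups" } |
    Remove-ManagementRoleAssignment -Confirm:$false

# Option 2: define a new, tighter policy and make it the default. Only
# mailboxes created from now on pick it up; existing ones keep theirs.
New-RoleAssignmentPolicy -Name "Restricted Self-Service" `
    -Roles MyBaseOptions, MyContactInformation, MyDistributionGroupMembership `
    -Description "Users may change personal options and contact details only"
Set-RoleAssignmentPolicy -Identity "Restricted Self-Service" -IsDefault

# Option 3: explicitly assign a policy to particular mailboxes ...
Set-Mailbox -Identity "Luca" -RoleAssignmentPolicy "Restricted Self-Service"

# ... or move every user mailbox that is still on the old default. The
# policy name is compared client-side on the retrieved objects.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.RoleAssignmentPolicy.Name -eq $defaultPolicy } |
    Set-Mailbox -RoleAssignmentPolicy "Restricted Self-Service"

# Verify: which policy a mailbox has, and which roles that policy grants.
(Get-Mailbox -Identity "Luca").RoleAssignmentPolicy
Get-RoleAssignmentPolicy -Identity "Restricted Self-Service" |
    Format-List Name, IsDefault, AssignedRoles
```

Removing an assignment from the default policy (option 1) takes effect for every mailbox that uses that policy immediately; the new default (option 2) does not touch existing mailboxes, which is why option 3 is needed to migrate them.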
14. Managing Permissions on Edge Transport Servers
• RBAC depends on Active Directory Domain Services, and Edge Transport servers are not domain members (they use AD LDS), so you cannot use RBAC to assign permissions on Edge Transport servers
• Use local groups to assign permissions
Administrative Task | Local Group
Backup and restore | Backup Operators
Configure Edge Transport server settings | Administrators
Configure edge subscriptions | Administrators
Connect using Remote Desktop | Administrators
View queues and messages | Users

15. Lesson 2: Configuring Security for Server Roles in Exchange Server 2010
• Discussion: What Are the Exchange Server Security Risks?
• Exchange Server Security Guidelines

16. Discussion: What Are the Exchange Server Security Risks?
• What security risks do you need to protect against when deploying Exchange Server?
• Which risks are the most serious?

17. Exchange Server Security Guidelines
Implement the following best-practice security measures:
• Install all security updates and software updates
• Run the Exchange Best Practices Analyzer regularly
• Run the Microsoft Baseline Security Analyzer
• Avoid running additional software on Exchange servers
• Install and maintain anti-virus software
• Enforce complex password policies

18. Lesson 3: Configuring Secure Internet Access
• Secure Internet Access Components
• Deploying Exchange Server 2010 for Internet Access
• Securing Client Access Traffic from the Internet
• Securing SMTP Connections from the Internet
• What Is a Reverse Proxy?
• Demonstration: Configuring the Threat Management Gateway for Outlook Web App

19. Secure Internet Access Components
Providing Internet access for Exchange Server may include:
• Enabling messaging clients to connect to the Client Access server
• Enabling IMAP4/POP3 clients to send SMTP e-mail
Enabling secure access to the Exchange servers may require:
• VPN
• Firewall configuration
• Reverse proxy configuration

20. Deploying Exchange Server 2010 for Internet Access
[Diagram: Client, Firewall, Firewall or Reverse Proxy, Client Access Server, Hub Transport Server, Mailbox Server, Edge Transport Server, Domain Controller]
Protocol | Unsecure Port | TLS/SSL Port
HTTP | 80 | 443
POP3 | 110 | 995
IMAP4 | 143 | 993
SMTP | 25 | 25
SMTP client submission | 587 | 587
SMTP uses the same port with and without TLS because TLS is negotiated on the existing connection with the STARTTLS command; POP3 and IMAP4 use a separate SSL port.

21. Securing Client Access Traffic from the Internet
To provide secure client access from the Internet:
• Create and configure a server certificate
• Require SSL for all virtual directories
• Enable only required client access methods
• Require secure authentication
• Enforce remote client security
• Require TLS/SSL for IMAP4 and POP3 access
• Implement an application layer firewall or reverse proxy
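The checklist on the slide as Exchange Management Shell commands run against a Client Access server, including the single SAN certificate that the review question about certificate cost asks for. This is an added example, not part of the course materials; the server name VAN-EX1, the names mail.adatum.com and autodiscover.adatum.com, the mailbox Luca, the policy name "Secure Mobile" and the paths under C:\Certs are hypothetical, and the step of submitting the request file to a CA happens outside the script.

```powershell
# Added example (not from the course materials): securing client access
# traffic on a Client Access server. Hypothetical: server VAN-EX1, names
# mail.adatum.com / autodiscover.adatum.com, mailbox "Luca", policy
# "Secure Mobile", files under C:\Certs.

$server = "VAN-EX1"
$names  = "mail.adatum.com", "autodiscover.adatum.com"

# 1. One certificate for every client protocol. Requesting it with a SAN
#    list lets a single public-CA certificate cover the external name and
#    Autodiscover without certificate warnings (a wildcard name works too).
$request = New-ExchangeCertificate -GenerateRequest `
    -Server $server `
    -SubjectName "c=CA, o=A. Datum, cn=mail.adatum.com" `
    -DomainName $names `
    -PrivateKeyExportable $true `
    -FriendlyName "A. Datum client access"
Set-Content -Path "C:\Certs\mail.adatum.com.req" -Value $request

#    ... submit the request to the CA, save the issued certificate, then
#    import it and bind it to IIS (OWA, EAS, EWS, OAB), POP3, IMAP4 and SMTP.
$cert = Import-ExchangeCertificate -Server $server `
    -FileData ([Byte[]]$(Get-Content -Path "C:\Certs\mail.adatum.com.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services "IIS,POP,IMAP,SMTP"

# 2. Require TLS/SSL for POP3 and IMAP4. SecureLogin rejects any logon that
#    is not inside an SSL/TLS session, so passwords never cross the Internet
#    in clear text. The certificate name must match one the clients expect.
Set-PopSettings  -Server $server -LoginType SecureLogin -X509CertificateName "mail.adatum.com"
Set-ImapSettings -Server $server -LoginType SecureLogin -X509CertificateName "mail.adatum.com"
Restart-Service MSExchangePOP3, MSExchangeIMAP4

# 3. Secure authentication for Outlook Web App: forms-based logon over SSL,
#    no Basic authentication on the virtual directory.
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -FormsAuthentication $true -BasicAuthentication $false

# 4. Enable only the client access methods each mailbox needs: POP3/IMAP4
#    off for everyone, then back on only for the users who need them.
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false
Set-CASMailbox -Identity "Luca" -ImapEnabled $true

# 5. Enforce remote client security on ActiveSync devices: a password, a
#    lock timeout, a wipe after repeated failures, device encryption, and
#    no devices that cannot enforce the policy.
New-ActiveSyncMailboxPolicy -Name "Secure Mobile" `
    -DevicePasswordEnabled $true -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -RequireDeviceEncryption $true -AllowNonProvisionableDevices $false
Set-CASMailbox -Identity "Luca" -ActiveSyncMailboxPolicy "Secure Mobile"

# Verify which certificate serves which protocol and that POP3/IMAP4 now
# demand TLS before a logon is accepted.
Get-ExchangeCertificate -Server $server | Format-Table Thumbprint, Services, CertificateDomains -AutoSize
Get-PopSettings  -Server $server | Format-List LoginType, X509CertificateName
Get-ImapSettings -Server $server | Format-List LoginType, X509CertificateName
```

Requiring SSL on the virtual directories themselves is an IIS setting rather than an Exchange cmdlet, so it is not shown here; everything else on the slide maps to the commands above.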
22. Securing SMTP Connections from the Internet
Secure SMTP connections from the Internet may be required for IMAP4 or POP3 clients, because those protocols only retrieve mail. To secure the SMTP connections:
• Enable TLS/SSL for SMTP client connections
• Use the Client Receive Connector (port 587)
• Ensure that anonymous relay is disabled
• Enable IMAP4 and POP3 selectively
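An audit for the open-relay problem described in the real-world scenario (an Edge Transport server relaying spam after relay was enabled for IMAP4 users), followed by the Client Receive connector configuration the slide calls for. This is an added example, not course material; the server name VAN-EX1, the connector identity "VAN-EX1\Client VAN-EX1" and the FQDN mail.adatum.com are hypothetical, and the FQDN is assumed to be on the certificate bound to SMTP.

```powershell
# Added example (not from the course materials): find and close anonymous
# relay on Receive connectors, then configure authenticated submission on
# port 587. Hypothetical: Hub Transport server VAN-EX1, connector
# "VAN-EX1\Client VAN-EX1", FQDN mail.adatum.com (assumed to be on the
# certificate enabled for SMTP). On an Edge Transport server, run the
# audit part locally against its own connectors.

# 1. Relay is the extended right ms-Exch-SMTP-Accept-Any-Recipient. Granted
#    to ANONYMOUS LOGON on a connector reachable from the Internet, it makes
#    the server an open relay regardless of what PermissionGroups shows.
$openRelay = Get-ReceiveConnector |
    Get-ADPermission |
    Where-Object {
        $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" -and
        $_.User -like "*ANONYMOUS LOGON*" -and
        -not $_.Deny
    }
$openRelay | Format-Table Identity, User, ExtendedRights -AutoSize

# 2. Close the hole wherever it was found.
$openRelay | Remove-ADPermission -Confirm:$false

# 3. Give IMAP4/POP3 clients an authenticated path instead: the Client
#    connector on the Hub Transport server. The connector requires TLS,
#    offers Basic authentication only after STARTTLS, and accepts
#    submissions only from authenticated Exchange users. The FQDN is what
#    the server presents in STARTTLS, so it must match the certificate.
$client = "VAN-EX1\Client VAN-EX1"
Set-ReceiveConnector -Identity $client `
    -Bindings "0.0.0.0:587" `
    -Fqdn "mail.adatum.com" `
    -AuthMechanism "Tls, BasicAuth, BasicAuthRequireTLS" `
    -PermissionGroups "ExchangeUsers" `
    -RequireTLS $true

# 4. Verify: the Client connector's settings, and that no connector still
#    grants relay to anonymous connections (the count should be zero).
Get-ReceiveConnector -Identity $client |
    Format-List Bindings, Fqdn, AuthMechanism, PermissionGroups, RequireTLS
Get-ReceiveConnector | Get-ADPermission |
    Where-Object {
        $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" -and
        $_.User -like "*ANONYMOUS LOGON*" -and -not $_.Deny
    } |
    Measure-Object | Select-Object -ExpandProperty Count
```

The ExchangeUsers permission group grants the relay right to authenticated users only, which is the behaviour the scenario needs: the IMAP4 users can still send through the organization, but an unauthenticated host on the Internet cannot.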
23. What Is a Reverse Proxy?
A reverse proxy provides:
• Security: Internet client connections are terminated on the reverse proxy, so internal servers never accept a connection directly from the Internet
• Application layer filtering: Inspect the contents of network traffic
• SSL bridging: The reverse proxy decrypts, inspects, and re-encrypts, so both the connection to the reverse proxy and the connection to the Client Access server are encrypted
• Load balancing: Arrays of reverse proxy servers can distribute network traffic for a single URL
• SSL offloading: SSL requests can be terminated on the reverse proxy, with the connection to the Client Access server sent unencrypted

24. Demonstration: Configuring Threat Management Gateway for Outlook Web App
In this demonstration, you will see how to configure an Outlook Web App publishing rule.

25. Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

26. Lab: Securing Exchange Server 2010
• Exercise 1: Configuring Exchange Server Permissions
• Exercise 2: Configuring a Reverse Proxy for Exchange Server Access
Logon information
Estimated time: 60 minutes
Virtual machines: 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2
User name: Administrator
Password: Pa$$w0rd

27. Lab Scenario
A. Datum Corporation has deployed Exchange Server 2010. The company security officer has provided you with a set of requirements to ensure that the Exchange Server deployment is as secure as possible. The specific concerns included in the requirements are:
• Exchange Server administrators should have minimal permissions, which means that whenever possible, you should delegate Exchange Server management permissions.
• Ensure that client connections to the Client Access servers are as secure as possible by deploying a TMG server.

28. Lab Review
• In the lab, you configured Exchange Server permissions by using a custom role group. How did you limit the types of tasks the delegated administrators could perform and on what objects they could perform the tasks?
• How would the TMG configuration in the lab change if you were enabling access for an IMAP4 client?

29. Module Review and Takeaways
• Review Questions
• Common Issues and Troubleshooting Tips
• Real-World Issues and Scenarios
• Best Practices

30. Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.