Optimize the Security of Exchange Server 2003


Implementing Exchange Server Security.

Published in: Technology

  1. Implementing Exchange Server Security
     Henrik Damslund, Senior Technology Specialist, Microsoft
  2. Session Prerequisites
       • Hands-on experience with Microsoft Windows Server 2003
       • Working knowledge of Microsoft Exchange Server 2003
       • Working knowledge of Internet protocols including POP3, IMAP4, SMTP, HTTP, and NNTP
       • Working knowledge of networking, including TCP/IP, DNS, and IIS
       • Basic understanding of PKI concepts and technologies
     Level 300
  3. Session Overview
       • Implementing Exchange Server
       • Securing Exchange Server Services and Messaging Protocols
       • Maintaining Security on Exchange Server
       • Configuring Exchange to Protect Against Unwanted E-Mail
  4. Implementing Exchange Server
       • Implementing Exchange Server
           • An overview of Exchange Server 2003 security.
           • Exchange Server deployment scenarios.
           • Exchange Server client scenarios.
           • Configuration and security update recommendations for Exchange Server.
           • Implementing a defense-in-depth approach to Exchange Server security.
       • Securing Exchange Server Services and Messaging Protocols
       • Maintaining Security on Exchange Server
       • Configuring Exchange to Protect Against Unwanted E-Mail
  5. Exchange Server 2003 Security Overview
     Secure by design:
       • Secure by default
       • Support for Sender, Recipient and Connection filtering, including Block List services
     Secure by default:
       • User logon on server disabled
       • Messaging limits configuration of 10MB
     Microsoft Exchange Server 2003 Security Enhancements: http://www.microsoft.com/exchange/evaluation/security_E2k3.mspx
  6. Exchange Server Deployment Scenarios
     [Diagram: three deployment scenarios (General deployment, FE/BE deployment, ISA Server integrated). Components shown: Internet, Exchange server, front-end Exchange server, back-end Exchange servers, ISA server.]
  7. Exchange Server Client Scenarios
     Exchange Server 2003 client scenarios include the following:
       • General client access:
           • Microsoft Outlook
       • Mobile client access:
           • Outlook Web Access
           • Outlook Mobile Access
           • Exchange Server ActiveSync
  8. Configuration and Security Update Recommendations for Exchange Server
     Configuration by component:
       • Operating system and software:
           • Microsoft Windows Server 2003 with the latest security updates
           • Exchange Server 2003 with Service Pack 1 (or higher)
           • Microsoft Exchange Intelligent Message Filter
       • Browser:
           • Internet Explorer 6 with the latest security updates
       • Security update management:
           • Microsoft Baseline Security Analyzer
  9. Implementing a Defense-in-Depth Approach to Exchange Server Security
     Using a layered approach:
       • Increases an attacker’s risk of detection
       • Reduces an attacker’s chance of success
     Layers:
       • Policies, procedures, and awareness: security policies, procedures, and education
       • Physical security: guards, locks, tracking devices
       • Application: application hardening
       • Host: OS hardening, authentication, security update management, antivirus updates, auditing
       • Internal network: network segments, NIDS
       • Perimeter: firewalls, border routers, VPNs with quarantine procedures
       • Data: strong passwords, ACLs, backup and restore strategy
  10. Securing Exchange Server Services and Messaging Protocols
       • Implementing Exchange Server
       • Securing Exchange Server Services and Messaging Protocols
           • The challenges of securing Exchange Server 2003.
           • Hardening the messaging environment.
           • Hardening back-end Exchange servers.
           • Hardening front-end Exchange servers.
           • SMTP relaying.
           • Securing SMTP communication between mail servers.
           • Additional best practices for securing Exchange servers.
       • Maintaining Security on Exchange Server
       • Configuring Exchange to Protect Against Unwanted E-Mail
  11. Securing Exchange Servers: What Are the Challenges?
     Challenges to securing an Exchange server include:
       • Maintaining the security of the underlying Windows infrastructure
       • Maintaining baseline security hardening practices
       • Understanding security options for various deployment scenarios
  12. Hardening the Messaging Environment
     To harden your Exchange messaging environment, deploy the following configuration for each environment:
       • Server environment:
           • Domain, Domain Controller, and Member Server Baseline Policy templates
           • Windows Server 2003 Security Guide at http://go.microsoft.com/fwlink/?LinkId=21638
       • Messaging environment:
           • Exchange Domain Controller Baseline Policy template
           • Exchange Server 2003 Security Hardening Guide at http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exsecure.mspx
  13. Hardening Back-End Exchange Servers
     Apply the Exchange 2003 Backend.inf security template to your back-end servers.
     Tasks for hardening back-end Exchange servers include:
       • Hardening services
       • Hardening file access control lists (ACLs)
       • Changing privilege rights
       • Enabling additional services (optional)
  14. Hardening Front-End Exchange Servers
     Apply the Exchange 2003 Frontend.inf security template to your front-end servers.
     Tasks for hardening front-end Exchange servers include:
       • Hardening services
       • Hardening file access control lists (ACLs)
       • Enabling additional services (optional)
       • Running URLScan (optional but recommended)
       • Dismounting the mailbox store and deleting the public folder store (optional but recommended)
  15. Understanding SMTP Relaying
     SMTP relaying: when an SMTP server accepts mail from one DNS domain addressed to mailboxes in another domain, neither one of which the server owns.
     Relaying may be necessary when:
       • Accepting mail for another organization
       • Supporting clients that use POP3 or IMAP4
       • Supporting applications that generate SMTP mail
     Prevent open relays by:
       • Allowing only authenticated computers to relay
       • Restricting relaying to specific computers or users
       • Using an SMTP connector to relay mail to particular domains
  16. Securing SMTP Communication Between Mail Servers
     To secure SMTP communication between servers:
       1. Install and configure an X.509 certificate on the SMTP server
       2. Enable and configure TLS encryption for inbound mail
       3. Enable and configure TLS encryption for outbound mail to specific domains
  17. Securing Exchange Servers: Best Practices
       • Limit Exchange Server functionality to clients that are strictly required
       • Remain current with the latest updates for both Exchange Server 2003 and the operating system
       • Use SSL/TLS and forms-based authentication for Outlook Web Access
       • Use ISA Server 2004 to regulate access for HTTP, RPC over HTTPS, POP3, and IMAP4 traffic
  18. Maintaining Security on Exchange Server
       • Implementing Exchange Server
       • Securing Exchange Server Services and Messaging Protocols
       • Maintaining Security on Exchange Server
           • The challenges of maintaining security on Exchange Server.
           • How to use the Microsoft Baseline Security Analyzer (MBSA) to scan Exchange Server 2003 for security issues.
           • How to validate Exchange configurations using the Microsoft Exchange Server Best Practices Analyzer Tool.
           • Implementing antivirus protection within an Exchange Server 2003 environment.
       • Configuring Exchange to Protect Against Unwanted E-Mail
  19. Maintaining Security on Exchange Server: What Are the Challenges?
     Challenges to maintaining security on an Exchange server include:
       • Keeping up with the latest security updates
       • Keeping up with recommended best practices
       • Understanding the impact of configuring the various options within Exchange Server
       • Maintaining documentation on configuration and security settings
  20. Analyzing Exchange Server 2003 Using MBSA
     MBSA checks for issues related to the following:
       • Known Windows and Internet Explorer security issues
       • Missing security updates
       • Weak account passwords
       • Internet Information Services (IIS) security issues
       • Exchange Server security issues
       • SQL Server security issues
  21. Validating Exchange Server Configuration Settings
     ExBPA can examine your Exchange servers to:
       • Generate a list of issues, such as misconfigurations or unsupported or non-recommended options
       • Judge the general health of a system
       • Help troubleshoot specific problems
  22. Demonstration: Analyzing Configuration Settings on Exchange Server 2003
       • Analyze Exchange Server using the ExBPA Tool
  23. Implementing Antivirus Protection on Exchange Server
     Consider the following when designing and implementing an antivirus solution:
       • Design a defense-in-depth approach
       • Implement an antivirus scanner that supports AVAPI 2.5
       • Prevent file-based scanning on Exchange Server folders
  24. Configuring Exchange to Protect Against Unwanted E-Mail
       • Implementing Exchange Server
       • Securing Exchange Server Services and Messaging Protocols
       • Maintaining Security on Exchange Server
       • Configuring Exchange to Protect Against Unwanted E-Mail
           • The options in Exchange Server for limiting unwanted e-mail.
           • Configuring filtering by recipient address.
           • Configuring filtering by sender address or domain.
           • Implementing real-time block list support using connection filtering.
           • Exchange Server 2003 Intelligent Message Filter.
           • Deploying Intelligent Message Filter.
           • How Intelligent Message Filter works with Exchange Server and Outlook.
           • Managing IMF archived messages using the Archive Manager.
  25. What Are the Exchange Options for Limiting Unwanted E-Mail?
     Options to limit unwanted e-mail include:
       • Recipient filtering
       • Sender filtering
       • Connection filtering
       • Microsoft Exchange Intelligent Message Filter
  26. Configuring Filtering by Recipient Address
     Recipient filtering blocks mail to specified addresses within your domain and filters e-mail addressed to users who are not in your Active Directory.
  27. Configuring Filtering by Sender Address or Domain
     Sender filtering blocks mail from specified senders or domains.
  28. Implementing Real-Time Block List Support Using Connection Filtering
     Connection filtering is used to configure Exchange Server to contact a Real-Time Block List (RBL) provider.
  29. Overview of Exchange Intelligent Message Filter
     Exchange Intelligent Message Filter is an add-on product to help companies reduce the amount of unsolicited commercial e-mail received by users.
  30. Deploying the Intelligent Message Filter
     [Diagram labels: Internet, Firewall, Exchange Gateway Servers, Intelligent Message Filter, Exchange Intranet Servers.]
     Intelligent Message Filter handles e-mail based upon two thresholds:
       • Gateway blocking configuration
       • Store junk e-mail configuration
  31. How the Intelligent Message Filter Works with Exchange and Outlook
     [Flow diagram labels: Internet; Exchange Server 2003 Gateway Server (Connection filtering, Recipient filtering, Sender filtering, Intelligent Message Filter (Gateway Threshold)); Exchange Server 2003 Back-end (Store threshold); Safe sender, Blocked sender, Spam (Yes/No decisions); User mailbox (Inbox, Junk).]
  32. Managing IMF Archived Messages Using the Archive Manager
       • Archive Manager C# tool released with source on GotDotNet
           • http://workspaces.gotdotnet.com/imfarchive
       • Supports the following features:
           • Tree view of the Archive directory of messages
           • View of RFC2822 decoded headers and raw message
           • Resubmission of message to pickup directory
           • Deletion of messages
           • Forwarding of message as attachment to third-party address
  33. Session Summary
       • Deploy Exchange Server 2003 and Microsoft Office Outlook 2003 to take advantage of the latest security enhancements
       • Implement the appropriate base and incremental security templates to fully secure Exchange Server
       • Install Exchange-aware antivirus applications and maintain security using the MBSA and ExBPA tools
       • Protect against unwanted e-mail by implementing a layered approach using features such as filtering and the Intelligent Message Filter utility
  34. Next Steps
       • Find additional security training events:
           • http://www.microsoft.com/seminar/events/security.mspx
       • Sign up for security communications:
           • http://www.microsoft.com/technet/security/signup/default.mspx
       • Find additional e-learning clinics:
           • https://www.microsoftelearning.com/security
       • Get additional security information on Exchange Server 2003:
           • http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/default.mspx
  35. Questions and Answers
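
The relay rules from the "Understanding SMTP Relaying" slide, modelled as a per-recipient decision; this is an added example, not part of the original deck and not Exchange code. The class, the domain names and the IP ranges are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class RelayPolicy:
    """Relay rules for one SMTP server (hypothetical model, constructed values)."""
    local_domains: set       # domains this server owns and delivers for
    connector_domains: set   # other domains relayed through an SMTP connector
    trusted_networks: list   # specific computers allowed to relay unauthenticated

    def decide(self, client_ip, authenticated, rcpt_to):
        """Return (accepted, reason) for one RCPT TO command.

        MAIL FROM is deliberately not consulted: the client supplies it,
        so it proves nothing about who is connecting.
        """
        local, sep, domain = rcpt_to.rpartition("@")
        domain = domain.lower().rstrip(".")
        if not sep or not local or not domain:
            return (False, "malformed recipient")
        if domain in self.local_domains:
            return (True, "local delivery")          # not a relay request
        # From here on the recipient domain is not ours: this is relaying.
        if authenticated:
            return (True, "relay: authenticated")
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.trusted_networks):
            return (True, "relay: trusted computer")
        if domain in self.connector_domains:
            return (True, "relay: connector domain")
        return (False, "relay denied")

# Constructed policy and sessions (documentation IP ranges, .example names).
POLICY = RelayPolicy(
    local_domains={"corp.example"},
    connector_domains={"partner.example"},
    trusted_networks=[ipaddress.ip_network("10.0.5.0/24")],
)
SESSIONS = [  # (client IP, authenticated?, RCPT TO)
    ("203.0.113.9", False, "alice@corp.example"),      # inbound mail for us
    ("203.0.113.9", False, "user@elsewhere.example"),  # unauthenticated relay
    ("198.51.100.7", True, "bob@elsewhere.example"),   # POP3/IMAP4 client
    ("10.0.5.20", False, "ops@elsewhere.example"),     # application server
    ("203.0.113.9", False, "sales@partner.example"),   # connector domain
]

def audit(policy, sessions):
    """Evaluate each constructed session against the policy."""
    return [policy.decide(*s) for s in sessions]

if __name__ == "__main__":
    for session, result in zip(SESSIONS, audit(POLICY, SESSIONS)):
        print(session, "->", result)
```

A server that answers "accepted" for the second session is an open relay; every accepted relay in this model maps to one of the three prevention measures on the slide.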