This document covers securing Microsoft Exchange Server 2010. It describes configuring role-based access control (RBAC) to define permissions for administrators and users, securing the individual server roles, and securing Internet access to the organization. Demonstrations cover configuring custom RBAC role groups and publishing Outlook Web App through Forefront Threat Management Gateway, and a lab exercise covers securing an Exchange deployment.
5. What Are Management Role Groups?
Management role groups assign administrator permissions in Exchange Server 2010.
Component: Explanation
Role holder: Mailbox that is assigned to a role group
Management role group: Universal security group used to grant Exchange Server permissions to its members
Management role: Container for management role entries (the cmdlets and parameters that make up the role)
Management role entry: Defines which Exchange Server cmdlets, and which of their parameters, an administrator can run
Management role assignment: Links the management role group to a management role
Management role scope: Defines where (which recipients, servers, or databases) the administrator can perform the tasks
9. Process for Configuring Custom Role Groups
1. Identify the role groups and the role group members
2. Identify the management roles to assign to the group
3. Identify the management scope
4. Create the role group using the New-RoleGroup cmdlet
12. What Are Management Role Assignment Policies?
Management role assignment policies assign permissions to users to manage their own mailboxes or distribution groups.
Component: Explanation
Mailbox: Each mailbox is assigned exactly one role assignment policy
Management role assignment policy: Object for associating management roles with mailboxes
Management role: Container for management role entries
Management role assignment: Associates management roles with management role assignment policies
Management role entry: Defines which Exchange cmdlets, and which of their parameters, the user can run against their own mailbox or groups
20. Deploying Exchange Server 2010 for Internet Access
[Diagram: Client; Internet-facing Firewall; Edge Transport Server (perimeter network); Firewall or Reverse Proxy; Client Access Server, Hub Transport Server, Mailbox Server, and Domain Controller (internal network)]
Protocol: Unsecure port / TLS/SSL port
HTTP: 80 / 443
POP3: 110 / 995
IMAP4: 143 / 993
SMTP: 25 / 25 (TLS is negotiated on the same port with STARTTLS)
SMTP client submission: 587 / 587 (TLS is negotiated on the same port with STARTTLS)
24. Demonstration: Configuring Threat Management Gateway for Outlook Web App
In this demonstration, you will see how to configure an Outlook Web App publishing rule on Forefront TMG.
Module 10: Securing Exchange Server 2010
Course 10135A
Presentation: 70 minutes
Lab: 60 minutes

After completing this module, students will be able to:
- Configure role-based access control (RBAC)
- Configure security for server roles in Microsoft® Exchange Server 2010
- Configure secure Internet access

Required materials
To teach this module, you need the Microsoft Office PowerPoint® file 10135A_10.ppt.
Important: We recommend that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not display correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Practice performing the demonstrations and the lab exercises.
- Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.

Note about the demonstrations: To prepare for the demonstrations, start the 10135A-VAN-DC1 virtual machine and log on to the server before starting the other virtual machines. To save time during the demonstrations, log on to the Exchange servers and open the Exchange Server management tools before starting the demonstrations. Additionally, connect to the Microsoft Outlook® Web App site on the Exchange servers, and then log on as Administrator. It can take more than a minute to open the management tools and Outlook Web App for the first time.
Make sure that students are aware that the Companion CD has additional module information and resources.
If you have students with Exchange Server experience, highlight how RBAC differs from how permissions were assigned in previous versions. Exchange Server 2003 lets you use Active Directory® directory service groups to assign permissions at the organization or administrative group level. In Exchange Server 2007, you could assign permissions at the organization or individual server level. In both cases, Exchange Server offered only a few coarse permission levels and no way to configure granular permissions. In Exchange Server 2010, you can configure very precise permissions, right down to enabling access to specific cmdlets and specific parameters of those cmdlets.

Another difference is the mechanism. In Exchange Server 2003 and Exchange Server 2007, you assigned permissions by modifying the access control lists (ACLs) on Active Directory objects. In Exchange Server 2010, you configure which cmdlets (and which parameters) users can run, and RBAC checks that before the cmdlet executes.

Question: What requirements does your organization have for assigning Exchange Server permissions? Does your organization use a centralized or decentralized administration model? What special permissions will you need to configure?
Answer: Answers will vary. In most organizations, a central team of Exchange Server administrators will likely maintain full control of the Exchange Server environment, while another team may need permissions to create mailboxes. Other organizations may have complicated administrative scenarios in which different groups need many different permission levels.
As you teach this content, explain that a management role is just a container for management role entries, and that the RBAC components together define:
- Which tasks an administrator can perform (the management role and its role entries)
- Who is granted permission to perform the tasks (the role group or role assignment policy)
- Where the user can perform the tasks (the management scope)

Stress that you can define each of these components at a high level or at a specific level. A management role entry can allow access to all Exchange Server cmdlets, to a specific Exchange Server cmdlet, or even to a particular parameter on a cmdlet. Management role groups provide an easy way to assign permissions in Exchange Server. By using the default groups, or creating custom groups with specific permissions, you can manage all permissions by just assigning mailboxes to role groups.
Similar to previous Exchange Server versions, Exchange Server 2010 contains a default set of groups that you can use to assign permissions in the Exchange Server organization. Mention that for most organizations, the default set of role groups provides all the flexibility required. Only organizations with very specific permission-delegation requirements need to use custom management role groups and management roles. Avoid describing all of the built-in role groups in detail. Instead, highlight a few, and point out the table in the student notes that provides details about all the roles.
Stress that for most small- and medium-sized organizations that do not have complicated permission assignment scenarios, the easiest way to manage Exchange Server permissions is to add users or security groups to the built-in Exchange Server security groups in Active Directory Domain Services (AD DS). These groups are automatically assigned the corresponding management roles. Ask students which of the built-in role groups they will use in their organization. Answers will vary. Small- or medium-sized organizations, where one set of administrators is the only group that performs any recipient management or Exchange Server management tasks, may use only the Organization Management role group. Organizations with decentralized administrative processes are much more likely to use other role groups to delegate permissions.

Preparation
Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-EX2 virtual machines are running. Log on to 10135A-VAN-DC1 and 10135A-VAN-EX1 as Administrator with a password of Pa$$w0rd. Log on to 10135A-VAN-EX2 as Conor with a password of Pa$$w0rd.

Demonstration steps
1. On VAN-EX1, open Active Directory Users and Computers.
2. Expand Adatum.com, click Microsoft Exchange Security Groups, and then double-click Recipient Management.
3. On the Members tab, click Add.
4. In the Enter the object names to select field, type Conor, and then click OK twice.
5. On VAN-EX2, ensure that you are logged on as Conor.
6. Open the Exchange Management Console and the Exchange Management Shell.
7. In the Exchange Management Console, expand Microsoft Exchange On-Premises, and then expand Organization Configuration. Point out that Conor has Read access to the Exchange Server organization configuration because the Recipient Management role group has been granted implicit Read permission to the organization.
8. Click Mailbox, and in the Results pane, verify that you do not have sufficient permissions to view the data.
9. Expand Recipient Configuration, click Mailbox, and then double-click Axel Delgado.
10. In the Axel Delgado Properties dialog box, click the Organization tab, verify that you can modify the user properties, and then click OK.
11. Right-click Axel Delgado, and then click New Local Move Request.
12. On the Introduction page, click Browse. In the Select Mailbox Database dialog box, click Mailbox Database 1, click OK, click Next two times, click New, and then click Finish. Note: If you get an error that no MRS servers are available, verify that the Microsoft Exchange Mailbox Replication service is running on both VAN-EX1 and VAN-EX2.
13. In the Exchange Management Shell, type Get-ExchangeServer | FL, and then press ENTER. The user account has Read permission to the Exchange server information.
14. At the PS prompt, type Set-User Axel -Title Manager, and then press ENTER. Verify that Conor has permission to modify the Active Directory account.
15. Log off VAN-EX2.
Mention that this topic provides a process overview for creating new custom role groups. The following demonstration will provide more details about how to perform the steps. As you describe this process, consider using an example scenario in which users might want a custom role group. For example:
1. They may be configuring a role group that enables human resources (HR) administrators to configure the organization and personal settings for each user. You will need to create the appropriate group, and identify which users will be group members.
2. Because this group will work with recipients, you will need to identify the management roles that relate to recipient management.
3. In this scenario, you might not need to limit the scope for the role group. If the HR administrators need to be able to manage recipients in the entire organization, do not limit the scope. If you want to limit which recipients the HR administrators can manage, limit the write scope to those recipients.
4. Run the cmdlet to create the role group.
Discuss scenarios in which organizations might choose to create a new custom role group. The slide and the notes below describe one possible scenario for choosing to create a custom role group. Encourage students to provide other suggestions, and then describe the components required to implement the custom role group.

Preparation
Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-EX2 virtual machines are running. Log on to 10135A-VAN-DC1 and 10135A-VAN-EX1 as Administrator with a password of Pa$$w0rd. Do not log on to 10135A-VAN-EX2 at this point.

Demonstration steps
1. On VAN-EX1, open the Exchange Management Shell.
2. At the PS prompt, create a custom management scope covering only user mailboxes in the Marketing OU by typing the following command, and then pressing ENTER:
New-ManagementScope -Name MarketingMailboxes -RecipientRoot "adatum.com/Marketing" -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }
3. Create a new management role group that uses the custom management scope as its recipient write scope:
New-RoleGroup -Name MarketingAdmins -Roles "Mail Recipients", "Mail Recipient Creation" -CustomRecipientWriteScope MarketingMailboxes
4. Add Andreas to the role group:
Add-RoleGroupMember -Identity MarketingAdmins -Member Andreas
5. On VAN-EX1, open Active Directory Users and Computers.
6. Click Microsoft Exchange Security Groups, and verify that the MarketingAdmins group was created and that Andreas is a member of the group.
7. On VAN-EX2, log on as Adatum\Andreas with a password of Pa$$w0rd.
8. Open the Exchange Management Console.
9. In the Exchange Management Console, expand Microsoft Exchange On-Premises, and then expand Recipient Configuration.
10. Click Mailbox, and then double-click Axel Delgado.
11. In the Axel Delgado Properties dialog box, click the Organization tab, modify one of the properties, and then click OK. Verify that the change is not saved (this mailbox is outside the MarketingMailboxes write scope).
12. Double-click Manoj Syamala.
13. In the Manoj Syamala Properties dialog box, click the Organization tab, modify one of the properties, and then click OK. Verify that the change is saved.
14. Click New Mailbox. Try to create a new mailbox in the default Users container. Verify that Andreas cannot create mailboxes in the Users container.
15. Click New Mailbox. Create a new mailbox in the Marketing OU. Verify that Andreas can create mailboxes in the Marketing OU.

Question: Will you implement custom management roles in your organization? If so, how will you configure the management roles?
Answer: Answers will vary. Most organizations probably do not need custom management roles. Large organizations that have complicated administrative processes may require several custom management roles.
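The demonstration above grants the MarketingAdmins group the full built-in Mail Recipients and Mail Recipient Creation roles, scoped to the Marketing OU. The script below is an added example, not part of the course, that goes one step further down the least-privilege path: it derives child roles from those built-in roles, strips the Remove-* and Disable-* cmdlets and the quota parameters of Set-Mailbox from the children, and then verifies what the group, and Andreas specifically, can actually run. It runs in the Exchange Management Shell as a member of Organization Management. The OU adatum.com/Marketing and the user Andreas come from the course lab; the role and group names are this example's own.

```powershell
# Added example (not course material): scoped, trimmed custom role group for Marketing admins.
# Assumes the OU adatum.com/Marketing and the user Andreas exist (course lab names).

# 1. Recipient write scope: user mailboxes under the Marketing OU only.
New-ManagementScope -Name "MarketingMailboxes" `
    -RecipientRoot "adatum.com/Marketing" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 2. Derived roles. A child role is created with every role entry of its parent;
#    removing entries from the child never changes the built-in parent.
$derived = @{ "Marketing Recipients"         = "Mail Recipients";
              "Marketing Recipient Creation" = "Mail Recipient Creation" }
foreach ($child in $derived.Keys) {
    New-ManagementRole -Name $child -Parent $derived[$child]
    # Strip every Remove-* and Disable-* cmdlet: this group gets no delete rights.
    Get-ManagementRoleEntry "$child\*" |
        Where-Object { $_.Name -like "Remove-*" -or $_.Name -like "Disable-*" } |
        Remove-ManagementRoleEntry -Confirm:$false
}
# Parameter-level trimming: keep Set-Mailbox, but drop the quota parameters.
Set-ManagementRoleEntry -Identity "Marketing Recipients\Set-Mailbox" `
    -Parameters IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota, UseDatabaseQuotaDefaults `
    -RemoveParameter

# 3. Role group: the derived roles, with the custom scope on the write side.
New-RoleGroup -Name "MarketingAdmins" `
    -Roles "Marketing Recipients", "Marketing Recipient Creation" `
    -CustomRecipientWriteScope "MarketingMailboxes"
Add-RoleGroupMember -Identity "MarketingAdmins" -Member Andreas

# 4. Verify before handing the group over.
# Which roles the group holds, and on which read/write scope:
Get-ManagementRoleAssignment -RoleAssignee "MarketingAdmins" |
    Format-Table Role, RecipientReadScope, CustomRecipientWriteScope -AutoSize
# Confirm the trimming: both lines should return nothing.
Get-ManagementRoleEntry "Marketing Recipients\*" |
    Where-Object { $_.Name -like "Remove-*" -or $_.Name -like "Disable-*" }
(Get-ManagementRoleEntry "Marketing Recipients\Set-Mailbox").Parameters -match "Quota"
# Everything Andreas can run through any role group, role or policy, resolved to him:
Get-ManagementRoleAssignment -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq "Andreas" } |
    Format-Table Role, RoleAssigneeName, CustomRecipientWriteScope -AutoSize
```

The last command is the check worth keeping: -GetEffectiveUsers expands every role group and policy to the users inside it, so it shows permissions Andreas picks up from other memberships as well, not just from MarketingAdmins. Note that the recipient write scope limits which objects a cmdlet may change; it does not limit which cmdlets may run, which is why the role entries are trimmed separately.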
Highlight the similarities between management role assignment policies and role groups. In both cases, management roles carry all the permissions, and each role contains a set of management role entries. The primary difference is that role assignment policies grant users permissions over the objects they themselves own, such as their own mailbox and the distribution groups they own. Because the write scope of a role assignment policy is always the user's own objects, you cannot configure a scope for it.
It can be difficult for students to understand which permissions Exchange Server assigns to users by default. To show them, run the Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" cmdlet. This lists all the management roles that Exchange Server assigns to the default role assignment policy. To view the details of each management role, use Get-ManagementRole <rolename> | FL. For example, run Get-ManagementRole MyBaseOptions | FL, and then run Get-ManagementRoleEntry "MyBaseOptions\*" to describe the role entries (cmdlets and parameters) assigned to this management role.

Question: How will you configure role assignment policies in your organization?
Answer: Answers will vary, but for most organizations, the default configuration should suffice. Organizations normally change the default configuration only when there is a specific requirement to change how users interact with their mailboxes.
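As an added example that is not part of the course, the following Exchange Management Shell script enumerates what the default role assignment policy grants and then builds a tighter policy for a set of mailboxes. The policy name "Restricted Users" and the use of the adatum.com/Marketing OU as the target are this example's assumptions; MyBaseOptions and MyContactInformation are built-in Exchange Server 2010 roles.

```powershell
# Added example (not course material): inspect the default role assignment policy and
# create a restricted one. Run in the Exchange Management Shell as Organization Management.
# "Restricted Users" and the target OU adatum.com/Marketing are assumed names.

# 1. Which roles does the default policy grant every mailbox user?
$default = Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }
Get-ManagementRoleAssignment -RoleAssignee $default.Name |
    Sort-Object Role -Unique | Format-Table Role, RoleAssignmentDelegationType -AutoSize

# 2. And what do those roles let the user run? Each entry is Role\Cmdlet plus the
#    parameters the user may pass; the parameter list is where self-service is fenced in.
Get-ManagementRoleEntry "MyBaseOptions\*" | Format-Table Name, Parameters -AutoSize

# 3. A restricted policy: self-service for display and contact settings only. Leaving out
#    MyDistributionGroups and MyTextMessaging means users on this policy can no longer
#    create distribution groups or register a phone for text-message notifications.
New-RoleAssignmentPolicy -Name "Restricted Users" -Roles MyBaseOptions, MyContactInformation

# 4. Apply it to the Marketing mailboxes, then verify the assignment took.
Get-Mailbox -OrganizationalUnit "adatum.com/Marketing" |
    Set-Mailbox -RoleAssignmentPolicy "Restricted Users"
Get-Mailbox -OrganizationalUnit "adatum.com/Marketing" |
    Format-Table Name, RoleAssignmentPolicy -AutoSize

# 5. Optional: make the restricted policy the default for all mailboxes created from now on.
#    Existing mailboxes keep whatever policy they already have.
Set-RoleAssignmentPolicy -Identity "Restricted Users" -IsDefault
```

Compare the output of step 1 before and after step 5: changing the default does not rewrite the RoleAssignmentPolicy attribute of existing mailboxes, which is why step 4 assigns the policy explicitly.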
Emphasize that RBAC requires AD DS because role groups, roles, assignments, and scopes are stored as Active Directory objects. Edge Transport servers are not domain members and store their configuration in Active Directory Lightweight Directory Services (AD LDS), so you cannot use RBAC to configure permissions on them. Mention that, by default, local administrators have full control of all Edge Transport server settings, and the only tasks they can delegate are backup and recovery, and viewing message queues on the server. To enable users to perform administrative tasks on the Edge Transport server, add them to the appropriate local group on that server.
Question: What security risks do you need to protect against when deploying Exchange Server?
Answer: Answers will vary, but students should mention threats such as:
- Malicious e-mail, such as viruses and phishing e-mails
- SMTP-based attacks on the Simple Mail Transfer Protocol (SMTP) servers that your organization exposes to the Internet
- Web-based attacks on Client Access servers
- Compromised user credentials, either when user credentials are submitted in clear text or are captured on an unsecure kiosk
- Compromised data, such as when mobile devices are lost or stolen, or when users access attachments through Outlook Web App from unsecure client computers

Question: Which risks are the most serious?
Answer: The most serious threat to most Exchange Server organizations relates to malicious e-mails. Although most organizations now use good anti-virus and anti-phishing applications, new types of malicious software still pose a serious threat. Additionally, users accessing e-mail from unsecure mobile clients or public computers, such as kiosks, pose an additional, more serious threat in most organizations.
This topic describes the general security practices that students should implement on their Exchange servers and in their Exchange environments. Stress that these are best practices for all types of servers, not just Exchange servers. Ask students if they have other guidelines to add to the list. What processes do they use in their organizations to secure servers, including Exchange servers? Mention that Exchange Server 2010 setup now applies the Windows Firewall rules that each Exchange server role requires, so the firewall can stay enabled on Exchange servers.
Discuss the option of using a virtual private network (VPN) to provide access to Exchange servers for external clients. Many organizations use this as an option, rather than providing direct access to the Client Access servers. A VPN can have several advantages, such as enabling multifactor authentication and access to internal network resources other than Exchange servers. However, in most cases, a VPN is more complicated to configure than other access methods, and it requires additional configuration on each client computer.

Question: What type of access are you enabling from the Internet to your organization's Exchange servers?
Answer: Answers will vary. Many organizations require access to the Client Access servers using a variety of messaging clients such as Microsoft Office Outlook Anywhere, Outlook Web App, or Exchange ActiveSync®. Fewer organizations are enabling Internet Message Access Protocol 4 (IMAP4) or Post Office Protocol 3 (POP3) access to the Exchange servers, so fewer organizations need to provide SMTP client submission services for these clients.
Spend time describing the firewall and server deployment as shown in the diagram. Students should understand that you must deploy all Exchange server roles, except for the Edge Transport server role, on the internal network, not the perimeter network. Students should be familiar with the port numbers, so you can probably review the default ports quickly; make sure they do not confuse the TLS/SSL ports for POP3 (995) and IMAP4 (993).
Stress that the most critical component in configuring secure client access from the Internet is to install server certificates on the Client Access server and to require TLS/SSL for all connections to the server. If you do not implement certificates and Transport Layer Security/Secure Sockets Layer (TLS/SSL), user credentials may be sent across the Internet in clear text. One of the key goals of Internet security is to reduce the server attack surface by enabling only required services. If your organization only requires Outlook Web App from the Internet, then disable all other options. Module 3 detailed the authentication options for client access connections. When you discuss these options, the most important point is that Exchange administrators should choose the most secure option available for each client access protocol. Enforcing remote client security may restrict which types of clients can connect to the Client Access server. For example, you cannot enforce security settings on public kiosks, so you may want to block Outlook Web App and instead require users to connect with Outlook Anywhere from a domain-managed computer running Outlook.
Stress the importance of using TLS/SSL for all client connections. Students may not be familiar with the client receive connector that is enabled on each Hub Transport server. This connector uses TCP port 587 rather than TCP port 25, and it enables POP3 and IMAP4 clients to send e-mail through an e-mail server. RFC 2476 describes using this port to enable message submission from e-mail clients. Consider showing the configuration of the client receive connector. Also, consider demonstrating how to check whether an SMTP server is configured to allow open relay. To do this, open the command prompt on a server with the Telnet client installed, and then type the following commands:
Ehlo IS
Mail from: Test@domain.com (where the domain name is not the internal SMTP domain name on the SMTP server)
Rcpt to: Test@domain.com (where the domain name is not the internal SMTP domain name on the SMTP server)
If you receive an OK response, the server is enabled for open relay. If you receive a relay-denied response, the server is configured correctly.
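The manual Telnet relay test above, scripted in PowerShell so that it can be run against each of your own transport servers; this is an added example, not part of the course material. The server name in the usage line comes from the lab (VAN-EX1.Adatum.com); the two test addresses are placeholders and, as the notes say, must use domains that are not accepted domains on the server.

```powershell
function Test-OpenRelay {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [int]$Port = 25,
        # Placeholder addresses: both domains must be foreign to the server
        [string]$From = 'test@external-one.example',
        [string]$To   = 'test@external-two.example'
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"   # SMTP lines end with CRLF
    $writer.AutoFlush = $true

    # Return the final line of a reply: "250-..." lines continue a multi-line
    # EHLO reply, "250 ..." (space after the code) ends it.
    function Read-Reply {
        do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')
        return $line
    }

    try {
        $banner = Read-Reply
        $writer.WriteLine("EHLO relaycheck.example");  $null      = Read-Reply
        $writer.WriteLine("MAIL FROM:<$From>");        $mailReply = Read-Reply
        $writer.WriteLine("RCPT TO:<$To>");            $rcptReply = Read-Reply
        $writer.WriteLine("RSET");                     $null      = Read-Reply
        $writer.WriteLine("QUIT")                      # no DATA: nothing is sent
    }
    finally {
        $client.Close()
    }

    $code = [int]$rcptReply.Substring(0, 3)
    New-Object PSObject -Property @{
        Server    = $Server
        Banner    = $banner
        MailReply = $mailReply
        RcptReply = $rcptReply
        # A 2xx reply to RCPT TO for a foreign recipient means the server would
        # relay the message: open relay. Exchange answers "550 5.7.1 Unable to
        # relay" when relay is denied, which is the correct result.
        OpenRelay = ($code -ge 200 -and $code -lt 300)
    }
}

# Usage: Test-OpenRelay -Server VAN-EX1.Adatum.com | Format-List
```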
If students are not familiar with a reverse proxy, consider drawing a diagram on the white board that shows the location of a reverse proxy. Then show how the reverse proxy acts as the termination point for all client connections, both insecure and secure. Show how you can decrypt SSL connections on the reverse proxy, and how you can re-encrypt them before forwarding them to the Client Access server. Mention that reverse proxies only work with Web-based protocols, such as HTTP. You can configure a reverse proxy to forward SMTP, POP3, or IMAP4 connections, but the reverse proxy does not intercept or scan the client connections for these protocols.
Mention that the Microsoft Forefront™ Threat Management Gateway (TMG) is Microsoft’s replacement for Internet Security and Acceleration Server. This server is one example of a reverse proxy, and it functions the same way as all reverse proxies.
Preparation
Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-TMG virtual machines are running. Log on to all virtual machines as Administrator with a password of Pa$$w0rd.
Demonstration Steps
1. On VAN-TMG, click Start, point to All Programs, click Microsoft Forefront TMG, and then click Forefront TMG Management.
2. Expand Forefront TMG, and then click Firewall Policy.
3. On the Firewall Policy Tasks pane, on the Tasks tab, click Publish Exchange Web Client Access.
4. On the Welcome to the New Exchange Publishing Rule Wizard page, type OWA Access Rule, and then click Next.
5. On the Select Services page, in the Exchange version list, click Exchange Server 2010, select the Outlook Web Access check box, and then click Next.
6. On the Publishing Type page, click Next.
7. On the Server Connection Security page, ensure that Use SSL to connect the published Web server or server farm is configured, and then click Next. When you configure this option, the TMG server re-encrypts all network traffic sent to the Client Access server.
8. On the Internal Publishing Details page, in the Internal site name text box, type VAN-EX1.Adatum.com, and then click Next.
9. On the Public Name Details page, ensure that This domain name (type below) is configured in the Accept requests for drop-down list. In the Public name box, type mail.Adatum.com, and then click Next.
10. On the Select Web Listener page, in the Web Listener drop-down list, click New. Web listeners are configuration objects on the TMG server that define how the server accepts client connections.
11. On the Welcome to the New Web Listener Wizard page, type HTTP Listener, and then click Next.
12. On the Client Connection Security page, click Do not require SSL secure connections from clients, and then click Next.
Important: In a production environment, you should always use the option Require SSL secured connections with clients. In this demonstration, the server is not configured with a server certificate, so HTTPS connections are not possible.
13. On the Web Listener IP Addresses page, select the External check box, and then click Next.
14. On the Authentication Settings page, accept the default of HTML Form Authentication, and then click Next.
15. On the Single Sign On Settings page, type Adatum.com as the SSO domain name, click Next, and then click Finish. Click OK.
16. Click Edit, and then on the Authentication tab, click Advanced.
17. Select the Allow client authentication over HTTP check box, and then click OK three times.
18. On the Select Web Listener page, click Next.
19. On the Authentication Delegation page, accept the default of Basic authentication, and then click Next.
20. On the User Sets page, accept the default, and then click Next.
21. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.
22. Click Apply twice to apply the changes, and then click OK once the changes are applied.
Question: Has your company deployed a reverse proxy? If so, what kind? How does your reverse proxy compare to the TMG?
Answer: Answers will vary. Many companies have deployed Internet Security and Acceleration (ISA) Server 2006, and are using it to secure messaging client connections. Other companies have deployed hardware-based reverse proxies. Most of the reverse proxies provide the same functionality, but the process for configuring the settings may be very different.
In this lab, students will configure Exchange Server permissions, and then configure a reverse proxy for Exchange Server access.
Exercise 1
Inputs: Students will be provided with instructions for configuring Exchange Server permissions. The instructions will require that students use both the Exchange security groups and RBAC.
Outputs: Students will configure Exchange Server organization security using both built-in management roles and custom management roles.
Exercise 2
Inputs: Students will be provided with a set of instructions for configuring a proxy server to provide secure access to the Client Access server and Hub Transport server.
Outputs: Students will configure security for the Client Access server and Hub Transport server roles by configuring a reverse proxy.
Before the students begin the lab, read the scenario associated with each exercise to the class. This will reinforce the broad issue that the students are troubleshooting, and will help to facilitate the lab discussion at the module’s end. Remind the students to complete the discussion questions after the last lab exercise.
Use the questions on the slide to guide the debriefing after students complete the lab exercises.
Question: In the lab, you configured Exchange Server permissions by using a custom role. How did you limit the types of tasks the delegated administrators could perform and on what objects they could perform the tasks?
Answer: You limited the types of tasks the delegated administrators could perform by removing some of the management role entries assigned to the OrganizationAdministrators management role. You limited what objects the delegated administrators could manage by limiting the management role scope to only specific Exchange Server cmdlets.
Question: How would the TMG configuration in the lab change if you were enabling access for an IMAP4 client?
Answer: You would need to configure a server publishing rule to publish the IMAP4 protocol on the Client Access server. You also need to configure a server publishing rule to publish an SMTP server on a Hub Transport server.
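The two limits the lab discussion describes (trimming the role entries, and narrowing the scope), applied with the Exchange Management Shell RBAC cmdlets; this is an added example rather than the lab's own steps, and the role, scope and group names, the department value and the member account are placeholders.

```powershell
# 1. A custom role that starts as a copy of a built-in parent role.
New-ManagementRole -Name "HR Mailbox Admins" -Parent "Mail Recipients"

# 2. Limit WHAT the delegates can do: drop every role entry copied from the
#    parent except the recipient cmdlets they actually need.
$keep = @("Get-Mailbox", "Set-Mailbox", "Get-User", "Get-Recipient")
Get-ManagementRoleEntry "HR Mailbox Admins\*" |
    Where-Object { $keep -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Limit WHICH objects they can change: a recipient write scope that
#    matches only Human Resources users (placeholder department value).
New-ManagementScope -Name "HR Recipients" `
    -RecipientRestrictionFilter "Department -eq 'Human Resources'"

# 4. Tie the trimmed role, the scope and the delegates together in a role
#    group; the write scope applies to every cmdlet the role still contains.
New-RoleGroup -Name "HR Mailbox Administrators" `
    -Roles "HR Mailbox Admins" `
    -CustomRecipientWriteScope "HR Recipients" `
    -Members "hr-admin1" `
    -Description "Get/Set-Mailbox on Human Resources recipients only"

# Verify both limits: which entries survived, and the write scope on the
# assignment that the role group received.
Get-ManagementRoleEntry "HR Mailbox Admins\*" | Format-Table Name, Parameters
Get-ManagementRoleAssignment -RoleAssignee "HR Mailbox Administrators" |
    Format-List Role, RecipientWriteScope, CustomRecipientWriteScope
```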
Review Questions
Question: You need to enable members of the Human Resources department to configure user mailboxes for the entire organization. What should you do?
Answer: In most cases, you can accomplish this by just adding the members of the Human Resources department to the Recipient Management role group in AD DS or Active Directory. If the Recipient Management role group has more permissions than necessary, you may need to create a custom role group.
Question: Users in your organization are using POP3 clients from the Internet. These users report that they can receive e-mail, but not send e-mail. What should you do?
Answer: You will need to provide the users with an SMTP server that they can use to send e-mail. You should configure a Hub Transport server Receive Connector.
Question: Your organization has deployed Forefront TMG. You need to ensure that remote users can access the Client Access server inside the organization by using cellular mobile clients. What should you do?
Answer: You will need to configure an Exchange ActiveSync publishing rule in TMG that enables access to the required virtual directories on the Client Access server.
Common Issues and Troubleshooting Tips
Point the students to possible troubleshooting tips for the issues that this section presents.
Real-World Issues and Scenarios
Question: Your organization has configured an SMTP Receive connector on an Edge Transport server to enable IMAP4 users to relay messages. However, you discover that your Edge Transport server is being used to relay spam to other organizations. What should you do?
Answer: When you configured the Edge Transport server to relay messages for IMAP4 users, you enabled anonymous relaying for all users. You will need to disable message relaying on the Edge Transport server, and enable authenticated relaying on a Hub Transport server.
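The fixes for the two relay answers above (POP3 users who cannot send, and an Edge Transport connector relaying spam), as an added example that is not part of the course material; the Edge connector name is a placeholder, while VAN-EX1 comes from the lab and "Client VAN-EX1" is the default client receive connector that Hub Transport creates on TCP 587.

```powershell
# Audit: which receive connectors let anonymous senders submit to ANY
# recipient? That extended right is what makes a connector an open relay.
Get-ReceiveConnector | Get-ADPermission |
    Where-Object { $_.User -like "*ANONYMOUS LOGON*" -and
                   $_.ExtendedRights -like "*Accept-Any-Recipient*" } |
    Format-Table Identity, User, Deny

# Fix 1 (Edge Transport): take the relay grant away from the connector that
# was abused; it then accepts mail only for the organization's accepted
# domains again. Connector name is a placeholder.
Get-ReceiveConnector "EDGE1\Internet Inbound" |
    Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient" -Confirm:$false

# Fix 2 (Hub Transport): make the client submission connector on TCP 587 the
# place where POP3/IMAP4 users send. Relay is granted to authenticated
# Exchange users only (no AnonymousUsers permission group), Basic
# authentication must run inside TLS, and every session must negotiate TLS.
Set-ReceiveConnector "VAN-EX1\Client VAN-EX1" `
    -AuthMechanism Tls, Integrated, BasicAuth, BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers `
    -RequireTLS $true

# Verify the client connector offers no anonymous submission path.
Get-ReceiveConnector "VAN-EX1\Client VAN-EX1" |
    Format-List Bindings, AuthMechanism, PermissionGroups, RequireTLS
```

Users then point their POP3/IMAP4 clients at the Hub Transport server on port 587 with TLS and their domain credentials, which is the authenticated relay the answer calls for.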
Question: You have added the ServerAdmins group in your organization to the Exchange Server 2010 Server Management group in AD DS or Active Directory. All the members of the ServerAdmins group report that they receive errors when they start the Exchange Management Console. What should you do?
Answer: You need to enable all of the members of the ServerAdmins group to run remote Windows PowerShell™ cmdlets.
Question: Your organization is planning to deploy Forefront TMG to enable access to a Client Access server from the Internet. The organization is concerned about the cost of acquiring multiple certificates to enable access, but also wants to ensure that users do not receive certificate-related errors. What should you do?
Answer: To ensure that users do not receive certificate errors, you will need to purchase a certificate from a public CA. You can request a certificate with multiple SANs or use a wildcard certificate to ensure that the one certificate can be used for all client connections. You then can use the same certificate on the Client Access server, or use a certificate from a private CA on the Client Access server.
Best Practices
Help the students understand the best practices that this section presents. Ask students to consider these best practices in the context of their own business situations.