11-24 Chapter 11 Microsoft Exchange Server 2003 Security

Evaluating E-Mail

When Exchange receives an unauthenticated SMTP connection from an external source, it evaluates the source IP address against the Accept and Deny lists and rejects the connection if a match is found on the Deny list. If the IP address is on neither list, Exchange evaluates it against a real-time block list (RBL). If a match is found on the RBL, Exchange stops the message at the protocol level, before any message data is accepted. Otherwise, the message is handed to any third-party anti-junk e-mail product or plug-in configured at the transport layer. The third-party product analyzes the message and assigns it a Spam Confidence Level (SCL) value that indicates the degree to which the message can be considered unsolicited commercial e-mail. The SCL value ranges from 0 through 9; the higher the value, the more likely the message is junk mail. Exchange then moves the message into the information store and, based on the SCL value and the user's junk e-mail settings, Outlook either leaves the message in the Inbox, moves it to the Junk E-Mail folder, or deletes it. The more aggressive the junk e-mail setting (High rather than Low), the lower the SCL at which a message is diverted to the Junk E-Mail folder.

Guidelines for Securing Mailboxes

When developing a strategy for securing Exchange Server 2003 mailboxes, consider the following guidelines:

■ Prevent users outside your Exchange organization from receiving out-of-office e-mail messages. You can configure the default SMTP policy, or create SMTP policies on a domain-by-domain basis, so that out-of-office replies and automatic forwards are not sent to the Internet.

■ Prevent users from receiving e-mail from unidentified domains or from predetermined domains. You can configure virtual servers to deny messages from unidentified domains or from any domain that you select.
■ Limit access to e-mail content by digitally signing and encrypting e-mail messages. Digital signatures and encryption ensure that only the intended recipient can read the message content and that any alteration in transit is detected.

■ Prohibit unauthorized users from using distribution lists. You can configure distribution lists to accept e-mail from authenticated users only.

Lesson 3 Securing Mailboxes 11-25

■ Filter unsolicited e-mail. You can create a message filter and then apply that filter to each applicable virtual server. You can filter a message by sender, recipient, or domain.

■ Prevent junk e-mail. You can search incoming and outgoing e-mail for specific words, phrases, and senders. You can configure OWA and Outlook 2003 to determine how junk e-mail should be handled.

Recipient and Sender Filtering

You can block unwanted e-mail based on IP address, sender e-mail address, recipient e-mail address, or e-mail domain. You block e-mail by configuring Accept and Deny lists, which are defined through the global Message Delivery object and then applied to individual SMTP virtual servers. A filter that is defined globally but not applied on the virtual server has no effect.

Recipient Filtering

You can use recipient filtering to reduce junk e-mail. You can filter e-mail that is addressed to users who are not found in Active Directory or to whom the sender does not have permission to send e-mail. Exchange Server 2003 rejects any incoming e-mail that matches the defined criteria at the protocol level, in response to the RCPT TO command, and returns a 550 error.

You can also use recipient filtering to filter messages that are sent to well-known generic recipients, such as root@domain and inet@domain, to which legitimate correspondents rarely write; mail addressed to such recipients is indicative of unsolicited commercial e-mail.

Note Recipient filtering rules apply only to anonymous connections. Authenticated users and other Exchange servers bypass these rules.

Because the 550 rejection is visible to the sender, recipient filtering also tells a remote host which addresses exist; an attacker can probe the server address by address to harvest your directory. Watch for connections that generate large numbers of 550 responses, and weigh this exposure against the junk mail the filter saves.

Sender Filtering

Sender filtering reduces junk e-mail by enabling you to create filters based on the sender of the message.
You can, for example, filter messages that are sent by specific users or messages that are sent without a sender address. You can archive filtered messages, or you can drop the connection if the sender's address matches the filter criterion. Sender filtering matches the address given in the SMTP MAIL FROM command, which a spammer can set to anything, so it stops a known nuisance but is not a substitute for connection filtering.

Practice: Configuring the Junk E-Mail Feature in Outlook 2003 and Enabling Connection Filtering

In this practice, you configure the level of junk e-mail protection that you require in Outlook 2003, and then you enable and configure connection filtering on your front-end server.

Exercise 1: Configure the Junk E-Mail Feature in Outlook 2003

To configure the Junk E-Mail feature in Outlook 2003, perform the following steps:

1. Start Outlook.
2. On the Tools menu, click Options.
3. On the Preferences tab, click Junk E-Mail.
4. Configure the required level of protection (No Protection, Low, High, or Safe Lists Only).
5. If you want to delete junk e-mail instead of moving it to a folder, select the relevant check box.
6. Add entries to the Trusted Senders, Trusted Recipients, and Junk Senders lists by selecting the relevant tabs. You can also import lists from, and export them to, a text file.
7. Click OK.

Exercise 2: Enable Connection Filtering

In this exercise, you configure Exchange Server 2003 to enable connection filtering on Server02 and then block mail from a malicious user and a junk mail sender. Note that fictitious names are used for the block list provider, the malicious user, and the junk mail sender.

To enable connection filtering, perform the following steps:

1. Open Exchange System Manager and click Global Settings.
2. In the details pane, right-click Message Delivery, and then click Properties.
3. Select the Connection Filtering tab.
4. Click Add.
5. In the Connection Filtering Rule dialog box, in the Display Name box, type Blocklist Provider. In the DNS Suffix Of Provider box, type contosoblocklists.com, and then click OK.
6.
Click OK to close the Message Delivery Properties dialog box.
7. Read the message in the Exchange System Manager dialog box, and then click OK.
8. In Exchange System Manager, navigate to Administrative Groups\First Administrative Group\Servers\Server02\Protocols\SMTP.
9. Right-click Default SMTP Virtual Server, and then click Properties.
10. Click Advanced on the General tab of the Default SMTP Virtual Server Properties dialog box.
11. In the Advanced dialog box, click Edit.
12. In the Identification dialog box, select the Apply Connection Filter check box, as shown in Figure 11-4, and then click OK.

Figure 11-4 Setting connection filtering

13. In the Advanced dialog box, verify that Filter Enabled is set to Yes, and then click OK.
14. Click OK to close the Default SMTP Virtual Server Properties dialog box.

Exercise 3: Block an E-Mail Address and a Domain

To block a specific e-mail address and the domain of a known junk mail sender, perform the following steps:

1. Open Exchange System Manager.
2. In the console tree, click Global Settings.
3. In the details pane, right-click Message Delivery, and then click Properties.
4. Select the Sender Filtering tab in the Message Delivery Properties dialog box.
5. Click Add.
6. In the Add Sender dialog box, type donhall@nwtraders.com, as shown in Figure 11-5, and then click OK.

Figure 11-5 Blocking e-mail from a specific user

7. In the Message Delivery Properties dialog box, ensure that the Drop Connection If Address Matches Filter check box is selected, and then click OK.
8. In the Warning dialog box, click OK to acknowledge that this filter must be enabled on the virtual server.
9. In Exchange System Manager, navigate to Administrative Groups\First Administrative Group\Servers\Server02\Protocols\SMTP.
10. Right-click Default SMTP Virtual Server, and then click Properties.
11.
Select the Access tab in the Default SMTP Virtual Server Properties dialog box.
12. Click Connection.
13. In the Connection dialog box, ensure that All Except The List Below is selected, and then click Add.
14. In the Computer dialog box, click Domain. Click OK when warned that this is a resource-intensive configuration (the server must perform a reverse DNS lookup on every inbound connection, and the check is only as reliable as the remote host's PTR record). Type treyresearch.com, as shown in Figure 11-6, and then click OK.

Figure 11-6 Blocking e-mail from a domain

15. In the Connection dialog box, click OK.
16. Select the General tab in the Default SMTP Virtual Server Properties dialog box, and then click Advanced.
17. Click Edit.
18. In the Identification dialog box, select the Apply Sender Filter check box, and then click OK.
19. Click OK to close the Advanced dialog box.
20. Click OK to close the Default SMTP Virtual Server Properties dialog box.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and then try the question again. You can find answers to the questions in the "Questions and Answers" section at the end of this chapter.

1. How does Exchange Server 2003 filtering work, and what do you need to configure in order to use it?

2. An e-mail message has an SCL value of 3. Which of the following statements is true?
   a. The sender was found on the Deny list.
   b. The sender was found on the Accept list.
   c. The message probably is not junk e-mail.
   d. The message probably is junk e-mail.

Lesson Summary

■ Outlook 2003, OWA, and Exchange Server 2003 can filter junk e-mail.
■ E-mail can be accepted or rejected based on the address of a single sender or on a domain name.
■ E-mail from an external source can be rejected based on the recipient address.
■ A real-time block list (RBL), also called a Realtime Blackhole List or Relay Blocking List, is a third-party, DNS-based list of IP addresses known to send or relay junk e-mail. Exchange queries the list for each anonymous inbound connection and rejects listed hosts at the protocol level.
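The evaluation order described under Evaluating E-Mail, together with the sender and recipient filters and the SCL disposition, modelled in code. This is an added example written for this page, not code from the book, from Outlook or from Exchange: Go's standard library only, with an in-memory map standing in for the DNS query that a real RBL lookup makes. The fictitious names are the ones the practice uses (contosoblocklists.com, donhall@nwtraders.com, treyresearch.com); the IP addresses come from documentation ranges and, like the junk threshold of 7, are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// FilterConfig stands in for the global Message Delivery settings once they
// are enabled on an SMTP virtual server. Map keys are lower-case.
type FilterConfig struct {
	AcceptIPs       map[string]bool
	DenyIPs         map[string]bool
	RBLZone         string          // DNS suffix of the block list provider
	RBLListed       map[string]bool // stands in for DNS: query names that resolve
	BlockedSenders  map[string]bool // exact addresses; "" filters mail with no sender
	BlockedDomains  map[string]bool // sender domains
	DropOnMatch     bool            // "Drop Connection If Address Matches Filter"
	KnownRecipients map[string]bool // recipients that exist in Active Directory
}

// Verdict is the SMTP-level outcome: Code 0 accepts, 550 rejects permanently.
type Verdict struct {
	Code           int
	Reason         string
	DropConnection bool
}

// rblQueryName builds the reverse-octet name an RBL lookup uses: 203.0.113.7
// checked against zone Z is queried as 7.113.0.203.Z.
func rblQueryName(ip, zone string) (string, bool) {
	v4 := net.ParseIP(ip).To4()
	if v4 == nil {
		return "", false
	}
	return fmt.Sprintf("%d.%d.%d.%d.%s", v4[3], v4[2], v4[1], v4[0], zone), true
}

// CheckConnection runs at connect time, before any message data is read:
// Deny list first, then Accept list (which skips the RBL), then the RBL.
func (c FilterConfig) CheckConnection(remoteIP string) Verdict {
	if c.DenyIPs[remoteIP] {
		return Verdict{550, "IP address is on the Deny list", true}
	}
	if c.AcceptIPs[remoteIP] {
		return Verdict{}
	}
	if name, ok := rblQueryName(remoteIP, c.RBLZone); ok && c.RBLListed[name] {
		return Verdict{550, "IP address is listed by " + c.RBLZone, true}
	}
	return Verdict{}
}

// CheckSender applies sender filtering to the MAIL FROM address.
func (c FilterConfig) CheckSender(from string) Verdict {
	from = strings.ToLower(strings.TrimSpace(from))
	domain := from[strings.LastIndex(from, "@")+1:]
	if c.BlockedSenders[from] || c.BlockedDomains[domain] {
		return Verdict{550, "sender address matches the filter", c.DropOnMatch}
	}
	return Verdict{}
}

// CheckRecipient applies recipient filtering to each RCPT TO address. Only
// anonymous connections are checked; authenticated users and other Exchange
// servers bypass the rule, as the lesson's note says.
func (c FilterConfig) CheckRecipient(rcpt string, authenticated bool) Verdict {
	if authenticated || c.KnownRecipients[strings.ToLower(rcpt)] {
		return Verdict{}
	}
	return Verdict{550, "5.1.1 User unknown", false}
}

// JunkDisposition decides where an accepted message goes once a transport
// layer product has stamped it with an SCL (0 through 9, higher is more
// likely junk). A value outside that range means the message was never
// rated, for example internal mail, and it is delivered normally.
func JunkDisposition(scl, junkThreshold int, deleteJunk bool) string {
	if scl < 0 || scl > 9 || scl < junkThreshold {
		return "Inbox"
	}
	if deleteJunk {
		return "Deleted"
	}
	return "Junk E-Mail"
}

// sampleConfig reuses the practice's fictitious names; the IP addresses are
// constructed for this example from documentation ranges.
func sampleConfig() FilterConfig {
	zone := "contosoblocklists.com"
	return FilterConfig{
		AcceptIPs:       map[string]bool{"198.51.100.5": true}, // partner relay the RBL lists by mistake
		DenyIPs:         map[string]bool{"192.0.2.9": true},
		RBLZone:         zone,
		RBLListed:       map[string]bool{"7.113.0.203." + zone: true, "5.100.51.198." + zone: true},
		BlockedSenders:  map[string]bool{"donhall@nwtraders.com": true, "": true},
		BlockedDomains:  map[string]bool{"treyresearch.com": true},
		DropOnMatch:     true,
		KnownRecipients: map[string]bool{"kimakers@tailspintoys.com": true},
	}
}

func main() {
	cfg := sampleConfig()
	fmt.Printf("%+v\n%+v\n", cfg.CheckConnection("203.0.113.7"), cfg.CheckSender("DonHall@nwtraders.com"))
	fmt.Printf("%+v\n%s\n", cfg.CheckRecipient("inet@tailspintoys.com", false), JunkDisposition(8, 7, false))
}
```

Two details are worth noticing when you run it: the partner relay 198.51.100.5 is accepted even though the block list names it, because the Accept list is consulted before the RBL, and inet@tailspintoys.com is refused only on the anonymous connection. The sender and recipient checks return the reply text the server would send; whether the connection is then dropped is the DropOnMatch setting from the practice.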
Lesson 4: Implementing Digital Signature and Encryption Capabilities

This lesson describes digital signatures and encryption and then explains how these capabilities enhance Exchange Server 2003 security. The lesson explains how a public key infrastructure (PKI) is used to send digitally signed and encrypted e-mail messages, and it describes the PKI components. Finally, the lesson describes how the enrollment process enables digital signature and encryption capabilities.

After this lesson, you will be able to
■ Explain what digital signature and encryption capabilities are
■ Explain what a PKI is
■ Describe the PKI components that enable digital signature and encryption capabilities
■ Describe how the enrollment process enables digital signature and encryption capabilities
■ Describe the process of creating and deploying digital signature and encryption certificates
■ Configure Outlook digital signature and encryption capabilities

Estimated lesson time: 30 minutes

Digital Signature and Encryption

Digital signatures and encryption secure your messaging system by protecting e-mail messages from modification and from inspection by malicious third parties as they travel from the sender to the receiver.

A digital signature is a value computed over the message content with the sender's private key and attached to the message. Anyone who holds the sender's public key can verify that the message came from the holder of the corresponding private key, that is, from the person the sender's certificate identifies, and that the content was not changed in transit: because the signature is bound to the content, any modification of the message after signing results in an invalid signature. A signature proves who signed the message, not that the message is safe; a signed message can still carry a malicious attachment.

You protect e-mail messages against inspection by using encryption. Encryption is a cryptographic technique that transforms the contents of an e-mail message into a form that cannot be read without the corresponding key. There are many different types of encryption. Exchange uses public key encryption, in which each user has a public key that can be known to everyone and a private key that is known only to that user; a message encrypted with the recipient's public key can be decrypted only with the recipient's private key.
For example, when Don Hall wants to send a secure message to Kim Akers, Don uses Kim's public key to encrypt the message. Kim then uses her private key, known only to her, to decrypt Don's message. If a public key is used to encrypt messages, only the corresponding private key can decrypt them; given only the public key, deriving the private key is computationally infeasible for keys of adequate length. In practice, S/MIME does not encrypt the message body with the public key directly: it encrypts the body with a randomly generated symmetric key and uses each recipient's public key to encrypt only that key, which is what makes a message to several recipients practical.

Lesson 4 Implementing Digital Signature and Encryption Capabilities 11-31

Real World Private Keys

The function of real-world security is to make it very difficult for an attacker to breach the system. Remember that there is no known limit to human ingenuity and that no system is perfect. Remember also that a private key is effective only if no third party knows it: the longer a private key remains in use, the greater the chance that it has been copied or compromised, which is why certificates have a limited validity period and why keys should be replaced rather than renewed indefinitely.

Exchange Server 2003 and Outlook 2003 implement digital signature and encryption capabilities by using Secure/Multipurpose Internet Mail Extensions (S/MIME), the standard that extends MIME with signing and encryption of message content.

Public Key Infrastructure

A PKI is the combination of policies, cryptographic methods, services, and administrative tools for creating, deploying, and managing public key based applications. It gives you a managed process for identifying users and exchanging data securely.

PKI signature and encryption capabilities strengthen the security of your Exchange Server 2003 organization by protecting e-mail from being read by anyone other than the intended recipient, and from being altered by anyone other than the sender, while the message is in transit and while it is stored, either on the client in a .pst file or on the Exchange server in the mailbox store. Note that the same protection also prevents server-side content scanning (antivirus, keyword filtering) from inspecting an encrypted message body; only the recipient's client can do so.

A PKI includes components that enable digital signature and encryption capabilities. A PKI contains the components listed in Table 11-4.
Table 11-4 PKI Components

Digital certificate
    Binds a public key to the identity of a user or computer, and so authenticates the holder of the corresponding private key.

Certificate template
    Defines the content and purpose of a certificate. Typically one certificate template is created for digital signatures and another for encryption; a single template can also be created for both purposes.

Certificate revocation list (CRL)
    Lists the certificates that a CA has revoked before their scheduled expiration date.

Certification authority (CA)
    Issues certificates to users, computers, and services, and then manages these certificates.

Certificate publication points and CRL distribution points
    Provide locations where certificates and CRLs are made publicly available. Certificates and CRLs can be published through a directory service, such as X.500 or LDAP, or through directories that are specific to the operating system and to Web servers.

Certificate and CA management tools
    Manage issued certificates, publish CA certificates and CRLs, configure CAs, import and export certificates and keys, and recover archived private keys.

Applications and services that are enabled by public keys
    Use certificates for e-commerce and secure network access by using digital signature and encryption capabilities.

Certificate servers
    Enable you to create, issue, and manage certificates by using Microsoft Certificate Services. Using Certificate Services on Windows Server 2003 with Exchange Server 2003 integrates all of the certificate functionality into a single service, rather than relying on multiple services, such as Microsoft Key Management Service (KMS), which was required in previous versions of Exchange. The benefits of certificate servers include the following:
    ■ Issuing certificates from a single, archived location.
    ■ Maintaining an archived copy of users' private encryption keys on the server, so that a user who loses the local copy can recover it and still read previously encrypted mail. Key archival must be enabled explicitly on the template, and only encryption keys should be archived: a signing key that anyone but its owner can recover no longer proves who signed a message.
    ■ Enabling automatic certificate deployment to users with valid credentials.
    ■ Importing archived private keys and certificates into a CA.

Tip When a PKI client checks the validity of a certificate, one of the first things it does is check the certificate against the issuing CA's CRL, fetched from the CRL distribution point named in the certificate. If no CRL can be retrieved, the revocation check fails and an error may be returned even though the certificate itself is valid. A CA can publish a CRL that contains no entries, so make sure the CA has published a CRL, and keeps republishing it before the previous one expires, before you rely on the certificates it issues; you do not need to revoke a certificate to create one. In the Certification Authority console, right-click Revoked Certificates, point to All Tasks, and then click Publish; from a command prompt, certutil -crl does the same.

Practice: Deploying Digital Signature and Encryption Certificates

Using a certificate for digital signatures or encryption requires that you deploy the certificate in Exchange Server 2003 by using auto-enrollment settings and that you verify the Outlook configuration.

Before starting this practice, you need to obtain a certificate, if you have not already done so. To do this, open Internet Explorer, access http://Server01/Certsrv, and complete the wizard. If Server01 is not a CA, you need to obtain a certificate over the Internet from an external CA, such as VeriSign.

Exercise 1: Implement Digital Signature and Encryption Capabilities on Exchange Server 2003

To configure Exchange Server 2003 to allow users to digitally sign and encrypt messages, perform the following steps:

1. Open the Certification Authority console on Server01.
2. Expand Tailspintoys.
3. Right-click Certificate Templates, point to New, and then click Certificate Template To Issue.
4. In the Enable Certificate Templates dialog box, click Exchange User, and then click OK.
5. In the Certification Authority console, right-click Certificate Templates, and then click Manage.
6.
Right-click Exchange User in the details pane of the Certificate Templates console, and then click Properties.
7. Select the Security tab in the Exchange User Properties dialog box.
8. Click Authenticated Users in the Group Or User Names box.
9. In the Permissions For Authenticated Users box, select the Allow check box for the Enroll permission, as shown in Figure 11-7, and then click OK.

Figure 11-7 Allowing Authenticated Users the Enroll permission so they can digitally sign and encrypt e-mail

10. Close the Certificate Templates console and the Certification Authority console.

[...]

... are as follows:
■ NNTP
■ Microsoft Exchange IMAP4
■ Microsoft Exchange POP3

Administration

The following services are required to administer Exchange Server 2003:
■ Microsoft Exchange System Attendant
■ Microsoft Exchange Management
■ Windows Management Instrumentation

Routing

The following services are required to enable Exchange Server 2003 to route messages:
■ Microsoft Exchange Routing Engine
■ ...

Compatibility

The following services are required to provide compatibility with earlier versions of Exchange:
■ Microsoft Exchange Event Service
■ Microsoft Exchange Site Replication Service
■ Exchange MTA Stacks (Exchange Server 5.5 compatibility only)

Additional Features

The following services provide additional features for Exchange Server 2003: ...

... virtual servers

After this lesson, you will be able to
■ Describe the services that Exchange Server 2003 uses
■ Explain why you should allow only required services to run on Exchange Server 2003
■ Identify the required services on an Exchange front-end server
■ Identify the required services on an Exchange back-end server
■ Manage protocol logging on HTTP virtual servers, including the Exchange virtual server
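The Don Hall and Kim Akers exchange from Lesson 4, carried through in code so the two guarantees (only Kim's private key opens the message; any change to the content invalidates Don's signature) can be seen failing and succeeding. This is an added example written for this page, not code from the book, from Outlook or from Exchange. It uses Go's standard library RSA (OAEP for encryption, PKCS#1 v1.5 signatures over SHA-256) instead of S/MIME's CMS envelope, encrypts the short message body directly to the recipient's key rather than through a symmetric content key, and generates fresh key pairs in place of CA-issued certificates, so there is no certificate chain or CRL check. The message text is constructed for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecureMessage is what travels from sender to recipient: the body encrypted
// to the recipient's public key, and the sender's signature over the
// plaintext. S/MIME carries the same two things inside CMS structures.
type SecureMessage struct {
	Ciphertext []byte
	Signature  []byte
}

// Sign binds a signature to the message content with the sender's private
// key. Any change to the content afterwards makes the signature invalid.
func Sign(sender *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA256, digest[:])
}

// Verify checks a signature with the sender's public key, which in a real
// deployment comes from the sender's certificate.
func Verify(sender *rsa.PublicKey, msg, sig []byte) error {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(sender, crypto.SHA256, digest[:], sig)
}

// Seal signs with the sender's private key, then encrypts to the recipient's
// public key, so only the matching private key can recover the message.
func Seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, msg []byte) (SecureMessage, error) {
	sig, err := Sign(sender, msg)
	if err != nil {
		return SecureMessage{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
	if err != nil {
		return SecureMessage{}, err
	}
	return SecureMessage{Ciphertext: ct, Signature: sig}, nil
}

// Open decrypts with the recipient's private key and then verifies the
// sender's signature; failure at either step rejects the message.
func Open(recipient *rsa.PrivateKey, sender *rsa.PublicKey, sm SecureMessage) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, sm.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong private key or damaged ciphertext")
	}
	if err := Verify(sender, msg, sm.Signature); err != nil {
		return nil, errors.New("signature invalid: content altered or not signed by the claimed sender")
	}
	return msg, nil
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Demo runs the lesson's exchange and reports whether the round trip worked,
// whether an altered body was detected, and whether a key other than Kim's was refused.
func Demo() (roundTrip, tamperDetected, wrongKeyRefused bool) {
	don, kim := mustKey(), mustKey()
	msg := []byte("Kim, the audit report is attached. Don") // constructed sample text

	sm, err := Seal(don, &kim.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	got, err := Open(kim, &don.PublicKey, sm)
	roundTrip = err == nil && bytes.Equal(got, msg)

	// An intermediary can encrypt a different body to Kim, since her public
	// key is public, but cannot produce Don's signature over it.
	altered := []byte("Kim, the audit found nothing. Don")
	ct, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &kim.PublicKey, altered, nil)
	_, err = Open(kim, &don.PublicKey, SecureMessage{Ciphertext: ct, Signature: sm.Signature})
	tamperDetected = err != nil

	// Don's own private key cannot open a message encrypted to Kim.
	_, err = Open(don, &don.PublicKey, sm)
	wrongKeyRefused = err != nil
	return
}

func main() {
	a, b, c := Demo()
	fmt.Printf("round trip ok: %t, tampering detected: %t, wrong key refused: %t\n", a, b, c)
}
```

The order in Seal matters: signing the plaintext and then encrypting means the recipient can verify who wrote the message, but an eavesdropper cannot even learn who signed it. Open deliberately reports decryption and verification failures separately, because the two tell an operator different things: a decryption failure points at the wrong certificate having been selected for the recipient, a verification failure at tampering or a sender certificate that does not match the claimed sender.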
Exercise

You are the Exchange Full Administrator in a branch of Woodgrove Bank. Your Exchange organization comprises four front-end Exchange Server 2003 servers configured as a Network Load Balancing cluster and two back-end Exchange Server 2003 servers configured as a Windows cluster to provide failover protection. Your domain controllers and member servers are all Windows Server 2003 servers. Security is ...

... Server 2003 server that he or she needs to manage. When you create an Exchange Server 2003 organization, the Exchange Domain Servers group and the Exchange Enterprise Servers group are created automatically. These two groups are assigned permissions that allow Exchange servers to gain access to Exchange configuration and recipient information in Active Directory. These are system groups for use by Exchange ...

...
■ Routing group objects
■ Public folder tree objects
■ Server objects

Adding an Exchange Administrative Group

When you set up an Exchange Server 2003 organization, you automatically create the First Administrative Group container, and the Exchange Server 2003 server is added to this group. If you then add a new computer running Exchange Server 2003 to your Exchange organization, the computer is added to this ...

... SMTP virtual servers

Estimated lesson time: 30 minutes

Services Used by Exchange Server 2003

Exchange Server 2003 comprises a number of processes, components, and services that communicate with each other on local and remote computers. Exchange servers must communicate with other Exchange servers, with domain controllers, and with several different types of client. Depending on the role an Exchange server plays ...

... considering disabling Microsoft Exchange Management on a front-end Exchange server. Can you disable this service? What other considerations do you need to take into account?

2. Which of the following services are required to administer Exchange Server 2003? (Select all that apply.)
   a. Microsoft Exchange System Attendant
   b. Microsoft Exchange Management
   c. NNTP
   d. Windows Management Instrumentation
   e. Exchange MTA ...

... service is enabled. It is dependent on Microsoft Exchange Management.
■ Microsoft Exchange MTA Stacks. You require this service if you need compatibility with previous versions of Exchange or if there are X.400 connectors.
■ Microsoft Exchange System Attendant. You require this service if you want to perform Exchange administration and for Exchange maintenance to run.
■ Microsoft Exchange Routing Engine. You require ...

Lesson 6: Disabling Services and Protocol Logging

This lesson discusses the services that are used by Exchange Server 2003, explains service dependencies, and explains which services can be disabled to provide enhanced Exchange security. The lesson also discusses protocol logging and how it can be used to audit access on the various Exchange Server 2003 ...

... control access to your Exchange e-mail system.

■ Exchange Administrator. Exchange Administrators can fully administer Exchange system information.