310 likes | 458 Views
Securing Exchange Server 2003. Session Goals:. Introduce you to the concepts and mechanisms for securing Exchange 2003. Examine the techniques and tools used to help remove unwanted messages such as Spam. Demonstrate the ways in which we can enable Secure External Client Access.
E N D
Session Goals: • Introduce you to the concepts and mechanisms for securing Exchange 2003. • Examine the techniques and tools used to help remove unwanted messages such as Spam. • Demonstrate the ways in which we can enable Secure External Client Access. • Best Practices, tools and tips.
Agenda • Exchange 2003 Security Overview • Smart Screen and Spam Filtering Technology • Secure External Client Access • Best Practices and tools for Securing Exchange
Exchange 2003 Security Considerations: Features and considerations: • Secure by design and default • Many different clients and connection methods • Deployment Scenarios • Firewall implementations at the perimeter • SMTP Anti-Relay • Email filtering by Sender, Recipient and Connection filtering, including Block List services • SPAM filtering • Anti Virus Support • Outlook Web Access publishing
Exchange Server Deployment Scenarios FE/BE deployment General deployment Front-endExchange server Back-end Exchange servers Exchangeserver ISA Server integrated Exchangeserver ISA server Internet
Securing Exchange at the perimeter ISA 2004 Firewall Interaction (SMTP) Exchange Server
SSL Internet client Traditional firewall WebSrv/ OWA OWA Publishing without ISA 2004 Web server prompts for authentication — any Internet user can access this prompt …which allows viruses and worms to pass through undetected… SSL tunnels through traditional firewalls because it is encrypted… …and infect internal servers!
SSL or HTTP SSL Internet client WebSrv/ OWA ISA Server 2004 OWA Publishing with ISA 2004 ISA Server with HTTP Filtering URLScan for ISA Server can stop Web attacks at the network edge, even over encrypted SSL ISA Server pre-authenticates users, eliminating multiple dialog boxes and only allowing valid traffic through ISA Server can decrypt and inspect SSL traffic inspected traffic can be sent to the internal server re-encrypted or in the clear.
demonstration • Securely Publishing Exchange with ISA 2004 • SMTP Publishing • SMTP Keyword / Attachment Filtering • OWA Publishing
Agenda • Exchange 2003 Security Overview • Smart Screen and Spam Filtering Technology • Secure External Client Access • Best Practices and tools for Securing Exchange
Exchange Message Filtering Accept/ Deny Lists Information Store Block Lists Recipient Filter Sender Filtering Intelligent Message Filter
Intelligent Message Filtering • Utilizes Smart Screen Machine Learning • Applied at the gateway • Marks message with Spam Confidence Level (SCL) rating • Utilized throughout the mail stream • Scans headers, body of message and other attributes.
3rd Party Tools (Anti-Virus) SCL 5 SCL 8 SCL 5 Smart Screen Algorithm Junk E-mail Folder Inbox Spam Filtering with IMFSmart Screen Technology Gateway Server Mailbox Store Server
demonstration • The Intelligent Message Filter • Exchange 2003 UCE Control Features • Installing IMF • Configuring IMF
Agenda • Exchange 2003 Security Overview • Smart Screen and Spam Filtering Technology • Secure External Client Access • Best Practices and tools for Securing Exchange
Secure External Client Access to Exchange Server: What Are the Challenges? Outlook mobile accessXHTML, cHTML, HTML ActiveSync-Enabled mobile devices Exchange front-end server Wireless network Outlook web access Outlook using RPC Outlook using RPC over HTTP(S) Outlook express using IMAP4 or POP3 ISAserver Exchange back-end servers
Configuring Secure Outlook RPC / RPC over HTTP(S) Client Access ISAserver Outlook client Exchange servers Use the mail server publishing rule to enable Outlook RPC connections
Configuring RPC over HTTP(S) Client Access Considerations RPC over HTTP(S) requires: • Outlook 2003 running on Windows XP • Exchange Server 2003 running on Windows Server 2003 and Windows Server 2003 global catalog servers • Windows Server 2003 server running RPC proxy server • Modifying the Outlook profile to use RPC over HTTP(S) to connect to the Exchange server To enable RPC over HTTP(S) connections through ISA Server, use the Secure Web Publishing Wizard to publish the /rpc/*virtual directory
demonstration • RPC over HTTPS • Installing RPC over HTTPS • Configuration of ISA Server
Agenda • Exchange 2003 Security Overview • Smart Screen and Spam Filtering Technology • Secure External Client Access • Best Practices and tools for Securing Exchange
Maintaining Security on Exchange Server: What Are the Challenges? Challenges to maintaining security on an Exchange server include: • Hardening the Servers • Keeping up with the latest security updates • Keeping up with recommended best practices • Understanding the impact of configuring the various options within Exchange Server • Maintaining documentation on configuration and security settings
Hardening Back-End Exchange Servers Tasks for hardening back-end Exchange servers include: • Hardening services (Reduce Attack Surface) • Hardening file access control lists (ACLs) • Changing privilege rights • Enabling additional services (optional) Apply the Exchange 2003 Backend.inf security template to your back-end servers
Hardening Front-End Exchange Servers Tasks for hardening front-end Exchange servers include: • Hardening services (Reduce Attack Surface) • Hardening file access control lists (ACLs) • Enabling additional services (optional) • Running URLScan (optional but recommended) • Dismounting the mailbox store and deleting the public folder store (optional but recommended) Apply the Exchange 2003 Frontend.infsecurity template to your front-end servers
Analyzing Exchange Server 2003 Using MBSA MBSA checks for issues related to the following: ü Known Windows and Internet Explorer security issues ü Missing security updates ü Weak account passwords ü Internet Information Services (IIS) security issues ü SQL Server security issues ü Exchange Server security issues
Validating Exchange Server Configuration Settings ExBPA can examine your Exchange servers to: Generate a list of issues, such as misconfigurations or unsupported or non-recommended options ü ü Judge the general health of a system ü Help troubleshoot specific problems ü Includes the MBSA tool
Securing Exchange Servers: Best Practices Decide on Exchange Server design and harden servers according to their roles ü ü Limit Exchange Server functionality to clients that are strictly required ü Remain current with the latest updates for both Exchange Server 2003 and the operating system ü Use ISA Server 2004 to regulate access for HTTP, RPC over HTTPS, POP3, and IMAP4 traffic Use SSL/TLS and forms-based authentication for Outlook Web Access ü
demonstration • Exchange Tools • Exchange Best Practice Analyzer
Session Summary Deploy Exchange Server 2003 and Microsoft Office Outlook 2003 to take advantage of the latest security enhancements ü Implement the appropriate base and incremental security templates to fully secure Exchange Server ü Keep up to date with the latest best practices and techniques for securing Exchange Server 2003 ü Install Exchange-aware antivirus applications and maintain security using the MBSA and ExBPA tools ü Protect against unwanted e-mail by implementing a layered approach using features such as filtering and the Intelligent Message Filter utility ü
For More Information… • Main TechNet Web site at • www.microsoft.ca/technet • Anti Spam Capabilities in Exchange 2003 • www.microsoft.com/exchange/techinfo/security/antispam.asp • Microsoft Anti Spam Technology • www.microsoft.com/mscorp/twc/privacy/spam.mspx • IMF download from • www.microsoft.com/exchange/imf