1 / 30

Intro 2 Exchange - Chapter 10 - Securing Exchange 2003

Intro 2 Exchange - Chapter 10 - Securing Exchange 2003. Administering Permissions within Exchange 2003. Overview. In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs

miron
Download Presentation

Intro 2 Exchange - Chapter 10 - Securing Exchange 2003

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intro 2 Exchange - Chapter 10 - Securing Exchange 2003

  2. Administering Permissions within Exchange 2003

  3. Overview • In Exchange security is managed by assigning permissions in Active Directory • Exchange objects are secured with DACL and ACEs • Permissions assigned to an object can be applied directly to the object or inherited from a parent object • There two types of Permissions • Standard Permissions • Part of the default permissions for Active Directory • Extended Permissions • Added when Exchange is installed • Used to gain more specific administrative

  4. Delegating Authority

  5. Overview • When implementing an Exchange 2003 infrastructure an appropriate Administrative model needs to be chosen • To facilitate creating different Administrative Models Exchange 2003 provides an Exchange Delegation Wizard • Exchange Delegation Wizard enables an Administrator to select a user or group and give them a specific administrative role with the organization

  6. Supported Roles

  7. Exchange Full Administrator

  8. Users can fully administer Exchange System Information • Add • Delete • Rename • Modify Permissions

  9. Should be delegated to Administrators who need to configure and control access to the mail system

  10. Permissions • Container • Microsoft Exchange • Full Control • Organization • Send As and Receive As denied • Administrative Groups • All Permissions inherited; Send As and Receive As denied

  11. Exchange Administrator

  12. Users can fully administer Exchange System Information • Add • Delete • Rename • Cannot Modify Permissions

  13. Should be delegated to users or groups who are responsible for day-to-day administration of Exchange

  14. Permissions • Container • Microsoft Exchange • All permissions except Full Control • Organization • Send As and Receive As denied • Administrative Groups • All Permissions inherited except Full Control and Change; Send As and Receive As denied

  15. Exchange View Only Administrator

  16. User can view Exchange configuration information

  17. Should be delegated to administrators of other administrative groups who need to access an organizations's information

  18. Permissions • Container • Microsoft Exchange • Read, List Object and List Contents permissions allowed • Organization • Read, List Object and List Contents permissions inherited • View information store status permission allowed • Administrative Groups • Read, List Object and List Contents permissions inherited • View information store status permission inherited

  19. Public Key Infrastructures • Overview • To enable secure messaging Exchange relies on digital signatures and certification authorities to identify sending and receiving parties • System used for authentication is known as Public Key Infrastructures (PKI) • Microsoft has a proprietary PKI provided through Key Management Service (KMS) used with Exchange 2000 • KMS removed in Exchange 2003 and certification PKI is handled by the OS

  20. Public Key Infrastructures (2) • Key-Based Cryptography • Cryptographic algorithms fall into one of two categories Symmetric and Asymmetric • Symmetric cryptography • Known as secret key cryptography • Sender and receiver share a single, predetermined key • Sender and receiver need to decide on and transmit the shared key they can send any encrypted messages • Asymmetric cryptography • Known as public key cryptography • Keys used for Encryption and Decryption are different • Sender and receiver do not need to decided on a key or transmit prior to sending encrypted messages

  21. Public Key Infrastructures (3) • Certificates, Certificate Authorities and Trust • To encrypt messages using a public key encryption system senders need to be able to access public keys of intended recipients • Requires the use of a third party to act as a repository for the users' public keys and verify keys are associated with the appropriate users • A certificate is a digital declaration that contains a given user's public key and authenticates the user • A Certificate Authority (CA) is an entity that issues the certificate and attests to the fact that the certificate is valid and the user is authenticated • A CA can be a third-party company such as VeriSign or a Windows 2003 server configured as a CA within the organization

  22. Windows 2003 Public Key Infrastructures • Windows uses Certificate Services to create a CA • The CA issues and manages digital certificates in either an enterprise situation or a stand-alone situation • Enterprise • Integrated with Active Directory • Stand Alone • Can be members of a domain • Can be part of a workgroup • Two types of certification hierarchies: Rooted and Cross Certification • Rooted Hierarchy • Defines either an enterprise root CA or a stand alone CA • Root CA issues itself a certificate called a self-signed certificate • Below the root CA are one or more Enterprise or Stand Alone subordinate CAs • Cross Certification Hierarchy • CA acts as both a root CA and a subordinate CA • Used when two organizations want to establish a certificate trust between themselves • Commonly deployed in business-to-business scenarios when participating organizations have existing CA hierarchies

  23. Securing Communications • SSL/TLS can be used to secure SMTP traffic between e-mail servers • SSL/TLS can be used to secure both client-to-server traffic and server-to-traffic • Securing client-to-server traffic is less complicated than securing server-to-server traffic • Clients that use SMTP but not SSL cannot communicate with servers configured to SSL • ESMTP must be configured to allow clients to query what features they support

  24. Securing Communications (2) • Possible configurations when enabling SSL/TLS • Force SSL/TLS for all e-mail traffic • Enabling SSL/TLS for specific domains • Enabling SSL/TLS for inbound e-mail

  25. E-Mail Encryption • S/MIME protocol is used to secure e-mail by digitally signing or encrypting email messages • SSL/TLS secures messages during transit. S/MIME ensures end-to-end security • Encrypts on send • Decrypts on receive • S/MIME uses certificates to encrypt/decrypt • Designed to enable compatibility and authentication between different organizations and among different vendors

  26. Summary • Permissions that are assigned to an object within Exchange 2003 can be applied directly to the object itself or they can be inherited • There are two types of permissions Standard and Extended • Standard • Part of the default permissions for Active Directory • Extended • Added when Exchange 2003 is installed • The Exchange Administration delegation wizard enables you to select a user or group and give them a specific administrative role within the organization

  27. Summary (2) • A Microsoft Windows PKI provides an integrated set of services and administrative tools for creating deploying, and managing public key-based applications using public key cryptography • Symmetric Key Cryptography • In symmetric key cryptography, the encryption and decryption are identical. • Parties wanting to secure their communication using secret keys, exchange their encrypted keys securely before they can exchange data

  28. Summary (3) • Asymmetric Key Cryptography • Keys used for encryption and decryption are different • No need for the encryption key to be kept secret • Certificates are used to verify the identities of senders and receivers • A certificate contains a user's public key • A certificate also authenticates a user as who they claim to be • A CA is an entity that issues a digital certificate and attests to the fact that the certificate is valid and that the user is authentic

  29. Summary (4) • A certificate chain associates a certificate with a list of issuing CAs that ultimately leads to a certificate that the receiver implicitly trusts. • A root certificate forms the root of a certificate hierarchy that the receiver accepts as authentic • SSL/TLS can be used to encrypt and secure both client-to-server traffic and server-to-server traffic • Server-to-server SSL/TLS traffic is best handle using a separate dedicated SMTP connector

  30. Summary (5) • The S/MIME protocol allows users to send secure e-mail by digitally signing or encrypting e-mail messages • S/MIME is an updated version of MIME encoding standard that ensures so-called end-to-end security by allowing users to encrypt message when they are created and by allowing recipients to decrypt messages upon receipt

More Related