
Implementing Exchange Server Security

Implementing Exchange Server Security. Ward Solutions. Session Prerequisites. Hands-on experience with Microsoft Windows Server 2003 Working knowledge of Microsoft Exchange Server 2003 Working knowledge of Internet protocols including POP3, IMAP4, SMTP, HTTP, and NNTP

Audrey

Presentation Transcript


  1. Implementing Exchange Server Security Ward Solutions

  2. Session Prerequisites • Hands-on experience with Microsoft Windows Server 2003 • Working knowledge of Microsoft Exchange Server 2003 • Working knowledge of Internet protocols including POP3, IMAP4, SMTP, HTTP, and NNTP • Working knowledge of networking, including TCP/IP, DNS, and IIS • Basic understanding of PKI concepts and technologies Level 300

  3. Session Overview • Implementing Exchange Server • Securing Exchange Server Services and Messaging Protocols • Maintaining Security on Exchange Server • Configuring Exchange to Protect Against Unwanted E-Mail

  4. Implementing Exchange Server • Implementing Exchange Server • Securing Exchange Server Services and Messaging Protocols • Maintaining Security on Exchange Server • Configuring Exchange to Protect Against Unwanted E-Mail

  5. Exchange Server 2003 Security Overview Secure by default • User logon on server disabled • Messaging limits configuration of 10MB Secure by design • Secure by default • Support for Sender, Recipient and Connection filtering, including Block List services Microsoft Exchange Server 2003 Security Enhancements: http://www.microsoft.com/exchange/evaluation/security_E2k3.mspx

  6. Exchange Server Deployment Scenarios [Diagram labels: General deployment; FE/BE deployment; ISA Server integrated; Front-end Exchange server; Back-end Exchange servers; Exchange server; ISA server; Internet]

  7. Hosted Exchange

  8. Exchange Server Client Scenarios Exchange Server 2003 client scenarios include the following: General client access: • Microsoft Outlook Mobile client access: • Outlook Web Access • Outlook Mobile Access • Exchange Server ActiveSync

  9. Configuration and Security Update Recommendations for Exchange Server

  10. Implementing a Defense-in-Depth Approach to Exchange Server Security Using a layered approach: • Increases an attacker’s risk of detection • Reduces an attacker’s chance of success Layers: • Data: Strong passwords, ACLs, backup and restore strategy • Application: Application hardening • Host: OS hardening, authentication, security update management, antivirus updates, auditing • Internal network: Network segments, NIDS • Perimeter: Firewalls, border routers, VPNs with quarantine procedures • Physical security: Guards, locks, tracking devices • Policies, procedures, and awareness: Security policies, procedures, and education

  11. Securing Exchange Server Services and Messaging Protocols • Implementing Exchange Server • Securing Exchange Server Services and Messaging Protocols • Maintaining Security on Exchange Server • Configuring Exchange to Protect Against Unwanted E-Mail

  12. Securing Exchange Servers: What Are the Challenges? Challenges to securing an Exchange server include: • Maintaining the security of the underlying Windows infrastructure • Maintaining baseline security hardening practices • Understanding security options for various deployment scenarios

  13. Hardening the Messaging Environment To harden your Exchange messaging environment, deploy the following:

  14. Hardening Back-End Exchange Servers Tasks for hardening back-end Exchange servers include: • Hardening services • Hardening file access control lists (ACLs) • Changing privilege rights • Enabling additional services (optional) Apply the Exchange 2003 Backend.inf security template to your back-end servers

  15. Hardening Front-End Exchange Servers Tasks for hardening front-end Exchange servers include: • Hardening services • Hardening file access control lists (ACLs) • Enabling additional services (optional) • Running URLScan (optional but recommended) • Dismounting the mailbox store and deleting the public folder store (optional but recommended) Apply the Exchange 2003 Frontend.inf security template to your front-end servers

  16. Understanding SMTP Relaying SMTP Relaying: When an SMTP server accepts mail from one DNS domain addressed to mailboxes in another domain, neither one of which the server owns Relaying may be necessary when: • Accepting mail for another organization • Supporting clients that use POP3 or IMAP4 • Supporting applications that generate SMTP mail Prevent open relays by: • Allowing only authenticated computers to relay • Restricting relaying to specific computers or users • Using an SMTP connector to relay mail to particular domains

  17. Demonstration 1: Securing and Testing SMTP Relaying Securing SMTP relaying and testing for open relays
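
The relay rules from slide 16, written out as a small decision model with a weak setting beside a corrected one. This is an added example, not part of the original presentation and not Exchange's own code; `RelayPolicy`, its fields, the domains and the IP addresses are hypothetical, constructed values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RelayPolicy:
    """Hypothetical model of an SMTP virtual server's relay restrictions."""
    local_domains: set                                    # domains the server owns
    relay_networks: list = field(default_factory=list)    # computers allowed to relay
    connector_domains: set = field(default_factory=set)   # SMTP connector address spaces
    allow_authenticated: bool = True

    def decide(self, client_ip, authenticated, rcpt_to):
        """Return (SMTP reply code, reason) for one RCPT TO address."""
        domain = rcpt_to.rsplit("@", 1)[-1].strip("<> ").lower()
        if domain in self.local_domains:
            return 250, "local delivery"            # not relaying at all
        if authenticated and self.allow_authenticated:
            return 250, "relay: authenticated client"
        ip = ipaddress.ip_address(client_ip)
        if any(ip in ipaddress.ip_network(n) for n in self.relay_networks):
            return 250, "relay: permitted computer"
        if domain in self.connector_domains:
            return 250, "relay: SMTP connector domain"
        return 550, "relaying denied"


def is_open_relay(policy, outside_ip="203.0.113.9"):
    """True if an anonymous outside host may send to a domain the server does not own."""
    code, _ = policy.decide(outside_ip, False, "<probe@unowned.example>")
    return code == 250


# Constructed sample policies: a weak setting beside the corrected one.
WEAK = RelayPolicy({"contoso.example"}, relay_networks=["0.0.0.0/0"])
HARDENED = RelayPolicy({"contoso.example"},
                       relay_networks=["10.0.0.25/32"],        # one application server
                       connector_domains={"partner.example"})

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "open relay:", is_open_relay(policy))
```
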

  18. Securing SMTP Communication Between Mail Servers To secure SMTP communication between servers: 1. Install and configure an X.509 certificate on the SMTP server 2. Enable and configure TLS encryption for inbound mail 3. Enable and configure TLS encryption for outbound mail to specific domains

  19. Securing Exchange Servers: Best Practices • Limit Exchange Server functionality to clients that are strictly required • Remain current with the latest updates for both Exchange Server 2003 and the operating system • Use ISA Server 2004 to regulate access for HTTP, RPC over HTTPS, POP3, and IMAP4 traffic • Use SSL/TLS and forms-based authentication for Outlook Web Access

  20. Maintaining Security on Exchange Server • Implementing Exchange Server • Securing Exchange Server Services and Messaging Protocols • Maintaining Security on Exchange Server • Configuring Exchange to Protect Against Unwanted E-Mail

  21. Maintaining Security on Exchange Server: What Are the Challenges? Challenges to maintaining security on an Exchange server include: • Keeping up with the latest security updates • Keeping up with recommended best practices • Understanding the impact of configuring the various options within Exchange Server • Maintaining documentation on configuration and security settings

  22. Analyzing Exchange Server 2003 Using MBSA MBSA checks for issues related to the following: • Known Windows and Internet Explorer security issues • Missing security updates • Weak account passwords • Internet Information Services (IIS) security issues • SQL Server security issues • Exchange Server security issues

  23. Validating Exchange Server Configuration Settings ExBPA can examine your Exchange servers to: • Generate a list of issues, such as misconfigurations or unsupported or non-recommended options • Judge the general health of a system • Help troubleshoot specific problems

  24. Demonstration 2: Analyzing Configuration Settings on Exchange Server 2003 Analyze Exchange Server using MBSA and the ExBPA Tool

  25. Implementing Antivirus Protection on Exchange Server Consider the following when designing and implementing an antivirus solution: • Design a defense-in-depth approach • Implement an antivirus scanner that supports AVAPI 2.5 • Prevent file-based scanning on Exchange Server folders

  26. Configuring Exchange to Protect Against Unwanted E-Mail • Implementing Exchange Server • Securing Exchange Server Services and Messaging Protocols • Maintaining Security on Exchange Server • Configuring Exchange to Protect Against Unwanted E-Mail

  27. Preparing for and Installing IMF - what is Spam? • Unsolicited Commercial E-mail • More than 50% of email traffic • Costly use of resources • IT • Personnel • Potentially offensive

  28. Phishing

  29. Preparing for and Installing IMF Microsoft’s Anti-UCE Strategy • Innovative Technologies • Industry Self-Regulation and Cooperation • Working with Governments

  30. What Are the Exchange Options for Limiting Unwanted E-Mail? Options to limit unwanted e-mail include: • Recipient filtering • Sender filtering • Connection filtering • Microsoft Exchange Intelligent Message Filter

  31. Preparing for and Installing IMF [Diagram labels: Accept/Deny Lists; 3rd-party Block Lists; Recipient Filter; Sender Filtering; Intelligent Message Filter; Information Store]

  32. Preparing for and Installing IMF - Exchange 2003 Anti Spam Strategy

  33. Configuring Filtering by Recipient Address Recipient filtering blocks mail to specified addresses within your domain and filters e-mail addressed to users who are not in your Active Directory

  34. Configuring Filtering by Sender Address or Domain Sender filtering blocks mail from specified senders or domains

  35. Implementing Real-Time Block List Support Using Connection Filtering Connection filtering is used to configure Exchange Server to contact a Real-Time Block List (RBL) provider

  36. Demonstration 3: Implementing Real-Time Block List Support Configure Real-Time Block List Support
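
How a connection filter consults a Real-Time Block List over DNS, including the cases where the answer is not a listing or the lookup fails. This is an added example, not part of the original presentation; the zone `rbl.example`, the sample records, the accept list and the fail-open choice on lookup errors are assumptions of the example.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")   # block-list answers live here

def rbl_query_name(client_ip, zone):
    """DNS name to look up: the client's octets reversed, then the provider's zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def rbl_verdict(client_ip, zone, resolve, accept_list=()):
    """Decide on a connecting IP. resolve(name) returns a list of A records
    ([] when the name does not exist) and is injected so the example runs offline."""
    ip = ipaddress.IPv4Address(client_ip)
    if any(ip in ipaddress.ip_network(n) for n in accept_list):
        return "accept", "on accept list, block list not consulted"
    try:
        answers = resolve(rbl_query_name(client_ip, zone))
    except OSError:
        # Assumption of this example: a provider outage must not stop mail flow.
        return "accept", "lookup failed, failing open"
    codes = sorted(a for a in answers if ipaddress.IPv4Address(a) in LOOPBACK)
    if codes:
        return "reject", "listed: " + ",".join(codes)
    return "accept", "not listed"

# Constructed zone data for the hypothetical provider zone "rbl.example".
ZONE = {
    "99.2.0.192.rbl.example": ["127.0.0.2"],       # listed sender
    "8.100.51.198.rbl.example": ["203.0.113.1"],   # wildcard answer, not a listing
}

def fake_resolve(name):
    """Offline stand-in for a DNS A-record lookup."""
    if name == "1.113.0.203.rbl.example":
        raise OSError("constructed timeout")
    return ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.99", "198.51.100.8", "203.0.113.1", "198.51.100.7"):
        print(ip, rbl_verdict(ip, "rbl.example", fake_resolve))
```

Only answers inside 127.0.0.0/8 count as a listing, so a resolver that rewrites NXDOMAIN into an ordinary address does not cause every sender to be rejected.
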

  37. Overview of Exchange Intelligent Message Filter Exchange Intelligent Message Filter is an add-on product to help companies reduce the amount of unsolicited commercial e-mail received by users

  38. Preparing for and Installing IMF Intelligent Message Filtering • Utilizes Smart Screen Machine Learning • Applied at the gateway • Marks message with Spam Confidence Level (SCL) rating • Utilized throughout the mail stream • Scans headers, body of message and other attributes. • Hotmail and MSN • Outlook 2003 – Junk Folder • 3rd Party products

  39. Deploying the Intelligent Message Filter [Diagram labels: Internet; Firewall; Exchange Gateway Servers; Intelligent Message Filter; Exchange Intranet Servers] Intelligent Message Filter handles e-mail based upon two thresholds: • Gateway blocking configuration • Store junk e-mail configuration

  40. [Diagram labels: Smart Screen Technology; Smart Screen Algorithm; Gateway Server; Mailbox Store Server; Client; 3rd Party Tools; SCL 5; SCL 8; SCL 5]

  41. How the Intelligent Message Filter Works with Exchange and Outlook [Flow diagram labels: Internet; Exchange Server 2003 Gateway Server; Connection filtering; Recipient filtering; Sender filtering; Intelligent Message Filter (Gateway Threshold); Spam; Exchange Server 2003 Back-end; Store threshold; Blocked sender; Safe sender; User mailbox; Inbox; Junk; decision branches Yes/No]

  42. Managing IMF Archived Messages Using the Archive Manager • Archive Manager C# tool released with source on GotDotNet • http://workspaces.gotdotnet.com/imfarchive • Supports the following features: • Tree view of the Archive directory of messages • View of RFC2822 decoded headers and raw message • Resubmission of message to pickup directory • Deletion of messages • Forwarding of message as attachment to third-party address

  43. Demonstration 4: Implementing Exchange Intelligent Message Filter Implement and configure Intelligent Message Filter

  44. Session Summary • Deploy Exchange Server 2003 and Microsoft Office Outlook 2003 to take advantage of the latest security enhancements • Implement the appropriate base and incremental security templates to fully secure Exchange Server • Install Exchange-aware antivirus applications and maintain security using the MBSA and ExBPA tools • Protect against unwanted e-mail by implementing a layered approach using features such as filtering and the Intelligent Message Filter utility

  45. Next Steps • Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx • Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx • Find additional e-learning clinics: https://www.microsoftelearning.com/security • Get additional security information on Exchange Server 2003: http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/default.mspx

  46. Questions and Answers
