Contents
Overview 1
Lesson: Preparing for and Protecting Against Computer Viruses 2
Lesson: Securing Mailboxes 15
Lesson: Implementing Digital Signature and Encryption Capabilities 28
Lesson: Configuring Firewalls 38
Lesson: Configuring Administrative Permissions 48
Lesson: Allowing Only the Required Services to Run on Exchange 2003 61
Discussion: Securing Exchange Server 2003 70
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or
for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, MS-DOS, Windows, Windows NT, Windows Server, ActiveSync, ActiveX, Active
Directory, Hotmail, MSDN, MSN, Outlook, PowerPoint, Visual Basic, and Windows Media are
either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Module 3: Securing Exchange Server 2003 iii
Instructor Notes
Presentation: 70 minutes
Practices: 50 minutes
This module provides students with knowledge and skills that are necessary to implement security on the server running Microsoft® Exchange 2003. Implementing security on the Exchange server is the final step of getting a new Exchange server functioning in the actual environment. Securing Exchange Server 2003 involves implementing antivirus strategies, implementing digital signatures and encryption features, configuring firewalls, and setting administrative permissions.
After completing this module, students will be able to:
! Prepare for and protect against computer viruses.
! Secure mailboxes.
! Implement digital signatures and encryption capabilities.
! Configure firewalls.
! Configure administrative permissions.
! Allow only the required services to run on Exchange 2003.
Required materials: To teach this module, you need the following materials:
! Microsoft PowerPoint® file 2400B_03.ppt
! Video file 2400B_03_v05.wmv
! Module 3 animation, Connecting MAPI Clients to Exchange Server 2003
Through a Firewall, 2400B_03A_05.swf
! The job aid Creating Virus-Clean Policies and Procedures on the Student
Materials compact disc
Classroom setup: The classroom should be set up to use Connectix Virtual PC software, as discussed in the Manual Classroom Setup Guide. No additional classroom setup is needed.
Tip When this icon appears on the lower-right corner of a slide, it indicates
that students must complete an inline practice before you move on to the next
slide:
Practices: Some practices in this module require initial startup time. Consider having students perform the initial step in these practices before you begin the lecture on the related content. If a practice begins with a procedure titled “To prepare for this practice,” then it requires initial startup time.
What Are Computer Viruses?
Ask students what they know about viruses. Discuss differences between viruses, worms, and Trojan horses. Emphasize that worms and Trojan horses are not technically viruses. However, to provide consistency between the technical documentation and Course 2400, Implementing and Managing Microsoft Exchange Server 2003, the topics of worms and Trojan horses are included as part of the virus topics.
How Are Viruses Spread?
Use this animated slide to explain the process through which viruses spread in an Exchange organization. Use the associated text box that appears with each click to guide you through your explanation of how viruses spread. Emphasize to the students that they must always install and configure new computers while they are disconnected from the network because a virus can also infect secure resources, such as files, applications, and operating system source files.
Guidelines for Preparing an Antivirus Strategy
Discuss the three guidelines that must be followed while preparing an antivirus strategy for an Exchange organization. Because of the prevalent virus attacks in many companies, emphasize that students should consider configuring their messaging systems to block attachments of known exploitable file types, such as .bat, .com, .scr, .vbs, and embedded Hypertext Markup Language (HTML) scripts.
Emphasize that students need to understand the capabilities and be aware of the impacts that their antivirus solution may have on Exchange as well as other Microsoft Windows® services. Point out that file-level scans should exclude Exchange database files and that if students are running Windows 2000, antivirus scanning of the Microsoft Internet Information Services (IIS) metabase may cause corruption and failure of IIS.
Considerations When Choosing Antivirus Software
Use the table in this slide to discuss the antivirus software features that students should take into consideration when protecting their company’s components from virus threats.
Explain to students the features that are supported by Exchange Virus Scanning Application Programming Interface (VSAPI) 2.5. For information on third-party vendors that develop antivirus software for Exchange, refer students to http://www.microsoft.com/exchange/partners/antivirus.asp.
What Are Virus-Clean Policies and Procedures?
Use this slide to explain why virus-clean policies and procedures should be in place before a virus attack occurs. Emphasize that if students have the virus-clean policies and procedures in place, they can avoid making decisions in haste.
Guidelines for Creating Virus-Clean Policies and Procedures
Discuss the guidelines for creating virus-clean policies and procedures. Show students where the job aid Creating Virus-Clean Policies and Procedures resides on the Student Materials compact disc. It is also printed at the back of the student workbooks. This job aid will help the students in answering some key questions about their Exchange organization that need to be answered when developing virus-clean policies and procedures.
The goal of this practice is to have students consider their own policies and procedures for removing viruses in their environment. Lead this discussion so that students realize which components must be documented for their company to respond to a virus incident quickly and efficiently. Students should return to their companies understanding the importance of creating these procedures before they are needed, and able to use the job aid to identify the items for which they need policies and procedures for responding to a virus incident.
What Are Security Updates?
Use this slide to explain the concept of security updates and how they help to eliminate known security vulnerabilities, such as those that are caused by or exploited by viruses. Emphasize that students should quickly evaluate their system to determine if the update is relevant to their current situation.
Where to Locate and Download Security Updates
Use this slide to discuss the bulletins and utilities that can help a student’s company to remain current on the latest security issues and fixes. Tell students that they can download security updates from various Web sites, including http://www.microsoft.com/exchange/downloads and http://support.microsoft.com.
Refer students to Course 2596, Deploying and Managing Microsoft Systems Management Server 2003, for more information about Microsoft Systems Management Server (SMS).
How to Configure the Junk E-Mail Feature
Use this slide to discuss the high-level steps for configuring the Junk E-mail feature in Outlook 2003 and enabling connection filtering. Then have the students complete the inline practice on configuring Exchange to enable connection filtering, and answer any questions that they have.
Guidelines for Securing Mailboxes
Use this slide to discuss the guidelines that students should follow for securing mailboxes. Emphasize that this is a critical task because user mailboxes, mailbox features, and mailbox content are often one of the greatest security risks within any company.
What Is Recipient and Sender Filtering?
Discuss the concepts of recipient filtering and sender filtering. Remember to tell the students that recipient filtering rules apply only to anonymous connections. Authenticated users and other Exchange servers bypass these rules.
How to Create and Apply Recipient and Sender Filtering
Use this slide to discuss the high-level steps for creating and applying recipient filtering, and for creating and applying sender filtering. Then have the students complete the inline practice on configuring Exchange to block e-mail addresses and domains, and answer any questions that they have.
Guidelines for Cleaning E-Mail of Viruses
Use this slide to discuss the steps for developing specific procedures for creating a virus-clean network environment after a virus has attacked the students’ messaging system. Explain that these procedures can be customized for their particular situation.
What Is a PKI?
Use this slide to discuss a public key infrastructure (PKI) policy that is used for establishing a secure method for exchanging information.
What Are the PKI Components That Enable Digital Signature and Encryption Capabilities?
Use this slide to briefly discuss the components that enable digital signature and encryption capabilities. Refer students to Module 5, “Using a PKI to Secure Information,” in Course 2810, Fundamentals of Network Security, and Course 2821, Designing and Managing a Public Key Infrastructure, for more information about PKI.
How the Enrollment Process Enables Digital Signature and Encryption Capabilities
Use this slide to discuss the enrollment process. Emphasize that although the enrollment process varies with the certification authority (CA) that is used and its policies, the steps in the student workbook outline the general process.
The Process of Creating and Deploying Digital Signature and Encryption Certificates
Use this slide to discuss the process to digitally sign and encrypt e-mail messages.
How to Configure Digital Signature and Encryption Capabilities
Use this slide to discuss the steps for configuring Outlook to use the certificates to enable digital signature and encryption capabilities. Then have the students complete the inline practice on configuring Exchange to allow users to digitally sign and encrypt messages, and answer any questions that they have.
Options for Connecting a MAPI Client to an Exchange Server When Separated by a Firewall
Discuss the options that are required if students have a firewall separating the MAPI client and the Exchange server. Be prepared to explain to your students that there are other options, such as Outlook Web Access, for accessing Exchange, and that this topic is intended to explain the configuration requirements that a MAPI client, such as Outlook, places on their Exchange network.
Recommended Options for Connecting a MAPI Client to an Exchange Server When Separated by a Firewall
Use this slide to discuss the two options for the location of an RPC proxy server when students deploy RPC over HTTP in their network.
Multimedia: Connecting MAPI Clients to Exchange Server Through a Firewall
Use the animation to show the ports that MAPI uses and the client request process, how the firewall is configured to allow messages to travel across the firewall, and how a MAPI client can use RPC over HTTP to access Exchange Server 2003. Use the animation and the discussion questions to help your students understand the security requirements when a MAPI client is used to access Exchange through a firewall.
How to Configure Advanced Security Permissions by Using Adsiedit.exe
Use this slide to discuss the high-level steps for applying advanced security settings by using Adsiedit.exe. Then have the students complete the inline practice on configuring custom security permissions, and answer any questions that they have.
What Are the Required Services on an Exchange Front-End Server?
Use the table on this slide to discuss the services that must be configured for an Outlook Web Access front-end server. Also discuss the additional service considerations. Tell the students that the information in the topic assumes that they plan to use front-end servers to establish HTTP connections. If they plan to configure POP3 or IMAP4, they must enable either the POP3 or IMAP4 service, but they must not use the World Wide Web Publishing Service.
What Are the Required Services on an Exchange Back-End or Mailbox Server?
Use the table on this slide to discuss how Exchange services can be configured for a back-end server. Also discuss the additional service considerations. Refer students to the white papers Microsoft Exchange Server Front-End and Back-End Topology and Security Operations for Microsoft Exchange 2000 Server in the Additional Reading section of the Student Materials compact disc for more information about front-end and back-end servers, and securing the Exchange server.
Assessment
Assessment questions for this module are located on the Student Materials
compact disc. You can use the assessment questions in whatever way you think
is best for your students. For example, you can use them as pre-assessments to
help students identify areas of difficulty. Or you can use them as post-
assessments to validate learning. Consider using the questions to reinforce
learning at the end of the day or at the beginning of the next day. If you choose
not to use the assessment questions during class, show students where they are
so that they can use them to assess their own learning outside of class.
Overview
Important Worms and Trojan horses are not technically viruses. However,
these two programs are typically categorized as viruses in technical
documentation. Therefore, to provide consistency with current documentation,
throughout Course 2400, Implementing and Managing Microsoft Exchange
Server 2003, the topics of worms and Trojan horses are included as part of the
virus topics.
Important A virus can also infect secure resources, such as files, applications,
and operating system source files. Therefore, always install and configure new
computers while they are disconnected from the network. Before you reconnect
to the network, you should apply software upgrades, and then install antivirus
software and run a manual scan of the software by using the latest signature
files.
Note Any file level scan of your Exchange server must exclude Exchange
database files (*.edb, *.stm, and *.log files) from being scanned to prevent
antivirus software from corrupting the database when it attempts to clean a
virus from one of these files.
Ensure that the antivirus software is current
Because new computer viruses (or strains of old viruses) are constantly being created, one of the most important tasks when implementing an antivirus strategy is to ensure that your antivirus software is up-to-date. You should also provide automatic updates for every component that you want to protect, such as client computers, Exchange servers, and firewalls. Automatic updates do not require administrator or user intervention, and they are particularly important on client computers because users often do not update their software regularly. Remember, however, that these updates can introduce new code. By configuring systems for automatic updates, you will not have a chance to test the code in your environment, so you cannot tell in advance whether the new code conflicts with existing software or causes problems such as a program that stops responding.
Component to protect: Exchange server
Antivirus software feature: Exchange 2003 support
Antivirus software considerations:
• Does the software integrate with Exchange 2003 and the other servers in your environment?
• Does the software significantly interfere with Exchange performance?
• Is the software supported by the software vendor for use with Exchange?

Component to protect: Client
Antivirus software feature: Distribution functionality
• Does the software provide automated deployment of client-based software?
Antivirus software feature: Administrative tools
• Are there mechanisms for reporting and monitoring client desktops from a single, central location?
• Are remote systems protected with the same level of security as locally connected computers?

Component to protect: Server and firewall
Antivirus software feature: E-mail scan
• Does the software scan inbound and outbound e-mail?

Component to protect: All components
Antivirus software feature: Software updates
• Does the software allow for quick and automated updates?
• How often does the vendor release product updates, especially in the event of a virus attack?
Antivirus software feature: Varied virus detection
• Does the software guard against viruses, worms, Trojan horses, and other malicious code such as macro viruses and malicious scripts?
• Does the vendor provide assurance that their product will be frequently updated to detect new viruses as needed?
• Is the vendor certified (TruSecure ICSA Lab or CheckMark)?
Antivirus software feature: Multiple scan locations
• Does the software provide virus scanning at the Exchange client, Exchange information store, Exchange transport, and firewall level?
Practice: Creating Virus-Clean Policies and Procedures
In this practice, you will use the job aid titled Creating Virus-Clean Policies and Procedures at the end of the workbook to help you plan what actions should be taken to recover from a virus attack in your company. A copy of this job aid is also included on the Student Materials compact disc.
Review the checklist, and then prepare to answer the following questions. There are no correct or incorrect answers in this discussion.
Discussion questions: Answer the following questions during the classroom discussion.
1. If a virus were to infect your messaging system, are there specific
individuals that are responsible for responding to the virus attack?
• What are the advantages of having this information documented?
2. To be able to communicate the impact of the attack, do you have a
communication plan in place?
• Would the best mechanism for communicating information about a virus
be by notifying your users through e-mail?
• Why or why not?
3. Would the actions that you take to get rid of a virus change if more than one
person were impacted by the virus?
• What if your whole company was impacted?
4. Do you know the Web site and support numbers for your virus vendor in
case of a virus attack?
5. Does your backup routine give you the ability to recover from a severe virus
attack where the virus cannot be removed from a server?
Note For more information about SMS, see Course 2596, Deploying and
Managing Microsoft Systems Management Server 2003.
What is a block list?
A block list is a list of domain names and Internet Protocol (IP) addresses that are known to send unsolicited commercial e-mail. You can develop a block list for your company by routinely adding, in your Global Accept and Deny List Configuration, the IP addresses from which you will accept or deny e-mail. Or, you can subscribe to a block list that is maintained by a third-party company, such as Mail Abuse Prevention System (MAPS). Block lists that are maintained by third-party companies are typically called Realtime Blackhole Lists or Relay Blocking Lists. To use block lists, you must configure your server to use these third-party services.
While block lists can reduce the amount of unsolicited e-mail that you receive,
they have some limitations, which are as follows:
! Block lists cannot completely prevent unsolicited e-mail because people
who send this type of e-mail use a variety of tactics, such as spoofing (or
forging) subject headers or using third-party servers to send the mail to
evade block lists.
! Block lists can also block legitimate e-mail because some domains may be
incorrectly listed in the block list.
What is connection filtering?
Connection filtering is an Exchange 2003 junk e-mail protection feature that enables you to check the IP address of the connecting SMTP server against those that are listed on a block list. If a match is found between IP addresses, Exchange rejects every intended message recipient unless it is a recipient who is defined as an exception. Exchange 2003 connection filtering also enables you to:
! Configure multiple connection filter rules. You can configure multiple connection filter rules and then prioritize the order in which the rules are applied to the IP address of the connecting SMTP server. When you configure multiple connection filter rules, the rules are checked in the order that they appear. Creating multiple rules enables you to use the same IP address with a different set of rules, for example, when you subscribe to two different block list providers.
The connection filtering process
When you configure connection filtering, you establish a rule that SMTP uses to perform a Domain Name System (DNS) lookup on a block list. The connection filter examines each incoming IP address and matches it against the block list. When an e-mail message is sent to your organization, Exchange contacts the block list provider. The provider then checks for the existence of a host record in DNS. Exchange queries for this information are in a specific format; for example, if the connecting IP address is 192.168.5.1 and the block list provider is contoso.blocklist.msft, Exchange queries for the existence of the following record:
1.5.168.192.contoso.blocklist.msft IN A 127.0.0.x
Depending on whether this IP address is on the block list, the block list provider issues one of two responses:
! 127.0.0.x status code. This response indicates that the IP address was found on the block list, and it also lists the type of offense, such as known source of unsolicited e-mail or known relay server.
! Host not found. This response indicates that the IP address was not found on the block list.
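The query format and the two responses just described, as an added example that is not part of the course materials: the code builds the reversed-octet block-list name from a connecting IP address, treats a 127.0.0.x answer as a listing and "host not found" as not listed, and applies the reject-every-recipient-unless-excepted rule. The zone name contoso.blocklist.msft is from the text; the in-memory resolver, the offense-code meanings and the recipient addresses are constructed assumptions.

```python
"""Added example (not from the course materials): how an Exchange 2003 style
connection filter forms its block-list (DNSBL) query and applies the answer.

Assumptions: the zone name is the one used in the course text; the resolver is
injected as a callable so the example runs offline; the meaning of the
127.0.0.x codes and the recipient addresses are constructed sample values.
"""
import ipaddress
from typing import Callable, Dict, Iterable, Optional

BLOCKLIST_ZONE = "contoso.blocklist.msft"   # provider zone named in the text

# Constructed sample code table. Real providers publish their own meanings for
# the last octet of a 127.0.0.x answer; these two are illustrative only.
OFFENSE_CODES = {
    2: "known source of unsolicited e-mail",
    3: "known relay server",
}

LOOPBACK_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(connecting_ip: str, zone: str = BLOCKLIST_ZONE) -> str:
    """Reverse the octets and append the zone: 192.168.5.1 -> 1.5.168.192.<zone>.

    Parsing through ipaddress rejects malformed input and IPv6 addresses
    (ValueError) instead of silently building a nonsense query name.
    """
    ip = ipaddress.IPv4Address(connecting_ip)
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(answer: Optional[str]) -> bool:
    """'Host not found' (None) means not listed. Only a 127.0.0.x answer counts
    as a listing; any other address is treated as a provider or DNS problem and
    fails open, so a misbehaving list cannot reject all inbound mail."""
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in LOOPBACK_NET


def describe_listing(answer: str) -> str:
    """Map the last octet of the 127.0.0.x answer to the type of offense."""
    code = int(answer.rsplit(".", 1)[1])
    return OFFENSE_CODES.get(code, f"listed with unknown offense code {code}")


def connection_filter(connecting_ip: str,
                      recipients: Iterable[str],
                      resolve: Callable[[str], Optional[str]],
                      exceptions: Iterable[str] = ()) -> Dict[str, str]:
    """Decide per recipient, following the rule in the course text: if the
    connecting SMTP server's IP is on the block list, reject every intended
    recipient except those configured as exceptions."""
    answer = resolve(dnsbl_query_name(connecting_ip))
    if not is_listed(answer):
        return {rcpt: "accept" for rcpt in recipients}
    excepted = {e.lower() for e in exceptions}      # addresses compare case-insensitively
    reason = describe_listing(answer)
    return {
        rcpt: "accept (exception)" if rcpt.lower() in excepted else f"reject: {reason}"
        for rcpt in recipients
    }


# Constructed, in-memory stand-in for the provider's DNS zone (runs offline).
SAMPLE_ZONE_DATA = {
    "1.5.168.192.contoso.blocklist.msft": "127.0.0.2",
    "7.5.168.192.contoso.blocklist.msft": "127.0.0.3",
}


def fake_resolve(name: str) -> Optional[str]:
    """Return the A record for name, or None for 'host not found'."""
    return SAMPLE_ZONE_DATA.get(name)


if __name__ == "__main__":
    rcpts = ["alice@contoso.com", "postmaster@contoso.com"]
    for ip in ("192.168.5.1", "192.168.5.7", "192.168.5.2"):
        print(ip, connection_filter(ip, rcpts, fake_resolve,
                                    exceptions={"postmaster@contoso.com"}))
```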
• If the sender is not listed in the user’s Contacts folder, in the GAL, or on
the Trusted Senders or Trusted Recipients list, the message is checked
against the Junk Senders list. If a match is found, the message is sent to
the Junk E-mail folder.
• If the message has not been stopped, it is then passed through the junk
e-mail filter. The filter ranks the message on a scale from 1 to 10 (1
indicates that the message is junk e-mail and 10 indicates that it is not
junk e-mail). When the filter is set to Low, any message ranked below 4
is sent to the Junk E-mail folder. When the filter is set to High, any
message ranked below 7 is sent to the Junk E-mail folder.
To enable connection filtering
The high-level steps to enable connection filtering in Exchange 2003 are as follows:
1. In Exchange System Manager, configure the Connection Filtering tab on the global Message Delivery object.
2. Apply the filter at the SMTP virtual server level by selecting Advanced on the General tab of the SMTP virtual server object.
Detailed steps for enabling connection filtering in Exchange are included in the practice that follows.
Practice: Configuring Exchange to enable connection filtering
In this practice, you will configure Exchange to enable connection filtering.
! To prepare for this practice
1. Start up 2400_London-Virtual PC, if not already started.
Note This procedure may take 5 minutes to complete before you can continue.
4. If not already open, open Outlook Web Access by using Microsoft Internet Explorer to open the URL http://london/exchange/londonadmin. When prompted for credentials, use nwtraders\londonadmin with a password of P@ssw0rd.
5. Read the message with the subject “Configuring Security” from your team lead, Samantha Smith.
What is sender filtering?
Sender filtering reduces unsolicited commercial e-mail by filtering inbound e-mail based on the sender of the e-mail. Sender filtering enables you to create filters that specify how e-mail messages are managed, based on the sender of the message. For example, you can filter messages that are sent by specific users or messages that are sent without sender addresses. You can archive filtered messages or drop the connection if the sender’s address matches the filter.
Detailed steps for creating and applying recipient filtering are included in the
practice “Blocking E-Mail Addresses and Domains,” later in this lesson.
To create and apply sender filtering
The high-level steps for creating and applying sender filtering are as follows:
1. In Exchange System Manager, configure the Sender Filtering tab on the global Message Delivery object.
2. Apply the filter at the SMTP virtual server level by selecting Advanced on the General tab of the SMTP Virtual Server object.
Detailed steps for creating and applying sender filtering are included in the practice that follows.
Practice: Blocking e-mail addresses and domains
In this practice, you will configure Exchange to block e-mail addresses and domains.
1. In Exchange System Manager, in the console tree, click Global Settings.
2. In the details pane, right-click Message Delivery, and then click Properties.
3. In the Message Delivery Properties dialog box, click Sender Filtering.
You would like to retain a copy of messages that are filtered by your
sender filter. How can you enable Exchange to keep these messages?
In the Message Delivery Properties dialog box, on the Sender
Filtering tab, you should select the Archive filtered messages check
box.
Tip Even if you follow the preceding steps, your messaging system can be
re-infected with a virus. For example, after you clean your messaging system,
an employee returning from time off could inadvertently infect the system again
when opening a piece of e-mail that contains the virus.
Benefits of digital signature and encryption capabilities
Exchange 2003, Outlook, and Outlook Web Access implement digital signature and encryption capabilities by using Secure Multi-Purpose Internet Mail Extensions (S/MIME), which is the version of the MIME protocol that supports encryption. Digital signature and encryption capabilities enable you to strengthen the security of your Exchange 2003 organization by:
! Protecting e-mail from being read by anyone other than the intended recipient while the message is in transit, or while the message is stored either on the client in a .pst file or on the Exchange server in the mailbox store.
! Protecting e-mail from being altered by anyone other than the sender while the message is in transit, or while the message is stored either on the client in a .pst file or on the Exchange server in the mailbox store.
What Is a PKI?
What Are the PKI Components That Enable Digital Signature and Encryption Capabilities?
[Table: PKI component / Description]
Note For more information about PKI, read Module 5, “Using a PKI to Secure Information” in Course 2810, Fundamentals of Network Security, and Course 2821, Designing and Managing a Public Key Infrastructure, or see Security Services on the Windows Server 2003 Technology Centers Web site at http://www.microsoft.com/windowsserver2003/technologies/.
Caution If you receive a multipurpose certificate, you can designate the same
certificate in both the Signing Certificate box and the Encryption Certificate
box.
Practice: Implementing digital signature and encryption capabilities on Exchange
In this practice, you will configure Exchange to allow users to digitally sign and encrypt messages:
1. From the desktop, click Start, point to Administrative Tools, and then click Certification Authority.
2. In Certification Authority, expand Northwind Traders CA.
3. In the console tree, right-click Certificate Templates, point to New, and
then click Certificate Template to Issue.
4. In the Enable Certificate Templates dialog box, click Exchange User and
then click OK.
5. In Certification Authority, right-click Certificate Templates and then click
Manage.
6. In the certtmpl - [Certificate Templates] console, in the details pane,
right-click Exchange User and then click Properties.
7. In the Exchange User Properties dialog box, click Security.
8. On the Security tab, in the Group or user names box, click Authenticated
Users, in the Permissions for Authenticated Users box, for the Enroll
permission, select the Allow check box, and then click OK.
9. Close the Certificate Templates console and close Certification Authority.
What Is a Firewall?
! Use a firewall to filter Internet traffic. You can use a firewall to allow only
essential Internet traffic to pass through each TCP port that you specify. For
example, you can configure your network to allow only SMTP (port 25)
traffic to pass through your firewall, thereby preventing connections on all
of the other ports. You can also connect a server running Exchange 2000 or
Exchange 2003 to the Internet by using an SMTP virtual server. In this
configuration, the server running Exchange only accepts connections on
port 25 because the firewall blocks all of the other ports.
! Use a firewall to maintain Internet connectivity. Although you can use
firewalls in an Exchange environment, for remote clients and servers to
communicate with your network through a firewall, you must open the ports
that Exchange supports.
Exchange 2003 ports and services
An effective security strategy identifies the ports that are associated with each service that your Exchange 2003 organization uses. To reduce your system’s vulnerability to intruders, you should shut down access to ports that you are not using and filter any remaining ports. The following table lists the Exchange 2003 ports and their associated services.
Port            Service
25              SMTP
80              HTTP
88              Kerberos authentication protocol
102             MTA—X.400 connector over TCP/IP
110             Post Office Protocol 3 (POP3)
119             Network News Transfer Protocol (NNTP)
135             Client/server communication; RPC; Exchange administration
143             Internet Message Access Protocol (IMAP)
389             LDAP
443             HTTP (Secure Sockets Layer (SSL))
563             NNTP (SSL)
636             LDAP (SSL)
993             IMAP4 (SSL)
995             POP3 (SSL)
3268 and 3269   Global catalog lookups
! Configure RPC over HTTP. You can configure RPC over HTTP to enable
Outlook 2003 users to connect to the Exchange 2003 server running on
Windows 2003 by using HTTP or Secure HTTP (HTTPS).
! Configure a virtual private network (VPN) connection. You can configure a
VPN connection to allow your users to connect to the Exchange server.
! Configure ISA Server. You can configure ISA Server to route all of the
Internet traffic through a single ISA server to protect the servers that are
inside your Exchange organization.
Discussion question 1
You are the messaging administrator for Northwind Traders. Northwind Traders is in the process of planning to deploy Exchange Server 2003 on Windows Server 2003. Your current e-mail client is Outlook 2000, but eventually you will be upgrading your users to Outlook 2003. During the initial planning stage of the project, a decision was made that all the users, including remote users, will use Outlook to access their Exchange mailboxes.
You have scheduled a meeting with the network infrastructure group to discuss the impact that this deployment will have on firewall configurations and what changes will need to be made. The network infrastructure group has made it clear that they are only willing to open a limited number of ports on the firewall to support your Outlook clients. What will you need to configure on your servers to allow this?
You can use the Registry Editor to assign static port numbers to be returned to MAPI clients accessing the Exchange store on the server running Exchange and the Name Service Provider Interface (NSPI), on domain controllers and servers running Exchange. After you have configured your domain controllers and your servers running Exchange to respond with static port numbers, enable those ports and the endpoint mapper port on your firewall. This reduces the number of ports that you will need to open in the firewall.
Discussion question 2
After your meeting, one member of the network infrastructure group did a little more research and realized that other options were available for configuring MAPI client access to Exchange, and scheduled another meeting. The network infrastructure group feels that a more secure solution for allowing MAPI client access to Exchange through the corporate firewall would be to use RPC over HTTP and deploy ISA Server in the perimeter network.
What ports will need to be enabled on the external firewall? What will you, as the Exchange administrator, need to do to enable using RPC over HTTP?
Only HTTP ports (port 80 or port 443) will need to be enabled on the external firewall.
To allow RPC over HTTP to be used, you will need to:
• Ensure your external MAPI clients are configured to use Outlook 2003.
• Enable your front-end server running Exchange as an RPC proxy server and place it on your internal network.
This option eliminates the need to open the ports for the RPC proxy server to communicate with other computers. The ISA server is responsible for routing RPC over HTTP requests to the Exchange front-end server, which acts as an RPC proxy server.
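The firewall lesson and the two discussion questions above compare ways of admitting Outlook clients through the perimeter firewall: the full dynamic RPC range, static RPC ports plus the endpoint mapper, or RPC over HTTP on a single port. The Python script below is an added example, not part of this module or of any Microsoft tool. It parses a constructed firewall allow-list, expands it into a set of open TCP ports and compares that set with what each client-access design needs, using the port table from this lesson as the reference for naming excess ports. The rule syntax, the sample rules, the static store and NSPI port numbers, and the dynamic RPC range (assumed here to be the Windows Server 2003 default of 1025-5000) are all assumptions or constructed values.

```python
"""Audit a firewall allow-list against the Exchange 2003 port table.

Added example (not part of the module): models the choice in the discussion
questions above and reports which open ports a given design does not need.
"""
from __future__ import annotations

import re

# Reference table from the lesson: Exchange 2003 ports and their services.
EXCHANGE_2003_PORTS: dict[int, str] = {
    25: "SMTP",
    80: "HTTP",
    88: "Kerberos authentication protocol",
    102: "MTA (X.400 connector over TCP/IP)",
    110: "POP3",
    119: "NNTP",
    135: "RPC endpoint mapper, client/server communication, Exchange administration",
    143: "IMAP4",
    389: "LDAP",
    443: "HTTP (SSL)",
    563: "NNTP (SSL)",
    636: "LDAP (SSL)",
    993: "IMAP4 (SSL)",
    995: "POP3 (SSL)",
    3268: "Global catalog lookups",
    3269: "Global catalog lookups",
}

# Constructed values, not from the module: the static ports an administrator
# would assign to the Exchange store and to NSPI (discussion question 1).
STORE_STATIC_PORT = 7000
NSPI_STATIC_PORT = 7001
# Assumed Windows Server 2003 default dynamic RPC range; without static ports
# every port in it would have to be opened for MAPI clients.
DYNAMIC_RPC_RANGE = range(1025, 5001)

# Ports each client-access design needs opened on the external firewall.
ACCESS_PROFILES: dict[str, set[int]] = {
    "mapi_dynamic_rpc": {135, *DYNAMIC_RPC_RANGE},
    "mapi_static_rpc": {135, STORE_STATIC_PORT, NSPI_STATIC_PORT},
    "rpc_over_http": {443},          # discussion question 2: port 80 or 443 only
    "smtp_inbound_only": {25},
}

# Assumed rule syntax: "allow tcp <port>" or "allow tcp <low>-<high>".
_RULE = re.compile(r"^\s*allow\s+tcp\s+(\d+)(?:-(\d+))?\s*$", re.IGNORECASE)


def parse_allow_list(rule_text: str) -> set[int]:
    """Expand allow rules into the set of TCP ports the firewall admits."""
    open_ports: set[int] = set()
    for line in rule_text.splitlines():
        line = line.split("#", 1)[0]        # drop trailing comments
        if not line.strip():
            continue
        match = _RULE.match(line)
        if match is None:
            raise ValueError(f"unrecognised rule: {line.strip()!r}")
        low = int(match.group(1))
        high = int(match.group(2) or low)
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port range: {line.strip()!r}")
        open_ports.update(range(low, high + 1))
    return open_ports


def audit(open_ports: set[int], profile: str) -> dict:
    """Compare the open ports with what the chosen access design requires."""
    required = ACCESS_PROFILES[profile]
    excess = sorted(open_ports - required)
    return {
        "excess": {p: EXCHANGE_2003_PORTS.get(p, "not an Exchange port") for p in excess},
        "missing": sorted(required - open_ports),
        "open_count": len(open_ports),
        "required_count": len(required),
    }


# Constructed rule set: what the infrastructure group opened for a pilot.
SAMPLE_RULES = """
allow tcp 25          # inbound SMTP
allow tcp 110         # POP3, left over from an earlier pilot
allow tcp 135         # RPC endpoint mapper
allow tcp 1025-5000   # dynamic RPC ports for MAPI clients
allow tcp 443         # HTTPS
"""

if __name__ == "__main__":
    ports = parse_allow_list(SAMPLE_RULES)
    for name in ("mapi_dynamic_rpc", "mapi_static_rpc", "rpc_over_http"):
        result = audit(ports, name)
        print(f"{name}: {result['open_count']} open, {result['required_count']} "
              f"required, {len(result['excess'])} excess, missing {result['missing']}")
```

Run against the sample rules, the report makes the trade-off in the discussion questions concrete: the dynamic-RPC design needs 3977 ports open, the static-port design needs three (and the sample rule set is missing the two static ports), and RPC over HTTP needs one. The script can be pointed at a real allow-list only after its rule syntax is adapted to the firewall's export format.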
Detailed steps for displaying the Administrative Groups container are included
in the practice “Practice: Creating an Administrative Group” later in this lesson.
To create a new administrative group
The high-level step for creating a new Administrative Group is as follows:
! In Exchange System Manager, right-click the Administrative Groups container, point to New, and then click Administrative Group.
Detailed steps for creating a new administrative group are included in the practice that follows.
Roles and associated permissions supported by the wizard
The Exchange Administration Delegation Wizard supports the following three roles:
! Exchange Full Administrator. With this permission, users can fully administer Exchange system information (for example: add, delete, and rename objects) and modify permissions. You should delegate this role to administrators who need to configure and control access to your e-mail system.
! Exchange Administrator. With this permission, users can fully administer Exchange system information; however, they cannot modify permissions. You should delegate this role to groups or users who are responsible for the day-to-day administration of Exchange (for example, those groups or users who are responsible for adding, deleting, and renaming objects).
! Exchange View Only Administrator. With this permission, users can view Exchange configuration information. You should delegate this role to administrators who do not need to modify Exchange objects.
Other required administrative permissions
In addition to the roles that are supported by the Exchange Administration Delegation Wizard, there are other Windows 2000 Server or Windows Server 2003 group memberships that are required to manage Exchange. For example, if you assign Write permission to an administrator for objects in an organization or administrative group, the administrator must be a local computer administrator for each computer running Exchange that he or she needs to manage.
Exchange built-in groups
When Exchange 2000 or Exchange 2003 is installed, two groups are automatically created: Exchange Domain Servers and Exchange Enterprise Servers. These two groups have permissions that allow Exchange servers to gain access to Exchange configuration and recipient information in Active Directory. These groups are intended for use by Exchange only, and neither of the groups should be used to give other groups or users administrative privileges to Exchange.
Note For more information about the permissions that are required to perform
Exchange administrative tasks, see the Microsoft Exchange 2000 Permissions
Guide v4.0 under Additional Reading on the Student Materials compact disc.
Practice: Delegating control of an administrative group
In this practice, you will delegate control of an administrative group.
Important To complete this practice, you must have at least two administrative groups in your Exchange organization. If you only have one administrative group in your organization, you must create another group by completing the practice "Creating an Administrative Group" located earlier in this module.
Why did you not grant Greg Weber Full Administrator permissions on
the Policy AG?
Although Full Administrator permissions would allow Greg Weber
to manage policies, this permission would also allow him to
configure permissions on the Policy AG and the policies it contains.
Because Greg Weber only needs to be able to manage policies, you
should grant him Administrator permissions.
Caution Before making any changes to inherited permissions, be sure you fully
understand the impact that the change will have on parent and child objects.
To modify inherited permissions
The steps to modify permissions to prevent propagating to child objects are as follows:
1. On the Security tab of the child object, click Advanced.
2. In the Advanced Security Settings dialog box, clear the Allow inheritable permissions from the parent to propagate to this object and all child objects check box.
To prevent inherited permissions
You can prevent inherited permissions from propagating to child objects by modifying the access control settings. For each access control setting, you can specify whether the permissions should apply only to the parent object, or to the parent object as well as its child objects.
The steps to prevent individual permissions from propagating to child objects are as follows:
1. On the Security tab, click Advanced.
2. In the Advanced Security Settings dialog box, modify the access control settings.
Note If you remove inherited permissions and specify that permissions must be
applied to the parent object only, the child objects are left with no permissions
(an implicit Deny permission). Removing permissions prevents access to
Exchange objects in Exchange System Manager. However, you can restore the
permissions by using the Adsiedit.exe utility.
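The caution and note above describe two different changes with different blast radius: clearing the inheritance check box on a child object removes every inherited entry from it, leaving an implicit Deny, whereas limiting one access control entry to "this object only" affects only that entry. The following Python model is an added example, not part of this module or of Exchange System Manager: it evaluates effective access on a small object tree the way Windows DACLs are evaluated (explicit entries before inherited ones, Deny before Allow within a level, first match decides, no match is a deny), so the outcome of either change can be checked before it is made. The object tree, the user names (Greg Weber and Central IT, taken from the practice above) and the simplified rights sets are constructed for the demonstration.

```python
"""Model of permission inheritance on an Exchange object tree.

Added example, not from the module: shows what clearing the inheritance
check box on a child object does versus limiting one access control entry
to the parent object only. Names and rights sets are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ace:
    """One access control entry: trustee, rights, allow/deny, and scope."""
    trustee: str
    rights: frozenset[str]
    allow: bool = True
    # True = "this object and all child objects"; False = "this object only".
    inherit_to_children: bool = True


@dataclass
class ExchangeObject:
    name: str
    parent: ExchangeObject | None = None
    explicit_aces: list[Ace] = field(default_factory=list)
    # The "Allow inheritable permissions from the parent to propagate ..." box.
    inherit_from_parent: bool = True

    def child(self, name: str) -> ExchangeObject:
        return ExchangeObject(name, parent=self)


def canonical(aces: list[Ace]) -> list[Ace]:
    """Within one level, Deny entries are evaluated before Allow entries."""
    return [a for a in aces if not a.allow] + [a for a in aces if a.allow]


def effective_aces(obj: ExchangeObject) -> list[Ace]:
    """Explicit entries first, then inherited entries from the nearest ancestor outward."""
    aces = canonical(obj.explicit_aces)
    if obj.inherit_from_parent and obj.parent is not None:
        aces += [a for a in effective_aces(obj.parent) if a.inherit_to_children]
    return aces


def has_access(obj: ExchangeObject, trustee: str, right: str) -> bool:
    """First entry naming the trustee and the right decides; no entry at all
    is the implicit Deny the note above warns about."""
    for ace in effective_aces(obj):
        if ace.trustee == trustee and right in ace.rights:
            return ace.allow
    return False


# Simplified rights: Exchange Administrator cannot change permissions,
# Exchange Full Administrator can (constructed, not Exchange's real masks).
ADMIN_RIGHTS = frozenset({"read", "write"})
FULL_RIGHTS = frozenset({"read", "write", "change permissions"})


def build_tree() -> dict[str, ExchangeObject]:
    """Organization -> Policy AG -> one policy object, with two delegations."""
    org = ExchangeObject("Northwind Traders (organization)")
    org.explicit_aces.append(Ace("Central IT", FULL_RIGHTS))
    policy_ag = org.child("Policy AG")
    policy_ag.explicit_aces.append(Ace("Greg Weber", ADMIN_RIGHTS))
    policy = policy_ag.child("Mailbox Store Policy")
    return {"org": org, "policy_ag": policy_ag, "policy": policy}


def snapshot(tree: dict[str, ExchangeObject]) -> dict[str, bool]:
    return {
        "greg writes policy": has_access(tree["policy"], "Greg Weber", "write"),
        "greg writes ag": has_access(tree["policy_ag"], "Greg Weber", "write"),
        "greg changes ag permissions": has_access(tree["policy_ag"], "Greg Weber", "change permissions"),
        "central it writes policy": has_access(tree["policy"], "Central IT", "write"),
    }


def block_inheritance_on_child(tree: dict[str, ExchangeObject]) -> dict[str, bool]:
    """Clear the inheritance check box on the policy object (procedure above)."""
    tree["policy"].inherit_from_parent = False
    return snapshot(tree)


def limit_ace_to_parent_only(tree: dict[str, ExchangeObject]) -> dict[str, bool]:
    """Set Greg Weber's entry on the Policy AG to apply to this object only."""
    ag = tree["policy_ag"]
    ag.explicit_aces = [
        Ace(a.trustee, a.rights, a.allow, inherit_to_children=False)
        if a.trustee == "Greg Weber" else a
        for a in ag.explicit_aces
    ]
    return snapshot(tree)


if __name__ == "__main__":
    print("baseline:           ", snapshot(build_tree()))
    print("inheritance blocked:", block_inheritance_on_child(build_tree()))
    print("entry parent-only:  ", limit_ace_to_parent_only(build_tree()))
```

The second run shows the effect described in the note: blocking inheritance on the policy object removes Central IT's access along with Greg Weber's, because nothing explicit remains on the child. The third run is the narrower change, which removes only Greg Weber's inherited access while Central IT keeps its delegation.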
2. In the Properties dialog box of the object you want to modify, on the
Security tab, click Advanced.
Practice: Configuring custom security permissions
In this practice, you will enable the Security tab for all Exchange objects, and then configure custom security permissions.
1. From the desktop, click Start, click Run, type regedit and then click OK.
2. In the Registry Editor dialog box, browse to HKEY_CURRENT_USER\Software\Microsoft\Exchange.
3. Right-click EXAdmin, point to New, and then click DWORD Value.
4. In the New Value #1 box, type ShowSecurityPage and press ENTER.
Why did you not use the delegation wizard to accomplish this task?
The delegation wizard does not allow you to grant permissions at
this level.
Processes | Service dependencies
Setup | For Exchange 2003 Setup to run, you must install and enable, but not necessarily start:
• NNTP
• SMTP
• World Wide Web Publishing Service
• IIS Admin Service
Using front-end servers to establish POP3, IMAP4, or SMTP connections
The information in this topic assumes that you plan to use front-end servers to establish HTTP connections. If you plan on configuring POP3, IMAP4, or SMTP, do not enable the World Wide Web Publishing Service, and use the following table to enable the required services.
Front-end server | Required services
Service name | Startup mode | Reason
Microsoft Exchange Information Store | Automatic | Back-end servers or mailbox servers contain user mailboxes and public folders, and they require the information store services to be enabled.
Microsoft Exchange Management | Automatic | This service is enabled to provide message tracking and to audit message flow.
Windows Management Instrumentation | Automatic | This service is enabled and it is dependent on Microsoft Exchange Management.
Microsoft Exchange MTA Stacks | Automatic | This service is required for compatibility with previous versions of Exchange or if there are X.400 connectors.
Microsoft Exchange System Attendant | Automatic | This service is enabled to perform Exchange administration and for Exchange maintenance to run.
Microsoft Exchange Routing Engine | Automatic | This service is enabled to coordinate message transfer between Exchange servers.
IPSEC Services | Automatic | This service is required to implement an IPSec policy on the back-end server.
IIS Admin Service | Automatic | This service is required by the MSExchange routing engine.
NTLM Security Support Provider | Automatic | This service is enabled and it is dependent on System Attendant.
Simple Mail Transfer Protocol (SMTP) | Automatic | This service is required for Exchange to transfer messages.
World Wide Web Publishing Service | Automatic | This service is enabled to provide communication with Outlook Web Access and Outlook Mobile Access front-end servers.
Microsoft Exchange IMAP4 | Disabled | This service is not required because the back-end server is not configured for IMAP4. This service must be enabled if the front-end server is configured for IMAP4 access.
Microsoft Exchange POP3 | Disabled | This service is not required because the back-end server is not configured for POP3. This service must be enabled if the front-end server is configured for POP3 access.
Microsoft Search | Disabled | This service is only required for full-text indexing of mailbox or public folder stores.
Microsoft Exchange Event Service | Disabled | This service is only required for compatibility with previous versions of Exchange.
Microsoft Exchange Site Replication Service | Disabled | This service is only required for compatibility with previous versions of Exchange.
Remote Procedure Call (RPC) Locator | Disabled | This service is now not required for communication with domain controllers and clients.
Network News Transfer Protocol (NNTP) | Disabled | This service is only required for installation and if newsgroup functionality is required.
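The table above is a baseline, and the value of a baseline is in checking servers against it repeatedly. The following Python script is an added example, not part of this module or of any Microsoft tool: it encodes the table's startup modes and the three dependencies the Reason column states, adjusts the baseline for the protocols a front-end server is configured for, and compares a service snapshot with it. Two mappings are assumptions, since the table does not state them: "must be enabled" is treated as Automatic and "do not enable" as Disabled. The snapshot format (one "service name: startup mode" line per service) and the sample snapshot are constructed, not captured from a real server.

```python
"""Compare a server's service startup modes with the lesson's baseline table.

Added example, not from the module. Snapshot format and sample data are
constructed; the baseline and dependencies come from the table above.
"""
from __future__ import annotations

# Startup mode per service, from the table (back-end server baseline).
BACKEND_BASELINE: dict[str, str] = {
    "Microsoft Exchange Information Store": "Automatic",
    "Microsoft Exchange Management": "Automatic",
    "Windows Management Instrumentation": "Automatic",
    "Microsoft Exchange MTA Stacks": "Automatic",
    "Microsoft Exchange System Attendant": "Automatic",
    "Microsoft Exchange Routing Engine": "Automatic",
    "IPSEC Services": "Automatic",
    "IIS Admin Service": "Automatic",
    "NTLM Security Support Provider": "Automatic",
    "Simple Mail Transfer Protocol (SMTP)": "Automatic",
    "World Wide Web Publishing Service": "Automatic",
    "Microsoft Exchange IMAP4": "Disabled",
    "Microsoft Exchange POP3": "Disabled",
    "Microsoft Search": "Disabled",
    "Microsoft Exchange Event Service": "Disabled",
    "Microsoft Exchange Site Replication Service": "Disabled",
    "Remote Procedure Call (RPC) Locator": "Disabled",
    "Network News Transfer Protocol (NNTP)": "Disabled",
}

# Dependencies stated in the Reason column: dependent -> service it needs.
DEPENDENCIES: dict[str, str] = {
    "Windows Management Instrumentation": "Microsoft Exchange Management",
    "Microsoft Exchange Routing Engine": "IIS Admin Service",
    "NTLM Security Support Provider": "Microsoft Exchange System Attendant",
}


def expected_modes(front_end_protocols: frozenset[str] = frozenset()) -> dict[str, str]:
    """Baseline adjusted for the protocols the front-end server is configured for.
    Assumption: the table's 'must be enabled' maps to Automatic and its
    'do not enable' maps to Disabled."""
    modes = dict(BACKEND_BASELINE)
    if "POP3" in front_end_protocols:
        modes["Microsoft Exchange POP3"] = "Automatic"
    if "IMAP4" in front_end_protocols:
        modes["Microsoft Exchange IMAP4"] = "Automatic"
    if front_end_protocols & {"POP3", "IMAP4", "SMTP"}:
        modes["World Wide Web Publishing Service"] = "Disabled"
    return modes


def parse_snapshot(text: str) -> dict[str, str]:
    """Parse constructed 'service name: startup mode' lines; '#' starts a comment."""
    modes: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, mode = line.rpartition(":")
        if not sep or not name.strip():
            raise ValueError(f"unrecognised snapshot line: {line!r}")
        modes[name.strip()] = mode.strip()
    return modes


def check(snapshot: dict[str, str],
          front_end_protocols: frozenset[str] = frozenset()) -> list[tuple[str, str, str]]:
    """Return (kind, service, detail) findings; an empty list means compliant."""
    expected = expected_modes(front_end_protocols)
    findings: list[tuple[str, str, str]] = []
    for service, want in expected.items():
        have = snapshot.get(service)
        if have is None:
            findings.append(("unknown", service, "not present in the snapshot"))
        elif have != want:
            # An unneeded service left enabled is attack surface; a required
            # service not set to Automatic is an availability problem.
            kind = "attack-surface" if want == "Disabled" else "availability"
            findings.append((kind, service, f"startup mode is {have}, baseline says {want}"))
    for dependent, needed in DEPENDENCIES.items():
        if expected[dependent] == "Automatic" and snapshot.get(needed) == "Disabled":
            findings.append(("dependency", dependent, f"requires {needed}, which is Disabled"))
    return findings


# Constructed snapshot of a back-end server with a few deliberate deviations.
SAMPLE_SNAPSHOT = """
Microsoft Exchange Information Store: Automatic
Microsoft Exchange Management: Automatic
Windows Management Instrumentation: Automatic
Microsoft Exchange MTA Stacks: Automatic
Microsoft Exchange System Attendant: Disabled        # required service off
Microsoft Exchange Routing Engine: Automatic
IPSEC Services: Automatic
IIS Admin Service: Automatic
NTLM Security Support Provider: Automatic
Simple Mail Transfer Protocol (SMTP): Automatic
World Wide Web Publishing Service: Automatic
Microsoft Exchange IMAP4: Disabled
Microsoft Exchange POP3: Disabled
Microsoft Search: Automatic                          # unneeded service on
Microsoft Exchange Event Service: Disabled
Microsoft Exchange Site Replication Service: Disabled
Remote Procedure Call (RPC) Locator: Manual          # not disabled
Network News Transfer Protocol (NNTP): Disabled
"""

if __name__ == "__main__":
    for kind, service, detail in check(parse_snapshot(SAMPLE_SNAPSHOT)):
        print(f"[{kind}] {service}: {detail}")
```

On the sample snapshot the check reports four findings: System Attendant disabled, Microsoft Search and the RPC Locator not disabled, and, because of the first finding, NTLM Security Support Provider depending on a disabled service. Passing a front-end protocol set such as {"POP3"} adds two more, since the table then requires the POP3 service on and the World Wide Web Publishing Service off.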
Note For more information about front-end and back-end servers, see the
white paper Microsoft Exchange Server Front-End and Back-End Topology
under Additional Reading on the Student Materials compact disc. For more
information about securing your Exchange server, see the white paper
Security Operations for Microsoft Exchange 2000 Server under Additional
Reading on the Student Materials compact disc.
Scenario 2
Although you have a block-list service provider configured, you find that you continue to receive unsolicited commercial e-mail from several senders. You would like to block the messages coming from these troublesome domains. How can you accomplish this?
Block lists cannot completely prevent unsolicited commercial e-mail. Because there will always be domains that are ahead of block lists, you must be vigilant about monitoring your incoming e-mail. When you do identify troublesome domains, you should add the domain to the Connection properties on the Access tab of the default SMTP virtual server that is used to receive incoming messages from the Internet.
Scenario 3
You have just been directed to configure your forest to support e-mail digital signatures and encryption. What are some reasons why your manager decided to enable this feature?
Digital signatures enable your users to verify that a message was sent by the person identified in the From box and to assure the message recipient that the message was not altered in any way during transmission. Encryption enables users to protect messages so that even if the message is intercepted, the message content cannot be interpreted by the attacker. Only a user with the correct certificates can read encrypted messages.
Scenario 4
Your company has a firewall between your company's intranet and the Internet. What purpose is this firewall serving?
Firewalls are used to prevent unauthorized traffic from entering or leaving your private network. Firewalls block attackers from accessing internal data; they allow packet filtering, so that you can prevent both internal and external users from transmitting particular types of information; and they can provide proxy services, which mask internal IP addresses from external resources.
Scenario 5
Your company has a central Information Technology (IT) office that manages all the messaging administration. You also have several branch offices that have local IT groups that manage their own servers. You are installing Exchange in your company and need to be sure that the correct administrators can manage the servers in their location. What should you do?
To best delegate this administrative model, you need an administrative group for each branch office. Because moving servers between administrative groups is not supported, you must create your administrative groups before you install servers running Exchange in the branch offices. When you install the servers, choose the correct administrative group for that particular server. You should then delegate permissions on each administrative group to the local IT group, and delegate permissions on the organization to the central IT group. By configuring your permissions this way, you will prevent the local IT groups from managing servers that are outside of their group and will allow the central group to access all the servers that are in all the administrative groups.
Scenario 6
You have Exchange installed as a mailbox server. To reduce the probability of a security breach, you want to disable unused and unnecessary services on this Exchange server. Currently the Exchange server is running Microsoft Exchange Information Store, Microsoft Search, IPSec Policy Agent, and RPC Locator. Which of these services must be running on this server?
A mailbox server will require the use of the IPSec Policy Agent service to implement IPSec filters on the server. The mailbox server will also need the Exchange Information Store service to access Mailbox and Public Folder Stores.