Securing Microsoft® Exchange Server 2010

Presentation on theme: "Securing Microsoft® Exchange Server 2010"— Presentation transcript:

1 Securing Microsoft® Exchange Server 2010
Course 10135A Module 10: Securing Exchange Server 2010

Presentation: 70 minutes. Lab: 60 minutes.

After completing this module, students will be able to:
- Configure role based access control (RBAC)
- Configure security for server roles in Microsoft® Exchange Server 2010
- Configure secure Internet access

Required materials: To teach this module, you need the Microsoft Office PowerPoint® file 10135A_10.ppt. Important: We recommend that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not display correctly.

Preparation tasks: To prepare for this module:
- Read all of the materials for this module.
- Practice performing the demonstrations and the lab exercises.
- Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.

Note about the demonstrations: To prepare for the demonstrations, start the 10135A-VAN-DC1 virtual machine and log on to the server before starting the other virtual machines. To save time during the demonstrations, log on to the Exchange servers and open the Exchange Server management tools before starting the demonstrations. Additionally, connect to the Microsoft Outlook® Web App site on the Exchange servers, and then log on as Administrator. It can take more than a minute to open the management tools and Outlook Web App for the first time.

Make sure that students are aware that the Companion CD has additional module information and resources.

2 Module Overview

- Configuring Role Based Access Control
- Configuring Security for Server Roles in Exchange Server 2010
- Configuring Secure Internet Access

3 Lesson 1: Configuring Role Based Access Control

- What Is Role Based Access Control?
- What Are Management Role Groups?
- Built-In Management Role Groups
- Demonstration: Managing Permissions Using the Built-In Role Groups
- Process for Configuring Custom Role Groups
- Demonstration: Configuring Custom Role Groups
- What Are Management Role Assignment Policies?
- Working With Management Role Assignment Policies
- Managing Permissions on Edge Transport Servers

4 What Is Role Based Access Control?
Slide: RBAC is used to define all Exchange Server 2010 permissions.
- RBAC:
  - Defines which Exchange Management Shell cmdlets a user can run and which objects the user can modify
  - Is applied by all Exchange Server management tools
- RBAC options include:
  - Using management role groups to assign administrative permissions
  - Using management role assignment policies to assign permissions that users can perform on their own mailbox or distribution groups

Notes: If you have students with Exchange Server experience, highlight how RBAC differs from how permissions were assigned in previous versions. Exchange Server 2003 enables you to use Active Directory® directory service groups to assign permissions at the organization or administrative group level. In Exchange Server 2007, you could assign permissions at the organization or individual server level. In both cases, Exchange Server did not provide options for configuring granular permissions, and offered limited options for configuring permissions. In Exchange Server 2010, you can configure very precise permissions, right down to enabling access to specific cmdlets and attributes.

Another difference between how you assigned permissions in Exchange Server 2003 and Exchange Server 2007, and how you assign them in Exchange Server 2010, is that in the previous Exchange Server versions, you assigned permissions by modifying the Access Control Lists (ACLs) on Active Directory objects. In Exchange Server 2010, however, you configure which cmdlets users can run.

Question: What requirements does your organization have for assigning Exchange Server permissions? Does your organization use a centralized or decentralized administration model? What special permissions will you need to configure?

Answer: Answers will vary. In most organizations, a central team of Exchange Server administrators likely will maintain full control of the Exchange Server environment, while another team may need permissions to create mailboxes. Other organizations may have complicated administrative scenarios in which different groups need many different permission levels.

5 What Are Management Role Groups?
Slide: Management role groups assign administrator permissions in Exchange Server 2010.

Component                    Explanation
Role holder                  Mailbox that is assigned to a role group
Management role group        Universal security group for managing Exchange Server permissions
Management role              Container for grouping other RBAC components
Management role entry        Defines which Exchange Server cmdlets an administrator can run
Management role assignment   Links the management role group to a management role
Management role scope        Defines where the administrator can perform the tasks

Notes: As you teach this content, explain that a management role is just a container that groups together the other RBAC components. The RBAC components define:
- Which tasks an administrator can perform
- Who is granted permission to perform the tasks
- Where the user can perform the task

Stress that you can define each of these components at a high level or at a specific level. A management role entry can allow or deny access to all Exchange Server cmdlets, to a specific Exchange Server cmdlet, or even to a particular parameter on a cmdlet. Management role groups provide an easy way to assign permissions in Exchange Server. By using the default groups, or creating custom groups with specific permissions, you can manage all permissions by just assigning mailboxes to role groups.

6 Built-In Management Role Groups
Slide: Management role groups include:
- Organization Management
- View-Only Organization Management
- Recipient Management
- Unified Messaging Management
- Discovery Management
- Records Management
- Server Management
- Help Desk
- Public Folder Management
- Delegated Setup

Notes: Similar to previous Exchange Server versions, Exchange Server 2010 contains a default set of groups that you can use to assign permissions in the Exchange Server organization. Mention that for most organizations, the default set of role groups provides all required flexibility. Only organizations with very specific permission-delegation requirements need to use custom management role groups and management roles. Avoid describing all of the built-in role groups in detail. Instead, highlight a few, and point out the table in the student notes that provides details about all the roles.

7 Demonstration: Managing Permissions Using the Built-In Role Groups
Slide: In this demonstration, you will see how to:
- Add role holders to a role group
- Verify the permissions assigned to the built-in role groups

Notes: Stress that for most small- and medium-sized organizations that do not have complicated permission assignment scenarios, the easiest way to manage Exchange Server permissions is to add users or security groups to the built-in Exchange Server security groups in Active Directory Domain Services (AD DS) or Active Directory. These groups are automatically assigned the management role.

Ask students which of the built-in role groups they will use in their organization. Answers will vary. Small- or medium-sized organizations, where one set of administrators is the only group that performs any recipient management or Exchange Server management tasks, may use only the Organization Management role group. Organizations with decentralized administrative processes are much more likely to use other management roles to delegate permissions.

Preparation: Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-EX2 virtual machines are running. Log on to 10135A-VAN-DC1 and 10135A-VAN-EX1 as Administrator with a password of Pa$$w0rd. Log on to 10135A-VAN-EX2 as Conor using a password of Pa$$w0rd.

Demonstration steps:
1. On VAN-EX1, open Active Directory Users and Computers.
2. Expand Adatum.com, click Microsoft Exchange Security Groups, and then double-click Recipient Management.
3. On the Members tab, click Add.
4. In the Enter the object names to select field, type Conor, and then click OK twice.
5. On VAN-EX2, ensure that you are logged on as Conor.
6. Open the Exchange Management Console and the Exchange Management Shell.
7. In the Exchange Management Console, expand Microsoft Exchange On-Premises, and then expand Organization Configuration. Point out that Conor has Read access to the Exchange Server organization configuration because the Recipient Management group has been granted implicit Read permission to the organization.
8. Click Mailbox, and in the Results pane, verify that you do not have sufficient permissions to view the data.
9. Expand Recipient Configuration, click Mailbox, and then double-click Axel Delgado.
10. In the Axel Delgado Properties dialog box, click the Organization tab, verify that you can modify the user properties, and then click OK.
11. Right-click Axel Delgado, and then click New Local Move Request.
12. On the Introduction page, click Browse. In the Select Mailbox Database dialog box, click Mailbox Database 1, click OK, click Next two times, click New, and then click Finish. Note: If you get an error that no MRS servers are available, verify that the Microsoft Exchange Mailbox Replication service is running on both VAN-EX1 and VAN-EX2.
13. In the Exchange Management Shell, type get-exchangeserver | FL, and then press ENTER. The user account has Read permission to the Exchange server information.
14. At the PS prompt, type Set-User Axel -Title Manager, and then press ENTER. Verify that Conor has permission to modify the Active Directory account.
15. Log off VAN-EX2.

9 Process for Configuring Custom Role Groups
Slide:
1. Identify the role groups and the role group members
2. Identify the management roles to assign the group
3. Identify the management scope
4. Create the role group using the New-RoleGroup cmdlet

Notes: Mention that this topic provides a process overview about creating new custom management roles. The following demonstration will provide more details about how to perform the steps. As you describe this process, consider using an example scenario in which users might want to use a custom role. For example:
1. They may be configuring a role group that enables human resources (HR) administrators to configure the organization and personal settings for each user. You will need to create the appropriate group, and identify which users will be group members.
2. Because this group will work with recipients, you will need to identify the management roles that relate to recipient management.
3. In this scenario, you might not need to limit the scope for the role group. If they need to be able to manage recipients in the entire organization, do not limit the scope. If you want to limit which recipients the HR administrators can manage, you could limit the scope to specific recipients.
4. Run the cmdlet to create the role group.

10 Demonstration: Configuring Custom Role Groups
Slide: In this demonstration, you will see how to create a custom role group.

Notes: Discuss scenarios in which organizations might choose to create a new custom role group. The slide and notes below describe one possible scenario for choosing to create a custom role group. Encourage students to provide other suggestions, and then describe the components required to implement the custom role group.

Preparation: Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-EX2 virtual machines are running. Log on to 10135A-VAN-DC1 and 10135A-VAN-EX1 as Administrator with a password of Pa$$w0rd. Do not log on to 10135A-VAN-EX2 at this point.

Demonstration steps:
1. On VAN-EX1, open the Exchange Management Shell.
2. At the PS prompt, type the following command, and then press ENTER:
   New-ManagementScope -Name MarketingMailboxes -RecipientRoot "adatum.com/Marketing" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"}
3. Create a new management role group that uses the custom management scope by using the following command:
   New-RoleGroup -Name MarketingAdmins -Roles "Mail Recipients", "Mail Recipient Creation" -CustomRecipientWriteScope MarketingMailboxes
4. In the Exchange Management Shell, type the following command, and then press ENTER:
   Add-RoleGroupMember -Identity MarketingAdmins -Member Andreas
5. On VAN-EX1, open Active Directory Users and Computers.
6. Click Microsoft Exchange Security Groups and verify that the MarketingAdmins group was created and that Andreas is a member of the group.
7. On VAN-EX2, log on as Adatum\Andreas using a password of Pa$$w0rd.
8. Open the Exchange Management Console.
9. In the Exchange Management Console, expand Microsoft Exchange On-Premises, and then expand Recipient Configuration.
10. Click Mailbox, and then double-click Axel Delgado.
11. In the Axel Delgado Properties dialog box, click the Organization tab, modify one of the properties, and then click OK. Verify that the change is not saved.
12. Double-click Manoj Syamala.
13. In the Manoj Syamala Properties dialog box, click the Organization tab, modify one of the properties, and then click OK. Verify that the change is saved.
14. Click New Mailbox. Create a new mailbox in the default Users container. Verify that the user cannot create mailboxes in the Users container. Click New Mailbox. Create a new mailbox in the Marketing OU. Verify that the user can create mailboxes in the Marketing OU.

Question: Will you implement custom management roles in your organization? If so, how will you configure the management roles?

Answer: Answers will vary. Most organizations probably do not need custom management roles. Large organizations that have complicated administrative processes may require several custom management roles.
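The following Exchange Management Shell script is an added example, not part of the course materials or Microsoft's code. It runs the demonstration's three cmdlets and then verifies the result from both sides: which roles and write scope the group holds, and whether Andreas can actually write to a mailbox inside the Marketing OU and to one outside it. It assumes the demonstration's objects (the adatum.com/Marketing OU and the users Andreas, Manoj Syamala and Axel Delgado) exist.

```powershell
# Added example: create the scoped MarketingAdmins role group from the
# demonstration and verify the resulting permissions. Assumes an Exchange
# Server 2010 Exchange Management Shell and the demonstration's users and OU.

# 1. Management scope: user mailboxes under the Marketing OU only
New-ManagementScope -Name "MarketingMailboxes" `
    -RecipientRoot "adatum.com/Marketing" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 2. Role group with two recipient roles; writes are limited to the custom scope
New-RoleGroup -Name "MarketingAdmins" `
    -Roles "Mail Recipients", "Mail Recipient Creation" `
    -CustomRecipientWriteScope "MarketingMailboxes" `
    -Members "Andreas"

# 3. What the group holds: one assignment per role, each carrying the scope
Get-ManagementRoleAssignment -RoleAssignee "MarketingAdmins" |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 4. Least-privilege check from the recipient's side: list the roles through
#    which Andreas can write to a mailbox inside the scope (Manoj) and to one
#    outside it (Axel). -GetEffectiveUsers expands role group membership, so
#    Andreas appears by user name rather than through MarketingAdmins.
foreach ($recipient in "Manoj Syamala", "Axel Delgado") {
    $roles = Get-ManagementRoleAssignment -WritableRecipient $recipient -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -match "Andreas" } |   # assumption: name matches the account
        ForEach-Object { "$($_.Role)" } |
        Sort-Object -Unique
    if ($roles) {
        "Andreas can write to ${recipient} through: $($roles -join ', ')"
    } else {
        "Andreas cannot write to ${recipient}"
    }
}

# 5. A role group should not be able to grant itself more rights: confirm that
#    it holds no delegating assignments (the output should be empty).
Get-ManagementRoleAssignment -RoleAssignee "MarketingAdmins" -Delegating $true
```

Step 4 should report roles for Manoj Syamala and none for Axel Delgado; any other result means the scope or the OU placement of the mailbox is not what the demonstration assumes.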

12 What Are Management Role Assignment Policies?
Slide: Management role assignment policies assign permissions to users to manage their mailboxes or distribution groups.

Component                          Explanation
Mailbox                            Each mailbox is assigned one role assignment policy
Management role assignment policy  Object for associating management roles with mailboxes
Management role                    Container for grouping other RBAC components
Management role assignment         Associates management roles with management role assignment policies
Management role entry              Defines which Exchange cmdlets the user can run on their mailboxes or groups

Notes: Highlight the similarities between management role assignment policies and role groups. In both cases, management roles assign all the permissions, and each role contains a set of management role entries. The primary difference between management role assignment policies and role groups is that you use role assignment policies to configure permissions for the objects that users own. Because of this, you cannot configure a scope for management role assignment policies.

13 Working with Management Role Assignment Policies
Slide: In most organizations, the default management role assignment policy will meet all requirements. You can modify the default configuration by:
- Modifying the default management role assignment policy to add or remove management roles
- Defining a new default management role assignment policy
- Creating new management role assignments and explicitly assigning them to mailboxes

Notes: It can be difficult for students to understand which permissions Exchange Server assigns by default for the organization. To show this, run the Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" cmdlet. This cmdlet lists all the management roles that Exchange Server assigns to the default role assignment policy. To view the details of each management role, use the Get-ManagementRole <rolename> | FL cmdlet. For example, run the Get-ManagementRole MyBaseOptions | FL cmdlet, and describe the role entries assigned to this management role.

Question: How will you configure role assignment policies in your organization?

Answer: Answers will vary, but for most organizations, the default configuration should suffice. Organizations normally change the default configuration only when there is a specific requirement to change how users interact with their mailboxes.
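As an added example (not from the course or Microsoft), the following script carries the instructor's audit one step further: it lists the roles in the default policy, shows what one role's entries actually permit, then builds a more restrictive policy and assigns it explicitly to a mailbox. The policy name "Restricted Users", the mailbox "Conor", and the choice of roles to drop are assumptions.

```powershell
# Added example: audit the default role assignment policy and build a more
# restrictive one. Assumes an Exchange Server 2010 Exchange Management Shell.

# 1. Roles the default policy grants to every mailbox
$defaultRoles = Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" |
    ForEach-Object { "$($_.Role)" } | Sort-Object -Unique
"Default policy roles: $($defaultRoles -join ', ')"

# 2. What one role permits: the cmdlets and parameters in its role entries
Get-ManagementRoleEntry "MyBaseOptions\*" | Format-Table Name, Parameters -AutoSize

# 3. Restricted policy: keep the default roles except those that let users
#    change their own directory data or manage distribution groups
#    (assumed requirement for kiosk or contractor users; adjust to your own).
$dropRoles = "MyContactInformation", "MyDistributionGroups"
$keepRoles = $defaultRoles | Where-Object { $dropRoles -notcontains $_ }
New-RoleAssignmentPolicy -Name "Restricted Users" -Roles $keepRoles

# 4. Explicitly assign the new policy to one mailbox and confirm it
Set-Mailbox -Identity "Conor" -RoleAssignmentPolicy "Restricted Users"
Get-Mailbox -Identity "Conor" | Format-List Name, RoleAssignmentPolicy

# 5. Compare both policies side by side
foreach ($policy in "Default Role Assignment Policy", "Restricted Users") {
    $roles = Get-ManagementRoleAssignment -RoleAssignee $policy |
        ForEach-Object { "$($_.Role)" } | Sort-Object -Unique
    "${policy}: $($roles -join ', ')"
}

# To make the restricted policy the default for new mailboxes instead
# (the slide's second option), uncomment:
# Set-RoleAssignmentPolicy -Identity "Restricted Users" -IsDefault
```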

14 Managing Permissions on Edge Transport Servers
Slide: RBAC requires an Active Directory site, so you cannot use it to assign permissions on Edge Transport servers. Use local groups to assign permissions.

Administrative task                        Local group
Backup and restore                         Backup Operators
Configure Edge Transport server settings   Administrators
Configure edge subscriptions               Administrators
Connect using Remote Desktop               Administrators
View queues and messages                   Users

Notes: Emphasize that RBAC requires AD DS or Active Directory because it is based on assigning access to specific Active Directory objects. This means that you cannot use RBAC to configure permissions on Edge Transport servers. Mention that, by default, administrators have full control of all Edge Transport server settings, and the only tasks they can delegate are backup and recovery, and viewing message queues on the server. To enable users to perform administrative tasks on the Edge Transport server, simply add them to the appropriate local group.

15 Lesson 2: Configuring Security for Server Roles in Exchange Server 2010

- Discussion: What Are the Exchange Server Security Risks?
- Exchange Server Security Guidelines

16 Discussion: What Are the Exchange Server Security Risks?
Slide: What security risks do you need to protect against when deploying Exchange Server? Which risks are the most serious?

Notes: Question: What security risks do you need to protect against when deploying Exchange Server?

Answer: Answers will vary, but students should mention threats such as:
- Malicious e-mail, such as viruses and phishing e-mails
- SMTP-based attacks on Simple Mail Transfer Protocol (SMTP) servers that your organization exposes to the Internet
- Web-based attacks on Client Access servers
- Compromised user credentials, either when user credentials are submitted in clear text or are captured on an unsecure kiosk
- Compromised data, such as when mobile devices are lost or stolen, or when users access attachments through Outlook Web App from unsecure client computers

Question: What risks are the most serious?

Answer: The most serious threat to most Exchange Server organizations relates to malicious e-mail. Although most organizations now use excellent anti-virus and anti-phishing applications, new types of malicious software still pose a serious threat. Additionally, when users access e-mail from unsecure mobile clients or public computers, such as kiosks, this poses an additional, more serious threat in most organizations.

17 Exchange Server Security Guidelines
Slide: Implement the following best-practice security measures:
- Install all security updates and software updates
- Run Exchange Best Practices Analyzer regularly
- Run Microsoft Baseline Security Analyzer
- Avoid running additional software on Exchange servers
- Install and maintain anti-virus software
- Enforce complex password policies

Notes: This topic describes the general security practices that students should implement on their Exchange servers and in their Exchange environments. Stress that these are best practices for all types of servers, not just Exchange servers. Ask students if they have other guidelines to add to the list. What processes do they use in their organizations to secure servers, including Exchange servers? Mention that Exchange Server 2010 setup now applies the Windows Firewall rules that each Exchange server role requires.

18 Lesson 3: Configuring Secure Internet Access
- Secure Internet Access Components
- Deploying Exchange Server 2010 for Internet Access
- Securing Client Access Traffic from the Internet
- Securing SMTP Connections from the Internet
- What Is a Reverse Proxy?
- Demonstration: Configuring the Threat Management Gateway for Outlook Web App

19 Secure Internet Access Components
Slide: Providing Internet access for Exchange Server may include:
- Enabling messaging clients to connect to the Client Access server
- Enabling IMAP4/POP3 clients to send e-mail using SMTP

Enabling secure access to the Exchange servers may require:
- VPN
- Firewall configuration
- Reverse proxy configuration

Notes: Discuss the option of using a virtual private network (VPN) to provide access to Exchange servers for external clients. Many organizations use this as an option, rather than providing direct access to the Client Access servers. A VPN can have several advantages, such as enabling multifactor authentication and access to internal network resources other than Exchange servers. However, in most cases, a VPN is more complicated to configure than other access methods, and it requires additional configuration on each client computer.

Question: What type of access are you enabling from the Internet to your organization's Exchange servers?

Answer: Answers will vary. Many organizations require access to the Client Access servers using a variety of messaging clients such as Microsoft Office Outlook Anywhere, Outlook Web App, or Exchange ActiveSync®. Fewer organizations are enabling Internet Message Access Protocol 4 (IMAP4) or Post Office Protocol 3 (POP3) access to the Exchange servers, so fewer organizations need to provide SMTP relay services for these clients.

20 Deploying Exchange Server 2010 for Internet Access
Slide: Diagram components: Client, Firewall, Edge Transport Server, Firewall or Reverse Proxy, Client Access Server, Hub Transport Server, Domain Controller, Mailbox Server. Default ports shown on the diagram:

Protocol                 Unsecure port   TLS/SSL port
HTTP                     80              443
POP3                     110             993
IMAP4                    143             995
SMTP                     25
SMTP client submission   587

Notes: Spend time describing the firewall and server deployment as shown in the diagram. Students should understand that you must deploy all Exchange server roles, except for the Edge Transport server role, on the internal network, not the perimeter network. Students should be familiar with the port numbers, so you can probably review the default ports quickly.

21 Securing Client Access Traffic from the Internet
Slide: To provide secure client access from the Internet:
- Create and configure a server certificate
- Require SSL for all virtual directories
- Enable only required client access methods
- Require secure authentication
- Enforce remote client security
- Require TLS/SSL for IMAP4 and POP3 access
- Implement an application layer firewall or reverse proxy

Notes: Stress that the most critical component in configuring secure client access from the Internet is to configure server certificates on the Client Access server, and to require TLS/SSL authentication protocols for all connections to the server. If you do not implement the certificate and Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol, the user credentials may be sent across the Internet in clear text.

One of the key goals of Internet security is to reduce the server attack surface by enabling only required services. If your organization only requires Outlook Web App from the Internet, then disable all other options. Module 3 detailed the authentication options for client access connections. When you discuss these options, the most important point is that Exchange administrators should choose the most secure option available for each client access protocol.

Enforcing remote client security may restrict which types of clients you can use to connect to the Client Access server. For example, you cannot enforce security settings on public kiosks, so you may want to block users from using Outlook Web App, and instead force them to use Outlook Anywhere, which you can install on a domain-managed computer.
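As an added example (not from the course or Microsoft), this script checks and enforces three of the slide's bullets from the Exchange Management Shell: secure authentication for POP3/IMAP4, enabling only the client access methods that are required, and forms-based authentication for Outlook Web App. It assumes the Client Access server VAN-EX1 from the course demonstrations and that only the mailboxes listed in $popImapAllowed need POP3/IMAP4.

```powershell
# Added example: audit and enforce client access settings on a Client Access
# server. Assumes an Exchange Server 2010 Exchange Management Shell; the
# server name and the allowed-mailbox list are assumptions.

$cas = "VAN-EX1"

# 1. Require secure authentication for POP3/IMAP4. SecureLogin refuses
#    clear-text logons; X509CertificateName is the certificate clients see.
Get-PopSettings  -Server $cas | Format-List LoginType, SSLBindings, X509CertificateName
Get-ImapSettings -Server $cas | Format-List LoginType, SSLBindings, X509CertificateName
Set-PopSettings  -Server $cas -LoginType SecureLogin
Set-ImapSettings -Server $cas -LoginType SecureLogin
Restart-Service MSExchangePOP3, MSExchangeIMAP4    # LoginType is read at service start

# 2. Enable only required client access methods: list every mailbox that can
#    still use POP3 or IMAP4, then switch both off except for the allowed list.
$popImapAllowed = @("Conor")                        # assumption: documented need
$exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { ($_.PopEnabled -or $_.ImapEnabled) -and
                   ($popImapAllowed -notcontains $_.Name) }
$exposed | Format-Table Name, PopEnabled, ImapEnabled, ActiveSyncEnabled, OWAEnabled -AutoSize
$exposed | Set-CASMailbox -PopEnabled $false -ImapEnabled $false

# 3. Outlook Web App: forms-based authentication, so credentials are only
#    submitted through the logon form on the SSL-protected virtual directory.
Get-OwaVirtualDirectory -Server $cas |
    Format-List Name, FormsAuthentication, BasicAuthentication, WindowsAuthentication, ExternalUrl
Get-OwaVirtualDirectory -Server $cas | Set-OwaVirtualDirectory -FormsAuthentication $true
```

The SSL requirement on the virtual directories themselves is an IIS setting and is not changed by this script.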

22 Securing SMTP Connections from the Internet
Slide: Secure SMTP connections from the Internet may be required for IMAP4 or POP3 clients. To secure the SMTP connections:
- Enable TLS/SSL for SMTP client connections
- Use the Client Receive Connector (port 587)
- Ensure that anonymous relay is disabled
- Enable IMAP4 and POP3 selectively

Notes: Stress the importance of using TLS/SSL for all client connections. Students may not be familiar with the client receive connector that is enabled on each Hub Transport server. This connector uses TCP port 587 rather than TCP port 25, and it enables POP3 and IMAP4 clients to send e-mail through an e-mail server. RFC 2476 describes using this port to enable message submission from e-mail clients. Consider showing the configuration of the client receive connector.

Also, consider demonstrating how to check whether an SMTP server is configured to allow open relay. To do this, open the command prompt on a server with the Telnet client installed, and then type the following commands:
  Ehlo IS
  Mail from: (where the domain name is not the internal SMTP domain name on the SMTP server)
  Rcpt to: (where the domain name is not the internal SMTP domain name on the SMTP server)
If you receive an OK response, the server is enabled for open relay. If you receive a relay-denied response, the server is configured correctly.
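The telnet test above checks a server from the outside; as an added example (not from the course or Microsoft), the following script checks the same two slide bullets from the configuration side, so the result does not depend on which client address the test happens to come from. It assumes an Exchange Server 2010 Hub Transport server and discovers the connectors with Get-ReceiveConnector; the connector name in the remediation comments is a placeholder.

```powershell
# Added example: audit Hub Transport receive connectors for anonymous relay
# and for TLS on the client submission connector (TCP 587).
# Assumes an Exchange Server 2010 Exchange Management Shell.

# 1. Anonymous relay: a connector that grants NT AUTHORITY\ANONYMOUS LOGON the
#    extended right ms-Exch-SMTP-Accept-Any-Recipient relays for any sender
#    that can reach it, which is exactly what the telnet test detects.
$relayRight = "ms-Exch-SMTP-Accept-Any-Recipient"
$openRelays = Get-ReceiveConnector |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { (-not $_.Deny) -and ($_.ExtendedRights -like $relayRight) }
if ($openRelays) {
    $openRelays | ForEach-Object { Write-Warning "Anonymous relay allowed on: $($_.Identity)" }
} else {
    "No receive connector grants anonymous relay."
}

# 2. Client submission connector: Basic authentication must only be offered
#    after STARTTLS, i.e. AuthMechanism must list Tls and BasicAuthRequireTLS
#    whenever it lists BasicAuth.
Get-ReceiveConnector |
    Where-Object { $_.Bindings -match ":587$" } |
    ForEach-Object {
        $auth = "$($_.AuthMechanism)"    # e.g. "Tls, BasicAuth, BasicAuthRequireTLS, Integrated"
        $offersTls    = $auth -match "\bTls\b"
        $basicInClear = ($auth -match "\bBasicAuth\b") -and ($auth -notmatch "BasicAuthRequireTLS")
        if (-not $offersTls -or $basicInClear) {
            Write-Warning "$($_.Identity): clear-text logon possible (AuthMechanism = $auth)"
        } else {
            "$($_.Identity): OK, Basic authentication requires TLS (AuthMechanism = $auth)"
        }
    }

# Remediation for a connector flagged above (connector name is a placeholder):
# Remove-ADPermission -Identity "VAN-EX1\Client VAN-EX1" `
#     -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights $relayRight
# Set-ReceiveConnector -Identity "VAN-EX1\Client VAN-EX1" `
#     -AuthMechanism "Tls, BasicAuth, BasicAuthRequireTLS, Integrated"
```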

23 What Is a Reverse Proxy?

Slide: A reverse proxy provides:
- Security: Internet client connections are terminated on the reverse proxy
- Application layer filtering: Inspect the contents of network traffic
- SSL bridging: All connections to the reverse proxy and to the Client Access server are encrypted
- Load balancing: Arrays of reverse proxy servers can distribute network traffic for a single URL
- SSL offloading: SSL requests can be terminated on the reverse proxy

Notes: If students are not familiar with a reverse proxy, consider drawing a diagram on the whiteboard that shows the location of a reverse proxy. Then show how the reverse proxy acts as the termination point for all client connections, both unsecure and secure. Show how you can decrypt SSL connections on the reverse proxy, and how you can re-encrypt them before forwarding them to the Client Access server. Mention that reverse proxies only work with Web-based protocols, such as HTTP. You can configure a reverse proxy to forward SMTP, POP3, or IMAP4 connections, but the reverse proxy does not intercept or scan the client connections for these protocols.

24 Demonstration: Configuring Threat Management Gateway for Outlook Web App

Slide: In this demonstration, you will see how to configure an Outlook Web Access publishing rule.

Notes: Mention that the Microsoft Forefront™ Threat Management Gateway (TMG) is Microsoft's replacement for Internet Security and Acceleration Server. This server is one example of a reverse proxy, and it functions the same way as all reverse proxies.

Preparation: Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-TMG virtual machines are running. Log on to all virtual machines as Administrator with a password of Pa$$w0rd.

Demonstration steps:
1. On VAN-TMG, click Start, point to All Programs, click Microsoft Forefront TMG, and then click Forefront TMG Management.
2. Expand Forefront TMG, and then click Firewall Policy.
3. On the Firewall Policy Tasks pane, on the Tasks tab, click Publish Exchange Web Client Access.
4. On the Welcome to the New Exchange Publishing Rule Wizard page, type OWA Access Rule, and then click Next.
5. On the Select Services page, in the Exchange version list, click Exchange Server 2010, select the Outlook Web Access check box, and then click Next.
6. On the Publishing Type page, click Next.
7. On the Server Connection Security page, ensure that Use SSL to connect the published Web server or server farm is configured, and then click Next. When you configure this option, the TMG server re-encrypts all network traffic sent to the Client Access server.
8. On the Internal Publishing Details page, in the Internal site name text box, type VAN-EX1.Adatum.com, and then click Next.
9. On the Public Name Details page, ensure that This domain name (type below) is configured in the Accept requests for drop-down list. In the Public name box, type mail.Adatum.com, and then click Next.
10. On the Select Web Listener page, in the Web Listener drop-down list, click New. Web listeners are configuration objects on the TMG server that define how the server accepts client connections.
11. On the Welcome to the New Web Listener Wizard page, type HTTP Listener, and then click Next.
12. On the Client Connection Security page, click Do not require SSL secure connections from clients, and then click Next. Important: In a production environment, you should always use the option to Require SSL secured connections with clients. In this demonstration, the server is not configured with a server certificate, so HTTPS connections are not possible.
13. On the Web Listener IP Addresses page, select the External check box, and then click Next.
14. On the Authentication Settings page, accept the default of HTML Form Authentication, and then click Next.
15. On the Single Sign On Settings page, type Adatum.com as the SSO domain name, click Next, and then click Finish. Click OK.
16. Click Edit, and then on the Authentication tab, click Advanced.
17. Select the Allow client authentication over HTTP check box, and then click OK three times.
18. On the Select Web Listener page, click Next.
19. On the Authentication Delegation page, accept the default of Basic authentication, and then click Next.
20. On the User Sets page, accept the default, and then click Next.
21. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.
22. Click Apply twice to apply the changes, and then click OK once the changes are applied.

Question: Has your company deployed a reverse proxy? If so, what kind? How does your reverse proxy compare to the TMG?

Answer: Answers will vary. Many companies have deployed Internet Security and Acceleration (ISA) Server 2006, and are using it to secure messaging client connections. Other companies have deployed hardware-based reverse proxies. Most of the reverse proxies provide the same functionality, but the process for configuring the settings may be very different.

26 Lab: Securing Exchange Server 2010
Exercise 1: Configuring Exchange Server Permissions
Exercise 2: Configuring a Reverse Proxy for Exchange Server Access

In this lab, students will configure Exchange Server permissions, and then configure a reverse proxy for Exchange Server access.

Exercise 1
Inputs: Students will be provided with instructions for configuring Exchange Server permissions. The instructions will require that students use both the Exchange security groups and RBAC.
Outputs: Students will configure Exchange Server organization security using both built-in management roles and custom management roles.

Exercise 2
Inputs: Students will be provided with a set of instructions for configuring a proxy server to provide secure access to the Client Access server and Hub Transport server.
Outputs: Students will configure security for the Client Access server and Hub Transport server roles by configuring a reverse proxy.

Before the students begin the lab, read the scenario associated with each exercise to the class. This will reinforce the broad issue that the students are troubleshooting, and will help to facilitate the lab discussion at the module's end. Remind the students to complete the discussion questions after the last lab exercise.

Logon information
Virtual machines: 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2
User name: Administrator
Password: Pa$$w0rd
Estimated time: 60 minutes

27 Lab Scenario

A. Datum Corporation has deployed Exchange Server 2010. The company security officer has provided you with a set of requirements to ensure that the Exchange Server deployment is as secure as possible. The specific concerns included in the requirements are:

- Exchange Server administrators should have minimal permissions, which means that whenever possible, you should delegate Exchange Server management permissions.
- Ensure that client connections to the Client Access servers are as secure as possible by deploying a TMG server.

28 Lab Review

In the lab, you configured Exchange Server permissions by using a custom role group. How did you limit the types of tasks the delegated administrators could perform and on what objects they could perform the tasks?

How would the TMG configuration in the lab change if you were enabling access for an IMAP4 client?

Use the questions on the slide to guide the debriefing after students complete the lab exercises.

Question: In the lab, you configured Exchange Server permissions by using a custom role. How did you limit the types of tasks the delegated administrators could perform and on what objects they could perform the tasks?

Answer: You limited the types of tasks the delegated administrators could perform by removing some of the management role entries assigned to the OrganizationAdministrators management role. You limited what objects the delegated administrators could manage by limiting the management role scope to only specific Exchange Server cmdlets.

Question: How would the TMG configuration in the lab change if you were enabling access for an IMAP4 client?

Answer: You would need to configure a server publishing rule to publish the IMAP4 protocol on the Client Access server. You also need to configure a server-publishing rule to publish an SMTP server on a Hub Transport server.
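The two halves of the lab-review answer (trimming management role entries to limit the tasks, and a management scope to limit the objects) map onto a handful of Exchange Management Shell cmdlets. The following is an added example and not the course's lab script; the role, scope, OU, role group and member group names are all assumed, and it also shows the verification step a delegating administrator should run before handing the group over.

```powershell
# Added example (not from the course lab): delegate a restricted recipient-management role with RBAC.
# All names below are assumed: the role, scope, OU, role group and member group do not exist in the course.

# 1. Derive a custom role from the built-in "Mail Recipients" role.
#    The child starts with every management role entry (cmdlet plus parameters) of its parent.
New-ManagementRole -Name "Helpdesk Recipient Management" -Parent "Mail Recipients"

# 2. Limit the tasks: remove the destructive entries. A child role can only lose entries,
#    never gain ones its parent lacks, so the delegation can never exceed the parent role.
Get-ManagementRoleEntry -Identity "Helpdesk Recipient Management\*" |
    Where-Object { $_.Name -like "Remove-*" -or $_.Name -like "Disable-*" } |
    ForEach-Object { Remove-ManagementRoleEntry -Identity "Helpdesk Recipient Management\$($_.Name)" -Confirm:$false }

# 3. Limit the objects: a custom recipient write scope restricts which recipients the role may change.
#    Here the scope is one OU (assumed) and only user mailboxes within it.
New-ManagementScope -Name "Vancouver Mailboxes" -RecipientRoot "Adatum.com/Vancouver" -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 4. Bind role and scope together in a role group, and add the delegated administrators (assumed group).
New-RoleGroup -Name "Vancouver Helpdesk" -Roles "Helpdesk Recipient Management" -CustomRecipientWriteScope "Vancouver Mailboxes" -Members "HelpdeskStaff"

# 5. Verify the effective assignment: which role, and which read and write scopes, the group actually has.
Get-ManagementRoleAssignment -RoleAssignee "Vancouver Helpdesk" |
    Format-List Role, RecipientReadScope, RecipientWriteScope, CustomRecipientWriteScope
Get-ManagementRoleEntry -Identity "Helpdesk Recipient Management\*" | Sort-Object Name | Select-Object Name
```

The Remove-*/Disable-* filter in step 2 is deliberately coarse; review the remaining entries in step 5 and remove any further cmdlet the delegated staff do not need. Note that the write scope limits changes, while the read scope stays at the organization level, so the helpdesk can still see recipients outside its OU.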

29 Module Review and Takeaways
Review Questions
Common Issues and Troubleshooting Tips
Real-World Issues and Scenarios
Best Practices

Review Questions

Question: You need to enable members of the Human Resources department to configure user mailboxes for the entire organization. What should you do?

Answer: In most cases, you can accomplish this by just adding the members of the Human Resources department to the Recipient Management role group in AD DS or Active Directory. If the Recipient Management role group has more permissions than necessary, you may need to create a custom role group.

Question: Users in your organization are using POP3 clients from the Internet. These users report that they can receive e-mail, but not send e-mail. What should you do?

Answer: You will need to provide the users with an SMTP server that they can use to send e-mail. You should configure a Hub Transport server Receive Connector.

Question: Your organization has deployed Forefront TMG. You need to ensure that remote users can access the Client Access server inside the organization by using cellular mobile clients. What should you do?

Answer: You will need to configure an Exchange ActiveSync publishing rule in TMG that enables access to the required virtual directories on the Client Access server.

Common Issues and Troubleshooting Tips

Point the students to possible troubleshooting tips for the issues that this section presents.

Real-World Issues and Scenarios

Question: Your organization has configured an SMTP Receive connector on an Edge Transport server to enable IMAP4 users to relay messages. However, you discover that your Edge Transport server is being used to relay spam to other organizations. What should you do?

Answer: When you configured the Edge Transport server to relay messages for IMAP4 users, you enabled anonymous relaying for all users. You will need to disable message relaying on the Edge Transport server, and enable authenticated relaying on a Hub Transport server.

Question: You have added the ServerAdmins group in your organization to the Exchange Server Server Management group in AD DS or Active Directory. All the members of the ServerAdmins group report that they receive errors when they start the Exchange Management Console. What should you do?

Answer: You need to enable all of the members of the ServerAdmins group to run remote Windows PowerShell™ cmdlets.
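The POP3 review question, the open-relay scenario and the remote PowerShell scenario above share one fix pattern: give POP3/IMAP4 users an authenticated submission connector on a Hub Transport server, revoke the anonymous relay grant on the Edge Transport connector, and re-enable remote PowerShell for the affected accounts. The following is an added example, not part of the course; the server names VAN-EX1 and VAN-EDGE1, the connector name "Internet Relay", the user ServerAdmin1 and the FQDN mail.adatum.com are assumed, and the ADPermission cmdlets are assumed to be available in the Edge Transport server's local shell.

```powershell
# Added example (not part of the course): authenticated client submission on a Hub Transport server,
# revoking anonymous relay on an Edge Transport connector, and re-enabling remote PowerShell.
# Assumed names: VAN-EX1 (Hub Transport), VAN-EDGE1 and its "Internet Relay" connector, user ServerAdmin1.

# 1. On the Hub Transport server: a Client-usage Receive connector on the submission port (587).
#    ExchangeUsers grants relay only to authenticated Exchange users, and BasicAuthRequireTLS means
#    Basic credentials are accepted only after STARTTLS, so POP3/IMAP4 clients never send passwords in clear.
New-ReceiveConnector -Name "Client Submission" -Server VAN-EX1 -Usage Client `
    -Bindings 0.0.0.0:587 -RemoteIPRanges 0.0.0.0-255.255.255.255 `
    -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS -PermissionGroups ExchangeUsers `
    -Fqdn mail.adatum.com

# Confirm that AnonymousUsers is not in the permission groups of the new connector.
Get-ReceiveConnector -Identity "VAN-EX1\Client Submission" | Format-List Bindings, AuthMechanism, PermissionGroups

# 2. On the Edge Transport server (run locally): list who holds the "accept any recipient" extended right.
#    That right, granted to anonymous logon, is exactly what turns an inbound connector into an open relay.
Get-ReceiveConnector | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" } |
    Format-Table Identity, User, Deny -AutoSize

# 3. Revoke the right from anonymous logon on the offending connector. Inbound Internet mail for the
#    organization's own accepted domains still works, because AnonymousUsers stays in PermissionGroups.
Remove-ADPermission -Identity "VAN-EDGE1\Internet Relay" -User "NT AUTHORITY\ANONYMOUS LOGON" `
    -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient" -Confirm:$false

# 4. The management tools run over remote PowerShell; an account that is in the right role group but has
#    RemotePowerShellEnabled set to $false gets errors when it opens the Exchange Management Console.
Get-User -Identity "ServerAdmin1" | Format-List Name, RemotePowerShellEnabled
Set-User -Identity "ServerAdmin1" -RemotePowerShellEnabled $true
```

Re-run step 2 after the change; the right should no longer appear for anonymous logon on any connector. For a whole group such as ServerAdmins, pipe the group members into Set-User rather than repeating step 4 per user.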

30 Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.
Course 10135A, Module 10: Securing Exchange Server 2010

Question: Your organization is planning to deploy Forefront TMG to enable access to a Client Access server from the Internet. The organization is concerned about the cost of acquiring multiple certificates to enable access, but also wants to ensure that users do not receive certificate-related errors. What should you do?

Answer: To ensure that users do not receive certificate errors, you will need to purchase a certificate from a public CA. You can request a certificate with multiple SANs or use a wildcard certificate to ensure that the one certificate can be used for all client connections. You then can use the same certificate on the Client Access server, or use a certificate from a private CA on the Client Access server.

Best Practices

Help the students understand the best practices that this section presents. Ask students to consider these best practices in the context of their own business situations.
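The single-certificate answer above is, in practice, one request that lists every client-facing name as a SAN, followed by binding the issued certificate to the Client Access services and exporting it (with its private key) for the TMG web listener. The following is an added example, not part of the course; the host names mail.adatum.com and autodiscover.adatum.com and the file paths are assumed.

```powershell
# Added example (not part of the course): one public-CA certificate covering every client name,
# enabled on the Client Access server and exported for the TMG web listener.
# Assumed: the host names mail.adatum.com / autodiscover.adatum.com and the C:\Certs paths.

# 1. Generate one request with every name clients will connect to as a SAN. The CN must also appear in
#    DomainName. One request, one purchase, and no name-mismatch warnings in the client.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=CA, O=A. Datum Corporation, CN=mail.adatum.com" `
    -DomainName mail.adatum.com, autodiscover.adatum.com `
    -PrivateKeyExportable $true
Set-Content -Path "C:\Certs\mail.adatum.com.req" -Value $request

# 2. After the CA returns the signed certificate, import it and bind it to the services the TMG rule
#    reaches: IIS for Outlook Web App, ActiveSync and Outlook Anywhere, SMTP for TLS on the connectors.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path "C:\Certs\mail.adatum.com.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# 3. Verify which names the certificate covers, which services use it, and when it expires.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, CertificateDomains, Services, NotAfter

# 4. Export the certificate with its private key as a password-protected PFX for the TMG web listener.
#    Keep this file off shared storage and delete it once TMG has imported it.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path "C:\Certs\mail.adatum.com.pfx" -Value $pfx.FileData -Encoding Byte
```

If a wildcard certificate is chosen instead, replace the DomainName list with *.adatum.com; the remaining steps are unchanged. The CertificateDomains check in step 3 is the quickest way to catch a missing name before clients do.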

