70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration
Chapter 10: Securing Exchange Server 2003

Slide 2: Objectives
Understand how to administer permissions within Exchange Server 2003
Understand the process of delegating authority within an Exchange Server 2003 organization
Understand the concepts behind a Public Key Infrastructure

Slide 3: Objectives (continued)
Describe how to install and configure a Windows 2000/2003 Public Key Infrastructure
Describe the use of SSL/TLS for securing communication between two computers
Understand how to make use of certificates to encrypt and sign e-mail

Slide 4: Securing Exchange Server 2003
Most Exchange Server security features are provided by Windows 2000/2003
Windows operating system security features:
  – Mechanisms for address authentication and access control
  – Public Key Infrastructure (PKI) provided by the OS
Exchange Server 2003 features:
  – Mechanisms securing message delivery (SSL/TLS)
  – S/MIME uses the PKI to send encrypted and signed messages

Slide 5: Administering Permissions Within Exchange Server 2003
Manage security by assigning permissions in Active Directory
Utilize the security model of Windows 2000/2003
Objects are secured by a Discretionary Access Control List (DACL), which is a list of individual Access Control Entries (ACEs)
Object permissions are configured using the Security tab in Exchange System Manager
Permissions may be granted or denied
  – A denied permission overrides any grant of the same permission

Slide 6: Administering Permissions Within Exchange Server 2003 (continued)
Permissions are assigned directly or inherited
A parent object occupies a higher position in the hierarchy
Permissions are inherited through the organizational hierarchy
  – The Organization node is at the top of the hierarchy
  – All other nodes inherit from the Organization node
Pointers on assigning permissions:
  – Apply them to container objects such as administrative groups
  – Use Exchange System Manager to apply them directly
  – Inheritance of permissions may be blocked

Slide 7: Administering Permissions Within Exchange Server 2003 (continued)
Two types of permissions: standard and extended
Standard permissions are part of the default permissions for Active Directory
  – Example: specify which users are in the Administrators group
Extended permissions provide specific administrative control
  – Added when Exchange Server 2003 is installed
  – Example: Administer Information Store specifies which users or groups can change Information Store objects

Slide 10: Administering Permissions Within Exchange Server 2003 (continued)
Two extended permissions to use with care:
  – Send As: gives a user or group permission to impersonate a user
  – Receive As: gives a user or group the capability to open another user's mailbox
Permissions are used at different levels:
  – Organization (global) level: passed to all lower levels
  – Server level: passed to the child nodes of the permissioned server
  – Storage group level: passed to mailbox and public folder stores
  – Individual node level: assigned on a particular basis

Slide 11: Activity 10-1: Configuring the Security Tab Within Exchange System Manager
Time Required: 10 to 20 minutes
Objective: Enable the Security tab for all objects within Exchange System Manager
Description: Configure Exchange System Manager to display the Security tab for all objects within the organization. Exchange System Manager should be configured to display the Security tab on each system in your organization.

Slide 12: Activity 10-2: Assigning Permissions
Time Required: 10 to 20 minutes
Objective: Set the permissions within Exchange System Manager
Description: Create the Helpdesk global group and then set the permissions on the First Administrative Group to grant the Helpdesk global group permissions to administer the First Administrative Group. The permissions are then inherited by all objects beneath the First Administrative Group.

Slide 14: Activity 10-3: Blocking Inheritance
Time Required: 10 to 20 minutes
Objective: Block permission inheritance on an object
Description: You override or stop inheriting permissions from the First Administrative Group container. After creating a new global group, you set the permissions on the First Routing Group to disallow inheritance, set the permissions on the First Administrative Group, and then look at the permissions on the First Routing Group to determine if any are inherited.

Slide 19: Delegating Authority
Administrative models for an organization:
  – Centralized: one group maintains global control
  – Decentralized: a separate administrative group for each group of Exchange administrators
  – Mixed: combines centralized and decentralized
Exchange Administration Delegation Wizard
  – Grants different types of permissions to different users or groups
  – Supports three roles: Exchange Full Administrator, Exchange Administrator, Exchange View Only Administrator

Slide 23: Delegating Authority (continued)
Scope of objects on which a user or group has permissions:
  – Determined by the location where the Delegation Wizard is started
  – Typical starting locations:
    Organization: propagates down the whole hierarchy
    Administrative group object: propagates to the objects inside that group

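The permission rules on slides 5 to 10, the two activities (grant to the Helpdesk group at the First Administrative Group, then block inheritance on the First Routing Group) and the Delegation Wizard's scope rule on slides 19 and 23 can be put into one runnable model. The block below is an added example, not code from the textbook; the node names follow the activities, while the rights attached to the three wizard roles are a constructed approximation (the slides name the roles but not their exact rights). It models the slide's simple "deny overrides allow" rule rather than Windows' order-based ACE evaluation.

```python
"""Model of Exchange Server 2003 / Active Directory permission evaluation as the
slides describe it: a DACL of ACEs per object, allow or deny, inheritance down the
Organization -> administrative group -> server -> storage group hierarchy, optional
blocking of inheritance, and the Delegation Wizard applying a role at a scope.
Added example; node names and role-to-right mappings are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Ace:
    """One Access Control Entry: a principal, the rights it covers, allow or deny."""
    principal: str
    rights: frozenset
    allow: bool = True


@dataclass
class Node:
    """One object in the Exchange System Manager hierarchy."""
    name: str
    parent: Optional["Node"] = None
    aces: list = field(default_factory=list)   # the object's own (explicit) ACEs
    block_inheritance: bool = False             # Activity 10-3: stop inheriting

    def effective_dacl(self):
        """Explicit ACEs plus those inherited from ancestors, walking up towards the
        Organization node and stopping at the first node that blocks inheritance."""
        dacl, node = [], self
        while node is not None:
            dacl.extend(node.aces)
            if node.block_inheritance:
                break
            node = node.parent
        return dacl


def has_permission(node, principals, right):
    """Slide rule: a denied permission overrides any grant, wherever each ACE lives.
    (Windows' real algorithm is order-based and lets an explicit allow beat an
    inherited deny; the slides' simpler rule is what is modelled here.)
    `principals` is the user plus every group it belongs to."""
    allowed = denied = False
    for ace in node.effective_dacl():
        if ace.principal in principals and right in ace.rights:
            if ace.allow:
                allowed = True
            else:
                denied = True
    return allowed and not denied


# Constructed approximation of the Delegation Wizard's three roles. The slides name
# the roles but not their exact rights; only the ordering view-only < administrator
# < full administrator is taken from them.
ROLES = {
    "Exchange View Only Administrator": frozenset({"Read"}),
    "Exchange Administrator": frozenset({"Read", "Write"}),
    "Exchange Full Administrator": frozenset({"Read", "Write", "Change Permissions"}),
}


def delegate(scope, principal, role):
    """Run the wizard 'from' a node: the role's rights are granted at that scope and
    propagate to everything beneath it through ordinary inheritance."""
    scope.aces.append(Ace(principal, ROLES[role], allow=True))


def build_org():
    """Constructed hierarchy mirroring the names used in Activities 10-2 and 10-3."""
    org = Node("Organization")
    admin_group = Node("First Administrative Group", org)
    routing_group = Node("First Routing Group", admin_group)
    server = Node("Server1", admin_group)
    storage_group = Node("First Storage Group", server)
    mailbox_store = Node("Mailbox Store", storage_group)
    return org, admin_group, routing_group, server, storage_group, mailbox_store


def demo():
    org, admin_group, routing_group, server, storage_group, mailbox_store = build_org()
    helpdesk = {"alice", "Helpdesk"}   # user alice, member of the Helpdesk global group

    # Activity 10-2: grant Helpdesk administration of the First Administrative Group.
    delegate(admin_group, "Helpdesk", "Exchange Administrator")
    inherited_on_store = has_permission(mailbox_store, helpdesk, "Write")

    # Activity 10-3: block inheritance on the First Routing Group.
    routing_group.block_inheritance = True
    blocked_on_routing = has_permission(routing_group, helpdesk, "Write")

    # Wizard started at the Organization: Full Administrator propagates everywhere.
    delegate(org, "Exchange Admins", "Exchange Full Administrator")
    full_on_store = has_permission(mailbox_store, {"bob", "Exchange Admins"}, "Change Permissions")

    # Slide 10: a deny on 'Send As' at the Organization beats an allow further down.
    org.aces.append(Ace("Helpdesk", frozenset({"Send As"}), allow=False))
    server.aces.append(Ace("Helpdesk", frozenset({"Send As"}), allow=True))
    send_as_on_store = has_permission(mailbox_store, helpdesk, "Send As")

    return inherited_on_store, blocked_on_routing, full_on_store, send_as_on_store


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The four results show the four rules in order: the grant at the administrative group reaches the mailbox store through inheritance, the routing group that blocks inheritance no longer receives it, a role delegated at the Organization scope reaches every node, and a deny placed high in the hierarchy cannot be undone by an allow placed lower down.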
Slide 24: Public Key Infrastructures
Public Key Infrastructure (PKI)
  – A set of digital certificates and certification authorities
  – Verifies the identity of sending and receiving parties on the network
Exchange Server and Key Management Service
  – The Key Management Service (KMS) has been removed
  – Key archival and recovery tasks have been passed to the operating system

Slide 25: Key-Based Cryptography
Two types of cryptographic algorithms:
  – Symmetric or secret key
  – Asymmetric or public key
Symmetric cryptography
  – Sender and receiver share a single, predetermined key
  – The same key encrypts and decrypts the transmitted message
  – Symmetric: the same key is used on both ends
Weakness of symmetric cryptography
  – Sender and receiver must exchange the shared key before encrypted communication can begin
  – The shared key may be intercepted while it is being exchanged

Slide 26: Key-Based Cryptography (continued)
Public key cryptography
  – Solves the problem of insecure transmission of the shared key
  – Uses asymmetric keys: the encryption key and the decryption key are different, so the encryption key need not be kept secret
  – Applies a "trapdoor one-way" mathematical function to the plaintext message to create the encrypted message: easy to compute in the encryption direction, infeasible to reverse without the trapdoor (the private key)

Slide 27: Key-Based Cryptography (continued)
Example of public key cryptography
  – Alice uses Bob's public key to encrypt a message to Bob
  – Bob uses his private key (which is never transmitted) to decrypt it
  – Eve, listening on the channel, never sees Bob's private key and so cannot decrypt the message

Slide 28: Certificates, Certificate Authorities, and Trust
Encrypting messages with a public key encryption system
  – Senders need access to the public keys of the intended recipients
  – A third party acts as a repository for users' public keys
  – The third party verifies the public keys
  – The Windows Server 2003 built-in PKI performs these tasks
Two most important PKI features:
  – Digital certificate: contains the public key and user data
  – Certification authority (CA): issues and validates the certificate

Slide 29: Certificates, Certificate Authorities, and Trust (continued)
Certification authorities:
  – A third party such as Thawte or VeriSign
  – Windows Server 2003 configured as a CA
Certificate chain
  – Several CAs are involved in a transmission
  – The trusted root certificate lies at the top level of the chain

Slide 30: Certificates, Certificate Authorities, and Trust (continued)
Example of using a CA
  – Bob receives an encrypted message from Alice
  – Bob references a trusted CA to verify Alice's public key
  – Another CA verifies the public key of each CA further up the chain, up to the trusted root

Slide 31: Windows 2003 Public Key Infrastructures
Active Directory maintains information for the CA:
  – Account names
  – Group memberships
  – Certificate templates
  – CAs installed in the domain
  – Certificate mappings to user accounts, used for authenticating clients and controlling access to network resources
Install Windows 2000/2003 Certificate Services to create a CA

Slide 32: Windows 2003 Public Key Infrastructures (continued)
Enterprise certificate servers are Active Directory integrated
Stand-alone CAs may be members of a domain or a workgroup
Differences between a stand-alone and an enterprise CA:
  – A stand-alone CA stores its data in a local database
  – A stand-alone CA does not use certificate templates
Either rooted or cross-certification hierarchies may be established

Slide 33: Windows 2003 Public Key Infrastructures (continued)
A rooted hierarchy is the most common CA structure
  – Defines either a stand-alone or an enterprise root CA
  – The root CA issues itself a certificate (self-signed)
  – Below the root are enterprise or stand-alone CAs
  – The root CA issues certificates to subordinate CAs
  – Issuing CAs may exist below the subordinate CAs
Cross-certification CA: acts as both root and subordinate
  – Used between organizations seeking to establish certificate trust
  – Used by participants that have existing CA hierarchies

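Slides 25 to 30 and 33 describe shared-key cryptography, the trapdoor one-way function behind public key cryptography, the Alice/Bob/Eve exchange, certificate chains that end at a trusted root, and the rooted hierarchy (root CA, subordinate CA, issuing CA). The block below is an added example that puts all of those into one runnable model; it is not textbook or Microsoft code. It uses textbook RSA with deliberately tiny, deterministically chosen primes as the trapdoor function, a SHA-256 keystream as the shared-key cipher, and constructed names (Root CA, Subordinate CA, Issuing CA, bob@example.com, a "Rogue CA"); it is a model of the ideas, not a usable cryptographic library.

```python
"""Toy model of the PKI concepts on slides 25 to 33: a shared-key cipher, textbook
RSA as the trapdoor one-way function, hybrid encryption and signatures between
Alice and Bob, and validation of a certificate chain up to a trusted root in a
rooted CA hierarchy. Added example with deliberately tiny keys; not real crypto."""
import hashlib
import math
import secrets


def next_prime(n):
    """Smallest prime >= n by trial division (cheap at the toy sizes used here)."""
    while True:
        if n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1)):
            return n
        n += 1


def keygen(seed, e=65537):
    """Textbook RSA keypair from a deterministic seed: returns ((n, e), (n, d)).
    Factoring n is the hard direction; d is the trapdoor that makes decryption easy."""
    p = next_prime(seed)
    while True:
        q = next_prime(p + 1)
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))
        p = q


def rsa(x, key):
    """Modular exponentiation with either half of a keypair (x must be < n)."""
    n, exponent = key
    return pow(x, exponent, n)


def symmetric(key, data):
    """Toy shared-key stream cipher: XOR with a SHA-256 keystream. Calling it again
    with the same key decrypts, which is the 'same key on both ends' property."""
    out = bytearray()
    for i, byte in enumerate(data):
        block = hashlib.sha256(key.to_bytes(8, "big") + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def seal(plaintext, recipient_pub):
    """Alice -> Bob: a fresh session key is wrapped with Bob's public key and the body
    is encrypted under that session key (the hybrid scheme S/MIME also uses)."""
    n, _ = recipient_pub
    session_key = secrets.randbelow(n - 2) + 2
    return rsa(session_key, recipient_pub), symmetric(session_key, plaintext)


def unseal(wrapped_key, body, recipient_priv):
    """Bob recovers the session key with his private key, which never left his machine."""
    return symmetric(rsa(wrapped_key, recipient_priv), body)


def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, priv):
    return rsa(digest_int(data, priv[0]), priv)


def verify(data, signature, pub):
    return rsa(signature, pub) == digest_int(data, pub[0])


def to_be_signed(subject, pub, issuer):
    """The certificate fields the issuer's signature covers."""
    return f"{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()


def issue(subject, subject_pub, issuer, issuer_priv):
    """A CA binds a subject name to a public key by signing the pair."""
    return {"subject": subject, "pub": subject_pub, "issuer": issuer,
            "sig": sign(to_be_signed(subject, subject_pub, issuer), issuer_priv)}


def validate_chain(chain, trusted_roots):
    """chain[0] is the end-entity certificate, chain[-1] the root. Every certificate
    must be signed by the key in the next one up, and the root must be self-signed
    AND present in the receiver's trust store; a valid but untrusted root fails."""
    for cert, issuer_cert in zip(chain, chain[1:]):
        fields = to_be_signed(cert["subject"], cert["pub"], cert["issuer"])
        if cert["issuer"] != issuer_cert["subject"] or not verify(fields, cert["sig"], issuer_cert["pub"]):
            return False
    root = chain[-1]
    root_fields = to_be_signed(root["subject"], root["pub"], root["issuer"])
    return (root["subject"] == root["issuer"] and verify(root_fields, root["sig"], root["pub"])
            and root["pub"] in trusted_roots)


# Constructed rooted hierarchy: root CA -> subordinate CA -> issuing CA -> Bob,
# plus a second, self-signed root that nobody trusts.
ROOT_PUB, ROOT_PRIV = keygen(1_000_000)
SUB_PUB, SUB_PRIV = keygen(2_000_000)
ISSUING_PUB, ISSUING_PRIV = keygen(3_000_000)
BOB_PUB, BOB_PRIV = keygen(4_000_000)
ALICE_PUB, ALICE_PRIV = keygen(5_000_000)
ROGUE_PUB, ROGUE_PRIV = keygen(6_000_000)

ROOT_CERT = issue("Root CA", ROOT_PUB, "Root CA", ROOT_PRIV)
SUB_CERT = issue("Subordinate CA", SUB_PUB, "Root CA", ROOT_PRIV)
ISSUING_CERT = issue("Issuing CA", ISSUING_PUB, "Subordinate CA", SUB_PRIV)
BOB_CERT = issue("bob@example.com", BOB_PUB, "Issuing CA", ISSUING_PRIV)
ROGUE_ROOT = issue("Rogue CA", ROGUE_PUB, "Rogue CA", ROGUE_PRIV)
BOB_ROGUE_CERT = issue("bob@example.com", BOB_PUB, "Rogue CA", ROGUE_PRIV)


def demo():
    trust_store = {ROOT_PUB}                            # the receiver's trusted roots
    chain_ok = validate_chain([BOB_CERT, ISSUING_CERT, SUB_CERT, ROOT_CERT], trust_store)
    rogue_ok = validate_chain([BOB_ROGUE_CERT, ROGUE_ROOT], trust_store)
    message = b"Quarterly figures attached"
    wrapped, body = seal(message, BOB_CERT["pub"])      # Alice encrypts to Bob
    signature = sign(message, ALICE_PRIV)               # and signs with her own key
    eve_guess = symmetric(rsa(wrapped, BOB_PUB), body)  # Eve holds only public data
    return (chain_ok, rogue_ok, unseal(wrapped, body, BOB_PRIV) == message,
            verify(message, signature, ALICE_PUB),
            verify(b"Quarterly figures altered", signature, ALICE_PUB),
            eve_guess == message)
```

`demo()` returns six booleans: the four-certificate chain validates, the chain ending at the untrusted "Rogue CA" does not even though every signature in it is valid, Bob decrypts with his private key, Alice's signature verifies on the original message but not on an altered one, and Eve, holding only the public key and the ciphertext, recovers nothing. The rogue case is the point of slides 29 and 30: a chain is only as good as the root the receiver has chosen to trust.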
Slide 36: Activity 10-4: Installing Certificate Services
Time Required: 10 to 20 minutes
Objective: Install Certificate Services into a domain
Description: Install Certificate Services on your back-end server. You install an enterprise CA for the forest, as you will need to issue certificates to other entities in later activities.

Slide 38: Securing Communications
Require SSL/TLS for secure SMTP connections
SSL 3.0 is the basis for the Transport Layer Security protocol (TLS 1.0)
SSL/TLS secures client-to-server and server-to-server traffic
SSL/TLS secures POP/IMAP and OWA traffic in a client-to-server scenario
SSL/TLS secures traffic between two back-end servers in a server-to-server scenario

Slide 39: Securing Communications (continued)
SMTP servers use port 25 by default
A server that requires SSL/TLS for a port cannot also accept unencrypted SMTP sessions on port 25 (the "port 25 problem")
Solution to the port 25 problem: the Extended SMTP protocol (ESMTP)
ESMTP features:
  – Clients query servers to discover the features they support
  – The keyword STARTTLS tells the client whether SSL/TLS is available on the port
  – If SSL/TLS is available, the servers may upgrade the session and transmit securely

Slide 40: Securing Communications (continued)
Select one of the following three scenarios when enabling SSL/TLS:
  – Force SSL/TLS for all e-mail traffic
  – Enable SSL/TLS for specific domains
  – Enable SSL/TLS for inbound e-mail
To secure client-to-server traffic:
  – Install certificates on the virtual servers involved
  – Enable the servers to require TLS encryption
  – Acquire a digital certificate for the POP3 and SMTP virtual servers

Slide 41: Activity 10-5: Configuring a POP3 Server for SSL/TLS Encryption
Time Required: 20 to 40 minutes
Objective: Configure POP3 and SMTP for SSL/TLS encryption with a POP3 client
Description: Configure your back-end server to force the POP3 client to negotiate an SSL/TLS connection before user credentials are sent to the server. You also need to encrypt the client traffic being sent by requesting and installing a certificate on the back-end server's default SMTP virtual server.

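Slides 39 and 40 describe the ESMTP discovery step, the STARTTLS keyword and the three deployment choices (force for all traffic, specific domains, inbound only), and Activity 10-5 stresses that the upgrade has to happen before credentials are sent. The block below is an added example, not textbook or Microsoft code: it models both sides of the exchange as plain Python so the transcript and the outcome of each policy can be inspected offline. Hostnames, the policy names (`force`, `domains`, `opportunistic`) and the placeholder credential string are constructed; the reply codes are the standard SMTP/RFC 3207 ones. The "opportunistic" case is included so the risk the slides warn about is visible: with no certificate on the server, the client falls back to clear text and the credentials cross the wire unprotected.

```python
"""Model of the ESMTP STARTTLS negotiation on slides 39 to 41: the client asks
what the server supports (EHLO), looks for the STARTTLS keyword, upgrades the
session on the same port 25, and only then authenticates. Added example; the
hostnames and policy names are constructed, the reply codes follow SMTP/RFC 3207."""


class SmtpVirtualServer:
    """Minimal server model. supports_tls: a certificate is installed on the virtual
    server. require_tls: the server refuses AUTH/MAIL before TLS (slide 40's
    'enable servers to require TLS encryption', the inbound-only scenario)."""

    def __init__(self, name, supports_tls=True, require_tls=False):
        self.name, self.supports_tls, self.require_tls = name, supports_tls, require_tls
        self.tls_active = False

    def respond(self, command):
        verb = command.split(" ", 1)[0].upper()
        if verb == "EHLO":
            lines = [f"250-{self.name} Hello", "250-8BITMIME"]
            if self.supports_tls and not self.tls_active:   # advertised only before the upgrade
                lines.append("250-STARTTLS")
            return lines + ["250 AUTH LOGIN PLAIN"]
        if verb == "STARTTLS":
            if not self.supports_tls:
                return ["454 4.7.0 TLS not available due to temporary reason"]
            self.tls_active = True        # a real server runs the TLS handshake here
            return ["220 2.0.0 Ready to start TLS"]
        if verb in ("AUTH", "MAIL") and self.require_tls and not self.tls_active:
            return ["530 5.7.0 Must issue a STARTTLS command first"]
        if verb == "AUTH":
            return ["235 2.7.0 Authentication successful"]
        if verb == "MAIL":
            return ["250 2.1.0 Sender OK"]
        if verb == "QUIT":
            return ["221 2.0.0 Goodbye"]
        return ["500 5.5.1 Command unrecognized"]


def deliver(server, policy, peer_domain, tls_domains=frozenset()):
    """Client side. policy is one of the slide's choices:
      'force'         force SSL/TLS for all e-mail traffic
      'domains'       SSL/TLS only for the domains in tls_domains
      'opportunistic' use TLS if offered, otherwise fall back to clear text (the
                      weak default, shown so the risk is visible)
    Returns what happened, including whether credentials crossed the wire in clear."""
    transcript = []

    def send(command):
        replies = server.respond(command)
        transcript.append("C: " + command)
        transcript.extend("S: " + r for r in replies)
        return replies

    def capabilities():
        return {r[4:].split()[0].upper() for r in send("EHLO client.example.com") if r[:3] == "250"}

    must_tls = policy == "force" or (policy == "domains" and peer_domain in tls_domains)
    tls = False
    if "STARTTLS" in capabilities() and (must_tls or policy == "opportunistic"):
        if send("STARTTLS")[0].startswith("220"):
            tls = True
            capabilities()            # RFC 3207: re-issue EHLO after the upgrade
    if must_tls and not tls:
        send("QUIT")
        return {"delivered": False, "tls": False, "credentials_in_clear": False,
                "reason": "TLS required by client policy but not negotiated", "transcript": transcript}
    auth = send("AUTH PLAIN <base64 credentials>")    # credentials go on the wire here
    if auth[0].startswith("530"):
        send("QUIT")
        return {"delivered": False, "tls": tls, "credentials_in_clear": not tls,
                "reason": "server requires TLS before authentication", "transcript": transcript}
    send("MAIL FROM:<alice@example.com>")
    send("QUIT")
    return {"delivered": True, "tls": tls, "credentials_in_clear": not tls,
            "reason": "", "transcript": transcript}


def scenarios():
    """Constructed cases for each policy against servers with and without a certificate."""
    return {
        "force, server has certificate":
            deliver(SmtpVirtualServer("mx.example.com"), "force", "example.com"),
        "force, server has no certificate":
            deliver(SmtpVirtualServer("mx.legacy.test", supports_tls=False), "force", "legacy.test"),
        "opportunistic, server has no certificate":
            deliver(SmtpVirtualServer("mx.legacy.test", supports_tls=False), "opportunistic", "legacy.test"),
        "domains, peer not listed, server requires TLS":
            deliver(SmtpVirtualServer("mx.example.com", require_tls=True), "domains", "example.com",
                    frozenset({"partner.test"})),
        "domains, peer listed":
            deliver(SmtpVirtualServer("mx.partner.test"), "domains", "partner.test", frozenset({"partner.test"})),
    }
```

Two of the cases deserve a look at their transcripts. In the opportunistic case nothing fails, which is exactly the problem: the message is delivered and `credentials_in_clear` is `True`. In the case where the server requires TLS but the client's policy did not ask for it, the server's `530` reply stops the session, but the `AUTH PLAIN` line has already been sent, so a server-side requirement protects the mail flow without protecting a client that authenticates before upgrading; that is why Activity 10-5 forces the negotiation on the client side before credentials are sent.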
Slide 44: Activity 10-6: Configuring a POP3 Client for Access to a Secure POP3 Server
Time Required: 20 to 40 minutes
Objective: Configure Outlook Express for communication with a secure POP3 server
Description: Your front-end server acts as the client. On the front-end server, you configure Outlook Express to support SSL/TLS encryption with the back-end server. Before configuring your client, you need to download the root certificate to establish trust in the certificate that was installed on the back-end server.

Slide 46: E-Mail Encryption
The S/MIME protocol is an updated version of MIME
  – Ensures "end-to-end" security
  – Sends secure e-mail by digitally signing or encrypting it
  – Recipients decrypt messages upon receipt
S/MIME enables compatibility and authentication between different organizations and vendors
Obtain a client certificate before configuring Outlook 2003 for secure messaging

Slide 47: Activity 10-7: Configuring Outlook 2003 for S/MIME
Time Required: 20 to 40 minutes
Objective: Obtain a digital certificate for your Outlook client
Description: You obtain a digital certificate for your Outlook clients to enable secure transfer of e-mail between them. Each client will obtain a certificate from the CA.

Slide 49: Activity 10-8: Sending Encrypted and Signed E-Mail
Time Required: 10 to 20 minutes
Objective: Send encrypted and signed e-mail between two Outlook clients
Description: You send an encrypted and digitally signed e-mail between two Outlook e-mail clients and reply to the e-mail that was sent.

Slide 51: Summary
Permissions may be assigned directly or inherited
Two permission types: standard and extended
Standard permissions are part of Active Directory
Extended permissions are added when Exchange is installed
The Exchange Administration Delegation Wizard assigns administrative roles

Slide 52: Summary (continued)
A PKI manages public key-based applications using public key cryptography
In symmetric key cryptography, the encryption and decryption keys are identical
Public key cryptography uses asymmetric keys
Certificates verify the identities of senders and receivers
A CA issues and validates digital certificates

Slide 53: Summary (continued)
Root certificate: the certificate at the root of a certification authority hierarchy that a receiver accepts as authentic
SSL/TLS encrypts and secures client-to-server and server-to-server traffic
Use an SMTP connector for server-to-server SSL/TLS
The S/MIME protocol digitally signs or encrypts e-mails
S/MIME is an updated version of the MIME encoding standard