Presentation is loading. Please wait.

Presentation is loading. Please wait.

70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter 10 Securing Exchange Server 2003.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter 10 Securing Exchange Server 2003."— Presentation transcript:

1 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter 10 Securing Exchange Server 2003

2 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 2 Objectives Understand how to administer permissions within Exchange Server 2003 Understand the process of delegating authority within an Exchange Server 2003 organization Understand the concepts behind a Public Key Infrastructure

3 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 3 Objectives (continued) Describe how to install and configure a Windows 2000/2003 Public Key Infrastructure Describe the use of SSL/TLS for securing communication between two computers Understand how to make use of certificates to encrypt and sign e-mail

4 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 4 Securing Exchange Server 2003 Most Exchange Server security features are provided by Windows 2000/2003 Windows operating system security features: –Mechanisms for address authentication and access control –Public Key Infrastructure (PKI) provided by the OS Exchange Server 2003 features: –Mechanisms securing message delivery (SSL/TLS) –S/MIME uses PKI to send encrypted/signed messages

5 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 5 Administering Permissions Within Exchange Server 2003 Manage security by assigning permissions in Active Directory Utilize security model of Windows 2000/2003 Secure objects with two lists: –Discretionary Access Control List (DACL) –Individual Access Control Entries (ACE) Object permissions are configured using the Security tab in Exchange System Manager Permissions may be granted or denied –Denied permission overrides instances of approvals

6 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 6 Administering Permissions Within Exchange Server 2003 (continued) Permissions are assigned directly or inherited Parent object occupies a higher position in the hierarchy Permissions are inherited through organizational hierarchy –Organization node is at the top of hierarchy –All other nodes inherit from the Organization node Pointers on assigning permissions: –Apply to container objects like administrative groups –Use Exchange System Manager to directly apply –Inheritance of permissions may be blocked

7 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 7 Administering Permissions Within Exchange Server 2003 (continued) Two types of permissions: standard and extended Standard permissions are part of the default permissions for Active Directory –Ex: specify which users are in Administrators group Extended permissions provide specific administrative control –Added when Exchange Server 2003 is installed –Ex: Administer Information Store specifies which users or groups can change Information Store objects

8 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 8

9 9

10 10 Administering Permissions Within Exchange Server 2003 (continued) Two extended permissions to use with care: –Send As: gives a user or group permission to impersonate a user –Receive As: gives user or group the capability to open another user's mailbox Permissions used at different levels: –Organization (global) level: pass to all lower levels –Server level: pass to child nodes of permissioned server –Storage group level: pass to mailbox and public folders –Individual node level: assigned on a particular basis

11 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 11 Activity 10-1: Configuring the Security Tab Within Exchange System Manager Time Required: 10 to 20 minutes Objective: Enable the Security tab for all objects within Exchange System Manager Description: Configure Exchange System Manager to display the Security tab for all objects within the organization. Exchange System Manager should be configured to display the Security tab on each system in your organization.

12 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 12 Activity 10-2: Assigning Permissions Time Required: 10 to 20 minutes Objective: Set the permissions within Exchange System Manager Description: Create the Helpdesk global group and then set the permissions on the First Administrative Group to grant the Helpdesk global group permissions to administer the First Administrative Group. The permissions are then inherited by all objects beneath the First Administrative Group.

13 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 13

14 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 14 Activity 10-3: Blocking Inheritance Time Required: 10 to 20 minutes Objective: Block permission inheritance on an object Description: You override or stop inheriting permissions from the First Administrative Group container. After creating a new global group, you set the permissions on the First Routing Group to disallow inheritance, set the permissions on the First Administrative Group, and then look at the permissions on the First Routing Group to determine if any are inherited.

15 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 15

16 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 16

17 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 17

18 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 18

19 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 19 Delegating Authority Administrative models for an organization: –Centralized: one group maintains global control –Decentralized: separate administrative groups for each Exchange administrator group –Mixed: combines centralized and decentralized Exchange Administration Delegation Wizard –Grants different types of permissions to different users or groups –Supports three roles: Exchange Full Administrator Exchange Administrator Exchange View Only Administrator

20 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 20

21 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 21

22 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 22

23 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 23 Delegating Authority (continued) Scope of objects on which a user or group has permissions: –Determined by the location where the Delegation Wizard started –Typical starting locations: Organization: propagates down hierarchy Administrative group object: propagates to internal objects

24 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 24 Public Key Infrastructures Public Key Infrastructure (PKI) –Set of digital certificates and certification authorities –Verifies identity of sending and receiving parties on network Exchange Server and Key Management Service –Key Management Service (KMS) has been removed –Key archival and recovery tasks have been passed to the operating system

25 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 25 Key-Based Cryptography Two types of cryptographic algorithms: –Symmetric or secret key –Asymmetric or public key Symmetric cryptography –Sender and receiver share a single, predetermined key –Key encrypts and decrypts transmitted message –Symmetric: same key used on both ends Flaw with symmetric cryptography –Sender/receiver transmit the shared key before encryption –Possibility that the shared key may be intercepted

26 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 26 Key-Based Cryptography (continued) Public key cryptography –Solves problem of insecure transmission of shared key –Utilizes asymmetric keys Key for encryption and decryption are different No need to keep encryption key secret –Uses "trapdoor one-way" mathematical function on plaintext message to create an encrypted message Easy to encrypt in direction of encryption, not decryption

27 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 27 Key-Based Cryptography (continued) Example of public key cryptography –Alice uses public key to encrypt message to Bob –Bob uses private key (not transmitted) to decrypt –Eve cannot intercept Bob's key

28 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 28 Certificates, Certificate Authorities, and Trust Encrypting messages using public key encryption system –Senders need to access public keys of intended recipients –Third party acts as a repository for users' public keys –Third party verifies public keys –Windows Server 2003 built-in PKI performs tasks Two most important PKI features: –Digital certificate contains public key and user data –Certification authority (CA) issues and validates certificate

29 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 29 Certificates, Certificate Authorities, and Trust (continued) Certification authorities: –Third party such as Thawte or VeriSign –Windows Server 2003 configured as a CA Certificate chain –Several CAs are involved in transmission –Trusted root certificate lies at top level of chain

30 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 30 Certificates, Certificate Authorities, and Trust (continued) Example of using a CA –Bob receives encrypted message from Alice –Bob references trusted CA to verify Alice's public key –Another CA verifies public key of CA up the chain to the trusted root

31 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 31 Windows 2003 Public Key Infrastructures Active Directory maintains information for CA –Account names –Group memberships –Certificate templates –CAs installed in domain –Certificate mappings to user accounts For authenticating clients Controlling access to network resources Install Windows 2000/2003 Certificate Services to create a CA

32 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 32 Windows 2003 Public Key Infrastructures (continued) Enterprise certificate servers are Active Directory integrated Stand-alone CAs may be members of a domain or workgroup Differences between stand-alone and enterprise CA –Stand-alone CA stores data in a local database –Stand-alone does not use certificate templates Either rooted or cross-certification hierarchies may be established

33 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 33 Windows 2003 Public Key Infrastructures (continued) Rooted hierarchy is the most common CA structure –Defines either stand-alone or enterprise root CA –Root CA issues itself a certificate (self-signed) –Below root are enterprise or stand-alone CAs –Root CA issues certificates to subordinate CAs –Issuing CAs may exist below subordinate CAs Cross-certification CA: acts as root and subordinate –Used between organizations seeking to establish certificate trust –Used by participants that have existing CA hierarchies

34 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 34

35 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 35

36 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 36 Activity 10-4: Installing Certificate Services Time Required: 10 to 20 minutes Objective: Install Certificate Services into a domain Description: Install Certificate Services on your back-end server. You install an enterprise CA for the forest as you will need to subsequently issue certificates to other entities in future activities.

37 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 37

38 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 38 Securing Communications Require SSL/TLS for secure SMTP connections SSL 3.0 is the basis for Transport Layer Security protocol (TLS 1.0) SLS/TLS secures client-to-server and server-to- server traffic SLS/TLS secures POP/IMAP and OWA traffic in a client-server scenario SLS/TLS secures traffic between two back-end servers in server-server scenario

39 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 39 Securing Communications (continued) SMTP servers use port 25 by default Servers not using SSL/TLS cannot use port 25 Solution to port 25 problem: Extended SMTP protocol (ESMTP) ESMTP features: –Clients query servers to discover supported features –Keyword STARTTLS determines if SSL/TLS is available on port –If SSL/TLS is available, servers may transmit securely

40 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 40 Securing Communications (continued) Select one of the following three scenarios when enabling SSL/TLS: –Force SSL/TLS for all e-mail traffic –Enable SSL/TLS for specific domains –Enable SSL/TLS for inbound e-mail To secure client-to-server traffic: –Install certificates on virtual servers involved –Enable servers to require TLS encryption Acquire digital certificate for POP3 SMTP virtual servers

41 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 41 Activity 10-5: Configuring a POP3 Server SSL/TLS Encryption Time Required: 20 to 40 minutes Objective: Configure POP3 and SMTP for SSL/TLS encryption with a POP3 client Description: Configure your back-end server to force the POP3 client to negotiate an SSL/TLS connection before user credentials are sent to the server. You also need to encrypt the client traffic being sent by requesting and installing a certificate on the back-end server’s default SMTP virtual server.

42 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 42

43 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 43

44 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 44 Activity 10-6: Configuring a POP3 Client for Access to a Secure POP3 Server Time Required: 20 to 40 minutes Objective: Configure Outlook Express for communication with a secure POP3 server Description: Your front-end server acts as the client. On the front-end server, you configure Outlook Express to support SSL/TLS encryption with the back-end server. Prior to configuring your client, you need to download the root certificate to establish a trust with the certificate that was installed on the back-end server.

45 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 45

46 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 46 E-Mail Encryption S/MIME protocol is an updated version of MIME –Ensures "end-to-end" security –Sends secure e-mail by digitally signing or encrypting –Recipients decrypt messages upon receipt S/MIME enables compatibility and authentication between different organizations and vendors Obtain client certificate before configuring Outlook 2003 for secure messaging

47 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 47 Activity 10-7: Configuring Outlook 2003 for S/MIME Time Required: 20 to 40 minutes Objective: Obtain a digital certificate for your Outlook client Description: You obtain a digital certificate for your Outlook clients to enable secure transfer of e- mail between them. Each client will obtain a certificate from the CA.

48 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 48

49 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 49 Activity 10-8: Sending Encrypted and Signed E-Mail Time Required: 10 to 20 minutes Objective: Send encrypted and signed e-mail between two Outlook clients Description: You send an encrypted and digitally signed e-mail between two Outlook e-mail clients and reply to the e-mail that was sent.

50 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 50

51 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 51 Summary Permissions may be assigned directly or inherited Two permission types: standard and extended Standard permissions are part of Active Directory Extended permissions are added when Exchange is installed Exchange Administration Delegation Wizard assigns administrative roles

52 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 52 Summary (continued) PKI manages public key–based applications using public key cryptography In symmetric key cryptography, encryption and decryption keys are identical Public key cryptography uses asymmetric keys Certificates verify the identities of senders and receivers CA issues and validates digital certificates

53 70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration 53 Summary (continued) Root certificate: forms root of certificate authority that a receiver accepts as authentic SSL/TLS encrypts and secures client-to-server and server-to-server traffic Utilize SMTP connector for server-to-server SSL/TLS S/MIME protocol digitally signs or encrypts e-mails S/MIME is an updated version of MIME encoding standard

Download ppt "70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter 10 Securing Exchange Server 2003."

Similar presentations

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Deploying and Managing Active Directory Certificate Services

Deploying and Managing Active Directory Certificate Services
Module 6 Implementing Messaging Security. Module Overview Deploying Edge Transport Servers Deploying an Antivirus Solution Configuring an Anti-Spam Solution.

Module 6 Implementing Messaging Security. Module Overview Deploying Edge Transport Servers Deploying an Antivirus Solution Configuring an Anti-Spam Solution.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter 14 Upgrading to Exchange Server 2003.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter 14 Upgrading to Exchange Server 2003.
Chapter 9 Deploying IIS and Active Directory Certificate Services

Chapter 9 Deploying IIS and Active Directory Certificate Services
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
Chapter 11: Active Directory Certificate Services

Chapter 11: Active Directory Certificate Services
6.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Exchange server 2003. Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.

Exchange server Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.

Similar presentations

Ads by Google