Implementing Exchange Server Security Ward Solutions.

Presentation on theme: "Implementing Exchange Server Security Ward Solutions."— Presentation transcript:

1 Implementing Exchange Server Security Ward Solutions

2 Session Prerequisites: Hands-on experience with Microsoft Windows Server 2003; Working knowledge of Microsoft Exchange Server 2003; Working knowledge of Internet protocols including POP3, IMAP4, SMTP, HTTP, and NNTP; Working knowledge of networking, including TCP/IP, DNS, and IIS; Basic understanding of PKI concepts and technologies. Level 300

3 Session Overview: Implementing Exchange Server; Securing Exchange Server Services and Messaging Protocols; Maintaining Security on Exchange Server; Configuring Exchange to Protect Against Unwanted E-Mail

4 Implementing Exchange Server; Securing Exchange Server Services and Messaging Protocols; Maintaining Security on Exchange Server; Configuring Exchange to Protect Against Unwanted E-Mail

5 Exchange Server 2003 Security Overview: Secure by design; Secure by default; Support for Sender, Recipient and Connection filtering, including Block List services; Secure by default; User logon on server disabled; Messaging limits configuration of 10MB. Microsoft Exchange Server 2003 Security Enhancements: http://www.microsoft.com/exchange/evaluation/security_E2k3.mspx

6 Exchange Server Deployment Scenarios: General deployment; FE/BE deployment; ISA Server integrated. [Diagram labels: Internet, ISA server, Exchange server, Front-end Exchange server, Back-end Exchange servers]

7 Hosted Exchange

8 Exchange Server Client Scenarios. Exchange Server 2003 client scenarios include the following: General client access: Microsoft Outlook. Mobile client access: Outlook Web Access, Outlook Mobile Access, Exchange Server ActiveSync.

9 Configuration and Security Update Recommendations for Exchange Server (Component: Configuration). Operating system and software: Microsoft Windows Server 2003 with the latest security updates, Exchange Server 2003 with Service Pack 1 (or higher), Microsoft Exchange Intelligent Message Filter. Browser: Internet Explorer 6 with the latest security updates. Security update management: Microsoft Baseline Security Analyzer.

10 Implementing a Defense-in-Depth Approach to Exchange Server Security. Using a layered approach: Increases an attacker’s risk of detection; Reduces an attacker’s chance of success. Layers: Policies, procedures, and awareness: Security policies, procedures, and education. Physical security: Guards, locks, tracking devices. Application: Application hardening. Host: OS hardening, authentication, security update management, antivirus updates, auditing. Internal network: Network segments, NIDS. Perimeter: Firewalls, border routers, VPNs with quarantine procedures. Data: Strong passwords, ACLs, backup and restore strategy.

11 Securing Exchange Server Services and Messaging Protocols: Implementing Exchange Server; Securing Exchange Server Services and Messaging Protocols; Maintaining Security on Exchange Server; Configuring Exchange to Protect Against Unwanted E-Mail

12 Securing Exchange Servers: What Are the Challenges? Challenges to securing an Exchange server include: Maintaining the security of the underlying Windows infrastructure; Maintaining baseline security hardening practices; Understanding security options for various deployment scenarios

13 Hardening the Messaging Environment. To harden your Exchange messaging environment, deploy the following (Environment: Configuration):
Server environment: Domain, Domain Controller, and Member Server Baseline Policy templates; Windows Server 2003 Security Guide at http://go.microsoft.com/fwlink/?LinkId=21638
Messaging environment: Exchange Domain Controller Baseline Policy template; Exchange Server 2003 Security Hardening Guide at http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exsecure.mspx

14 Hardening Back-End Exchange Servers. Tasks for hardening back-end Exchange servers include: Hardening services; Hardening file access control lists (ACLs); Changing privilege rights; Enabling additional services (optional). Apply the Exchange 2003 Backend.inf security template to your back-end servers.

15 Hardening Front-End Exchange Servers. Tasks for hardening front-end Exchange servers include: Hardening services; Hardening file access control lists (ACLs); Enabling additional services (optional); Running URLScan (optional but recommended); Dismounting the mailbox store and deleting the public folder store (optional but recommended). Apply the Exchange 2003 Frontend.inf security template to your front-end servers.

16 Understanding SMTP Relaying. SMTP relaying: when an SMTP server accepts mail from one DNS domain addressed to mailboxes in another domain, neither one of which the server owns. Relaying may be necessary when: Accepting mail for another organization; Supporting clients that use POP3 or IMAP4; Supporting applications that generate SMTP mail. Prevent open relays by: Allowing only authenticated computers to relay; Restricting relaying to specific computers or users; Using an SMTP connector to relay mail to particular domains.
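The three open-relay controls on this slide, modelled as a per-recipient decision and checked against a weak and a hardened policy. This is an added example, not Exchange code or part of the original deck; the class, function names, addresses and domains are assumptions constructed for illustration.

```python
# Added example: SMTP relay decision for one recipient (illustrative, not Exchange code).
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class RelayPolicy:
    local_domains: set                                     # domains this server owns
    relay_networks: list = field(default_factory=list)     # computers allowed to relay
    connector_domains: set = field(default_factory=set)    # domains reached via an SMTP connector
    allow_authenticated: bool = True                       # authenticated sessions may relay

    def decide(self, client_ip, authenticated, rcpt_to):
        """Return 'deliver', 'relay' or 'reject' for one RCPT TO address.

        MAIL FROM is deliberately not an input: the client supplies it
        unverified, so it cannot be the basis for granting relay.
        """
        domain = rcpt_to.rsplit("@", 1)[-1].lower().rstrip(".")
        if domain in self.local_domains:
            return "deliver"          # local mailbox, no relaying involved
        if authenticated and self.allow_authenticated:
            return "relay"            # control 1: authenticated computers only
        addr = ip_address(client_ip)
        if any(addr in ip_network(net) for net in self.relay_networks):
            return "relay"            # control 2: specific computers
        if domain in self.connector_domains:
            return "relay"            # control 3: connector for particular domains
        return "reject"               # anything else would make this an open relay


def is_open_relay(policy, outside_ip="203.0.113.7", foreign_rcpt="probe@example.net"):
    """True if an unauthenticated outside host may relay to a domain the server does not own."""
    return policy.decide(outside_ip, False, foreign_rcpt) == "relay"


# Constructed sample policies: the weak one trusts every source address.
WEAK = RelayPolicy({"example.com"}, relay_networks=["0.0.0.0/0"])
HARDENED = RelayPolicy({"example.com"}, relay_networks=["10.1.2.0/24"],
                       connector_domains={"partner.example"})
```
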

17 Demonstration 1: Securing and Testing SMTP Relaying. Securing SMTP relaying and testing for open relays.

18 Securing SMTP Communication Between Mail Servers. To secure SMTP communication between servers: (1) Install and configure an X.509 certificate on the SMTP server; (2) Enable and configure TLS encryption for inbound mail; (3) Enable and configure TLS encryption for outbound mail to specific domains.

19 Securing Exchange Servers: Best Practices. Limit Exchange Server functionality to clients that are strictly required; Remain current with the latest updates for both Exchange Server 2003 and the operating system; Use SSL/TLS and forms-based authentication for Outlook Web Access; Use ISA Server 2004 to regulate access for HTTP, RPC over HTTPS, POP3, and IMAP4 traffic.

20 Maintaining Security on Exchange Server: Implementing Exchange Server; Securing Exchange Server Services and Messaging Protocols; Maintaining Security on Exchange Server; Configuring Exchange to Protect Against Unwanted E-Mail

21 Maintaining Security on Exchange Server: What Are the Challenges? Challenges to maintaining security on an Exchange server include: Keeping up with the latest security updates; Keeping up with recommended best practices; Understanding the impact of configuring the various options within Exchange Server; Maintaining documentation on configuration and security settings

22 Analyzing Exchange Server 2003 Using MBSA. MBSA checks for issues related to the following: Known Windows and Internet Explorer security issues; Missing security updates; Weak account passwords; Internet Information Services (IIS) security issues; Exchange Server security issues; SQL Server security issues

23 Validating Exchange Server Configuration Settings. ExBPA can examine your Exchange servers to: Generate a list of issues, such as misconfigurations or unsupported or non-recommended options; Judge the general health of a system; Help troubleshoot specific problems

24 Demonstration 2: Analyzing Configuration Settings on Exchange Server 2003. Analyze Exchange Server using MBSA and the ExBPA Tool.

25 Implementing Antivirus Protection on Exchange Server. Consider the following when designing and implementing an antivirus solution: Design a defense-in-depth approach; Implement an antivirus scanner that supports AVAPI 2.5; Prevent file-based scanning on Exchange Server folders

26 Configuring Exchange to Protect Against Unwanted E-Mail: Implementing Exchange Server; Securing Exchange Server Services and Messaging Protocols; Maintaining Security on Exchange Server; Configuring Exchange to Protect Against Unwanted E-Mail

27 Preparing for and Installing IMF - what is Spam? Unsolicited Commercial E-mail; More than 50% of email traffic; Costly use of resources (IT, Personnel); Potentially offensive

28 Phishing

29

30

31

32 Preparing for and Installing IMF. Microsoft’s Anti-UCE Strategy: Innovative Technologies; Industry Self-Regulation and Cooperation; Working with Governments

33 What Are the Exchange Options for Limiting Unwanted E-Mail? Options to limit unwanted e-mail include: Recipient filtering; Sender filtering; Connection filtering; Microsoft Exchange Intelligent Message Filter

34 Preparing for and Installing IMF: Accept/Deny Lists; 3rd-party Block Lists; Recipient Filter; Sender Filtering; Intelligent Message Filter; Information Store

35 Preparing for and Installing IMF - Exchange 2003 Anti Spam Strategy. Columns: Feature, Filter Point, Resource Cost. Accept/Deny Lists: SMTP Session; Block Lists: SMTP Session; Exchange Sender Filter: SMTP Gateway; Recipient Filtering: SMTP Gateway; Intelligent Message Filter: Gateway/User Mailbox

36 Configuring Filtering by Recipient Address. Recipient filtering blocks mail to specified addresses within your domain and filters e-mail addressed to users who are not in your Active Directory.

37 Configuring Filtering by Sender Address or Domain. Sender filtering blocks mail from specified senders or domains.

38 Implementing Real-Time Block List Support Using Connection Filtering. Connection filtering is used to configure Exchange Server to contact a Real-Time Block List (RBL) provider.

39 Demonstration 3: Implementing Real-Time Block List Support. Configure Real-Time Block List Support.

40 Overview of Exchange Intelligent Message Filter. Exchange Intelligent Message Filter is an add-on product to help companies reduce the amount of unsolicited commercial e-mail received by users.

41 Preparing for and Installing IMF: Intelligent Message Filtering. Utilizes Smart Screen Machine Learning; Applied at the gateway (marks message with Spam Confidence Level (SCL) rating); Utilized throughout the mail stream; Scans headers, body of message and other attributes; Hotmail and MSN; Outlook 2003 – Junk Folder; 3rd Party products

42 Deploying the Intelligent Message Filter. Intelligent Message Filter handles e-mail based upon two thresholds: Gateway blocking configuration; Store junk e-mail configuration. [Diagram labels: Internet, Firewall, Exchange Gateway Servers, Intelligent Message Filter, Exchange Intranet Servers]

43 [Diagram: Smart Screen Technology. Labels: Client, SCL 5, SCL 8, Smart Screen Algorithm, Gateway Server, Mailbox Store Server, 3rd Party Tools, SCL 5]

44 How the Intelligent Message Filter Works with Exchange and Outlook. [Flow diagram labels: Internet; Exchange Server 2003 Gateway Server: Connection filtering, Recipient filtering, Sender filtering, Intelligent Message Filter (Gateway Threshold); Exchange Server 2003 Back-end: Store threshold; User mailbox: Spam (Yes/No), Safe sender (Y/N), Blocked sender (Y/N), Inbox, Junk, Inbox]
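The two-threshold flow from the slides above (gateway blocking, then store junk e-mail with the safe-sender and blocked-sender checks), as an added example that is not Microsoft code or part of the original deck. Assumptions: SCL ratings run 0 to 9, the gateway acts at "greater than or equal to" its threshold while the store acts at "greater than" its threshold, and the function names and sender addresses are constructed for illustration.

```python
# Added example: SCL routing through the two IMF thresholds (illustrative, not Microsoft code).
GATEWAY_THRESHOLD = 8   # SCL values shown on the Smart Screen slide, used here as settings
STORE_THRESHOLD = 5


def route(scl, sender, safe_senders=(), blocked_senders=(),
          gateway=GATEWAY_THRESHOLD, store=STORE_THRESHOLD):
    """Return 'gateway_block', 'junk' or 'inbox' for a message that has
    already passed connection, recipient and sender filtering."""
    if not 0 <= scl <= 9:
        raise ValueError("SCL outside the assumed 0..9 range")
    sender = sender.lower()
    # Gateway server: the configured blocking action applies (assumed operator: >=).
    if scl >= gateway:
        return "gateway_block"
    # Back-end store: "Spam?" is decided by the store threshold (assumed operator: >).
    if scl > store:
        # Spam = Yes: only a safe sender keeps the message in the Inbox.
        return "inbox" if sender in safe_senders else "junk"
    # Spam = No: a blocked sender still sends the message to Junk.
    return "junk" if sender in blocked_senders else "inbox"


def junk_band(gateway=GATEWAY_THRESHOLD, store=STORE_THRESHOLD):
    """SCL ratings that reach the Junk folder on score alone.

    An empty list means the store threshold sits too close to the gateway
    threshold for the Junk folder to receive anything by score.
    """
    return [s for s in range(10) if store < s < gateway]
```

With the slide's values the Junk folder receives only SCL 6 and 7 by score; raising the store threshold to 7 leaves that band empty, which is worth checking whenever either threshold is changed.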

45 Managing IMF Archived Messages Using the Archive Manager. Archive Manager: C# tool released with source on GotDotNet: http://workspaces.gotdotnet.com/imfarchive
Supports the following features: Tree view of the Archive directory of messages; View of RFC2822 decoded headers and raw message; Resubmission of message to pickup directory; Deletion of messages; Forwarding of message as attachment to third-party address

46 Demonstration 4: Implementing Exchange Intelligent Message Filter. Implement and configure Intelligent Message Filter.

47 Session Summary: Deploy Exchange Server 2003 and Microsoft Office Outlook 2003 to take advantage of the latest security enhancements; Implement the appropriate base and incremental security templates to fully secure Exchange Server; Install Exchange-aware antivirus applications and maintain security using the MBSA and ExBPA tools; Protect against unwanted e-mail by implementing a layered approach using features such as filtering and the Intelligent Message Filter utility

48 Next Steps
Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
Find additional e-learning clinics: https://www.microsoftelearning.com/security
Get additional security information on Exchange Server 2003: http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/default.mspx

49 Questions and Answers

