Securing Exchange Server 2003

Session Goals:
• Introduce you to the concepts and mechanisms for securing Exchange 2003.
• Examine the techniques and tools used to help remove unwanted messages such as Spam.
• Demonstrate the ways in which we can enable Secure External Client Access.
• Best Practices, tools and tips.
Agenda
• Exchange 2003 Security Overview
• Smart Screen and Spam Filtering Technology
• Secure External Client Access
• Best Practices and tools for Securing Exchange
Exchange 2003 Security Considerations:
Features and considerations:
• Secure by design and default
• Many different clients and connection methods
• Deployment Scenarios
• Firewall implementations at the perimeter
• SMTP Anti-Relay
• Email filtering by Sender, Recipient and Connection filtering, including Block List services
• SPAM filtering
• Anti Virus Support
• Outlook Web Access publishing
Exchange Server Deployment Scenarios
[Diagram panels: General deployment; FE/BE deployment; ISA Server integrated. Labels: front-end Exchange server, back-end Exchange servers, Exchange server, ISA server, Internet.]
Securing Exchange at the perimeter
ISA 2004 Firewall Interaction (SMTP)
[Diagram label: Exchange Server]
OWA Publishing without ISA 2004
[Diagram labels: Internet client, SSL, traditional firewall, Web Srv/OWA]
• Web server prompts for authentication — any Internet user can access this prompt
• SSL tunnels through traditional firewalls because it is encrypted…
• …which allows viruses and worms to pass through undetected…
• …and infect internal servers!
OWA Publishing with ISA 2004
[Diagram labels: Internet client, SSL or HTTP, ISA Server 2004, ISA Server with HTTP Filtering, SSL, Web Srv/OWA]
• ISA Server pre-authenticates users, eliminating multiple dialog boxes and only allowing valid traffic through
• URLScan for ISA Server can stop Web attacks at the network edge, even over encrypted SSL
• ISA Server can decrypt and inspect SSL traffic
• Inspected traffic can be sent to the internal server re-encrypted or in the clear.
Demonstration: Securely Publishing Exchange with ISA 2004
• SMTP Publishing
• SMTP Keyword / Attachment Filtering
• OWA Publishing
Exchange Message Filtering
[Diagram, stages as listed on the slide: Accept/Deny Lists, Block Lists, Recipient Filter, Sender Filtering, Intelligent Message Filter, Information Store]
Intelligent Message Filtering
• Utilizes Smart Screen Machine Learning
• Applied at the gateway
  – Marks message with Spam Confidence Level (SCL) rating
• Utilized throughout the mail stream
• Scans headers, body of message and other attributes.
Spam Filtering with IMF
[Diagram labels: Smart Screen Technology, Gateway Server, Smart Screen Algorithm, 3rd Party Tools, Mailbox Store Server (Anti-Virus), Junk E-mail Folder, Inbox]
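The filter stages from the Exchange Message Filtering slide and the SCL hand-off from the IMF slides, as an added Python model that is not part of the original deck and is not Microsoft's code. The policy values, the block list zone, the SCL thresholds and the accept-list bypass are assumptions of this example, and the SCL score is supplied as constructed input rather than computed.

```python
import ipaddress

# Constructed sample policy and block-list data (documentation address ranges).
POLICY = {
    "accept_ips": {"198.51.100.7"}, "deny_ips": {"203.0.113.9"},
    "block_list_zones": ["bl.example.net"],
    "valid_recipients": {"alice@example.com"},
    "blocked_senders": {"promo@bulk.example"},
    "gateway_threshold": 8, "store_threshold": 5,   # assumed SCL cut-offs
}
LISTED = {"25.2.0.192.bl.example.net": "127.0.0.2",
          "7.100.51.198.bl.example.net": "127.0.0.2"}

def dnsbl_query_name(client_ip, zone):
    """Block list lookup name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def filter_message(msg, policy=POLICY, resolve=LISTED.get):
    """Walk one message through the stages in slide order; return (verdict, stage)."""
    ip = msg["client_ip"]
    if ip in policy["deny_ips"]:
        return ("reject", "deny list")
    if ip not in policy["accept_ips"]:   # assumed: accept list skips block lists
        for zone in policy["block_list_zones"]:
            answer = resolve(dnsbl_query_name(ip, zone))
            # Listed hosts resolve inside 127.0.0.0/8; None means no record.
            if answer is not None and ipaddress.ip_address(answer).is_loopback:
                return ("reject", "block list")
    known = [r for r in msg["recipients"] if r.lower() in policy["valid_recipients"]]
    if not known:
        return ("reject", "recipient filter")
    if msg["sender"].lower() in policy["blocked_senders"]:
        return ("reject", "sender filter")
    # The SCL is an input here; in IMF it comes from the SmartScreen model.
    if msg["scl"] >= policy["gateway_threshold"]:
        return ("block", "IMF gateway threshold")
    if msg["scl"] >= policy["store_threshold"]:
        return ("Junk E-mail folder", "IMF store threshold")
    return ("Inbox", "information store")

def sample(**overrides):
    """Constructed message; overrides change one field per scenario."""
    msg = {"client_ip": "192.0.2.80", "sender": "bob@partner.example",
           "recipients": ["alice@example.com"], "scl": 1}
    msg.update(overrides)
    return msg

if __name__ == "__main__":
    for change in ({}, {"client_ip": "192.0.2.25"}, {"client_ip": "198.51.100.7", "scl": 6},
                   {"sender": "promo@bulk.example"}, {"scl": 9}):
        print(change, "->", filter_message(sample(**change)))
```

Passing a real DNS lookup function as `resolve` turns the block list stage into a live check; the other stages only read the policy dictionary.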
Demonstration: The Intelligent Message Filter
• Exchange 2003 UCE Control Features
• Installing IMF
• Configuring IMF
Secure External Client Access to Exchange Server: What Are the Challenges?
[Diagram labels: Outlook Mobile Access; ActiveSync-enabled mobile devices; XHTML, cHTML, HTML; wireless network; ISA server; Exchange front-end server; Exchange back-end servers; Outlook Web Access; Outlook using RPC; Outlook using RPC over HTTP(S); Outlook Express using IMAP4 or POP3]
Configuring Secure Outlook RPC / RPC over HTTP(S) Client Access
[Diagram labels: Outlook client, ISA server, Exchange servers]
• Use the mail server publishing rule to enable Outlook RPC connections
Configuring RPC over HTTP(S) Client Access Considerations
RPC over HTTP(S) requires:
• Outlook 2003 running on Windows XP
• Exchange Server 2003 running on Windows Server 2003 and Windows Server 2003 global catalog servers
• Windows Server 2003 server running RPC proxy server
• Modifying the Outlook profile to use RPC over HTTP(S) to connect to the Exchange server
To enable RPC over HTTP(S) connections through ISA Server, use the Secure Web Publishing Wizard to publish the /rpc/* virtual directory
Demonstration: RPC over HTTPS
• Installing RPC over HTTPS
• Configuration of ISA Server
Maintaining Security on Exchange Server: What Are the Challenges?
Challenges to maintaining security on an Exchange server include:
• Hardening the Servers
• Keeping up with the latest security updates
• Keeping up with recommended best practices
• Understanding the impact of configuring the various options within Exchange Server
• Maintaining documentation on configuration and security settings
Hardening Back-End Exchange Servers
Tasks for hardening back-end Exchange servers include:
• Hardening services (Reduce Attack Surface)
• Hardening file access control lists (ACLs)
• Changing privilege rights
• Enabling additional services (optional)
Apply the Exchange 2003 Backend.inf security template to your back-end servers
Hardening Front-End Exchange Servers
Tasks for hardening front-end Exchange servers include:
• Hardening services (Reduce Attack Surface)
• Hardening file access control lists (ACLs)
• Enabling additional services (optional)
• Running URLScan (optional but recommended)
• Dismounting the mailbox store and deleting the public folder store (optional but recommended)
Apply the Exchange 2003 Frontend.inf security template to your front-end servers
Analyzing Exchange Server 2003 Using MBSA
MBSA checks for issues related to the following:
• Known Windows and Internet Explorer security issues
• Missing security updates
• Weak account passwords
• Internet Information Services (IIS) security issues
• SQL Server security issues
• Exchange Server security issues
Validating Exchange Server Configuration Settings
ExBPA can examine your Exchange servers to:
• Generate a list of issues, such as misconfigurations or unsupported or non-recommended options
• Judge the general health of a system
• Help troubleshoot specific problems
• Includes the MBSA tool
Securing Exchange Servers: Best Practices
• Decide on Exchange Server design and harden servers according to their roles
• Limit Exchange Server functionality to clients that are strictly required
• Remain current with the latest updates for both Exchange Server 2003 and the operating system
• Use ISA Server 2004 to regulate access for HTTP, RPC over HTTPS, POP3, and IMAP4 traffic
• Use SSL/TLS and forms-based authentication for Outlook Web Access
Demonstration: Exchange Tools
• Exchange Best Practice Analyzer
Session Summary
• Deploy Exchange Server 2003 and Microsoft Office Outlook 2003 to take advantage of the latest security enhancements
• Implement the appropriate base and incremental security templates to fully secure Exchange Server
• Keep up to date with the latest best practices and techniques for securing Exchange Server 2003
• Install Exchange-aware antivirus applications and maintain security using the MBSA and ExBPA tools
• Protect against unwanted e-mail by implementing a layered approach using features such as filtering and the Intelligent Message Filter utility
For More Information…
• Main TechNet Web site at
– www.microsoft.ca/technet
• Anti Spam Capabilities in Exchange 2003
– www.microsoft.com/exchange/techinfo/security/antispam.asp
• Microsoft Anti Spam Technology
– www.microsoft.com/mscorp/twc/privacy/spam.mspx
• IMF download from
– www.microsoft.com/exchange/imf