Chapter 19, Implementing Advanced Security

Chapter Overview

Exchange 2000 Server Security

Advanced Security Features

Chapter 19, Lesson 1

Exchange 2000 Server Security

1. Controlling Access to Exchange 2000 Resources

A. Access control in Microsoft Windows 2000 Server

1. Every Active Directory object has a discretionary access control list (DACL), which is an ordered list of access control entries (ACEs); each ACE names a security principal and the access it is allowed or denied on the object.

2. Every security principal receives an access token at logon that lists the user’s own security identifier (SID), the SIDs of all the groups the user belongs to, and any rights the user has been assigned.

3. When a security principal attempts to access an object, the token is compared to the DACL and, if there is a match, the applicable permissions are applied. If there is no match, access is denied.

4. Searching the DACL

a. Explicit Deny entries are placed at the top of the DACL, so when a Deny entry matching the requested access is found, all succeeding entries are ignored and access is denied.
b. When the requested permission (or the combination of permissions requested) has been recognized by one or more Allow entries, the search of the DACL stops and access is granted.
c. When the end of the DACL is reached and no entry or combination of entries grants the required permission, access is denied.
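The DACL search described in items a through c, carried out in code as an added illustration (not Windows or Exchange code): an ordered list of ACEs is checked against the SIDs in a token, with Deny entries ordered first. Permission bits, principal names and the sample DACL are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample (not Windows code): permission bits and an ordered DACL.
READ, WRITE, DELETE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class ACE:
    sid: str            # security principal (a user or group) this entry names
    mask: int           # access rights the entry allows or denies
    deny: bool = False  # explicit Deny entries are ordered before Allow entries

def canonical(dacl):
    """Windows stores explicit Deny ACEs ahead of Allow ACEs; enforce that order."""
    return sorted(dacl, key=lambda ace: not ace.deny)

def access_check(token_sids, dacl, requested):
    """Compare an access token's SIDs to the DACL, walking entries in order."""
    granted = 0
    for ace in canonical(dacl):
        if ace.sid not in token_sids:
            continue                      # ACE names a SID that is not in the token
        if ace.deny:
            if ace.mask & requested:      # a requested right is explicitly denied:
                return False              # stop searching; later Allows are ignored
        else:
            granted |= ace.mask & requested
            if granted == requested:      # every requested right recognized:
                return True               # stop searching; grant access
    return False                          # end of DACL reached without a full match

# Constructed DACL on an administrative group object; SIDs are stand-in labels.
ADMIN_GROUP_DACL = [
    ACE("Everyone", READ),
    ACE("Exchange Admins", READ | WRITE | DELETE),
    ACE("Contractors", WRITE, deny=True),
]

def check_alice():
    # Alice's token holds both groups; the Deny on Contractors wins for WRITE only.
    token = {"alice", "Everyone", "Exchange Admins", "Contractors"}
    return (access_check(token, ADMIN_GROUP_DACL, READ),
            access_check(token, ADMIN_GROUP_DACL, WRITE),
            access_check(token, ADMIN_GROUP_DACL, READ | DELETE))

def check_bob():
    # Bob's token holds only Everyone, so WRITE fails at the end of the DACL.
    token = {"bob", "Everyone"}
    return (access_check(token, ADMIN_GROUP_DACL, READ),
            access_check(token, ADMIN_GROUP_DACL, WRITE))
```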

B. Extended permissions for Exchange 2000 Server

1. Exchange-related permissions are added to Active Directory when Exchange 2000 Server is installed.

2. These permissions are called security objects and are located in the Extended Rights container in the Configuration naming context of Active Directory.

3. Enterprise Admins can view this information with the Active Directory Services Interface editor (ADSI Edit).

C. Applying and denying permission

1. Permissions flow down from parent container to child container.

2. Permissions can be blocked on the Security tab for every Exchange object by deselecting the option to Allow Inheritable Permissions From Parent To Propagate To This Object.

3. A user who is granted permission to a container, such as an administrative group, must also have Read permission on the organization object; otherwise the administrative group object cannot be viewed.

4. The Delegation Wizard can’t be used to deny permission, only to grant permission.

5. The Security tab of the object must be used to deny permission.

6. To enable the Security tab on Exchange objects, you must add the ShowSecurityPage value to the Registry.

D. Access to mailbox settings

1. Mailbox security settings are maintained in the Domain naming context of Active Directory.

2. You need permission to the Windows 2000 organizational unit (OU) and to the user’s home mailbox store to mailbox-enable a user account.

3. Using the appropriate Delegation Wizard rather than ADSI Edit to apply permissions is recommended.

E. Access control through NTFS file system permissions and share permissions

1. Place all Exchange 2000–related files on an NTFS partition.

2. Don’t compress or encrypt the Exchange NTFS directories and database files.

3. After installing Exchange 2000 Server, review the share points that are created by default to confirm that they are necessary.

4. If you have enabled message tracking, remove the Everyone group from the shared tracking log folder and allow access permission only to administrators.

2. Auditing and Protocol Logging

A. System access control list (SACL)

1. Contains the ACEs that identify the accounts, and the kinds of access, to be audited

2. Similar to a DACL, except that the entries in a DACL pertain to permissions, whereas the entries in a SACL pertain to auditing

B. Enabling security auditing

1. Access the Group Policy tab for the site, domain, or OU and edit the appropriate auditing policy setting.

2. Audits can be set for successes or failures, such as logon attempts.

C. Auditing degrades system performance.

1. Enable auditing only when necessary.

2. Don’t forget to read the Security log in Event Viewer. If you don’t read the collected information, you degrade system performance needlessly.

D. Internet protocol logging

1. Depending on the logging level, logs can contain the client IP address, domain name, time stamp, and message content.

2. Useful for troubleshooting, and in particular for investigating denial of service attacks

3. Degrades system performance

3. Secured Internet Connections

A. Minimum components of a secure topology

1. A firewall can be a computer with multiple network cards, placed in a demilitarized zone (DMZ), with Internet Protocol (IP) forwarding disabled so that it does not route traffic between its interfaces.

2. Connectors can be used to provide security between the DMZ and the intranet.

3. Confirm that only necessary ports are enabled.

B. Front-end versus back-end communication

1. The front-end server must be able to connect to the Global Catalog.

2. The front-end server talks to the back-end servers with the same protocol the client used to reach the front-end server, but in its non-Secure Sockets Layer (non-SSL) form; SSL is terminated at the front-end server.

3. Consider using multiple virtual servers to allow for reduced internal security requirements and increased external security requirements.

C. MAPI-based clients through firewalls

1. The Messaging Application Programming Interface (MAPI) doesn’t support the front-end/back-end architecture, so to support MAPI clients from the Internet you must allow a direct connection to the mailbox servers.

2. Configure static Transmission Control Protocol (TCP) port numbers for the Information Store service and for Active Directory using the Registry Editor, and make sure those ports are opened on the firewall. With static ports, the remote procedure call (RPC) endpoint mapper returns the same port number to the client every time instead of a dynamically assigned one. Because this opens RPC to the Internet, most administrators instead establish Virtual Private Networks (VPNs) to support Internet-based MAPI clients.

4. Private/Public Key Security

A. Message signing and sealing

1. Message signing allows the recipient to verify the integrity of the message.

2. Message sealing is another way of saying message encryption.

B. Public key technology

1. Exchange 2000 Server uses dual-pair technology: each user has two separate key pairs.

a. One private/public key pair is used to sign outbound messages and verify signed incoming messages.
b. One private/public key pair is used to decrypt incoming messages and encrypt outbound messages.

2. Key ownership

a. Private keys belong only to the owner and are accessible only to the owner. For example, a private key might be in the user’s local Registry or on a smart card.
b. Public keys are available to the organization and are retrievable in Active Directory.

3. Microsoft Outlook 2000

a. A sender retrieves the recipient’s public sealing key from Active Directory to encrypt a message, and the recipient uses his or her own private sealing key to decrypt the message.
b. A sender uses his or her own private signing key to sign a message, and the recipient retrieves the sender’s corresponding public key from Active Directory to verify the integrity of the message.
c. Outlook also uses symmetric secret keys: a password-derived secret key encrypts and decrypts the user’s stored private keys, and a per-message bulk encryption key encrypts the message contents, with that bulk key itself encrypted under the recipient’s public sealing key.

C. X.509 Certificate Services and certificate authorities (CAs)

1. In Windows 2000, Certificate Services is the service that runs the CA.

2. The CA issues users X.509 certificates that contain a public key.

3. Every user in the organization can access a mailbox-enabled user’s public key from Active Directory.

4. Windows 2000 Certificate Services allows the CA to be a root CA or a subordinate CA of another CA.

5. All Windows 2000 Certificate Services CAs are placed on a default trusted certificate list and are fully trusted throughout the forest.

D. Exchange certificate templates

1. To integrate Windows 2000 Certificate Services with Exchange 2000 Server Key Management Service (KMS), configure Windows 2000 Certificate Services as an Enterprise CA.

2. Install an Exchange User template that will allow users with this certificate to sign and seal messages.

3. Install an Exchange Signature Only template that will allow users with this certificate to sign but not seal messages.

4. Install an Enrollment Agent (Computer) template that enables KMS to request certificates on behalf of the users.

Chapter 19, Lesson 2

Advanced Security Features

1. KM Server Architecture

A. Microsoft Exchange Key Management Service (KMS)

1. A KM Server is a server running Microsoft Exchange KMS that has a database for storing Exchange 2000 recipients’ advanced security information.

2. Processes all advanced security requests from Exchange users

3. Communicates directly with the Exchange Advanced Security snap-in and the Information Store

B. The KM database

1. Located under \Program Files\Exchsrvr\KMSData

2. There can be a maximum of one KM database per administrative group.

3. Contains the private sealing (encryption) keys of all users enrolled with this KM Server, and maintains a security key history for each of those users

4. Temporarily stores the users’ public and private sealing keys during the setup process

5. Should be protected from unauthorized access

6. Should be backed up regularly

C. The Information Store and System Attendant

1. The Information Store maintains the mailbox for the System Attendant.

2. The System Attendant mailbox receives request messages for keys from users.

3. The System Attendant sends users enrollment notifications once advanced security has been set up for them.

4. The System Attendant sends users their private and public sealing keys in encrypted messages.

D. Administration tools

1. Encryption Configuration object

a. Allows you to select the encryption algorithm for your users
b. Your selection determines the length of your encryption keys.

2. Key Manager object

a. Start and stop the Key Management Service
b. Assign, revoke, and restore keys and certificates
c. Configure the number of administrator passwords that are required to perform a particular task

3. Active Directory Users and Computers can be used to manage keys and certificates on a per-user basis.

E. The KM Administrator

1. The default KM Administrator is the Exchange administrator that installed KM Server, but others can be added with the Key Manager.

2. Immediately change the KM Administrator password after installing KMS. The default is always “password.”

3. For added security, configure the Key Manager object to require more than one administrator to provide their password before advanced security administration is allowed.

2. Server Keys and Passwords

A. KM Database Master Encryption key

1. Used to encrypt the private keys that are stored in the KM database

2. Used to decrypt information when administrators need to manage the database

3. Encrypted once, and then encrypted once more for each administrator password that is required to perform a task

B. KM Server password

1. A 15-character string that is autogenerated when KMS is installed

2. During installation of KMS, the administrator is asked for a location and a backup location for the password file called KMSERVER.PWD. It can be stored locally or on a floppy.

3. Required every time you want to start the KMS

4. If the file path is in the Registry, the service will read the password locally or from a floppy.

5. If you selected not to have the password written to disk, you must enter it manually in the startup parameters for the service.

6. The location can be changed using the Key Manager administration tool.

3. Enabling and Implementing Advanced Security

A. Stage 1: The administrator’s side

1. Steps in the KM administrator’s process

a. Use the Key Manager tool to enroll multiple users.

b. Use Active Directory Users and Computers to manage individual users.

2. Generated security information

a. A 12-character security token, which must be given to the user either in person or in an e-mail message, and which the client supplies when requesting a certificate

b. The enrollment message from within Key Manager

c. The public and private sealing pair, temporarily stored in the KM database

B. Stage 2: The client’s side

1. Generated security information

a. The public and private signing pair

b. X.509 certificate requests for the signing and sealing certificates, which together make up the user’s unique digital ID

c. The user’s password used to encrypt the private keys

2. Initial steps on the client side

a. Open the Tools menu, click Options to display the Options dialog box, and then click the Security tab.

b. Select Get A Digital ID and provide the 12-character security token.

c. The private keys will now be encrypted and stored in the Registry.

d. The public signing key will be sent to the KM Server in an X.509 certificate request.

3. Receiving the KM Server response

a. The KM Server gets the request and requests approval of the certificates from the Enterprise CA.

b. The approved certificates and the public and private sealing keys are sent back to the client.

c. The client will open the message and provide a password, and Outlook will publish the public sealing certificate, containing the public sealing key, in Active Directory.

d. The response message contains the certificate of the approving CA, the private sealing key, and the signing and sealing certificates.

4. Exchanging Signed and Sealed Messages

A. Exchanging signed messages

1. Signing a message

a. A 128-bit value called a digest is derived from the message.

b. The digest is encrypted with the private signing key.

c. The digest encrypted with the private signing key is the digital signature, and it is attached to the message.

d. The sender’s signing certificate containing the sender’s public signing key is also attached to the message.

2. Verifying a signed message

a. The sender’s public signing key is extracted from the signing certificate.

b. The digital signature is decrypted with that public signing key, recovering the sender’s 128-bit digest.

c. The recipient computes its own digest from the received message and compares it with the sender’s. If they match, the message wasn’t modified.

B. Exchanging sealed (encrypted) messages

1. Sending a sealed message

a. In the Message Options dialog box, select the Encrypt Message Contents And Attachments check box.

b. You will be asked for your password when you send the message, so that Outlook can encrypt the message.

c. Outlook contacts Active Directory to get a copy of the sealing certificate that contains the public sealing key for the recipient.

d. The client generates a bulk encryption key for the message, encrypts the message with it, and then encrypts the bulk key with the recipient’s public sealing key.

2. Unsealing a sealed message

a. The recipient is asked for their password to retrieve the private sealing key from the Registry.

b. The private sealing key is used to decrypt the bulk encryption key, which was encrypted with the recipient’s public sealing key.

c. The bulk encryption key is used to decrypt the message.
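The signing flow in section A and the sealing flow in section B, carried through as one added example (not course material or Microsoft code). Textbook RSA on publicly known Mersenne primes (a toy key, never a real one) and a SHA-256 keystream stand in for the CryptoAPI algorithms Outlook actually uses; the digest is truncated to 128 bits to match the flow above. All function names are assumed.

```python
import hashlib
import secrets

# Added illustration, not Microsoft code: textbook RSA built on publicly known
# Mersenne primes (a toy key, never a real one) and a hash-based keystream stand
# in for the CryptoAPI algorithms that Outlook and KMS actually use.

def toy_keypair(p_exponent, q_exponent):
    """Return (public, private) from two Mersenne primes 2^p-1 and 2^q-1."""
    p, q = (1 << p_exponent) - 1, (1 << q_exponent) - 1
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(message):
    """128-bit message digest, as in the signing flow above (SHA-256 truncated)."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")

def sign(message, private_signing_key):
    """The digest encrypted with the private signing key is the digital signature."""
    n, d = private_signing_key
    return pow(digest(message), d, n)

def verify(message, signature, public_signing_key):
    """Decrypt the signature with the sender's public signing key; compare digests."""
    n, e = public_signing_key
    return pow(signature, e, n) == digest(message)

def _keystream_xor(key, data):
    """Toy bulk cipher: XOR data with SHA-256(key || block counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(message, recipient_public_sealing_key):
    """Encrypt with a fresh bulk key, then wrap that key with the public sealing key."""
    n, e = recipient_public_sealing_key
    bulk_key = secrets.token_bytes(16)
    wrapped_key = pow(int.from_bytes(bulk_key, "big"), e, n)
    return wrapped_key, _keystream_xor(bulk_key, message)

def unseal(sealed, private_sealing_key):
    """Unwrap the bulk key with the private sealing key, then decrypt the message."""
    n, d = private_sealing_key
    wrapped_key, ciphertext = sealed
    return _keystream_xor(pow(wrapped_key, d, n).to_bytes(16, "big"), ciphertext)
```

A sender holds the private signing key and the recipient's public sealing key; the recipient holds its own private sealing key and the sender's public signing key, exactly the two-pair split the lesson describes.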

5. Considerations

A. KMS for multiple administrative groups

1. Install KMS in multiple administrative groups and grant Manage permissions on the Enterprise CA.

2. Install KMS on one server for centralized management.

B. Country-to-country encryption algorithms

1. Select the highest level of supported encryption on the Algorithms tab of the Encryption Configuration container.

2. Select version 1 certificates if you need to support older versions of MAPI clients.

C. Different versions in one organization

1. Exchange Server encrypts a message at only one encryption level, even when the message is sent to multiple recipients who are configured for different levels of encryption.