Security is one of the biggest concerns that network administrators face today. It seems like a day doesn’t go by where there isn’t news of a new hacker exploit or virus out there waiting to attack your network. If you’re thinking about deploying Exchange 2000 on your network, you’re probably wondering what security Microsoft has included in it. In this Daily Drill Down, we’ll take a look.
Defense in depth
When generals form battle lines, they don’t rely on just one line of defense. Instead, they build in several layers in case an attacker breaks through one layer. Likewise, Exchange 2000 has several layers of protection built into it, starting with Windows 2000 itself.
Because Exchange 2000 runs on top of Windows 2000, you get the added security protection of Windows 2000 to build upon that which is included with Exchange 2000. By itself, Windows 2000 provides much more security than did Windows NT 4.0. Some of the most important new security features in Windows 2000 that help protect your Exchange 2000 server include:
- Access Control: As the name suggests, Windows 2000’s Access Control features control what objects can access network resources. Windows 2000 controls access based on Access Control Entries (ACEs) applied to Discretionary Access Control Lists (DACLs). As applied to Exchange 2000, you have much finer granularity when applying access control. In Exchange 5.5, you could only base access control at the container level. With Exchange 2000, you can set access control at the container, item, or property level.
- Active Directory: Active Directory replaces the old NT 4 SAM database. It also replaces the Exchange 5.5 directory for messaging purposes. By combining and centralizing information, Active Directory minimizes the number of access points from which hackers can gain information or access. Active Directory also allows the use of SIDs to increase overall information security.
- Auditing: Auditing allows you to track events that occur on your server. Naturally, Windows 2000 security auditing allows you to track security events that occur on your server. With respect to Exchange 2000, you can track many aspects of your Exchange server, including configuration changes to the server, changes to an object, and whether an object such as a store has been written to or read. By default, Exchange 2000 doesn’t use security auditing. You must enable it using the Group Policy snap-in for the Microsoft Management Console (MMC).
- Certificate Services: Certificate Services certificates are used by software security systems that use public key technologies. Certificate Services in Windows 2000 Server can create a certification authority (CA) to receive certificate requests, identify the requester, issue and revoke certificates, and publish a certificate revocation list (CRL). Exchange 2000 requires Certificate Services in Windows 2000 Server to make its Key Management Service (KMS) work properly.
- Encrypting File System (EFS): Windows 2000’s EFS allows you to encrypt files and folders on NTFS volumes of a server or on a Windows 2000 Professional-based workstation. With regard to Exchange 2000, EFS prevents messages and attachments that reside on mobile workstations from being read by prying eyes. Just remember that EFS protection only applies to files stored on the EFS-protected volume. If you copy files to a floppy disk or e-mail them to someone, the encryption is lost.
- Internet Protocol Security (IPSec): IPSec is a protocol that allows you to secure communication over an IP network, either internally or over the Internet. IPSec applies cryptography to the TCP/IP packets, specifically at the IP transportation layer (better known as Layer 3). IPSec protects all applications and services that use TCP/IP, including Exchange 2000. You don’t have to do anything special to Exchange 2000 after you enable IPSec on your Windows 2000 servers. It works in the background, automatically encrypting and decrypting messages between two Exchange 2000 servers.
- Kerberos: Kerberos is Windows 2000’s new security protocol. Exchange 2000 runs as a network service and is granted a secure Kerberos ticket. Because of Kerberos’ architecture, this is more secure and more efficient than prior authentication schemes. For more information about Kerberos in a Windows 2000 environment, see the Daily Drill Down titled “The Locksmith: What’s Kerberos?”
- TCP/IP filtering: Chances are, if you have your Windows 2000 server connected to the Internet, you have some form of router or firewall between it and the outside world. Even so, you can use Windows 2000’s TCP/IP filtering feature to control the types of TCP/IP traffic that can hit your server. For example, you could configure your Windows 2000 server to filter out all TCP/IP traffic that arrived on port 25. Doing so would automatically stop any SMTP traffic heading to your Exchange 2000 server.
Exchange 2000 specific security features
Windows 2000 provides basic security for your Exchange 2000 server, but what about the peculiarities of messaging? What does Exchange 2000 Server offer in those areas? Fortunately, Microsoft addressed those areas as well.
The main functions of a security system in a messaging environment should be fourfold:
- Provide secure messaging between users.
- Provide secure messaging between users and the e-mail server.
- Prevent unauthorized usage of the e-mail server.
- Prevent unauthorized administration of the e-mail server.
Exchange 2000 addresses these four functions neatly with four main security features: the Key Management Service, Virtual Server Security, Permissions, and encrypted communication. Let’s take a quick look at each of these areas.
Key Management Service
KMS is an Exchange 2000 service that uses Windows 2000 Certificate Services to provide secure messaging for clients sending messages internally and externally. KMS encrypts messages and verifies message integrity several ways. Exchange 2000 uses many popular encryption algorithms, including:
Exchange 2000 KMS uses Certificate Services to produce X.509v3 user certificates that Exchange 2000 and Outlook 2000 can use for digital signatures and encryption. The good thing about X.509v3 user certificates is that not only are they secure but they’re also recognized by Secure/Multipurpose Internet Mail Extension (S/MIME) clients other than those made by Microsoft.
If you selected a Typical installation when you installed Exchange 2000, then KMS wasn’t installed on your server. You can rectify this situation by rerunning the Exchange 2000 setup program and performing a Custom installation. Then, all you have to do is select Install next to the Microsoft Exchange Key Management Service.
When you install KMS, you must install it into an administrative group. During setup, you can select the administrative group you want, but don’t forget that you can have only one KMS per administrative group.
After you install KMS, you must add the KMS server computer account to every Certificate Services server on your network and assign permissions for it on the Certificate Services server. We’ll cover the KMS in detail in an upcoming Daily Drill Down.
Virtual Server Security
As you probably know, Exchange 2000 gives you the ability to define multiple virtual servers on a single physical Exchange server that represent different configurations based on specialized messaging needs you may have. This can happen if you have more than one default domain name, such as when you’re hosting multiple domains. As you can probably guess, securing all of these different configurations can be confusing.
Fortunately, Exchange 2000 gives you the ability to secure each virtual server. You can tailor security for each virtual server. Exchange 2000 allows you to grant or deny access to individual computers, subnets, and entire domains.
To create a virtual server, start the Exchange System Manager and find the Protocols container. Expand it until you see the SMTP container. Right-click the SMTP container and select New SMTP Virtual Server from the New menu. You can then walk through the SMTP Virtual Server Wizard making the necessary selections.
After you’ve created the virtual server, you can administer it by right-clicking its object and selecting Properties. From the Properties page, you can perform such tasks as limiting the number of connections that can use the server, enabling logging of the virtual server activity, enabling message filtering, and configuring access properties. We’ll cover virtual servers in detail in upcoming Daily Drill Downs.
Permissions
As much as you try, unless you’re in a small organization, you can’t do all of the administration tasks yourself. Fortunately, through permissions, Microsoft gives you the ability to delegate control over some Exchange 2000 tasks to other users.
Exchange 2000 includes five predefined user groups with permissions already granted in the Exchange organization. These user groups are:
- Authenticated Users
- Domain Admins
- Enterprise Admins
- Exchange Domain Servers
In addition to these default groups, you can use the Exchange Administration Delegation Wizard to delegate special administration duties to individual users or groups. To use the Delegation wizard, start the Exchange System Manager. When it starts, right-click your Exchange organization object and select Delegate Control.
When you do, you’ll see the Exchange Administration Delegation Wizard Welcome screen appear. Click Next to start the wizard. You’ll then see the Users Or Groups screen appear. On this screen, you’ll select or add users who you want to delegate control to. You should at least see your Administrator account listed on this screen with a role of Exchange Full Administrator.
If you want to delegate control to another user or group, click the Add button. When the Delegate Control window appears, click the Browse button. Select the user or group from the Select Users, Computers, Or Groups window and click OK. When you return to the Delegate Control window, you can specify the role the user or group is supposed to fill by selecting one of the following choices from the Role drop-down list:
- Exchange Full Administrator: This option gives the user or group complete control to administer Exchange system information and modify permissions.
- Exchange Administrator: If you select this option, the user or group has the power to administer Exchange system information but not modify permissions.
- Exchange View Only Administrator: This option allows the user or group to view Exchange system information but not to change it.
Click Next after you’ve set the user’s or group’s role and then click Finish. You’re done!
Microsoft suggests that you create three different types of administrators and grant rights to these groups accordingly to delegate authority in your organization. Administration groups that you should create or use include:
- Enterprise Administrators: You can give users control over all aspects of Active Directory and Exchange 2000 by adding them to the Enterprise Administrators group.
- Administrative Group Administrators: Administrative Group Administrators are similar to Enterprise Administrators except that they only have power over a selected administrative group. All you have to do is create a global security group in Active Directory and grant this group one of the roles in the Exchange Administration Delegation Wizard. For more information about administrative groups, see the Daily Drill Down titled “Using Exchange 2000 administrative groups.”
- Recipient Administrators: Microsoft suggests that you use the built-in Windows 2000 Server Account Operators security group as a single location for Recipient Administrators. All you have to do is grant the Account Operators group the Exchange View Only permissions role using the Exchange Administration Delegation Wizard.
Encrypted communication
Encryption goes beyond just encrypting the files that reside on servers and workstations. It doesn’t do much good to encrypt files on the servers and workstations if someone can just put a sniffer on your network and read the messages as they go by. Therefore, you need to provide a secure, encrypted message link between the servers and workstations and between servers.
There are several ways you can enforce encryption on your network. First, you can configure virtual servers to require inbound encryption when a client is communicating with the server. Additionally, you can configure servers to require SSL with basic authentication.
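One way to confirm that a virtual server really enforces these settings is to review a recorded SMTP probe session. The following is an added example, not code from the original article or from Microsoft; the transcripts and hostnames are constructed, the function name `audit_smtp_tls` is hypothetical, and it assumes the server negotiates encryption through the standard SMTP STARTTLS extension.

```python
import re

# Constructed probe transcripts (C: = client, S: = server); hostnames are placeholders.
ENFORCED = """\
S: 220 mail.example.test ESMTP
C: EHLO probe.example.test
S: 250-mail.example.test Hello
S: 250-STARTTLS
S: 250 SIZE 10240000
C: MAIL FROM:<probe@example.test>
S: 530 5.7.0 Must issue a STARTTLS command first
"""
LAX = """\
S: 220 mail.example.test ESMTP
C: EHLO probe.example.test
S: 250-mail.example.test Hello
S: 250-AUTH LOGIN PLAIN
S: 250 STARTTLS
C: MAIL FROM:<probe@example.test>
S: 250 2.1.0 Sender OK
"""

def audit_smtp_tls(transcript):
    """Return sorted findings for one recorded SMTP probe session."""
    findings = set()
    tls_on = offers_tls = False
    last_cmd = ""
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            last_cmd = text.split()[0].upper() if text.split() else ""
            continue
        m = re.match(r"(\d{3})[ -](.*)", text)
        if side != "S" or not m:
            continue
        code, words = m.group(1), m.group(2).upper().split()
        if last_cmd == "EHLO" and code == "250" and words:
            if words[0] == "STARTTLS":
                offers_tls = True
            # Basic authentication (LOGIN/PLAIN) sends reusable credentials,
            # so it should only be advertised once TLS is active.
            if words[0] == "AUTH" and not tls_on and {"LOGIN", "PLAIN"} & set(words[1:]):
                findings.add("cleartext-auth-offered-before-tls")
        elif last_cmd == "STARTTLS" and code == "220":
            tls_on = True
        elif last_cmd == "MAIL" and code.startswith("2") and not tls_on:
            findings.add("mail-accepted-without-tls")
    if not offers_tls:
        findings.add("starttls-not-offered")
    return sorted(findings)
```

An empty result means the session showed encryption being required before mail or basic authentication was accepted.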
Exchange 2000 normally uses SMTP to communicate between servers, but occasionally it uses RPC as well. RPC is also used by MAPI clients such as Outlook 2000 when you configure clients to use encryption. Fortunately, you can encrypt RPC messages to increase security on your network.
Encrypted RPC isn’t heavily encrypted. It only uses 40-bit RC4, an algorithm from RSA, to encrypt data. A 40-bit key is easily crackable given enough time, but chances are, anyone sniffing your network isn’t going to go to the trouble of cracking the packets.
To configure encrypted RPC for your Outlook client, start Outlook on the client machine and select Services from the Tools menu. Select Microsoft Exchange Server and then click Properties. When the Properties window appears, click the Advanced tab. Finally, under Encrypt Information, select both check boxes to encrypt all communication between the client and the servers.
Securing your network may seem like a never-ending battle, but Microsoft has worked hard to make sure that Exchange 2000 is more secure than any previous version of Exchange. Building upon the improved security inherent in Windows 2000, Microsoft added features to Exchange 2000 that make it even more secure. In this Daily Drill Down, I showed you some of Exchange 2000’s new security features.