CHAPTER 19
IMPLEMENTING ADVANCED
SECURITY
How to Set up Security:
Lesson 1:
Exchange 2000 Server Security
No computer system is ever completely secure. However, a mail host connected to the Internet
has to cope with different threats than a workstation isolated in a private network. Windows
2000 and Exchange 2000 Server cover both the basic security needs and the advanced requirements
of such a host.
Access Control in Windows 2000
A discretionary access control list (DACL) holds a list of access control entries (ACEs), which
grant or deny a set of permissions, such as reading and writing object properties or creating and
deleting child objects, to security principals. Security principals, in turn, are referenced by
security identifiers (SIDs) and typically correspond to user accounts and security groups.
When you successfully log on to Windows 2000 Server, the operating system authenticates
your user account and password and creates an access token that contains your SID, the SIDs
of any groups to which you belong, and information about your user rights.
Access to the Configuration
The organization's configuration information is stored in the Configuration naming context of
Active Directory. You can use ADSI Edit (ADSI stands for Active Directory Service Interfaces) to
view the entire contents of the Configuration naming context. It is a good idea not to edit it
directly: like the Schema, once you corrupt it you are reinstalling.
NOTE: Permissions set on configuration objects are inherited by child objects by default, as they
are on NTFS.
========================================================================
winexc19.html PAGE
2 2002/07/07
The following roles apply to organizational administrators at the administrative group level:
NOTE: During the installation of Exchange 2000 Server, two groups called Exchange Domain
Servers and Exchange Enterprise Servers are created. All Exchange 2000 server accounts from
your domain must be members of the Exchange Domain Servers group, which in turn is a member of
Exchange
tasks, such as mail transfer and directory synchronization.
Access to Mailbox Settings
The Information Store handles the corresponding mailbox resources and checks the security settings
in Active Directory before allowing a particular user access to a mailbox.
Access Control Through NTFS Permissions
Access control to file objects on an NT file system (NTFS) partition relies on the same concepts
as access control to Active Directory or information store objects. All Exchange 2000 related
files should be placed on NTFS partitions, and NTFS permissions should be specified to make
sure only authorized administrators and system accounts have access to sensitive data, such as
database and transaction log files. Anyone who can read a database or log file can recover
mailbox contents from it without ever touching the Information Store's own permission checks.
TIP To avoid performance losses, do not compress or encrypt the NTFS directories and database
files of Exchange 2000 Server. Compression fragments the database files on disk and really slows
the server down.
The log file is in \Program Files\Exchsrvr\Manchester.log
Denying Permissions
You may want to explicitly deny accounts specific permissions, but you should be very careful,
especially if you intend to deny access to special groups such as the Everyone group: every
account, including administrators and the Exchange service accounts, carries the Everyone SID in
its access token, so a deny ACE for Everyone locks out everybody.
Access to a resource is evaluated, ACE by ACE, until one of the following occurs:
An ACE in the DACL denies one of the requested permissions. ACEs that deny permissions are listed
first in the DACL and therefore override all later grants.
One or more ACEs together grant all of the requested permissions.
The end of the DACL is reached with only a subset of the requested permissions, or none, granted;
access is then denied.
Exchange Administration Delegation Wizard and Permission Denials
The Exchange Administration Delegation Wizard grants Read and View Information Store permissions
to Exchange View-Only Administrators, but this wizard never creates deny ACEs. To deny individual
permissions, you need to use the Security tab provided with most configuration objects. Exchange
System Manager hides this tab on many objects by default; to display it you must edit the registry:
HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin. Set the value there to 1. Because it lives
under HKEY_CURRENT_USER, the setting applies only to the administrator who made it.
Auditing and Protocol Logging
Object security descriptors contain a DACL, and they may also hold a system access control list
(SACL). Like the DACL, the SACL contains ACEs, but these specify auditing directives (which access
attempts by which principals are logged, on success, on failure, or both), not user permissions.
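The access-check walk described above and the SACL auditing directives of this section, as an added example in Python (it is not code from the training kit or from Windows itself). The access-mask bit names, the user SIDs and the audit record text are constructed for the example; only the Everyone and Administrators SIDs are the real well-known values. The example also shows why the earlier warning about denying the Everyone group matters: the deny ACE is evaluated first and locks out administrators too.

```python
"""Added example: Windows-style DACL evaluation and SACL audit decisions."""
from dataclasses import dataclass

# Illustrative access-mask bits (not the real Windows ACCESS_MASK values).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = READ | WRITE | DELETE

# Well-known SIDs for Everyone and the local Administrators group.
EVERYONE, ADMINS = "S-1-1-0", "S-1-5-32-544"
# Constructed domain SIDs for the sample users.
ADMIN_USER, JANE = "S-1-5-21-1000-2000-3000-500", "S-1-5-21-1000-2000-3000-1104"


@dataclass(frozen=True)
class ACE:
    sid: str
    mask: int
    allow: bool = True   # DACL: allow/deny.  SACL: audit on success / on failure.


def canonical(dacl):
    """Windows canonical order: explicit deny ACEs precede explicit allow ACEs,
    which is why a deny always wins over a grant for the same bits."""
    return [a for a in dacl if not a.allow] + [a for a in dacl if a.allow]


def access_check(token_sids, dacl, requested):
    """Return (granted, granted_mask) for a token holding token_sids.
    Stops at the first deny ACE that touches a requested bit, or as soon as
    allow ACEs together cover every requested bit."""
    if dacl is None:             # NULL DACL: no protection at all, everybody gets everything
        return True, requested
    granted = 0
    for ace in canonical(dacl):  # an empty DACL grants nothing
        if ace.sid not in token_sids or not (ace.mask & requested):
            continue
        if not ace.allow:
            return False, granted
        granted |= ace.mask & requested
        if granted == requested:
            return True, granted
    return False, granted        # end of DACL reached with only a subset granted


def audit_event(token_sids, sacl, requested, success, user, obj):
    """SACL ACEs never grant anything; they say which outcomes to log for whom.
    Returns the audit record text, or None if nothing in the SACL applies."""
    for ace in sacl:
        if ace.sid in token_sids and ace.mask & requested and ace.allow == success:
            kind = "Success Audit" if success else "Failure Audit"
            return f"{kind}: {user} requested 0x{requested:x} on {obj}"
    return None


if __name__ == "__main__":
    # A DACL as you might set it on the MDBDATA directory: admins full, one user read-only.
    mdbdata_dacl = [ACE(ADMINS, FULL), ACE(JANE, READ)]
    admin_token = {ADMINS, EVERYONE, ADMIN_USER}
    jane_token = {EVERYONE, JANE}
    print(access_check(admin_token, mdbdata_dacl, READ | WRITE))   # (True, 3)
    print(access_check(jane_token, mdbdata_dacl, READ | WRITE))    # (False, 1)

    # The caveat from the notes: denying Everyone locks out administrators too.
    locked = [ACE(EVERYONE, WRITE, allow=False)] + mdbdata_dacl
    print(access_check(admin_token, locked, WRITE))                # (False, 0)

    # SACL: log failed write attempts by anybody.
    sacl = [ACE(EVERYONE, WRITE, allow=False)]
    ok, _ = access_check(jane_token, mdbdata_dacl, WRITE)
    print(audit_event(jane_token, sacl, WRITE, ok, "jane", "E00.log"))
```

The SACL lookup only decides whether a record is produced; as the next section says, nothing reaches the security event log until the corresponding audit policy category is switched on.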
Enabling Security Auditing
Before any security-related events are written to the security event log, auditing must be turned
on with the Windows 2000 security tools, such as Group Policy or the Domain Controller Security
Policy. A SACL on an object has no effect until the matching audit policy category (Audit object
access for files, Audit directory service access for Active Directory objects) is enabled.
Firewalls, Connectors, and Encryption
The firewall server is equipped with three network cards, general IP forwarding is disabled,
and network communication from either side of the firewall host is only allowed to systems
in the DMZ, which is also called the perimeter network.
Typically, you do not maintain internal data, such as user mailboxes, on systems in the DMZ.
Another option is to use X.400 Connectors instead of SMTP Connectors.
Front-End Versus Back-End Communications
To allow access to the Global Catalog, you need to open TCP port 3268 on the second firewall.
Port Numbers:
Private/Public Key Security (Front End)
Even if you use SSL/Transport Layer Security (TLS), IP Security (IPSec), or VPNs to encrypt the
communication between your systems, the messages themselves are still stored in unencrypted form,
which makes it possible to intercept them on an unprotected server, redirect them to an
unauthorized recipient, or alter them. Transport encryption protects data only while it is in
transit; only message encryption (sealing) protects the message itself.
NOTE: Encrypting e-mail messages prevents virus scanners from checking attachments.
Message Signing and Sealing
Security features based on private/public key pairs give you the ability to sign messages
digitally, which allows recipients to verify that the originator was truly the sender and that
the message content has not been changed on its way into the recipients' mailboxes.
A sealed (encrypted) message does not necessarily carry a digital signature, and a signed message
is not automatically sealed. Outlook Express is not a MAPI client; it is a POP3 client.
Public Key Technology
The X.509 standard defines the format of the public key certificates that bind a public key to
its owner; it does not itself prescribe an encryption algorithm. Exchange 2000 Server's advanced
security is a dual key-pair system: each user has one public/private key pair for signing and a
second one for sealing.
X.509 Certificate Services
Public keys are kept in X.509 certificates, which also carry information about the encryption
methods the owner's client supports and, through the issuing CA's signature, vouch for the
legitimacy of the keys. The algorithm actually used for sealing is chosen in the Exchange
encryption configuration (the notes below record 3DES as the method in use).
To conform to X.509, advanced security certificates must contain the following:
certificate.
and so on (only for X.509 version 3)
Certificate Authorities
Certificate Services can operate as a root CA or a subordinate to another CA. You have the
option to deploy one or more Enterprise CAs for certificate issuance and revocation.
NOTE: To gain access to the features of X.509 version 3, the Key Management Service
(KMS) of Exchange 2000 Server integrates with Certificate Services. Exchange 2000 Server
can also issue X.509 version 1 certificates for backward compatibility with Microsoft Office
97 and earlier clients.
NOTE: Exchange certificates can be used in Outlook 2000 as well as in Internet mail clients,
such as Outlook Express. You should not request additional S/MIME certificates, for
instance through the Web interface of Certificate Services.
Lesson 2:
Advanced Security Features
KMS creates and manages the PKI of your Exchange 2000 organization. It integrates with
Windows 2000 Certificate Services, which in turn may be part of a larger PKI that extends
beyond the Active Directory forest of your organization.
KM Server Architecture
Two main components form a functioning KM Server: Microsoft Exchange KMS and a storage
database. Several other components, including the Exchange Advanced Security snap-in
(KMSSNAPIN.DLL) and a cryptographic service provider (CSP) for the Microsoft Cryptographic
Application Programming Interface (CryptoAPI), are also required.
KM Database
The KMS maintains a database, which stores advanced security information for Exchange 2000 users.
This database can be found on the KM Server under \Program Files\Exchsrvr\KMSData.
It should be backed up, and the backup media locked away.
Information Store
The information store maintains the System Attendant mailbox through which the KM Server
receives request messages from users. This mailbox is also used to send users an enrollment
notification and their private and public sealing keys in encrypted messages.
KM Administrator
The KM Administrator is a privileged Exchange 2000 administrator who can enable, revoke,
and recover advanced security features. By default, only the person who installed the KM
Server is a KM administrator.
Multiple KM Administrator Passwords
By default, every KM administrator is able to perform administrative tasks right away.
You can use the Passwords tab of the Key Manager object to enforce a policy that requires
two or more administrators to specify their passwords before advanced security administration
is allowed.
Exercise Summary:
added to all Certificate Services CAs used to issue certificates for Exchange 2000 Server.
ideal not to store this password electronically, but you have the option to do so if this is
appropriate.
Server Keys and Passwords
Cryptographic keys, stored in the KM database, must be protected from unauthorized access;
otherwise, advanced security would be useless.
KM Server Password
Go into the registry again at HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\KMServer.
If MasterPasswordPath points to a floppy, you need to insert the disk that contains KMSERVER.PWD
into the server's floppy drive during service start; without this password the service cannot
open the KM database.
Generated Security Information
The sealing key pair is also created. The security token is written to a file called ENROLL.LOG in
the \Program Files\Exchsrvr\KMSData directory when working with Exchange System Manager or
displayed on the screen in a message box when using Active Directory Users and Computers.
Distributing Security Tokens in Enrollment Messages
You may distribute the security token to your users in e-mail messages, which is particularly
useful if you plan to enroll multiple users at once. Most important in this message is the
placeholder %TOKEN%, which will be replaced with the actual security token. Independent
of the enrollment message, the security token is displayed in a message box or written to the
ENROLL.LOG file. The token is what allows a user to enroll, so sending it in an unprotected
message is less secure than handing it over manually, and ENROLL.LOG needs the same protection.
NOTE: KMS can forward certificate requests to any
running Certificate Services are unavailable, user requests are queued for up to 24 hours, after
which time the user will have to reissue the request.
Receiving the KM Server Response
The KM Server will retrieve the request message from the System Attendant mailbox, will
request the approval of the
certificates from an
certificates together with the public and private sealing keys in another encrypted message to
the client.
NOTE: If you have installed Certificate Services to form your own root CA, the self-issued
root certificate will be added to the Trusted Root Certification Authorities store on the local
computer during the process of enabling advanced security.
Exchanging Signed Messages
The sending client hashes the message and encrypts the hash with the sender's private signing key.
The receiving client recomputes the hash over the message it received and compares it with the
hash recovered by decrypting the signature with the sender's public signing key; any mismatch
means the message was altered in transit or the signature was not produced by that sender.
Sending a Sealed Message
If you want to send a sealed message, you will compose the message as usual, but in the
Message Options dialog box, you need to select the Encrypt Message Contents And Attachments
check box.
The strongest encryption method common to all recipients is determined and used to encrypt the
message. With that method, the client generates a random bulk encryption key for sealing (and
later unsealing) the message.
For each recipient, the bulk key is encrypted with that recipient's public sealing key into a
lockbox, and each lockbox is added to the sealed message, so every recipient can recover the bulk
encryption key with his or her own private sealing key. The client may also add a lockbox for the
sender's own sealing certificate so the originator can read the sealed message as it is stored in
the Sent Items folder.
Unsealing a Sealed Message
When you receive a sealed message and open it, the message must be unsealed. Consequently, you
will be prompted for your security password to retrieve your private sealing key from the security store.
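The sign, seal and unseal steps described in this section and under Message Signing and Sealing above, as an added example in Python (it is not code from the training kit, from Outlook or from a CryptoAPI CSP). Textbook RSA with toy-sized keys and a SHA-256 counter-mode keystream stand in for the real CSP algorithms, the algorithm preference list and the sample users are constructed, and the only Exchange detail it reproduces faithfully is the structure: separate signing and sealing key pairs per user, one random bulk key per message, and one lockbox per recipient (plus one for the sender's Sent Items copy).

```python
"""Added example: dual key-pair sign-and-seal flow, stdlib only. Toy crypto, demo use only."""
import hashlib
import math
import os
import random

# Strongest first. Only 3DES is named in the notes; the rest of the list is an assumption.
ALGORITHM_PREFERENCE = ["3DES", "DES", "RC2-40"]
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n):
    """Miller-Rabin with fixed bases (probabilistic; fine for a demo)."""
    if n < 2:
        return False
    for p in _BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _next_prime(rng, bits):
    n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    while not _is_probable_prime(n):
        n += 2
    return n


def keypair(seed, bits=136):
    """Deterministic toy RSA pair ((n, e), (n, d)); n > 2**256 so a SHA-256
    digest or a 128-bit bulk key fits in one RSA block without padding."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _next_prime(rng, bits), _next_prime(rng, bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream_xor(key, data):
    """SHA-256 counter mode as the bulk cipher; acceptable only because a bulk key
    is generated fresh for every message and never reused."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def sign(message, signing_priv):
    """Encrypt the message digest with the sender's private signing key."""
    n, d = signing_priv
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)


def verify(message, signature, signing_pub):
    """Recipient recomputes the digest and compares it with the decrypted signature."""
    n, e = signing_pub
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")


def seal(message, recipients):
    """recipients maps name -> {"pub": (n, e), "algs": [...]} taken from each
    sealing certificate. Include the sender so the Sent Items copy stays readable."""
    common = [a for a in ALGORITHM_PREFERENCE
              if all(a in r["algs"] for r in recipients.values())]
    if not common:
        raise ValueError("no encryption algorithm common to all recipients")
    bulk_key = os.urandom(16)
    k = int.from_bytes(bulk_key, "big")
    lockboxes = {name: pow(k, r["pub"][1], r["pub"][0]) for name, r in recipients.items()}
    return {"algorithm": common[0], "ciphertext": _keystream_xor(bulk_key, message),
            "lockboxes": lockboxes}


def unseal(sealed, name, sealing_priv):
    """Open this recipient's lockbox with the private sealing key, then decrypt."""
    if name not in sealed["lockboxes"]:
        raise KeyError(f"{name}: no lockbox, message was not sealed to this recipient")
    n, d = sealing_priv
    bulk_key = pow(sealed["lockboxes"][name], d, n).to_bytes(16, "big")
    return _keystream_xor(bulk_key, sealed["ciphertext"])


if __name__ == "__main__":
    alice_sign_pub, alice_sign_priv = keypair("alice-signing")   # constructed users
    alice_seal_pub, alice_seal_priv = keypair("alice-sealing")
    bob_seal_pub, bob_seal_priv = keypair("bob-sealing")
    body = b"Q3 numbers attached. Do not forward."
    sig = sign(body, alice_sign_priv)
    sealed = seal(body, {"bob": {"pub": bob_seal_pub, "algs": ["3DES", "RC2-40"]},
                         "alice": {"pub": alice_seal_pub, "algs": ["3DES", "DES"]}})
    print(sealed["algorithm"], unseal(sealed, "bob", bob_seal_priv) == body)
    print(verify(body, sig, alice_sign_pub), verify(body + b"!", sig, alice_sign_pub))
```

Note what the signature and the seal each do not give you: the lockboxes prove nothing about who sent the message (anyone with Bob's certificate can seal to him), and the signature does not hide the content. That is exactly why the notes stress that signing and sealing are independent choices.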
Exercise Summary:
can enroll mailboxes individually or multiple mailboxes in bulk for entire administrative groups,
servers, or individual mailbox stores.
the users, but it is more secure to provide these temporary security keys manually.
KMS for Multiple Administrative Groups
In environments with multiple administrative groups, you may install a separate KMS in each and
grant these servers Manage permissions on the
Country-to-Country Encryption Algorithms
When you examine the properties of the Encryption Configuration object, you will notice the
Algorithms tab, which allows you to specify the desired encryption algorithms for your clients.
If your users are running Microsoft Outlook 98, Outlook 2000, or Internet mail clients, you
should accept the default S/MIME setting under Security Message Format.
Different Versions in One Organization
3DES is the encryption method used. The X.509 sealing certificate, obtained from Active
Directory, provides information about the supported encryption methods. Outlook 2000 will
contact Active Directory to retrieve the sealing certificates of all recipients.
Key and Certificate Management:
KM database.
it restores the original key pair from the KM database. Again, a 12-character security token is
returned; you must supply this to the user, as usual.
Moving the KM Server
You can move the KM Server from one server to another server in the administrative group, which
may be desirable if you plan to remove the first server completely or dedicate the hardware to other
tasks.
Exporting the KM Server Computer Certificates
Before deleting the old mailbox, you need to export the user’s key history. After creating the new
mailbox, import the history into the new KM Server. Keep in mind that you are working with very
sensitive data, the user’s private sealing key.
Don’t forget to write down the first eight characters that are displayed in the Thumbprint box (it is
possible to copy this information into the clipboard). Then, specify a path where the certificate will
be saved with a .crt extension.
NOTE: To avoid problems with advanced security, do not revoke certificates or recover keys of
affected users during the export and import cycle. Microsoft recommends completing the key
recovery within 24 hours of the key history move.
Advanced Security with Other Organizations
S/MIME is an industry standard widely accepted across the Internet.
S/MIME Interoperability Issues
Both Outlook 2000 and Outlook Express can use the same certificates. You need to use Outlook
2000 to complete the process of enabling advanced security, but as soon as you have received your
certificates, you can use them in Outlook Express as well.
Click the Security tab, and then, under Signing Certificate and Encryption Preferences, select the
Exchange signing and sealing certificates.
Outlook Express supports S/MIME version 2, while Outlook 2000 Service Release 1 supports S/MIME
version 3. You may therefore experience problems in Outlook Express when working with sealed
messages that were composed in Outlook.
NOTE: OWA does not support S/MIME and cannot display digital signatures or sealed messages.
Person-to-Person Key Exchange
By default, the Security tab option to send your certificates with signed messages is selected,
which causes Outlook to include a copy of your sealing certificate in signed messages. Hence, you
should have the person to whom you want to send encrypted messages send you a signed message
first; Outlook can then seal to the certificate it received with that message.
Chapter Summary:
configurations allow you to achieve secure connections to the Internet, and encryption technologies
give you the ability to encrypt the communication between your mail servers and between your users.