Understanding How Exchange Server 2003 Integrates with Windows Server 2003 Security


This section focuses on how Exchange Server 2003 uses the Windows Server 2003 security features. The Windows Server 2003 security features can be divided into two broad areas: core operating system features and additional features.

The core operating system features form the basis of a secure implementation of Windows Server 2003. Those features include the following:

  • Active Directory services: Unifies Exchange Server 2003 and Windows Server 2003 objects into one directory

  • Kerberos authentication: Performs authentication for access to domain and local services

  • Access control model: Gives granular control over Active Directory entries and Exchange objects

  • Microsoft Certificate Services: Can be used by other applications to provide security across different layers

Additional applications that enhance the features of the core operating system include the following:

  • IP Security: Used for network, remote access, and virtual private networks

  • Encrypting File System: Provides additional security for mobile users

  • Security Configuration Analyzer: Ensures adherence to security policies

Active Directory

Active Directory in Windows Server 2003 replaces the Security Accounts Manager (SAM) in Windows NT Server 4 as the security database. However, like an object in the SAM, each Active Directory object is given a 96-digit, pseudorandom security identifier (SID) that is globally unique.

Not all objects in Active Directory are assigned an SID. For instance, a security group has an SID, but a distribution group does not. Likewise, mail-enabled users have SIDs, but mail-enabled contacts do not. Only objects that have SIDs can be added to the access control list (ACL) of a resource. An object without an SID cannot be placed in an ACL, so it can never be granted access to a resource guarded by one.
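The SID is what an ACL entry actually stores, so it is worth seeing its structure. The following Python is an added illustration, not code from the book: it converts a SID between its string form and the binary layout used in security descriptors, and splits a domain account SID into its domain part and relative identifier (RID). The well-known SIDs S-1-1-0 and S-1-5-32-544 are real; the domain SID used as sample input is constructed.

```python
import struct

# Added example (not from the book). Binary SID layout: revision (1 byte),
# sub-authority count (1 byte), 48-bit big-endian identifier authority, then
# one 32-bit little-endian value per sub-authority. The domain SID in the
# docstrings below is a constructed sample.

def sid_to_bytes(sid: str) -> bytes:
    """Serialize 'S-1-5-21-...' into the binary form stored in an ACL."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 1 <= len(subs) <= 15:
        raise ValueError(f"bad revision or sub-authority count: {sid!r}")
    if authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError(f"field out of range: {sid!r}")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def bytes_to_sid(data: bytes) -> str:
    """Parse the binary layout back to a string, rejecting truncated input."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != 1 or len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:])
    return "S-1-" + "-".join(str(x) for x in (authority, *subs))

def split_domain_rid(sid: str):
    """Split a domain account SID, e.g. the constructed sample
    S-1-5-21-3623811015-3361044348-30300820-1013, into (domain SID, RID).
    The RID names the account within the domain; RID 500 is always the
    built-in Administrator, whatever the account has been renamed to."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])
```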

Kerberos Authentication

Kerberos treats Exchange Server 2003 like a service. When a client needs to contact an Exchange server, the client first requests an Exchange service ticket from the key distribution center (KDC). The ticket is then used for authentication to the Exchange server.

The Exchange services themselves run under the Local System account and use Kerberos to authenticate to a domain controller with the computer account's credentials, which are changed automatically every seven days. The Exchange Server 2003 computer account is a member of the Exchange Servers group, which in turn appears in the ACLs of the core Exchange objects.

More Info

It is beyond the scope of this book to cover Kerberos authentication in detail. To learn more about Kerberos authentication, what a ticket is, and how this protocol works, consult the “Microsoft Windows 2000 Server Distributed Systems Guide” in the Microsoft Windows 2000 Server Resource Kit (Microsoft Press).

Access Control Model

The access control model in Exchange Server 2003 follows that of Windows Server 2003, giving far greater granularity of control over Exchange Server 2003 objects than was possible for Exchange Server 5.5 objects. For instance, you can grant or deny access by container, by item, and at the property level. In addition, Exchange Server 2003 objects are based on the Windows Server 2003 NTFS file system and Active Directory objects. By way of illustration, if a user has access to only five of the 10 items in a public folder, the user sees only those five items. Likewise, when a user who lacks access rights to certain attributes performs a search, the results contain only what he or she is permitted to see.

Note

As you migrate public folders from Exchange 5.5 Server, the distribution lists become distribution groups, which do not have SIDs. As a result, you might need to implement new security settings. In addition, public folders created in Exchange Server 2003 have a Windows Server 2003 ACL. If the folder is to be replicated to the Exchange Server 5.5 system, be sure to test the folder for access control functions, since the ACLs in Windows NT Server 4 and Windows Server 2003 are different.

IP Security

Although KMS (Key Management Service) provides security at the application layer, IP Security (IPSec) provides security at the IP layer of the network stack; hence, IPSec provides a higher level of security than KMS. In a highly secure environment, IPSec can be used to encrypt traffic from client to server and from server to server. IPSec works in tandem with Layer 2 Tunneling Protocol (L2TP).

With all these different security features available, you’ll need to consider which type of security you would like to implement. Table 25-5 summarizes some of the encryption and authentication methods commonly used today.

Table 25-5: Common encryption and authentication methods

Services   Method Used         Keys
IPSec      Encryption          DES 128-bit
           Authentication      MD5 128-bit
           Integrity           SHA 160-bit
           Kerberos
KMS        Encryption          DES, 3DES 128-bit
           Digital signature   RSA 512-bit
EFS        Encryption          DESX 128-bit


Microsoft Exchange Server 2003 Administrator's Companion
ISBN: 0735619794
Year: 2005
Pages: 254