This section focuses on how Exchange Server 2003 uses the Windows Server 2003 security features. The Windows Server 2003 security features can be divided into two broad areas: core operating system features and additional features.
The core operating system features form the basis of a secure implementation of Windows Server 2003. Those features include the following:
Active Directory services: Unifies Exchange Server 2003 and Windows Server 2003 objects into one directory
Kerberos authentication: Authenticates users, computers, and services for access to domain resources
Access control model: Gives granular control over Active Directory entries and Exchange objects
Microsoft Certificate Services: Issues certificates that other applications and protocols can use to provide security at different layers
Additional applications that enhance the features of the core operating system include the following:
IP Security (IPSec): Authenticates and encrypts IP traffic on the local network, for remote access, and for virtual private networks
Encrypting File System (EFS): Encrypts files on disk, protecting data on portable computers that may be lost or stolen
Security Configuration and Analysis: Compares a computer's current settings against a security template and applies the template, so that the computer adheres to security policy
Active Directory in Windows Server 2003 replaces the Security Accounts Manager (SAM) of a Windows NT Server 4 domain as the domain's security database (member servers still keep a local SAM for local accounts). As in the SAM, each security principal in Active Directory is identified by a security identifier (SID). A domain SID is not simply a random number: it is the domain identifier, a 96-bit value (three 32-bit sub-authorities, shown as S-1-5-21-x-y-z) generated pseudorandomly when the domain is created, followed by a relative identifier (RID) that is unique within that domain. Because the domain identifier is effectively unique across domains, the full SID is globally unique. ACLs refer to principals by SID rather than by name, so renaming an account never changes its access.
Not every Active Directory object is a security principal. A security group is one, but a distribution group is not: Active Directory stores an objectSid for both kinds of group, but only a group whose groupType has the security-enabled bit set is placed in a user's access token, so only a security group is meaningful in an ACL. Likewise, a mail-enabled user has a SID, but a mail-enabled contact has none at all. Only security principals can be added to the access control list (ACL) of a resource; an object that is not one cannot appear in an ACL and therefore cannot be granted (or denied) access to anything guarded by one.
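To make the distinction concrete, here is an added example (not code from the book or from Windows) that decodes the binary objectSid attribute into its S-1-5-21-... text form, separates the 96-bit domain identifier from the RID, and applies the rule above to a handful of constructed directory objects: a user, a security group, a distribution group and a contact. The domain identifier, RIDs and names are made up; the groupType flag value and the SID byte layout are the documented ones.

```python
"""Decode an Active Directory objectSid and decide whether an object can be
named in an ACL.

Added example, not code from the book or from Windows.  The sample objects
are constructed by hand.  The SID byte layout is the documented one:
revision (1 byte), sub-authority count (1 byte), identifier authority
(6 bytes, big-endian), then each sub-authority as a 32-bit little-endian int.
"""
import struct

# groupType flag that makes a group a security principal (ADS_GROUP_TYPE_SECURITY_ENABLED).
GROUP_SECURITY_ENABLED = 0x80000000


def sid_to_string(blob: bytes) -> str:
    """Binary objectSid -> 'S-1-5-21-...' text form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_from_string(text: str) -> bytes:
    """Text form -> binary objectSid (used here to build the sample data)."""
    parts = text.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID")
    authority = int(parts[2]).to_bytes(6, "big")
    subs = [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + authority + struct.pack("<%dI" % len(subs), *subs)


def split_domain_rid(sid: str) -> tuple:
    """Split a domain SID into the 96-bit domain identifier (S-1-5-21-a-b-c)
    and the relative identifier (RID) that is unique within that domain."""
    head, _, rid = sid.rpartition("-")
    if not head.startswith("S-1-5-21-"):
        raise ValueError("not a domain SID")
    return head, int(rid)


def is_security_principal(obj: dict) -> bool:
    """True if the object's SID can be placed in an ACL.
    Contacts carry no objectSid at all; groups carry one but are usable in
    an ACL only when the security-enabled bit of groupType is set."""
    if "objectSid" not in obj:
        return False
    if obj["objectClass"] == "group":
        # groupType is stored as a signed 32-bit integer; mask before testing the flag.
        return bool((obj["groupType"] & 0xFFFFFFFF) & GROUP_SECURITY_ENABLED)
    return True  # users, computers and other SID-bearing objects


DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"  # constructed domain identifier

# Constructed directory objects (attribute names follow the AD schema).
SAMPLE_OBJECTS = [
    {"cn": "Alice", "objectClass": "user", "objectSid": sid_from_string(DOMAIN + "-1105")},
    {"cn": "Sales", "objectClass": "group", "groupType": -2147483646,  # 0x80000002: global, security
     "objectSid": sid_from_string(DOMAIN + "-1201")},
    {"cn": "Newsletter", "objectClass": "group", "groupType": 8,  # 0x00000008: universal, distribution
     "objectSid": sid_from_string(DOMAIN + "-1202")},
    {"cn": "Bob (external)", "objectClass": "contact"},  # mail-enabled contact: no objectSid
]


def ace_candidates(objects=SAMPLE_OBJECTS) -> list:
    """Names of the objects that may appear in a resource ACL."""
    return [o["cn"] for o in objects if is_security_principal(o)]


if __name__ == "__main__":
    for o in SAMPLE_OBJECTS:
        sid = sid_to_string(o["objectSid"]) if "objectSid" in o else "(none)"
        print(f"{o['cn']:15} {sid:45} principal={is_security_principal(o)}")
    print("ACL candidates:", ace_candidates())
```

Run against a real directory, the same functions apply to the raw objectSid bytes an LDAP query returns; the distribution group keeps its SID if it is later converted to a security group, which is why the check looks at groupType rather than at the mere presence of a SID.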
To Kerberos, an Exchange server is just another service. When a client needs to contact an Exchange server, it first requests a service ticket for that server from the key distribution center (KDC), which in a Windows domain is a domain controller. The KDC encrypts the ticket under the Exchange server's long-term key, and the client then presents the ticket to the Exchange server to authenticate.
The Exchange services themselves run under the Local System account, so they authenticate to domain controllers with the server's computer account. Windows manages that account's password automatically and changes it by default every 30 days; the Kerberos key under which the KDC encrypts tickets for the server is derived from it. Exchange Setup adds the server's computer account to the Exchange Domain Servers group, and it is that group, rather than individual computer accounts, that appears in the ACLs of the core Exchange objects.
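The three-step exchange described above, as an added example that is not code from the book or from Windows: a KDC that issues a TGT and then a service ticket sealed under the key of the computer account that registered the SPN, an Exchange server that opens the ticket with its own key, and a client that drives both. The account names, SPNs, passwords and the seal()/unseal() cipher are stand-ins (Windows Server 2003 uses RC4-HMAC or DES encryption types); the second half of demo() shows why the server's key matters, by presenting a ticket issued for one server to another.

```python
"""Model of the Kerberos exchange between an Outlook client, the KDC and an
Exchange server.  Added example, not code from the book or from Windows.
The MAIL1$/MAIL2$ computer accounts, the SPNs, the passwords and the
seal()/unseal() cipher are stand-ins: Windows Server 2003 uses RC4-HMAC or
DES encryption types, and real tickets carry more fields than shown here.
"""
import hashlib
import hmac
import json
import secrets

TICKET_LIFETIME = 10 * 3600  # Windows default: 10 hours
CLOCK_SKEW = 5 * 60          # Windows default: 5 minutes

def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for the Kerberos string-to-key function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))[:length]

def seal(key: bytes, fields: dict) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    plain = json.dumps(fields, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Only the holder of `key` can open the blob; anything else is rejected."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise PermissionError("not sealed under this key (wrong service, forged or tampered)")
    return json.loads(bytes(p ^ s for p, s in zip(body, _keystream(key, nonce, len(body)))))

def check_authenticator(ticket: dict, auth: dict, now: int) -> None:
    """Shared by the KDC (for TGTs) and the service (for service tickets)."""
    if ticket["expires"] < now:
        raise PermissionError("ticket expired")
    if auth["client"] != ticket["client"] or abs(auth["time"] - now) > CLOCK_SKEW:
        raise PermissionError("authenticator does not match ticket or is stale")

class KDC:
    """Domain controller: knows every principal's long-term key and which account registered each SPN."""
    def __init__(self, keys: dict, spns: dict):
        self.keys, self.spns = keys, spns

    def as_exchange(self, client: str, now: int):
        """AS-REQ/AS-REP: issue a TGT (pre-authentication omitted)."""
        session = secrets.token_bytes(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": session, "expires": now + TICKET_LIFETIME})
        return tgt, seal(self.keys[client], {"key": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str, now: int):
        """TGS-REQ/TGS-REP: verify the TGT, then issue a ticket sealed under the key of the SPN's owner."""
        t = unseal(self.keys["krbtgt"], tgt)
        check_authenticator(t, unseal(bytes.fromhex(t["key"]), authenticator), now)
        session = secrets.token_bytes(32).hex()
        ticket = seal(self.keys[self.spns[spn]], {"client": t["client"], "spn": spn,
                                                  "key": session, "expires": now + TICKET_LIFETIME})
        return ticket, seal(bytes.fromhex(t["key"]), {"spn": spn, "key": session})

class ExchangeServer:
    """Exchange services run as Local System, so the Kerberos key comes from the computer account password."""
    def __init__(self, account: str, machine_password: str, spn: str):
        self.key, self.spn = string_to_key(machine_password, account), spn

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> str:
        """AP-REQ: no round trip to the KDC; open the ticket with our own key."""
        t = unseal(self.key, ticket)
        if t["spn"] != self.spn:
            raise PermissionError("ticket issued for a different service")
        check_authenticator(t, unseal(bytes.fromhex(t["key"]), authenticator), now)
        return t["client"]

def client_logon(kdc: KDC, user: str, password: str, spn: str, server: ExchangeServer, now: int) -> str:
    """The client's side: AS exchange, TGS exchange, then AP exchange."""
    tgt, enc = kdc.as_exchange(user, now)
    tgs_key = bytes.fromhex(unseal(string_to_key(password, user), enc)["key"])
    ticket, enc = kdc.tgs_exchange(tgt, seal(tgs_key, {"client": user, "time": now}), spn, now)
    svc_key = bytes.fromhex(unseal(tgs_key, enc)["key"])
    return server.accept(ticket, seal(svc_key, {"client": user, "time": now}), now)

def demo(now: int = 1_700_000_000) -> dict:
    """Constructed domain: one user, two Exchange servers, one KDC."""
    pw = {"alice": "correct horse", "MAIL1$": secrets.token_hex(16), "MAIL2$": secrets.token_hex(16)}
    keys = {name: string_to_key(p, name) for name, p in pw.items()}
    keys["krbtgt"] = secrets.token_bytes(32)
    spn1, spn2 = "exchangeMDB/mail1.corp.example", "exchangeMDB/mail2.corp.example"
    kdc = KDC(keys, {spn1: "MAIL1$", spn2: "MAIL2$"})
    mail1 = ExchangeServer("MAIL1$", pw["MAIL1$"], spn1)
    mail2 = ExchangeServer("MAIL2$", pw["MAIL2$"], spn2)
    result = {"mail1": client_logon(kdc, "alice", pw["alice"], spn1, mail1, now)}
    try:  # a ticket for mail1 presented to mail2 fails: it is not sealed under mail2's key
        result["mail2"] = client_logon(kdc, "alice", pw["alice"], spn1, mail2, now)
    except PermissionError as exc:
        result["mail2"] = f"rejected: {exc}"
    return result

if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that the Exchange server never contacts the KDC during the AP exchange: everything it needs is in the ticket, which it can open only because the KDC and the server derive the same key from the same computer account password. That is also why a duplicate or missing SPN registration breaks Kerberos for Exchange: the KDC seals the ticket under whichever account owns the SPN, and a server holding a different key cannot open it.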
More Info: It is beyond the scope of this book to cover Kerberos authentication in detail. To learn more about Kerberos authentication, what a ticket is, and how this protocol works, consult the “Microsoft Windows 2000 Server Distributed Systems Guide” in the Microsoft Windows 2000 Server Resource Kit (Microsoft Press).
The access control model in Exchange Server 2003 follows that of Windows Server 2003, giving far finer control over Exchange Server 2003 objects than Exchange Server 5.5 offered. Access can be granted or denied at the container level, at the item level, and at the level of an individual property. Exchange Server 2003 objects carry the same kind of security descriptor as NTFS files and Active Directory objects (an owner plus a discretionary ACL of allow and deny entries keyed by SID), and the same access-check rules apply, including that an explicit deny takes precedence over an allow. The effect is that a user sees only what the ACLs permit: if a user has access to only five of the ten items in a public folder, only those five are visible, and a search by a user who lacks read rights on certain items or attributes returns only the results that user is allowed to see.
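The filtering behavior described above, as an added example that is not code from the book or from Windows: an access check that walks an ordered list of allow and deny entries the way the Windows AccessCheck routine does, applied to a constructed public folder whose items inherit the folder ACL unless they carry their own. The SIDs, groups, items and permission bits are made up; the algorithm (a deny on any still-ungranted requested right fails the check, allows accumulate until every requested right is granted) is the Windows one.

```python
"""Access check for public folder items, following the Windows AccessCheck
rules that Exchange Server 2003 ACLs inherit.

Added example, not code from the book or from Windows.  The SIDs, folder,
items and ACEs are constructed; a real token also carries other well-known
SIDs (Authenticated Users, logon session) and the ACL lives in a binary
security descriptor rather than a list of tuples.
"""
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = READ | WRITE | DELETE

DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"        # constructed domain
ALICE, BOB, CAROL = DOMAIN + "-1105", DOMAIN + "-1106", DOMAIN + "-1107"
SALES, MANAGERS = DOMAIN + "-1201", DOMAIN + "-1203"       # security groups
EVERYONE = "S-1-1-0"                                        # well-known SID


def build_token(user_sid: str, security_groups: set) -> set:
    """The SIDs an access check compares against: the user, its security
    groups, and Everyone.  Distribution groups are not security principals,
    so they never contribute a SID here."""
    return {user_sid, EVERYONE, *security_groups}


def access_check(acl: list, token: set, requested: int) -> bool:
    """Walk the ACEs in order (explicit denies first, as Windows orders them).
    An allow ACE grants the bits it carries; a deny ACE that hits any
    requested bit not yet granted fails the check immediately."""
    remaining = requested
    for ace_type, sid, mask in acl:
        if sid not in token:
            continue
        if ace_type == "deny":
            if mask & remaining:
                return False
        elif ace_type == "allow":
            remaining &= ~mask
            if remaining == 0:
                return True
        else:
            raise ValueError(f"unknown ACE type {ace_type!r}")
    return remaining == 0


# Constructed folder: a container ACL plus per-item ACLs (None = inherit the folder's).
FOLDER_ACL = [("allow", SALES, READ | WRITE), ("allow", MANAGERS, FULL)]
ITEMS = {
    "Q3 forecast":   None,
    "Price list":    None,
    "Bonus plan":    [("allow", MANAGERS, FULL)],                        # managers only
    "HR complaint":  [("deny", SALES, FULL), ("allow", MANAGERS, FULL)],  # deny wins even for a manager in Sales
    "Sales kickoff": [("allow", EVERYONE, READ), ("allow", MANAGERS, FULL)],
}


def visible_items(token: set, items=ITEMS, folder_acl=FOLDER_ACL) -> list:
    """Item-level filtering: the user sees only items whose ACL grants READ."""
    return [name for name, acl in items.items()
            if access_check(folder_acl if acl is None else acl, token, READ)]


def search(term: str, token: set) -> list:
    """A search never leaks the titles of items the caller cannot read."""
    return [name for name in visible_items(token) if term.lower() in name.lower()]


if __name__ == "__main__":
    for who, token in [("alice (Sales)", build_token(ALICE, {SALES})),
                       ("bob (Sales, Managers)", build_token(BOB, {SALES, MANAGERS})),
                       ("carol (no groups)", build_token(CAROL, set()))]:
        print(f"{who:24} sees {visible_items(token)}")
```

Bob's case is the one worth noticing: he is a manager, and the item grants managers full control, but the deny for Sales is ordered first and covers READ, so the check stops there. That ordering is what "deny takes precedence" means in practice, and it is why a deny entry on a group is a blunt tool.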
Note: When you migrate public folders from Exchange Server 5.5, its distribution lists become distribution groups, which are not security principals and so cannot hold permissions on a folder. As a result, you might need to implement new security settings. In addition, public folders created in Exchange Server 2003 have a Windows Server 2003 ACL. If such a folder is to be replicated to an Exchange Server 5.5 system, test its access control behavior, since the ACL formats of Windows NT Server 4 and Windows Server 2003 differ.
KMS (Key Management Service, which issues S/MIME keys so that messages can be signed and encrypted end to end) protects at the application layer, whereas IP Security (IPSec) protects at the network layer by authenticating and encrypting IP packets. Neither is a higher level of security than the other; they protect different things. IPSec secures every byte in transit between two hosts, including protocols that do not encrypt on their own, but the data is in the clear again once it reaches the mailbox store; S/MIME protection stays with the message at rest and across every hop, but covers only the message content, not its headers or the transport. In a highly secure environment, IPSec can be used to encrypt traffic from client to server and from server to server, with S/MIME layered on top for the messages themselves. For remote-access virtual private networks, IPSec is commonly paired with the Layer 2 Tunneling Protocol (L2TP/IPSec): L2TP provides the tunnel and IPSec provides authentication and encryption for it. Note that Exchange Server 2003 no longer includes KMS; certificates for S/MIME are issued by Windows Server 2003 Certificate Services instead, although the comparison applies equally to S/MIME with any certificate authority.
With all these different security features available, you’ll need to consider which type of security you would like to implement. Table 25-5 summarizes some of the encryption and authentication methods commonly used today.
Service | Function | Algorithm (key or digest size)
IPSec | Encryption (ESP) | DES (56-bit) or 3DES (168-bit)
IPSec | Integrity (AH or ESP) | HMAC-MD5 (128-bit digest) or HMAC-SHA1 (160-bit digest)
IPSec | Peer authentication (IKE) | Kerberos v5, X.509 certificate, or preshared key
Kerberos | Authentication (ticket encryption) | RC4-HMAC (128-bit) or DES (56-bit)
KMS | Encryption (S/MIME) | DES (56-bit) or 3DES (168-bit)
KMS | Digital signature (S/MIME) | RSA 512-bit
EFS | Encryption | AES (256-bit) by default on Windows Server 2003; DESX (128-bit) and 3DES (168-bit) for compatibility
The sizes are nominal: 3DES with three 56-bit keys gives about 112 bits of effective strength, and single DES, 512-bit RSA and MD5 are no longer considered adequate against a determined attacker. Where a choice exists, prefer 3DES (or AES where available) over DES, SHA-1 over MD5, and longer RSA keys for signing certificates.