Windows Server 2003 System Security


As you know, Exchange Server 2003 is heavily integrated with Windows Server 2003. Since much of the Exchange configuration lies in Active Directory, good Windows Server 2003 security practices are essential for good Exchange security. This section is intended to provide a brief overview of the security features in Windows Server 2003 that Exchange is designed to take advantage of. The integration of Windows Server 2003 and Exchange Server 2003 is covered in detail in Chapter 2, “Microsoft Exchange Architecture,” and Exchange-specific permissions and groups are covered in Chapter 10, “Administration and Maintenance.” You can also learn more about Windows Server 2003 security from your system documentation.

User Accounts and Authentication

Before users or services can access Exchange, they must log on to the Active Directory network by supplying a valid username and password. Windows Server 2003 must then authenticate the logon information, which it does using Kerberos version 5 authentication. Once a user is validated, that user is assigned a token that identifies the user whenever the user attempts to access resources during that logon session.

Each resource on an Active Directory network maintains an Access Control List (ACL), a list of users and groups that are allowed access to the resource and the specific permissions they are assigned. A permission provides specific authorization to perform an action, such as deleting an object.

All objects in Exchange also maintain an ACL that defines the level of access users have to that object. You will grant users permissions on the various Exchange-related objects in Active Directory and in System Manager to create security for your organization. Check out Chapter 10 for details on the permissions available on most Exchange objects and the various administrative roles you can assign.
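The following added example (not from the book) is a simplified Python model of how a logon token is evaluated against an object's ACL. It goes slightly beyond the text by including deny entries, which Windows ACLs also support; the group names, the sample ACL, and the permission bit values are constructed for illustration.

```python
from dataclasses import dataclass

# Permission bits for this model (constructed; not Windows' real access-mask values).
READ, WRITE, DELETE = 1, 2, 4

@dataclass(frozen=True)
class Token:
    """Identity attached to a logon session: the user plus group memberships."""
    user: str
    groups: frozenset

    def principals(self):
        return {self.user} | set(self.groups)

@dataclass(frozen=True)
class Ace:
    """One ACL entry: allow or deny a permission mask for a user or group."""
    allow: bool
    principal: str
    mask: int

def access_check(token, acl, requested):
    """Walk the ACL in order. Access is granted only when every requested bit
    has been allowed before a matching deny entry covers one of them.
    An ACL with no matching allow entries grants nothing."""
    granted = 0
    who = token.principals()
    for ace in acl:
        if ace.principal not in who:
            continue                      # entry is for someone else
        if ace.allow:
            granted |= ace.mask
        elif ace.mask & requested & ~granted:
            return False                  # deny hit a bit not yet granted
        if (granted & requested) == requested:
            return True
    return False

# Constructed sample: ACL on a hypothetical mailbox-store object.
STORE_ACL = [
    Ace(False, "Contractors", DELETE),    # deny entries listed first
    Ace(True, "Exchange Admins", READ | WRITE | DELETE),
    Ace(True, "Help Desk", READ),
]
alice = Token("alice", frozenset({"Exchange Admins"}))
bob = Token("bob", frozenset({"Help Desk"}))
carol = Token("carol", frozenset({"Exchange Admins", "Contractors"}))

if __name__ == "__main__":
    for t in (alice, bob, carol):
        print(t.user, access_check(t, STORE_ACL, READ), access_check(t, STORE_ACL, DELETE))
```

Note that carol is denied the delete permission even though she is an Exchange administrator, because the deny entry for her other group is evaluated first; this is why group membership should be reviewed together with the ACL when auditing permissions.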

Administrative Groups

An administrative group is a collection of Active Directory objects that are grouped together for the purpose of permissions management. Administrative groups are logical, which means that you can design them to fit your needs: geographical boundaries, departmental divisions, different groups of Exchange administrators, or various Exchange functions. For example, one group of Exchange administrators might be responsible for managing the messaging and routing backbone of the organization, another might be responsible for managing public folders, and still another might be responsible for managing connectivity with a legacy messaging system. You could create an administrative group for each that contains only the objects the administrators need. You can find details on using administrative groups in Chapter 8, “Building Administrative and Routing Groups.”

Policies

A policy is a collection of configuration settings that you can apply across any number of objects in the Active Directory at once. Making a change in a policy affects every object that is attached to that policy. System policies affect server objects such as servers, mailbox stores, and public stores, while recipient policies affect objects such as users and groups. Since you can use policies to make changes to such large numbers of objects, they are an important part of Exchange security. You can find detailed coverage of both types of policies in Chapter 10.

Auditing

Auditing is a feature in Windows Server 2003 that logs the actions of users and groups based on certain criteria. For example, a Windows Server 2003 server can audit successful and failed logon attempts or access to certain files. Because Exchange Server 2003 essentially works as a collection of Windows Server 2003 services, you can use auditing to track significant Exchange events, such as mailbox or server access. Auditing is a basic Windows administrative function and as such is not discussed any further in this chapter. You can find a wealth of information on auditing in the Windows Server 2003 Security Guide at www.microsoft.com/technet/security/prodtech/win2003/w2003hg/sgch00.mspx.




MCSA[s]MCSE
ISBN: 735621527
EAN: N/A
Year: 2004
Pages: 160
