Flylib.com

Books Software

 
 
 

Category list


Similar pages

Exchange Server 2003 Client-Level Security Enhancements


Buy on amazon.com >>
Morimoto R. Coca J. Gardinier K.
    << Previous page
    Table of contents
    Next page >>
     <  Day Day Up  >  

    Exchange Server 2003 Client-Level Security Enhancements

    As mentioned earlier, Exchange Server 2003 has many new and improved security features at the client level. At a glance, these features include ”but are not limited to ”the following:

    • Support for MAPI (RPC) over HTTP or HTTPS and can be configured to use either Secure Sockets Layer (SSL) or NTLM-based authentication

    • Support for authentication methods , such as Kerberos and NTLM

    • Antispam features, such as safe and block lists, as well as advanced filtering mechanisms to control the amount of unwanted emails

    • Protection against Web beaconing, which is used by advertisers and spammers to verify email addresses and determine whether emails have been read

    • Attachment-blocking by Exchange Server 2003 before it reaches the intended recipient

    • Rights management support, which prevents unauthorized users from intercepting emails

     <  Day Day Up  >  
     < Day Day Up > 

    Securing Outlook 2003

    Exchange Server 2003 and Microsoft Office 2003 are very well integrated, and the teaming provides a formidable security front. Both new and improved features help provide a safe and reliable messaging environment and are described in the following sections.

    Securely Accessing Exchange over the Internet

    In previous versions of Exchange (and Outlook), Outlook users that needed to connect to Exchange over the Internet needed to establish a VPN connection prior to using Outlook. The only alternative solution was to open all sorts of RPC ports to the Internet or make a few Registry modifications to statically map RPC ports. Either way presents more of a security risk for the Exchange messaging environments than most are willing to afford.

    Now, with Exchange Server 2003 and Outlook 2003, Outlook 2003 users can connect securely over the Internet via an HTTPS proxy connection. This feature reduces the need for VPN solutions and keeps the messaging environment as secure as possible. VPN solutions are still viable and can be used to provide a host of other services for mobile users.

    To enable this type of secure connectivity, do the following:

    1. Within Outlook 2003, select E-mail Accounts from the Tools menu.

    2. Select View or change existing email accounts and then click Next to continue.

    3. Click Change and, on the next screen, click the More Settings button.

    4. Under the Connection tab, check Connect to my Exchange mailbox using HTTP and then click the Exchange Proxy Settings button.

    5. Type the URL. This can be the same URL as the OWA or Outlook Mobile Access (OMA) URL, as shown in Figure 11.4.

      Figure 11.4. Configuring a secure Outlook 2003 connection to Exchange Server 2003 over the Internet.

      graphics/11fig04.gif

    6. Verify that Connect using SSL only is checked. If SSL is not used, the connection will use HTTP and will not be secure.

    7. Optionally, select whether this SSL connection requires mutual authentication. Mutual authentication ensures that both parties (the server and the client) are who they say they are.

    8. Choose whether to use NTLM or Basic proxy authentication (NTLM is the strongest of the two and is used by default). The best practice is to use only NTLM to keep security at its highest.

    9. Click OK when done.

    NOTE

    This feature requires several components before functioning. It requires that the client is running Windows XP Professional with Service Pack 1 or higher and that the server infrastructure is running Windows Server 2003 and Exchange Server 2003 (that is, mailbox, front-end, Global Catalog, and public folder servers).


    TIP

    Outlook 2003 users who will be using RPC over HTTPS as described in this section should be using Cached Exchange mode. Cached Exchange mode optimizes the communications between Exchange Server 2003 and Outlook 2003.


    Encrypting Outlook 2003 and Exchange Server 2003 Communications

    As a MAPI client, Outlook 2003 uses Remote Procedure Calls (RPCs) to communicate with Exchange Server 2003. RPCs are interprocess communications (IPC) mechanisms that, during the transfer of information, can either use or not use encryption. By default, Outlook 2003 does not use encrypted RPC communication. It is important to note that using this form of encryption is different from using RPC over HTTPS as described earlier in the section "Securely Accessing Exchange over the Internet Using Outlook." RPC over HTTPS is still required if the Outlook 2003 client needs to securely communicate over a public network such as the Internet.

    In Figure 11.5, a user or administrator can enable encrypted RPC communication between Outlook 2003 and Exchange Server 2003 by simply checking the box within the Encryption section. To modify this setting, do the following:

    1. In Outlook 2003, click on E-mail Accounts from the Tools menu.

    2. Select View or change existing email accounts and then click Next.

    3. Click the Change button and, on the next window, click the More Settings button.

    4. Select the Security tab and then check Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server.

    5. Click OK to close the window.

    6. Click Next and then Finish when done.

    Figure 11.5. Enabling encrypted RPC communications in a LAN environment.

    graphics/11fig05.gif

    Because encryption requires additional processing overhead, it is important to thoroughly test this feature prior to deploying it in a production environment.

    Authenticating Users

    By default, Outlook 2003 uses the credentials of the user who is logged onto the local computer to access the Outlook 2003 profile and mailbox. It first tries to use Kerberos for the authentication process and then NT LAN Manager (NTLM). Administrators can also set Outlook 2003 to use Kerberos Password Authentication or NTLM solely, as illustrated in Figure 11.6.

    Figure 11.6. Configuring authentication options for Outlook 2003.

    graphics/11fig06.gif

    TIP

    For stronger security, use Kerberos-only authentication. Use the Kerberos/NTLM or the NTLM options only for backward compatibility with older systems. Kerberos provides encryption of a user's credentials when communicating with Active Directory for authentication.


    Although the default setting is a secure method of authenticating users, some users might still be prone to leave their computers unattended and therefore leave open the opportunity for someone to gain unauthorized access to the user's email. For instance, a user leaves to run an errand and forgets to lock the computer or log off. Someone in the office can then simply open Outlook 2003 and have full access to the user's mailbox.

    Many organizations do not necessarily think that this is either a high security risk or the organization's responsibility but Outlook 2003 can be configured nonetheless to mitigate the chances of this occurring. Outlook 2003 can be configured to always prompt for the user's username and password before accessing the mailbox on Exchange Server 2003. To increase this level of security, do the following:

    1. Within Outlook 2003, select E-mail Accounts from the Tools menu and then select View or change existing email accounts. Click Next to continue.

    2. Click the Change button and, in the next window, click More Settings.

    3. Go to the Security tab and then in the User identification section, check Always prompt for username and password.

    Blocking Attachments

    A common and often effective way for viruses and malicious scripts to spread is through email. When a user receives a message with an attachment, all the user needs to do is to try opening the virus for the virus to infect the computer.

    As a result of this threat, Microsoft has incorporated attachment blocking in Outlook, and Outlook Web Access (OWA), to help prevent such infections. By default, Outlook does not block attachments with common Microsoft Office file formatssuch as .doc, .xls, and .pptbut it does block executablessuch as .exe, .bat, and .vbs files. It is important to note that the common Microsoft Office file attachments that are not blocked by default can contain viruses. However, using an antivirus on the client computer can significantly reduce the chances of these types of attachments causing any harm.

    Outlook does not provide any way for the end-user to unblock these attachments. If files with these file formats need to be shared, users must rename the file, zip the files in question, or place the files on a network share.

    NOTE

    If an Outlook 2003 user tries sending an attachment that is blocked by default, a warning message is displayed informing the user that the attachment may be unsafe and recipients using Outlook 2003 may not be able to open the attachment. It then asks the user if the attachment should be sent anyway.


     < Day Day Up > 

    Buy on amazon.com >>
    Morimoto R. Coca J. Gardinier K.
      << Previous page
      Table of contents
      Next page >>

      Similar products

      Similar products

       
      flylib.com © Copyright 2008-2013. All Rights Reserved.
      if you may any questions please contact us: flylib@qtcs.net
      Privacy policy