List of Figures


Chapter 2: Security Protocols and Algorithms

Figure 2-1: Encrypting data with a block cipher produces a ciphertext block.
Figure 2-2: Some of the attributes for a digital certificate.
Figure 2-3: Public-key encryption in action.
Figure 2-4: The digital signature process.
Figure 2-5: The AH data follows the IPv4 packet header; the AH signature is calculated on the IPv4 header and the datagram's payload.
Figure 2-6: IPSec transport vs. tunnel mode.
Figure 2-7: In one mode of IPSec, AH is used to sign the entire packet, but only a portion of it is protected by ESP.
Figure 2-8: Outlook's Change Security Settings dialog box lets you specify which algorithms should be used for an S/MIME message.

Chapter 3: Windows and Exchange Security Architecture

Figure 3-1: The Exchange Administration Delegation Wizard is boring but useful.

Chapter 6: Windows Server Security Basics

Figure 6-1: This machine came out looking like a winner after its MBSA scan.
Figure 6-2: If you have good security settings in Internet Explorer, you'll be notified whenever a signed ActiveX component or .cab file is downloaded.
Figure 6-3: The MBSA scanning interface is very straightforward.
Figure 6-4: The SUS server pulls data from Windows Update and makes it available on your intranet, subject to the policies you define.
Figure 6-5: Be sure you select the appropriate template, or Exchange will abruptly stop working properly.
Figure 6-6: The Additional Security page. Make sure the Disable Web Distributed Authoring And Versioning (WebDAV) check box is cleared.
Figure 6-7: Apply the correct policies to each OU.

Chapter 7: Installing Exchange with Security in Mind

Figure 7-1: Use the Delegation of Control Wizard to give your account managers the needed permissions.
Figure 7-2: The Permissions page of the Delegation of Control Wizard is where you specify which individual properties or property sets are being delegated.
Figure 7-3: Delegate Exchange permissions by selecting the group you want to delegate to and the role that the group should have.
Figure 7-4: Edit the ACE added by the Delegation of Control Wizard to deny access to sensitive properties.
Figure 7-5: Add more restrictive ACEs on your Exchange installation directory.

Chapter 8: SMTP Relaying and Spam Control

Figure 8-1: A simple routed SMTP environment.
Figure 8-2: The Access tab of the SMTP virtual server Properties dialog box.
Figure 8-3: The SMTP virtual server evaluates the connection control settings before accepting messages for delivery. See Figure 8-10 for a description of how connection, sender, and recipient filters are applied.
Figure 8-4: Setting authentication properties on the SMTP virtual server is one way to control who can relay through it.
Figure 8-5: You can also assign permissions to control who can submit and relay mail through your servers.
Figure 8-6: Block or allow SMTP connections by specifying IP addresses in the Connection dialog box.
Figure 8-7: Use the Computer dialog box to specify IP addresses, ranges, or DNS domains that you want to block.
Figure 8-8: The Relay Restrictions dialog box lets you specify who can and who cannot relay through your server.
Figure 8-9: The Delivery Restrictions tab lets you control which users can use an SMTP connector.
Figure 8-10: The filter application process.
Figure 8-11: Recipient filtering allows you to block mail to specified addresses within your domain.
Figure 8-12: Block senders or domains with the Sender Filtering tab of the Message Delivery Properties dialog box.
Figure 8-13: The Connection Filtering tab lets you specify which DNSBLs your Exchange server should use.
Figure 8-14: You must turn on filter evaluation on individual SMTP virtual servers.

Chapter 9: Content Control, Monitoring, and Filtering

Figure 9-1: Turning on journaling allows you to see copies of all messages sent from or to mailboxes in the specified message store.
Figure 9-2: Add Send As and Receive As permissions to the mailbox.
Figure 9-3: You can search for messages by a variety of fields.
Figure 9-4: Use the Source Server page to select which mailbox server you want to scan.
Figure 9-5: The Message Details tab gives you the ability to scan by subject line or attachment name.

Chapter 11: Securing Internet Communications

Figure 11-1: Name your certificate and select a key length of at least 1024 bits.
Figure 11-2: Select an online CA to send your request directly to it.
Figure 11-3: The Welcome page for the Windows Certificate Services CA.
Figure 11-4: To issue a certificate for a virtual server, select the Advanced Request option.
Figure 11-5: Paste your certificate request file into the Saved Request text box and click Submit.
Figure 11-6: Download the new certificate to finish installing it.
Figure 11-7: Turning on outbound TLS only requires selecting one check box.
Figure 11-8: You can turn on regular or extra-strength TLS for inbound connections.
Figure 11-9: A simple filter list: protect all traffic to port 80 on other machines.
Figure 11-10: Policies, rules, and filters nest together.
Figure 11-11: The Authentication Method page lets you choose among the IPSec authenticators that Windows supports.
Figure 11-12: Choose the source and destination ports you want to apply.
Figure 11-13: Select the newly created filter list to make it part of the rule you're creating.
Figure 11-14: Actions can allow or deny non-IPSec traffic that matches the filter rule.
Figure 11-15: You can select a custom set of algorithms and Quick Mode IKE settings for each rule.
Figure 11-16: All of the filter action settings are located in the New Filter Action Properties dialog box.
Figure 11-17: Pick the mail protocols that you want to publish.
Figure 11-18: RPC tunneling versus pure RPC connectivity.

Chapter 12: Secure E-Mail

Figure 12-1: A hierarchy is possible with just two entries. Your hierarchy begins when you bring up the first CA, which becomes the root for your hierarchy.
Figure 12-2: Longer keys are used when additional security is needed. These longer certificates can also have a longer lifetime or validity period because the keys are harder to break.
Figure 12-3: The KMS administrator can edit the properties of this entry to enroll, recover, and revoke the e-mail certificate of the selected user.
Figure 12-4: The information you provide here will be signed into the CA certificate, so don't misspell anything.
Figure 12-5: Users can request certificates themselves by using the Web enrollment application.
Figure 12-6: Using the Certification Authority console, the administrator can select the Pending Requests option from the left pane, and right-click a specific request to issue or deny.
Figure 12-7: The KMS lets you set preferred algorithms for downlevel and S/MIME clients.
Figure 12-8: If your KMS certificate is invalid, you won't be able to use KMS.
Figure 12-9: Use the Passwords tab to specify how many people must concur before revoking or recovering users' certificates.
Figure 12-10: You can enroll, recover, or revoke users from their Properties dialog boxes in Active Directory Users and Computers.
Figure 12-11: Specify where to back up the CA data.

Chapter 13: Securing Outlook

Figure 13-1: Blocked attachments are still in the store, but users can't access them through Outlook.
Figure 13-2: The Outlook Security Settings tab gives you control over how Outlook handles attachments.
Figure 13-3: Control programs' access to the Outlook object model and address book with the Programmatic Settings tab.
Figure 13-4: The Connection tab has the key check box for enabling RPC over HTTP.
Figure 13-5: The Exchange Proxy Settings dialog box.
Figure 13-6: Pick the certificate source you want to use for your request.
Figure 13-7: You can use Outlook's import/export feature to move or copy your certificates between machines, but be careful not to unnecessarily expose them to compromise.
Figure 13-8: Use the Encrypted E-Mail control group on the Options dialog box Security tab to control Outlook's S/MIME behavior.
Figure 13-9: Create groups of security settings for use with different certificates or recipients.
Figure 13-10: To sign or encrypt a message, just select the check boxes that correspond to the desired security features.
Figure 13-11: Outlook complains if it cannot find a recipient certificate.
Figure 13-12: Protected messages are flagged when you create them.
Figure 13-13: Recipients who aren't using Outlook 2003 or Outlook Web Access 2003 with Internet Explorer 6.0 and the Rights Management add-in won't be able to read the message.
Figure 13-14: The Junk E-Mail Options dialog box.
Figure 13-15: Outlook 2003 doesn't display inline images by default.
Figure 13-16: Changing picture download settings.

Chapter 14: Securing Outlook Web Access

Figure 14-1: The authentication dialog box appears when you're using basic authentication, when integrated authentication fails and the browser needs your credentials to try again, or when you've set specific access control lists on the requested Web directory.
Figure 14-2: The Delegation tab of the computer Properties dialog box is where you can apply the delegation settings you want to use.
Figure 14-3: The Authentication Methods dialog box lets you specify which authentication methods you want your Outlook Web Access server to accept.
Figure 14-4: Enabling FBA is simple once you've satisfied the prerequisites.
Figure 14-5: The IIS Error Mapping Properties dialog box lets you provide customized messages for specific errors.
Figure 14-6: Using ISA as a reverse proxy.
Figure 14-7: The simplest configuration is to place Outlook Web Access behind a single firewall.
Figure 14-8: A perimeter network offers better security than a single-firewall configuration.
Figure 14-9: Use the Rules tab to create a new rule to protect port 80 FE/BE traffic.
Figure 14-10: The IP Filter List dialog box lists the current filters associated with a filter list; the filter list belongs to a policy.
Figure 14-11: The Destination Sets page of the ISA Management snap-in.
Figure 14-12: Create a destination in the destination set for the /Exchange virtual directory.
Figure 14-13: Include each Outlook Web Access virtual directory in your destination set.

Chapter 15: Securing POP and IMAP

Figure 15-1: You can enable basic or SASL-based authentication separately for each POP or IMAP virtual server.
Figure 15-2: You can specify which SASL mechanisms can be used and how they're ordered.
Figure 15-3: Turning on SSL is easy, but remember that it might break your wireless clients.
Figure 15-4: Configure Outlook to use SSL for IMAP, SMTP, or both.

Chapter 16: Securing Mobile Exchange Access

Figure 16-1: You can separately enable or disable EAS and OMA in the Mobile Services Properties dialog box.
Figure 16-2: Control individual users' mobile access with Active Directory Users and Computers.

Chapter 18: Security Logging

Figure 18-1: You can view local security settings.
Figure 18-2: Change the audit policy using the Local Security Policy Setting dialog box.
Figure 18-3: Edit a domain's group policy in the policy's Properties dialog box.
Figure 18-4: Change audit options for a domain in the Group Policy dialog box.
Figure 18-5: Change the security policy setting using the Security Policy Setting dialog box.
Figure 18-6: Set access control settings in the Access Control Settings dialog box.
Figure 18-7: Set entries to log in the Auditing Entry dialog box.
Figure 18-8: The EventCombMT application is shown at startup.
Figure 18-9: The EventCombMT application is shown for the preceding example.



Secure Messaging with Microsoft Exchange Server 2003
Secure Messaging with Microsoft® Exchange Server 2003 (Pro-Other)
ISBN: 0735619905
EAN: 2147483647
Year: 2004
Pages: 189
