Recipe 10.6. Setting Up S/MIME in Outlook

Problem

You want to enroll a user so she can use S/MIME with Exchange Server 2003.

Solution

Using a graphical user interface to set up S/MIME in Outlook

1. Install or gain access to a certificate authority (CA) that can issue certificates to your users. Chapter 6 of the Exchange Server 2003 Message Security Guide covers this process in detail, as does the Windows Certificate Services documentation included with both Windows 2000 and Windows Server 2003.

2. Log on to the computer on which you want to enroll in advanced security.

3. Launch Outlook using the profile for which you want to request a certificate.

4. Request a certificate from your CA. For Windows Certificate Services installations:

   a. Open a browser window and go to http://<CAServerName>/certsrv.

   b. Click Request a certificate.

   c. Click User certificate.

   d. Click Submit. If Internet Explorer prompts you to confirm your request, click Yes.

   e. Depending on how the CA is configured, your request may be automatically approved, or an administrator may have to approve it. If the request is automatically approved, you'll see a link labeled Install this certificate. Click it. If Internet Explorer prompts you to confirm that you want to add this certificate to the local computer, click Yes.
5. Switch to Outlook. From the menu, select Tools → Options. The Options dialog will appear.

6. Click the Security tab and click the Settings button. The Change Security Settings dialog will appear as shown in Figure 10-2.

7. Use the Choose buttons in the Certificates and Algorithms section to choose the certificates you want to use for signing and encryption, and click OK.

8. Click OK.

Figure 10-2. The Change Security Settings dialog from Outlook 2003

Using a graphical user interface to set up S/MIME in Outlook Web Access 2003

1. Log on to the machine where you want to set up OWA 2003. To use the S/MIME ActiveX control, you'll need to be on a Windows 2000 or later computer with ActiveX enabled for the domain in which the Exchange server is located.

2. Use Internet Explorer to log in to OWA 2003.

3. Click the Options link on the left navigation bar.

   Note: Windows XP Service Pack 2 makes some significant changes to how OWA works. First, you'll need to tell Internet Explorer to allow pop-ups from your OWA server, or you won't see any calendar reminders, and a number of other features (including many of the shortcut menu commands and the Attachments dialog box) will fail. SP2 also makes some changes to how ActiveX controls are hosted, displayed, and executed; these changes may require you to add a hotfix to your Exchange servers if you wish to use OWA with the S/MIME control on Windows XP SP2 clients. See MS KB 883543 for more details.
4. Scroll down to the E-mail Security options group. If you see the Download button, click it to download the S/MIME control to the computer you're using. Doing so will cause IE to display a pair of security warning dialogs; accept the warnings and allow the download to continue. Once the control has been downloaded, run the resulting executable to install the S/MIME control.

5. Once the control has been installed, the E-mail Security options group will contain checkboxes that let you specify whether new messages should be signed or encrypted by default.

6. When you create a new message, notice that there are two additional tool icons on the toolbar: one for encrypting and one for signing. These icons won't work unless and until you install a certificate for the logged-in user, using whatever tools are appropriate for your CA.

Discussion

S/MIME complements other methods of protecting Exchange email, because it alone provides end-to-end protection for the message from the time it's sent until the recipient decrypts it. This protection includes protection against tampering and eavesdropping in transit and while the message is stored. In contrast, IPsec only provides protection for the message while it's in transit between servers. However, the implementation footprint of S/MIME is pretty large: you have to have a CA that can issue certificates to your users, and you have to configure individual clients accordingly. This recipe deals only with the latter problem, and then only for the two most prevalent Exchange 2000 and Exchange Server 2003 clients. Table 10-1 shows some common clients and the degree to which they support S/MIME.

Table 10-1. Supported S/MIME clients for Exchange 2000 and Exchange Server 2003

| Client name | Access method | Signed? | Encrypted? | Notes |
|---|---|---|---|---|
| Outlook | MAPI | Yes | Yes | Outlook 2000 SR-1 and later support S/MIME Version 3. |
| Outlook Web Access 2000 | WebDAV | No | No | Can view clear-signed messages; can't create encrypted or signed messages. |
| Outlook Web Access 2003 | WebDAV | Yes | Yes | Requires that the S/MIME ActiveX control be present; requires the user certificate to be present on the OWA client machine, making this impractical without use of smartcards or other tokens. Not supported in "basic" OWA mode. |
| Outlook Express | POP, IMAP | Yes | Yes | |
| Outlook Mobile Access | WebDAV | Clear only | No | OMA can read clear-signed messages only. |
| Exchange ActiveSync | WebDAV | Clear only | No | EAS can read clear-signed messages only. |
| Entourage 2004 | IMAP, POP, WebDAV | Yes | Yes | |
| Entourage X | IMAP, POP | No | No | |
| Generic POP clients | POP | ? | ? | Eudora, Thunderbird, and others support S/MIME, but not all clients do. |
| Generic IMAP clients | IMAP | ? | ? | Eudora, Thunderbird, and others support S/MIME, but not all clients do. |
See Also

Chapters 3 through 7 of the Exchange Server 2003 Message Security Guide; "The Windows Server 2003 PKI" chapter of the Designing and Deploying Directory and Security Services Guide (http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide); Microsoft Windows Server 2003 PKI and Certificate Security (Microsoft Press); Chapter 9 of Securing Windows Server 2003 (O'Reilly); Chapters 11 and 13 of Secure Messaging with Exchange Server 2003 (Microsoft Press); MS KB 883575 (Description of the known issues with using Outlook Web Access on a Windows XP SP2-based computer); and MS KB 883543 (The S/MIME control does not load in OWA when you are running the Exchange Server 2003 OWA client on a Windows XP Service Pack 2-based computer).