Improvements in Exchange 2003 Security


Security has been on the minds of most organizations, and very much so for the employees at Microsoft, which went through several secured computing initiative steps to improve the security of all its products. After designing Exchange 2003, Microsoft tested its application code repeatedly for security; Microsoft also integrated several security technologies either already present in Windows 2000 or new to Windows 2003 and Exchange 2003.

Establishing Security Between Front-end and Back-end Servers

All future products from Microsoft will include IP Security (IPSec) as an intra-domain/intra-forest secured communication standard. Rather than leaving the security between Exchange front-end and back-end servers to simple server-to-server communications, Microsoft now provides IPSec encryption between front-end and back-end servers.

By integrating IPSec's 168-bit encryption between servers, the security and integrity of information between servers in an Exchange forest is ensured. Security used to look at just external breaches, such as a hacker taking control of servers connected to the Internet. However, with privacy of information (and legislation requiring security of personal information, healthcare patient information, or financial services data), organizations are leveraging the industry standard IPSec for server-to-server security even inside the firewall.

Chapter 13 covers IPSec security, along with securing internal and external Exchange servers.

Creating Cross-Forest Kerberos Authentication

Besides replicating directory information between forests, Windows 2003 provides the capability of creating cross-forest trusts and establishing cross-forest Kerberos authentication. Cross-forest Kerberos authentication provides the ability for an organization to share messages and attachments with trust-level security, which enhances secured communications.

You'll find more information on cross-forest Kerberos authentication in Chapter 5, "Designing an Enterprise Exchange Server 2003 Environment."

Restricting Distribution Lists to Authenticated Users

A minor function, but something that is a major enhancement for improved secured messaging interaction, is the ability to restrict distribution lists to authenticated users. With previous versions of Exchange, anyone could send an email to a distribution list if he knew the SMTP address name for the list. Although there were ways of blocking the ability for external access to distribution list message distribution, it was an all-or-nothing action.

With Exchange 2003, the Exchange administrator now has the ability to restrict distribution lists to authenticated users. An authenticated user in Exchange 2003 is someone who successfully logs on to an authorized domain or forest. With the implementation of authenticated user access to distribution lists, security is improved. Chapter 18 explores distribution lists.

Using Safe and Blocked Lists

Unwanted emails, or spam, account for over 30% of all emails transmitted over the Internet, and for some organizations, spam has extended beyond being a nuisance for users to delete. With inappropriate or undesired spam messages flashing pictures and displaying obscenities on screens of employees, spam has become a human resource issue. Exchange 2003 includes the ability to create lists for safe and blocked addresses, as shown in Figure 1.9, enabling Exchange administrators to control message flow. Although using safe and blocked lists is just a small step toward creating a spam-free environment, it is an effective method of implementing a more secure messaging environment.

Figure 1.9. Safe and blocked lists in Exchange 2003.


Chapter 12 presents details on safe and blocked list functionality.

Filtering of Inbound Recipients Functionality

Filtering inbound recipients is a new feature built in to Exchange 2003. By being able to filter for inbound recipients, an organization can extend the restriction of desired or undesired message communications. The inbound recipient filter is covered in Chapter 12.

Blocking Attachments in Outlook Web Access (OWA)

Attachments in Outlook Web Access pose a threat for the distribution of viruses and message beaconing, which is a method spammers use to identify qualified email addresses. Outlook Web Access in Exchange 2003 provides the ability for the Exchange administrator to block attachments, thus minimizing the risk of spreading viruses and of spammers learning which email addresses are valid. Chapter 12 covers attachment blocking in detail.

Supporting S/MIME for OWA Attachments

Included as part of the security functions built in to Exchange 2003 is the ability for organizations to send and receive attachments using S/MIME encryption. With previous versions of Exchange, in order to support certificates that enabled attachment encryption, the organization had to use the full Outlook client. With Exchange 2003, however, the Outlook Web Access client now supports S/MIME attachments, thus providing the capability of securely communicating between email users. Chapter 13 explores S/MIME attachments in OWA.



Microsoft Exchange Server 2003 Unleashed
Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
EAN: 2147483647
Year: 2003
Pages: 393
Authors: Rand Morimoto
