A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright 2003 by Paul Robichaux
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.
Library of Congress Cataloging-in-Publication Data
Robichaux, Paul E.
Secure Messaging with Microsoft Exchange 2000 / Paul Robichaux.
1. Microsoft Exchange server. 2. Client/server computing. 3. Electronic mail messages—Security measures. I. Title.
QA76.9.C55 R628 2003
Printed and bound in the United States of America.
1 2 3 4 5 6 7 8 9 QWE 8 7 6 5 4 3
Distributed in Canada by H.B. Fenn and Company Ltd.
A CIP catalogue record for this book is available from the British Library.
Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to email@example.com.
Hotmail, Microsoft, Microsoft Press, MS-DOS, MSN, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Body Part No. X09-35330
To my maternal grandparents, with much love.
I’ve written more than a dozen books, and I can easily say that I received the most help on this one. Ordinarily, books like this have one or two technical editors, assigned by the publisher. I was fortunate to have Tony Northrup as the TE for this book; he did a terrific job of catching my mistakes before they made it to your hands, and I claim responsibility for any remaining errors. However, messaging security is such an important subject that I wanted to get feedback from a broader community, so I solicited a group of almost 30 reviewers from Microsoft, industry, and academia.
First, the Microsoft folks: a terrific group of Microsoft product managers, developers, and support personnel volunteered their time to review the book as I was writing it—right smack in the middle of their preparations for the release of Windows .NET Server 2003 and Exchange Titanium! Their feedback was invaluable, and I very much appreciate their assistance. Thanks to David Cross, program manager for Windows Security; Eric Fitzgerald; Michael Howard, Senior Program Manager for the Secure Windows Initiative and author of the excellent Writing Secure Code; KC Lemson, Program Manager, Microsoft Exchange Server; Scott Landry, Will Martin, and Al Mulnick from Microsoft Consulting Services; Ryan J. Phillips; Lara Sosnosky; Amy Styers; and Jeff Williams, Security Operations Consultant for MCS.
It would be remiss of me not to thank the many other Microsoft employees—way too many to name here—who answered my questions and shared research with me on Microsoft’s internal discussion groups. Special thanks go to Joe Murray of Microsoft Consulting Services, who provided the sample form-based authentication code presented in Chapter 14, and Chris Aschauer, who shared a draft of the IPsec chapter of the Windows .NET Server 2003 deployment guide with me.
Computer-security expert and serial book reviewer Robert Slade provided invaluable assistance on security practices, policies, and principles, making sure that my terminology conforms to the standards used by information-security professionals. Noted Outlook expert Sue Mosher reviewed Chapter 13 for me; Exchange veterans Andy Webb, Missy Koslosky, Stephen Bell, Tom Meunier, Alberto Boczar, Daniel Chenault, Andy David, Bernd Kruczek, John Matteson, and Don Ely all provided feedback on various chapters; my special thanks go to them for their efforts in making sure that what I wrote was clear as well as accurate. Tom Shinder, author of ISA Server and Beyond, reviewed the ISA-related material in Chapter 11 and Chapter 14 and made a number of helpful suggestions.
I got some help in the writing department, too. Paxton Sanders contributed the chapter on security auditing; Steve Bryant of ProExchange weighed in with the excellent Chapter 12, covering Exchange and Windows public-key infrastructure support.
At Microsoft Press, a talented staff of editors turned my initial manuscript into the completed product you see here. They were a great group to work with, and their efforts improved my writing a great deal! Thanks to Valerie Woolley, my lead editor; Teresa Horton, an extremely able copy editor; and Julie Nahil, my project editor. Jeff Koch was the acquisitions editor who enthusiastically answered my initial proposal and helped me refine it to its present form. Thanks to you all.
Finally, it would be grossly unfair not to thank my wife Arlene and our sons for their love and support. During the production of this book, they were patient with my frequent absences, and working as a team we successfully picked up stakes and moved 500 miles smack in the middle of the book’s schedule. They handled it with aplomb, and my eternal love and thanks go to them.
About the Author
Paul Robichaux is a system administrator and messaging architect who has written about and taught Microsoft Exchange Server messaging. He has also helped validate Exchange Server enterprise deployments for security, storage management, and scalability, and has developed Exchange-related products for a number of major software vendors. He frequently speaks at Microsoft conferences, including TechEd and MEC (Microsoft Exchange Conference), and he writes monthly columns about Exchange for Windows & .NET Magazine and Exchange & Outlook Administrator.
Paxton Sanders is a software engineer with CG, Inc. developing scene generation and visualization software for the U.S. Army Missile Command. He has a BS in mathematics and is currently enrolled in his last course for an MS in computer science. His one true joy is his young son, Coye.
Steve has spent the last several years designing and securing Exchange and Active Directory environments. He leads the Active Directory and Exchange infrastructure teams for Pro Exchange and has designed, reviewed and secured networks for many of the large Exchange and Active Directory deployments in the United States.
Over the last few years Microsoft Consulting Services has regularly contracted Steve for various high-end consulting engagements in the US, including hosted Exchange 2000 environments and 26,000+ seat accounts that span many countries. In addition, Steve is regularly called on to assist with the planning and technologies involved in migrating Lotus Notes environments to Microsoft Exchange. Steve recently finished writing Secure Connected Infrastructure courseware for Microsoft that will be distributed to Microsoft Partners.
Steve spoke on Exchange deployments at TechEd 99 and helped create and deliver the Exchange 2000 labs at TechEd 2000 in Orlando and Amsterdam, the 2001 MEC in Orlando, and the security labs at Fusion in 2002. He is the editor of and a regular contributor to http://www.outlookexchange.com, an online resource for Exchange administrators and system designers, as well as an author for Exchange & Outlook Magazine and .NET Magazine.
Antique Keys A key is a small, shaped cut of metal that is used to move or release a bolt or catch in a lock—a mechanical device used for securing doors, chests, lids, and the like. The earliest lock in existence is an Egyptian lock made of wood, found with its key in the ruins of Nineveh, in ancient Assyria. In construction it is the prototype of the modern cylinder lock. Locks and keys are also mentioned in the Old Testament, and the Greeks and Romans used locks of simple design. Medieval artisans designed locks of exquisite detail, the perforations and carvings often having no relation to the working of the lock.*
At Microsoft Press, we use tools to illustrate our books for software developers and IT professionals. Tools very simply and powerfully symbolize human inventiveness. They’re a metaphor for people extending their capabilities, precision, and reach. From simple calipers and pliers to digital micrometers and lasers, these stylized illustrations give each book a visual identity, and a personality to the series. With tools and knowledge, there’s no limit to creativity and innovation. Our tagline says it all: the tools you need to put technology to work.
The manuscript for this book was prepared and submitted to Microsoft Press in electronic form. Pages were composed by Microsoft Press using Adobe FrameMaker+SGML for Windows, with text in Sabon and display type in ITC Franklin Gothic. Composed pages were delivered to the printer as electronic pre-press files.
Interior Graphic Designer
Interior Graphic Artist