Safe Messaging with Exchange -- Microsoft Certified Professional Magazine Online

You know in the back of your mind that not every message you send or receive is absolutely safe. Isn’t it time you figured out how to protect your enterprise e-mail system?

Safe Messaging with Exchange

You know in the back of your mind that not every message you send or receive is absolutely safe. Isnt it time you figured out how to protect your enterprise e-mail system?

By Roberta Bragg
03/01/1999

We live dangerously. No, I’m not talking about that ride through commuter traffic or your quest for a Furby. I’m talking about the e-mail that we so casually send to our bosses, co-workers, friends, and sweethearts. While we’ve given plenty of attention to e-commerce and whether or not it’s safe to purchase products over the Internet, most people have given little thought to the messages they so blithely send across cyberspace. Who’s reading your e-mail today? When you open that holiday attachment from Aunt Sue, are you going to bring down the corporate network? Are you going to be able to send that important contract, proposal, or critical information, or will you get the dreaded “message rejected” message from somebody’s mail server?

The answer may be maybe. Much depends on the use of a securable messaging server—yes, like Microsoft Exchange Server. Like most messaging servers Exchange has multiple security features built in to ensure safe messaging. But these features require configuration and understanding by messaging administrators, installers, and users in order to protect both the server and message store as well as the transport of your messages from server to server and server to client. Let’s look at four areas of concern to better understand how to protect ourselves.

Ensuring the security and availability of the messaging server.
Ensuring that messages on the server can be accessed only by approved mailbox users.
Ensuring that the message reaches the intended recipient, untouched and unintercepted.
Ensuring received messages and attachments pose no threat.

Securing the Messaging Server

Exchange has many features that can protect the server and its messaging store. Its security is tightly integrated with NT Server where it’s installed. Mailboxes can be accessed only by authenticated users who have been given permission. Administration of the mail server is hierarchical and granular. You can split the administrative burden while maintaining control. You can secure messages between users and organizations by using certificates and certificate trust lists. Unsolicited Commercial E-mail (UCE) or spam can be controlled by message turfing, or the deletion of mail from specified domains and the control of who uses the Internet Mail Service (IMS) for mail relaying.

In order for all security features to work, you must first lay a groundwork, then plan and implement your installation with security in mind. Likewise, you have to make sure that users and administrators are trained and that you practice continued vigilance.

To ensure the security of the messaging server, follow these 14 recommendations.

1. Secure NT Server before your installation. Follow recommended security advice to harden and protect the server. (I covered this in the October issue.) Weigh carefully whether you should apply service packs and hot fixes. Service packs are sometimes necessary for certain features. Hot fixes may prevent problems, such as those that protect you against attacks or correct known bugs. Others should only be applied if you’re experiencing the problem they’re designed to fix. (Microsoft doesn’t guarantee that hot fixes are regression tested.) Consult Microsoft’s online advice and make decisions based on this and your particular system. Continually monitor security sites such as www.microsoft.com/security for new information.

2. Plan the Exchange installation. Most of the actual process is point and click. However, like many unplanned, serendipitous excursions, this casual approach can lead to disaster. In addition to the issues regarding how many servers you need, what naming conventions to use, what your hardware specification should be, how much bandwidth you’ll require, and other generic brouhaha, you need to plan your security strategies. Will Internet e-mail be allowed, or are you limiting it to leased-line access and/or local access? Will clients need access via browsers to their e-mail boxes? Who will administer which servers and which parts of those servers? Will encryption of messages and/or digital signing be necessary? How will this be accomplished—through Exchange Server’s Key Management Server, Internet Information Server 4.0 Certificate Server, or through a certificate service such as VeriSign, Inc.’s?

3. Create and use a special service account for the implementation of Exchange. Don’t use the built-in Administrator account or the account used to install Exchange. This account doesn’t have to be a member of the Domain Admins or local Administrators groups. (But it does have to be trusted by any other domains that Exchange servers might be installed in.) This account will be used by Exchange services to communicate internally as well as with other Exchange servers and connectors. By using a special account, you’re limiting the vulnerability of your network and the Exchange server should the service account be compromised. Hackers don’t obtain administrative privileges on the server or in the domain by hacking the service account.

4. Understand the Exchange Server hierarchy. At the top level is the Organization. The Organization is composed of Sites (logical groups of Exchange servers that can communicate via Remote Procedure Calls (RPC)). Each Site may have multiple servers.

5. Understand and plan the administration of Exchange. Administration of Exchange Server is granular by design. NT administrators don’t have to be Exchange Server administrators. Exchange Server administrators can be given limited permissions on various servers as well as on different layers of the server architecture.

6. Understand permissions in Exchange. Permissions are hierarchical and can be inherited. Permissions granted at the Organization and Site levels are inherited elsewhere in the organization. Make sure permissions for remote administrators affect only their local servers. Be sure everyone understands the implications of the permission they’re granting. An improperly designed and granted permission strategy can undo any security implementation. See “A Horror Story” for proof.

7. Understand how Exchange Server works. You need two things to accomplish Exchange Server administration: a knowledge of how it works and familiarity with its 1,001 property pages (in order to know where to place the change to make it work). To ensure security of the server, administrators not only need to know what to do, but where to do it.

8. Evaluate, plan, and implement the level of security you believe you need. Exchange Server has built-in security features. Users are limited to accessing their own mailbox. Unlike with shared messaging file systems, you don’t need to share the entire messaging store or give read and write access to all users. Messages get stored in a database structure; access to them is limited to mailbox owners and those granted access by owners or administrators. Exchange Server communicates via connectors. Exchange servers in the same site are automatically connected. To connect sites, connectors have to be installed and/or configured, and some connectors can be configured to limit access. Specific gateways or connectors have to be configured to link with disparate mail systems, such as cc:Mail or Lotus Domino. This configuration also needs to include the sharing of passwords with connectors on other mail systems.

9. Decide on and implement the best location for your enterprise. Place the messaging server outside of the corporate firewall with other “outer-ring” servers. Or keep the Exchange Server inside the firewall and configure the IMS to route mail to and from the outside. The approach you use will depend on the size of your enterprise, your budget, and your risk assessment. A properly configured Exchange server has many firewall-like features. For example, communication between the outside world and the internal network isn’t direct but consists of communications (messages) left on the server and retrieved by outside agents. There’s no mechanism for direct passthrough of packets to the internal network. Of course, if you configure NT Server to route packets, you’ve bypassed this feature.

10. Configure the protocols for Internet services appropriately. Exchange can use LDAP, HTTP, and NNTP. If you don’t use these protocols, make sure they’re disabled. You can limit the protocols to the Internet gateway and even restrict them at the mailbox level. You may wish to limit Internet mail access to specific accounts instead of giving broad access across the organization.

11. Build in redundancy. Ensure messaging continuity by having multiple portals. If Internet mail is a critical part of your messaging strategy, configure more than one Exchange server with this service. (But realize that if an IMS machine goes down, any Internet mail queued on that machine will not be routed to another machine.) If connections with remote messaging servers exist, configure multiple portals.

12. Limit the size of messages and attachments both leaving and receiving. Large messages can block access and tie up resources. Messages can be limited for the entire server as well as by user.

13. Purchase, implement, and monitor modern virus protection with components designed for messaging servers. Computer Associates’ InoculateIT is one solution that claims to have the appropriate features. Look for centralized management, a virus wall (which prevents the overwriting of existing uninfected files with infected versions), virus quarantine (for automatic log-off of the client workstation attempting to upload an infected file), free virus signature updates, alert options, messaging protection (to detect and cure a virus in e-mail and file attachments), and Internet gateway protection from malicious Java and ActiveX applets. Before purchasing a virus protection solution, check out its Checkmark certification. West Coast Lab’s Checkmark will give you an independent review of antiviral products on the market. It indicates their ability to detect viruses and retests them every three months. Also check out the International Computer Security Association, which tests and certifies antiviral software. A certified antiviral software must detect 100 percent of viruses in the wild (generally distributed) and 90 percent of over 6,000 test viruses.

14. Block forwarding of mail. Mail spammers often use unprotected mail servers to reroute their advertisements, thus tying up your resources and making their mail look like it came from your server.

A Horror Story

My client complained that Exchange Server wasn’t a secure messaging system. The reason: A secretary had been able to access her boss’ e-mail. This user had logged on as herself at her Windows 95 computer and double-clicked on the Exchange client icon. She was surprised to see that the mailbox she was accessing belonged to her boss. Profiles were enabled on the Windows 95 computer. Administrative personnel could repeat the action and, by logging on with user-level accounts, access other individual mailboxes. This action was repeatable across their Exchange organization, which consisted of multiple sites and geographical locations.

Once mailbox owner permission rights were granted from a boss’ mailbox to an assistant’s mailbox, the permission was inherited throughout the organization.

The system had been installed by knowledgeable but untrained personnel and was being administered at different locations by a variety of personnel.

In a lab implementation consisting of a server running Exchange and Windows 95 computers we couldn’t duplicate the incident—that is, until we gave mailbox owner permission to all users. Indeed, this was the case. Apparently, one of the client’s remote administrators who had organization, site, and server administrative privileges had been trying to make a boss’ mailbox accessible to his secretary (with permission from the manager, of course). Experienced Exchange administrators will recognize that this is possible by granting permissions from the boss’ mailbox. The boss could have done it himself.

The administrator, a member of the “never-mind-the- proper- way-or-figuring-out-the-implications-let’s-just-make-it-work” school, had made it work by granting mailbox ownership to all. Worse, the permission had then been inherited throughout the organization. The company was lucky to discover the problem before too many secretaries did. Removing this permission secured the mailboxes.

—Roberta Bragg

Who To Let Through

A properly installed and configured Exchange server protects messages in the database. A mailbox can only be configured for NT Server accounts, and only authenticated users can access their mail. If the NT server has authenticated a user, access to his or her mailbox is transparent. A user can also impose other levels of permission to limit mailbox access.

Exchange Server 5.5 Service Pack 1 allows an audit copy of all mail messages to be stored and made accessible to administrative personnel. However, this feature isn’t turned on automatically.

Users need to be trained to not allow access to their mail by any other means than granting permission. Likewise, they need to be counseled to not leave systems logged on unattended.

As with any system, if you don’t have or follow a proper security policy—if there’s no “security awareness” in a corporation—the security of e-mail will be compromised.

You can implement an additional layer of security for mail messages on the server and during transport by installing Exchange’s Key Management Server or by implementing the use of X.509 certificates to encrypt and/or digitally sign e-mail. Employ Microsoft Certificate Server or an Internet certificate authority such as VeriSign for this purpose.

Extreme security measures such as FORTEZZA cards (in which users’ computers have special hardware and software that require “smartcards” for access) can be employed. See “And, Now, for the Very Paranoid...”

Getting the Message Out Untouched

Microsoft Outlook and Outlook Express mail clients have features that can ensure message integrity. These features include the capability of obtaining a secure connection to the Exchange server. To access an Exchange Server mailbox the client must authenticate with the server. On a LAN this is invisible to the client; authentication occurs on the LAN before the mail server gets accessed. Outlook Express provides LAN- or dial-up-access to the Internet and authentication via a pop-up window.

Depending on the level of security required, the message itself may require encryption and/or digital signing. Encryption uses various algorithms to scramble the message so it can’t be interpreted by normal means. Digital signing applies a signature and only implies that the digitally-signed message is from the person it claims to be from. The message isn’t encrypted, but message encryption and digital signing can be used together. In reality both processes are only as good as the algorithms used to produce them.

For internal use Exchange comes with advanced security supplied by its own Key Management Server. Multiple-organization systems or those that require inter-organization secure messaging can use Microsoft’s Certificate Server or a commercial certificate authority like VeriSign and Certificate Trust Lists. The latter are lists of certificate authorities that trust each other.

Keeping It Clean

High on your list of communication to all users about e-mail security should be advice about the threat of viruses that can travel to their computer via messages and attachments. Caution users about opening unsolicited attachments. While you can install antiviral agents at the server and client level, this doesn’t guarantee protection.

Visit www.microsoft.com for updates and patches to Internet Explorer and Outlook, Outlook Express, and the Exchange client. Apply these updates and patches to all client machines.

Additional Information

To learn more about the proper approach to planning an Exchange installation, read “Best Practices of Exchange Planning” by Kevin Kohut in the February 1999 issue.
Learn more about Computer Associates’ InoculateIT at www.cai.com/products/inoculateit.htm.
Read about West Coast Lab’s Checkmark testing and certification at www.check-mark.com.
The International Computer Security Association discusses its certification process for anti-viral software at www.icsalabs.com/
html/communities/antivirus/certification.shtml.
You’ll find VeriSign at www.verisign.com.

And, Now, for the Very Paranoid…

For increased security on your messaging system you could require the use of the Defense Message System (DMS) version of Exchange Server, developed by Microsoft for the U.S. Department of Defense. DMS is a global messaging system composed of a set of technologies from different vendors and designed for the transfer of classified and non-classified defense data. The system supports the use of FORTEZZA hardware encryption for the encryption of messages and the electronic signing of messages using a FORTEZZA driver and the Message Security Protocol (MSP or P42). Using the DMS version of Exchange Server provides users with end-to-end security, including non-repudiation, privacy, and content integrity, as well as signed receipts. FORTEZZA is a registered trademark (held by the National Security Agency) that describes a number of security products (such as PCM/CIA cards, serial port devices, communication cards, and server boards). I bring this up, of course, because non-defense customers can purchase DMS-approved messaging technologies. Learn more at http://cms1.ssg.gunter.af.mil.

Until next month, make sure you lock up!

Register! Top 5 Hybrid AD Management Mistakes and How to Avoid Them