Understanding Outlook 2003 Security Enhancements

Outlook 2003 includes enhanced secured messaging through:

  • S/MIME version 3 support

  • Smart card support

  • Digital signatures

  • Email encryption.

With Outlook 2003, support for S/MIME version 3 provides a number of security features:

  • The public key of the sender can be used to encrypt email messages.

  • The private key of the recipient is needed to open and decrypt the email message.

  • The Active Directory Group Policy feature can be used to implement S/MIME within an organization.

  • The X.509v3 standard, which requires third-party encryption keys, is also supported by Outlook 2003.

  • Digital signing is also supported in S/MIME version 3. This in turn provides security labels and signed secure message receipts.

The Outlook 2003 security labels feature enables users to add security messages to email message headers. You can configure security labels at the following levels:

  • Message level

  • Mailbox level

Exchange Server 2003 and Outlook 2003 include enhanced antispam features. A user can configure and control the antispam filtering level.

The features of the Junk Email filter are listed here:

  • Determine whether a message is legitimate email or junk email.

  • Junk email is moved to the Junk Email folder. The user has to then manually check these items and delete the items.

  • The Junk Email filter can also be configured to delete junk email messages at the time when they are received.

The default setting of the Junk Email filter is Low.

Understanding Outlook Web Access 2003 Security Enhancements

A few security specific enhancements included in Outlook Web Access (OWA) 2003 are:

  • Support for S/MIME attachments: To use the S/MIME functionality supported by Outlook Web Access 2003, you have to download an ActiveX control on each client. You can do this from the OWA Options page. When enabled, users can send and receive digitally signed messages through encryption.

  • Attachment blocking: With Outlook Web Access 2003, you can block Internet attachments such as specific links to Web sites.

  • Spam beacon blocking: The antispam features of OWA 2003 are enhanced because the spammer's ability to hide beacons in spam messages is disabled. OWA blocks links to external content on the Internet from being accessed through OWA.

  • Clearing of user credentials during the logoff process: User credentials are automatically cleared during the logoff process when a user accesses OWA 2003 through Internet Explorer 6.0 SP1 or above and Forms Based Authentication.

  • Cookie authentication: In OWA 2003, a cookie automatically expires when a user logs out of OWA and when a certain predefined time period of inactivity in OWA passes. This prevents hackers from using cookies to obtain authentication. To configure the amount of time to wait before automatic logoff is implemented, use the Registry Editor to edit the Registry on the front-end Exchange Server 2003 server.

Understanding Message Filtering

You can use message filtering to reduce the amount of junk e-mail received by users.

Junk e-mail has the following associated disadvantages:

  • Uses network bandwidth.

  • Takes up your users' time.

  • Uses memory resources.

Message filtering works by checking email headers and message bodies. It then matches these to predefined junk e-mail rules. Outlook 2003 and Outlook Web Access (OWA) 2003 provide a number of built-in message filters, called the Junk E-Mail feature.

When configuring the Junk E-Mail feature, users can define the following components:

  • Trusted Senders

  • Trusted Recipients

  • Junk Senders lists

A block list is made up of a set of domain names and Internet Protocol (IP) addresses that are regarded as being sources of known junk e-mail. The purpose of block lists is to assist in preventing junk e-mail from being received.

To keep your block list valid, you can subscribe to a Realtime Blackhole List or Relay Blocking List (RBL), which is maintained by a third-party company, such as Mail Abuse Prevention System (MAPS).

Through Exchange Server 2003 connection filtering, you can check an SMTP server's IP address against the Relay Blocking List (RBL). When a match occurs, Exchange Server 2003 will prevent delivery to all message recipients other than those specified as an exception.

A few features of connection filtering are listed here:

  • You can create multiple connection filter rules and then define the order in which the connection filters should be applied.

  • You can configure exceptions to allow e-mail messages to be delivered to specific recipients.

  • You can configure exceptions to allow e-mail messages to be delivered from a specific sender.
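The connection filtering check described above can be modelled in a few lines. This is an added example, not code from Exchange Server 2003 or from the original page: it uses the standard DNS block list convention (reverse the IPv4 octets, append the provider's DNS suffix, treat an answer in 127.0.0.0/8 as a listing), applies the rules in their configured order and honours recipient exceptions. The provider suffixes, addresses, the fake_resolve stand-in for a DNS lookup and the function names are constructed for illustration.

```python
import ipaddress

def rbl_query_name(client_ip, dns_suffix):
    """Reverse the IPv4 octets and append the provider's DNS suffix (DNSBL convention)."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")  # ValueError if not IPv4
    return ".".join(reversed(octets)) + "." + dns_suffix.strip(".")

def first_matching_rule(client_ip, rules, resolve):
    """Walk the rules in configured order; return (rule name, return code) or None.

    resolve(name) returns the A records for name, or [] when the name does not exist.
    """
    for display_name, dns_suffix in rules:
        answers = resolve(rbl_query_name(client_ip, dns_suffix))
        codes = [a for a in answers if a.startswith("127.")]  # listings answer in 127.0.0.0/8
        if codes:
            return display_name, codes[0]
    return None

def filter_recipients(client_ip, recipients, rules, exceptions, resolve):
    """Decide per recipient for one inbound connection: 'accept' or 'reject'."""
    hit = first_matching_rule(client_ip, rules, resolve)
    allowed = {e.lower() for e in exceptions}
    return {r: "accept" if hit is None or r.lower() in allowed else "reject"
            for r in recipients}

# Constructed sample data: hypothetical providers, documentation-range addresses.
RULES = [("Primary RBL", "rbl.example.net"), ("Secondary RBL", "bl.example.org")]
EXCEPTIONS = ["postmaster@corp.example"]
ZONE = {
    "10.2.0.192.rbl.example.net": ["127.0.0.2"],  # 192.0.2.10 is on both lists
    "10.2.0.192.bl.example.org": ["127.0.0.4"],
    "5.113.0.203.bl.example.org": ["127.0.0.4"],  # 203.0.113.5 is on the second list only
}

def fake_resolve(name):
    """Offline stand-in for a DNS A lookup against the constructed zone."""
    return ZONE.get(name, [])

if __name__ == "__main__":
    rcpts = ["alice@corp.example", "postmaster@corp.example"]
    for ip in ("192.0.2.10", "203.0.113.5", "198.51.100.7"):
        print(ip, first_matching_rule(ip, RULES, fake_resolve),
              filter_recipients(ip, rcpts, RULES, EXCEPTIONS, fake_resolve))
```

The query name built here is what goes into the DNS lookup for the suffix entered in the DNS Suffix Of Provider box, which makes it useful for checking a provider by hand before enabling a rule.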

How to configure email security for a message

  1. Open Outlook.

  2. Open a new message.

  3. Click Security Settings.

  4. The Security Properties dialog box opens.

  5. Specify whether the message contents and attachments should be encrypted.

  6. Specify whether a digital signature should be added to the message.

  7. Add all additional security settings.

  8. Click OK.

How to configure email security for the entire user mailbox

  1. Open Outlook.

  2. Click Tools and then Options.

  3. Click the Security tab.

  4. You can enable the following security settings for the entire user mailbox:

    • Encrypt Contents and Attachments for Outgoing Message

    • Add Digital Signature to Outgoing Messages

    • Send Clear Text Signed Messages When Sending Signed Messages

    • Request S/MIME Receipt for All S/MIME Signed Messages

  5. For all security settings, other than the Send Clear Text Signed Messages When Sending Signed Messages setting, the user must have a digital certificate.

  6. Click OK.

How to configure security labels for a message

  1. Open Outlook.

  2. Open a message.

  3. Click Options, and then click Security settings.

  4. Enable the Add Digital Signature to This Message checkbox.

  5. Select the security label and classification for the message.

  6. Specify the privacy mark.

  7. Click OK.

How to configure security labels for the entire mailbox

  1. Open Outlook.

  2. Click the Tools menu and then Options.

  3. Click the Security tab.

  4. Click the Settings button.

  5. Click Security Labels.

  6. Specify the policy module.

  7. Specify the classification.

  8. Set the privacy mark.

  9. Click OK to apply these settings for all messages.

How to configure junk email filtering

  1. Open Outlook.

  2. Click the Tools menu and then Options.

  3. Click the Preferences tab.

  4. In the Email area, click Junk Email.

  5. The Junk Email Options dialog box opens.

  6. On the Options tab, choose the level of junk email protection.

  7. Click OK.

How to add users to the Safe Senders list

  1. Open Outlook.

  2. Click the Tools menu and then Options.

  3. Click the Preferences tab.

  4. In the Email area, click Junk Email.

  5. The Junk Email Options dialog box opens.

  6. Click the Safe Senders tab.

  7. Click Add.

  8. Enter the name of the user, group or domain.

  9. Click OK.

How to add users to the Safe Recipients list

  1. Open Outlook.

  2. Click the Tools menu and then Options.

  3. Click the Preferences tab.

  4. In the Email area, click Junk Email.

  5. The Junk Email Options dialog box opens.

  6. Click the Safe Recipients tab.

  7. Click Add.

  8. Enter the name of the user, group or domain.

  9. Click OK.

How to add users to the Blocked Senders list

  1. Open Outlook.

  2. Navigate to Tools and then Options.

  3. Click the Preferences tab.

  4. In the Email area, click Junk Email.

  5. The Junk Email Options dialog box opens.

  6. Click the Blocked Senders tab.

  7. Click Add.

  8. Enter the name of the user, group or domain.

  9. Click OK.

How to enable forms-based authentication

  1. Open Exchange System Manager.

  2. Expand the Protocols folder and then expand the HTTP folder.

  3. Right-click the HTTP virtual server and select Pause from the shortcut menu.

  4. Right-click the HTTP virtual server and now select Properties from the shortcut menu.

  5. The HTTP virtual server's Properties dialog box opens.

  6. Click the Settings tab.

  7. In the Outlook Web Access area of the Settings tab, select the Enable Forms Based Authentication checkbox.

  8. In the Compression drop-down list, click the desired compression level.

  9. Click OK.

  10. To restart the HTTP virtual server, right-click the HTTP virtual server and select Pause from the shortcut menu.

How to disable open relaying on the SMTP virtual server

  1. Open Exchange System Manager.

  2. Expand the Protocols folder and then expand the SMTP folder.

  3. Right-click the SMTP virtual server and select Properties from the shortcut menu.

  4. The SMTP virtual server Properties dialog box opens.

  5. Click the Access tab.

  6. Click Relay.

  7. The Relay Restrictions dialog box opens. This is where you can configure all Access Control options.

  8. Ensure that the option for which computers are allowed to relay e-mail messages is set to Only The List Below. The list should be blank.

  9. The Allow All Computers Which Successfully Authenticate To Relay, Regardless Of The List Above checkbox should be disabled/clear.

  10. Click OK in the Relay Restrictions dialog box.

  11. Click OK in the SMTP virtual server Properties dialog box.

How to prevent users from sending Internet e-mail

  1. Open Exchange System Manager.

  2. Navigate to and expand the Connectors folder.

  3. Right-click the SMTP Connector in the details pane and then select Properties from the shortcut menu.

  4. The SMTP Connector Properties dialog box opens.

  5. Click Delivery Restrictions on the General tab.

  6. In the Reject Messages From area of the Delivery Restrictions tab, click the Add button.

  7. The Select Recipient box opens.

  8. Enter the usernames of the users that you want to prevent from sending Internet e-mail.

  9. Click OK.

  10. Click OK in the SMTP Connector Properties dialog box.

How to configure authentication for incoming messages for the SMTP virtual server

  1. Open Exchange System Manager.

  2. Expand the Protocols folder and then expand the SMTP folder.

  3. Right-click the SMTP virtual server and select Properties from the shortcut menu.

  4. Click the Access tab.

  5. In the Access Control area of the tab, click Authentication.

  6. The authentication options are:

    • Anonymous Access

    • Basic Authentication – Requires TLS Encryption

    • Integrated Windows Authentication

  7. Click OK in the Authentication dialog box.

  8. Click OK in the SMTP virtual server Properties dialog box.

How to configure TLS encryption

  1. Open Exchange System Manager.

  2. Expand the Protocols folder and then expand the SMTP folder.

  3. Right-click the SMTP virtual server and select Properties from the shortcut menu.

  4. Click the Access tab.

  5. In the Secure Communication area of the tab, click Certificate.

  6. Initiate the Web Server Certificate Wizard to obtain a new certificate.

  7. After completing the Web Server Certificate Wizard, click Apply to save all changes.

  8. On the Access tab, in the Access Control area of the tab, click Authentication.

  9. If you have selected Basic Authentication, select the Requires TLS Encryption checkbox.

  10. Click OK.

  11. In the Secure Communication area of the Access tab, click Communication.

  12. Select the Require Secure Channel checkbox.

  13. Select the Require 128-bit Encryption checkbox.

  14. Click OK.

  15. Click OK in the SMTP virtual server Properties dialog box.

How to enable and configure connection filtering

  1. Open Exchange System Manager.

  2. Click Global Settings.

  3. Right-click Message Delivery and then select Properties from the shortcut menu.

  4. The Message Delivery Properties dialog box opens.

  5. Click the Connection Filtering tab.

  6. Click the Add button.

  7. The Connection Filtering Rule dialog box opens.

  8. In the Display Name box enter a name for the connection filtering rule.

  9. In the DNS Suffix Of Provider box, enter the information for the provider.

  10. Click OK in the Connection Filtering Rule dialog box.

  11. Click OK in the Message Delivery Properties dialog box.

  12. Click OK.

  13. In the Exchange System Manager, navigate to the Protocols folder and then expand the SMTP folder.

  14. Right-click Default SMTP Virtual Server and then select Properties from the shortcut menu.

  15. The Default SMTP Virtual Server Properties dialog box opens.

  16. On the General tab, click Advanced.

  17. When the Advanced dialog box opens, click Edit.

  18. In the Identification dialog box, enable the Apply Connection Filter checkbox.

  19. Click OK in the Identification dialog box.

  20. On the Advanced dialog box, set the Filter Enabled option to Yes.

  21. Click OK in the Advanced dialog box.

  22. Click OK in the Default SMTP Virtual Server Properties dialog box.

How to block an email address

  1. Open Exchange System Manager.

  2. Click Global Settings.

  3. Right-click Message Delivery and then select Properties from the shortcut menu.

  4. The Message Delivery Properties dialog box opens.

  5. Click the Sender Filtering tab.

  6. Click the Add button.

  7. The Add Sender dialog box opens.

  8. In the Sender box, enter the e-mail address of the sender.

  9. Click OK in the Add Sender dialog box.

  10. In the Message Delivery Properties dialog box, enable the Drop Connection If Address Matches Filter checkbox.

  11. Click OK in the Message Delivery Properties dialog box.

  12. Click OK to confirm that the filter should be enabled.

How to block a domain

  1. Open Exchange System Manager.

  2. Expand the Protocols folder and then expand the SMTP folder.

  3. Right-click Default SMTP Virtual Server and select Properties from the shortcut menu.

  4. The Default SMTP Virtual Server Properties dialog box opens.

  5. Click the Access tab.

  6. Click the Connection button.

  7. The Connection dialog box opens.

  8. Select the All Except The List Below option and click Add.

  9. In the Computer dialog box select the Domain option.

  10. Enter the name of the domain in the Domain box.

  11. Click OK.

  12. Click the General tab on the Default SMTP Virtual Server Properties dialog box.

  13. On the General tab, click Advanced.

  14. When the Advanced dialog box opens, click Edit.

  15. In the Identification dialog box, enable the Apply Sender Filter checkbox.

  16. Click OK in the Identification dialog box.

  17. Click OK in the Advanced dialog box.

  18. Click OK in the Default SMTP Virtual Server Properties dialog box.

Recommendations for Securing Exchange Server 2003 Mailboxes

A few recommendations for securing Exchange Server 2003 mailboxes are listed here:

  • You should prevent users from receiving e-mail messages from unidentified domains or from a predefined number of domains. To do this, you would need to configure your virtual servers to prevent messages from these domains.

  • You should prevent users that are outside your Exchange organization from receiving out-of-office e-mail messages. You can do this through configuring the default SMTP policy or the SMTP policies on a domain to not forward out-of-office e-mail messages to the Internet and reply to these messages.

  • You can prevent unauthorized users from using distribution lists by configuring your distribution lists to only accept e-mail from users that are regarded as authenticated users.

  • To assist in preventing users from obtaining unsolicited email, create message filters and then apply these filters to each virtual server. A message can be filtered, based on:

    • Sender.

    • Recipient.

    • Domain.

  • To assist in preventing users from obtaining junk email, you should filter incoming e-mail and outgoing e-mail for specific senders, and words and phrases.

  • To control access to e-mail content and ensure that only the intended recipient receives and views an email message, you can digitally sign and encrypt e-mail messages.

  • You can configure recipient and sender filtering to block email messages based on the following information:

    • IP addresses

    • Recipient e-mail address

    • Sender e-mail address

    • E-mail domain.

You would need to configure Accept lists and Deny lists in the global Message Delivery object and then apply these to each virtual server.