Safe Messaging with Exchange
You know in the back of your mind that not every message you send or receive is absolutely safe. Isn’t it time you figured out how to protect your enterprise e-mail system?
- By Roberta Bragg
- March 01, 1999
We live dangerously. No, I'm not talking about that ride through commuter traffic or your quest for a Furby. I'm talking about the e-mail that we so casually send to our bosses, co-workers, friends, and sweethearts.
While we've given plenty of attention to e-commerce and whether or not it's safe to purchase products over the Internet, most people have given little thought to the messages they so blithely send across cyberspace.
Who's reading your e-mail today? When you open that holiday attachment from Aunt Sue, are you going to bring down the corporate network? Are you going to be able to send that important contract, proposal, or critical information, or will you get the dreaded "message rejected" bounce from somebody's mail server?
The answer may be maybe. Much depends on the use of a securable messaging server, yes, like Microsoft Exchange Server. Like most messaging servers, Exchange has multiple security features built in to ensure safe messaging. But these features require configuration and understanding by messaging administrators, installers, and users in order to protect both the server and message store as well as the transport of your messages from server to server and server to client. Let's look at four areas of concern to better understand how to protect ourselves.
- Ensuring the security and availability of the messaging
- Ensuring that messages on the server can be accessed
only by approved mailbox users.
- Ensuring that the message reaches the intended recipient,
untouched and unintercepted.
- Ensuring received messages and attachments pose no
Securing the Messaging Server
Exchange has many features that can protect the server and its message store. Its security is tightly integrated with the NT Server it's installed on. Mailboxes can be accessed only by authenticated users who have been given permission. Administration of the mail server is hierarchical and granular: you can split the administrative burden while maintaining control. You can secure messages between users and organizations by using certificates and certificate trust lists. Unsolicited Commercial E-mail (UCE), or spam, can be controlled by message turfing (the deletion of mail from specified domains) and by controlling who may use the Internet Mail Service (IMS) for mail relaying.
In order for all security features to work, you must
first lay a groundwork, then plan and implement your installation
with security in mind. Likewise, you have to make sure
that users and administrators are trained and that you
practice continued vigilance.
To ensure the security of the messaging server, follow
these 14 recommendations.
1. Secure NT Server before your installation. Follow recommended security advice to harden and protect the server. (I covered this in the October issue.) Weigh carefully whether you should apply service packs and hot fixes. Service packs are sometimes necessary for certain features. Some hot fixes prevent problems, such as those that protect you against attacks or correct known bugs; others should only be applied if you're experiencing the problem they're designed to fix. (Microsoft doesn't guarantee that hot fixes are regression tested.) Consult Microsoft's online advice and make decisions based on this and your particular system. Continually monitor security sites such as www.microsoft.com/security for new information.
2. Plan the Exchange installation. Most of the actual process is point and click. However, like many unplanned, serendipitous excursions, this casual approach can lead to disaster. In addition to the issues regarding how many servers you need, what naming conventions to use, what your hardware specification should be, how much bandwidth you'll require, and other generic brouhaha, you need to plan your security strategies. Will Internet e-mail be allowed, or are you limiting it to leased-line access and/or local access? Will clients need access via browsers to their mailboxes? Who will administer which servers and which parts of those servers? Will encryption of messages and/or digital signing be necessary? How will this be accomplished: through Exchange Server's Key Management Server, Internet Information Server 4.0's Certificate Server, or through a certificate service such as VeriSign, Inc.'s?
3. Create and use a special service account for the implementation of Exchange. Don't use the built-in Administrator account or the account used to install Exchange. This account doesn't have to be a member of the Domain Admins or local Administrators groups. (But it does have to be trusted by any other domains that Exchange servers might be installed in.) This account will be used by Exchange services to communicate internally as well as with other Exchange servers and connectors. By using a special account, you're limiting the vulnerability of your network and the Exchange server should the service account be compromised. Hackers don't obtain administrative privileges on the server or in the domain by hacking the
4. Understand the Exchange Server
hierarchy. At the top level is the Organization.
The Organization is composed of Sites (logical groups
of Exchange servers that can communicate via Remote Procedure
Calls (RPC)). Each Site may have multiple servers.
5. Understand and plan the administration of Exchange. Administration of Exchange Server is granular by design. NT administrators don't have to be Exchange Server administrators. Exchange Server administrators can be given limited permissions on various servers as well as on different layers of the server architecture.
6. Understand permissions in Exchange. Permissions are hierarchical and can be inherited. Permissions granted at the Organization and Site levels are inherited by everything beneath them. Make sure permissions for remote administrators affect only their local servers. Be sure everyone understands the implications of the permission they're granting. An improperly designed and granted permission strategy can undo any security implementation. See A Horror Story for proof.
7. Understand how Exchange Server
works. You need two things to accomplish Exchange
Server administration: a knowledge of how it works and
familiarity with its 1,001 property pages (in order to
know where to place the change to make it work). To ensure
security of the server, administrators not only need to
know what to do, but where to do it.
8. Evaluate, plan, and implement the level of security you believe you need. Exchange Server has built-in security features. Users are limited to accessing their own mailbox. Unlike with shared messaging file systems, you don't need to share the entire message store or give read and write access to all users. Messages are stored in a database; access to them is limited to mailbox owners and those granted access by owners or administrators. Exchange servers communicate via connectors. Exchange servers in the same site are automatically connected. To connect sites, connectors have to be installed and/or configured, and some connectors can be configured to limit access. Specific gateways or connectors have to be configured to link with disparate mail systems, such as cc:Mail or Lotus Domino. This configuration also needs to include the sharing of passwords with connectors on other mail systems.
9. Decide on and implement the best location for your enterprise. Place the messaging server outside of the corporate firewall with other outer-ring servers (a screened subnet, or DMZ), or keep the Exchange Server inside the firewall and configure the IMS to route mail to and from the outside. The approach you use will depend on the size of your enterprise, your budget, and your risk assessment. A properly configured Exchange server has some firewall-like properties, because mail is store-and-forward: communication between the outside world and the internal network isn't direct but consists of messages left on the server and retrieved by outside agents. There's no mechanism for direct passthrough of packets to the internal network. Of course, if you configure NT Server to route packets, you've bypassed
10. Configure the protocols for Internet services appropriately. Exchange can use LDAP, HTTP, and NNTP. If you don't use these protocols, make sure they're disabled. You can limit the protocols at the Internet gateway and even restrict them at the mailbox level. You may wish to limit Internet mail access to specific accounts instead of giving broad access across
11. Build in redundancy. Ensure
messaging continuity by having multiple portals. If Internet
mail is a critical part of your messaging strategy, configure
more than one Exchange server with this service. (But
realize that if an IMS machine goes down, any Internet
mail queued on that machine will not be routed to another
machine.) If connections with remote messaging servers
exist, configure multiple portals.
12. Limit the size of messages and attachments, both outbound and inbound. Large messages can block access and tie up resources. Messages can be limited for the entire server as well as by user.
13. Purchase, implement, and monitor modern virus protection with components designed for messaging servers. Computer Associates' InoculateIT is one solution that claims to have the appropriate features. Look for centralized management, a virus wall (which prevents the overwriting of existing uninfected files with infected versions), virus quarantine (for automatic log-off of the client workstation attempting to upload an infected file), free virus signature updates, alert options, messaging protection (to detect and cure a virus in e-mail and file attachments), and Internet gateway protection from malicious Java and ActiveX applets. Before purchasing a virus protection solution, check out its Checkmark certification. West Coast Labs' Checkmark will give you an independent review of antiviral products on the market. It indicates their ability to detect viruses and retests them every three months. Also check out the International Computer Security Association, which tests and certifies antiviral software. A certified antiviral product must detect 100 percent of viruses in the wild (generally distributed) and 90 percent of over 6,000 test viruses.
14. Block relaying (forwarding) of mail through your server. Spammers look for unprotected "open relay" mail servers to reroute their advertisements, tying up your resources and making their mail look like it came from your server. Restrict the IMS so that it accepts mail for your own domains from anywhere but relays mail to other domains only for clients on your internal network.
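The relay rule in recommendation 14 comes down to one decision per RCPT TO command. The following is an added example, not the IMS's own code: a policy function of the kind the IMS relay restrictions express, run over a constructed SMTP envelope so that you can see a relay probe being refused. The domains, addresses and the 203.0.113.7 / 10.0.0.0/8 networks are assumptions for illustration. It also refuses the classic address tricks (percent hack, source route, bang path) that spammers use to make an outside destination look local.

```python
"""Relay control for an Internet mail gateway.

Added example, not Exchange's own code: a policy function of the kind the
IMS relay restrictions express, run over a constructed SMTP envelope so you
can see a relay probe being refused. Domains, addresses and networks are
assumptions for illustration.
"""
import ipaddress

LOCAL_DOMAINS = {"example.com", "corp.example.com"}          # domains we deliver locally
RELAY_ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # internal clients may send outward


def parse_recipient(rcpt):
    """Return (address, local part, domain) from an RCPT TO argument, or None on bad syntax."""
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if "@" not in addr:
        return None
    local, _, dom = addr.rpartition("@")
    return addr, local, dom.lower()


def relay_decision(client_ip, rcpt):
    """Decide one RCPT TO: (accepted?, SMTP reply line).

    Mail for our own domains is always accepted. Mail for anyone else is accepted only
    from trusted internal networks; from anywhere else it is a relay attempt.
    """
    parsed = parse_recipient(rcpt)
    if parsed is None:
        return False, "501 5.1.3 Bad recipient address syntax"
    addr, local, dom = parsed
    # Classic relay probes smuggle the real destination into the address so that the
    # domain part looks local: source routes (@us:victim@there), the percent hack
    # (victim%there@us) and bang paths (there!victim@us). Refuse them outright.
    if addr.startswith("@") or "%" in local or "!" in local:
        return False, "550 5.7.1 Source-routed and percent/bang addresses not accepted"
    if dom in LOCAL_DOMAINS:
        return True, "250 2.1.5 Recipient OK"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in RELAY_ALLOWED_NETS):
        return True, "250 2.1.5 Recipient OK"
    return False, f"550 5.7.1 Unable to relay for {addr}"


def run_envelope(client_ip, mail_from, rcpts):
    """Feed the envelope of one SMTP session through the policy; returns (transcript, accepted)."""
    transcript = [f"C: MAIL FROM:<{mail_from}>", "S: 250 2.1.0 Sender OK"]
    accepted = []
    for rcpt in rcpts:
        ok, reply = relay_decision(client_ip, rcpt)
        transcript += [f"C: RCPT TO:<{rcpt}>", f"S: {reply}"]
        if ok:
            accepted.append(rcpt)
    return transcript, accepted


def relay_probe():
    """A spammer on the Internet (constructed address 203.0.113.7) tries the usual tricks."""
    _, accepted = run_envelope(
        "203.0.113.7", "deals@forged.example.net",
        ["bob@example.com",                            # inbound to us: fine
         "victim@elsewhere.example.org",               # plain relay attempt
         "victim%elsewhere.example.org@example.com",   # percent hack
         "@example.com:victim@elsewhere.example.org",  # source route
         "elsewhere.example.org!victim@example.com"])  # bang path
    return accepted


if __name__ == "__main__":
    log, _ = run_envelope("203.0.113.7", "deals@forged.example.net",
                          ["bob@example.com", "victim@elsewhere.example.org"])
    print("\n".join(log))
    print("internal client:", relay_decision("10.1.2.3", "partner@elsewhere.example.org"))
```

Run it and the transcript shows the inbound recipient accepted with 250 and the outside recipient refused with 550; the same outside recipient is accepted when the client sits in 10.0.0.0/8. Testing your own gateway this way from an outside address is the quickest check that the relay restriction actually took.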
A Horror Story
My client complained that Exchange Server wasn't a secure messaging system. The reason: A secretary had been able to access her boss's e-mail. This user had logged on as herself at her Windows 95 computer and double-clicked on the Exchange client icon. She was surprised to see that the mailbox she was accessing belonged to her boss. Profiles were enabled on the Windows 95 computer. Administrative personnel could repeat the action and, by logging on with user-level accounts, access other individual mailboxes. This action was repeatable across their Exchange organization, which consisted of multiple sites and geographical locations.
Once mailbox owner permission rights were granted from a boss's mailbox to an assistant's mailbox, the permission was inherited throughout the organization. The system had been installed by knowledgeable but untrained personnel and was being administered at different locations by a variety of personnel.
In a lab implementation consisting of a server running Exchange and Windows 95 computers we couldn't duplicate the incident, that is, until we gave mailbox owner permission to all users. Indeed, this was the case. Apparently, one of the client's remote administrators who had organization, site, and server administrative privileges had been trying to make a boss's mailbox accessible to his secretary (with permission from the manager, of course). Experienced Exchange administrators will recognize that this is possible by granting permissions from the boss's mailbox. The boss could have done it himself.
The administrator, a member of the never-mind-the-proper-way-or-figuring-out-the-implications-let's-just-make-it-work school, had made it work by granting mailbox ownership to all. Worse, the permission had then been inherited throughout the organization. The company was lucky to discover the problem before too many secretaries did. Removing this permission secured the mailboxes.
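The rule the horror story turns on, and that recommendation 6 warns about, is that a right granted on a container is inherited by every object beneath it. The following is an added example, not Exchange's own code: a toy permission tree in the shape of the Organization > Site > Server > Recipients > mailbox hierarchy, with the bad grant, the fix, and the audit you would run afterwards. The container names, the three users, the "Domain Users" group and the right name "Mailbox Owner" are assumptions for illustration; Exchange stores its ACLs in the directory and evaluates them for you, so the point here is only the inheritance arithmetic.

```python
"""Hierarchical permissions with inheritance, in the style of Exchange's
Organization > Site > Server > Recipients > mailbox tree.

Added example, not Exchange's own code: a toy model of the one rule the
article's horror story turns on, that a right granted on a container is
inherited by every object beneath it. Container names, users, the
"Domain Users" group and the right name are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

MAILBOX_OWNER = "Mailbox Owner"     # the right a client needs to open a mailbox

# Constructed directory: who belongs to which group.
GROUPS = {"Domain Users": {"boss", "assistant", "mallory"}}


@dataclass(eq=False)
class Node:
    name: str
    is_mailbox: bool = False
    parent: Optional["Node"] = field(default=None, repr=False)
    children: list = field(default_factory=list, repr=False)
    acl: dict = field(default_factory=dict)      # principal -> set of rights

    def child(self, name, is_mailbox=False):
        node = Node(name, is_mailbox=is_mailbox, parent=self)
        self.children.append(node)
        return node

    def grant(self, principal, right):
        self.acl.setdefault(principal, set()).add(right)

    def revoke(self, principal, right):
        self.acl.get(principal, set()).discard(right)

    def chain(self):
        """This object and every container above it, nearest first."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def principals_for(user):
    return {user} | {g for g, members in GROUPS.items() if user in members}


def effective_rights(obj, user):
    """Union of rights on the object and on all ancestors (inheritance), for the user and its groups."""
    rights = set()
    for node in obj.chain():
        for p in principals_for(user):
            rights |= node.acl.get(p, set())
    return rights


def can_open(mailbox, user):
    return MAILBOX_OWNER in effective_rights(mailbox, user)


def audit_container_owner_grants(root):
    """The check to run: every (container, principal) pair that hands out Mailbox Owner
    above the mailbox level, because every mailbox below inherits it."""
    hits, stack = [], [root]
    while stack:
        node = stack.pop()
        if not node.is_mailbox:
            hits += [(node.name, p) for p, rights in node.acl.items() if MAILBOX_OWNER in rights]
        stack.extend(node.children)
    return hits


def build_org():
    org = Node("Organization")
    site = org.child("Site: HQ")
    recipients = site.child("Server: EXCH01").child("Recipients")
    boxes = {name: recipients.child(name, is_mailbox=True) for name in ("boss", "assistant", "mallory")}
    for name, mb in boxes.items():
        mb.grant(name, MAILBOX_OWNER)            # normal state: each user owns only her own mailbox
    return org, site, boxes


def horror_story():
    org, site, boxes = build_org()
    boss = boxes["boss"]
    # The "just make it work" grant: Mailbox Owner for everybody, on the Site.
    site.grant("Domain Users", MAILBOX_OWNER)
    before = (can_open(boss, "assistant"), can_open(boss, "mallory"), audit_container_owner_grants(org))
    # The fix: pull the container-level grant, delegate on the one mailbox that needs it.
    site.revoke("Domain Users", MAILBOX_OWNER)
    boss.grant("assistant", MAILBOX_OWNER)
    after = (can_open(boss, "assistant"), can_open(boss, "mallory"), audit_container_owner_grants(org))
    return before, after


if __name__ == "__main__":
    before, after = horror_story()
    print("before fix (assistant opens boss, mallory opens boss, container grants):", before)
    print("after fix:", after)
```

Before the fix every user in the group can open every mailbox, and the audit points straight at the Site-level grant; after it only the assistant can open the boss's mailbox and the audit comes back empty. Walking the tree for container-level Mailbox Owner grants is the check to repeat whenever a new administrator is given Permissions Admin at the Organization or Site level.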
Who To Let Through
A properly installed and configured Exchange server protects
messages in the database. A mailbox can only be configured
for NT Server accounts, and only authenticated users can
access their mail. If the NT server has authenticated
a user, access to his or her mailbox is transparent. A
user can also impose other levels of permission to limit
Exchange Server 5.5 Service Pack 1 adds message journaling, which allows an audit copy of all mail messages to be stored and made accessible to administrative personnel. However, this feature isn't turned on automatically.
Users need to be trained to not allow access to their
mail by any other means than granting permission. Likewise,
they need to be counseled to not leave systems logged
As with any system, if you don't have or follow a proper security policy, if there's no security awareness in a corporation, the security of e-mail will be compromised.
You can implement an additional layer of security for mail messages on the server and during transport by installing Exchange's Key Management Server or by implementing the use of X.509 certificates to encrypt and/or digitally sign e-mail. Employ Microsoft Certificate Server or an
Internet certificate authority such as VeriSign for this
Extreme security measures such as FORTEZZA cards (in which users' computers have special hardware and software that require smartcards for access) can be employed. See Now, for the Very Paranoid.
Getting the Message Out Untouched
Microsoft Outlook and Outlook Express mail clients have
features that can ensure message integrity. These features
include the capability of obtaining a secure connection
to the Exchange server. To access an Exchange Server mailbox
the client must authenticate with the server. On a LAN
this is invisible to the client; authentication occurs
on the LAN before the mail server gets accessed. Outlook
Express provides LAN- or dial-up-access to the Internet
and authentication via a pop-up window.
Depending on the level of security required, the message itself may require encryption and/or digital signing. Encryption uses an algorithm and a key to scramble the message so that it can't be read by anyone who doesn't hold the decryption key. Digital signing attaches a signature computed with the sender's private key; a recipient who verifies it against the sender's certificate learns that the message came from the holder of that key and hasn't been altered since it was signed. Signing doesn't hide the content, since the message isn't encrypted, but encryption and digital signing can be used together. In reality both processes are only as good as the algorithms used to produce them and the care with which the private keys are protected.
For internal use Exchange comes with advanced security supplied by its own Key Management Server. Multiple-organization systems or those that require inter-organization secure messaging can use Microsoft's Certificate Server or a commercial certificate authority like VeriSign together with Certificate Trust Lists. A Certificate Trust List is the list of certificate authorities whose certificates your organization chooses to accept; a certificate issued by an authority that isn't on the list isn't trusted, however valid its signature.
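To make the two ideas of the preceding paragraphs concrete (a signature proves origin and integrity without hiding the text, and a certificate trust list decides which issuers count), here is an added example that is not code from Exchange, the Key Management Server or Outlook. The signature is textbook RSA over a truncated SHA-256 digest with small fixed Mersenne-prime keys and no padding: enough to show the mechanics, and unusable for real mail, where S/MIME uses padded signatures and full certificate chains. The CA names, the users, the keys and the message are assumptions for illustration; the trust list is a plain dictionary from issuer name to CA public key.

```python
"""Signed mail and certificate trust lists, shown with a toy signature scheme.

Added example, not code from Exchange, the Key Management Server or Outlook.
The signature is textbook RSA over a truncated SHA-256 digest with small fixed
Mersenne-prime keys and no padding: enough to show the mechanics the article
describes, and unusable for real mail (S/MIME uses padded signatures and full
certificate chains). Names, keys and the message are assumptions for illustration.
Requires Python 3.8+ for pow(e, -1, m).
"""
import hashlib

E = 65537
# Mersenne primes: fast toy arithmetic, and every modulus below exceeds the 160-bit digest.
P61, P89, P107, P127, P521, P607 = (2 ** k - 1 for k in (61, 89, 107, 127, 521, 607))


def keygen(p, q):
    """Textbook RSA key pair from two primes: ((n, e) public, (n, d) private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest(data):
    """160-bit integer digest of the data (kept below every toy modulus)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")


def sign(priv, data):
    n, d = priv
    return pow(digest(data), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data)


def cert_body(subject, pub, issuer):
    """What a CA signs: the binding of a name to a public key."""
    return f"{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()


def issue_cert(issuer, issuer_priv, subject, subject_pub):
    return {"subject": subject, "pub": subject_pub, "issuer": issuer,
            "sig": sign(issuer_priv, cert_body(subject, subject_pub, issuer))}


def verify_message(msg, cert, sig, ctl):
    """Recipient-side check. ctl is the Certificate Trust List: issuer name -> CA public key.

    Order matters: first decide whether we trust the issuer at all, then that the
    certificate really came from that issuer, and only then look at the message signature.
    """
    ca_pub = ctl.get(cert["issuer"])
    if ca_pub is None:
        return False, "issuer not in certificate trust list"
    if not verify(ca_pub, cert_body(cert["subject"], cert["pub"], cert["issuer"]), cert["sig"]):
        return False, "certificate signature invalid"
    if not verify(cert["pub"], msg, sig):
        return False, "message signature invalid (altered or forged)"
    return True, f"signed by {cert['subject']}"


def demo():
    ca_pub, ca_priv = keygen(P127, P89)          # our organization's CA, on the trust list
    rogue_pub, rogue_priv = keygen(P521, P61)    # some other CA nobody here vetted
    alice_pub, alice_priv = keygen(P107, P607)
    ctl = {"Corp CA": ca_pub}

    alice_cert = issue_cert("Corp CA", ca_priv, "alice@example.com", alice_pub)
    # Impersonation: the rogue CA certifies its own key under Alice's name.
    fake_cert = issue_cert("Rogue CA", rogue_priv, "alice@example.com", rogue_pub)

    msg = b"Please wire $10,000 to account 12345 today."   # signing leaves this readable
    sig = sign(alice_priv, msg)
    return {
        "genuine": verify_message(msg, alice_cert, sig, ctl),
        "tampered": verify_message(msg.replace(b"12345", b"99999"), alice_cert, sig, ctl),
        "untrusted_ca": verify_message(msg, fake_cert, sign(rogue_priv, msg), ctl),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>12}: {outcome}")
```

The genuine message verifies, the one with the account number changed fails on the message signature, and the impersonation fails before any signature is even checked because "Rogue CA" is not on the list. Note that the trust decision is made by the recipient's list, not by anything in the message: that is exactly why the article recommends deciding up front which authorities your organization will trust.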
Keeping It Clean
High on your list of communication to all users about
e-mail security should be advice about the threat of viruses
that can travel to their computer via messages and attachments.
Caution users about opening unsolicited attachments. While you can install antiviral agents at the server and client level, this doesn't guarantee protection.
for updates and patches to Internet Explorer and Outlook,
Outlook Express, and the Exchange client. Apply these
updates and patches to all client machines.
Now, for the Very Paranoid
For increased security on your messaging system you could
require the use of the Defense Message System (DMS) version
of Exchange Server, developed by Microsoft for the U.S.
Department of Defense. DMS is a global messaging system
composed of a set of technologies from different vendors
and designed for the transfer of classified and non-classified
defense data. The system supports the use of FORTEZZA
hardware encryption for the encryption of messages and
the electronic signing of messages using a FORTEZZA driver
and the Message Security Protocol (MSP or P42). Using
the DMS version of Exchange Server provides users with
end-to-end security, including non-repudiation, privacy,
and content integrity, as well as signed receipts. FORTEZZA is a registered trademark (held by the National Security Agency) that describes a number of security products (such as PCMCIA cards, serial port devices, communication cards, and server boards). I bring this up, of course, because non-defense customers can purchase DMS-approved messaging technologies. Learn more at http://cms1.ssg.gunter.af.mil.
Until next month, make sure you lock up!