
Syngress CYA: Securing Exchange Server 2003 and Outlook Web Access
Pages: 337
Size: 9.1 MB
Format: PDF


299_CYA_EXCHG_FM.qxd 4/23/04 3:52 PM Page i

Register for Free Membership to
solutions@syngress.com

Over the last few years, Syngress has published many best-selling and critically acclaimed books, including Tom Shinder's Configuring ISA Server 2000, Brian Caswell and Jay Beale's Snort 2.0 Intrusion Detection, and Angela Orebaugh and Gilbert Ramirez's Ethereal Packet Sniffing. One of the reasons for the success of these books has been our unique solutions@syngress.com program. Through this site, we've been able to provide readers a real-time extension to the printed book.

As a registered owner of this book, you will qualify for free access to our members-only solutions@syngress.com program. Once you have registered, you will enjoy several benefits, including:

■ Four downloadable e-booklets on topics related to the book. Each booklet is approximately 20-30 pages in Adobe PDF format. They have been selected by our editors from other best-selling Syngress books as providing topic coverage that is directly related to the coverage in this book.

■ A comprehensive FAQ page that consolidates all of the key points of this book into an easy-to-search web page, providing you with the concise, easy-to-access data you need to perform your job.

■ A "From the Author" Forum that allows the authors of this book to post timely updates, links to related sites, or additional topic coverage that may have been requested by readers.

Just visit us at www.syngress.com/solutions and follow the simple registration process. You will need to have this book with you when you register.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there is anything else we can do to make your job easier.


Securing Exchange Server 2003 and Outlook Web Access

COVER YOUR A** BY GETTING IT RIGHT THE FIRST TIME

Henrik Walther
Patrick Santry, Technical Editor


Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Syngress Publishing, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER
001 CV764HHHYY
002 PO9873KSS6
003 KLASS34F62
004 IMWQ295T6T
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3
008 2987GVTWMK
009 LPE987NK34
010 629MP5SDJT

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

CYA: Securing Exchange Server 2003 & Outlook Web Access

Copyright © 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN: 1-931836-24-8

Acquisitions Editor: Christine Kloiber
Technical Editor: Patrick Santry
Page Layout and Art: Patricia Lupien
Cover Designer: Michael Kavish
Copy Editor: Darlene Bordwell
Indexer: Odessa&Cie

Distributed by O'Reilly & Associates in the United States and Canada.


Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States by O'Reilly & Associates, Inc. The enthusiasm and work ethic at ORA is incredible and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O'Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Lynn Schwartz, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop, Tim Hinton, Kyle Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Dawn Mann, Kathryn Barrett, John Chodacki, and Rob Bullington.

The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Rosie Moss, Chris Hossack, and Krista Leppiko, for making certain that our vision remains worldwide in scope.

David Buckland, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.


Author

Henrik Walther is a Senior Microsoft Server Consultant working for an IT outsourcing services company in Copenhagen, Denmark. Henrik has over 10 years of experience in the industry. He specializes in migrating, implementing, and supporting Microsoft Windows Active Directory and Microsoft Exchange environments.

Henrik is a Microsoft Exchange MVP (Most Valuable Professional). He runs the www.exchange-faq.dk website and writes Exchange-related articles for both www.msexchange.org and www.outlookexchange.com. He also spends time helping his peers in the Exchange community via forums, newsgroups, and mailing lists.

Henrik would like to thank his forever patient and understanding girlfriend Michella without whom he would never have been where he is today.


Technical Editor

Patrick Santry is the Corporate Webmaster for a Cary, NC-based manufacturing company. He has been designing, developing, and managing Web-centric applications for eight years. He is co-author of several books, and has authored many magazine articles. He holds MCSE, MCSA, MCP+SB, i-Net+, A+, and CIW certifications. He also writes for his highly popular web site, www.Coder.com, which is frequently featured on the ASP.Net website for articles on ASP.NET portal development. He is a frequent presenter at Microsoft events in the Northwestern Pennsylvania area.

Patrick dedicates his writing to his family: his wife Karyn, daughters Katie and Karleigh, and his son Patrick Jr. (P.J.).

299_CYA_EXCHG_TOC.qxd 4/23/04 3:08 PM Page ix

Contents

About this Book  xvii

Chapter 1 Introducing Exchange 2003 Security  1
  Exchange 2003: "Secure Out of the Box"  2
    Exchange 2003: Secure by Design  4
    Exchange 2003: Secure by Default  6
      Outlook Web Access 2003 Security Enhancements  7
    Exchange 2003: Secure by Upgrade?  8
  Your A** Is Covered If You…  8

Chapter 2 Windows and Exchange 2003 Security Practices  9
  In this Chapter  9
  Windows 2000/2003 Security  10
    Patch Management  10
      Microsoft Baseline Security Analyzer  10
      Network Security Hotfix Checker (Hfnetchk)  12
      Recommended Windows 2003 Security Reading  12
      Keep Up to Date on New Security Bulletins  13
  Exchange 2003 Windows Dependencies  13
    Exchange 2003 Components  16
  Applying Best Security Practices  18
    Defining Acceptable Use  19
    Practice Safe Computing  20
    Good Physical Security  21
  Installing Exchange 2003 Best Practices  21
    Installation Checklist  22
      Building the Hardware Platform  22
      Installing the Operating System  23
      Installing Exchange 2003  23
  Your A** Is Covered If You…  24

Chapter 3 Delegating and Controlling Permissions in Exchange 2003  25
  In this Chapter  25
  Delegating Administrative Control in System Manager  26
    Exchange Server 2003 Permissions  26
    Viewing Exchange Server Permissions in Exchange System Manager  29
    Using the Exchange Administration Delegation Wizard  30
      Exchange Full Administrator  31
      Exchange Administrator  32
      Exchange View Administrator  32
  Controlling Mailbox Permissions  36
    Delegating Mailbox Access Through Outlook 2003  36
    Granting Mailbox Permissions to Folders Without Using Delegation  39
    Opening the Additional Mailbox  40
    Granting Mailbox Permissions Through Active Directory  43
  Controlling Public Folder Permissions  45
    Creating and Setting Permissions on Public Folders in Outlook 2003  46
    Creating and Setting Permissions on Public Folders in System Manager  49
    Setting Permissions on Top-Level Public Folders in Exchange System Manager  53
  Your A** Is Covered If You…  53

Chapter 4 SMTP Security  55
  In this Chapter  55
  Securing the SMTP Service  56
    SMTP Authentication Settings  59
    Secure SMTP Communication  60
    Setting Relay Restrictions  62
    SMTP Connectors and Relaying  64
    Setting Mailbox Message Limits  67
    Setting Mailbox Message Limits Globally  68
    Configuring Internet Message Formats  69
    Setting Public Folder Limits  70
    Protecting Mail-Enabled Groups  71
    Enabling SMTP Protocol Logging  72
    Modifying the SMTP Banner  75
    Configure a Corporate Legal Disclaimer  79
  SMTP Relaying  80
    Open Relay Test Methods  83
  E-Mail Address Spoofing  85
    Authentication and Resolving E-Mail Addresses  86
    Reverse DNS Lookup  87
  Internet Mail Headers  89
  Your A** Is Covered If You…  92

Chapter 5 Securing the Outlook Web Access Server  93
  In this Chapter  93
  OWA Authentication  94
    OWA Virtual Directories  94
    Authentication Methods  98
    Read, Write, Browse, and Execute Permissions  100
      Connection Limits  101
  Enabling SSL on OWA  103
    Installing the Microsoft Certificate Service  104
    Creating the Certificate Request  108
    Third-Party Certificates  116
  Restricting User Access  116
    Disabling OWA Access for a Specific User  117
    Disabling OWA Access for a Server  119
    OWA Segmentation  119
  Allowing Password Changes Through OWA  120
    Creating the IISADMPWD Virtual Directory  121
    Enabling the Change Password Button in OWA  124
    Testing the Change Password Feature in OWA  125
  Redirecting HTTP Requests to SSL Requests  127
  Your A** Is Covered If You…  131

Chapter 6 OWA Front-End/Back-End Deployment Scenarios  133
  In this Chapter  133
  Deploying a Single-Server Scenario  134
  Deploying a Front-End/Back-End Scenario  136
    HTTP Authentication  136
    Using Dual Authentication  137
    Using Pass-Through Authentication  138
  Securing a Front-End Server  139
    Disabling Unnecessary Front-End Services  140
    Dismounting and Deleting the Mailbox Store  141
    Dismounting and Deleting the Public Folder Store  143
    Front-End Servers in the Perimeter Network  144
      Allowing RPC Traffic Through the Intranet Firewall  145
      Disallowing RPC Traffic Through the Intranet Firewall  146
      Using IPSec  148
      URLScan  150
    Front-End Servers on the Internal Network  150
  Exchange 2003 Behind an ISA Server 2000  152
    Publishing the Exchange 2003 Services  153
    Message Screener  154
    OWA 2003 Publishing  154
    More ISA Server Information  155
  Your A** Is Covered If You…  156

Chapter 7 Outlook Web Access Client Security Features  157
  In this Chapter  157
  S/MIME Support  158
  Junk E-Mail Filter  162
    Safe Senders  163
    Safe Recipients  164
    Blocked Senders  164
  Web Beacon Blocking  166
  Enhanced Attachment Blocking  168
  Forms-Based Authentication  170
    Username and Password  173
    Clients: Premium and Basic  173
    Security: Public or Shared Computer and Private Computer  174
  Your A** Is Covered If You…  177

Chapter 8 Exchange Protocol/Client Encryption  179
  In this Chapter  179
  Encrypting SMTP Traffic  180
    Configuring SMTP with TLS/SSL  180
    Enabling TLS/SSL for Inbound Mail  185
    Enabling TLS/SSL for Outbound Mail  187
    Enabling TLS/SSL for One or More Domains  188
    Enabling IPSec Between SMTP Servers  188
    Encrypting MAPI Information on the Network  189
  Encrypting POP3 and IMAP4 Traffic  190
  Securing Clients Using S/MIME  192
    Using S/MIME  193
    Enabling S/MIME and Outlook  194
  Configuring RPC over HTTP(S)  195
    Requirements  196
    Configure RPC Over HTTP on a Front-End Server  198
    Specifying the RPC Proxy Ports  202
    Disabling DCOM Support in RPC over HTTP  204
    Configuring the Client  205
  Your A** Is Covered If You…  212

Chapter 9 Combating Spam  213
  In this Chapter  213
  Client-Side Filtering  214
    Safe Senders  217
    Safe Recipients  218
    Blocked Senders  219
  Server-Side Filtering  222
    Connection Filtering  224
      Display Name  225
      DNS Suffix of Provider  225
      Custom Error Message to Return  227
      Return Status Code  227
      Disable This Rule  228
    Exception Lists  229
    Global Accept and Deny List  230
    Recipient Filtering  234
      Filtering Recipients Not in the Directory  235
    Sender Filtering  235
  The Intelligent Message Filter  237
    Things Worth Noting About the IMF  238
  Your A** Is Covered If You…  240

Chapter 10 Protecting Against Viruses  241
  In this Chapter  241
    E-Mail Viruses  242
  Server-Side Protection  244
    Exchange Server  245
    SMTP Gateway  248
  Client-Side Protection  249
  Educate Your Users  250
    Default Outlook 2003 Attachment Blocking  251
  Cleaning Up After a Virus Outbreak  254
  Your A** Is Covered If You…  260
