Securing Your Exchange Messaging Environment


Topic Last Modified: 2005-05-25

Follow these steps to secure your Exchange messaging environment:

  1. Update your server software.

  2. Secure the messaging environment.

  3. Secure communications.

To secure your messaging system, complete these steps in the order given.

After you install Exchange Server 2003, you should update the server software on your Exchange servers and any other server that Exchange communicates with, such as global catalog servers and domain controllers. For more information about updating your software with the latest security updates, see the Microsoft® Exchange Server Security Center Web site. For more information about Microsoft security, see the Microsoft Security Web site.

An alternative best practice to placing your front-end Exchange 2003 servers in the perimeter network is to deploy Microsoft Internet Security and Acceleration (ISA) Server 2000. ISA Server acts as advanced firewalls that control Internet traffic entering your network. When you use this configuration, you put all your Exchange 2003 servers in your corporate network and use ISA Server as the advanced firewall server exposed to Internet traffic in your perimeter network.

Securing the messaging environment also involves configuring the front-end servers in a manner that disables the features and settings for the front-end server that are not necessary in a front-end and back-end server architecture. For more information about how to configure a front-end server for the front-end and back-end server architecture, see Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topologies.

All inbound Internet traffic bound to your Exchange servers (such as Outlook Web Access, RPC over HTTP communication from Microsoft® Office Outlook® 2003 clients, Outlook Mobile Access, Post Office Protocol version 3 (POP3), Internet Message Access Protocol version 4rev1 (IMAP4), and so on) is processed by the ISA Server. When ISA Server receives a request for an Exchange server, ISA Server proxies the requests to the appropriate Exchange servers on your internal network. The internal Exchange servers return the requested data to the ISA Server, and then ISA Server sends the information to the client through the Internet. The following figure shows an example of a recommended ISA Server deployment.

Deploying Exchange 2003 behind ISA Server

ISA Server on Perimeter Network

To secure communications for your Exchange messaging environment, you need to do the following tasks:

  • Secure the communications between the client messaging applications and the Exchange front-end server.

  • Secure the communications between the Exchange front-end server and the internal network.

The following sections include information about securing communications for these two situations.

To secure data transmitted between the client and the front-end server, it is highly recommended that you enable the front-end server to use Secure Sockets Layer (SSL). Additionally, to ensure that user data is always secure, you should configure the front-end server to require SSL (you can set this option in the SSL configuration). When using basic authentication, it is critical to protect the network traffic by using SSL to protect user passwords from network packet sniffing.

If you do not use SSL between clients and the front-end server, HTTP data transmission to your front-end server will not be secure. It is highly recommended that you configure the front-end server to require SSL.

It is recommended that you obtain an SSL certificate by purchasing a certificate from a third-party certification authority (CA). Purchasing a certificate from a certification authority is the preferred method because most browsers trust many of these certification authorities.

As an alternative, you can use Certificate Services to install your own certification authorities. Although installing your own certification authority may be less expensive, browsers will not trust your certificate, and users will receive a warning message indicating that the certificate is not trusted. For more information about SSL, see Microsoft Knowledge Base article 320291, "XCCC: Turning On SSL for Exchange 2000 Server Outlook Web Access."

To protect outbound and inbound mail, deploy SSL to encrypt messaging traffic. You can configure SSL security features on an Exchange server to verify the integrity of your content, verify the identity of users, and encrypt network transmissions. Exchange, like any Web server, requires a valid server certificate to establish SSL communications. You can use the Web Server Certificate Wizard to either generate a certificate request file (NewKeyRq.txt, by default) that you can send to a certification authority, or to generate a request for an online certification authority, such as Microsoft Certificate Services.

If you are not using Certificate Services to issue your own server certificates, a third-party certification authority must approve your request and issue your server certificate. For more information about server certificates, see "Obtaining and Installing Server Certificates" later in this section. Depending on the level of identification assurance offered by your server certificate, you can expect to wait several days to several months for the certification authority to approve your request and send you a certificate file. You can have only one server certificate for each Web site.

After you receive a server certificate file, use the Web Server Certificate Wizard to install it. The installation process attaches (or binds) your certificate to a Web site.

If you require 128-bit key encryption, your users must use Web browsers that support 128-bit encryption. For more information about upgrading to 128-bit encryption capability, see the Microsoft Product Support Services Web site.

For a detailed overview of the steps required to configure Secure Sockets Layer, see How to Use SSL to Secure the Communications Between the Client Messaging Applications and the Exchange Front-End Server.

The first step in configuring SSL is to configure the Web site or file that you want to protect to require SSL. You do this using IIS Manager. For detailed steps for configuring this initial setting, see How to Set Up SSL on a Server.

You can obtain server certificates from an outside CA, or you can issue your own server certificates by using Microsoft Certificate Services. After you obtain a server certificate, you can install it. When you use the Web Server Certificate Wizard to obtain and install a server certificate, the process is referred to as creating and assigning a server certificate.

This section explains the issues to consider when deciding whether to obtain your server certificates from an outside CA or to issue your own server certificates. This section includes the following information:

  • Obtaining server certificates from a CA

  • Issuing your own server certificates

  • Installing server certificates

  • Backing up server certificates

If you are replacing your current server certificate, IIS continues to use that certificate until the new request has been completed. When you are selecting a CA, consider the following questions:

  • Will the CA be able to issue a certificate that is compatible with all the browsers used to access my server?

  • Is the CA a recognized and trusted organization?

  • How will the CA provide verification of my identity?

  • Does the CA have a system for receiving online certificate requests, such as requests generated by the Web Server Certificate Wizard?

  • How much will the certificate cost initially, and how much will renewal or other services cost?

  • Is the CA familiar with my organization or my company's business interests?

Some certification authorities require you that you prove your identity before they will process your request or issue a certificate.

For detailed steps for obtaining a server certificate from a certification authority, see How to Obtain a Server Certificate from a Certification Authority.

When deciding whether to issue your own server certificates, consider the following:

  • Understand that Microsoft Certificate Services accommodates different certificate formats and provides for auditing and logging of certificate-related activity.

  • Compare the cost of issuing your own certificates against the cost of buying a certificate from a certification authority.

  • Remember that your organization will require an initial adjustment period to learn, implement, and integrate Certificate Services with existing security systems and policies.

  • Assess the willingness of your connecting clients to trust your organization as a certificate supplier.

Use Certificate Services to create a customizable service for issuing and managing certificates. You can create server certificates for the Internet or for corporate intranets, which gives your organization complete control over certificate management policies. For more information about using Certificate Services, see "Certificate Services" in Microsoft® Windows Server™ 2003 Help.

Online requests for server certificates can be made only to local and remote Enterprise Certificate Services and remote stand-alone Certificate Services. The Web Server Certificate Wizard does not recognize a stand-alone installation of Certificate Services on the same computer when requesting a certificate. If you need to use Web Server Certificate Wizard on the same computer as a stand-alone Certificate Services installation, use the offline certificate request to save the request to a file and then process it as an offline request. For more information about using Certificate Services, see "Certificate Services" in Microsoft Windows Server 2003 Help.

If you open a Server Gated Cryptography (SGC) certificate, you may receive the following notice on the General tab: The certificate has failed to verify for all its intended purposes. This notice is issued because of how SGC certificates interact with Windows and does not necessarily indicate that the certificate does not work correctly.

After you obtain a server certificate from a CA, or after you issue your own server certificate by using Certificate Services, use the Web Server Certificate Wizard to install it.

You can use the Web Server Certificate Wizard to back up server certificates. Because IIS works closely with Windows, you can use Certificate Manager, which is called Certificates in Microsoft Management Console (MMC), to export and back up your server certificates. After you install Certificate Manager, you can back up your certificate.

After you configure your network to issue server certificates, you need to secure your Exchange front-end server and the services for your Exchange server by requiring SSL communication to the Exchange front-end server. You do this by enabling SSL for your default Web site.


Community Additions