Module 10
Securing Microsoft® Exchange Server 2010
Module Overview
• Configuring Role-Based Access Control

• Configuring Audit Logging

• Configuring Secure Internet Access
Lesson 1: Configuring Role-Based Access Control
• What Is Role-Based Access Control?

• What Are Management Role Groups?

• Built-In Management Role Groups

• Demonstration: Managing Permissions Using the Built-In Role Groups
• Process for Configuring Custom Role Groups

• Demonstration: Configuring Custom Role Groups

• What Are Management Role Assignment Policies?

• What Are Exchange Server Split Permissions?

• Configuring RBAC Split Permissions

• Configuring Active Directory Split Permissions
What Is Role-Based Access Control?

RBAC defines all Exchange Server 2010 permissions, and is
applied by all Exchange Server management tools


RBAC defines which cmdlets a user can run, in terms of:

 • Who: the users who can modify objects
 • What: the objects and attributes that can be modified
 • Where: the scope or context of the objects that can be modified




RBAC options include:

  • Management role groups
  • Management role assignment policies
  • Direct policy assignment (avoid using)
What Are Management Role Groups?

[Diagram: a role group ("Help Desk", the WHO) whose role holders are "Maria", "Ian" and "Pat" is linked by role assignments, each with a configuration read/write scope and a recipient read/write scope (the WHERE), to management roles ("User Options", "View-only Recipients") whose role entries (the WHAT) are individual cmdlets such as "Get-Mailbox"]

 Component          Description
 Role Holder        Mailboxes, universal security groups, users, distribution groups, or role groups
 Role Group         Higher-level job function
 Role Assignment    Binding layer between role group and management role
 Management Role    Task-based permissions
 Role Entries       Individual permissions (cmdlets and parameters)
Built-In Management Role Groups



Management role groups include:
   •   Organization Management
   •   View-Only Organization Management
   •   Recipient Management
   •   Unified Messaging Management
   •   Discovery Management
   •   Records Management
   •   Server Management
   •   Help Desk
   •   Public Folder Management
   •   Delegated Setup
Demonstration: Managing Permissions Using the Built-In Role Groups

In this demonstration, you will see how to
• Add role holders to a role group

• Verify the permissions assigned to the built-in role groups
Process for Configuring Custom Role Groups


1. Identify the role groups and the role group members

2. Identify the management roles to assign to the group

3. Identify the management scope

4. Create the role group using the ECP or the New-RoleGroup cmdlet
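The four steps above carried out in the Exchange Management Shell, as an added example that is not part of the course material. The OU "contoso.com/Sales", the security group "Sales Helpdesk" and the role group and scope names are assumed.

```powershell
# Added example (not from the course): delegate mailbox and distribution group
# management for a single OU to a help-desk team. Assumed names: OU
# "contoso.com/Sales", security group "Sales Helpdesk", scope and role group
# names below.

# Steps 1 and 2: who gets the permissions, and only the roles the task needs.
$members = "Sales Helpdesk"
$roles   = "Mail Recipients", "Distribution Groups"

# Step 3: a custom recipient write scope limited to mailboxes under one OU.
$scope = New-ManagementScope -Name "Sales OU Mailboxes" `
    -RecipientRoot "contoso.com/Sales" `
    -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"

# Step 4: create the role group; the write scope applies to every role
# assignment the cmdlet creates for it.
$roleGroup = New-RoleGroup -Name "Sales Mailbox Admins" `
    -Roles $roles -Members $members `
    -CustomRecipientWriteScope $scope.Name `
    -Description "Help desk: mailbox and DL management for the Sales OU only"

# Verify what the group can do (roles) and where (write scope).
Get-ManagementRoleAssignment -RoleAssignee $roleGroup.Name |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# Verify from the other direction: which individual users now hold these roles
# through the group's membership.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup.Name -GetEffectiveUsers |
    Select-Object Role, EffectiveUserName |
    Sort-Object Role, EffectiveUserName -Unique
```

Because New-RoleGroup accepts either -CustomRecipientWriteScope or -RecipientOrganizationalUnitScope, the scope object is only needed when the OU alone is not a precise enough boundary.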
Demonstration: Configuring Custom Role Groups

In this demonstration, you will see how to create a custom
role group
What Are Management Role Assignment Policies?

Management role assignment policies assign permissions to
users to manage their mailboxes or distribution groups


 Component                          Explanation
 Mailbox                            Each mailbox is assigned one role assignment policy
 Management role assignment policy  Object for associating management roles with mailboxes
 Management role                    Container for grouping other RBAC components
 Management role assignment         Associates management roles with management role assignment policies
 Management role entry              Defines which Exchange cmdlets the user can run on their own mailbox or groups
Working with Management Role Assignment Policies


In most organizations, the default management role
assignment policy will meet all requirements


You can modify the default configuration by:
  • Modifying the default management role assignment
    policy to add or remove management roles
  • Defining a new default management role assignment
    policy
  • Creating new management role assignments and
    explicitly assigning them to mailboxes
What Are Exchange Server Split Permissions?

Split permissions separates creation of security principals in
AD DS—such as users and security groups—from the
subsequent configuration of those objects through Exchange
Server 2010 tools


 With Exchange Server split permissions:

  • You remove the ability for Exchange administrators to
    create security principals using Exchange
    administration tools
  • You can choose between two models:
     • RBAC split permissions
     • Active Directory split permissions



 Available with Exchange Server 2010 SP1 or newer
Configuring RBAC Split Permissions
You must configure RBAC split permissions manually, as
follows:

 1. Verify that Active Directory split permissions have not been enabled

 2. Create a new role group for AD DS administrators

 3. Create regular and delegating role assignments for the new role group for the appropriate roles

 4. Remove the regular and delegating management role assignments between the Mail Recipient Creation role and both the Organization Management and Recipient Management role groups

 5. Remove the regular and delegating role assignments between the Security Group Creation and Membership role and the Organization Management role group
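The five manual steps as Exchange Management Shell commands, added here as an example and not taken from the course. The AD DS administrators' security group "AD Account Admins" and the role group name are assumed, and the step 1 check assumes that enabling Active Directory split permissions removes the Mail Recipient Creation assignments.

```powershell
# Added example (not from the course): RBAC split permissions. Assumed names:
# security group "AD Account Admins", role group "AD Split Permissions Admins".
$splitRoles = "Mail Recipient Creation", "Security Group Creation and Membership"

# Step 1: assumption used here: when AD split permissions is enabled, Setup
# removes every assignment of the Mail Recipient Creation role, so finding
# assignments means AD split permissions is NOT enabled and we may continue.
$creation = Get-ManagementRoleAssignment -Role "Mail Recipient Creation"
if (-not $creation) {
    throw "No Mail Recipient Creation assignments exist: AD split permissions appears to be enabled; RBAC split permissions does not apply."
}

# Step 2: the role group for the AD DS administrators who will own creation of
# security principals. New-RoleGroup creates the REGULAR assignments for -Roles.
$adAdmins = New-RoleGroup -Name "AD Split Permissions Admins" `
    -Roles $splitRoles -Members "AD Account Admins" `
    -Description "Creates users and security groups; Exchange admins only configure them"

# Step 3: add the DELEGATING assignments so this group can also delegate the roles.
foreach ($role in $splitRoles) {
    New-ManagementRoleAssignment -Role $role -SecurityGroup $adAdmins.Name -Delegating
}

# Step 4: Exchange administrators lose the ability to create mail recipients.
# Without -Delegating, Get-ManagementRoleAssignment returns both regular and
# delegating assignments, so one pipeline removes both kinds.
foreach ($group in "Organization Management", "Recipient Management") {
    Get-ManagementRoleAssignment -Role "Mail Recipient Creation" -RoleAssignee $group |
        Remove-ManagementRoleAssignment -Confirm:$false
}

# Step 5: Organization Management loses security group creation and membership.
Get-ManagementRoleAssignment -Role "Security Group Creation and Membership" `
    -RoleAssignee "Organization Management" |
    Remove-ManagementRoleAssignment -Confirm:$false

# Check: only the new role group should hold either role now.
foreach ($role in $splitRoles) {
    Get-ManagementRoleAssignment -Role $role |
        Format-Table Role, RoleAssignee, RoleAssignmentDelegationType -AutoSize
}
```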
Configuring Active Directory Split Permissions

Active Directory split permissions is configured automatically
during Setup or when you specify the command:
setup.com /PrepareAD /ActiveDirectorySplitPermissions:true


 Results of Active Directory split permissions:

  • Cannot create security principals with Exchange
    Server management tools
  • Cannot manage distribution group members with
    Exchange Server management tools
  • Exchange Trusted Subsystem and Exchange servers
    cannot create security principals
  • Exchange servers and Exchange management tools
    can only modify Exchange attributes of existing Active
    Directory security principals
Lesson 2: Configuring Audit Logging
• What Is Administrator Audit Logging?

• What Is Mailbox Audit Logging?

• Demonstration: Configuring Audit Logging
What Is Administrator Audit Logging?

 Administrator audit logging enables you to track changes
 made to the Exchange environment by administrators


 Administrator audit logging:

   • Is enabled by default in Exchange Server 2010 SP1
   • Can be configured with Set-AdminAuditLogConfig
   • Logs all cmdlets and parameters by default except for
     Test-, Get-, and Search- cmdlets
   • Supports searches using the Exchange Management
     Shell and the Exchange Control Panel



 Perform detailed log searches with the Search-AdminAuditLog
 and New-AdminAuditLogSearch cmdlets
What Is Mailbox Audit Logging?


 Mailbox audit logging is used to track mailbox access by
 mailbox owners, delegates, and administrators


 Mailbox audit logging:

   • Must be enabled on a per-mailbox basis using the
     Set-Mailbox cmdlet
   • Does not automatically log owner access unless
     specified to do so
   • Supports non-owner access reports through the
     Exchange Control Panel



 Perform detailed log searches with the Search-MailboxAuditLog
 and New-MailboxAuditLogSearch cmdlets
Demonstration: Configuring Audit Logging

In this demonstration, you will see how to enable audit
logging and to search audit logs
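Enabling and searching both kinds of audit log, as an added example that is not the course's demonstration script. The mailbox "cfo@contoso.com" and the reviewer mailbox "audit@contoso.com" are assumed.

```powershell
# Added example (not from the course). Assumed names: audited mailbox
# "cfo@contoso.com", report recipient "audit@contoso.com".

# --- Administrator audit logging (organization-wide) ---
# Log every cmdlet and every parameter (the default already skips Get-, Test-
# and Search- cmdlets) and keep entries for a year so a permission change made
# months ago can still be traced to the administrator who made it.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets "*" -AdminAuditLogParameters "*" `
    -AdminAuditLogAgeLimit 365.00:00:00

# Who changed RBAC in the last 7 days? These cmdlets grant or remove
# permissions, so a hit outside an approved change window needs a follow-up.
$since = (Get-Date).AddDays(-7)
Search-AdminAuditLog -StartDate $since -EndDate (Get-Date) `
    -Cmdlets Add-RoleGroupMember, New-RoleGroup, New-ManagementRoleAssignment, Remove-ManagementRoleAssignment |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded |
    Sort-Object RunDate

# --- Mailbox audit logging (per mailbox) ---
# Log administrator and delegate actions on a sensitive mailbox; owner actions
# stay off (the default), because they are noisy and rarely the concern.
Set-Mailbox -Identity "cfo@contoso.com" -AuditEnabled $true `
    -AuditAdmin Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, MessageBind `
    -AuditDelegate Update, SoftDelete, HardDelete, SendAs, SendOnBehalf, FolderBind `
    -AuditLogAgeLimit 180

# Synchronous search: every non-owner access to that mailbox in the last 30 days.
Search-MailboxAuditLog -Identity "cfo@contoso.com" -LogonTypes Admin, Delegate `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation, FolderPathName, ClientIPAddress

# Asynchronous search for a longer range: the XML report is mailed to the
# reviewer rather than returned to the shell.
New-MailboxAuditLogSearch -Name "CFO non-owner access, last quarter" `
    -Mailboxes "cfo@contoso.com" -LogonTypes Admin, Delegate `
    -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -StatusMailRecipients "audit@contoso.com" -ShowDetails
```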
Lesson 3: Configuring Secure Internet Access
• Exchange Server Security Guidelines

• Secure Internet Access Components

• Deploying Exchange Server 2010 for Internet Access

• Securing Client Access Traffic from the Internet

• Securing SMTP Connections from the Internet

• Benefits of Using Reverse Proxy

• Demonstration: Configuring Threat Management Gateway for Outlook Web App
Exchange Server Security Guidelines



Implement the following best-practice security measures:
  • Install all security updates and software updates
  • Run Exchange Best Practices Analyzer regularly
  • Avoid running additional software on Exchange
    servers
  • Install and maintain anti-virus software
  • Enforce complex password policies
Secure Internet Access Components

Providing Internet access for Exchange Server may include:

  • Enabling messaging clients to connect to the Client
    Access server
  • Enabling IMAP4/POP3 clients to send SMTP email



Enabling secure access to the Exchange servers may require:

  •   VPN
  •   Firewall configuration
  •   Reverse proxy configuration
Deploying Exchange Server 2010 for Internet Access

[Diagram: an Internet client connects through a firewall either to the Edge Transport server (SMTP) or through a firewall or reverse proxy to the Client Access server; behind them sit the Hub Transport server, the Mailbox server and the domain controller]

 Protocol                  Unsecure port    TLS/SSL port
 HTTP                      80               443
 POP3                      110              995
 IMAP4                     143              993
 SMTP                      25               25
 SMTP client submission    587              587
Securing Client Access Traffic from the Internet



To provide secure client access from the Internet:

  •   Create and configure a server certificate
  •   Require SSL for all virtual directories
  •   Enable only required client access methods
  •   Require secure authentication
  •   Enforce remote client security
  •   Require TLS/SSL for IMAP4 and POP3 access
  •   Implement an application layer firewall or reverse proxy
Securing SMTP Connections from the Internet


Secure SMTP connections from the Internet may be
required for IMAP4 or POP3 clients


To secure the SMTP connections:

  •   Enable TLS/SSL for SMTP client connections
  •   Use the Client Receive Connector (Port 587)
  •   Ensure that anonymous relay is disabled
  •   Enable IMAP4 and POP3 selectively
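The client access and SMTP hardening items from the two slides above as Exchange Management Shell commands, added here as an example that is not from the course. The server "CAS01", the certificate name "mail.contoso.com" and the distribution group "IMAP Users" are assumed; requiring SSL on the virtual directories is IIS configuration and is not shown.

```powershell
# Added example (not from the course). Assumed names: Client Access/Hub
# Transport server "CAS01", certificate subject "mail.contoso.com",
# distribution group "IMAP Users" holding the users who need IMAP4.

# 1. Server certificate: bind an already-imported, valid certificate to the
#    Internet-facing services so HTTPS, POP3S/IMAPS and SMTP TLS all present
#    the same trusted name.
$cert = Get-ExchangeCertificate -Server "CAS01" |
    Where-Object { $_.Subject -like "CN=mail.contoso.com*" -and $_.Status -eq "Valid" } |
    Select-Object -First 1
if (-not $cert) { throw "No valid certificate for mail.contoso.com on CAS01" }
Enable-ExchangeCertificate -Server "CAS01" -Thumbprint $cert.Thumbprint -Services IIS, POP, IMAP, SMTP

# 2. POP3/IMAP4: SecureLogin refuses credentials unless the session is already
#    protected by SSL or TLS, so no plaintext logons cross the Internet.
Set-PopSettings  -Server "CAS01" -LoginType SecureLogin -X509CertificateName "mail.contoso.com"
Set-ImapSettings -Server "CAS01" -LoginType SecureLogin -X509CertificateName "mail.contoso.com"

# 3. Enable only required access methods: POP3/IMAP4 off for everyone, then
#    IMAP4 back on for the members of one group.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false
foreach ($member in Get-DistributionGroupMember -Identity "IMAP Users") {
    Set-CASMailbox -Identity $member.DistinguishedName -ImapEnabled $true
}

# 4. SMTP client submission on port 587: the Client receive connector must
#    negotiate TLS before authentication, and only authenticated Exchange
#    users may submit mail through it.
Set-ReceiveConnector -Identity "CAS01\Client CAS01" `
    -RequireTLS $true `
    -AuthMechanism Tls, BasicAuthRequireTLS, Integrated `
    -PermissionGroups ExchangeUsers `
    -Fqdn "mail.contoso.com"

# 5. Anonymous relay check: a connector is an open relay when ANONYMOUS LOGON
#    holds the ms-Exch-SMTP-Accept-Any-Recipient right on it (an Allow ACE).
function Get-AnonymousRelayConnector {
    param([string]$Server = "CAS01")
    Get-ReceiveConnector -Server $Server | Where-Object {
        $ace = Get-ADPermission -Identity $_.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" |
            Where-Object { -not $_.Deny -and $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" }
        $null -ne $ace
    }
}
Get-AnonymousRelayConnector | ForEach-Object {
    Write-Warning "$($_.Identity) allows anonymous relay: remove the right or restrict RemoteIPRanges"
}
```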
Benefits of Using Reverse Proxy



A reverse proxy provides:

  • Security: Internet client connections are terminated
    on the reverse proxy
  • Application layer filtering: Inspect the contents of
    network traffic
  • SSL bridging: All connections to the reverse proxy
    and to the Client Access server are encrypted
  • Load balancing: Arrays of reverse proxy servers can
    distribute network traffic for a single URL
  • SSL offloading: SSL requests can be terminated on
    the reverse proxy
Demonstration: Configuring Threat Management Gateway for Outlook Web App

In this demonstration, you will see how to configure an
Outlook Web App publishing role
Lab: Securing Exchange Server 2010
• Exercise 1: Configuring Exchange Server Permissions

• Exercise 2: Configuring Audit Logging

• Exercise 3: Configuring a Reverse Proxy for Exchange Server Access

Logon information

Estimated time: 60 minutes
Lab Scenario
A. Datum Corporation has deployed Exchange Server 2010. The
company security officer has provided you with a set of
requirements to ensure that the Exchange Server deployment is
as secure as possible. The requirements include the following
specific concerns:
• Exchange Server administrators should have minimal
  permissions, which means that whenever possible, you should
  delegate Exchange Server management permissions.
• Ensure that client connections to the Client Access servers are
  as secure as possible by deploying a TMG server.
Lab Review
• In the lab, you configured Exchange Server permissions
  by using a custom role group. How did you limit the
  types of tasks the delegated administrators could
  perform and on what objects they could perform the
  tasks?
• How would the TMG configuration in the lab change if
  you were enabling access for an IMAP4 client?
Module Review and Takeaways
• Review Questions

• Common Issues and Troubleshooting Tips

• Real-World Issues and Scenarios

• Best Practices

Contenu connexe

Tendances

01.egovFrame Training Book II
01.egovFrame Training Book II01.egovFrame Training Book II
01.egovFrame Training Book IIChuong Nguyen
 
JUDCon London 2011 - Elastic SOA on the Cloud, Steve Millidge
JUDCon London 2011 - Elastic SOA on the Cloud, Steve MillidgeJUDCon London 2011 - Elastic SOA on the Cloud, Steve Millidge
JUDCon London 2011 - Elastic SOA on the Cloud, Steve MillidgeC2B2 Consulting
 
Lap around windows azure
Lap around windows azureLap around windows azure
Lap around windows azureManish Corriea
 
Developing and deploying windows azure applications
Developing and deploying windows azure applicationsDeveloping and deploying windows azure applications
Developing and deploying windows azure applicationsManish Corriea
 
Kerberos: The Four Letter Word
Kerberos: The Four Letter WordKerberos: The Four Letter Word
Kerberos: The Four Letter WordKenneth Maglio
 
Integrating sps 2010 and windows azure
Integrating sps 2010 and windows azureIntegrating sps 2010 and windows azure
Integrating sps 2010 and windows azureManish Corriea
 
Dekho security overview
Dekho security overviewDekho security overview
Dekho security overviewjpradeep1982
 
iPlanet request-processing
iPlanet request-processingiPlanet request-processing
iPlanet request-processingvsjava
 
BUG - BEA Users\' Group, Jan16 2003
BUG - BEA Users\' Group, Jan16 2003BUG - BEA Users\' Group, Jan16 2003
BUG - BEA Users\' Group, Jan16 2003Sanjeev Kumar
 
Contextual Dependency Injection for Apachecon 2010
Contextual Dependency Injection for Apachecon 2010Contextual Dependency Injection for Apachecon 2010
Contextual Dependency Injection for Apachecon 2010Rohit Kelapure
 
Ejb3.1 for the starter
Ejb3.1 for the starterEjb3.1 for the starter
Ejb3.1 for the startershohancse
 
Integration of Web Service Stacks in an Esb
Integration of Web Service Stacks in an EsbIntegration of Web Service Stacks in an Esb
Integration of Web Service Stacks in an EsbWen Zhu
 
Understanding
Understanding Understanding
Understanding Arun Gupta
 
Weblogic 12c Graphical Mode installation steps in Windows
Weblogic 12c Graphical Mode installation steps in Windows Weblogic 12c Graphical Mode installation steps in Windows
Weblogic 12c Graphical Mode installation steps in Windows webservicesm
 

Tendances (20)

Oracle OSB Tutorial 2
Oracle OSB Tutorial 2Oracle OSB Tutorial 2
Oracle OSB Tutorial 2
 
01.egovFrame Training Book II
01.egovFrame Training Book II01.egovFrame Training Book II
01.egovFrame Training Book II
 
JUDCon London 2011 - Elastic SOA on the Cloud, Steve Millidge
JUDCon London 2011 - Elastic SOA on the Cloud, Steve MillidgeJUDCon London 2011 - Elastic SOA on the Cloud, Steve Millidge
JUDCon London 2011 - Elastic SOA on the Cloud, Steve Millidge
 
Lap around windows azure
Lap around windows azureLap around windows azure
Lap around windows azure
 
Developing and deploying windows azure applications
Developing and deploying windows azure applicationsDeveloping and deploying windows azure applications
Developing and deploying windows azure applications
 
Kerberos: The Four Letter Word
Kerberos: The Four Letter WordKerberos: The Four Letter Word
Kerberos: The Four Letter Word
 
Integrating sps 2010 and windows azure
Integrating sps 2010 and windows azureIntegrating sps 2010 and windows azure
Integrating sps 2010 and windows azure
 
Where should I be encrypting my data?
Where should I be encrypting my data? Where should I be encrypting my data?
Where should I be encrypting my data?
 
Dekho security overview
Dekho security overviewDekho security overview
Dekho security overview
 
Java EE and Glassfish
Java EE and GlassfishJava EE and Glassfish
Java EE and Glassfish
 
iPlanet request-processing
iPlanet request-processingiPlanet request-processing
iPlanet request-processing
 
BUG - BEA Users\' Group, Jan16 2003
BUG - BEA Users\' Group, Jan16 2003BUG - BEA Users\' Group, Jan16 2003
BUG - BEA Users\' Group, Jan16 2003
 
Server 2008 R2 Yeniliklər
Server 2008 R2 YeniliklərServer 2008 R2 Yeniliklər
Server 2008 R2 Yeniliklər
 
iPlanet Request Processing
iPlanet Request ProcessingiPlanet Request Processing
iPlanet Request Processing
 
Contextual Dependency Injection for Apachecon 2010
Contextual Dependency Injection for Apachecon 2010Contextual Dependency Injection for Apachecon 2010
Contextual Dependency Injection for Apachecon 2010
 
Ejb3.1 for the starter
Ejb3.1 for the starterEjb3.1 for the starter
Ejb3.1 for the starter
 
Integration of Web Service Stacks in an Esb
Integration of Web Service Stacks in an EsbIntegration of Web Service Stacks in an Esb
Integration of Web Service Stacks in an Esb
 
Javabeans .pdf
Javabeans .pdfJavabeans .pdf
Javabeans .pdf
 
Understanding
Understanding Understanding
Understanding
 
Weblogic 12c Graphical Mode installation steps in Windows
Weblogic 12c Graphical Mode installation steps in Windows Weblogic 12c Graphical Mode installation steps in Windows
Weblogic 12c Graphical Mode installation steps in Windows
 

En vedette

En vedette (7)

10135 a 00
10135 a 0010135 a 00
10135 a 00
 
50357 a enu-labmanual01
50357 a enu-labmanual0150357 a enu-labmanual01
50357 a enu-labmanual01
 
10135 b 03
10135 b 0310135 b 03
10135 b 03
 
10135 a xa
10135 a xa10135 a xa
10135 a xa
 
war and peace perpektif etis kristen
war and peace perpektif etis kristenwar and peace perpektif etis kristen
war and peace perpektif etis kristen
 
10135 b 13
10135 b 1310135 b 13
10135 b 13
 
10135 a 09
10135 a 0910135 a 09
10135 a 09
 

Similaire à 10135 b 10

10135 a 10
10135 a 1010135 a 10
10135 a 10Bố Su
 
01 power center 8.6 basics
01 power center 8.6 basics01 power center 8.6 basics
01 power center 8.6 basicsuthayan87
 
(ATS3-APP08) Top 10 things every Symyx Notebook by Accelrys Administrator sho...
(ATS3-APP08) Top 10 things every Symyx Notebook by Accelrys Administrator sho...(ATS3-APP08) Top 10 things every Symyx Notebook by Accelrys Administrator sho...
(ATS3-APP08) Top 10 things every Symyx Notebook by Accelrys Administrator sho...BIOVIA
 
Better Enterprise Integration With the WSO2 ESB 4.5.1
Better Enterprise Integration With the WSO2 ESB 4.5.1Better Enterprise Integration With the WSO2 ESB 4.5.1
Better Enterprise Integration With the WSO2 ESB 4.5.1WSO2
 
Cache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure EnvironmentCache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure EnvironmentInterSystems Corporation
 
Necto 16 training 17 - administration
Necto 16 training 17 -  administrationNecto 16 training 17 -  administration
Necto 16 training 17 - administrationPanorama Software
 
20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...
20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...
20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...garrett honeycutt
 
Oracle Enterprise Manager Security: A Practitioners Guide
Oracle Enterprise Manager Security: A Practitioners GuideOracle Enterprise Manager Security: A Practitioners Guide
Oracle Enterprise Manager Security: A Practitioners GuideCourtney Llamas
 
SSIS : Ftp and script task
SSIS : Ftp and script taskSSIS : Ftp and script task
SSIS : Ftp and script taskKiki Noviandi
 
Chef - Evolving with Infrastructure Automation
Chef - Evolving with Infrastructure AutomationChef - Evolving with Infrastructure Automation
Chef - Evolving with Infrastructure AutomationNathaniel Brown
 
Windows Small Business Server 2011 Nasıl Kullanılır
Windows Small Business Server 2011 Nasıl KullanılırWindows Small Business Server 2011 Nasıl Kullanılır
Windows Small Business Server 2011 Nasıl KullanılırMustafa
 
Oracle Enterprise Manager Security A Practitioners Guide
Oracle Enterprise Manager Security A Practitioners GuideOracle Enterprise Manager Security A Practitioners Guide
Oracle Enterprise Manager Security A Practitioners GuideCourtney Llamas
 
24 Hours Of Exchange Server 2007 (Part 1 Of 24)
24 Hours Of Exchange Server 2007 (Part 1 Of 24)24 Hours Of Exchange Server 2007 (Part 1 Of 24)
24 Hours Of Exchange Server 2007 (Part 1 Of 24)Harold Wong
 
Asp.net membership anduserroles_ppt
Asp.net membership anduserroles_pptAsp.net membership anduserroles_ppt
Asp.net membership anduserroles_pptShivanand Arur
 

Similaire à 10135 b 10 (20)

10135 a 10
10135 a 1010135 a 10
10135 a 10
 
01 power center 8.6 basics
01 power center 8.6 basics01 power center 8.6 basics
01 power center 8.6 basics
 
Exchange Server 2010
Exchange Server 2010Exchange Server 2010
Exchange Server 2010
 
(ATS3-APP08) Top 10 things every Symyx Notebook by Accelrys Administrator sho...
(ATS3-APP08) Top 10 things every Symyx Notebook by Accelrys Administrator sho...(ATS3-APP08) Top 10 things every Symyx Notebook by Accelrys Administrator sho...
(ATS3-APP08) Top 10 things every Symyx Notebook by Accelrys Administrator sho...
 
Better Enterprise Integration With the WSO2 ESB 4.5.1
Better Enterprise Integration With the WSO2 ESB 4.5.1Better Enterprise Integration With the WSO2 ESB 4.5.1
Better Enterprise Integration With the WSO2 ESB 4.5.1
 
10135 b 02
10135 b 0210135 b 02
10135 b 02
 
Cache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure EnvironmentCache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure Environment
 
Informatica9.0
Informatica9.0Informatica9.0
Informatica9.0
 
Necto 16 training 17 - administration
Necto 16 training 17 -  administrationNecto 16 training 17 -  administration
Necto 16 training 17 - administration
 
20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...
20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...
20111110 how puppet-fits_into_your_existing_infrastructure_and_change_managem...
 
Oracle Enterprise Manager Security: A Practitioners Guide
Oracle Enterprise Manager Security: A Practitioners GuideOracle Enterprise Manager Security: A Practitioners Guide
Oracle Enterprise Manager Security: A Practitioners Guide
 
SSIS : Ftp and script task
SSIS : Ftp and script taskSSIS : Ftp and script task
SSIS : Ftp and script task
 
Chef - Evolving with Infrastructure Automation
Chef - Evolving with Infrastructure AutomationChef - Evolving with Infrastructure Automation
Chef - Evolving with Infrastructure Automation
 
Windows Small Business Server 2011 Nasıl Kullanılır
Windows Small Business Server 2011 Nasıl KullanılırWindows Small Business Server 2011 Nasıl Kullanılır
Windows Small Business Server 2011 Nasıl Kullanılır
 
SBS 2011 Kullanimi
SBS 2011 KullanimiSBS 2011 Kullanimi
SBS 2011 Kullanimi
 
EXCHANGE SERVER 2010
EXCHANGE SERVER 2010EXCHANGE SERVER 2010
EXCHANGE SERVER 2010
 
Oracle Enterprise Manager Security A Practitioners Guide
Oracle Enterprise Manager Security A Practitioners GuideOracle Enterprise Manager Security A Practitioners Guide
Oracle Enterprise Manager Security A Practitioners Guide
 
10135 b 04
10135 b 0410135 b 04
10135 b 04
 
24 Hours Of Exchange Server 2007 (Part 1 Of 24)
24 Hours Of Exchange Server 2007 (Part 1 Of 24)24 Hours Of Exchange Server 2007 (Part 1 Of 24)
24 Hours Of Exchange Server 2007 (Part 1 Of 24)
 
Asp.net membership anduserroles_ppt
Asp.net membership anduserroles_pptAsp.net membership anduserroles_ppt
Asp.net membership anduserroles_ppt
 

Plus de Wichien Saisorn (10)

10135 b 12
10135 b 1210135 b 12
10135 b 12
 
10135 b 11
10135 b 1110135 b 11
10135 b 11
 
10135 b 09
10135 b 0910135 b 09
10135 b 09
 
10135 b 08
10135 b 0810135 b 08
10135 b 08
 
10135 b 07
10135 b 0710135 b 07
10135 b 07
 
10135 b 06
10135 b 0610135 b 06
10135 b 06
 
10135 b 05
10135 b 0510135 b 05
10135 b 05
 
10135 b 01
10135 b 0110135 b 01
10135 b 01
 
10135 b 00
10135 b 0010135 b 00
10135 b 00
 
10135 b xa
10135 b xa10135 b xa
10135 b xa
 

10135 b 10

  • 1. Module 10 Securing Microsoft® Exchange Server 2010
  • 2. Module Overview • Configuring Role-Based Access Control • Configuring Audit Logging • Configuring Secure Internet Access
  • 3. Lesson 1: Configuring Role-Based Access Control • What Is Role-Based Access Control? • What Are Management Role Groups? • Built-In Management Role Groups • Demonstration: Managing Permissions Using the Built-In Role Groups • Process for Configuring Custom Role Groups • Demonstration: Configuring Custom Role Groups • What Are Management Role Assignment Policies? • What Are Exchange Server Split Permissions? • Configuring RBAC Split Permissions • Configuring Active Directory Split Permissions
  • 4. What Is Role-Based Access Control? RBAC defines all Exchange Server 2010 permissions, and is applied by all Exchange Server management tools RBAC defines which cmdlets the user can run : • Who: Can modify objects • What: Objects and attributes that can be modified • Where: Scope or context of objects that can be modified RBAC options include: • Management role groups • Management role assignment policies • Direct policy assignment (avoid using)
  • 5. What Are Management Role Groups? Role Holder Role Management Assignment Role Role Role Group Entries “User Options” “Help Desk” Role “Maria” Assignment “Ian” Management Role Role Entries “Pat” “Get-Mailbox” Configuration WHO Read/Write Scope “View-only Recipients” WHERE Recipient Read/Write Scope WHAT Role Holder Role Group Role Management Role Entries Assignment Role Mailboxes or universal Higher-level Binding layer Task-based Individual security groups or users or job function permissions permissions distribution groups or role groups
  • 6. Built-In Management Role Groups Management role groups include: • Organization Management • View-Only Organization Management • Recipient Management • Unified Messaging Management • Discovery Management • Records Management • Server Management • Help Desk • Public Folder Management • Delegated Setup
  • 7. Demonstration: Managing Permissions Using the Built-In Role Groups In this demonstration, you will see how to • Add role holders to a role group • Verify the permissions assigned to the built-in role groups
  • 8. Process for Configuring Custom Role Groups 1 Identify the role groups and the role group members 2 Identify the management roles to assign the group 3 Identify the management scope Create the role group using the ECP or the New- 4 RoleGroup cmdlet
  • 9. Demonstration: Configuring Custom Role Groups In this demonstration, you will see how to create a custom role group
  • 10. What Are Management Role Assignment Policies? Management role assignment policies assign permissions to users to manage their mailboxes or distribution groups Component Explanation Mailbox Each mailbox is assigned one role assignment policy Management role Object for associating management assignment policy roles with mailboxes Management role Container for grouping other RBAC components Management role Associates management roles with assignment management role assignment policies Management role entry Defines what Exchange cmdlets the user can run on their mailboxes or groups
  • 11. Working with Management Role Assignment Policies In most organizations, the default management role assignment policy will meet all requirements You can modify the default configuration by: • Modifying the default management role assignment policy to add or remove management roles • Defining a new default management role assignment policy • Creating a new management role assignments and explicitly assigning them to mailboxes
  • 12. What Are Exchange Server Split Permissions? Split permissions separates creation of security principals in AD DS—such as users and security groups—from the subsequent configuration of those objects through Exchange Server 2010 tools With Exchange Server split permissions: • You remove the ability for Exchange administrators to create security principals using Exchange administration tools • You can choose between two models: • RBAC split permissions • Active Directory split permissions Available with Exchange Server 2010 SP1 or newer
  • 13. Configuring RBAC Split Permissions You must configure RBAC split permissions manually, as follows: Verify that Active Directory split permissions have not 1 been enabled 2• Create a new role group for AD DS administrators Create regular and delegating role assignments for the 3 new role group for appropriate roles Remove regular and delegating management role assignments between the Mail Recipient Creation role, 4 and both the Organization Management and Recipient Management role groups Remove the regular and delegating role assignments 5 between the Security Group Creation and Membership role, and the Organization Management role group
  • 14. Configuring Active Directory Split Permissions Active Directory split permissions is configured automatically during Setup or when you specify the command: setup.com /PrepareAD /ActiveDirectorySplitPermissions:true Active Directory split permissions results: • Cannot create security principals with Exchange Server management tools • Cannot manage distribution group members with Exchange Server management tools • Exchange Trusted Subsystem and Exchange servers cannot create security principals • Exchange servers and Exchange management tools can only modify Exchange attributes of existing Active Directory security principals
  • 15. Lesson 2: Configuring Audit Logging • What Is Administrator Audit Logging? • What Is Mailbox Audit Logging? • Demonstration: Configuring Audit Logging
  • 16. What Is Administrator Audit Logging? Administrator audit logging enables you to track changes made to the Exchange environment by administrators Administrator audit logging: • Is enabled by default in Exchange Server 2010 SP1 • Can be configured with Set-AdminAuditLogConfig • Logs all cmdlets and parameters by default except for Test-, Get-, and Search- cmdlets • Supports searches using the Exchange Management Shell and the Exchange Control Panel Perform detailed log searches with the Search- AdminAuditLog and New-AdminAuditLogSearch cmdlets
  • 17. What Is Mailbox Audit Logging? Mailbox Audit logging is used to track mailbox access by mailbox owners, delegates and administrators Mailbox audit logging: • Must be enabled on a per-mailbox basis using the Set- Mailbox cmdlet • Does not automatically log owner access unless specified to do so • Supports non-owner access reports through the Exchange Control Panel Perform detailed log searches with the Search- MailboxAuditLog and New-MailboxAuditLogSearch cmdlets
  • 18. Demonstration: Configuring Audit Logging In this demonstration, you will see how to enable audit logging and to search audit logs
  • 19. Lesson 3: Configuring Secure Internet Access • Exchange Server Security Guidelines • Secure Internet Access Components • Deploying Exchange Server 2010 for Internet Access • Securing Client Access Traffic from the Internet • Securing SMTP Connections from the Internet • Benefits of Using Reverse Proxy • Demonstration: Configuring Threat Management Gateway for Outlook Web App
• 20. Exchange Server Security Guidelines Implement the following best-practice security measures: • Install all security updates and software updates • Run Exchange Best Practices Analyzer regularly • Avoid running additional software on Exchange servers • Install and maintain anti-virus software • Enforce complex password policies
  • 21. Secure Internet Access Components Providing Internet access for Exchange Server may include: • Enabling messaging clients to connect to the Client Access server • Enabling IMAP4/POP3 clients to send SMTP email Enabling secure access to the Exchange servers may require: • VPN • Firewall configuration • Reverse proxy configuration
• 22. Deploying Exchange Server 2010 for Internet Access (diagram: Client, Firewall, Edge Transport Server, Firewall or Reverse Proxy, Client Access Server, Hub Transport Server, Mailbox Server, Domain Controller) Default ports, listed as unsecure port / TLS/SSL port: • HTTP 80 / 443 • POP3 110 / 995 • IMAP4 143 / 993 • SMTP 25 / 25 • SMTP client submission 587 / 587
  • 23. Securing Client Access Traffic from the Internet To provide secure client access from the Internet: • Create and configure a server certificate • Require SSL for all virtual directories • Enable only required client access methods • Require secure authentication • Enforce remote client security • Require TLS/SSL for IMAP4 and POP3 access • Implement an application layer firewall or reverse proxy
  • 24. Securing SMTP Connections from the Internet Secure SMTP connections from the Internet may be required for IMAP4 or POP3 clients To secure the SMTP connections: • Enable TLS/SSL for SMTP client connections • Use the Client Receive Connector (Port 587) • Ensure that anonymous relay is disabled • Enable IMAP4 and POP3 selectively
  • 25. Benefits of Using Reverse Proxy A reverse proxy provides: • Security: Internet client connections are terminated on the reverse proxy • Application layer filtering: Inspect the contents of network traffic • SSL bridging: All connections to the reverse proxy and to the Client Access server are encrypted • Load balancing: Arrays of reverse proxy servers can distribute network traffic for a single URL • SSL offloading: SSL requests can be terminated on the reverse proxy
• 26. Demonstration: Configuring Threat Management Gateway for Outlook Web App In this demonstration, you will see how to configure an Outlook Web App publishing rule
• 27. Lab: Securing Exchange Server 2010 • Exercise 1: Configuring Exchange Server Permissions • Exercise 2: Configuring Audit Logging • Exercise 3: Configuring a Reverse Proxy for Exchange Server Access Logon information Estimated time: 60 minutes
  • 28. Lab Scenario A. Datum Corporation has deployed Exchange Server 2010. The company security officer has provided you with a set of requirements to ensure that the Exchange Server deployment is as secure as possible. The specific concerns included in the requirements include: • Exchange Server administrators should have minimal permissions, which means that whenever possible, you should delegate Exchange Server management permissions. • Ensure that client connections to the Client Access servers are as secure as possible by deploying a TMG server.
  • 29. Lab Review • In the lab, you configured Exchange Server permissions by using a custom role group. How did you limit the types of tasks the delegated administrators could perform and on what objects they could perform the tasks? • How would the TMG configuration in the lab change if you were enabling access for an IMAP4 client?
  • 30. Module Review and Takeaways • Review Questions • Common Issues and Troubleshooting Tips • Real-World Issues and Scenarios • Best Practices

Editor's Notes

1. Module 10: Securing Microsoft Exchange Server 2010 Course 10135B Presentation: 70 minutes Lab: 60 minutes After completing this module, students will be able to: Configure role-based access control (RBAC) Configure security for server roles in Microsoft® Exchange Server 2010 Configure secure Internet access Required materials To teach this module, you need the Microsoft Office PowerPoint® file 10135B_10.pptx. Important: We recommend that you use PowerPoint 2002 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not display correctly. Preparation tasks To prepare for this module: Read all of the materials for this module. Practice performing the demonstrations and the lab exercises. Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance. Note about the demonstrations: To prepare for the demonstrations, start the 10135B-VAN-DC1 virtual machine and log on to the server before starting the other virtual machines. To save time during the demonstrations, log on to the Exchange servers and open the Exchange Server management tools before starting the demonstrations. Additionally, connect to the Microsoft Outlook® Web App site on the Exchange servers, and then log on as Administrator. It can take more than a minute to open the management tools and Outlook Web App for the first time.
4. If you have students with Exchange Server experience, highlight how RBAC differs from how permissions were assigned in previous versions. Exchange Server 2003 enables you to use Active Directory® directory service groups to assign permissions at the organization or administrative group level. In Exchange Server 2007, you could assign permissions at the organization or individual server level. In both cases, Exchange Server did not provide options for configuring granular permissions, and offered limited options for configuring permissions. In Exchange Server 2010, you can configure very precise permissions, right down to enabling access to specific cmdlets and attributes. Another difference between how you could assign permissions in Exchange Server 2003 and Exchange Server 2007, and how you assign them in Exchange Server 2010, is that in the previous Exchange Server versions, you assigned permissions by modifying the Access Control Lists (ACLs) on Active Directory objects. In Exchange Server 2010, however, you configure which cmdlets users can run. Question: What requirements does your organization have for assigning Exchange Server permissions? Does your organization use a centralized or decentralized administration model? What special permissions will you need to configure? Answer: Answers will vary. In most organizations, a central team of Exchange Server administrators likely will maintain full control of the Exchange Server environment, while another team may need permissions to create mailboxes. Other organizations may have complicated administrative scenarios in which different groups need many different permission levels.
5. As you teach this content, explain that a management role is just a container that groups together the other RBAC components. The RBAC components define: What tasks an administrator can perform. Who is granted permission to perform the tasks. Where the user can perform the task. Stress that you can define each of these components at a high level or at a specific level. A management role entry can allow or deny access to all Exchange Server cmdlets, to a specific Exchange Server cmdlet, or even to a particular parameter on a cmdlet. Management role groups provide an easy way to assign permissions in Exchange Server. By using the default groups, or creating custom groups with specific permissions, you can manage all permissions by just assigning mailboxes to role groups. As you click to display the graphic on the slide, explain how you connect role holders with roles.
6. Similar to previous Exchange Server versions, Exchange Server 2010 contains a default set of groups that you can use to assign permissions in the Exchange Server organization. Mention that for most organizations, the default set of role groups provides all required flexibility. Only organizations with very specific permission-delegation requirements need to use custom management role groups and management roles. Avoid describing all of the built-in role groups in detail. Instead, highlight a few, and point out the table in the student notes that provides details about all the roles.
7. Stress that for most small- and medium-sized organizations that do not have complicated permission assignment scenarios, the easiest way to manage Exchange Server permissions is to add users or security groups to the built-in Exchange Server security groups in Active Directory Domain Services (AD DS) or Active Directory. These groups are automatically assigned the management role. Ask students which of the built-in role groups they will use in their organization. Answers will vary. Small- or medium-sized organizations, where one set of administrators is the only group that performs any recipient management or Exchange Server management tasks, may use only the Organization Management role group. Organizations with decentralized administrative processes are much more likely to use other management roles to delegate permissions. Preparation Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, and 10135B-VAN-EX2 virtual machines are running. Log on to 10135B-VAN-DC1 and 10135B-VAN-EX1 as Administrator with the password Pa$$w0rd. Log on to 10135B-VAN-EX2 as Conor using the password Pa$$w0rd. Demonstration Steps Note: If you get an error that no MRS servers are available, verify that the Microsoft Exchange Mailbox Replication service is running on both VAN-EX1 and VAN-EX2. On VAN-EX1, open Active Directory Users and Computers. Expand Adatum.com, click Microsoft Exchange Security Groups, and then double-click Recipient Management. On the Members tab, click Add. In the Enter the object names to select field, type Conor, and then press OK twice. On VAN-EX2, ensure that you are logged on as Conor. Open the Exchange Management Console. In the User Account Control dialog box, click Yes. Open the Exchange Management Shell. In the Exchange Management Console, expand Microsoft Exchange On-Premises, and then expand Organization Configuration.
Point out that Conor has Read access to the Exchange Server organization configuration because the Recipient Management group has been granted implicit Read permission to the organization. Click Mailbox, and in the Results pane, verify that you do not have sufficient permissions to view the data. Expand Recipient Configuration, click Mailbox, and then double-click Axel Delgado.
8. In the Axel Delgado Properties dialog box, click the Organization tab, verify that you can modify the user properties, and then click OK. Right-click Axel Delgado, and then click New Local Move Request. On the Introduction page, click Browse. In the Select Mailbox Database dialog box, click Mailbox Database 1, click OK, click Next two times, click New, and then click Finish. Note: If you get an error that no MRS servers are available, verify that the Microsoft Exchange Mailbox Replication service is running on both VAN-EX1 and VAN-EX2. In the Exchange Management Shell, type get-exchangeserver | FL, and then press Enter. The user account has Read permission to the Exchange server information. At the PS prompt, type Set-User Axel -Title Manager, and then press Enter. Verify that Conor has permission to modify the Active Directory account. Log off VAN-EX2.
9. Mention that this topic provides a process overview about creating new custom management roles. The following demonstration will provide more details about how to perform the steps. As you describe this process, consider using an example scenario in which users might want to use a custom role. For example: 1. They may be configuring a role group that enables human resources (HR) administrators to configure the organization and personal settings for each user. You will need to create the appropriate group, and identify which users will be group members. 2. Because this group will work with recipients, you will need to identify the management roles that relate to recipient management. 3. In this scenario, you might not need to limit the scope for the role group. If they need to be able to manage recipients in the entire organization, do not limit the scope. If you want to limit which recipients you want the HR administrators to manage, you could limit the scope to specific recipients. 4. Run the cmdlet to create the role group.
10. Discuss scenarios in which organizations might choose to create a new custom role group. The slide and notes below describe one possible scenario for choosing to create a custom role group. Encourage students to provide other suggestions, and then describe the components required to implement the custom role group. Preparation Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, and 10135B-VAN-EX2 virtual machines are running. Log on to 10135B-VAN-DC1 and 10135B-VAN-EX1 as Administrator with the password Pa$$w0rd. Do not log on to 10135B-VAN-EX2 at this point. Demonstration Steps On VAN-EX1, connect to https://van-ex1.adatum.com/ecp. Log in as Adatum\Administrator using the password Pa$$w0rd. Beside Options, click Manage My Organization. Click Roles & Auditing. Under Role Groups, click New. In the New Role Group dialog box, fill in the following information, and then click Save: Name: MarketingAdmins Write scope: Click Organizational Unit, and type adatum.com/Marketing Roles: Add Mail Recipients and Mail Recipient Creation. Members: Add Andreas Herbinger On VAN-EX1, open Active Directory Users and Computers. Click Microsoft Exchange Security Groups and verify that the MarketingAdmins group was created and that Andreas is a member of the group. On VAN-EX2, log on as Adatum\Andreas using the password Pa$$w0rd. Open the Exchange Management Console. Click Yes. In the Exchange Management Console, expand Microsoft Exchange On-Premises, and then expand Recipient Configuration. Click Mailbox, and then double-click Axel Delgado.
11. In the Axel Delgado Properties dialog box, click the Organization tab, modify one of the properties, and then click OK. Verify that the change is not saved. Double-click Manoj Syamala. In the Manoj Syamala Properties dialog box, click the Organization tab, modify one of the properties, and then click OK. Verify that the change is saved. Click New Mailbox. Create a new mailbox in the default Users container. Verify that the user cannot create mailboxes in the Users container. Click New Mailbox. Create a new mailbox in the Marketing OU. Verify that the user can create mailboxes in the Marketing OU. Question: Will you implement custom management roles in your organization? If so, how will you configure the management roles? Answer: Answers will vary. Most organizations probably do not need custom management roles. Large organizations that have complicated administrative processes may require several custom management roles.
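The same scoped role group, created and verified from the Exchange Management Shell instead of the Exchange Control Panel, as an added example that is not part of the course material; it reuses the demonstration's names (MarketingAdmins, adatum.com/Marketing, Andreas), which you would replace with your own.

```powershell
# Added example (not from the course): build the demonstration's MarketingAdmins
# role group from the shell, then verify the two things the lab review asks
# about: which TASKS members may perform (the roles) and on which OBJECTS (the
# write scope). Names are the demonstration's and are assumptions here.

$groupName = "MarketingAdmins"
$scopeOU   = "adatum.com/Marketing"
$roles     = "Mail Recipients", "Mail Recipient Creation"

# One cmdlet creates the universal security group under Microsoft Exchange
# Security Groups and one role assignment per role, each limited to
# recipients inside the Marketing OU.
New-RoleGroup -Name $groupName `
    -Roles $roles `
    -RecipientOrganizationalUnitScope $scopeOU `
    -Members "Andreas" `
    -Description "Recipient administration limited to the Marketing OU"

# TASKS: list the cmdlets (role entries) that each assigned role grants.
foreach ($role in $roles) {
    Write-Output "Cmdlets granted by role '$role':"
    Get-ManagementRoleEntry "$role\*" |
        Sort-Object Name |
        Format-Table Name, Parameters -AutoSize
}

# OBJECTS: every assignment for the group must have an OU write scope.
# An assignment whose RecipientWriteScope is 'Organization' would let the
# members modify any recipient in the forest, so report it as a finding.
$findings = @()
foreach ($a in Get-ManagementRoleAssignment -RoleAssignee $groupName) {
    if ($a.RecipientWriteScope -ne "OU") {
        $findings += "$($a.Name): write scope is '$($a.RecipientWriteScope)', expected OU $scopeOU"
    } else {
        # The OU itself is shown in CustomRecipientWriteScope for OU-scoped
        # assignments (assumption based on the assignment object's properties).
        Write-Output "$($a.Name): scoped to $($a.CustomRecipientWriteScope)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "All assignments for $groupName are limited to an OU write scope"
} else {
    foreach ($f in $findings) { Write-Warning $f }
}

# Membership check: who actually holds these permissions right now.
Get-RoleGroupMember $groupName | Format-Table Name, RecipientType -AutoSize
```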
12. Highlight the similarities between management role assignment policies and role groups. In both cases, group management roles assign all the permissions, and each role contains a set of management role entries. The primary difference between management role assignment policies and role groups is that you can use role assignment policies to configure permissions for the objects that users own. Because of this, you cannot configure a scope for management role assignment policies. Question : How will you configure role assignment policies in your organization? Answer: Answers will vary, but for most organizations, the default configuration should suffice. Organizations normally change the default configuration only when there is a specific requirement to change how users interact with their mailboxes.
13. It can be difficult for students to understand which permissions Exchange Server assigns by default for the organization. To show this, run the Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" cmdlet. This cmdlet lists all the management roles that Exchange Server assigns to the default role assignment policy. To view the details of each management role, use the Get-ManagementRole rolename | FL cmdlet. For example, run the Get-ManagementRole MyBaseOptions | FL cmdlet, and describe the role entries assigned to this management role.
14. Explain what split permissions are. Emphasize that this feature is not appropriate for all organizations, but only those that actually split administration of the Exchange Server infrastructure and the Active Directory Domain Services (AD DS) infrastructure, and have different IT teams for these services. Explain the differences between RBAC split permissions and Active Directory split permissions, and note that Microsoft recommends using RBAC split permissions. Also, identify scenarios in which RBAC and Active Directory split permissions are appropriate. Be sure to tell the students that Exchange Server 2010, by default, does not use either of these permissions models. Like Exchange Server 2003 and Exchange Server 2007, it uses the shared permissions model by default.
15. Explain that the RBAC split permissions model is not configured automatically. If you want to use it, you must configure it manually with the Exchange Management Shell. Explain the configuration process at a high level, and tell the students that they will perform the procedure in the lab. Emphasize that besides creating a new role group, you must also remove permissions to create AD DS security principals from existing built-in groups.
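The RBAC split permissions procedure this note refers to, written out as an added example (not the course's own lab steps): create a role group for the AD DS team, strip the principal-creating roles from the built-in groups, and verify the result. The role group name is an assumption.

```powershell
# Added example (not the course's lab steps): configure the RBAC split
# permissions model. Afterwards only members of the new role group can create
# security principals in AD DS through the Exchange tools; the built-in
# Exchange groups keep every other recipient permission.
# The group name is an assumption; pick one that matches your AD DS team.

$adTeamGroup = "Active Directory Administrators"

# The two built-in roles that create security principals (users, mailboxes,
# security groups) or change security group membership.
$principalRoles = "Mail Recipient Creation", "Security Group Creation and Membership"

# Built-in groups that hold regular assignments of those roles by default.
$builtInHolders = "Organization Management", "Recipient Management"

# Step 1: a role group for the AD DS team holding exactly those two roles.
New-RoleGroup -Name $adTeamGroup -Roles $principalRoles `
    -Description "Creates AD DS security principals; Exchange admins do not"

# Step 2: remove the REGULAR assignments of those roles from the built-in
# groups. Delegating assignments (-Delegating $true) grant no cmdlets; they
# only let a group hand the role to others and are what lets Organization
# Management keep administering RBAC, so they are left in place. That is
# also why this is a 'soft' split: Organization Management could re-delegate
# the roles, which is the case Active Directory split permissions closes.
foreach ($role in $principalRoles) {
    Get-ManagementRoleAssignment -Role $role -Delegating $false |
        Where-Object { $builtInHolders -contains $_.RoleAssigneeName } |
        ForEach-Object {
            Write-Output "Removing regular assignment $($_.Name)"
            Remove-ManagementRoleAssignment -Identity $_.Name -Confirm:$false
        }
}

# Step 3: verify. Each principal-creating role should now be held (as a
# regular assignment) only by the new group; anything else is a gap.
foreach ($role in $principalRoles) {
    $holders = Get-ManagementRoleAssignment -Role $role -Delegating $false |
        ForEach-Object { $_.RoleAssigneeName } |
        Sort-Object -Unique
    $unexpected = @($holders | Where-Object { $_ -ne $adTeamGroup })
    if ($unexpected.Count -gt 0) {
        Write-Warning "'$role' is still assigned to: $($unexpected -join ', ')"
    } else {
        Write-Output "'$role' is held only by $adTeamGroup"
    }
}
```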
16. Tell students that they can configure Active Directory split permissions during Exchange Server 2010 setup, or later, by executing setup.com with the /PrepareAD parameter. Be sure that students fully understand the consequences of deploying Active Directory split permissions.
17. Explain the importance of logging, and tell students that Exchange Server 2010 provides new tools and technologies for logging administrative tasks and user mailbox activity.
18. Define administrator audit logging. Explain why it is important to have it available. Mention that administrator audit logging is not enabled by default in Exchange Server 2010, but is enabled by default in Exchange Server 2010 SP1. Explain why the Test-, Get-, and Search- cmdlets are not logged automatically. Also, explain that you can use the Exchange Control Panel for simple log searches, and you can use the Exchange Management Shell for detailed log searches. Refer to the student handbook to explain the parameters that are available for configuring administrator audit logging.
19. Start this topic by asking students about scenarios in which they might need to, or have the right to, access other mailboxes. Also, discuss potential misuse of this process, and then define mailbox audit logging. Be sure to explain the differences between administrator audit logging and mailbox audit logging. Also, discuss owner-access logging.
20. Preparation Ensure that the 10165A-VAN-DC1-B, 10165A-VAN-EX1-B, and 10165A-VAN-EX2-B virtual machines are running. Log on to all virtual machines as Contoso\Administrator using the password Pa$$w0rd. Demonstration Steps Log on to VAN-EX1 and VAN-EX2 as Adatum\Administrator using the password Pa$$w0rd. On VAN-EX1, open the Exchange Management Shell from the Start menu. In the Exchange Management Shell window, type Get-AdminAuditLogConfig, and then press Enter. In the results list, ensure that AdminAuditLogEnabled has the value True. Note that Test-* cmdlet logging is disabled, and that all cmdlets are being logged with all parameters. Note the parameter values for TestCmdletLoggingEnabled, AdminAuditLogCmdlets, and AdminAuditLogParameters. Open the Exchange Management Console. In the Exchange Management Console, expand Recipient Configuration, click Mailbox, right-click Anna Lidman, and then click Properties. In the Anna Lidman Properties window, click Mailbox Settings, and then double-click Storage Quotas. Under the Deleted item retention section, clear the check box next to Use mailbox database defaults. In the Keep deleted items for (days) field, type 20, and then click OK twice. In the Exchange Management Shell, type the following command, and then press Enter: Search-AdminAuditLog -Cmdlets Set-Mailbox -StartDate <yesterday's date as mm/dd/yyyy> -EndDate <tomorrow's date as mm/dd/yyyy> Review the results, and ensure that the change made to Anna's mailbox is logged. Note: If no results are returned when you search the administrator audit log, wait a few minutes and repeat this task. It can take up to five minutes for the change to appear in the audit log.
In the Exchange Management Shell, type the following command, and then press Enter: Set-Mailbox -Identity "Jan Dryml" -AuditDelegate SendAs,SendOnBehalf -AuditEnabled $true In the Exchange Management Console, in Recipient Configuration, click Mailbox, right-click Jan Dryml, and then click Manage Send As Permission. In the Manage Send As Permission window, click Add, select Ebru Ersan, click OK, click Manage, and then click Finish. On VAN-EX2, open Windows Internet Explorer®, type https://VAN-EX1.adatum.com/owa, and then press Enter.
21. Log on to Outlook Web App as Adatum\Ebru using the password Pa$$w0rd. Click OK. Click New to create a new message, and then in the Untitled Message window, click Options. In the Message Options window, select the Show From option, and then click OK. In the Untitled Message window, in the From field, type Jan Dryml, and in the To field, type Administrator. Click the Check Names button on the toolbar to verify the names. In the Subject field, type Testing Send As logging. In the message body, type some text, and then click Send. Verify that the message is sent. On VAN-EX1, open Internet Explorer, and then type https://VAN-EX1.adatum.com/ecp. Log on as Adatum\Administrator using the password Pa$$w0rd. Click Roles & Auditing, and then click Auditing. Click Run a non-owner mailbox access report. In the Search for Mailboxes Accessed by Non-Owners window, leave the start date as is, and set the end date to tomorrow's date. In the Search for access by drop-down box, select All non-owners, and then click Search. In the search results, click Jan Dryml, and view the report that shows that Ebru Ersan accessed Terri's mailbox. Click Close, and then exit the Exchange Control Panel.
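The shell side of this demonstration, generalized to every user mailbox and to both audit logs, as an added example (not part of the course): it enables mailbox auditing for delegate and administrator access, pulls the non-owner SendAs/SendOnBehalf events the ECP report shows, and then checks the administrator audit log for anyone changing the auditing setting itself. The mailbox name is the demonstration's; the date window is an assumption.

```powershell
# Added example (not from the course demonstration): enable mailbox audit
# logging for delegate and admin access on all user mailboxes, then run the
# two searches the slides describe. "Jan Dryml" is the demonstration's
# mailbox; the seven-day window is an assumption.

$start = (Get-Date).AddDays(-7)
$end   = (Get-Date).AddDays(1)

# 1. Enable auditing on every user mailbox. Owner access is deliberately left
#    off (it is noisy and is never logged unless requested); delegate and
#    admin actions cover the "someone else read, changed or sent from this
#    mailbox" cases. Entries are kept for 180 days (days.hh:mm:ss).
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true `
        -AuditDelegate SendAs, SendOnBehalf, Update, SoftDelete, HardDelete `
        -AuditAdmin    SendAs, SendOnBehalf, Update, MessageBind, Move, SoftDelete, HardDelete `
        -AuditLogAgeLimit "180.00:00:00"

# 2. Non-owner "send as" and "send on behalf" events for one mailbox.
#    -ShowDetails returns one record per event instead of a per-mailbox
#    summary. Events can take a few minutes to appear, as the demo notes.
$sendEvents = Search-MailboxAuditLog -Identity "Jan Dryml" `
        -LogonTypes Delegate, Admin -ShowDetails `
        -StartDate $start -EndDate $end |
    Where-Object { @("SendAs", "SendOnBehalf") -contains $_.Operation }

$sendEvents |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName, Operation,
                  ItemSubject, ClientIPAddress |
    Format-Table -AutoSize

# 3. The administrator audit log records who changed auditing itself.
#    Any Set-Mailbox call that touched AuditEnabled deserves review: turning
#    auditing off is the first thing to look for when a mailbox goes quiet.
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters AuditEnabled `
        -StartDate $start -EndDate $end |
    Select-Object RunDate, Caller, ObjectModified, CmdletName,
        @{ Name = "AuditEnabled"
           Expression = { ($_.CmdletParameters |
                           Where-Object { $_.Name -eq "AuditEnabled" }).Value } } |
    Format-Table -AutoSize
```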
23. This topic describes the general security practices that students should implement on their Exchange servers and in their Exchange environments. Stress that these are best practices for all types of servers, not just Exchange servers. Ask students if they have other guidelines to add to the list. What processes do they use in their organizations to secure servers, including Exchange servers? Mention that Exchange Server 2010 setup now applies the Windows Firewall rules that each Exchange server role requires.
24. Discuss the option of using a virtual private network (VPN) to provide access to Exchange servers for external clients. Many organizations use this as an option, rather than providing direct access to the Client Access servers. A VPN can have several advantages, such as enabling multifactor authentication and access to internal network resources other than Exchange servers. However, in most cases, a VPN is more complicated to configure than other access methods, and it requires additional configuration in each client computer. Question: What type of access are you enabling from the Internet to your organization’s Exchange servers? Answer: Answers will vary. Many organizations require access to the Client Access servers using a variety of messaging clients such as Microsoft Office Outlook Anywhere, Outlook Web App, or Microsoft Exchange ActiveSync®. Fewer organizations are enabling Internet Message Access Protocol 4 (IMAP4) or Post Office Protocol 3 (POP3) access to the Exchange servers, so fewer organizations need to provide SMTP relay services for these clients.
25. Spend time describing the firewall and server deployment as shown in the diagram. Students should understand that you must deploy all Exchange server roles, except for the Edge Transport server role, on the internal network, not the perimeter network. Students should be familiar with the port numbers, so you can probably review the default ports quickly.
26. Stress that the most critical component in configuring secure client access from the Internet is to configure server certificates on the Client Access server, and to require TLS/SSL authentication protocols for all connections to the server. If you do not implement the certificate and the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol, the user credentials may be sent across the Internet in clear text. One of the key goals of Internet security is to reduce the server attack surface by enabling only required services. If your organization only requires Outlook Web App from the Internet, then disable all other options. Module 3 detailed the authentication options for client access connections. When you discuss these options, the most important point is that Exchange administrators should choose the most secure option available for each client access protocol. Enforcing remote client security may restrict which types of clients you can use to connect to the Client Access server. For example, you cannot enforce security settings on public kiosks, so you may want to block users from using Outlook Web App, and instead force them to use Outlook Anywhere, which you can install on a domain-managed computer.
27. Stress the importance of using TLS/SSL for all client connections. Students may not be familiar with the client receive connector that is enabled on each Hub Transport server. This connector uses TCP port 587 rather than TCP port 25, and it enables POP3 and IMAP4 clients to send email through an email server. RFC 2476 describes using this port to enable message submission from email clients. Consider showing the configuration of the client receive connector. Also, consider demonstrating how to check whether an SMTP server is configured to allow open relay. To do this, open the command prompt on a server with the Telnet client installed, and then type the following commands: Ehlo IS Mail from: Test@domain.com (where the domain name is not the internal SMTP domain name on the SMTP server) Rcpt to: Test@domain.com (where the domain name is not the internal SMTP domain name on the SMTP server) If you receive an OK response, the server is enabled for open relay. If you receive a relay-denied response, the server is configured correctly.
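The configuration-side counterpart to the manual relay test above, as an added example that is not part of the course: it audits every Receive connector on a Hub Transport server for the two conditions the slide lists, no anonymous relay and TLS required before Basic authentication on the client submission connector. Connector names come from whatever exists in your organization; the string matching on AuthMechanism is an assumption about how the flags value renders.

```powershell
# Added example (not from the course): review every Receive connector for the
# settings the slide calls out. Run in the Exchange Management Shell on a Hub
# Transport server. Nothing is changed; findings are reported per connector.

$anonymous = "NT AUTHORITY\ANONYMOUS LOGON"

Get-ReceiveConnector | ForEach-Object {
    $rc    = $_
    $ports = @($rc.Bindings | ForEach-Object { $_.Port })

    # ANONYMOUS LOGON holding ms-Exch-SMTP-Accept-Any-Recipient (and not
    # denied) is what makes a connector relay for any destination: the
    # condition the manual Telnet test above reports as "OK".
    $relayAces = @($rc | Get-ADPermission -User $anonymous |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like "*Accept-Any-Recipient*") })
    $anonRelay = $relayAces.Count -gt 0

    # AuthMechanism is a flags value rendered as "Tls, BasicAuth, ..."
    # (assumption). BasicAuthRequireTLS refuses a password before STARTTLS.
    $flags         = @($rc.AuthMechanism.ToString() -split ",\s*")
    $basicAuth     = $flags -contains "BasicAuth"
    $basicNeedsTls = $flags -contains "BasicAuthRequireTLS"
    $offersTls     = $flags -contains "Tls"
    $isSubmission  = $ports -contains 587

    $findings = @()
    if ($anonRelay) {
        $findings += "anonymous relay allowed"
    }
    if ($basicAuth -and -not $basicNeedsTls) {
        $findings += "Basic authentication accepted without TLS"
    }
    if ($isSubmission -and -not $offersTls) {
        $findings += "client submission port 587 without TLS"
    }
    if ($isSubmission -and -not $rc.RequireTLS) {
        $findings += "TLS offered but not required on port 587"
    }

    $summary = "ok"
    if ($findings.Count -gt 0) { $summary = $findings -join "; " }

    New-Object PSObject -Property @{
        Connector  = $rc.Identity.ToString()
        Ports      = ($ports -join ",")
        PermGroups = $rc.PermissionGroups.ToString()
        Findings   = $summary
    }
} | Format-Table Connector, Ports, PermGroups, Findings -AutoSize
```

A connector that legitimately must relay (for example for an internal application) will show as a finding; the point is that every such exception is known and bound to specific source addresses rather than to the Internet-facing connector.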
28. If students are not familiar with a reverse proxy, consider drawing a diagram on the white board that shows the location of a reverse proxy. Then show how the reverse proxy acts as the termination point for all client connections, both unsecure and secure. Show how you can decrypt SSL connections on the reverse proxy, and how you can re-encrypt them before forwarding them to the Client Access server. Mention that reverse proxies only work with Web-based protocols, such as HTTP. You can configure a reverse proxy to forward SMTP, POP3, or IMAP4 connections, but the reverse proxy does not intercept or scan the client connections for these protocols.
29. Mention that the Microsoft Forefront® Threat Management Gateway (TMG) is Microsoft's replacement for Internet Security and Acceleration Server. This server is one example of a reverse proxy, and it functions the same way as all reverse proxies. Note: In this demonstration, you are configuring an Outlook Web App publishing rule that does not require SSL connections from the client computers. This is not a recommended security practice. If you have the time, consider requesting and importing a certificate on the TMG server and showing students how to configure the rule to use SSL. You can use the steps from Exercise 3 in the lab to do this. Preparation Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, and 10135B-VAN-TMG virtual machines are running. Log on to all virtual machines as Administrator with the password Pa$$w0rd. Demonstration Steps On VAN-TMG, click Start, point to All Programs, click Microsoft Forefront TMG, and then click Forefront TMG Management. Expand Forefront TMG, and then click Firewall Policy. On the Firewall Policy Tasks pane, on the Tasks tab, click Publish Exchange Web Client Access. On the Welcome to the New Exchange Publishing Rule Wizard page, type OWA Access Rule, and then click Next. On the Select Services page, in the Exchange version list, click Exchange Server 2010, select the Outlook Web Access check box, and then click Next. On the Publishing Type page, click Next. On the Server Connection Security page, ensure that Use SSL to connect the published Web server or server farm is configured, and then click Next. When you configure this option, the TMG server re-encrypts all network traffic sent to the Client Access server. On the Internal Publishing Details page, in the Internal site name text box, type VAN-EX1.Adatum.com, and then click Next. On the Public Name Details page, ensure that This domain name (type below) is configured in the Accept requests for drop-down list.
In the Public name box, type mail.Adatum.com, and then click Next. On the Select Web Listener page, in the Web Listener drop-down list, click New. Web listeners are configuration objects on the TMG server that define how the server accepts client connections. On the Welcome to the New Web Listener Wizard page, type HTTP Listener, and then click Next. On the Client Connection Security page, click Do not require SSL secure connections from clients, and then click Next.
  30. Important: In a production environment, you always should use the option to Require SSL secured connections with clients . In this demonstration, the server is not configured with a server certificate, so HTTPS connections are not possible. On the Web Listener IP Addresses page, select the External check box, and then click Next . On the Authentication Settings page, accept the default of HTML Form Authentication , and then click Next . On the Single Sign On Settings page, type Adatum.com as the SSO domain name, click Next , and then click Finish . Click OK . Click Edit , and then on the Authentication tab, click Advanced . Select the Allow client authentication over HTTP check box, and then click OK three times. On the Select Web Listener page, click Next . On the Authentication Delegation page, accept the default of Basic authentication , and then click Next . On the User Sets page, accept the default, and then click Next . On the Completing the New Exchange Publishing Rule Wizard page, click Finish . Click Apply twice to apply the changes, and then click OK once the changes are applied.   Question : Has your company deployed a reverse proxy? If so, what kind? How does your reverse proxy compare to the TMG? Answer: Answers will vary. Many companies have deployed Internet Security and Acceleration (ISA) Server 2006 and are using it to secure messaging client connections. Other companies have deployed hardware-based reverse proxies. Most of the reverse proxies provide the same functionality, but the process for configuring the settings may be very different. Course 10135B Module 10: Securing Microsoft Exchange Server 2010
31. In this lab, students configure Exchange Server permissions, and then configure a reverse proxy for Exchange Server access.

Exercise 1
Inputs: Students are provided with instructions for configuring Exchange Server permissions. The instructions require that students use both the built-in Exchange security groups (role groups) and custom RBAC roles.
Outputs: Students configure Exchange Server organization security using both built-in management roles and custom management roles.

Exercise 2
Inputs: Students are provided with instructions for configuring a proxy server to provide secure access to the Client Access server and Hub Transport server.
Outputs: Students secure the Client Access server and Hub Transport server roles by configuring a reverse proxy.

Before the students begin the lab, read the scenario associated with each exercise to the class. This reinforces the broad issue the students are addressing and helps to facilitate the lab discussion at the end of the module. Remind the students to complete the discussion questions after the last lab exercise.
33. Use the questions on the slide to guide the debriefing after students complete the lab exercises.

Question: In the lab, you configured Exchange Server permissions by using a custom role. How did you limit the types of tasks the delegated administrators could perform, and on what objects they could perform the tasks?

Answer: You limited the types of tasks by removing management role entries (cmdlets, and optionally individual parameters) from the custom management role that was derived from the OrganizationAdministrators management role. You limited the objects the delegated administrators could manage by assigning the role through a role group with a custom management scope, such as an OU or a recipient filter. Note the division of labor: role entries control which cmdlets and parameters can be run; a scope never restricts cmdlets, it only restricts which objects those cmdlets may read or write.

Question: How would the TMG configuration in the lab change if you were enabling access for an IMAP4 client?

Answer: The web publishing rule from the lab only handles HTTP and HTTPS. IMAP4 and SMTP are not web protocols, so you would configure a server publishing rule to publish IMAP4 (normally IMAP4 over SSL, TCP port 993) on the Client Access server. Because IMAP4 only retrieves mail, you would also configure a second server publishing rule to publish an authenticated SMTP submission endpoint (normally TCP port 587) on a Hub Transport server so that the clients can send mail.
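The split between role entries (what) and scopes (where) that the first debrief answer describes, shown end to end in the Exchange Management Shell. This is an added example, not the course lab's own script; the role, scope and role group names, the OU Adatum.com/HelpDesk Users, and the users Maria and Ian are assumptions made for the example.

```powershell
# Added example (not part of the course lab). Run in the Exchange Management
# Shell as a member of Organization Management. Assumed names: the role
# "Adatum Mailbox Editors", the scope "Adatum HelpDesk OU", the role group
# "Adatum Help Desk", the OU Adatum.com/HelpDesk Users, and the users Maria and Ian.

# 1. WHAT (cmdlets): derive a child role from a built-in parent. A child role
#    can only lose role entries relative to its parent, never gain them.
New-ManagementRole -Name "Adatum Mailbox Editors" -Parent "Mail Recipients"

# Keep only the cmdlets the delegated administrators need; remove every other entry.
$keep = "Get-Mailbox", "Set-Mailbox", "Get-User", "Get-Recipient"
Get-ManagementRoleEntry "Adatum Mailbox Editors\*" |
    Where-Object { $keep -notcontains $_.Name } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "Adatum Mailbox Editors\$($_.Name)" -Confirm:$false
    }

# Narrow Set-Mailbox to a parameter allow-list. Without -AddParameter or
# -RemoveParameter, -Parameters replaces the entry's parameter list outright,
# so nothing but these parameters can be used with Set-Mailbox from this role.
Set-ManagementRoleEntry "Adatum Mailbox Editors\Set-Mailbox" `
    -Parameters Identity, DisplayName, CustomAttribute1, Confirm, WhatIf

# 2. WHERE (objects): a scope restricts which recipients the cmdlets may write to.
#    Both the OU root and the recipient filter must match for an object to be in scope.
New-ManagementScope -Name "Adatum HelpDesk OU" `
    -RecipientRoot "Adatum.com/HelpDesk Users" `
    -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"

# 3. WHO: the role group creates the role assignment that ties role, scope and
#    members together. Members inherit nothing beyond this assignment.
New-RoleGroup -Name "Adatum Help Desk" -Roles "Adatum Mailbox Editors" `
    -CustomRecipientWriteScope "Adatum HelpDesk OU" -Members Maria, Ian

# Verify from both ends: the remaining cmdlets/parameters, and the assignment's scope.
Get-ManagementRoleEntry "Adatum Mailbox Editors\*" | Format-Table Name, Parameters -AutoSize
Get-ManagementRoleAssignment -RoleAssignee "Adatum Help Desk" |
    Format-List Role, RecipientWriteScope, CustomRecipientWriteScope
# Expected behaviour: Maria cannot run New-Mailbox at all (no role entry), and
# Set-Mailbox against a mailbox outside the OU fails with a write-scope error.
```

The order matters for a reviewer: trimming the role entries first means the role group never, even briefly, hands out the parent role's full cmdlet set. A practitioner should also keep the Get-* entries the remaining Set-* cmdlets need, because the Exchange Management Console reads objects before it writes them.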
34. Review Questions

Question: You need to enable members of the Human Resources department to configure user mailboxes for the entire organization. What should you do?

Answer: In most cases, you can accomplish this by adding the members of the Human Resources department (or a security group that contains them) to the Recipient Management role group, which is a universal security group in AD DS. If the Recipient Management role group has more permissions than necessary, create a custom role group with a trimmed custom management role instead.

Question: Users in your organization are using POP3 clients from the Internet. These users report that they can receive email, but not send email. What should you do?

Answer: POP3 only retrieves mail; sending requires SMTP. You need to provide the users with an SMTP server that they can use to send email: configure a Receive connector on a Hub Transport server that accepts client submissions from the Internet, and make sure it requires authentication and TLS so that credentials are protected in transit and the server does not become an open relay.

Question: Your organization has deployed Forefront TMG. You need to ensure that remote users can access the Client Access server inside the organization by using mobile phone clients. What should you do?

Answer: You need to configure an Exchange ActiveSync publishing rule in TMG that enables access to the required virtual directory (/Microsoft-Server-ActiveSync) on the Client Access server. Because mobile devices use Basic authentication rather than a logon form, the web listener for this rule should require SSL so that the credentials are never sent in cleartext.

Common Issues and Troubleshooting Tips
Point the students to possible troubleshooting tips for the issues that this section presents.

Real-World Issues and Scenarios

Question: Your organization has configured an SMTP Receive connector on an Edge Transport server to enable IMAP4 users to relay messages. However, you discover that your Edge Transport server is being used to relay spam to other organizations. What should you do?

Answer: When you configured the Edge Transport server to relay messages for IMAP4 users, you enabled anonymous relaying for all users, so anyone on the Internet can relay through the server. Disable message relaying on the Edge Transport server, and enable authenticated relaying on a Hub Transport server so that only users who authenticate can submit mail for external recipients.
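The two SMTP answers above (the POP3 users who cannot send, and the Edge Transport server that became an open relay) come down to the same two Receive connector properties: which extended rights anonymous connections hold, and which authentication mechanisms are offered. The following Exchange Management Shell script is an added example, not course material. It assumes the Hub Transport server VAN-EX1 from the demonstration, that the server still has the default port-587 client connector Exchange Setup creates, and the certificate name mail.Adatum.com; all three are assumptions for the example.

```powershell
# Added example, not from the course. Run in the Exchange Management Shell on the
# server in question (Get-ADPermission also works on an Edge Transport server).
# Assumptions: Hub Transport server VAN-EX1 (from the demonstration), its default
# port-587 client connector, and mail.Adatum.com as the name on the SMTP certificate.

# --- Part 1: find and remove anonymous relay (the Edge Transport scenario) ----
# A Receive connector is an open relay when NT AUTHORITY\ANONYMOUS LOGON holds
# the ms-Exch-SMTP-Accept-Any-Recipient extended right on it.
$openRelay = Get-ReceiveConnector |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { -not $_.Deny -and
                   ($_.ExtendedRights -like "*ms-Exch-SMTP-Accept-Any-Recipient*") }

$openRelay | Format-Table Identity, User, ExtendedRights -AutoSize

foreach ($ace in $openRelay) {
    Remove-ADPermission -Identity $ace.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient" -Confirm:$false
}

# --- Part 2: authenticated client submission on a Hub Transport server ---------
# Setup already creates a client connector bound to port 587 on each Hub
# Transport server; locate it by its binding rather than by name.
$client = Get-ReceiveConnector -Server VAN-EX1 |
    Where-Object { ($_.Bindings | ForEach-Object { $_.ToString() }) -like "*:587" }

# BasicAuthRequireTLS needs BasicAuth and Tls in the list as well; together with
# RequireTLS this means a password is only ever accepted after STARTTLS, and the
# connector never speaks cleartext to the Internet.
$client | Set-ReceiveConnector -Fqdn mail.Adatum.com `
    -RemoteIPRanges 0.0.0.0-255.255.255.255 `
    -AuthMechanism Tls, BasicAuth, BasicAuthRequireTLS `
    -RequireTLS $true `
    -PermissionGroups ExchangeUsers

# Verify: ExchangeUsers grants the relay right to Authenticated Users only, so
# the anonymous check below must return nothing.
$client | Format-List Identity, Bindings, AuthMechanism, RequireTLS, PermissionGroups
$client | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" }
```

The Fqdn value must match a name on the certificate enabled for the SMTP service, otherwise STARTTLS succeeds on the wire but clients that validate the server name reject the connection. Run Part 1 on every Edge and Hub Transport server, not just the one named in the complaint; the relay right is set per connector.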
Question: You have added the ServerAdmins group in your organization to the Exchange Server 2010 Server Management role group in AD DS. All the members of the ServerAdmins group report that they receive errors when they start the Exchange Management Console. What should you do?

Answer: Role group membership gives the users the RBAC permissions, but the Exchange Management Console and Shell connect through remote Windows PowerShell®, and a user whose account has remote Windows PowerShell disabled cannot connect even with the correct roles. You need to enable remote Windows PowerShell for each member of the ServerAdmins group.
35. Question: Your organization is planning to deploy Forefront TMG to enable access to a Client Access server from the Internet. The organization is concerned about the cost of acquiring multiple certificates to enable access, but also wants to ensure that users do not receive certificate-related errors. What should you do?

Answer: To ensure that users do not receive certificate errors, purchase a certificate from a public CA. Request a certificate with multiple subject alternative names (SANs), or a wildcard certificate, so that the one certificate covers every name clients connect to. You can then use the same certificate on the Client Access server, or use a certificate from a private CA on the Client Access server. In the second case, TMG must trust the private CA and the certificate's name must match the internal site name configured in the publishing rule; otherwise the bridged SSL connection from TMG to the Client Access server fails even though the public-facing certificate is valid.

Best Practices
Help the students understand the best practices that this section presents. Ask students to consider these best practices in the context of their own business situations.
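The single-certificate answer above, carried through in the Exchange Management Shell: one SAN request covering the public name, the Autodiscover name, and the internal name TMG bridges to, then the import, the service binding, a check that the internal site name is really on the certificate, and an export of the same certificate for the TMG web listener. This is an added example, not course material; the subject fields, the file paths under C:\Certs, and the three host names are assumptions for the example.

```powershell
# Added example (not course material). Run in the Exchange Management Shell on
# the Client Access server. Assumptions: the names mail.Adatum.com,
# autodiscover.Adatum.com and VAN-EX1.Adatum.com, the subject fields, and the
# paths under C:\Certs are invented for this example.

# 1. One request that covers every name clients and TMG will connect to.
#    -PrivateKeyExportable is required so the same certificate can later be
#    moved to the TMG server as a PFX.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=CA, S=British Columbia, L=Vancouver, O=Adatum, CN=mail.Adatum.com" `
    -DomainName mail.Adatum.com, autodiscover.Adatum.com, VAN-EX1.Adatum.com `
    -KeySize 2048 -PrivateKeyExportable $true -FriendlyName "Adatum CAS"
Set-Content -Path C:\Certs\mail.Adatum.com.req -Value $request

# 2. After the public CA returns the signed certificate, import it and enable it
#    for IIS (Outlook Web App, ActiveSync, Outlook Anywhere) and SMTP (STARTTLS for
#    client submission). Enabling SMTP asks before replacing the default SMTP certificate.
$cert = Import-ExchangeCertificate -FileData (
    [Byte[]]$(Get-Content -Path C:\Certs\mail.Adatum.com.cer -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP

# 3. Check: the name TMG uses as "Internal site name" must be on the certificate,
#    otherwise TMG refuses the bridged SSL connection to the Client Access server.
$installed = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$names = $installed.CertificateDomains | ForEach-Object { $_.ToString() }
if ($names -notcontains "VAN-EX1.Adatum.com") {
    Write-Warning "Certificate does not include the internal site name used by TMG."
}
$installed | Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter

# 4. Export with the private key for the TMG web listener, so the same certificate
#    is presented on both hops. Protect and delete the PFX once TMG has imported it.
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
    -Password (Read-Host "PFX password" -AsSecureString)
Set-Content -Path C:\Certs\mail.Adatum.com.pfx -Value $pfx.FileData -Encoding Byte
```

If the organization chooses the private-CA option for the Client Access server instead, step 4 is not needed, but the private CA's root certificate must be installed in the TMG server's Trusted Root Certification Authorities store, and the check in step 3 still applies to the private certificate.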