Microsoft Ignite 2015
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Meeting Complex Security Requirements for Publishing Exchange
BRK3174. Greg Taylor, Principal Program Manager, Microsoft
How Many Times Have You Heard This?
"We can't allow you to access Exchange from the Internet because..."
- We can't let data get onto unmanaged machines!
- You have to use the VPN!
- Opening up ports on the firewall inbound! Are you insane?
- Sure, but only certain people can access mail from outside the organization
- We have to use two-factor auth if you want to do that!
What We Will Cover Today
- We'll look into some common requirements and break them down a bit
- We'll look at the choices you have available
- We'll cover some of the more complex requirements and tell you how you could meet them
Common Requirements and Objections
Pre-Authentication
- The #1 default solution to publishing Exchange for years
- Windows and Exchange were not hardened to prevent DoS and other attacks. But now they are.
- Hybrid and cloud change things: per-user pre-auth is out, because it is not the user asking for the data. Office 365 services (free/busy lookups, mailbox moves) call your on-premises Exchange server-to-server, and there is no user session to prompt.
Nothing Can Reach the Internal Network
- Do you have a very large network and security team?
- Most HTTP traffic can be proxied, but what does terminating SSL and re-encrypting really accomplish from a security standpoint? Does the proxy really understand the traffic?
- It is good for DoS and IP spoofing detection, but is that really the most direct route to the data today?
Two-Factor Auth (2FA/MFA)
- 2FA is the requirement, but often you hear "we have to use product X", which is a solution
- Not all clients work well with some solutions, so is the requirement 2FA, or the chosen solution?
- If 2FA is defined as something you have and something you know (or something you are), then:
  - Is a cert used for auth plus a password or PIN securing the device 2FA?
  - Is providing a cert and a username and password 2FA? Yes!
Only 'Known' Machines and the VPN Mandate
- BYOD is making this less common
- Typically MDM solutions are used for mobile devices, not domain-joined/managed clients running full-blown Outlook
- "You must use the VPN" = "We bought a really expensive VPN technology and we have to use it"
- The VPN connection typically provides access to the entire network when all you need is mail
Network Segmentation
- Segmenting the network: a surefire way to break stuff
- We don't expect, nor test with, security devices restricting traffic
- We reserve the right to add/change the ports we use at will
- So if you put devices between Exchange and Exchange, Exchange and AD, or now Exchange and OOS (Office Online Server), have a back-out plan
The Policy Argument
- Many Exchange deployments are going great until the Security team does its review and holds it all up
- Sometimes the policy is only written after you explain what you want to do...
- So don't tell them; ask what the policy is first
- Ask for a written copy of the policy before you begin the design
- Ask how they provide remote access now
- They are only doing their jobs, remember...
Authentication vs. Authorization
Think of it like boarding an airplane:
- Your passport provides Authentication
- Your ticket provides Authorization
In computer and network terms:
- Your credentials or certificates provide Authentication (proving who you are)
- In return you might get an access token or ticket of some sort
- Access control lists (ACLs) control whether you can access a resource or not
- ACLs might be user, group or role based
What's The Risk?
How To Size Up The 'Risk'
- Risk is a combination of different things
- It is the potential result of what happens when a threat takes advantage of a vulnerability
- The threat is something or someone that can damage your organization
- The vulnerability is the weakness by which they wreak havoc
- The risk is the possibility of that happening
- Which pieces can you influence?
Another Way To Look At It
Different factors contribute to risk. Take the example of opening some ports for O365 onboarding of mailboxes:
- Time window
- Code security
- Network security
- Device monitoring
What Publishing Choices Are There?
No Security Devices At All!
- We actually believe Exchange and AD are secure enough to not require pre-auth at all
- We run Office 365 like this
- We've run Exchange on-premises like this for years
- It requires good design, good patching and management, and good monitoring
- Customers want to move this way and let the apps secure the data, but it's a journey
Ok, What Else... From a Device/Appliance Angle
- TMG/UAG: both offer pre-auth, both are end of life, both still work
- WAP (Web Application Proxy, on-premises) and Azure AD Application Proxy: WAP is the Microsoft direction. Pre-auth only for OWA today, but for all clients in the next Windows Server release (in preview at the time as "Windows Server 10")
- Azure AD Application Proxy can let you access Azure and on-premises apps from Azure (more on this later)
- ARR: no pre-auth and not recommended, but it will bridge SSL
- LB modules: let your load balancer vendor bridge SSL and possibly do pre-auth
What About Tackling It At The App+OS Layer?
- Set-CASMailbox and Set-*VirtualDirectory: Set-CASMailbox is one of the easiest and most powerful ways to meet requirements. You can turn on or off EWS, OWA, cached mode, EAS, etc.
- ADFS: supported on Exchange 2013 SP1+ and can be used in 2010/2013 co-existence
- Smartcard Outlook Anywhere: painfully hard to set up, but it works, and it means Outlook can do smartcard 2FA
- MFA: Modern Auth is the future (more in a bit)
- Certificate Authentication: Exchange can require certs for OWA, EAS and OA (smartcard solution)
- Cert + Auth: require a certificate, then ask the user for creds
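The Set-CASMailbox approach from the slide, as an added example that is not from the deck: a group-driven protocol lockdown plus a report you can hand to the security review. It assumes the Exchange Management Shell is loaded and that the three group names are hypothetical mail-enabled security groups you maintain; the Set-CASMailbox parameters themselves (OWAEnabled, ActiveSyncEnabled, EwsEnabled, PopEnabled, ImapEnabled, MAPIBlockOutlookNonCachedMode) are real.

```powershell
# Added example; not from the deck. Assumes the Exchange Management Shell is loaded and
# that the group names below (hypothetical) are mail-enabled security groups you maintain.
# Anything not listed in a group's entry is left as it is; everything supports -WhatIf.

$ProtocolPolicy = @{
    # Full external access: Outlook (cached mode only), OWA, EAS and EWS; legacy POP/IMAP off
    'ExternalAccess-Full' = @{
        OWAEnabled = $true; ActiveSyncEnabled = $true; EwsEnabled = $true
        PopEnabled = $false; ImapEnabled = $false; MAPIBlockOutlookNonCachedMode = $true
    }
    # Browser only: OWA stays on, every rich-client and sync protocol off
    'ExternalAccess-OWAOnly' = @{
        OWAEnabled = $true; ActiveSyncEnabled = $false; EwsEnabled = $false
        PopEnabled = $false; ImapEnabled = $false
    }
    # No remote client protocols at all
    'ExternalAccess-None' = @{
        OWAEnabled = $false; ActiveSyncEnabled = $false; EwsEnabled = $false
        PopEnabled = $false; ImapEnabled = $false
    }
}

function Set-MailboxProtocolPolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Policy,
        [switch]$WhatIf
    )
    foreach ($groupName in $Policy.Keys) {
        $settings = $Policy[$groupName]
        # Expand the group to its mailbox members (nested groups are expanded too)
        $members = Get-DistributionGroupMember -Identity $groupName -ResultSize Unlimited |
                   Where-Object { $_.RecipientType -like '*Mailbox' }
        foreach ($m in $members) {
            # Splat the per-protocol Boolean parameters straight onto Set-CASMailbox
            Set-CASMailbox -Identity $m.Identity @settings -WhatIf:$WhatIf
        }
    }
}

function Get-MailboxProtocolReport {
    # Who can use what, per mailbox: this is the evidence the review wants, not a firewall rule dump
    Get-CASMailbox -ResultSize Unlimited |
        Select-Object Name, OWAEnabled, ActiveSyncEnabled, EwsEnabled, MAPIEnabled,
                      MAPIBlockOutlookNonCachedMode, PopEnabled, ImapEnabled |
        Sort-Object Name
}

Set-MailboxProtocolPolicy -Policy $ProtocolPolicy -WhatIf   # drop -WhatIf once the preview looks right
Get-MailboxProtocolReport | Format-Table -AutoSize
```

Two things to check before running it for real: these switches are enforced by the CAS for every connection regardless of which namespace the client used, which is exactly why they are more reliable than a firewall rule; and EwsEnabled $false also breaks Outlook free/busy, Out of Office and MailTips, which ride on EWS, so "OWA only" has to mean OWA only.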
Or At Other Places
- IPsec: still a great way to control what can connect to what (more later)
- MDM: device management, enrollment, enforcement and compliance
Let's Offer a Solution to Some Of Those More Complex Requirements
Crazy Complex Requirement #1: "You have to use Two-Factor auth"
- Many ways to skin a cat
- The hardest part seems to be agreeing on what constitutes 2FA/MFA
- Stick to the definition rather than jumping to the solution
- There are some ways to do this today, and more are coming
- And there are some ways NOT to do this: Azure MFA and hacking Exchange, for example
Certificates AND Credentials
- Can be done at the load balancer or at the security device
- A certificate is required for the HTTP connection, then Exchange requires creds for auth
- This can be done for OWA and EAS easily; Outlook not so much, as there is no UI
ADFS
- Exchange 2013 SP1 added ADFS capabilities directly into Exchange
- You can use ADFS in a mixed 2010/2013 deployment if you front-end with CAS 2013 (which you should anyway...)
- But you can use ADFS with Exchange 2010 if you use WAP: ADFS is responsible for the authentication of the user, so whatever auth you require there is the auth you get. Then use KCD from WAP to Exchange
- OWA and ECP only, though
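The native Exchange 2013 SP1 ADFS configuration the slide refers to, as an added example (not code from the deck). Hostnames, the group of URLs and the relying-party names are placeholders; the cmdlets and parameters (Add-AdfsRelyingPartyTrust, Set-OrganizationConfig -AdfsIssuer/-AdfsAudienceUris/-AdfsSignCertificateThumbprint, Set-OwaVirtualDirectory/Set-EcpVirtualDirectory -AdfsAuthentication) are the documented ones. The first half runs on the ADFS server, the second in the Exchange Management Shell on each CAS.

```powershell
# Added example; not from the deck. Placeholders: mail.contoso.com, adfs.contoso.com.
# Part 1 runs on the ADFS server, part 2 on each Exchange 2013 SP1+ CAS (OWA and ECP only).

# ---------- Part 1: ADFS server ----------
$owaUrl = 'https://mail.contoso.com/owa/'
$ecpUrl = 'https://mail.contoso.com/ecp/'

# Exchange maps the token to a mailbox using the UPN and primary SID claims, so issue both from AD.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN and primary SID for Exchange"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";userPrincipalName,objectSID;{0}", param = c.Value);
'@
# Authorization is still decided by Exchange (mailbox ACLs); ADFS only needs to let authenticated users through.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

foreach ($app in @(@{ Name = 'Outlook Web App'; Url = $owaUrl }, @{ Name = 'Exchange Admin Center'; Url = $ecpUrl })) {
    Add-AdfsRelyingPartyTrust -Name $app.Name -Identifier $app.Url -WSFedEndpoint $app.Url `
        -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $permitAll
}
# Exchange needs the thumbprint of the ADFS token-signing certificate to validate tokens.
(Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Thumbprint

# ---------- Part 2: Exchange Management Shell on each CAS ----------
$adfsIssuer = 'https://adfs.contoso.com/adfs/ls/'
$adfsSigningThumbprint = 'PASTE-THUMBPRINT-FROM-PART-1'

Set-OrganizationConfig -AdfsIssuer $adfsIssuer `
    -AdfsAudienceUris $owaUrl, $ecpUrl `
    -AdfsSignCertificateThumbprint $adfsSigningThumbprint

# ADFS becomes the only authentication method on OWA and ECP; every other method is switched off.
Get-OwaVirtualDirectory -Server (hostname) | Set-OwaVirtualDirectory -AdfsAuthentication $true `
    -BasicAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false `
    -DigestAuthentication $false -OAuthAuthentication $false
Get-EcpVirtualDirectory -Server (hostname) | Set-EcpVirtualDirectory -AdfsAuthentication $true `
    -BasicAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false `
    -DigestAuthentication $false

iisreset /noforce
```

The point the slide makes is visible in the split: everything about how strongly the user is authenticated (password, certificate, MFA) is ADFS policy on the relying party trust; Exchange just consumes the resulting token. Outlook Anywhere, EAS and EWS on the same CAS are untouched by this, so the ADFS requirement on its own does not close those doors.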
Smartcard Outlook Anywhere
- Smartcard Outlook Anywhere for 2013 now supports the use of virtual smartcards as well as physical ones
- A virtual smartcard requires a TPM
- But it's still a pain to set up and requires that all users switch to it
- Implementation requires running a script to set IIS up correctly and installing a custom module for OAB authentication
- New content is here -
Multi-Factor Auth and Modern Authentication
- ADAL (Active Directory Authentication Library) is the long-term solution to meeting 2FA needs
- Outlook (in fact, Office) becomes a redirectable client:
  1. Exchange asks for a security token and tells the client where it can get one
  2. Outlook heads to ADFS, ADFS enforces the MFA requirements, Outlook gets a token
  3. Outlook presents that to Exchange. Job done
- More: Jono Luk, "Modern Authentication for the Office 2013 Clients", Thursday 3:15PM
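Step 1 of that flow is observable from the outside: a modern-auth-capable endpoint answers an unauthenticated request carrying an empty bearer header with a `WWW-Authenticate: Bearer ...` challenge that names the authorization endpoint. The probe below is an added example, not from the deck; the hostname is a placeholder, and a server that only advertises NTLM/Negotiate/Basic (an on-premises Exchange 2013 of the era) shows up as BearerSupported = False, which is the gap the slide is describing.

```powershell
# Added example; not from the deck. The URL is a placeholder.
# Sends "Authorization: Bearer" with no token and reads back the WWW-Authenticate challenge(s).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-ExchangeBearerChallenge {
    param([Parameter(Mandatory)][string]$Url)

    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false
    $req.Headers['Authorization'] = 'Bearer'   # empty bearer: asks the server "where do I get a token?"

    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # A 401 surfaces as a WebException; the response object is still attached and carries the headers
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
    }

    $status     = [int]$resp.StatusCode
    $challenges = @($resp.Headers.GetValues('WWW-Authenticate') | Where-Object { $_ })
    $resp.Close()

    $bearer = $challenges | Where-Object { $_ -like 'Bearer*' } | Select-Object -First 1
    $result = [ordered]@{
        Url              = $Url
        Status           = $status
        BearerSupported  = [bool]$bearer
        AuthorizationUri = $null
        ClientId         = $null
        OtherChallenges  = @($challenges | Where-Object { $_ -notlike 'Bearer*' })
    }
    if ($bearer) {
        # Exchange/ADFS/Azure AD put the redirect target in the challenge parameters
        if ($bearer -match 'authorization_uri="([^"]+)"') { $result.AuthorizationUri = $Matches[1] }
        if ($bearer -match 'client_id="([^"]+)"')         { $result.ClientId         = $Matches[1] }
    }
    [pscustomobject]$result
}

Get-ExchangeBearerChallenge -Url 'https://mail.contoso.com/EWS/Exchange.asmx' | Format-List
```

Run it against EWS and /mapi as well as /owa: the challenge is per virtual directory, and the value of AuthorizationUri tells you which STS (ADFS on-premises or Azure AD) is actually going to enforce the MFA policy for that protocol.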
Crazy Complex Requirement #2: "Only certain people are allowed to access Exchange from the Internet"
The Problem With Exchange 2013...
- In older versions of Exchange, deciding who could access their mailbox using Outlook Anywhere was easy, as it was direct RPC inside and HTTP from outside:
  Set-CASMailbox Bob -MAPIBlockOutlookRpcHttp $True
- But Exchange 2013 made that harder, as OA is used inside and out
- There's no nice way to enable it only for internal, for some people
- So a pre-auth firewall was really the most logical answer (because modifying permissions in IIS causes global warming and hair loss)
Exchange 2013 to the Rescue!
- We're adding some new parameters to let you enable/disable Outlook Anywhere and MAPI/HTTP
- But these are AutoDiscover only; they don't block at a protocol layer
- This means you have to use different namespaces inside and out
- Works by combining the settings at an org and user level:
  Set-OrganizationConfig -MAPIHTTPEnabled $True/$False
  Set-CASMailbox ID -MAPIHTTPEnabled $True/$False -MAPIBlockOutlookExternalConnectivity $True/$False
Here's How It Works
- Org setting: MapiHttpEnabled (System.Boolean), default $false
- User setting: MapiHttpEnabled (new) (System.Boolean), accepted values $true, $false, $null; default $null = follow the org setting
- User setting: MAPIBlockOutlookExternalConnectivity (new) (System.Boolean), default $false = not blocking

AutoDiscover results by effective MapiHttpEnabled and MAPIBlockOutlookExternalConnectivity (Alchemy is the code name for MAPI/HTTP):

  MapiHttpEnabled   Block external = $false                     Block external = $true
  $true             External and internal URLs for Alchemy      Internal URL for Alchemy
  $null             Follows the org setting, then as the $true or $false row
  $false            External and internal URLs for RpcHttp      Internal URL for RpcHttp
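Putting the two slides together, as an added example (not from the deck): split namespaces, the org-level MAPI/HTTP default, a block-everyone-then-allow-a-group pass, and a function that computes what AutoDiscover will hand a given user from the two settings. Hostnames and the group name are placeholders; it assumes an Exchange 2013 build that carries the per-user MapiHttpEnabled and MAPIBlockOutlookExternalConnectivity parameters the deck announces.

```powershell
# Added example; not from the deck. Placeholders: the two hostnames and the group name.
# Because the block is AutoDiscover-only, the internal name must NOT resolve or be published
# externally; otherwise an external Outlook that knows it can still connect.

$InternalHost        = 'mail-int.contoso.com'   # internal DNS only
$ExternalHost        = 'mail.contoso.com'       # public DNS, published
$ExternalAllowedGroup = 'ExternalOutlookAllowed' # hypothetical mail-enabled security group

# 1. Org default: MAPI/HTTP on for everyone unless overridden per user
Set-OrganizationConfig -MapiHttpEnabled $true

# 2. Different namespaces inside and out, for both MAPI/HTTP and RPC/HTTP
Get-MapiVirtualDirectory -Server (hostname) | Set-MapiVirtualDirectory `
    -InternalUrl "https://$InternalHost/mapi" -ExternalUrl "https://$ExternalHost/mapi"
Get-OutlookAnywhere -Server (hostname) | Set-OutlookAnywhere `
    -InternalHostname $InternalHost -ExternalHostname $ExternalHost `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
    -ExternalClientAuthenticationMethod Ntlm

# 3. Default deny: every mailbox blocked externally, then the allowed group cleared
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { -not $_.MAPIBlockOutlookExternalConnectivity } |
    ForEach-Object { Set-CASMailbox -Identity $_.Identity -MAPIBlockOutlookExternalConnectivity $true }
Get-DistributionGroupMember -Identity $ExternalAllowedGroup -ResultSize Unlimited |
    ForEach-Object { Set-CASMailbox -Identity $_.Identity -MAPIBlockOutlookExternalConnectivity $false }

# 4. What AutoDiscover will hand this user, derived from the org + user settings
function Get-ExpectedOutlookEndpoints {
    param([Parameter(Mandatory)][string]$Identity)
    $org  = Get-OrganizationConfig
    $user = Get-CASMailbox -Identity $Identity
    # $null on the user means "follow the org setting"
    $mapiHttp = if ($null -eq $user.MapiHttpEnabled) { $org.MapiHttpEnabled } else { $user.MapiHttpEnabled }
    $blocked  = [bool]$user.MAPIBlockOutlookExternalConnectivity
    [pscustomobject]@{
        Identity    = $user.Name
        Protocol    = if ($mapiHttp) { 'MAPI/HTTP (Alchemy)' } else { 'RPC/HTTP' }
        InternalUrl = if ($mapiHttp) { "https://$InternalHost/mapi" } else { $InternalHost }
        ExternalUrl = if ($blocked)  { $null } else { if ($mapiHttp) { "https://$ExternalHost/mapi" } else { $ExternalHost } }
    }
}

Get-ExpectedOutlookEndpoints -Identity 'bob@contoso.com'
```

Step 3 touches every mailbox, so run it with -WhatIf first. The check that matters afterwards is not the cmdlet output but a packet capture or IIS log from an external client: if you ever see the internal hostname arriving from outside, the namespace split has leaked and the "block" is decorative.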
Crazy Complex Requirement #3: "You can't let data get onto machines we don't manage"
Managed Machines Are So Old Skool
- The future direction is more towards BYOD, but this one is still important to some older, larger companies
- It's getting harder as the number of OS and device combinations increases
- MDM works for mobile and tablet clients, but not so much for Outlook today
- So one approach could be to choose a non-vendor-specific solution to the problem, one that could also meet the 2FA requirement
Securing Connectivity with IPsec
Benefits
- Only authenticated machines can even allow a user to attempt to authenticate with user credentials
- Works with domain and non-domain joined machines
- Is Windows/Exchange version agnostic: works with XP upwards, on all versions of Exchange and all protocols
- IPsec is an open standard
- It IS two-factor: something you have (a certificate) and something you know (creds to log in)
Requirements
- A PKI needs to be in place to use machine certificates
- GPOs should be used to distribute policies where possible
- A degree in nerdiness to figure out IPsec. Or a good whitepaper
Limitations
- IPsec: it's IPsec. It's hard.
Securing OA and OWA with IPsec
How it works: you configure policies on client and server that specify the traffic that triggers the rule, and the actions that will be taken.

Client policy
  Destination IP:   IP of TMG/CAS
  Destination Port: TCP 443
  Source IP:        My IP
  Source Port:      My port
  Authentication:   A certificate from Fabrikam CA
  Encryption:       None

Server policy
  Destination IP:   My IP
  Destination Port: TCP 443
  Source IP:        Any
  Source Port:
  Authentication:   A certificate from Fabrikam CA
  Encryption:       None
Securing OA and OWA with IPsec
[Diagram: the IPsec stack on client and server. Each side shows Application, Transport Layer, Internet Layer with the IPsec driver driven by Policy, and Link Layer. IKE on both sides negotiates the SA, authenticating with certificates issued by the CA.]
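The two policies from the table, expressed as Windows connection security rules, as an added example that is not from the deck. It uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later; the XP-era clients the slide mentions would need the older IP Security Policy GPO instead). The CA subject, the CAS address and the rule names are placeholders; in production you would build the same rules in a GPO under Windows Firewall with Advanced Security, Connection Security Rules, rather than run this on each box.

```powershell
# Added example; not from the deck. Placeholders: $CasAddress, $CaSubject, rule names.
# Run with $IsServer = $true on the CAS (or TMG) and $false on a client, as Administrator.

$CasAddress = '203.0.113.10'                         # "IP of TMG/CAS" in the slide's table
$CaSubject  = 'CN=Fabrikam CA, DC=fabrikam, DC=com'  # issuer of the machine certificates
$IsServer   = $false

# Phase 1 (main mode): the only acceptable authentication is a machine certificate chained to Fabrikam CA.
$certProposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $CaSubject -AuthorityType Root
$phase1       = New-NetIPsecPhase1AuthSet -DisplayName 'Fabrikam machine certificate' -Proposal $certProposal

# Phase 2 (quick mode): "Encryption: None" as in the slide. ESP with integrity only;
# TLS inside the tunnel already encrypts the payload, IPsec here is for device authentication.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption None
$qmSet      = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP integrity only' -Proposal $qmProposal

if ($IsServer) {
    # Server policy: any source to me on TCP 443. Inbound MUST be protected, so a peer without a
    # valid Fabrikam certificate never reaches IIS and never gets to try a username and password.
    New-NetIPsecRule -DisplayName 'Require Fabrikam cert IPsec for HTTPS' -Mode Transport `
        -Protocol TCP -LocalPort 443 -RemoteAddress Any `
        -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet $phase1.Name -QuickModeCryptoSet $qmSet.Name -Enabled True
} else {
    # Client policy: my IP, any source port, to the CAS on TCP 443. Outbound to the CAS must be protected.
    New-NetIPsecRule -DisplayName 'Fabrikam cert IPsec to Exchange CAS' -Mode Transport `
        -Protocol TCP -RemoteAddress $CasAddress -RemotePort 443 `
        -InboundSecurity None -OutboundSecurity Require `
        -Phase1AuthSet $phase1.Name -QuickModeCryptoSet $qmSet.Name -Enabled True
}

# Verification after a client connects: one main-mode SA and one quick-mode SA per peer
# means the certificate handshake happened before TLS, which is the whole point.
Get-NetIPsecMainModeSA  | Format-List LocalEndpoint, RemoteEndpoint, *Auth*
Get-NetIPsecQuickModeSA | Format-List LocalEndpoint, RemoteEndpoint, *Algorithm*
```

One caveat worth settling with the auditor before relying on the "it IS two-factor" line: the certificate here is a machine credential, so the second factor proves which device is connecting, not which person holds it. That is precisely what the managed-machine requirement wants, and it is a different claim from a user-held smartcard.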
Crazy Complex Requirement #4: "You can't open any inbound ports but want access to Exchange from the Internet"
The David Copperfield Solution
- How do I give access to my internal resources but not open any inbound ports on my firewall? No, VPN is inbound
- The answer could be magic. Or Azure. Or Azure App Proxy
- Requires Azure AD Premium or Basic (MFA only with Premium); Premium is included in EMS/ECS
- This provides pre-auth for OWA, can be an endpoint (no pre-auth) for EAS, and OA down the road (plan)
Azure App Proxy At A Cloud Height Level
[Diagram: User connects to the Azure AD Application Proxy; the on-premises connector holds an outbound-initiated connection to Azure, so nothing inbound reaches on-prem.]
What's the User Experience?
1. You give the users a URL in Azure to hit. It can be an Azure URL or a custom URL for a domain you control
2. They log in with either an Azure AD identity (DirSync or managed) or ADFS using their on-prem account
3. Azure (directly or via ADFS) enforces MFA if enabled
4. Once the user passes that, the connection is proxied via the established connector tunnel and the user gets to OWA
5. The user then logs in via FBA if enabled, or via KCD if you want SSO
And now you are using your internal OWA deployment with no inbound connections through the firewall. That's magic!
"Enable Your On-Premises Apps for the Cloud with Microsoft Azure Active Directory Application Proxy", Tuesday May 5th, 3:15PM. Watch the recording!
So, In Summary
So What's the Answer?
- The answer could be any of them, or none of them. Or perhaps it's a combination of them?
- The key is to understand what each solution brings to the table and what you need to prove to meet the requirements you have
- ADAL and MFA support is the direction the clients are heading, but don't dismiss Azure and IPsec
Pre-Release Programs: Be first in line!
Exchange & SharePoint On-Premises Programs. Customers get:
- Early access to new features
- Opportunity to shape features
- Close relationship with the product teams
- Opportunity to provide feedback
- Technical conference calls with members of the product teams
- Opportunity to review and comment on documentation
Get selected to be in a program: sign up at Ignite at the Preview Program desk, or fill out a nomination:
Questions: visit the Preview Program desk in the Expo Hall. Contact us at: