Download presentation
Presentation is loading. Please wait.
Published byJudith Berry Modified over 8 years ago
1
1
2
2
3
Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions assigned to an object can be applied directly to the object or inherited from a parent object There two types of Permissions Standard Permissions Part of the default permissions for Active Directory Extended Permissions Added when Exchange is installed Used to gain more specific administrative 3
4
4
5
Overview When implementing an Exchange 2003 infrastructure an appropriate Administrative model needs to be chosen To facilitate creating different Administrative Models Exchange 2003 provides an Exchange Delegation Wizard Exchange Delegation Wizard enables an Administrator to select a user or group and give them a specific administrative role with the organization 5
6
6
7
7
8
Users can fully administer Exchange System Information Add Delete Rename Modify Permissions 8
9
9
10
Permissions Container Microsoft Exchange Full Control Organization Send As and Receive As denied Administrative Groups All Permissions inherited; Send As and Receive As denied 10
11
11
12
Users can fully administer Exchange System Information Add Delete Rename Cannot Modify Permissions 12
13
13
14
Permissions Container Microsoft Exchange All permissions except Full Control Organization Send As and Receive As denied Administrative Groups All Permissions inherited except Full Control and Change; Send As and Receive As denied 14
15
15
16
16
17
17
18
Permissions Container Microsoft Exchange Read, List Object and List Contents permissions allowed Organization Read, List Object and List Contents permissions inherited View information store status permission allowed Administrative Groups Read, List Object and List Contents permissions inherited View information store status permission inherited 18
19
Public Key Infrastructures Overview To enable secure messaging Exchange relies on digital signatures and certification authorities to identify sending and receiving parties System used for authentication is known as Public Key Infrastructures (PKI) Microsoft has a proprietary PKI provided through Key Management Service (KMS) used with Exchange 2000 KMS removed in Exchange 2003 and certification PKI is handled by the OS 19
20
Public Key Infrastructures (2) Key-Based Cryptography Cryptographic algorithms fall into one of two categories Symmetric and Asymmetric Symmetric cryptography Known as secret key cryptography Sender and receiver share a single, predetermined key Sender and receiver need to decide on and transmit the shared key they can send any encrypted messages Asymmetric cryptography Known as public key cryptography Keys used for Encryption and Decryption are different Sender and receiver do not need to decided on a key or transmit prior to sending encrypted messages 20
21
Public Key Infrastructures (3) Certificates, Certificate Authorities and Trust To encrypt messages using a public key encryption system senders need to be able to access public keys of intended recipients Requires the use of a third party to act as a repository for the users' public keys and verify keys are associated with the appropriate users A certificate is a digital declaration that contains a given user's public key and authenticates the user A Certificate Authority (CA) is an entity that issues the certificate and attests to the fact that the certificate is valid and the user is authenticated A CA can be a third-party company such as VeriSign or a Windows 2003 server configured as a CA within the organization 21
22
Windows 2003 Public Key Infrastructures Windows uses Certificate Services to create a CA The CA issues and manages digital certificates in either an enterprise situation or a stand-alone situation Enterprise Integrated with Active Directory Stand Alone Can be members of a domain Can be part of a workgroup Two types of certification hierarchies: Rooted and Cross Certification Rooted Hierarchy Defines either an enterprise root CA or a stand alone CA Root CA issues itself a certificate called a self-signed certificate Below the root CA are one or more Enterprise or Stand Alone subordinate CAs Cross Certification Hierarchy CA acts as both a root CA and a subordinate CA Used when two organizations want to establish a certificate trust between themselves Commonly deployed in business-to-business scenarios when participating organizations have existing CA hierarchies 22
23
Securing Communications SSL/TLS can be used to secure SMTP traffic between e-mail servers SSL/TLS can be used to secure both client-to-server traffic and server-to-traffic Securing client-to-server traffic is less complicated than securing server-to-server traffic Clients that use SMTP but not SSL cannot communicate with servers configured to SSL ESMTP must be configured to allow clients to query what features they support 23
24
Securing Communications (2) Possible configurations when enabling SSL/TLS Force SSL/TLS for all e-mail traffic Enabling SSL/TLS for specific domains Enabling SSL/TLS for inbound e-mail 24
25
E-Mail Encryption S/MIME protocol is used to secure e-mail by digitally signing or encrypting email messages SSL/TLS secures messages during transit. S/MIME ensures end-to-end security Encrypts on send Decrypts on receive S/MIME uses certificates to encrypt/decrypt Designed to enable compatibility and authentication between different organizations and among different vendors 25
26
Summary Permissions that are assigned to an object within Exchange 2003 can be applied directly to the object itself or they can be inherited There are two types of permissions Standard and Extended Standard Part of the default permissions for Active Directory Extended Added when Exchange 2003 is installed The Exchange Administration delegation wizard enables you to select a user or group and give them a specific administrative role within the organization 26
27
Summary (2) A Microsoft Windows PKI provides an integrated set of services and administrative tools for creating deploying, and managing public key-based applications using public key cryptography Symmetric Key Cryptography In symmetric key cryptography, the encryption and decryption are identical. Parties wanting to secure their communication using secret keys, exchange their encrypted keys securely before they can exchange data 27
28
Summary (3) Asymmetric Key Cryptography Keys used for encryption and decryption are different No need for the encryption key to be kept secret Certificates are used to verify the identities of senders and receivers A certificate contains a user's public key A certificate also authenticates a user as who they claim to be A CA is an entity that issues a digital certificate and attests to the fact that the certificate is valid and that the user is authentic 28
29
Summary (4) A certificate chain associates a certificate with a list of issuing CAs that ultimately leads to a certificate that the receiver implicitly trusts. A root certificate forms the root of a certificate hierarchy that the receiver accepts as authentic SSL/TLS can be used to encrypt and secure both client-to-server traffic and server-to-server traffic Server-to-server SSL/TLS traffic is best handle using a separate dedicated SMTP connector 29
30
Summary (5) The S/MIME protocol allows users to send secure e- mail by digitally signing or encrypting e-mail messages S/MIME is an updated version of MIME encoding standard that ensures so-called end-to-end security by allowing users to encrypt message when they are created and by allowing recipients to decrypt messages upon receipt 30
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.