Exchange 2000 uses the Transport Layer Security (TLS) protocol, which is based on and interoperable with SSL. Enabling TLS for Exchange 2000 is similar to enabling SSL for Exchange Server 5.5.
- Open the Microsoft Management Console (MMC) Exchange System Manager snap-in and navigate to the SMTP virtual server for which you want to turn on TLS.
- Right-click the virtual server and choose Properties to open the Properties dialog box.
- Go to the Access tab.
- Click Authentication. Make sure to select the Enable SSL client authentication check box.
- Go to the Delivery tab and click Outbound Security.
- Select the TLS encryption check box.
- Click OK.
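After working through the steps above, a practitioner will want to confirm that the SMTP virtual server actually advertises STARTTLS to peers. The following Python helper is an added example, not code from the original column or from Microsoft: it parses an EHLO reply (a constructed sample is embedded) for the STARTTLS keyword, and `check_live` performs the same test against a real host you name.

```python
import smtplib
import ssl

# Constructed sample EHLO reply, in the shape an ESMTP server returns; not captured
# from a real Exchange server.
SAMPLE_EHLO = (
    b"250-mail.example.com Hello [192.0.2.10]\r\n"
    b"250-SIZE 10485760\r\n"
    b"250-PIPELINING\r\n"
    b"250-STARTTLS\r\n"
    b"250 OK\r\n"
)


def ehlo_extensions(raw):
    """Return the set of extension keywords advertised in a raw EHLO reply.

    The first reply line carries the server's domain and greeting and is skipped;
    every following '250-' or '250 ' line names one extension (RFC 3207 uses
    STARTTLS for TLS upgrade).
    """
    exts = set()
    lines = raw.decode("ascii", "replace").splitlines()
    for line in lines[1:]:
        if len(line) < 4 or not line.startswith("250"):
            continue
        body = line[4:].strip()
        if body:
            exts.add(body.split()[0].upper())
    return exts


def advertises_starttls(raw):
    """True if the EHLO reply offers STARTTLS, i.e. inbound SMTP can be protected."""
    return "STARTTLS" in ehlo_extensions(raw)


def check_live(host, port=25, timeout=10):
    """Connect to a real server and try the TLS upgrade.

    Returns (starttls_offered, negotiated_protocol_or_None). A server that does
    not offer STARTTLS, or whose certificate fails validation, is reported as a
    finding rather than silently accepted.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False, None
        smtp.starttls(context=ctx)  # raises ssl.SSLError on a bad certificate
        smtp.ehlo()                 # re-issue EHLO after the upgrade, as RFC 3207 requires
        return True, smtp.sock.version()
```

Run `check_live("mail.example.com")` against your own server; a `(False, None)` result means peers cannot negotiate TLS for inbound mail even though outbound TLS is enabled.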
Turning on SSL (or TLS) protects outbound messages (i.e., messages leaving the server through SMTP) but doesn't protect traffic traveling from clients, in particular Microsoft Outlook Web Access (OWA), POP3, and IMAP4 clients, to the server. To fix this problem, you can enable the use of SSL with OWA, and you can suggest that POP3 or IMAP4 users use a client (e.g., Microsoft Outlook Express) that supports the use of SSL with POP3 and IMAP4.
If you want to protect network traffic between clients and servers and you're using Win2K, you can use the IP Security (IPSec) protocol to shield all TCP/IP traffic. Unlike SSL, IPSec is transparent to applications, so you don't need to change any Exchange Server settings to use it. And if the client supports IPSec, you get end-to-end traffic encryption. Of course, you first need to enable IPSec, and your network (including routers and firewalls) must permit it to pass. (For details about using IPSec, see Paula Sharick, "Use IPSec to Protect Your LAN Resources," October 2000.)
For Your Eyes Only
Your messaging system faces a slightly more insidious danger than outright attacks: people who read other people's messages. By and large, this is a personnel problem rather than a technical problem, and it isn't always malicious. (Messages that end up bouncing to the postmaster mailbox are a rich source of amusement for administrators at many sites.) However, you can apply technology to limit the chances of this type of snooping.
You often have legitimate reasons to grant a user access to another user's mailbox. For example, when you use Outlook for calendaring, you open other users' calendars. This action causes the system to generate event ID 1016 in the Application log. Any tool that opens a user's mailbox (e.g., Messaging API (MAPI) virus scanners, brick-level backup tools) will generate the same event. Your company's legal or human resources (HR) department might also have reason to monitor specific mailboxes.
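Because event ID 1016 fires for legitimate delegation and for backup or antivirus tools as well as for snooping, the useful monitoring step is to subtract the expected logons and review what remains. The following Python is an added example, not from the column: it reads a constructed tab-separated Application-log export (the message wording and account names are made up) and reports 1016 logons that match neither an allowed service account nor a known delegation.

```python
import re

# Constructed sample Application-log export (timestamp, source, event ID, message),
# not captured from a real server; the message wording approximates event 1016.
SAMPLE_LOG = """\
2001-03-12 08:02:11\tMSExchangeIS Private\t1016\tCORP\\jsmith logged on to mailbox /o=Corp/ou=HQ/cn=Recipients/cn=rjones and is not the primary Windows account on this mailbox.
2001-03-12 08:05:40\tMSExchangeIS Private\t1016\tCORP\\svc-backup logged on to mailbox /o=Corp/ou=HQ/cn=Recipients/cn=rjones and is not the primary Windows account on this mailbox.
2001-03-12 09:11:03\tMSExchangeIS Private\t1016\tCORP\\jsmith logged on to mailbox /o=Corp/ou=HQ/cn=Recipients/cn=ceo and is not the primary Windows account on this mailbox.
2001-03-12 09:12:00\tMSExchangeIS Private\t1010\tUnrelated event, ignored by the filter.
"""

# Hypothetical allow-lists: accounts expected to open every mailbox (brick-level
# backup, virus scanning) and per-mailbox delegations such as shared calendars.
EXPECTED_ACCESS = {"CORP\\svc-backup", "CORP\\svc-av"}
DELEGATIONS = {"rjones": {"CORP\\jsmith"}}

PATTERN = re.compile(
    r"^(?P<account>\S+) logged on to mailbox (?P<mailbox>\S+) and is not the primary"
)


def parse_1016(log_text):
    """Yield (timestamp, account, mailbox DN) for each event 1016 line."""
    for line in log_text.splitlines():
        parts = line.split("\t", 3)
        if len(parts) < 4 or parts[2] != "1016":
            continue
        match = PATTERN.match(parts[3])
        if match:
            yield parts[0], match.group("account"), match.group("mailbox")


def mailbox_alias(dn):
    """Reduce a legacy Exchange DN to its final cn= component (the mailbox alias)."""
    return dn.rsplit("cn=", 1)[-1]


def unexpected_logons(log_text, expected=EXPECTED_ACCESS, delegations=DELEGATIONS):
    """Return (timestamp, account, alias) for 1016 logons no allow-list explains."""
    findings = []
    for ts, account, mailbox in parse_1016(log_text):
        alias = mailbox_alias(mailbox)
        if account in expected or account in delegations.get(alias, set()):
            continue
        findings.append((ts, account, alias))
    return findings
```

Feed it a real export and review the findings with HR or legal before drawing conclusions; a single unexplained logon is usually a missing delegation entry, a pattern across many mailboxes is what you are looking for.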
In Exchange Server 5.5, the site service account permits unfettered access to all mailboxes on a server. Whoever has access to the site service account name and password can log on and read the contents of any mailbox without leaving any sign that he or she did so. You probably don't want to permit this broad behavior on your network. Because the site service account is so powerful, choose a strong password and limit access to the account. I also recommend that you monitor the Security log to ensure that the account is being used properly.
Although you could use the account to provide access to a specific mailbox's contents, doing so increases the likelihood that the account will be compromised. A better solution is to grant someone else permissions to the mailbox in question (bearing in mind that this action might cause the alternate recipient to generate return receipts, potentially telling the world that someone other than the recipient is reading the mail). Or you can use message journaling to copy all mail traffic for that mailbox to another mailbox or public folder, from which a designated user can then inspect the messages. (I'll discuss journaling in the next column.)
Exchange 2000 tightens the site service account loophole considerably; the site service account no longer exists, and the Administrator account and the Domain Admins and Enterprise Admins groups are explicitly denied access to individual mailboxes. (See the Microsoft article "XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000" at http://support.microsoft.com/support/kb/articles/q262/0/54.asp for instructions about how to give snooping power to a designated account.) You can also use message journaling in Exchange 2000.
Run, Don't Walk
Next time, I'll discuss related security topics, including the best way to protect your Exchange Server machines and clients against viruses. In the meantime, I suggest that you immediately go to Microsoft's security site (http://www.microsoft.com/technet/security), read the NT security checklists, and evaluate how your current preparations stack up. Also, consider reading a good security book, such as Stefan Norberg's Securing Windows NT/2000 Servers for the Internet (O'Reilly, 2000) or Michael Howard's Designing Secure Web-Based Applications for Microsoft Windows 2000 (Microsoft Press, 2000). For a great general introduction to network security, check out Bruce Schneier's Secrets and Lies: Digital Security in a Networked World (John Wiley & Sons, 2000). The time you spend researching security now might save you from major problems later.