Kevin Remde's IT Pro Weblog
IT Pro Resources
IT Pro Evangelist Blogs
My friend and teammate Kai Axford delievered an EXCELLENT webcast just a few minutes ago, for which I had the honor of covering the Q&A. The webcast was all about ways to secure your messaging using Exchange 2003, Outlook 2003, ISA Server 2004, S/MIME, PKI, OWA… Great stuff!
Here is the link to the webcast for On Demand Viewing.
And below I’ve listed the Q&A from the session, so you webcast viewers can take advantage of the resource links directly. I hope you find them useful!
Here’s the link to Brian Komar's PKI Security Book Kai mentioned:
How to protect SMTP using Transport Layer: Check out "How to help protect SMTP communication by using the Transport Layer Security protocol in Exchange Server" http://support.microsoft.com/?id=829721
Securiing email using S/MIME and Exchange Server 2003:Read the “Exchange Server 2003 Message Security Guide” available at http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exmessec.mspx.
“Please ask Mr. Kai to not speak so loudly into the microphone. Thank you.”This just happens when he gets exctied. Hopefully he toned it down enough for you later in the webcast.
“If I install S-MIME in my organization, I will have impact with the users that have out of my company?”Not necessarily. As Kai said, it has everything to do who you trust and how those who trust you have access to a trusted root authority. The impact will be in getting the public keys out to recipients of emails that you want to sign or encrypt, so that they can take advantage of it.
“What is Certificate Services?”http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/63e3ba1c-cc23-40b1-9ca2-853869677318.mspx
“But what is the real-world impact of switching to S-MIME in an organiztion as it pertains to outside trusts, ie. hotmail, sbcgloabl, yahoo, etc.?”Their client will have to support certificate authentication. (S/MIME). It's pretty common now. AND they will have to install the public key you provide them.
“What's that desktop bkgrd called with the host ip and domain script?”He's probably run a tool to build that. I know there is one like it at SysInternals.com called "BGInfo". http://www.sysinternals.com/Utilities/BgInfo.html
“The installation of certificate services were done in the exchange servers with the mailboxes user?”Certificate Services is outside of Exchange in Exchange 2003. It is a free component that you can install on any Windows 2000 or 2003 Server. It’s included with the OS.
“Thanks, so of this way, is not necessary any configuration between exchange server and certificate server?”Other than that checkbox Kai showed earlier for supporting certificates, no.
For more PKI / S/MIME information: Read the “Exchange Server 2003 Message Security Guide” available at http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exmessec.mspx
“Where can you get the certificates services ? is this something already in windows 2000 /2003 or is this something that has to be downloaded from microsoft.com if downloaded what is the website address ?”FREE.. and you already have it. It's an installable component of the server product.
More information on using Windows Rights Management: See http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx
“WRM can be deployed to all users into a organization?”|Yes.
“Does WRM protect email from being forwarded when sent to an email system other than Exchange?”Yes. It stops on your end before it goes out.
“Is Windows IRM free or cost money ?”
Windows Rights Management Servce is a product. It does cost money. See:http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx
“What is the diference between sign and encrypt the message? when the message goes signed can be spyed?”Signed just means you can be sure that it came from who it says it came from, but doesn't mean the message itself is encrypted... so yes, if you're not using some other encryption, the message can be read.
For a complete list of the other ports required in the Exchange front-end and back-end server,see “Front-End and Back-End Topology for Exchange Server 2003 and Exchange 2000 Server” at http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/febetop.mspx
For more information about Exchange Server 2003 RPC over HTTP(S) deployment configurations, see “Exchange Server 2003 RPC over HTTP(S) Deployment Scenarios” at http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/ex2k3rpc.mspx
“Asked: is there other solution such as certificate services of other providers?”Yes. S/MIME and email signing and encryption doesn't have to use the Microsoft certificate services. It will work with any standard PKI you want to use.
“Does it work on a 2003 exchange cluster server?”Yes.
“What is the e-mail addres of Kai? Can he receive questions to his e-mail?”
firstname.lastname@example.org. Yes, he's happy to get emailed questions from you. But try me first. :)
Using ISA Server 2004 with Exchange Server 2003:see http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/exchage2003.mspx
“Can we get a hold of those scripts that change the IPs?”
Email Kai. He may be able to get them to you.
Deployment Scenarios for RPC over HTTP(S):http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3RPCHTTPDep/ee9b228f-db48-4860-8bfd-3195881b8980.mspx
For more information about limiting client access to Exchange Server,Refer to Article ID: 328240 at http://support.microsoft.com/kb/328240
For more information about the Outlook 98 and Outlook 2000 version of the e-mail security enhancements, refer to “Outlook 98 E-mail Security Update” at http://www.microsoft.com/technet/archive/office/office97/support/out98sec.mspx and “Outlook 2000 SR-1 Update: E-mail Security” at http://www.microsoft.com/technet/prodtechnol/office/office2000/support/o2ktool.mspx
For a list of the restricted file types, see the “Outlook E-mail Security Update— Frequently Asked Questions” at http://office.microsoft.com/assistance/2000/Out2ksecFAQ.aspxor “Attachment File Types Restricted by Outlook 2003” at http://office.microsoft.com/en-us/assistance/HA011402971033.aspx
For more information about setting the Level1Remove registry key see “Administrator-Controlled Settings vs. User-Controlled Settings” at http://office.microsoft.com/en-us/assistance/HA011402961033.aspx
For more information about configuring Outlook security settings, see “Customizing Security Settings by Using the Outlook Security Template” at http://office.microsoft.com/en-us/assistance/HA011402931033.aspx
For more information about using ISA Server 2004 with Exchange Server 2003, see http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/exchage2003.mspx
For more information about installing an SSL certificate on your server, read the Knowledge Base article 298805 at http://support.microsoft.com/default.aspx?scid=kb;en-us;298805
For more information about additional security-related features, read “How to manage Outlook Web Access features in Exchange Server 2003” at http://support.microsoft.com/?kbid=830827
To download the Outlook Web Access administration tool, go to http://www.microsoft.com/downloads/details.aspx?familyid=4bbe7065-a04e-43ca-8220-859212411e10&displaylang=en
OWA Publishing through ISA Server 2004:http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/owapublishing.mspx
Exchange Server 2003 SP2 is coming!http://www.microsoft.com/exchange/downloads/2003/sp2/overview.mspx
Exchange Book:Answered: http://www.amazon.com/exec/obidos/tg/detail/-/0735619905/103-8014442-7447030?v=glance
“Great Job man”