Securing Exchange Email


Overview

For some organizations, and for certain people in every organization, the security of their e-mail is essential. Out of the box, Exchange 2003 provides a fairly secure environment that meets the needs of most organizations and their users. But some users, such as the CxOs, have very sensitive e-mails that they want only a few people to be able to read. Those people or organizations that need a higher level of security may also want the recipients of their e-mails to be able to confirm that a message really came from that user and has not been tampered with in transit. This is where S/MIME (Secure Multipurpose Internet Mail Extensions) comes into play. S/MIME is supported by Exchange 2003, Outlook 2003, Outlook Web Access 2003 and many non-Microsoft mail systems, and in some form by earlier versions of Outlook and Exchange.

Exchange 2003 supports both e-mail signing and encryption without any configuration changes to Exchange itself, in most cases; the cryptography is done by the client. When a user digitally signs an e-mail, the client (Outlook 2003 in this example) computes a hash of the message and encrypts that hash with the sender's private key, producing the signature. The signature and the sender's certificate, which carries the matching public key, are attached to the message. When the recipient opens the message, Outlook recomputes the hash, decrypts the signature with the public key from the attached certificate and checks that the two hashes match, which proves the message has not been modified since it was signed. Outlook also validates the certificate chain up to the issuing Certificate Authority (CA), which the recipient must trust, and checks that the e-mail address in the certificate matches the sender's address. This is supported by both Outlook 2003 and OWA 2003 out of the box. When a user chooses to encrypt a message, the message is encrypted with a randomly generated symmetric key, and that key is in turn encrypted with each recipient's public key, which Outlook takes from the recipient's certificate in the Global Address List or in a Contact. The sender's private key plays no part in encryption; it is only used if the message is also signed. When the recipient opens the message, their private key decrypts the symmetric key, which then decrypts the message; if the message was also signed, the signature is verified as above. Because only the holder of the matching private key can decrypt, Outlook also encrypts the message to the sender's own certificate so that the copy in Sent Items remains readable.

For both e-mail signing and encryption, each user needs a certificate, which binds their public key to their name and e-mail address, and the matching private key, which stays with the user. Certificates can either be issued internally by a Windows 2003 certificate server (CA) or purchased from a public CA. If e-mails only need to be signed and encrypted within your organization, a Windows 2003 CA will meet your needs, because every domain member trusts it automatically. Recipients outside the organization will not trust your internal CA unless they import its root certificate, so for external mail a certificate is normally purchased from a public CA for each user who sends signed or encrypted messages. In this article I will focus only on using a Windows 2003 CA for internal e-mail security.
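The following PowerShell script is an added example, not code from the article, that walks through the four operations described above using the .NET CMS/PKCS#7 classes that S/MIME is built on, so you can see which key is used where. It assumes the sender already holds an auto-enrolled certificate with a private key in their personal certificate store, that the recipient's certificate has been published to the userCertificate attribute of their Active Directory account (the template option covered later in this article), and that alice@contoso.local and bob@contoso.local are placeholders for real users; the Get-SmimeCert function is written for this example.

```powershell
# Added example (not from the article): sign, verify, encrypt and decrypt a message body
# with CMS/PKCS#7, the container format S/MIME uses, to show which key does what.
# Assumptions (not stated on the page): the sender has an auto-enrolled certificate with a
# private key in CurrentUser\My, the recipient's certificate is published in the AD
# userCertificate attribute, and the two addresses below are placeholders.
[void][Reflection.Assembly]::LoadWithPartialName('System.Security')

$senderMail    = 'alice@contoso.local'   # placeholder
$recipientMail = 'bob@contoso.local'     # placeholder
$secureEmail   = '1.3.6.1.5.5.7.3.4'     # Secure Email enhanced key usage OID

function Get-SmimeCert([string]$mail) {
    # Look the user up in AD and return the newest published certificate that has the
    # Secure Email EKU and has not expired (old certificates may still be published).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(mail=$mail))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "No AD account with mail=$mail" }
    $certs = @($result.Properties['usercertificate'] | ForEach-Object {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$_)
    })
    $usable = $certs | Where-Object {
        $_.NotAfter -gt (Get-Date) -and
        ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }) -contains $secureEmail
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($usable -eq $null) { throw "No valid S/MIME certificate published for $mail" }
    $usable
}

# The sender's own certificate: it must be one whose private key is in this user's store
# and whose subject carries the sender's address (the template puts the e-mail name there).
$senderCert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and $_.Subject -match [regex]::Escape($senderMail)
} | Select-Object -First 1
if ($senderCert -eq $null) { throw "No certificate with a private key for $senderMail" }

$body    = [Text.Encoding]::UTF8.GetBytes('Board pack for Thursday - do not forward')
$content = New-Object System.Security.Cryptography.Pkcs.ContentInfo (,$body)

# --- Sign: hash the body and sign the hash with the SENDER's private key. The sender's
#     certificate is embedded in the result, so the reader does not fetch it from the CA.
$signed = New-Object System.Security.Cryptography.Pkcs.SignedCms ($content, $false)  # attached signature
$signer = New-Object System.Security.Cryptography.Pkcs.CmsSigner ($senderCert)
$signed.ComputeSignature($signer)
$signedBlob = $signed.Encode()

# --- Verify (what the recipient's Outlook does): re-hash, check the signature with the
#     sender's PUBLIC key from the embedded certificate, and build its chain to a trusted root.
$check = New-Object System.Security.Cryptography.Pkcs.SignedCms
$check.Decode($signedBlob)
$check.CheckSignature($false)   # $false = also validate the signer's chain; throws on failure
'Signature OK, signed by: ' + $check.SignerInfos[0].Certificate.Subject

# --- Encrypt: a random symmetric key encrypts the body; that key is wrapped with each
#     RECIPIENT's public key. The sender's private key plays no part here.
$recipientCert = Get-SmimeCert $recipientMail
$recipients = New-Object System.Security.Cryptography.Pkcs.CmsRecipientCollection
[void]$recipients.Add((New-Object System.Security.Cryptography.Pkcs.CmsRecipient ($recipientCert)))
[void]$recipients.Add((New-Object System.Security.Cryptography.Pkcs.CmsRecipient ($senderCert)))  # keeps the Sent Items copy readable
$envelope = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms ($content)
$envelope.Encrypt($recipients)
$encryptedBlob = $envelope.Encode()

# --- Decrypt: only a RECIPIENT's private key can unwrap the symmetric key. Decrypt() searches
#     CurrentUser\My for a private key matching one of the recipient entries.
$open = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
$open.Decode($encryptedBlob)
$open.Decrypt()
'Decrypted: ' + [Text.Encoding]::UTF8.GetString($open.ContentInfo.Content)
```

Run it as the sender on a domain-joined machine. CheckSignature($false) throws if either the signature or the chain to your enterprise root fails to validate, which is the same check Outlook makes before showing a valid-signature icon. Decrypt() succeeds on the sender's machine only because the sender's own certificate was added as a second recipient; remove that line and the decrypt step fails, which is exactly what happens to a Sent Items copy that was encrypted to the recipient alone.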

A) Setting up a Certificate Authority

The first step is to set up a certificate authority to issue certificates to end users. Enrollment generates the key pair on the user's machine; the private key stays there and the CA signs a certificate containing the public key. Windows 2003 Enterprise Edition supports auto-enrollment of user certificates, which lets every user in your organization get a certificate automatically. Without Enterprise Edition, users must manually request and install a certificate on each system they normally use. The steps below cover both cases.

Note: The server that the CA is installed on cannot be renamed or moved to another domain once Certificate Services is installed. If the system fails, the CA can be restored on another system, but that system must have the same name as the original.

A.1) Environment Requirements

1)       Windows 2003 Enterprise Edition server

•        Enterprise Edition is required for auto-enrollment of user certificates, because auto-enrollment needs version 2 certificate templates, which only an Enterprise CA on Enterprise (or Datacenter) Edition can issue. Without Enterprise Edition, users will have to request a certificate manually.

2)       Windows 2003 Domain Controller

•        Only one DC has to be running Windows 2003. When the first Windows 2003 domain controller is introduced, the Active Directory schema is extended to the Windows 2003 version, which is required for the version 2 templates used by a Windows 2003 CA server.

A.2) Installing a CA

1)       On a Windows 2003 box launch Add/Remove Programs

2)       Click on Add/Remove Windows Components and select "Certificate Services"

A)    Choose "Enterprise root CA" if you know no other root CA has been deployed in your environment, or at least none integrated with Active Directory. An Enterprise CA is required for certificate templates and auto-enrollment; a stand-alone CA supports neither.

B)     Enter the common name for the CA; the server name can be used

C)    Confirm the paths where the certificate database and its log will be stored

A.3) Setting up certificates for users

1)       Creating a certificate template

A)    Launch the Certification Authority snap-in

a)      Under Administrative Tools launch Certification Authority

b)     Right click on "Certificate Templates" and choose Manage

B)     Create a new certificate template

•        A certificate template is used by the CA server to issue new certificates to users with the appropriate settings.

a)      Right click on "Exchange User" and choose Duplicate Template, see Figure 1 - Duplicate Template

Figure 1 - Duplicate Template

b)     Change the name to "Exchange User Certificate", or another name of your choice

c)     Check "Publish certificate in Active Directory" and confirm the other options shown in Figure 2 - General Settings. Publishing writes each issued certificate to the user's userCertificate attribute, which is where Outlook finds a recipient's public key when it looks them up in the Global Address List to encrypt to them.

Figure 2 - General Settings

d)     On the Request Handling tab, choose "Signature and encryption" for the Purpose and confirm the other options as shown in Figure 3 - Request Handling. With this purpose one key pair is used both to sign and to decrypt. If encrypted mail must remain recoverable after a user loses their key (for example a rebuilt PC or lost profile), this tab also offers "Archive subject's encryption private key", which requires a Key Recovery Agent to be configured on the CA; be aware that archiving a key that is also used for signing weakens non-repudiation of signed mail.

Figure 3 - Request Handling

 

e)     On the Subject Name tab choose "Build from this Active Directory information" and select "Fully distinguished name"

1)     Also check "Include e-mail name in subject name", as shown in Figure 4 - Subject Name. Outlook will only use the certificate for a sender whose address appears in it.

Figure 4 - Subject Name

f)      On the Superseded Templates tab click Add...

1)     Select "Exchange User" from the list and click OK. You should end up with the settings shown in Figure 5 - Superseded Templates

Figure 5 - Superseded Templates

•        This tells the CA that the new template replaces the built-in Exchange User template; users who already hold a certificate from the old template will have it replaced by one from the new template at their next auto-enrollment.

g)     Configure security on the new template so the required users are auto-enrolled for a certificate created from the template

1)     To enable all users in your organization to get a certificate based on this template, grant "Authenticated Users" the Read, Enroll, and Autoenroll rights, as shown in Figure 6 - Security. Note that Authenticated Users includes every account that can log on, service accounts included, so each of them will receive a signing and encryption certificate.

Figure 6 - Security

2)     If you want to limit which users get certificates, create a new group or select an existing one, grant it these three rights instead, and leave Authenticated Users with Read only

h)     Click OK when done to save the newly created certificate template

2)       Enable auto-enrollment of certificates in the Active Directory

•        Auto-enrollment requires the CA server to be installed on a Windows 2003 Enterprise Edition server.

A)    Modify a GPO to enable auto-enrollment

•        This setting has no effect if you are not using Windows 2003 Enterprise Edition.

a)      Launch Active Directory Users and Computers, right click your domain, and choose Properties

b)     On the Group Policy tab click the "Default Domain Policy" and choose Edit

•        If you have GPMC installed, open it and edit the policy there instead.

c)     Expand "User Configuration\Windows Settings\Security Settings" and click on "Public Key Policies"

d)     Open "Autoenrollment Settings" and verify "Enroll certificates automatically" is selected

e)     Check the two options under Enroll certificates automatically, "Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates", as shown in Figure 7 - Autoenrollment Settings. The second option is what makes clients pick up the new template and replace certificates from the superseded one.

Figure 7 - Autoenrollment Settings

f)      Repeat the above steps for "Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Autoenrollment Settings"

g)      Click OK and close the GPO

B)     Allow a day or two for users to get their new certificates. The auto-enrollment task runs when a user logs on and roughly every eight hours after that, and the Group Policy change itself has to reach each client first, so a user who has not logged on since the change will not have a certificate yet.

C)    View the issued certificates

a)      Launch the Certification Authority snap-in on the CA

b)     Click on "Issued Certificates"

c)     Sort by Requester Name to see which certificates have been issued to your users; those issued from the new template should show "Exchange User Certificate" in the Certificate Template column. A user who does not appear here either has not logged on since the policy change or is not covered by the Read, Enroll, and Autoenroll rights on the template.
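Rather than waiting for the auto-enrollment task and then eyeballing the Issued Certificates view, the following PowerShell script, an added example that is not part of the article, triggers enrollment on one client and checks the result the way Outlook will judge it: private key present, not expired, Secure Email usage, the user's address in the certificate, and a chain that builds to the enterprise root with revocation checking. It assumes it is run as the end user on a domain-joined client, that the template and address names are placeholders for your own, and that the final certutil query is run on the CA itself.

```powershell
# Added example (not from the article): force auto-enrollment on a client, then check what
# was issued. Assumptions: run as the end user on a domain-joined Windows XP/2003 client;
# the certutil -view query at the end runs on the CA. Names below are placeholders.
$templateName = 'Exchange User Certificate'   # the name chosen when duplicating the template
$userMail     = 'alice@contoso.local'         # placeholder
$secureEmail  = '1.3.6.1.5.5.7.3.4'           # Secure Email enhanced key usage OID

# 1) Pull the updated GPO and fire the auto-enrollment task now instead of waiting for
#    the next logon or the eight-hourly refresh.
gpupdate /target:user /force
certutil -pulse

# 2) Find the certificates Outlook can actually use for S/MIME: private key present,
#    not expired, and carrying the Secure Email EKU.
$usable = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }) -contains $secureEmail
}
if (-not $usable) {
    Write-Warning "No S/MIME certificate yet for $userMail; check the template ACL (Read/Enroll/Autoenroll) and the GPO"
}

foreach ($c in $usable) {
    # Outlook only offers a certificate for a sender whose address appears in it, either in
    # the subject (E=) or as an RFC822 name in the Subject Alternative Name extension.
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $hasMail = ($c.Subject -match [regex]::Escape($userMail)) -or
               ($san -ne $null -and $san.Format($false) -match [regex]::Escape($userMail))

    # The chain must build to the enterprise root and pass revocation checking, as it
    # will on every recipient's machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($c)

    # A version 2 template records itself in the Certificate Template Information extension
    # (OID 1.3.6.1.4.1.311.21.7); Format() shows the template OID and, where Windows can
    # resolve it, the display name.
    $tmpl = $c.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $tmplText = '(no template extension - not from a version 2 template)'
    if ($tmpl) { $tmplText = $tmpl.Format($false) }

    $line = '{0}  issuer: {1}  expires: {2:d}  address present: {3}  chain valid: {4}  template: {5}'
    $line -f $c.Subject, $c.Issuer, $c.NotAfter, $hasMail, $chainOk, $tmplText
    if (-not $chainOk) {
        $chain.ChainStatus | ForEach-Object { '    ' + $_.StatusInformation.Trim() }
    }
}

# 3) On the CA: list issued certificates (Disposition 20 = issued) with requester, expiry and
#    template. For a version 2 template the CertificateTemplate column holds the template's
#    OID; the Certification Authority MMC resolves it to the display name, e.g. $templateName.
certutil -view -restrict "Disposition=20" -out "RequesterName,NotAfter,CertificateTemplate"
```

If a certificate lists as present but "chain valid" is False, the ChainStatus lines printed underneath say why; the usual causes on a fresh CA are a CRL distribution point the client cannot reach (revocation checking fails) or the enterprise root not yet having replicated into the client's Trusted Root Certification Authorities store.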

Disclaimer: Your use of the information contained in these pages is at your sole risk. All information on these pages is provided "as is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Stephen Bryant or Pro Exchange. OutlookExchange.Com, Stephen Bryant and Pro Exchange shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

Copyright Stephen Bryant 2008