Securing Exchange Email

Page 1 | Page 2 | Page 3

4)       Start a new e-mail and verify that the Encrypt and Signing buttons are shown in the toolbar

A)    These buttons should show up at the end of the toolbar. You might have to adjust the toolbar in order to see them; see Figure 11 - E-mail Encrypt and Signing Option

Figure 11 - E-mail Encrypt and Signing Option

5)       If the user attempts to send an encrypted message to a user whose public key has not been stored in Active Directory yet, as shown in Figure 12 - User Without a Certificate, they will receive a warning dialog that the e-mail cannot be encrypted

Figure 12 - User Without a Certificate

6)       If the user needs to use Outlook 2003 from another system, such as from home, they will need to export their certificate and private key using the following steps

•        These steps also need to be followed if another user should be able to open someone else's encrypted e-mails. For example, if a manager's assistant should be able to open the manager's encrypted e-mails, the manager's key will need to be exported from his system and imported into his assistant's system

A)    Go to Tools\Options and click the Security tab

B)     Click Import/Export…

C)    Click "Export your Digital ID to a file"

D)    Click Select… and choose the certificate. It should have "Secure Email" under Intended Purposes

E)     Enter a file name to save the certificate to

F)     Enter a password and confirm it

G)    Click OK to save the file

•        This will save the user's private key to the selected file, protected only by the password entered in step F, so the file itself must be kept secure.

7)       To import the certificate on another system, one that isn't a member of the domain, or to allow another user to open e-mails encrypted for someone else

A)    Go to Tools\Options and click the Security tab

B)     Click Import/Export…

C)    Click Browse… and select the file previously created using the steps above

D)    Enter the password and a friendly name for the certificate

•        This will allow the user who imported the certificate, which contains the private key, to open any e-mails sent to the owner of the certificate.

B.3)         Outlook Web Access 2003

1)       Requirements

A)    To use S/MIME support in OWA 2003, clients must be running Internet Explorer 6.x or later

B)     Computers running IE must be running Windows 2000 or later

C)    Users must be able to install COM components on the system on which they run Internet Explorer

2)       Installing the S/MIME control for OWA

•        The control is installed on the local system, not on the Exchange server.

A)    Log in to OWA

B)     Click Options

C)    Under E-mail Security, click Download

Figure 13 - OWA E-mail Security

D)    This will start a download of "setupmcl.exe". Download the file and run it

E)     You will be prompted a few times with security warnings. Choose the response that allows the program to run and install the COM component

F)     Click on Options again once the install has finished

G)    You will now see options to always encrypt and/or sign outgoing messages

•        I would recommend not checking these boxes since all messages will be signed and encrypted. Since not all clients support both of these features, this can cause problems for users receiving these e-mails. Signing is supported by the most common e-mail clients, but encryption requires the sharing of public keys between both the sending and receiving parties. If the receiving party is outside of your organization and you are not using a public certificate server, you must manually send the receiving party the sending user's public key. The receiving party must then install this key. These steps are not included in this article.

Figure 14 - Email Security Options

H)    To sign or encrypt a message, users just need to create a new e-mail message and click the appropriate icon in the toolbar

a)      To sign a message, the user should click

b)     To encrypt a message, the user needs to click

1)     Before a user can send an encrypted message to another user, the recipient user's public key must be stored in Active Directory

2)     Otherwise, the sending user will see the following message:
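The precondition above for both Outlook 2003 and OWA 2003 is that the recipient's certificate is published in Active Directory and carries the "Secure Email" intended purpose (the same purpose the export procedure tells you to look for). An administrator can verify that outside the mail client. The following is an added example, not code from the original article or from any Microsoft tool: it parses a DER certificate as it would be read from a user's userCertificate attribute and reports whether a client could encrypt to, and verify signatures from, the given address. The CheckRecipientCert and NewTestCert functions and the self-signed test certificates are constructed for this example; reading the blob out of AD (for instance with an LDAP query) is assumed to happen separately and is not shown. The "Secure Email" purpose shown in the Windows certificate dialog corresponds to the emailProtection extended key usage, OID 1.3.6.1.5.5.7.3.4.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SMIMEReadiness summarises what an Outlook/OWA client could do with the certificate.
type SMIMEReadiness struct {
	CanEncrypt          bool     // encrypt a message to the address
	CanVerifySignatures bool     // verify a signature made with the matching private key
	Problems            []string // reasons for any "false" above
}

// CheckRecipientCert parses a DER certificate (the encoding stored in the AD
// userCertificate attribute) and applies the checks an S/MIME client makes
// before it will encrypt to a recipient. Constructed for this example.
func CheckRecipientCert(der []byte, email string, now time.Time) (SMIMEReadiness, error) {
	var r SMIMEReadiness
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return r, fmt.Errorf("userCertificate is not a DER certificate: %w", err)
	}
	fail := func(msg string) { r.Problems = append(r.Problems, msg) }

	// 1. Validity window: an expired or not-yet-valid certificate is rejected.
	validOK := !now.Before(cert.NotBefore) && !now.After(cert.NotAfter)
	if !validOK {
		fail(fmt.Sprintf("not valid at %s (valid %s to %s)", now.UTC(), cert.NotBefore, cert.NotAfter))
	}

	// 2. Intended purpose: the "Secure Email" purpose in the Windows certificate
	//    dialog is the emailProtection EKU (OID 1.3.6.1.5.5.7.3.4).
	secureEmail := false
	for _, eku := range cert.ExtKeyUsage {
		secureEmail = secureEmail || eku == x509.ExtKeyUsageEmailProtection || eku == x509.ExtKeyUsageAny
	}
	if !secureEmail {
		fail("missing Secure Email (emailProtection) intended purpose")
	}

	// 3. Address binding: an rfc822Name in subjectAltName must match the
	//    mailbox, or the client cannot tie the key to the recipient address.
	addrOK := false
	for _, a := range cert.EmailAddresses {
		addrOK = addrOK || strings.EqualFold(a, email)
	}
	if !addrOK {
		fail(fmt.Sprintf("no rfc822Name for %s (found %v)", email, cert.EmailAddresses))
	}

	// 4. Key usage: RSA encryption needs keyEncipherment, signing needs
	//    digitalSignature. A certificate with no keyUsage extension imposes no limit.
	noKU := cert.KeyUsage == 0
	encKU := noKU || cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0
	sigKU := noKU || cert.KeyUsage&x509.KeyUsageDigitalSignature != 0
	if !encKU || !sigKU {
		fail(fmt.Sprintf("keyUsage %#x lacks keyEncipherment and/or digitalSignature", cert.KeyUsage))
	}

	r.CanEncrypt = validOK && secureEmail && addrOK && encKU
	r.CanVerifySignatures = validOK && secureEmail && addrOK && sigKU
	return r, nil
}

// NewTestCert builds a self-signed RSA certificate (DER) with the given address,
// key usages and purposes. Constructed test data standing in for what an
// internal CA would issue and publish to AD; not from any real directory.
func NewTestCert(email string, ku x509.KeyUsage, ekus []x509.ExtKeyUsage, from, to time.Time) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: "Test User"},
		NotBefore:      from,
		NotAfter:       to,
		KeyUsage:       ku,
		ExtKeyUsage:    ekus,
		EmailAddresses: []string{email},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	now := time.Now()
	mailKU := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	// A user certificate with the Secure Email purpose, and one issued from a
	// web-server template (Server Authentication only) and published by mistake.
	good, _ := NewTestCert("alice@example.com", mailKU, []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, now.Add(-time.Hour), now.Add(365*24*time.Hour))
	web, _ := NewTestCert("alice@example.com", mailKU, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, now.Add(-time.Hour), now.Add(365*24*time.Hour))
	for _, der := range [][]byte{good, web} {
		r, err := CheckRecipientCert(der, "alice@example.com", now)
		fmt.Printf("encrypt=%v verify=%v problems=%v err=%v\n", r.CanEncrypt, r.CanVerifySignatures, r.Problems, err)
	}
}
```

Run against a real directory, the loop in main would iterate over the values of a user's userCertificate attribute instead of the two constructed certificates; the address compared is the user's primary SMTP address. The checks are deliberately the client's view (purpose, address, key usage, validity) and do not replace chain building to a trusted root, which the client performs separately.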

Conclusion

Using the steps above, users can both ensure that the messages they send are not modified in transit and control who can read them. Using an internal certificate server, you can provide both of these services for free, not counting the cost of a Windows server license. To be able to send signed and encrypted e-mails to people outside your organization, you will need to purchase certificates from a public certificate vendor or set up sharing of certificates. If you have a partner organization that you want to encrypt all e-mails with, then the best thing to do is to set up an SMTP connector that encrypts all traffic to that partner. See Amit Zinman's article on this topic: http://www.msexchange.org/tutorials/SMTP-Connections-Servers.html.

 

Encrypting e-mail does not prevent the user receiving the encrypted e-mail from then forwarding it on, unencrypted, to other people. So for those very special e-mails, make sure senders understand this fact. See the related link below for more information.

One final thing to be aware of is that ActiveSync clients before Exchange 2003 SP2 and Windows Mobile 5.0 with the Messaging and Security Feature Pack do NOT support S/MIME messages. This means that these clients can only read unencrypted e-mail messages and cannot validate digital signatures on signed messages. They also cannot send signed or encrypted messages. Microsoft has added this support with the Messaging and Security Feature Pack for Windows Mobile 5.0.

Related Links

•        Moving the CA to another server: KB298138

o       This is a good article to review on how to back up your CA completely, which should be done on a regular basis

•        Quick Start for S/MIME in Exchange Server 2003 white paper\book
http://www.microsoft.com/downloads/details.aspx?FamilyId=2305405C-FAF1-488A-A856-AD467BB59B26&displaylang=en.

o       This white paper, 150 pages, includes detailed information on S/MIME, setup instructions for OWA, troubleshooting information, and more.

•        Site to get public certificates for a reasonable price: http://www.godaddy.com/

o       Their root level certificate is only installed on Windows Mobile 5.0 devices. Also, it may not be installed on an older OS; it is included with the root level certificate update from Microsoft Update.

•        To further control who can open and forward e-mails, and to control who can open or edit Microsoft Office documents, you will need to implement a Rights Management Server; see the article below by Santhosh Sivarajan for how to do this:
http://www.msexchange.org/tutorials/Rights-Management-Service-Exchange-2003-Part1.html


Disclaimer: Your use of the information contained in these pages is at your sole risk. All information on these pages is provided "as is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Stephen Bryant or Pro Exchange. OutlookExchange.Com, Stephen Bryant and Pro Exchange shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

Copyright Stephen Bryant 2008