Guide to the Secure Configuration and Administration of Microsoft ...

More documents

Recommendations

Info

Exchange to “Foreign” E-mail System Jack (Client) Exchange can also connect to what Microsoft terms “foreign” e-mail systems. Foreign email systems are simply e-mail networks outside of the Exchange environment, such as X.400 and Simple Mail Transport Protocol (SMTP) mail systems. Exchange Server 5.0 and Exchange Server 5.5 provide connectors for both of these. Exchange Server 5.5 and third party vendors offer additional connectors that are not covered in this document. The X.400 connector provides connectivity to X.400 hosts. Server-to-server communication between Exchange and X.400 hosts is not encrypted, nor is any kind of robust authentication provided. Only plain text authentication is available as an option. The Internet Mail Service (IMS) provides connectivity to SMTP hosts. In Exchange Server 5.0 there are no encryption or authentication options when connecting to non- Exchange SMTP hosts. In Exchange Server 5.5, Secure Socket Layer (SSL) encryption and Simple Authentication and Security Layer (SASL) authentication can be used provided these features are supported by the other hosts with which the Exchange Server will connect. Please note that this feature is not well documented and attempts by the author and others to enable SMTP over SSL have failed. GWS1 (Server) VulCo (Organization ) Washington (Site) Baltimore (Site) GWS2 (Server) Authentication: -X.400: Simple, non-encrypted passwords -Internet Mail Service: SASL optional (Exchange 5.5) Encryption: -X.400: None -Internet Mail Service: SSL optional (Exchange 5.5) Foreign E-mail Networks Figure 3 Exchange to “Foreign” E-mail Systems -- Security Options 24
Summary When connecting servers in an Exchange environment: Consider the encryption and authentication features provided when selecting a connector. If using the Internet Mail Service as a server-to-server connector, it is recommended that encryption and authentication be enabled. To do so, select the Internet Mail Service object under the site/configuration/connections object and select File/Properties and the “Security” tab. If using “Windows NT challenge/response and encryption”, enter an account name and password chosen unique for this function. If using the Dynamic Remote Access Service connector, configure RAS per the “Guide to Implementing Windows NT in Secure Networking Environments.” 25
Page 1 and 2: Guide to the Secure Configuration a
Page 3 and 4: Trademark Information Windows NT, M
Page 5 and 6: Table of Contents About the Guide t
Page 7 and 8: Chapter 3, “Administrative Permis
Page 9 and 10: Chapter 1 Exchange Server Installat
Page 11 and 12: separate partition will provide a l
Page 13 and 14: Chapter 2 Client Installation Insta
Page 15 and 16: Domain Admins: Full Control SYSTEM
Page 17 and 18: Chapter 3 Administrative Permission
Page 19 and 20: Summary In summary, when assigning
Page 21 and 22: Site Level Server Level The Directo
Page 23 and 24: Server Level At the server level, t
Page 25 and 26: Configuration Use the Windows NT ev
Page 27: GWS1 (Server) Jack (Client) NT Remo
Page 31 and 32: other hosts were detailed in Chapte
Page 33 and 34: Chapter 7 Client Security and “Ad
Page 35 and 36: For each zone, one of four levels o
Page 37 and 38: Respect the concept of least privil
Page 39 and 40: KMS password. It is very critical t
Page 41 and 42: When advanced security is invoked,
Page 43 and 44: ecommended that you follow the guid
Page 45 and 46: “contributor” right (allowing o
Page 47 and 48: Authentication Exchange 5.0 Exchan
Page 49 and 50: Data Confidentiality It is importan
Page 51 and 52: IMAP LDAP allowed authentication me
Page 53 and 54: To control anonymous access: Selec
Page 55 and 56: This issue can be overcome simply b
Page 57 and 58: For recoverability, log files can b
Page 59 and 60: from using the distribution list, t
Page 61 and 62: Revisions: Version 1.1 - Cleaned up

Guide to the Secure Configuration and Administration of Microsoft ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?