Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


November 20, 2006

Messaging Security

Learn about 5 ways to encrypt your email communications
A Web Exclusive from Windows IT Pro
Devin L. Ganger
Feature
InstantDoc #93965
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
View this exclusive article with VIP access -- click here to join |
See More Protocols Articles Here | Reprints | Or sign up for our VIP Monthly Pass!

Microsoft Exchange Server gives you several options for keeping your email message data secure. The options fall into two categories: transport encryption, which protects the connection between two machines and thus protects the contents of the message over that conversation; and message encryption, which protects the message itself independent of the connections it travels over, ensuring that only the recipient can read it.

Transport Encryption
Transport encryption, also known as session encryption, protects the protocol over which the message data is transmitted. The three main kinds of transport encryption are: Encrypted Messaging API (MAPI), Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and IPsec.

If you want to secure sessions between Microsoft Outlook and Exchange, enable encryption of the MAPI protocol. MAPI uses remote procedure call (RPC) between the client and server. By default, the RPC streams are unencrypted, but you can enable 128-bit RPC encryption in the Outlook user profile. Be aware that this setting provides a relatively weak level of encryption and only protects the MAPI traffic between Exchange and Outlook. It does nothing to protect email messages that go beyond the sender's mailbox server.

SSL and TLS are similar protocols in that they provide application-level encryption. The main difference is that you must establish SSL communications on a different port from their unencrypted counterpart, while you can establish TLS over an initially unsecure connection. Exchange currently supports TLS only over SMTP connections but supports SSL over POP3, IMAP, Network News Transfer Protocol (NNTP), and HTTP. ( Exchange's TLS implementation isn't fully opportunistic; you can't handle both secured and unsecured connections from the same virtual server.)

IPsec is a set of IP extensions that provide the ability to authenticate and encrypt IP communications. IPsec has been part of Windows since Windows 2000. Although IPsec is more complex to enable and manage than other options, it also provides more flexibility. Because IPsec is an OS feature, it can protect any application (unlike SSL and TLS, which require that an application support the standards). With Windows IPsec, you need only create the proper Group Policy Objects (GPOs) and attach them to the proper containers in Active Directory (AD) to establish the necessary IPsec filters and behavior. IPsec is therefore suitable for protecting connections between front-end and back-end servers.

If your email message data travels over multiple hops, each hop must be secured or you potentially expose the data to unauthorized parties. If you do secure each hop, the message will be secure while traveling over the wire but will still be unencrypted on each intermediate system between the sender and recipient.

For more information about how to secure the various protocols used in Exchange (and where to use them), see the resources in the Learning Path box, including "Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server" in the Exchange Server 2003 Technical Documentation Library at http://www.microsoft.com/ exchange/library.

Message Encryption
By contrast, the technique of message encryption sounds simple: Encode the message data with a key that only the recipient knows. No matter how the message gets there, you can be confident that only the recipient can read it. The two best known standards for message-level encryption are pretty good privacy (PGP) and Secure MIME (S/MIME).

PGP. PGP and the open-source alternative GNU Privacy Guard (GPG) provide a more ad hoc approach to implementing message security than S/MIME. Unlike S/MIME, PGP and GPG don't require a central public key infrastructure (PKI); users manage their own list of digital certificates (known as their keyring). Because of this feature, users must have a third-party plug-in to use PGP with Outlook. And, as far as I know, you can't validate PGP-signed messages (or view PGP-encrypted messages) in Microsoft Outlook Web Access (OWA) at all. In my experience, PGP is great for single users, but it doesn't scale well to the enterprise level.

S/MIME. S/MIME is an Internet Engineering Task Force (IETF)approved method for formatting and exchanging digitally signed and encrypted electronic messages. S/MIME requires a healthy PKI for deployment. The Exchange/Outlook implementation works in tandem with the certificate authority (CA) and AD functionality in Windows to let users easily enroll and gain their own certificates for securing their email messages. Outlook can then retrieve the necessary recipient certificates for other users in the organization. If you want to use S/MIME with users outside your organization, you need to ensure that your PKI is properly configured, a topic beyond the scope of this article.

S/MIME works as follows (PGP works similarly):

  1. The sender composes an email message in his or her mail client.
  2. As the email message is submitted, the message is encrypted and signed according to a specific set of public and private keys (the recipient's public key and the sender's private key).
  3. The message is routed through intermediate systems. It's impervious to inspection by outside parties; tampering and alteration attempts invalidate the digital signature.
  4. The recipient receives the email message. The recipient's client automatically inspects the digital signature to ensure validity, then applies a private key to decrypt the message.

Does this process sound too good to be true? S/MIME does indeed have two major catches. First, as I mentioned previously, S/MIME requires a working PKI to manage the public and private keys for recipients and senders. Exchange 2003 and Exchange 2000 provide, in combination with Windows 2003 and Win2K, the necessary capabilities to create a digital certificate PKI infrastructure suitable for use with S/MIME. This PKI infrastructure integrates with AD, letting users easily manage their own private keys and retrieve public keys for other users in the organization. The Outlook client supports S/MIME, and the Exchange 2003 version of OWA extends S/MIME support to OWA users.

Second, email messages are encrypted before they're submitted to the Exchange message store service. In other words, they travel across the wire, through all intermediate servers, and are stored in the mailbox in encrypted form. This approach disallows all sorts of useful functionality, such as the ability to scan message body content on behalf of server-side rules. S/MIME also interferes with the application of message hygiene measures and message retention and archival policies. Because the message is encrypted before it's ever submitted to an Exchange server, the Exchange organization can't decrypt the message to inspect it.

To use S/MIME, you need an S/MIME-aware software solution .These applications typically can access all user certificates. They scan email messages before they leave your organization and use the appropriate certificate to secure messages as required.

You need to be able to audit the S/MIME email-encryption process. You must also have good controls in place to manage access to the certificate repository because it will become a natural target for attacks. Finally, you need to ensure that your backup, recovery, and archival processes properly handle the complications your message security introduces. For example, you must have backup copies of the certificates, be able to rebuild your PKI, and archive old and expired certificates used for messages still in your archival system.

For more information about deploying S/MIME, see the resources in the Learning Path box, including "Message Security Guide for Exchange Server 2003" in the Exchange Server 2003 Technical Documentation Library.

End of Article

Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Learning Path For a discussion of Exchange confidentiality, integrity, and availability:
"Messaging CIA"


To bridge front-end and back-end Exchange servers with IPsec:
"Using IPSec with Exchange"


To implement S/MIME for messaging:
"Secure Email with S/MIME"

"Advanced Security in Exchange 2000, Part 2"


To implement SSL for POP, IMAP, SMTP, and HTTP in Exchange 2000 or 5.5:
"Secure Client Communications with SSL"


To run RPC over HTTP with SSL in Outlook 2003, Exchange 2003, and Windows 2003:
"Secure VPN Alternatives"

"Exchange 2003 RPC over HTTP Access"


To run SMTP over SSL in Exchange 2003:
"Understanding and Leveraging SSL-TLS for Secure Communications ebook"



"Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server and Message Security Guide for Exchange Server 2003 in the Exchange Server 2003 Technical Documentation Library"
Top Viewed ArticlesView all articles
WinInfo Short Takes: Week of November 24, 2008

An often irreverent look at some of the week's other news, including a Vista Capable dismissal request, Zune price reductions, Morrow musings, Novell and Microsoft sitting in a tree ... two years later, Yahoo!, IE 6 on Windows Mobile, and so much more ...

Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

Next Version of Exchange Named Exchange 2010?

Microsoft apparently inadvertently announced the official name of the next version of Exchange Server. ...
Related Articles S/MIME and Exchange 2007 SP1
Security Whitepapers The Impact of Messaging and Web Threats

Why SaaS is the Right Solution for Log Management

Protecting (You and) Your Data with Exchange Server 2007
Related Events The Myths & Truths of Email Management with SharePoint

Top 10 Email Security Challenges and Solutions

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.



ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Is Your Approach to VMware Server Recovery Outdated?
Is your data protected from server failure? Download this white paper to find the best way to back up, recover, and restore your VMware ESX Server 3.x.

Maximize speed, performance and reliablity of your PCs and servers—automatically!
Speed Up Your PC! Try Diskeeper 2008 with InvisiTasking Free Now!

GoGrid Offers FREE Trial for Windows Cloud Servers
Deploy Windows Server 2003 and 2008 with free load balancing through GoGrid’s award winning web-based GUI – all in less than 5 minutes

Order Your SQL Fundamentals CD Today!
Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.
You've Deployed SharePoint...Now What?
This one-day free online conference delivers the technical knowledge needed to kick MOSS up a notch. In one information-packed day, independent SharePoint experts will present practical, real-world information and provide take-away, ready-to-use solutions

Ease Your Scripting Pains with the Flexibility of PowerShell!
Paul Robichaux equips you with PowerShell basics in 3 introductory lessons, each followed by live Q&A—all on your own computer! Register today!

What Would You Do If You Ran Microsoft?
ITTV's 2008 inaugural video contest, "If I Ran Microsoft..." is your chance to tell it like it is. Be goofy or be serious, but don"t miss this chance to have fun, win prizes, and go viral in a major way.

Maximize Your SharePoint Investment
This web seminar discusses how true bi-directional replication of SharePoint content from one server to another enables branch offices to maintain access to current SharePoint content.

Rock Your Knowledge, and Compete with Friends and Colleagues!
Are you the Web Application Performance Guru in your office? It's time to have fun! Download now to access the crossword puzzle. Challenge yourself and complete this fun activity!
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing