Implementing Email Security with Exchange Server 2003
If you have successfully configured Email Security your users will have the ability to send and receive signed and encrypted email.
Each security implementation is based on a public and private key infrastructure; this means you have to deploy certificates created by a certificate authority.
If user A sends a signed message, Exchange hashes the message and encrypts this hash with the private key of user A. Then this email is transmitted to the recipient. This email system now hashes this message again and using the senders’ public key, decrypts the encrypted hash created by the sending system. If both hashes are the same, the email is unchanged and you have confirmed that it was sent by user A.
If user A sends an encrypted message, Exchange encrypts this message using the recipients’ public key. Then this email is sent to the recipient. This message can now be decrypted using the recipients’ private key.
Creating a Certificate Authority
The requirement for automatic certificate enrollment is, as already mentioned, a Windows Server 2003 one. This does not mean that you have to have a Windows Server 2003 Active Directory but you have to update your Active Directory with the Windows Server 2003 Forestprep and Domainprep (using adprep.exe). Each of your servers should have Windows 2000 Server SP3 or above installed. Now you can install your Windows Server 2003 Certificate Authority within your Windows 2000 Server Active Directory. It is independent from the configuration if you are installing your own PKI or using a public trust center.
After having installed the CA service in your network you now can start configuring automatic enrollment for Exchange Server certificates: At first you have to create new templates that support automatic enrollment using the certificate template snapin. Just choose the Exchange User Windows 2000 template, right click it and point to “duplicate template” from the context menu.
Now you have to configure the following settings for this template:
Figure 1: Configure the publishment of certificates in AD
Publishing all certificates in Active Directory is required, because the “Global Address List” of Exchange Server 2003 is based on AD. If you have configured this feature, all certificates are available in Active Directory.
Figure 2: Configuring Request Handling Properties
In “Request Handling Properties” you have to choose signature and encryption and you should configure key archiving to provide key recovery. In addition to this, enrolling the certificate without requiring user input is the proposed solution.
Figure 3: Configuring Subject Name Properties
Inclusion of the email-name in the subject of your template is required and absolutely necessary.
Figure 4: Configuring Superseded Templates
To make sure that the old Exchange User template would never be used again you should configure it so that this new template supersedes the old one.
Figure 5: Configuring Security Settings for Automatic Enrollment
To configure automatic enrollment for this new template you have to make sure that the user group has the rights to read, enroll and autoenroll this certificate. After this procedure you just have to configure this template as a new template of the certificate authority. This can be done using the CA snapin.
Figure 6: Configure Autoenrollment using GPOs
The last step is to configure the autoenrollment feature in the GPO settings. Afterwards you should wait a few days to make sure that all users have had their certificates enrolled. You can check this using the CA snapin. Errors are logged in the application log.
That’s all for configuring email security in the CA and Active Directory. Now you can configure your Outlook clients for email security. This can be done via the security setting properties from the Outlook options menu. You can then configure that all messages are encrypted or signed or you can configure this on each message itself from the options menu.
As you have seen within this article Exchange S/MIME Email security can be configured quite easily if you are having a Windows Server 2003 Certificate Authority implemented. The automatic enrollment feature provides quite an easy way to deploy certificates for every user in your active directory environment without user interaction. Therefore you can configure this during working days without interrupting the user’s work. Using the Office System 2003 Resource Kit Utilities you can even automate the configuration of your Outlook profiles for your users. The only thing you have to teach your users is how to activate email encryption and/or signature.
With Windows Server 2003 Certificate Services you have the possibility to configure certificate archiving and certificate recovery. This means even if the public and/or private keys are lost, you can recover them to make sure that no messages are being lost.