Hardening Exchange Server 2007 – Part 3: Securing Email Client Access

If you missed the first articles in this series please read:

Before we begin, please note that this article is based on a beta version of Windows Server 2008 and Exchange Server 2007 SP1 and it is possible that some features will be changed or removed in the final versions of these products.

I do not intend to cover the same topics that Rui Silva did in his series about Hardening Exchange Server 2003. This series will only contain information unique to Exchange Server 2007 and Windows Server 2008. If you want additional information about securing the environment, educating users and much more, I recommend reading Rui’s articles as well.

In this article I will give you a high-level overview of securing the different e-mail client types: POP3, IMAP4, Outlook Web Access (OWA), Outlook Anywhere (also known as RPC over HTTP(S)) and Exchange ActiveSync (EAS).

POP3

POP3 (Post Office Protocol version 3) is a relatively old protocol for retrieving e-mail from a mail server such as Exchange Server. Exchange Server 2003 supports POP3 but leaves the protocol disabled by default, and the same is true for Exchange Server 2007: the Microsoft Exchange POP3 service is installed but not started, so you must change its startup type to Automatic and start it. One of the important changes in Exchange Server 2007 is that, by default, POP3 accepts no logins over an unencrypted session (the login type is SecureLogin, so a client connecting on port 110 must negotiate TLS before it may log on, and port 995 is SSL from the start). Exchange Server 2007 uses a self-signed certificate, created by setup, to secure the transmission. As a result you have to configure your e-mail client for a secure connection, and the client will warn about the untrusted certificate until you replace it. It is therefore a good idea to replace the self-signed certificate after the Exchange installation with a certificate from an in-house Certificate Authority (CA) that your clients already trust, or from a trusted third-party CA. Replace it rather than simply delete it: on a server that also holds the Hub Transport role, the same self-signed certificate secures SMTP TLS between your transport servers. As you might know, POP3 access in Exchange Server 2007 is configured with the Exchange Management Shell (EMS). Beginning with Exchange Server 2007 SP1, part of POP3 management will also be available in the Exchange Management Console (EMC).

IMAP4

IMAP4 (Internet Message Access Protocol version 4) is also a relatively old protocol. It was designed as a more capable alternative to POP3, with several enhancements such as server-side folders and several clients working with the same mailbox at once.

Exchange Server 2003 supports IMAP4 but leaves the protocol disabled by default, and the same is true for Exchange Server 2007: the Microsoft Exchange IMAP4 service must be set to Automatic and started. As with POP3, Exchange Server 2007 IMAP4 by default refuses logins over unencrypted sessions (SecureLogin: TLS must be negotiated on port 143 before the login command is accepted, and port 993 is SSL throughout) and uses the self-signed certificate from setup to secure the transmission. The e-mail client therefore has to be configured for a secure connection, and the certificate should be replaced with one from a trusted CA, exactly as described for POP3.

Ports used by POP3 and IMAP4

Protocol                    Default port
POP3 with or without TLS    110 (TCP)
POP3/SSL                    995 (TCP)
IMAP4 with or without TLS   143 (TCP)
IMAP4/SSL                   993 (TCP)

Table 1

On ports 110 and 143 the session starts in clear text and the client upgrades it with the STLS (POP3) or STARTTLS (IMAP4) command; with the default SecureLogin setting the server refuses the USER/PASS or LOGIN command until that upgrade has happened. Ports 995 and 993 are SSL/TLS from the first byte. Decide which pair you publish through the firewall: a client that only supports the STARTTLS style will not work if you open only 995 and 993.
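The POP3 and IMAP4 procedure described above (start the services, bind a trusted certificate, keep logins secure, verify) as an added Exchange Management Shell example. This is not code from the original article: the server name CAS01, the certificate thumbprint and the test mailbox credential are assumptions.

```powershell
# Added example, not from the original article. Run in the Exchange
# Management Shell on the Client Access server. Assumptions: the CAS is
# named CAS01 and $thumbprint holds the thumbprint of a certificate from a
# trusted CA that is already in the local computer certificate store.
$cas = "CAS01"
$thumbprint = "<thumbprint of the trusted certificate>"   # assumption

# 1. The POP3 and IMAP4 services are installed but not started by default.
Set-Service MSExchangePOP3  -StartupType Automatic
Set-Service MSExchangeIMAP4 -StartupType Automatic
Start-Service MSExchangePOP3
Start-Service MSExchangeIMAP4

# 2. Bind the trusted certificate to POP3 and IMAP4 instead of the
#    self-signed one created by setup. Leave the self-signed certificate in
#    place until IIS and SMTP have also been moved to the trusted one.
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services "POP,IMAP"

# 3. SecureLogin is the default and is set here explicitly: a client on
#    110/143 must issue STLS/STARTTLS before the server accepts a login;
#    995/993 are SSL from the start.
Set-PopSettings  -Server $cas -LoginType SecureLogin
Set-ImapSettings -Server $cas -LoginType SecureLogin

# 4. The services read the certificate and login settings at start-up.
Restart-Service MSExchangePOP3
Restart-Service MSExchangeIMAP4

# 5. Verify: LoginType must be SecureLogin and X509CertificateName must be
#    the trusted certificate's subject name.
Get-PopSettings  -Server $cas | Format-List LoginType, SSLBindings, UnencryptedOrTLSBindings, X509CertificateName
Get-ImapSettings -Server $cas | Format-List LoginType, SSLBindings, UnencryptedOrTLSBindings, X509CertificateName

# 6. (Exchange 2007 SP1) End-to-end check with a test mailbox. Do not add
#    -TrustAnySSLCertificate once the trusted certificate is in place, so
#    that a certificate problem is reported as a failure.
$cred = Get-Credential   # assumption: a test mailbox in the domain
Test-PopConnectivity  -ClientAccessServer $cas -MailboxCredential $cred
Test-ImapConnectivity -ClientAccessServer $cas -MailboxCredential $cred
```

If step 6 reports a certificate error after the replacement, the certificate subject (or a subject alternative name) does not match the host name the clients use, which is the same problem your users will see; fix the certificate rather than teaching users to click through the warning.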

OWA

Outlook Web Access (OWA) is also secured by default. Like every other Exchange client service it is protected by the self-signed certificate from setup, and HTTPS is required on the OWA virtual directory out of the box. You should replace the self-signed certificate with one from a trusted internal Certificate Authority (CA) or from a trusted third-party CA, so that browsers (and ISA Server, if you publish OWA through it) do not have to accept an untrusted certificate. Exchange Server 2007 Outlook Web Access also provides some additional security settings. Some of these were first available in the separate Outlook Web Access administration add-on for Exchange Server 2003; most of that tool's settings, and some new ones, are now native to Exchange Server 2007 and are configured on the OWA virtual directory (and, beginning with SP1, per user through OWA mailbox policies). Exchange Server 2007 provides these additional security features:

  • Outlook Web Access segmentation (switching individual OWA features on or off)
  • Outlook Web Access full-feature client and light version
  • Restricting access to Outlook Web Access for specific users
  • Customizing Microsoft Office SharePoint integration
  • Controlling direct access to file server (UNC) shares
  • Blocking access for specific file types
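The OWA settings listed above as an added Exchange Management Shell example, together with the per-user switch that also covers Outlook Anywhere. This is not code from the original article: the server name CAS01, the mailbox name contractor1 and the extra blocked file types are assumptions.

```powershell
# Added example, not from the original article. Run in the Exchange
# Management Shell. Assumptions: the Client Access server is CAS01, the OWA
# virtual directory is the default one, and "contractor1" is a mailbox that
# must not use OWA or Outlook Anywhere at all.
$owa = "CAS01\owa (Default Web Site)"

# Segmentation: turn off OWA features the organisation does not use, so they
# cannot be reached from any browser, trusted or not.
Set-OwaVirtualDirectory -Identity $owa `
    -PublicFoldersEnabled $false `
    -UMIntegrationEnabled $false `
    -ChangePasswordEnabled $false

# Direct file access and SharePoint/UNC document access: allow them only from
# "private" computers (the user's choice on the logon form) and force
# WebReady (HTML) viewing on public computers, so no attachment is ever
# saved to a shared machine.
Set-OwaVirtualDirectory -Identity $owa `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -WSSAccessOnPublicComputersEnabled $false `
    -UNCAccessOnPublicComputersEnabled $false `
    -WebReadyDocumentViewingOnPublicComputersEnabled $true `
    -ForceWebReadyDocumentViewingFirstOnPublicComputers $true

# Block specific file types: extend the built-in blocked list instead of
# replacing it (-BlockedFileTypes overwrites the whole list).
$blocked = (Get-OwaVirtualDirectory -Identity $owa).BlockedFileTypes
foreach ($ext in ".wsf", ".ps1", ".reg") {          # assumption: extra types to block
    if ($blocked -notcontains $ext) { $blocked.Add($ext) }
}
Set-OwaVirtualDirectory -Identity $owa -BlockedFileTypes $blocked

# Restrict access for specific users: per-mailbox switches for OWA and for
# Outlook Anywhere (RPC over HTTPS).
Set-CASMailbox -Identity "contractor1" -OWAEnabled $false -MAPIBlockOutlookRpcHttp $true

# Verify.
Get-OwaVirtualDirectory -Identity $owa |
    Format-List PublicFoldersEnabled, DirectFileAccessOnPublicComputersEnabled,
                WSSAccessOnPublicComputersEnabled, UNCAccessOnPublicComputersEnabled,
                ForceWebReadyDocumentViewingFirstOnPublicComputers, BlockedFileTypes
Get-CASMailbox -Identity "contractor1" | Format-List OWAEnabled, MAPIBlockOutlookRpcHttp
```

The public/private distinction is only as good as the user's honesty on the logon form; if you do not trust users to pick "public computer" in an Internet cafe, apply the same restrictions to the private-computer parameters as well.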

Outlook Anywhere

Outlook Anywhere, known as RPC over HTTP in Exchange Server 2003, provides full Outlook access (Outlook 2003 or later) over HTTPS from outside the internal network without a VPN. It is not enabled by default; when you enable it on a Client Access server, make sure the external host name you publish matches the certificate, and choose Basic (only ever over HTTPS) or NTLM client authentication. Because Outlook Anywhere is published through the same Client Access server and certificate as OWA, securing it is similar to securing OWA, and this feature is not covered in any more detail here.

Exchange ActiveSync (EAS)

Exchange ActiveSync provides access to e-mail, calendar, contacts and more for mobile clients such as Smartphones, PDAs (Personal Digital Assistants) and mobile phones. EAS is enabled by default for every mailbox, and its settings are controlled with Exchange ActiveSync mailbox policies, which the device downloads and must enforce when it synchronises. With the help of policies you can enforce the following settings:

  • Require a password on the mobile device
  • Require an alphanumeric password (letters and digits, not just a numeric PIN)
  • Allow or disallow the download of attachments
  • Allow or disallow access to Windows SharePoint Services documents and Windows file shares
  • Activate device encryption

In addition, a lost or stolen device can be wiped remotely. The wipe is an administrative action (also available to the user in OWA), not a policy setting, and it takes effect the next time the device connects. Note that a policy only protects you on devices that can apply it; whether older or third-party devices that cannot are still allowed to synchronise is itself a policy setting, and the secure choice is to refuse them.
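The policy settings and the remote wipe described above as an added Exchange Management Shell example. This is not code from the original article: the policy name, the mailbox jdoe, the notification address and the numeric limits are assumptions.

```powershell
# Added example, not from the original article. Run in the Exchange
# Management Shell. Assumptions: policy name "Secure Mobile", mailbox "jdoe",
# notification address helpdesk@contoso.com and the numeric limits below.
#
# What the policy enforces:
#   DevicePasswordEnabled / AlphanumericDevicePasswordRequired  - a real
#       password, not just a numeric PIN
#   MinDevicePasswordLength, DevicePasswordHistory,
#   DevicePasswordExpiration (90 days)                         - password quality
#   MaxDevicePasswordFailedAttempts                            - the device wipes
#       itself locally after 8 wrong passwords
#   MaxInactivityTimeDeviceLock                                - lock after 15 min
#   AttachmentsEnabled / WSSAccessEnabled / UNCAccessEnabled   - no attachment,
#       SharePoint or file share downloads to the device
#   DeviceEncryptionEnabled                                    - encrypt storage
#   AllowNonProvisionableDevices $false                        - devices that
#       cannot apply the policy are refused instead of syncing unprotected
New-ActiveSyncMailboxPolicy -Name "Secure Mobile" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -DevicePasswordHistory 5 `
    -DevicePasswordExpiration 90.00:00:00 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -AttachmentsEnabled $false `
    -WSSAccessEnabled $false `
    -UNCAccessEnabled $false `
    -DeviceEncryptionEnabled $true `
    -AllowNonProvisionableDevices $false

# Assign the policy to one mailbox (mailboxes without an explicit policy
# get the default policy).
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "Secure Mobile"

# Lost or stolen device: list the user's device partnerships, pick the one
# that is missing, and queue a remote wipe. The wipe runs the next time the
# device connects, and the notification address receives a confirmation.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Format-Table DeviceId, DeviceType, LastSuccessSync, Identity -AutoSize
$device = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceId -eq "<DeviceId from the list above>" }   # assumption
Clear-ActiveSyncDevice -Identity $device.Identity -NotificationEmailAddresses "helpdesk@contoso.com"

# Verify the assignment.
Get-CASMailbox -Identity "jdoe" | Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy
```

After a wipe, also remove the device partnership once the confirmation arrives; otherwise a recovered device that still knows the user's password can re-establish the partnership.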

ISA Server 2006

You can use ISA Server 2006 (Internet Security and Acceleration Server) to add a further layer of security in front of Outlook Web Access (OWA), Outlook Anywhere and Exchange ActiveSync (EAS). ISA Server 2006 ships with publishing wizards for all three Exchange Server 2007 client services. It adds security in the form of SSL bridging (the HTTPS session from the Internet terminates on ISA Server, which inspects the traffic and opens a new HTTPS, or HTTP, connection to the Client Access server), link translation, HTTP content filtering, and user pre-authentication (forms-based for OWA, so that an unauthenticated request never reaches the Exchange server). When ISA Server bridges to the Client Access server over HTTPS, it must trust the certificate on that server, which is one more reason to replace the self-signed certificate.

Patch Management

It is important to keep your messaging clients, the Exchange servers and the underlying operating system up to date. You should use WSUS (Windows Server Update Services) or other patch management software, and test Exchange update rollups on a non-production server before you deploy them.

Anti-SPAM

Exchange Server 2007 has integrated anti-spam features for the Hub Transport Server role and the Edge Transport Server role. On an Edge Transport server the anti-spam agents are installed and enabled by default. On a Hub Transport server they are not: you must install them with the install-AntispamAgents.ps1 script from the Exchange Scripts folder, run from the Exchange Management Shell (EMS), and then restart the Microsoft Exchange Transport service.

Exchange Server 2007 provides the following anti-spam features:

  • Aggregation of Outlook Junk E-mail Filter Lists
  • IP Reputation Service 
  • Sender reputation 
  • Sender ID 
  • Recipient filtering
  • Spam quarantine
  • Content filtering
  • Connection filtering 
  • SMTP Tarpitting
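Installing the anti-spam agents on a Hub Transport server and configuring several of the features listed above, as an added Exchange Management Shell example. This is not code from the original article: the installation path, the receive connector name, the quarantine mailbox, the DNS block list name and the thresholds are assumptions.

```powershell
# Added example, not from the original article. Run in the Exchange
# Management Shell on a Hub Transport server. Assumptions: default install
# path, Internet-facing receive connector "HUB01\Internet Inbound",
# quarantine mailbox spamquarantine@contoso.com, DNS block list
# dnsbl.example.com, and the SCL/SRL thresholds shown.

# 1. Install the anti-spam agents (present only on Edge Transport by
#    default) and restart transport so the agents are loaded.
Set-Location "C:\Program Files\Microsoft\Exchange Server\Scripts"
.\install-AntispamAgents.ps1
Restart-Service MSExchangeTransport
Get-TransportAgent   # now lists the Connection Filtering, Content Filter, Sender Id,
                     # Sender Filter, Recipient Filter and Protocol Analysis agents

# 2. Connection filtering: look up the connecting IP address in a DNS
#    block list and reject the session on any listing.
Add-IPBlockListProvider -Name "Example DNSBL" -LookupDomain "dnsbl.example.com" -AnyMatch $true

# 3. Recipient filtering: reject mail for addresses that do not exist in
#    Active Directory, which also stops directory-harvest attacks from
#    learning valid ones.
Set-RecipientFilterConfig -RecipientValidationEnabled $true

# 4. Sender ID: reject messages whose sending host fails the SPF check for
#    the purported sender domain (the default only stamps the result).
Set-SenderIdConfig -SpoofedDomainAction Reject

# 5. Content filtering: the thresholds must satisfy delete > reject >
#    quarantine; messages between quarantine and reject go to the
#    quarantine mailbox, where an administrator can release them.
Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 9 `
    -SCLRejectEnabled $true -SCLRejectThreshold 7 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 5 `
    -QuarantineMailbox "spamquarantine@contoso.com"

# 6. Sender reputation: block for 24 hours any sender whose behaviour
#    (open-proxy test, HELO/PTR analysis, SCL history) scores above 7.
Set-SenderReputationConfig -SenderBlockingEnabled $true -SrlBlockThreshold 7 -SenderBlockingPeriod 24

# 7. Tarpitting: delay the "user unknown" reply to each invalid RCPT TO by
#    5 seconds, so harvesting valid addresses becomes slow.
Set-ReceiveConnector -Identity "HUB01\Internet Inbound" -TarpitInterval 00:00:05

# 8. Verify.
Get-ContentFilterConfig  | Format-List SCL*, QuarantineMailbox
Get-SenderIdConfig       | Format-List SpoofedDomainAction, TempErrorAction
Get-IPBlockListProvider  | Format-Table Name, LookupDomain, Enabled
Get-ReceiveConnector -Identity "HUB01\Internet Inbound" | Format-List TarpitInterval
```

Run the agents in stamp-only mode (leave the reject and delete actions disabled) for a few days first and review the agent logs before you turn on rejection; a too-low SCL reject threshold silently drops legitimate mail.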

You can use Forefront Edge Security to provide some additional anti-spam features.

Antivirus

You should use a client-side antivirus scanner that scans files on access (in real time), such as Forefront Client Security. On the server side you should use a central, Exchange-aware antivirus solution such as Microsoft Forefront Edge Security, as mentioned in the second part of this article series. If you also run a file-level scanner on the Exchange server itself, exclude the Exchange databases, transaction logs and transport queue directories from it; a file-level scanner that locks or quarantines these files can corrupt a database or stop mail flow.

Conclusion

In this part of the series we discussed how to secure client access for the various clients: POP3, IMAP4, OWA, Outlook Anywhere and Exchange ActiveSync. Please note that this article could not cover all the security enhancements and new security features in Exchange Server 2007.
