If you missed the first articles in this series please read:
- Hardening Exchange Server 2007 – Part 1: Introductory Steps.
- Hardening Exchange Server 2007 – Part 2: Secure by Default
Before we begin, please note that this article is based on a beta version of Windows Server 2008 and Exchange Server 2007 SP1 and it is possible that some features will be changed or removed in the final versions of these products.
I do not intend to cover the same topics that Rui Silva did in his series about Hardening Exchange Server 2003. This series will only contain information unique to Exchange Server 2007 and Windows Server 2008. If you want additional information about securing the environment, educating users and much more, I recommend reading Rui’s articles as well.
In this article I will give you a high level overview of securing different e-mail client types such as POP3, IMAP4, OWA and Outlook Anywhere (also known as RPC over HTTP(S)).
POP3
POP3 (Post Office Protocol version 3) is a relatively old protocol for retrieving e-mail from a mail server such as Exchange Server. Beginning with Exchange Server 2003, Exchange supports POP3, but the protocol is disabled by default. The same is true for Exchange Server 2007, so you must change the startup type of the POP3 service to Automatic. One of the important changes in Exchange Server 2007 POP3 access is that no unencrypted sessions are allowed. Exchange Server 2007 uses a self-signed certificate to secure the message transmission, so you have to configure your e-mail client to access the Exchange Server over a secure connection. It is a good idea to replace the self-signed certificate after the Exchange installation with a trusted certificate from an in-house Certificate Authority (CA) or from a trusted third-party CA. As you might know, to configure POP3 access you must use the Exchange Management Shell (EMS). Beginning with Exchange Server 2007 SP1, parts of POP3 management will also be available in the Exchange Management Console (EMC).
IMAP4
IMAP4 (Internet Message Access Protocol version 4) is also a relatively old protocol. IMAP4 is the successor of POP3 with several enhancements.
Beginning with Exchange Server 2003, Exchange supports IMAP4, but the protocol is disabled by default. The same is true for Exchange Server 2007, so you must change the startup type of the IMAP4 service to Automatic. One of the important changes in Exchange Server 2007 IMAP4 access is that no unencrypted sessions are allowed. Exchange Server 2007 uses a self-signed certificate to secure the message transmission, so you have to configure your e-mail client to access the Exchange Server over a secure connection.
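The EMS commands that carry out what the POP3 and IMAP4 sections above describe, as an added example that is not part of the original article: the services are set to start automatically, the SecureLogin setting keeps logins TLS-only, and a CA-issued certificate replaces the self-signed one. The host name mail.example.com, the file paths and the thumbprint are placeholders.

```powershell
# Added example (not from the article): enable POP3/IMAP4 on Exchange 2007 while keeping
# them TLS-only, and bind a CA-issued certificate instead of the self-signed one.
# mail.example.com, the file paths and the thumbprint are placeholders.

# 1. Both services exist after setup but are disabled; make them start automatically.
Set-Service MSExchangePOP3  -StartupType Automatic
Set-Service MSExchangeIMAP4 -StartupType Automatic

# 2. Request a certificate from your CA, then import it and enable it for POP and IMAP.
#    Clients will only trust the connection if they trust the issuing CA.
New-ExchangeCertificate -GenerateRequest -SubjectName "CN=mail.example.com" `
    -DomainName mail.example.com -PrivateKeyExportable $true -Path C:\certreq\mail.req
# ... submit mail.req to the CA and save the issued certificate as mail.cer ...
Import-ExchangeCertificate -Path C:\certreq\mail.cer
$thumbprint = "<THUMBPRINT-FROM-Get-ExchangeCertificate>"    # placeholder
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services "POP,IMAP"

# 3. SecureLogin (the default) accepts a login only over SSL (995/993) or after STARTTLS
#    on 110/143. PlainTextLogin would allow credentials in clear text: leave it unset.
Set-PopSettings  -LoginType SecureLogin -X509CertificateName mail.example.com
Set-ImapSettings -LoginType SecureLogin -X509CertificateName mail.example.com

Start-Service MSExchangePOP3
Start-Service MSExchangeIMAP4

# 4. Verify the result on each Client Access server: LoginType must read SecureLogin.
Get-PopSettings  | Format-List LoginType, SSLBindings, UnencryptedOrTLSBindings, X509CertificateName
Get-ImapSettings | Format-List LoginType, SSLBindings, UnencryptedOrTLSBindings, X509CertificateName
```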
Ports used by POP3 and IMAP4
| Protocol | Default port |
|---|---|
| IMAP4/SSL | 993 (TCP) |
| IMAP4 with or without TLS | 143 (TCP) |
| POP3/SSL | 995 (TCP) |
| POP3 with or without TLS | 110 (TCP) |

Table 1
OWA
Outlook Web Access (OWA) is also secured by default. Like every other Exchange client service, Outlook Web Access is protected with a self-signed certificate, and HTTPS access is enabled by default. It is recommended that the administrator replace it with a certificate for OWA access from a trusted internal Certificate Authority (CA) or from a trusted third-party CA. Exchange Server 2007 Outlook Web Access provides some additional security settings. Some of these were originally part of the additional Outlook Web Access security package first introduced with Exchange Server 2003; most settings of that tool (and some additional ones) are now available natively in Exchange Server 2007. Exchange Server 2007 provides these additional security features:
- Outlook Web Access segmentation
- Outlook Web Access full feature client and light version
- Restricting access to Outlook Web Access for specific users
- Customizing Microsoft Office SharePoint integration
- Controlling direct access to file server shares
- Blocking access for specific file types
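How the OWA features listed above are set from the Exchange Management Shell, as an added example that is not part of the original article. The server name CAS01, the mailbox address and the added file extensions are placeholders.

```powershell
# Added example (not from the article): OWA hardening on the Client Access server's
# OWA virtual directory. CAS01, the mailbox and the extensions are placeholders.
$owa = "CAS01\owa (Default Web Site)"

# Segmentation: switch off features this user population does not need.
# PremiumClientEnabled $false leaves only the light client (OWA Light) available.
Set-OwaVirtualDirectory -Identity $owa `
    -PremiumClientEnabled $false -TasksEnabled $false -JournalEnabled $false `
    -ChangePasswordEnabled $true

# On public (shared) computers: no direct download of attachments (WebReady viewing only),
# and no access to file server shares (UNC) or SharePoint (WSS) document libraries.
Set-OwaVirtualDirectory -Identity $owa `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -ForceWebReadyDocumentViewingFirstOnPublicComputers $true `
    -UNCAccessOnPublicComputersEnabled $false `
    -WSSAccessOnPublicComputersEnabled $false

# Block additional file types: extend the shipped block list rather than replacing it.
$vdir = Get-OwaVirtualDirectory -Identity $owa
$vdir.BlockedFileTypes.Add(".jar")
$vdir.BlockedFileTypes.Add(".rar")
Set-OwaVirtualDirectory -Identity $owa -BlockedFileTypes $vdir.BlockedFileTypes

# Restrict OWA for a specific user without touching the other protocols.
Set-CASMailbox -Identity "contractor@example.com" -OWAEnabled $false

# Verify the effective settings.
Get-OwaVirtualDirectory -Identity $owa | Format-List *Enabled, *OnPublicComputers*, BlockedFileTypes
```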
Outlook Anywhere
Outlook Anywhere, formerly known as RPC over HTTPS in Exchange Server 2003, provides full Outlook 2007 access over HTTPS from outside the internal network. Because securing Outlook Anywhere is similar to securing OWA, there is no need to cover this feature in any more detail.
Exchange ActiveSync (EAS)
Exchange ActiveSync provides access to e-mail and more for mobile clients such as smartphones, PDAs (Personal Digital Assistants) and mobile phones. EAS is enabled by default, and EAS settings can be configured with Exchange ActiveSync policies. With the help of policies you can enforce the following settings:
- Require passwords for mobile clients
- Require alphanumeric passwords
- Allow or disallow downloading of attachments
- Allow access to Windows SharePoint Services documents
- Allow the wiping of stolen or lost devices
- Enable device encryption
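An ActiveSync mailbox policy enforcing the settings listed above, assigned to a mailbox, plus the remote wipe for a lost device, as an added example that is not part of the original article. The policy name, mailbox addresses and device identity are placeholders.

```powershell
# Added example (not from the article): an Exchange ActiveSync mailbox policy that enforces
# the settings listed above. Policy name, mailboxes and device identity are placeholders.

# Require an alphanumeric password of at least 8 characters, lock after 5 idle minutes,
# wipe after 8 failed attempts, block attachment/SharePoint/file share access and enable
# device encryption. Devices that cannot enforce every setting are refused.
New-ActiveSyncMailboxPolicy -Name "Hardened Mobile Policy" `
    -DevicePasswordEnabled $true -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -AttachmentsEnabled $false -WSSAccessEnabled $false -UNCAccessEnabled $false `
    -DeviceEncryptionEnabled $true -AllowNonProvisionableDevices $false

# Assign the policy. EAS is enabled by default; turn it off where it is not needed.
Set-CASMailbox -Identity "user@example.com" -ActiveSyncMailboxPolicy "Hardened Mobile Policy"
Set-CASMailbox -Identity "kiosk@example.com" -ActiveSyncEnabled $false

# Lost or stolen device: list the user's device partnerships, then issue a remote wipe.
Get-ActiveSyncDeviceStatistics -Mailbox "user@example.com" |
    Format-List Identity, DeviceType, DeviceID, LastSuccessSync
Clear-ActiveSyncDevice -Identity "<IDENTITY-FROM-THE-LIST-ABOVE>"   # placeholder
```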
ISA Server 2006
You can use ISA Server 2006 (Internet Security and Acceleration Server) to provide an additional layer of security for accessing Exchange Server 2007 with Outlook Web Access (OWA), Outlook Anywhere and Exchange Active Sync (EAS). With the help of ISA Server 2006 you can securely publish all these Exchange Server clients. ISA Server 2006 provides additional security in the form of HTTPS to HTTP Bridging, Link Inspection, Content filtering, user pre-authentication and more.
Patch Management
It is important to keep your messaging clients and the underlying operating system up to date. You should use WSUS (Windows Server Update Services) or other patch management software.
Anti-SPAM
Exchange Server 2007 can use integrated anti-spam features for the Hub Transport Server role and the Edge Transport Server role. You must activate the anti-spam features on a Hub Transport Server via the Exchange Management Shell (EMS).
Exchange Server 2007 provides the following anti-spam features:
- Aggregation of Outlook Junk E-mail Filter Lists
- IP Reputation Service
- Sender reputation
- Sender ID
- Recipient filtering
- Spam quarantine
- Content filtering
- Connection filtering
- SMTP Tarpitting
You can use Forefront Edge Security to provide some additional anti-spam features.
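Enabling the anti-spam agents on a Hub Transport server and configuring several of the features listed above, as an added example that is not part of the original article. The quarantine mailbox, the receive connector name and the thresholds are placeholders to adjust for your environment; $exscripts is the EMS variable pointing at the Exchange Scripts folder.

```powershell
# Added example (not from the article): enable and configure the built-in anti-spam agents
# on a Hub Transport server. Mailbox, connector name and thresholds are placeholders.

# 1. On Hub Transport the agents are not installed by default: run the supplied script
#    from the Exchange Scripts folder, then restart transport so the agents load.
cd $exscripts
.\install-AntispamAgents.ps1
Restart-Service MSExchangeTransport

# 2. Content filtering: quarantine at SCL 7, reject at SCL 8, delete at SCL 9.
Set-ContentFilterConfig -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7 `
    -SCLRejectEnabled $true -SCLRejectThreshold 8 `
    -SCLDeleteEnabled $true -SCLDeleteThreshold 9 `
    -QuarantineMailbox "spamquarantine@example.com"

# 3. Sender ID: reject mail whose purported sender domain fails the check
#    (the default only stamps the result on the message).
Set-SenderIdConfig -SpoofedDomainAction Reject

# 4. Recipient filtering: refuse unknown recipients at SMTP time instead of
#    accepting the message and generating an NDR later.
Set-RecipientFilterConfig -RecipientValidationEnabled $true

# 5. Sender reputation: block senders whose reputation level reaches 7, for 24 hours.
Set-SenderReputationConfig -SenderBlockingEnabled $true -SrlBlockThreshold 7 -SenderBlockingPeriod 24

# 6. SMTP tarpitting: delay the "unknown recipient" response on the Internet-facing
#    receive connector (default 5 seconds) to slow down address-guessing senders.
Set-ReceiveConnector -Identity "HUB01\Internet" -TarpitInterval 00:00:10

# Verify which agents are installed and enabled.
Get-TransportAgent
```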
Antivirus
You should use a client-side antivirus scanner that scans file access on demand, such as Forefront Client Security. On the server side you should use a central antivirus solution such as Microsoft Forefront Edge Security, as mentioned in the second part of this article series.
Conclusion
In this part of the series we discussed how to secure client access for various clients such as POP3, IMAP4, OWA and Outlook Anywhere. Please note that this article could not cover all the security enhancements and new security features in Exchange Server 2007.
Links
- Exchange Server 2007 – Security and protection
- Securing Exchange Server 2007 Client Access
- Hardening an Exchange Server 2003 Environment (Part 1)
- Hardening an Exchange Server 2003 Environment (Part 2)
- Hardening an Exchange Server 2003 Environment (Part 3)
- Hardening an Exchange Server 2003 Environment (Part 4)
- Introduction to Exchange 2007 Server Roles
- Microsoft Forefront
- Using POP3 and IMAP4 to Access Exchange 2007 (Part 1)
- Using POP3 and IMAP4 to Access Exchange 2007 (Part 2)
- Microsoft Internet Security and Acceleration Server 2006