
Securing Exchange Email

 zengzb 2012-09-15

Overview

For some organizations, and for certain people in every organization, the security of their e-mail is essential. Out of the box, Exchange 2003 provides a fairly secure environment that meets the needs of most organizations and their users. But some users, such as the CxOs, may have very sensitive e-mails that they want only a few people to be able to read. In addition, those people or organizations with a need for a higher level of security might also want to ensure that the people receiving their e-mails know that they are in fact from that user and have not been tampered with. This is where S/MIME, or Secure Multipurpose Internet Mail Extensions, comes into play. S/MIME is supported by Exchange 2003, Outlook 2003, Outlook Web Access 2003, many non-Microsoft mail systems, and, in some form, earlier versions of Outlook and Exchange.

Exchange 2003 supports both e-mail encryption and signing without any configuration changes to Exchange itself, in most cases. When a user digitally signs an e-mail, it tells their client, Outlook 2003 in this example, to create and store a checksum (hash) with the message, to digitally sign the message, and to encrypt the message checksum with the user's private key. When the receiving user opens the message, Outlook gets the sender's public key from the Certificate Authority (CA) that issued it, decrypts the message checksum, and verifies that the message has not been modified since it was sent. This is supported by both Outlook 2003 and OWA 2003 "out of the box". When a user chooses to encrypt a message, the entire message is encrypted using both the recipient's public key and the sender's private key. When the message is received by the recipient, their private key and the sender's public key are used to verify the message checksum and to decrypt the message.

For both e-mail signing and encryption, public and private certificates (keys) are required. These certificates can either be created internally using a Windows 2003 certificate server or obtained as public certificates, which must be purchased. If e-mails only need to be signed and encrypted within your organization, a Windows 2003 CA will meet your needs. Otherwise, certificates must be purchased for each user sending encrypted messages. In this article I will focus only on using a Windows 2003 CA for internal e-mail security.

A) Setting up a Certificate Authority

The first step is to set up a certificate authority to issue certificates, which include both public and private keys, to end users. Windows 2003 Enterprise Edition supports auto-enrollment of keys, which allows all users in your organization to get keys automatically. Without Enterprise Edition, users must manually request and install certificates on the systems they normally use. The steps below cover both cases.

Note: The server that the CA is installed on cannot be renamed or moved to another domain. The CA can be moved to another system, in the case of system failure, but the new system must have the same name as the original system.

A.1) Environment Requirements

1) Windows 2003 Enterprise Edition server

   Enterprise Edition is required for auto-enrollment of client certificates. Without Enterprise Edition, users will have to request a certificate manually.

2) Windows 2003 Domain Controller

   Only one DC has to be running Windows 2003. When installing Windows 2003, the AD schema is updated to the Windows 2003 version, which is required for a Windows 2003 CA server.

A.2) Installing a CA

1) On a Windows 2003 box, launch Add/Remove Programs

2) Click on Add/Remove Windows Components and select "Certificate Services"

A) Choose "Enterprise root CA" if you know that no other root CA has been deployed in your environment, or at least none integrated with the Active Directory

B) Enter the name for the CA; the server name can be used

C) Confirm the paths where the certificate database will be stored

A.3) Setting up certificates for users

1) Creating a certificate template

A) Launch the certificate management snap-in

a) Under Administrative Tools, launch Certification Authority

b) Right click on "Certificate Templates" and choose Manage

B) Create a new certificate template

   A certificate template is used by the CA server to issue new certificates to users with the appropriate settings.

a) Right click on "Exchange User" and choose Duplicate Template, see Figure 1 - Duplicate Template

Figure 1 - Duplicate Template

b) Change the name to "Exchange User Certificate", or another name of your choice

c) Check "Publish certificate in Active Directory" and confirm the other options shown in Figure 2 - General Settings

Figure 2 - General Settings

d) On the Request Handling tab, choose "Signature and encryption" for the Purpose and confirm the other options as shown in Figure 3 - Request Handling

Figure 3 - Request Handling

e) On the Subject Name tab, choose "Build from this Active Directory information" and select "Fully distinguished name"

1) Also check "Include e-mail name in subject name", as shown in Figure 4 - Subject Name

Figure 4 - Subject Name

f) On the Superseded Templates tab, click Add...

1) Select "Exchange User" from the list and click OK. You should end up with the settings shown in Figure 5 - Superseded Templates

Figure 5 - Superseded Templates

   This tells Windows not to use the preexisting Exchange User template anymore.

g) Configure security on the new template so that the required users are auto-enrolled for a certificate created from the template

1) To enable all users in your organization to get a certificate based on this template, grant "Authenticated Users" the Read, Enroll, and Autoenroll rights, as shown in Figure 6 - Security

Figure 6 - Security

2) If you want to limit which users get certificates, create a new group, or select an existing one, and grant it these three rights

h) Click OK when done to save the newly created certificate template

2) Enable auto-enrollment of certificates in the Active Directory

   Auto-enrollment requires that the CA server is installed on a Windows 2003 Enterprise Edition server.

A) Modify a GPO to enable auto-enrollment

   This setting has no effect if you are not using Windows 2003 Enterprise Edition.

a) Launch ADU&C, right click your domain, and choose Properties

b) Click the "Default Domain Policy" and choose Edit

   If you have GPMC installed, open it and edit the policy there.

c) Expand "User Configuration\Windows Settings\Security Settings" and click on "Public Key Policies"

d) Verify that "Enroll certificates automatically" is checked

e) Check the two options under "Enroll certificates automatically", as shown in Figure 7 - Auto-enrollment Settings

Figure 7 - Auto-enrollment Settings

f) Repeat the above steps for "Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Autoenrollment Settings"

g) Click OK and close the GPO

B) Wait a few days for users to get their new certificates

C) View the issued certificates

a) Launch the certificate management snap-in

b) Click on "Issued Certificates"

c) Sort by Requester Name to see which certificates have been issued to your users; those issued based on the new template should show "Exchange User Certificate" in the Certificate Template column
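The CA console shows what was issued, but the client side is what Outlook actually uses. The following PowerShell check, added here and not part of the original article, inspects the logged-on user's personal certificate store and reports whether a certificate from the custom template is usable for S/MIME: it carries the Secure Email enhanced key usage, has its private key present, and has not expired. It assumes a PowerShell version with the Cert: drive (Windows Vista/2008 or later; on Windows 2003 use `certutil -store -user My` to inspect the same store) and the template name chosen in step A.3.

```powershell
# Added check: does the current user hold an S/MIME-capable certificate
# issued from the template created in step A.3? (Not from the original article.)
$TemplateName   = 'Exchange User Certificate'   # assumption: name chosen in step A.3.1.B.b
$SecureEmailEku = '1.3.6.1.5.5.7.3.4'           # id-kp-emailProtection (Secure Email)
$TemplateOids   = '1.3.6.1.4.1.311.21.7',       # Certificate Template Information (v2 templates)
                  '1.3.6.1.4.1.311.20.2'        # Certificate Template Name (v1 templates)

function Test-SmimeCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect the EKU OIDs; a signing/encryption cert for mail must list Secure Email.
    $ekus = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }

    # The template extension's formatted text contains the template's display name.
    $templateText = ($Cert.Extensions |
        Where-Object { $TemplateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) }) -join ' '

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey                # required to sign and to decrypt
        SecureEmail   = $ekus -contains $SecureEmailEku    # required for S/MIME
        FromTemplate  = $templateText -like "*$TemplateName*"
        Expired       = $Cert.NotAfter -lt (Get-Date)
    }
}

$results = Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-SmimeCertificate $_ }
$results | Format-Table Subject, HasPrivateKey, SecureEmail, FromTemplate, Expired, NotAfter -AutoSize

$usable = $results | Where-Object { $_.HasPrivateKey -and $_.SecureEmail -and $_.FromTemplate -and -not $_.Expired }
if (-not $usable) {
    Write-Warning "No usable S/MIME certificate from template '$TemplateName' in the user's store. Check the GPO auto-enrollment settings and the template's Read/Enroll/Autoenroll rights, then run 'certutil -pulse' to trigger an enrollment pass."
}
```

A certificate that shows SecureEmail as True but HasPrivateKey as False is the usual sign that the user is on a machine other than the one where enrollment happened, which matters when the template does not allow the private key to be exported.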
