Step 3: Protect Communications Between Windows Mobile-based Devices and Your Exchange Server
To help protect the communications between Windows Mobile-based devices and your Exchange front-end server, follow these steps:
- Deploy SSL to encrypt messaging traffic.
- Enable SSL on the default Web site.
- Configure basic authentication for the Exchange ActiveSync virtual directory.
If you plan to use certificate authentication instead of basic configuration, refer to Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.
If you are using RSA SecurID, you must update the RSA Authentication Agent.
- Protect IIS by limiting potential attack surfaces
See Best Practices for Deploying a Mobile Messaging Solution in this document for more information about authentication and certification.
Deploying SSL to Encrypt Messaging Traffic
To protect incoming and outgoing e-mail, deploy SSL to encrypt messaging traffic. You can configure SSL security features on an Exchange server to verify the integrity of your content, verify the identity of users, and to encrypt network transmissions.
The steps involved in configuring SSL for Exchange ActiveSync are:
- Obtaining and installing a server certificate
- Validating installation
- Backing up the server certificate
- Enabling SSL for the Exchange ActiveSync virtual directory
To perform the following procedures, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. From the command prompt, type the following command: runas /user:administrative_accountname "mmc%systemroot%\system32\inetsrv\iis.msc"
Obtaining and Installing a Server Certificate
After you obtain a server certificate, you will install the server certificate, verify the installation of the server certificate, and back it up. When you use the Web Server Certificate Wizard to obtain and install a server certificate, the process is referred to as creating and assigning a server certificate.
To obtain a server certificate from a Certificate Authority (CA)
Log on to the Exchange server by using an Administrator account.
Click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
Double-click the ServerName to view the Web sites. Right-click Default Web Site, and then click Properties.
Click to select the Directory Security tab. The following illustration shows the IIS Manager window and the Directory Security tab. Under Secure Communications, click Server Certificate.
In the Welcome Web Server Certificate Wizard dialog box, click Next, click Create a new certificate, and then click Next.
Click Prepare the request now, but send it later, and then click Next.
In the Name and Security Settings dialog box, type a name for your server certificate (for example, type <Exchange_Server_Name>), click Bit length of 1024, and then click Next. The following illustration shows the Name and Security Settings dialog box.
Ensure that Select cryptographic service provider is not selected.
- In the Organization Information dialog box, type a name in the Organizationtext box (for example, type <Company_Name>) and in the Organizational unit text box (for example, type <IT Department>), and then click Next.
- In the Your Site’s Common Name dialog box, type the fully qualified domain name of your server or cluster for Common name (for example, type <webmail.mycompany.com>), and then click Next. This will be the domain name that your client mobile devices will access.
- In the Geographical Information dialog box, click Country/region (for example, US), State/province (for example, <State>) and City/locality (for example, <City>), and then click Next.
- In the Certificate Request Filename dialog box, keep the default of C:\NewKeyRq.txt (where C: is the location your OS is installed), and then click Next.
- In the Request File Summary dialog box, review the information and then click Next. The following illustration shows an example of a Request File Summary.
- You should receive a success message when the certificate request is complete. Click Finish.
Next, you must request a server certificate from a valid CA. To do this, you must access the Internet or an intranet, depending on the CA that you choose, by using a properly configured Web browser.
The steps detailed here are for accessing the Web site for your CA. For a production environment, you will probably request a server certificate from a trusted CA over the Internet.
To submit the certificate request
Start Microsoft Internet Explorer. Type the Uniform Resource Locator (URL) for the Microsoft CA Web site, http://<server_name>/certsrv/. When the Microsoft CA Web site page displays, click Request a Certificate, and then click Advanced Certificate Request.
On the Advanced Certificate Request page, click Submit a certificate request by using a base-64 encoded PKCS#10 file, or submit a renewal request by using a base-64 encoded PKCS #7 file.
On your local server, navigate to the location of the C:\ NewKeyRq.txt file that you saved previously.
Double-click to open the C:\ NewKeyRq.txt file in Notepad. Select and copy the entire contents of the file.
On the CA Web site, navigate to the Submit a Certificate Request page. If you are prompted to pick the type of certificate, select Web Server. The following illustration shows an example of a Submit a Certificate Request page.
Click inside the Saved Request box, paste the contents of the file into the box, and then choose Submit. The contents in the Saved Request dialog box should look similar to the following example:
- On the Certificate Issued page, click DER encoded, and then click Download certificate.
- In the File Download dialog box, click Save this file to disk, and then click OK. Keep the default setting to save the file to the desktop, and click Save.
- Close Internet Explorer.
At this point, a server certificate exists on your desktop that can be imported into the Exchange server certificate store.
Next, you must install the certificate.
To install the certificate
Start Internet Information Service (IIS) Manager and expand <DomainName>
Right-click Default Web Site and then click Properties. In the Properties dialog box, select the Directory Security tab. Under Secure Communication, click Server Certificate.
In the Certificate Wizard dialog box, click Next.
Select Process the Pending Request and install the certificate. Click Next.
Navigate to, or type, the location and file name for the file containing the server certificate, certnew.txt, that is located on the desktop, and then click Next.
Select the SSL port that you wish to use. We recommend that you use the default SSL port, which is Port 443.
In the Certificate Summary Information dialog box, click Next, and then click Finish.
To verify the installation, you can view the server certificate.
To view the server certificate
In the Default Web Site Properties dialog box, click Directory Security. Under Secure Communications, select View Certificate. The following illustration shows the Certificate dialog box.
At the bottom of the Certificate dialog box, a message displays indicating that a private key is installed, if appropriate. Click OK to close the Certificate dialog box.
If the certificate does not show that the device carries the private key that corresponds to the certificate, over the air synchronization will not work.
In order for the authentication to function, you must add the CA to the Trusted Root CA list.
To add a CA to the trusted root CA list
Start Internet Explorer and type the URL for your Certificate Authority. For example, if you received your server certificate from the CA that you configured earlier, type http://<server_name>/certsrv.
Click Download a CA certificate, certificate chain, or CRL, and then click Download CA certificate on the next page as well. In the File download dialog box, click Save this file to disk, and then click OK.
Type a server certificate Name (for example, <certnewca.cer>) and then save the file to the desktop.
Navigate to the desktop. Right-click the file that you created in step 3, and then click Install Certificate. In the Certificate Import Wizard dialog box, click Next.
Click Place all certificates in the following store, and then click Browse. Select the Trusted Root Certification Authorities folder, and then click OK. The following illustration shows the Select Certificate Store dialog box.
You may use the Intermediate Certificate Authorities instead of the Trusted Root Certificate Authorities.
- Click Next. A dialog box that says that the certificate is being added to the trusted certificate store appears; click Yes to this dialog box. Click Finish, and the message import successful displays.
Backing up the Server Certificate
You can use the Web Server Certificate Wizard to back up server certificates. Because IIS works closely with Windows, you can use Certificate Manager, which is called Certificates in Microsoft Management Console (MMC), to export and to back up your server certificates.
If you do not have Certificate Manager installed in MMC, you must add Certificate Manager to MMC.
To add Certificate Manager to MMC
From the Start menu, click Run.
In the Open box, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click Add.
The following illustration shows the Add/Remove Snap-in and AddStandalone Snap-in dialog boxes. In the Available Standalone Snap-ins list, click Certificates, and then click Add.
Click Computer Account, and then click Next.
Click theLocal computer (the computer that this console is running on) option, and then click Finish.
Click Close, and then click OK.
With Certificate Manager installed, you can back up your server certificate.
To back up your server certificate
- Locate the correct certificate store. This store is typically the Local Computer store in Certificate Manager.
When you have Certificate Manager installed, it points to the correct Local Computer certificate store.
- In the Personal store, click the server certificate that you want to back up.
- On the Action menu, point to All tasks, and then click Export.
- In the Certificate Manager Export Wizard, click Yes, export the private key.
- Follow the wizard default settings, and type a password for the server certificate backup file when prompted.
Do not select Delete the private key if export is successful, because this option disables your current server certificate.
- Complete the wizard to export a backup copy of your server certificate.
After you configure your network to issue server certificates, you must protect your Exchange front-end server and its services by requiring SSL communication to the Exchange front-end server. The following section describes how to enable SSL for your default Web site.
Enabling SSL for the Default Web Site
After you obtain an SSL certificate to use either with your Exchange front-end server on the default Web site or on the Web site where you host the \Exchange, \Exchweb, \Microsoft-Server-ActiveSync, \OMA, \Public, and \RPC virtual directories, you can enable the default Web site to require SSL.
The \Exchange, \Exchweb, \Microsoft-Server-ActiveSync, \OMA, and \Public virtual directories are installed by default on any Exchange Server 2003 SP2 installation. The \RPC virtual directory for RPC over HTTP communication is installed manually when you configure Exchange Server 2003 SP2 to support RPC over HTTP.
For information about how to set up Exchange Server 2003 to use RPC over HTTP, see Exchange Server 2003 RPC over HTTP Deployment Scenarios.
To require SSL on the default Web site
In the Internet Information Services (IIS) Manager, select the DefaultWeb site or the Web site where you are hosting your Exchange Server 2003 services, and then click Properties.
On the Directory Security tab, in the Secure Communications box, click Edit.
The following illustration shows the Secure Communications dialog box. Click the Require Secure Channel (SSL) check box. Click OK.
Depending upon your installation, the Inheritance Overrides dialog box may appear. Select the virtual directories that should inherit the new setting, for example Microsoft-Server-ActiveSync, and then click OK.
On the Directory Security tab, click OK.
After you complete this procedure, all virtual directories on the Exchange front-end server that is on the default Web site are configured to use SSL.
Configuring Basic Authentication
The Exchange ActiveSync Web site supports SSL connections as soon as the server certificate is bound to the Web site. However, users still have the option to connect to the Exchange ActiveSync Web site by using a non-secure connection. You can require all client Windows-Mobile based devices to successfully negotiate an SSL link before connecting to the Exchange ActiveSync Web site directories.
We also recommend that you enforce basic authentication on all HTTP directories that the ISA Server makes accessible to external users. In this way, you can take advantage of the ISA Server feature that enables the relay of basic authentication credentials from the firewall to the Exchange ActiveSync Web site.
Require SSL Connection to the Exchange ActiveSync Web Site Directories
This prevents all non-authenticated communications from reaching the Exchange ActiveSync Web site and significantly improves the level of security.
If you plan to use Certificate Authentication instead of basic configuration, you must deploy SSL by following the instructions for configuring SSL for Exchange ActiveSync, which are located in Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.
You can repeat these steps with the /Exchange, /Exchweb, /OMA, and /Public directories that are found in the left pane of the IIS MMC console. This can be done to require SSL on the five Web site directories that you can make accessible to remote users:
To require an SSL connection to the Exchange ActiveSync Web site directories
Click Start, point to Administrative Tools and then click InternetInformation Service (IIS) Manager. In Internet Information Services(IIS) Manager, expand your server name and then expand the Default Web Site node in the left pane of the console.
Right-click on the Microsoft-Server-ActiveSync directory so that it is highlighted, and then click Properties.
Click Directory Security. In the Authentication and access control frame, click Edit.
The following illustration shows the Authentication Methods dialog box. Click to clear all check boxes except for the Basic authentication (password is sent in clear text) check box. Place a check mark in the Basic authentication check box.
On the back-end (mailbox) server, you must enable Integrated Windows Authentication in order for Exchange ActiveSync to work. Only disable it on the front-end Exchange server.
- Click Yes in the dialog box that warns you that the credentials should be protected by SSL. In the Default domain text box, type in your domain name.
- Click OK.
- In the Exchange Properties dialog box, click Apply, and then click OK.
- After you have required basic authentication on the directories that you have chosen, close the Internet Information Services (IIS) Manager console.
Confirm forms-based authentication not selected on the Exchange front-end server
Forms-based authentication can be configured on the Exchange front-end server when not using ISA Server to publish Exchange Web client access. When ISA Server is being used to publish Exchange Web client access, forms-based authentication should only be configured on the ISA Server computer.
Perform the following procedure to confirm that forms-based authentication is not selected on the Exchange front-end server.
To confirm forms-based authentication is not selected on an Exchange front-end server
Start Exchange System Manager.
If administrative groups are enabled, expand Administrative Groups.
Expand Servers, and then expand your front-end server.
Expand Protocols, expand HTTP, right-click Exchange Virtual Server, and then click Properties.
Click the Settings tab, and clear the check box Enable Forms Based Authentication.
If you receive a message that states that Internet Information Services (IIS) must be restarted, click OK. To restart IIS, type the following command at a command prompt: iisreset.
Perform this procedure on every Exchange front-end server in your environment that will be used for Outlook Web Access.
Configure or Update RSA SecurID Agent (Optional)
If you have chosen to deploy RSA SecurID as an additional security layer, you should set up your Exchange server as an Agent Host within the RSA ACE/Server’s database at this point.
There have been timing limitations between IIS 6.0 and the RSA/ACE Agent. Be sure to update your RSA/ACE Agent for better compatibility with IIS 6.0. For more information, see the RSA Security Web site.
Protect IIS by Limiting Potential Attack Surfaces
Before you expose servers to the Internet, we recommend that you protect IIS by turning off all features and services except those that are required.
- In Windows Server 2003, IIS features are already disabled by default to ensure the most secure defaults are in place for your server.
- In Microsoft Windows Server 2000, you can protect IIS by downloading and running the IIS Lockdown Wizard and the UrlScan tool.
Windows Server 2003 SP2 and IIS 6.0
Microsoft Windows Server 2003 has many built-in features that help secure IIS 6.0 servers. To help protect against malicious users and attackers, the default configuration for members of the Windows Server 2003 family does not include IIS. When IIS is installed, it is configured in a highly secure, "locked down" mode, only allowing static content. By using the Web Service Extensions feature, you can enable or disable IIS functionality based on the individual needs of your organization even further.
For more information, see "Reducing the Attack Surface of the Web Server" (IIS 6.0) in the IIS Deployment Guide at http://go.microsoft.com/fwlink/?LinkId=67608.
UrlScan version 2.5 is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will accept. By blocking specific HTTP requests, the UrlScan security tool helps prevent potentially harmful requests from ever reaching the server. UrlScan 2.5 will now install as a stand alone installation on servers running Microsoft IIS 4.0 and later.
UrlScan 2.5 is not included with IIS 6.0 because IIS 6.0 has built-in features that provide security functionality that is equal to or better than most of the features of UrlScan 2.5. UrlScan provides some additional functionality, such as verb control, beyond what IIS 6.0 provides. Also, if you have incorporated the use of UrlScan security tool into your server management practices for IIS and for other Microsoft servers, you may want to utilize the additional functionality and features of UrlScan 2.5.
To download the UrlScan security tool, visit the UrlScan Security Tool Web site: http://go.microsoft.com/fwlink/?LinkId=62665.
For more information about the UrlScan and functionality beyond those provided by IIS 6.0, see "Determining Whether to Use UrlScan 2.5 with IIS 6.0" on the UrlScan Security Tool Web site.
UrlScan must be correctly configured for use with Exchange Server 2003 SP2. For full details about how to configure UrlScan for use with Exchange Server 2003 SP2, see "Fine-tuning and known issues when you use the UrlScan tool in an Exchange Server 2003 SP2 environment" at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=62666.
Windows Server 2000
If you are using Windows Server 2000, you should download the IIS Lockdown Wizard to help you disable the IIS features and services that are unnecessary for your environment. To provide multiple layers of protection against attackers, the IIS Lockdown Wizard also contains an earlier version of the UrlScan security tool, which functions in an almost similar way to the UrlScan 2.5 feature discussed earlier.
The IIS Lockdown Wizard contains a configuration template for Exchange that turns off unwanted features and services. To use this configuration template, run the IIS Lockdown Wizard, select the Exchange template and then change or accept the default configuration options. Additional templates are provided as part of the lockdown tool as well.
For more information about how to install and use IIS Lockdown Wizard, see How to install and use the IIS Lockdown Wizard.
To download the IIS Lockdown Tool (version 2.1) visit "IIS Lockdown Tool (version 2.1)" at the Windows 2000 Web site.
To help maximize the security of your Exchange servers, apply all the required updates both before and after you apply the IIS Lockdown Wizard. The updates help the servers remain protected against known security vulnerabilities.