Step 3: Protect Communications between Phones with the Windows Mobile 6.5 Operating System and Microsoft Exchange Server 2010
Follow these steps to help protect communications between your Exchange Client Access Server and Windows® phones:
- Deploy SSL to encrypt messaging traffic.
- Enable SSL on the default Web site.
- Configure basic authentication for the Exchange ActiveSync virtual directory.
- Protect IIS by limiting potential attack surfaces.
See Best Practices for Mobile Messaging Deployment with Exchange Server 2010 for more information about authentication and certification.
Deploy SSL to Encrypt Messaging Traffic
To help protect incoming and outgoing e-mail, deploy SSL to encrypt message traffic. You can configure SSL security features on an Exchange server to verify the integrity of content, to verify the identity of users, and to encrypt network transmissions.
The following steps show how to configure SSL for Exchange ActiveSync:
- Obtain and install a server certificate
- Validate the installation
- Back up the server certificate
- Enable SSL for the Exchange ActiveSync virtual directory
To perform the following procedures, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. From the command prompt, type the following command: run as /user:administrative_accountname "mmc%systemroot%\system32\inetsrv\iis.msc"
Obtain and Install a Server Certificate
Follow these directions to obtain a server certificate, install it, verify the installation, and back it up. When you use the Web Server Certificate Wizard to obtain and install a server certificate, the process is referred to as creating and assigning a server certificate.
To obtain a server certificate from a Certification Authority
- Log on to the Exchange server using an Administrator account.
- Click Start, Programs, Microsoft Exchange Server 2010, and then click Exchange Management Console.
- Expand the Microsoft Exchange On-Premises tree and then click Server Configuration.
- In the Actions pane, click New Exchange Certificate.
- In the New Exchange Certificate wizard, type an administrator-friendly name in the text box and click Next.
- In the Client Access server (Outlook Web Access) list, select both the checkboxes and type the domain names that Outlook requires.
- In the Client Access server (Exchange ActiveSync) list, select the checkbox and type the domain names that Outlook requires, and then click Next.
- In the Organization and Location section, type the organization details.
- Verify the details in the Configuration Summary and click New. You will see the following screen below.
Next, you must request a server certificate from a valid Certification Authority. To do this, you must access the Internet or an intranet, depending on the Certification Authority that you choose, using a properly configured Web browser.
The steps detailed here are for accessing the Web site for your Certification Authority. For a production environment, you will probably request a server certificate from a trusted Certification Authority over the Internet.
To submit the certificate request
- Start Microsoft Internet Explorer. Type the Uniform Resource Locator (URL) for the Microsoft Certification Authority Web site, http://<server_name>/certsrv/. When the Microsoft CA Web site page displays, click Request a Certificate, and then click Advanced Certificate Request.
- On the Advanced Certificate Request page, click Submit a certificate request by using a base-64 encoded PKCS#10 file, or submit a renewal request by using a base-64 encoded PKCS #7 file.
- On your local server, navigate to the location of the C:\NewKeyRq.txt file that you saved previously.
- Double-click to open the C:\NewKeyRq.txt file in Notepad. Select and copy the entire contents of the file.
- On the Certification Authority Web site, navigate to the Submit a Certificate Request page. If you are prompted to pick the type of certificate, select Web Server. The following illustration shows an example of a Submit a Certificate Request page.
Click inside the Saved Request box, paste the contents of the file into the box, and then choose Submit. The content of the Saved Request dialog box should look similar to the following example:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
- On the Certificate Issued page, click DER encoded, and then click Download certificate.
- In the File Download dialog box, click Save this file to disk, and then click OK. Keep the default setting to save the file to the desktop, and click Save.
- Close Internet Explorer.
At this point, a server certificate exists on your desktop that can be imported into the Exchange server certificate store. Next, you must install the certificate.
To install the server certificate
- In the Exchange Management Console, in the Actions pane, click Import Exchange Certificate.
- In the Import Exchange Certificate wizard, browse and select the downloaded certificate, assign a password to the certificate, select the Assign the services to the certificate now checkbox, and click Import.
- Select the services required, click Import, and then click Finish.
The certificate is now installed as shown in the figure below.
Validate the Installation
To verify the installation, view the server certificate.
To view the server certificate
- In the Default Web Site Properties dialog box, click Directory Security. Under Secure Communications, select View Certificate. The following illustration shows the Certificate dialog box.
- At the bottom of the Certificate dialog box, a message indicates that a private key is installed, if appropriate. Click OK to close the Certificate dialog box
If the certificate does not show that the phone carries the private key that corresponds to the certificate, over-the-air synchronization will not work.
For authentication to function, you must add the Certification Authority to the trusted root Certification Authority list.
To add a Certification Authority to the trusted root Certification Authority list
- Start Internet Explorer and type the URL for your Certificate Authority. For example, if you received your server certificate from the Certification Authority that you configured earlier, type http://<server_name>/certsrv.
- Click Download a CA certificate, certificate chain, or CRL, and then on the following page click Download CA certificate. In the File download dialog box, click Save this file to disk, and then click OK.
- Type a server certificate Name (for example, <certnewca.cer>) and then save the file to the desktop.
- Navigate to the desktop. Right-click on the file that you created in step 3, and then click Install Certificate. In the Certificate Import Wizard dialog box, click Next.
- Click Place all certificates in the following store and then click Browse. Select the Trusted Root Certification Authorities folder, and then click OK. The following illustration shows the Select Certificate Store dialog box.
Place all certificates in the following store and then click Browse. Select the Trusted Root Certification Authorities folder, and then click OK. The following illustration shows the Select Certificate Store dialog box.
- Click Next. A dialog box stating that the certificate is being added to the trusted certificate store appears; click Yes to close this dialog box. Click Finish, and the message import successful displays.
Back up the Server Certificate
You can use the Web Server Certificate Wizard to back up server certificates. Because IIS works closely with Windows, you can use Certificate Manager, which is called Certificates in the Microsoft Management Console (MMC), to export and to back up your server certificates.
If you do not have Certificate Manager installed in MMC, you must add Certificate Manager to MMC.
To add Certificate Manager to MMC
- From the Start menu, click Run.
- In the Open box, type mmc, and then click OK.
- On the File menu, click Add/Remove Snap-in.
- In the Add/Remove Snap-in dialog box, click Add.
- The following illustration shows the Add/Remove Snap-in and Add Standalone Snap-in dialog boxes. In the Available Standalone Snap-ins list, click Certificates, and then click Add.
- Click Computer Account, and then click Next.
- Click the Local computer (the computer that this console runs on) option, and then click Finish.
- Click OK.
With Certificate Manager installed, you can back up your server certificate.
To back up your server certificate
Locate the correct certificate store. This store is typically the Local Computer store in Certificate Manager.
When you have Certificate Manager installed, it points to the correct Local Computer certificate store.
After you configure your network to issue server certificates, you must update your Exchange Client Access server and its services by requiring SSL communication with the Exchange Client Access server. The following section describes how to enable SSL for your default Web site.
Enable SSL for the Default Web Site
After you obtain an SSL certificate to use with either your Exchange Client Access server on the default Web site or on the Web site where you host the \OWA, \Exchweb, \Microsoft-Server-Exchange ActiveSync, and \Public virtual directories, you can enable the default Web site to require SSL.
SSL is enabled by default. Exchange installs with a self-signed certificate so that EAS will work with SSL; however, you need to replace the self-signed certificate with a valid third-party certificate from a CA because the Windows Mobile operating system will not accept a self-signed certificate.
The \OWA, \Exchweb, \Microsoft-Server-Exchange ActiveSync, and \Public virtual directories are installed by default during any Exchange Server 2010 installation. The \RPC virtual directory for RPC over HTTP communication is installed manually when you configure Exchange Server 2010 to support RPC over HTTP.
To require SSL on the default Web site
- In the Internet Information Services (IIS) Manager, select the Default Web Site or the Web site where you are hosting your Exchange Server 2010 services, and then click the SSL Settings feature.
- Modify the settings as per your requirements, right click, and then click Apply.
After you complete this procedure, the virtual directories on the Exchange Client Access server that is on the default Web site are configured to use SSL.
Configure Basic Authentication
The Exchange ActiveSync Web site supports SSL connections as soon as the server certificate is bound to the Web site. However, users still have the option of connecting to the Exchange ActiveSync Web site using a non-secure connection. You can require all client Windows® phones to successfully negotiate an SSL link before connecting to Exchange ActiveSync Web site directories.
Microsoft recommends that you enforce basic authentication on all HTTP directories that the ISA server makes accessible to external users. In this way, you can take advantage of the ISA server feature that enables the relay of basic authentication credentials from the firewall to the Exchange ActiveSync Web site.
This is a default configuration and does not have to be user-modified.
Require SSL Connection to the Exchange ActiveSync Web Site Directories
This step helps prevent non-authenticated communications from reaching the Exchange ActiveSync Web site.
Unlike prior versions, all virtual directories are SSL-enabled by default in Microsoft Exchange Server 2010. Assuming you are setting up both OWA and EAS, you will need to configure the following additional directories to enable SSL, and make them accessible to remote users:
To require an SSL connection to the Exchange ActiveSync Web site directories
- Click Start, point to Administrative Tools and then click Internet Information Services (IIS) Manager. In Internet Information Services (IIS) Manager, expand your server name and then expand the Default Web Site node in the left pane of the console.
- Click on the Microsoft-Server-Exchange ActiveSync directory so that it is highlighted, and then click the Authentication feature.
- The following illustration shows the Authentication dialog box. Right-click an attribute to modify it.
- After you have required basic authentication on the directories you have chosen, close the Internet Information Services (IIS) Manager console.
Configure or Update RSA SecurID Agent (Optional)
If you have chosen to deploy RSA SecurID as an additional security layer, you should set up your Exchange server as an Agent Host within the RSA ACE/Server’s database.
There have been timing limitations between IIS 7.0 and the RSA/ACE Agent. Be sure to update your RSA/ACE Agent for better compatibility with IIS 7.0. For more information, see the RSA Security Web site.
Protect IIS by Limiting Potential Attack Surfaces
Before you expose servers to the Internet, Microsoft recommends that you help protect IIS by turning off all features and services except those that are required.
- In Windows Server 2008, IIS features are disabled by default to help improve security.
Windows Server 2003 SP2 and IIS 6.0
Microsoft Windows Server 2003 has many built-in features that help secure IIS 6.0 servers. To help protect against malicious users and attackers, the default configuration for members of the Windows Server 2003 family does not include IIS. When IIS is installed, it is configured in a highly secure, "locked down" mode that allows only static content. By using the Web Service Extensions feature, you can enable or disable IIS-specific functionality based on the exact needs of your organization.
UrlScan version 2.5 is a security tool that helps restrict the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, the UrlScan security tool helps prevent potentially harmful requests from reaching the server. UrlScan 2.5 will now install as a stand-alone installation on servers running Microsoft IIS 4.0 and later.
UrlScan 2.5 is not included with IIS 6.0 because IIS 6.0 has built-in features that provide security functionality equal to or better than most of the features of UrlScan 2.5. However, UrlScan provides some additional functionality, such as verb control, beyond what IIS 6.0 provides. If you have incorporated the UrlScan security tool into your server management practices for IIS and for other Microsoft servers, you may want to utilize the additional functionality and features of UrlScan 2.5.
To download the UrlScan security tool, visit the UrlScan Security Tool Web site. For more information about the UrlScan and functionality beyond what is provided by IIS 6.0, see "Determining Whether to Use UrlScan 2.5 with IIS 6.0" on the UrlScan Security Tool Web site. Microsoft has now released URlScan 3.0. This augments UrlScan 2.5 with additional functionality, including the ability to filter based on query strings, which can help mitigate SQL injection attacks.