Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


November 20, 2006

Messaging Security

Learn about 5 ways to encrypt your email communications
A Web Exclusive from Windows IT Pro
Devin L. Ganger
Feature
InstantDoc #93965
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Protocols Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Microsoft Exchange Server gives you several options for keeping your email message data secure. The options fall into two categories: transport encryption, which protects the connection between two machines and thus protects the contents of the message over that conversation; and message encryption, which protects the message itself independent of the connections it travels over, ensuring that only the recipient can read it.

Transport Encryption
Transport encryption, also known as session encryption, protects the protocol over which the message data is transmitted. The three main kinds of transport encryption are: Encrypted Messaging API (MAPI), Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and IPsec.

If you want to secure sessions between Microsoft Outlook and Exchange, enable encryption of the MAPI protocol. MAPI uses remote procedure call (RPC) between the client and server. By default, the RPC streams are unencrypted, but you can enable 128-bit RPC encryption in the Outlook user profile. Be aware that this setting provides a relatively weak level of encryption and only protects the MAPI traffic between Exchange and Outlook. It does nothing to protect email messages that go beyond the sender's mailbox server.

SSL and TLS are similar protocols in that they provide application-level encryption. The main difference is that you must establish SSL communications on a different port from their unencrypted counterpart, while you can establish TLS over an initially unsecure connection. Exchange currently supports TLS only over SMTP connections but supports SSL over POP3, IMAP, Network News Transfer Protocol (NNTP), and HTTP. ( Exchange's TLS implementation isn't fully opportunistic; you can't handle both secured and unsecured connections from the same virtual server.)

IPsec is a set of IP extensions that provide the ability to authenticate and encrypt IP communications. IPsec has been part of Windows since Windows 2000. Although IPsec is more complex to enable and manage than other options, it also provides more flexibility. Because IPsec is an OS feature, it can protect any application (unlike SSL and TLS, which require that an application support the standards). With Windows IPsec, you need only create the proper Group Policy Objects (GPOs) and attach them to the proper containers in Active Directory (AD) to establish the necessary IPsec filters and behavior. IPsec is therefore suitable for protecting connections between front-end and back-end servers.

If your email message data travels over multiple hops, each hop must be secured or you potentially expose the data to unauthorized parties. If you do secure each hop, the message will be secure while traveling over the wire but will still be unencrypted on each intermediate system between the sender and recipient.

For more information about how to secure the various protocols used in Exchange (and where to use them), see the resources in the Learning Path box, including "Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server" in the Exchange Server 2003 Technical Documentation Library at http://www.microsoft.com/ exchange/library.

Message Encryption
By contrast, the technique of message encryption sounds simple: Encode the message data with a key that only the recipient knows. No matter how the message gets there, you can be confident that only the recipient can read it. The two best known standards for message-level encryption are pretty good privacy (PGP) and Secure MIME (S/MIME).

PGP. PGP and the open-source alternative GNU Privacy Guard (GPG) provide a more ad hoc approach to implementing message security than S/MIME. Unlike S/MIME, PGP and GPG don't require a central public key infrastructure (PKI); users manage their own list of digital certificates (known as their keyring). Because of this feature, users must have a third-party plug-in to use PGP with Outlook. And, as far as I know, you can't validate PGP-signed messages (or view PGP-encrypted messages) in Microsoft Outlook Web Access (OWA) at all. In my experience, PGP is great for single users, but it doesn't scale well to the enterprise level.

S/MIME. S/MIME is an Internet Engineering Task Force (IETF)approved method for formatting and exchanging digitally signed and encrypted electronic messages. S/MIME requires a healthy PKI for deployment. The Exchange/Outlook implementation works in tandem with the certificate authority (CA) and AD functionality in Windows to let users easily enroll and gain their own certificates for securing their email messages. Outlook can then retrieve the necessary recipient certificates for other users in the organization. If you want to use S/MIME with users outside your organization, you need to ensure that your PKI is properly configured, a topic beyond the scope of this article.

S/MIME works as follows (PGP works similarly):

  1. The sender composes an email message in his or her mail client.
  2. As the email message is submitted, the message is encrypted and signed according to a specific set of public and private keys (the recipient's public key and the sender's private key).
  3. The message is routed through intermediate systems. It's impervious to inspection by outside parties; tampering and alteration attempts invalidate the digital signature.
  4. The recipient receives the email message. The recipient's client automatically inspects the digital signature to ensure validity, then applies a private key to decrypt the message.

Does this process sound too good to be true? S/MIME does indeed have two major catches. First, as I mentioned previously, S/MIME requires a working PKI to manage the public and private keys for recipients and senders. Exchange 2003 and Exchange 2000 provide, in combination with Windows 2003 and Win2K, the necessary capabilities to create a digital certificate PKI infrastructure suitable for use with S/MIME. This PKI infrastructure integrates with AD, letting users easily manage their own private keys and retrieve public keys for other users in the organization. The Outlook client supports S/MIME, and the Exchange 2003 version of OWA extends S/MIME support to OWA users.

Second, email messages are encrypted before they're submitted to the Exchange message store service. In other words, they travel across the wire, through all intermediate servers, and are stored in the mailbox in encrypted form. This approach disallows all sorts of useful functionality, such as the ability to scan message body content on behalf of server-side rules. S/MIME also interferes with the application of message hygiene measures and message retention and archival policies. Because the message is encrypted before it's ever submitted to an Exchange server, the Exchange organization can't decrypt the message to inspect it.

To use S/MIME, you need an S/MIME-aware software solution .These applications typically can access all user certificates. They scan email messages before they leave your organization and use the appropriate certificate to secure messages as required.

You need to be able to audit the S/MIME email-encryption process. You must also have good controls in place to manage access to the certificate repository because it will become a natural target for attacks. Finally, you need to ensure that your backup, recovery, and archival processes properly handle the complications your message security introduces. For example, you must have backup copies of the certificates, be able to rebuild your PKI, and archive old and expired certificates used for messages still in your archival system.

For more information about deploying S/MIME, see the resources in the Learning Path box, including "Message Security Guide for Exchange Server 2003" in the Exchange Server 2003 Technical Documentation Library.

End of Article

Reader Comments

You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor? Register now




Learning Path For a discussion of Exchange confidentiality, integrity, and availability:
"Messaging CIA"


To bridge front-end and back-end Exchange servers with IPsec:
"Using IPSec with Exchange"


To implement S/MIME for messaging:
"Secure Email with S/MIME"

"Advanced Security in Exchange 2000, Part 2"


To implement SSL for POP, IMAP, SMTP, and HTTP in Exchange 2000 or 5.5:
"Secure Client Communications with SSL"


To run RPC over HTTP with SSL in Outlook 2003, Exchange 2003, and Windows 2003:
"Secure VPN Alternatives"

"Exchange 2003 RPC over HTTP Access"


To run SMTP over SSL in Exchange 2003:
"Understanding and Leveraging SSL-TLS for Secure Communications ebook"


MICROSOFT RESOURCES
"Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server and Message Security Guide for Exchange Server 2003 in the Exchange Server 2003 Technical Documentation Library"
Top Viewed ArticlesView all articles
WinInfo Short Takes: Week of November 23, 2009

An often irreverent look at some of the week's other news, including some post-PDC some soul searching, a Google Chrome OS announcement and a Microsoft response, Windows 7 off to a supposedly strong start, the Jonas Brothers and Xbox 360, and so much more ...

2009 Windows IT Pro Editors' Best and Community Choice Awards

Picking a favorite product from an impressive crowd of competitive offerings is never an easy task, and such was the case with our Editors' Best and Community Choice awards this year. ...

Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...
Related Articles S/MIME and Exchange 2007 SP1
Security Whitepapers Reducing the Costs and Risks of Branch Office Data Protection

Solving Desktop Management Challenges in Healthcare

Solving Desktop Management Challenges in Education
Related Events Managing IT Across Multiple Locations

The Easiest Way to Save Time and Money on E-mail and SharePoint Management

Bail Out Your Exchange Environment

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Calculate your savings now
See how SAN is 57% cheaper than DAS over three years

Free CDs Offer Fundamental Content for IT Pros
Are you up to speed on the latest technologies and solutions? Don't miss out on your chance to get up to speed quickly on fundamental, in-depth information on some of the hottest topics in our library of content.

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Exchange Server 2010: Deploying Unified Communications - Virtual conference
December 1, 2009 - Free Registration. Build your Unified Communications future on a strong Exchange Server 2010 foundation.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement