Module 6
Planning and Deploying Messaging Security
Module Overview
• Designing Message Security
• Designing Antivirus and Anti-Spam Solutions
Lesson 1: Designing Message Security
• Defining Message Security Requirements
• Designing Restrictions to Message Flow
• Designing SMTP Connector Security
• Designing Secure Message Routing Between Partner Organizations
• Designing Client-Based Messaging Security
Defining Message Security Requirements
To collect information required to analyze e-mail message contents, ask:
• Is confidential business information sent by using e-mail?
• Is private customer information sent by using e-mail?
To collect information required to analyze message recipients and senders, ask:
• Are recipients and senders internal, or is e-mail sent externally?
• Are confidential e-mails sent primarily to a limited number of external organizations, or to a variety of recipients?
If e-mail is secured using policies or technical solutions, analyze the effectiveness and satisfaction with the solution.
Designing Restrictions to Message Flow
Transport rules can restrict message flow or modify message contents for messages in transit.
• Restrict message flow with transport rules
• Implement Hub Transport rules
• Implement Edge Transport rules
• Implement message classifications
Designing SMTP Connector Security
Options for providing additional security for SMTP e-mail:
• Configure authentication for SMTP Receive connectors
• Configure authentication for SMTP Send connectors
• TLS
Designing Secure Message Routing Between Partner Organizations
Domain Security uses TLS with mutual authentication to provide session-based authentication and encryption.
To set up partner security:
1. Generate a request for TLS certificates on the Edge Transport server
2. Import and enable the certificate on the Edge Transport server
3. Configure outbound Domain Security
4. Configure inbound Domain Security
5. Test Domain-secured mail flow
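The five partner-security steps as Exchange Management Shell commands. This is an added example, not part of the course material. The host name mail.adatum.com, the partner domain partner.example, the connector name Internet and the file paths are assumptions.

```powershell
# Added example. Assumed values: mail.adatum.com, partner.example,
# connector name 'Internet', and the C:\Certs file paths.

# Step 1 (Edge Transport server): generate the TLS certificate request.
# The subject must match the FQDN that the partner's servers connect to.
$request = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'Domain Security SMTP' `
    -SubjectName 'cn=mail.adatum.com' `
    -DomainName 'mail.adatum.com' `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\Certs\mail-adatum.req' -Value $request

# Step 2 (Edge Transport server): import the certificate issued by the CA
# and enable it for the SMTP service.
$bytes = [Byte[]](Get-Content -Path 'C:\Certs\mail-adatum.p7b' -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -FileData $bytes | Enable-ExchangeCertificate -Services SMTP

# Step 3 (inside the organization): outbound Domain Security.
# Append to the list; assigning a single value would overwrite other partners.
$config = Get-TransportConfig
$config.TLSSendDomainSecureList += 'partner.example'
Set-TransportConfig -TLSSendDomainSecureList $config.TLSSendDomainSecureList
# The Send connector must route by DNS (DnsRoutingEnabled) for this to apply.
Set-SendConnector -Identity 'Internet' -DomainSecureEnabled $true

# Step 4: inbound Domain Security.
$config = Get-TransportConfig
$config.TLSReceiveDomainSecureList += 'partner.example'
Set-TransportConfig -TLSReceiveDomainSecureList $config.TLSReceiveDomainSecureList
# Run on the Edge Transport server that accepts mail from the Internet.
Set-ReceiveConnector -Identity 'Internet' -DomainSecureEnabled $true -AuthMechanism TLS

# Step 5: confirm the settings before sending a test message to the partner.
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector -Identity 'Internet' | Format-List DomainSecureEnabled, DnsRoutingEnabled
Get-ReceiveConnector -Identity 'Internet' | Format-List DomainSecureEnabled, AuthMechanism
Get-ExchangeCertificate | Format-List Thumbprint, Subject, Services, NotAfter
```

Mutual TLS only succeeds when the partner organization applies the matching configuration on its side and each side trusts the CA that issued the other's certificate.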
Designing Client-Based Messaging Security
S/MIME provides message-level authentication, non-repudiation, data integrity, and message encryption.
AD RMS is a technology that works with RMS-aware applications to help protect documents and e-mail from unauthorized use.
Lesson 2: Designing Antivirus and Anti-Spam Solutions
• Overview of Antivirus and Anti-Spam Solution Requirements
• Options for Implementing Antivirus and Anti-Spam Solutions in Exchange Server 2010
• Designing Anti-Spam Solutions
• Recommendations for Monitoring the Anti-Spam Solution
• Designing Antivirus Solutions
• Managing Antivirus Solutions
Overview of Antivirus and Anti-Spam Solution Requirements
Critical factors to consider when evaluating antivirus and anti-spam solutions include:
• How often are antivirus and anti-spam filters updated, and are the processes automated?
• How does the anti-spam solution provide a balance between false positives and reducing as much spam as possible?
• What options does the solution provide for quarantining potentially malicious messages?
• What management and monitoring tools does the solution provide?
• How well does the solution integrate with your current system?
Options for Implementing Antivirus and Anti-Spam Solutions in Exchange Server 2010
Exchange Server 2010 provides a number of antivirus and anti-spam solutions:
• Connection filtering
• Sender filtering
• Recipient filtering
• Sender ID
• Content filtering
• Sender reputation
• Attachment filtering
• Forefront Protection 2010 for Exchange Server
• Office Outlook Junk e-mail filtering
Designing Anti-Spam Solutions
Consider implementing Edge Transport servers as SMTP gateway servers
Configure filter agents to reject messages
Scan messages for spam before scanning for viruses
Scan for spam at the messaging gateway/Edge Server
Implement safelist aggregation
Implement automatic anti-spam updates
Increase the filtering level over time
Scan for spam on the Hub Transport server
Recommendations for Monitoring the Anti-Spam Solution
As part of the monitoring process, you should:
• Monitor for false positives
• Monitor for filtering effectiveness
• Monitor the quarantine mailbox
• Collect user feedback on the spam filter effectiveness
As part of the monitoring process design, you should:
• Identify administrators, and provide monitoring tools
• Establish guidelines regarding when to monitor the system
• Establish a change control process for modifying spam filters
Exchange Server 2010 enables anti-spam stamps to help you diagnose spam-related problems.
Designing Antivirus Solutions
Scan both incoming and outgoing e-mail
Strip attachments of certain file types
Delete rather than clean infected messages
Implement a defense-in-depth approach
Consider implementing Forefront Security for Exchange Server
Managing Antivirus Solutions
Monitor daily statistics
Regularly monitor antivirus software sites
Automate as many processes as possible
Develop clearly defined policies and processes
Develop a user education process
Consider using Microsoft Exchange Hosted Services
Lab: Planning and Deploying Messaging Security
• Exercise 1: Designing Message Security
• Exercise 2: Designing Antivirus and Anti-Spam Solutions
• Exercise 3: Implementing Message Security
Logon information
Estimated time: 60 minutes
Lab Scenario
You are a messaging engineer for the A. Datum Corporation, an enterprise-level organization with multiple locations. You have been tasked with undertaking an analysis of the organization’s message security requirements. After you complete the analysis, you must update the necessary documentation.
After you have completed the message security analysis, you will investigate the organization’s antivirus and anti-spam requirements, and update the necessary documentation with your planned changes.
Finally, you will implement S/MIME within the A. Datum organization, as per the security requirements document.
Lab Review
• In exercise 3, you configured S/MIME by deploying a suitable certificate to all users in the Adatum.com domain. Using this method, could you exchange S/MIME-secured messages with partner organizations?
• What alternatives could you use instead of S/MIME to secure communications between partner organizations?
Module Review and Takeaways
• Review Questions
• Best Practices