Document: Module 6: Designing a Security Strategy (docx)

Module 6: Designing a Security Strategy

Contents

- Overview
- Introduction to Designing a Security Strategy
- Protecting Against External Security Threats
- Protecting Against Internal Security Threats
- Designing an Encryption Strategy
- Windows 2000 Security Considerations
- Lab A: Planning Northwind Traders Security
- Lab B: Securing Northwind Traders
- Lab Discussion

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, BackOffice, FrontPage, NetMeeting, Outlook, PowerPoint, SQL Server, Visio, Visual Studio, Win32, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Instructor Notes

Presentation: 75 Minutes
Lab: 120 Minutes

This module provides students with the information necessary to design a security strategy for a Microsoft® Exchange 2000 organization.

After completing this module, students will be able to:

- Identify security risks and describe security best practices.
- Secure an Exchange 2000 organization from external security threats.
- Secure an Exchange 2000 organization from internal security threats.
- Design an encryption strategy.
- Outline security considerations that are related to Microsoft Windows® 2000.

Materials and Preparation

This section provides the materials and preparation tasks that you need to teach this module.

Required Materials

To teach this module, you need the following materials:

- Microsoft PowerPoint® file 1573A_06.ppt
- The Planning for External Attacks job aid
- The Planning for Internal Attacks job aid
- The Designing an Authentication and Encryption Strategy job aid
- The Northwind Traders Case Study
- The Fourth Coffee Case Study

Preparation Tasks

To prepare for this module, you should:

- Read all of the materials for this module.
- Complete the labs and review the lab discussion questions.
- Review the Planning for External Attacks job aid.
- Review the Planning for Internal Attacks job aid.
- Review the Designing an Authentication and Encryption Strategy job aid.
- Review the Northwind Traders Case Study.
- Review the Fourth Coffee Case Study.
- Practice the instructor-led portions of the labs and be prepared to demonstrate them for the benefit of the class.

Note: The job aids are in the Exchange 2000 Design Tool located at C:\MOC\1573A\LabFiles\Exchange_2000_Design_Tool, and on the student compact disc. The case studies are in the Appendices and on the student compact disc.

Module Strategy

Use the following strategy to present this module:
- Introduction to Designing a Security Strategy
  Begin by describing the security risks to which most companies are vulnerable. Next, discuss a list of best practices that every company should consider implementing.

- Protecting Against External Security Threats
  Begin by discussing how to protect against viruses by using virus filters and virus scanners. Continue by explaining why ports are a common entryway for security attacks, and discuss the list of ports and services outlined in the table. Make sure students understand the importance of shutting down access to ports that they are not using. Next, explain how to protect mailboxes and their content from security threats, and how to use bridgehead servers and routing groups to reduce the risk of external security attacks. Conclude this topic by explaining how to plan firewalls. Emphasize again that protecting the ports that provide access to a company’s resources is a crucial function of any effective security strategy.

- Protecting Against Internal Security Threats
  Begin by discussing how to configure distribution list permissions and administrative groups. Make sure students understand how configuring these two features can increase security. Continue by discussing the importance of message archiving. Complete this topic by describing when and why it is appropriate to configure top-level folder permissions.

- Designing an Encryption Strategy
  Begin by explaining the importance of Microsoft Certificate Services, and describe how the Microsoft Exchange Key Management Server and the Certificate Service work together to increase security. Finally, explain how to encrypt Internet mail.

- Windows 2000 Security Considerations
  This topic discusses the security features in Windows 2000 that you should include in the security strategy for an Exchange 2000 organization. Begin by discussing how the Kerberos version 5 authentication protocol provides authentication capabilities. Make sure that students understand the role of the Kerberos protocol in authentication delegation. Complete this topic by discussing the Access Control Model and how to implement it in a security strategy.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

Lab Setup

The following list describes the setup requirements for the labs in this module.

- For each student, a Microsoft Management Console (MMC) custom console must be created. This custom console must include both the Active Directory Users and Computers snap-in and the Exchange System snap-in, and must be named your_firstname Console.
- For each student, a personalized user account must be created in the appropriate domain. This user account must be added to the Domain Admins group, and assigned a mailbox on the server running Exchange 2000 that the student is using.
- For each student, a user profile must be created on the student’s computer that enables the student to access their mailbox by using Microsoft Outlook® 2000.

Lab Results

Performing the labs in this module, including the “If Time Permits” exercise, introduces the following configuration changes:

- A message filter that filters out messages sent from contoso.msft is created in the Northwind Traders organization and applied to the Simple Mail Transfer Protocol (SMTP) virtual server on each student's server running Exchange 2000.
- Only members of the All Executives distribution list (DL) are allowed to send mail to the your_servername Executives DL.
- Membership of the your_servername Executives DL is hidden from everybody’s view.
- Microsoft Key Management Server is installed on the instructor’s machine.
- All student your_username accounts are enabled for advanced security.

Overview

Topic Objective: To provide an overview of the module topics and objectives.

Lead-in: In this module, you will learn how to design a security strategy that enables you to secure an Exchange 2000 organization from internal and external attacks, and how to implement an encryption strategy.

- Introduction to Designing a Security Strategy
- Protecting Against External Security Threats
- Protecting Against Internal Security Threats
- Designing an Encryption Strategy
- Windows 2000 Security Considerations

A company’s messaging infrastructure is crucial to both communication and productivity. Keeping this infrastructure secure and accessible is a high priority for most companies. Designing an effective security strategy requires an understanding of the security risks to which most businesses are vulnerable. A security strategy helps you to assess and avoid risks by identifying the systems and networks that you must protect, and by defining the mechanisms that you will use to secure your environment. A comprehensive security strategy also addresses procedures for identifying and recovering from security breaches.

After completing this module, you will be able to:

- Identify security risks and describe security best practices.
- Secure a Microsoft® Exchange 2000 organization from external security threats.
- Secure an Exchange 2000 organization from internal security threats.
- Design an encryption strategy.
- Outline security considerations that are related to Microsoft Windows® 2000.

Introduction to Designing a Security Strategy

Topic Objective: To outline the most basic topics that are associated with designing a security strategy.

Lead-in: You can begin designing your security strategy by identifying common security risks and the best practices that you can implement to prevent them.

- Identifying Security Risks
- Basic Best Practices

Every comprehensive security strategy includes a description of the security risks to which the company is vulnerable. In addition, an effective security strategy outlines the basic best practices and configuration changes that administrators need to implement to ensure the security of an Exchange 2000 organization.

Identifying Security Risks

Topic Objective: To describe the security risks to which most businesses are vulnerable.

Lead-in: Before you can protect your Exchange 2000 organization, you need to understand the security risks that your company may have to address.

[Slide: Security Risks (Forgery, Data Theft or Tampering, Denial of Service, Mail-Relaying, Spoofing, Trojan Horse, Virus)]

Before you can protect your Exchange 2000 organization, you need to understand the security risks to which most companies are vulnerable. In general, there are two categories of security risks: passive attacks and active attacks. In a passive attack, the attacker sets their network card to a listening mode, but does not tamper with data. In an active attack, the attacker attempts to change information. Determining whether information has been changed, and when that information was changed, may be impossible. Both active and passive attacks can be initiated easily over local area networks (LANs), as well as over wide area network (WAN) links.

The following table identifies the most common types of security attacks.

Type of security risk | Characteristics
Data theft or tampering | Copying, changing, or listening to data that is transmitted over a network or from a disk.
Forgery | Passing data as a third party.
Denial of service | Preventing connections to a server or network by flooding that server or network with incorrect and incomplete data. This causes the receiving server to fill its buffers or queues until it can time out all of the erroneous packets.
Trojan horse | A malicious, security-breaking program that’s disguised as something benign, such as a game or a joke.
Virus | A program that searches out other programs and infects them by embedding copies of itself in them so that they become Trojan horses. When the corrupted programs are run, the embedded virus also runs. This is how the virus propagates itself. Viruses are typically invisible to the user.
Spoofing | Impersonating another person by configuring that person’s e-mail address in the perpetrator’s own e-mail client.
Mail-Relaying | Relaying mail through your company’s servers with the intent of disguising the actual origin of the mail.

Note: For more information about general security issues, see http://www.microsoft.com/security

Exercise: Creating and Applying a Message Filter

In this exercise, you will create a message filter and apply it to all SMTP virtual servers that handle inbound SMTP mail for Northwind Traders. Identify which student in the classroom will create the message filter. This student will be referred to as Student A.

Scenario

You have completed analysis of the security needs of Northwind Traders and created a design for security that includes creating and applying a message filter to SMTP virtual servers that handle inbound SMTP mail. Recently, you have received a considerable amount of unsolicited commercial e-mail from the domain contoso.msft. You need to create and apply a message filter to block messages that are sent from contoso.msft.

Student A only: To create a message filter

1. Expand Northwind Traders, and then expand Global Settings.
2. Right-click Message Delivery, and then click Properties.
3. In the Message Delivery Properties dialog box, click Filtering, select Archive filtered messages, and then select Filter messages with blank sender.
4. Click Add and then type *@contoso.msft
5. Click OK to close the Add Sender dialog box.
6. Click OK to close the Message Delivery Properties dialog box.

For Your Information: You can force Active Directory replication between VAN-GC and the other domain controllers in the room by using Active Directory Sites and Services.

Important: Do not start the next exercise until replication has occurred and the message filter can be viewed from your server.

All students: To apply a message filter

1. Expand Northwind Traders, expand Administrative Groups, expand your_domain Administrative Group, expand Servers, expand your_servername, expand Protocols, and then expand SMTP.
2. Right-click Default SMTP Virtual Server, and then click Properties.
3. In the Default SMTP Virtual Server Properties dialog box, on the General tab, click Advanced.
4. In the Advanced dialog box, click Edit.
5. Select the Apply Filter check box, and then click OK to close the Identification dialog box.
6. Click OK to close the Advanced dialog box, and then click OK to close the Default SMTP Virtual Server Properties dialog box.
All students: To verify that the message filter is working

1. Switch to Outlook Express.
2. Click Outbox, and delete all contents.
3. Click New Mail.
4. In the To box, type your_firstname.your_lastname@nwtraders.msft and in the Subject box type Attempt to Send Junkmail and then click Send.
5. In the Outlook Express dialog box, verify that the server error message reads "The message could not be sent because the server rejected the sender’s e-mail address".
6. Click Hide to close the Outlook Express dialog box.
7. In Outlook Express, click Tools, click Accounts, and then click Mail.
8. Click the junk mail account that you created in Exercise 1, click Remove, and then click Yes.
9. Click Close to close the Internet Accounts dialog box.
10. Close Outlook Express.
11. If prompted to send messages in the Outbox, click No.

Exercise: Configuring Distribution List Permissions

In this exercise, you will configure distribution list permissions for secured Northwind Traders distribution lists.

Scenario

You have completed analysis of the security needs for Northwind Traders, and have created a security design that includes preventing users from sending e-mail to specific distribution lists. Now you need to configure distribution list permissions.

The following table lists the technical support personnel for Northwind Traders and their respective domains.

User name (alias) | Domain
Paul West (paulwe) | NAmerica
Luis Bonifaz (luisbo) | SAmerica
Jae Pak (jaepa) | Europe
Sunil Koduri (sunilko) | Africa
Meng Phua (mengph) | Asia
James Smith (jamessmith) | SPacific
To prevent unauthorized users from sending messages to your_servername Executives

1. Expand Active Directory Users and Computers, expand your_domain, click Users, right-click your_servername Executives, and then click Properties.
2. Click Exchange General, and then in the Message restrictions box, select Only from.
3. Click Add.
4. In the Select Recipient dialog box, in the Look in box, click nwtraders.msft.
5. In the Name column, click All Executives, click Add, and then click OK.
6. Click OK to close the your_servername Executives Properties dialog box.

To hide the membership of your_servername Executives

1. Expand Active Directory Users and Computers, expand your_domain, and then click Users.
2. Right-click your_servername Executives, and then click Exchange Tasks.
3. On the Welcome to the Exchange Task Wizard page, click Next.
4. Click Hide Membership, and then click Next.
5. On the Hide Membership page, click Next.
6. On the Completing the Exchange Task Wizard page, click Finish.

To verify that members of the All Executives DL can send messages to the your_servername Executives DL

1. Open Outlook, and then click New.
2. Click To, click your_servername Executives, click To, and then click OK to close the Select Names dialog box.
3. In the Subject box, type Test Message To Secured DL and then click Send.
4. Verify that you receive the message in your Inbox.
5. Close Outlook.
6. Close your_firstname Console.
7. Log off from Windows 2000.

To verify that unauthorized users cannot send messages to the your_servername Executives DL

1. Log on to Windows 2000 as the technical support representative for your domain by using the information located in the table at the beginning of this exercise.
2. On the desktop, right-click Microsoft Outlook, and then click Properties.
3. In the MS Exchange Settings Properties dialog box, click Show Profiles.
4. In the Mail dialog box, click Add.
5. On the Microsoft Outlook Setup Wizard page, select the Microsoft Exchange Server check box, and then click Next.
6. In the Profile Name box, type your_domain Helpdesk and then click Next.
7. In the Microsoft Exchange server box, type your_city-mbx1 in the Mailbox box, and type the alias of your helpdesk representative, using the information in the table at the beginning of this exercise, and then click Next.
8. When asked if you travel with this computer, verify that No is selected, and then click Next.
9. Click Finish to close the Microsoft Outlook Setup Wizard.
10. In the Mail dialog box, in the When starting Microsoft Outlook, use this profile list, verify that your_domain Helpdesk is selected, and then click Close.
11. Open Outlook, and then click New.
12. In the new message, click To, click your_servername Executives, click To, and then click OK to close the Select Names dialog box.
13. In the Subject box, type Test Message To Secured DL from your_username and then click Send.
14. Verify that you receive a message from the System Administrator with a Subject of "Undeliverable: Test Message To Secured DL".
15. Close Outlook.
16. Log off from Windows 2000.

Exercise: Implementing Message Journaling

In this exercise, you will implement message journaling on all servers in Northwind Traders.

For Your Information: Because this is a classroom, we have had to place the archive mailbox on the mailbox server. In most environments, you would want this mailbox to be located on a dedicated, secure server.

Scenario

You have completed your analysis of Northwind Traders security needs, and created a design for security that includes archiving all messages that are sent from or received by your organization. Now you need to configure message journaling.

Instructor only: To create the system policy container

1. In your_firstname Console, expand Northwind Traders, expand Administrative Groups, and then expand Central Administrative Group.
2. Right-click Central Administrative Group, point to New, and then click System Policy Container.

Student on City-mbx1 only: To create a mailbox store in which to create the message archive recipient

1. Log onto Windows 2000 as your_username.
2. Open your_firstname Console.
3. Expand Northwind Traders, expand Administrative Groups, expand your_domain Administrative Group, and then expand Servers.
4. Click your_servername, right-click your_servername, point to New, and then click Storage Group.
5. In the Properties dialog box, in the Name box, type Message Archive Storage Group and then click OK.
6. Expand your_servername, right-click Message Archive Storage Group, point to New, and then click Mailbox Store.
7. In the Properties dialog box, in the Name box, type Message Archive Store and then click OK.
8. Click Yes to mount the new store, and then click OK to close the Message Archive Store dialog box.
Student on City-FE1 server only: To create a mailbox that receives archived messages

1. Expand Active Directory Users and Computers and then expand your_domain.
2. Right-click Users, point to New, and then click User.
3. In the Full name box, type your_domain Message Archive Recipient and in the User logon name box type your_domainmsgarchive and then click Next.
4. In the Password and Confirm password boxes, type password, select the Password never expires checkbox, and then click Next.
5. Verify that the Create an Exchange mailbox checkbox is selected, and in the Server box, click Northwind Traders/your_domain Administrative Group/City-mbx1, and in the Mailbox Store box, click Message Archive Storage Group/ Message Archive Store, and then click Next.
6. Click Finish to create the new object.

Student on City-FE2 only: To create a mailbox store policy that enables message journaling

1. Expand Northwind Traders, expand Administrative Groups, expand Central Administrative Group, and then expand System Policies.
2. Right-click System Policies, point to New, and then click Mailbox store policy.
3. In the New Policy dialog box, select General, and then click OK.
4. On the General tab, type your_domain Message Archiving policy and then click General (Policy).
5. On the General (Policy) tab, verify that the Default public store is set to a server in your domain.
6. Select Archive all messages sent or received by mailboxes on this store, and then click the corresponding Browse button.
7. In the Look in box, click your_domain.
8. In the Name column, click your_domain Message Archive Recipient, and then click OK.
9. Click OK to close the Message Archiving Policy Properties dialog box.

All students: To apply the Message Archiving Policy to your server

1. Log on to Windows 2000 as your_username.
2. Expand Northwind Traders, expand Administrative Groups, expand Central Administrative Group, and then expand System Policies.
3. Right-click your_domain Message Archiving Policy, and then click Add Mailbox Store.
4. Click Mailbox Store (your_servername), click Add, and then click OK.
5. Click Yes to add the item to the policy.

All students: To verify that messages are being archived

1. Open Outlook, and then click New.
2. Click To, in the Name column click your_username, click To, and then click OK.
3. In the Subject box, type Message Archive Test and then click Send.
4. Switch to your_firstname Console.
5. Expand City-MBX1, expand Message Archive Storage Group, expand Message Archive Store, and then click Mailboxes.
6. Verify in the details pane that the Message Archive mailbox is listed and that the number in the Total Items column is greater than
7. Open Outlook Express.
8. Click Tools, and then click Accounts.
9. In the Internet Accounts dialog box, click Add, and then click Mail.
10. In the Display name box, type your_domain Message Archive Recipient and then click Next.
11. In the E-mail address box, type your_domainmsgarchive@nwtraders.msft and then click Next.
12. On the E-mail Server Names page, in the Incoming mail (POP3, IMAP, HTTP) server box, type archive_server.your_domain.nwtraders.msft
13. On the Email Server Names page, in the Outgoing mail (SMTP) server box, type your_server.your_domain.nwtraders.msft and then click Next.
14. On the Internet Mail Logon page, in the Account name box, type your_domainmsgarchive and in the password box type password and then click Next.
15. Click Finish to complete the Internet Connection Wizard.
16. In the Internet Accounts dialog box, click the Mail tab.
17. Click the city_mbx1.your_domain.nwtraders.msft account, and then click Properties.
18. Click Advanced, select the Leave a copy of messages on server check box, and then click OK.
19. Click Close to close the Internet Accounts dialog box.
20. Click Send/Recv, and then click Inbox to verify that the message from your_username with the subject "Message Archive Test" appears.
21. Close Outlook Express.

All students: To remove the policy from your mailbox store

1. Switch to your_firstname Console.
2. Expand Northwind Traders, expand Administrative Groups, expand Central Administrative Group, and then expand System Policies.
3. Click your_domain Message Archiving Policy, right-click your_servername, and then click Remove from policy.
4. Click Yes to remove the item from the policy.
5. Close your_firstname Console.
6. Log off from Windows 2000.

If Time Permits: Install Key Manager

Scenario

One of the executives at Northwind Traders has recently read an article about encrypting messages, and has decided that she would like to be able to encrypt all messages that she sends to other executives. You decide to implement Key Management Server to meet this need.

Instructor only: To configure the Certification Authority (CA)

1. Log on to Windows 2000 as your_username.
2. On the taskbar, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
3. In Certification Authority, expand NWTraders CA.
4. Right-click Policy Settings, point to New, and then click Certificate to Issue.
5. In the Select Certificate Template dialog box, hold down the CTRL key and then click Enrollment Agent (Computer), click Exchange User, click Exchange Signature Only, and then click OK.
6. Close Certification Authority.
Instructor only: To install Key Manager

1. On the taskbar, click Start, point to Settings, and then click Control Panel.
2. Double-click Add/Remove Programs.
3. Click Microsoft Exchange 2000, and then click Change/Remove.
4. On the Welcome to the Microsoft Exchange 2000 Installation Wizard page, click Next.
5. On the Component Selection page, in the Action column, next to Microsoft Exchange 2000, click Change, and next to Microsoft Exchange Messaging and Collaboration Services, click Change, and next to Microsoft Exchange Key Management Service, click Install, and then click Next.
6. On the Administrative Group page, in the Admin Group Name box, click First Administrative Group, and then click Next.
7. On the Key Management Service Information page, click Manual password entry, and then click Next.
8. In the Microsoft Exchange 2000 Installation Wizard dialog box, read the Key Management server password and write it down.
9. Click OK to close the dialog box, and then click Next.
10. On the Completing the Microsoft Exchange 2000 Wizard page, click Finish.
11. In the Add/Remove Programs dialog box, click Close.
12. Close Control Panel.
13. Open your_firstname Console.
14. Expand Northwind Traders (Exchange), expand Administrative Groups, expand First Administrative Group, and then click Advanced Security.
15. In the details pane, right-click Key Manager, point to All Tasks, and then click Start Service.
16. In the Key Manager Start Up Password box, type the password that you recorded earlier.
17. Right-click Key Manager, and then click Properties.
18. In the Key Management Service password box, type password and then click OK.
19. Click Administrators, then in the Key Management Service password box type password, and then click OK.
20. Click Add and add the name for each student in the class by clicking each student domain in the Look in box, then clicking each student’s name in the Name column, and then clicking OK. You must repeat this step for each student in the class. Type password in each password box when prompted.
21. In the Key Manager Properties dialog box, click Enrollment, in the Key Management Service password box type password, and then click OK.
22. On the Enrollment page, select the Send token in an e-mail check box and then Customize Message.
23. In the Welcome Message dialog box, in the Body box, add two blank lines to the beginning of the text, on the first line type NWTraders Security Directive and then click OK.
24. Click OK to close the Key Manager Properties dialog box.

All students: To enroll users for e-mail security

1. Log onto Windows 2000 as NWTRADERS\Administrator.
2. Open your_firstname Console.
3. Expand Northwind Traders (Exchange), expand Administrative Groups, expand First Administrative Group, and then click Advanced Security.
4. In the details pane, right-click Key Manager, point to All Tasks, and then click Enroll Users.
5. In the Key Management Service password box, type password and then click OK.
6. In the Enroll Users Selection dialog box, click OK to display an alphabetic list of user names from the global address book.
7. In the Enroll Users dialog box, in the Address Book column, click your_username, click Add, and then click Enroll.
8. When notified that the selected users were successfully enrolled for e-mail security, click OK.
9. Click Close to close the Enroll Users dialog box.
Students: To configure the Outlook client for digital All encryption/signature Log onto Windows 2000 as your_username Open Outlook, and then open the message that you received from the System Attendant with a subject of “Advanced Security.” Notice that the top line reads NWTraders Security Directive Select the 12 character temporary key and then press CTRL+C to copy the key to the clipboard Close the message that you received from the System Attendant On the Outlook menu, click Tools, click Options, and then click Security On the Security page, click Get a Digital ID, click Set up Security for me on the Exchange Server, and then click OK In the Setup Advanced Security dialog box, in the Digital ID Name box, type your_username SecureID, in the Token box press Ctrl-V to paste the token saved to the clipboard, and then click OK to close the Setup Advanced Security dialog box In the Microsoft Outlook Security Password dialog box, in the Password and Confirm boxes, type password and then click OK Click OK to acknowledge that your security request has been sent to the Microsoft Exchange Key Management server Click OK to close the Options dialog box 10 After a few minutes you will receive an encrypted notification from the Security Authority Open the notification, in the password box, type password, and then click OK 11 When prompted to add the certificate to the root store, click yes 12 In the Microsoft Outlook Security Logon dialog box, in the password box, type password and then click OK 13 Read the message that indicates that your account is successfully securityenabled, and then close the message !" 
Students: To send a secure message All On the Outlook menu, click Tools, click Options, and then click Security On the Security tab, select the Encrypt contents and attachments for outgoing messages check box and then select the Add digital signature to outgoing messages check box Click OK to close the Options dialog box Click New to send a message to a partner in your domain who has been security enabled Open an encrypted message from your partner Notice the icon in the Inbox indicating that the message is both signed and encrypted Module 6: Designing a Security Strategy 55 !" Students: To open your mailbox from Outlook Web Access All On the taskbar, click Start, and the click Run In the Open box type: http://localhost/exchange and then click OK Are you able to read an encrypted message? ANSWER: No, because encryption was completed in Outlook, not in Outlook Web Access To achieve security by using Outlook Web Access, you would need to implement SSL Close Internet Explorer, close Outlook, close your_firstname Console, and then log off Windows 2000 !" 
Students: All

To revoke the digital certificate from your_username

1. Log on to Windows 2000 as your_username and open your_firstname Console.
2. Expand Northwind Traders (Exchange), expand Administrative Groups, expand First Administrative Group, and then click Advanced Security.
3. In the details pane, right-click Key Manager, point to All Tasks, and then click Revoke Certificates.
4. In the Key Management Service password box, type password and then click OK.
5. In the Revoke Users dialog box, in the Available Users column, click your_username, click Add, and then click Revoke.
6. When notified that the selected users were successfully revoked from e-mail security, click OK.
7. Click Close to close the Revoke Users dialog box.
8. Log off Windows 2000.

Lab Discussion

Topic Objective: To discuss the lab.

Lead-in: Let’s discuss the configuration tasks you performed in the labs.

For Your Information: The questions and answers on this discussion page are not printed in the student workbooks. They are intended to facilitate classroom discussion, but you should also feel free to ask your own questions.

QUESTION: What information does the Northwind Traders Case Study provide that can be used to identify the company's security requirements?
ANSWERS:
- Traveling employees use VPN to connect to the corporate network.
- Windows 2000 Professional and Outlook 2000 are standard on all computers.
- Home users are not provided with a messaging client.
- One physical location on each continent has a connection to the Internet.
- Servers running Exchange 2000 are not to be used to relay unsolicited commercial e-mail (UCE).
- Northwind Traders wants to protect employees from receiving UCE, and also from receiving e-mail from non-existent Internet domains.
- Northwind Traders wants to prevent employees from sending company-wide messages and from using certain distribution lists, such as those intended for company executives.
- The router for each office is configured to allow only port 80 (HTTP) and port 443 (SSL) traffic into and out of the perimeter network. Additional ports can be opened if they are needed.
- Northwind Traders does not want user aliases to match SMTP aliases.
- All servers that are exposed to the Internet must be configured to reduce the effectiveness of denial of service attacks.
- Northwind Traders must save copies of every message sent and received.
- Northwind Traders wants to stop viruses before the viruses can infiltrate the network, and they also want to protect the client computers at the desktop level.

Delivery Tip: Because Outlook Web Access is used in this environment, users should configure their browsers to disable their logon cache and to delete saved pages.

QUESTION: Do you agree with the lab answers?

ANSWER: Answers will vary.

QUESTION: If you disagree or see other areas for security, explain why you disagree and what your suggestions would be.

ANSWERS: Answers will vary.

QUESTION: What do you need to configure for Northwind Traders to address their external security needs?

ANSWERS:
- Configure all default SMTP virtual servers for no SMTP relay. (There are no POP3/IMAP4 clients in this environment.)
- Create a message filter and apply it to each virtual server that receives inbound SMTP mail.
- Set up virus protection at the gateway.
- Install virus scanners on the client computers.
- May need to open/close ports at the firewall.
- May need to disable services that aren’t used.

QUESTION: What do you need to configure for Northwind Traders to address their internal security needs?

ANSWERS:
- Configure DL permissions on company-wide and executive distribution lists. You can also limit the number of recipients to which each message can be addressed.
- Configure a dedicated server running Exchange 2000 for message archives, and configure message journaling.
- Configure administrative groups and administrative roles.

QUESTION: Based on the “If Time Permits” exercise in the lab, what do you need to configure for Northwind Traders to address their digital signature and encryption needs?

ANSWERS:
- Use X.509 v3 certificates, and implement Key Management Server.
- Use Windows 2000 Certificate Server.

QUESTION: Did we modify the classroom sufficiently to meet Northwind Traders' needs?

ANSWER: No, we did not. We still need to do the following:
- Set up virus protection at the gateway.
- Install virus scanners on the client computers.
- Implement Key Manager Server.
- Configure a dedicated server running Exchange 2000 for message archives, and configure message journaling instead of using a user mailbox server.

... information has been changed, and when that information was changed, may be impossible. Both active and passive attacks can be initiated easily over local area networks (LANs), as well as over wide area...

... Strategy

In this module, you will learn how to design a security strategy that enables you to secure an Exchange 2000 organization from internal and external attacks, and how to implement an...
disguised as something benign, such as a game or a joke

(continued)
Type of security risk | Characteristics
Virus | A program that searches out other programs and
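Returning to the lab discussion answers on SMTP relay, message filtering, recipient limits and restricted distribution lists: they can be modelled as one acceptance decision on an inbound SMTP envelope. This is an added example, not part of the course material and not Exchange 2000 configuration; the domain names, list addresses, the recipient cap of 25 and the KNOWN_DOMAINS set (standing in for a DNS lookup) are constructed assumptions.

```python
from dataclasses import dataclass, field

# Every name and value below is constructed for illustration.
LOCAL_DOMAINS = {"nwtraders.example"}                     # domains this server hosts
KNOWN_DOMAINS = {"nwtraders.example", "partner.example"}  # stand-in for a DNS lookup
INTERNAL_ONLY_LISTS = {"all-employees@nwtraders.example",
                       "executives@nwtraders.example"}
MAX_RECIPIENTS = 25                                       # assumed per-message cap


@dataclass
class Envelope:
    """SMTP envelope as seen by an Internet-facing virtual server."""
    mail_from: str
    rcpt_to: list = field(default_factory=list)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part ('' if there is no '@')."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def evaluate(env: Envelope) -> tuple:
    """Return (accepted, reason) for one inbound envelope."""
    # A null reverse-path ("") marks a bounce and has no domain to check.
    if env.mail_from and domain_of(env.mail_from) not in KNOWN_DOMAINS:
        return (False, "sender domain does not exist")
    if not env.rcpt_to:
        return (False, "no recipients")
    if len(env.rcpt_to) > MAX_RECIPIENTS:
        return (False, "too many recipients")
    for rcpt in env.rcpt_to:
        # No relay: every recipient must be in a domain hosted here.
        if domain_of(rcpt) not in LOCAL_DOMAINS:
            return (False, "relay denied")
        # Company-wide and executive lists take no mail from the Internet.
        if rcpt.lower() in INTERNAL_ONLY_LISTS:
            return (False, "list closed to Internet senders")
    return (True, "accepted")


if __name__ == "__main__":
    samples = [  # constructed envelopes
        Envelope("buyer@partner.example", ["sales@nwtraders.example"]),
        Envelope("promo@no-such-domain.example", ["sales@nwtraders.example"]),
        Envelope("buyer@partner.example", ["someone@elsewhere.example"]),
        Envelope("buyer@partner.example", ["executives@nwtraders.example"]),
    ]
    for env in samples:
        print(env.mail_from, env.rcpt_to, "->", evaluate(env))
```

The envelope sender is unauthenticated, so the sender-domain check only filters mail from domains that do not exist; it does not prove who sent the message.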

Posted: 24/01/2014, 10:20
