By default, all data transported in an Exchange 2007 organization is secured. Client access, including Outlook Web Access (OWA) and Outlook Anywhere, is secured with an SSL certificate, and traffic between Exchange servers is encrypted using mutual Transport Layer Security (TLS). Outlook 2007 client traffic is also secured through Remote Procedure Call (RPC) encryption and encrypted MAPI submission.
Outlook 2003 can also use this encryption, but it is not enabled by default. The setting is specific to each account and is configured from Tools > Account Settings. In the account settings window, select the option to view or change existing email accounts, then select Change > More Settings. On the Security tab, under the Encryption area, check the box for the option "Encrypt data between Microsoft Office Outlook and Microsoft Exchange".
Important note: this encryption applies only while a message is in transit, from client to server and from server to server. Once the message has reached the client, the encryption is removed and the data can be viewed.
Server to Server | Authentication | Encryption | Remarks
--- | --- | --- | ---
Mailbox to Hub | NTLM / Kerberos | RPC encryption algorithm | Emails are encrypted during transit
Hub to Hub | Kerberos | TLS | Emails are encrypted during transit
Hub to AD | Kerberos | Kerberos | Emails are encrypted during transit

Client to Server | Authentication | Encryption | Remarks
--- | --- | --- | ---
Outlook 2003 | Kerberos / NTLM | Disabled by default; needs to be enabled | Emails are encrypted during transit
Outlook 2007 | Kerberos / NTLM | Yes, using the RPC encryption algorithm | Emails are encrypted during transit
OWA | Forms based | SSL | Emails are encrypted using SSL
Outlook Anywhere | NTLM | SSL | |
Client to External | SMTP configuration settings | TLS | Encrypted only if the receiving SMTP server has TLS enabled. The email travels in encrypted form within the organization; the sending server then attempts an ESMTP handshake with the recipient SMTP server using TLS, and if this fails it still connects to the recipient SMTP server and the email travels in plain text.
Digital certificates are used both to encrypt and decrypt information and to sign messages digitally for sender validation. The majority of certificates follow the X.509 standard certificate format. An X.509 certificate is made up of the following fields:
1. Version number
2. Serial number
3. Signature algorithm ID
4. Issuer name
5. Validity period (start date and end date)
6. Subject Name
7. Subject Public key information
8. Issuer unique identifier
9. Subject unique identifier
10. Extensions
11. Signature hash
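As an added example (not Exchange code or the author's), the pure-Python DER walker below builds a small, dummy-signed v3 certificate and reads back the fields listed above in the same order. The names, dates, serial number, key bits and signature bytes are all constructed for illustration; the signature is a placeholder and nothing is verified.

```python
# Added example, not Exchange code: every name, date and signature byte below is made up.
def tlv(tag, body):  # encode one DER tag-length-value (bodies shorter than 65536 bytes)
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body
OID_CN = b"\x06\x03\x55\x04\x03"                                   # 2.5.4.3 commonName
OID_SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # 1.2.840.113549.1.1.11
OID_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"          # 1.2.840.113549.1.1.1
NULL = b"\x05\x00"
def name(cn):  # Name ::= SEQUENCE OF SET OF SEQUENCE { type, value }; a single CN here
    return tlv(0x30, tlv(0x31, tlv(0x30, OID_CN + tlv(0x0C, cn.encode()))))
def build_sample_cert(subject="cas01.example.local", issuer="cas01.example.local"):
    alg = tlv(0x30, OID_SHA256_RSA + NULL)                                 # signature algorithm ID
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    spki = tlv(0x30, tlv(0x30, OID_RSA + NULL) + tlv(0x03, b"\x00" * 9))  # placeholder key bits
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))                          # [0] version: 2 = v3
              + tlv(0x02, b"\x01\x23") + alg + name(issuer) + validity + name(subject) + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xAA" * 32))        # placeholder signature
def read_tlv(buf, pos):  # decode one TLV at pos, returning (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the low bits give the number of length bytes that follow
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln
def children(body):  # split a constructed value into its (tag, value) members
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out
def common_name(name_body):  # walk RDN sets until the commonName attribute is found
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, t), (_, v) = children(atv)
            if t == OID_CN[2:]:
                return v.decode()
ALGS = {OID_SHA256_RSA[2:]: "sha256WithRSAEncryption", OID_RSA[2:]: "rsaEncryption"}
def parse_cert(der):  # return the certificate fields listed above, in the same order
    (_, tbs), (_, sig_alg), (_, sig) = children(read_tlv(der, 0)[1])
    f, version = children(tbs), 1
    if f[0][0] == 0xA0:  # the explicit [0] version field is absent in v1 certificates
        version, f = f[0][1][2] + 1, f[1:]
    serial, alg, issuer, validity, subject, spki = f[:6]
    nb, na = children(validity[1])
    return {"version": version, "serial": int.from_bytes(serial[1], "big"),
            "signature_algorithm": ALGS.get(children(alg[1])[0][1], "unknown"),
            "issuer": common_name(issuer[1]), "subject": common_name(subject[1]),
            "validity": (nb[1].decode(), na[1].decode()),
            "self_signed": common_name(issuer[1]) == common_name(subject[1])}
```

The `self_signed` flag is the check that matters for the discussion that follows: a certificate whose issuer equals its subject was signed by the server itself, not by any authority that clients already trust.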
Exchange uses X.509 certificates to secure communication between servers and between clients and the Exchange server. When Exchange 2007 is installed, it generates a self-signed certificate to secure the point-to-point communication path. When clients connect to the CAS server, they use this self-signed certificate, or another SSL certificate can be used in its place. Such an alternate certificate would have to come from a third-party public authority whose certificates clients already trust. Self-signed certificates are typically used only in the local environment, since they are produced locally rather than by a public authority; they are not trusted by a public authority and are therefore not good replacements for securing communication and authentication over networks.
2.1. Third party trusted certificates:
Many companies offer TLS / SSL certificate services that work well for Exchange server. Microsoft maintains a list of trusted public certificate authorities that includes VeriSign, Entrust and GoDaddy.
Please let me know if this post was helpful.