| Section | Page | Length (pages) |
|---|---|---|
| Acknowledgments | v | |
| Introduction | xvii | |

PART I Security Fundamentals

| Section | Page | Length (pages) |
|---|---|---|
| | 3 | 12 |
| | 3 | 1 |
| | 4 | 1 |
| Access and Resource Control | 5 | 2 |
| | 7 | 1 |
| | 7 | 1 |
| Confidentiality and Privacy | 8 | 3 |
| Confidentiality Versus Privacy | 8 | 1 |
| Protecting Confidentiality | 9 | 1 |
| | 10 | 1 |
| | 11 | 2 |
| | 12 | 1 |
| How Malicious Code Does Its Work | 12 | 1 |
| | 13 | 1 |
| | 13 | 2 |
| Security Protocols and Algorithms | 15 | 26 |
| Why Do I Need to Know This? | 15 | 1 |
| | 16 | 4 |
| How Secret-Key Encryption Works | 16 | 1 |
| | 17 | 3 |
| | 20 | 6 |
| | 21 | 2 |
| Plumbing for Digital Certificates | 23 | 1 |
| How Public-Key Encryption Works | 24 | 1 |
| | 25 | 1 |
| | 26 | 3 |
| How Digital Signatures Work | 26 | 2 |
| Digital Signature Algorithms | 28 | 1 |
| | 29 | 10 |
| The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Protocols | 30 | 1 |
| The Internet Protocol Security Extension (IPsec) Protocols | 30 | 4 |
| The Secure Multipurpose Internet Mail Extensions (S/MIME) | 34 | 1 |
| Authentication-Only Protocols | 35 | 4 |
| | 39 | 1 |
| | 40 | 1 |
| Windows and Exchange Security Architecture | 41 | 18 |
| | 42 | 1 |
| | 43 | 4 |
| Built-In Accounts and Groups | 43 | 3 |
| What Happens When You Log On? | 46 | 1 |
| Access Control and Permissions | 47 | 10 |
| How Exchange Modifies the Access Control Process | 48 | 1 |
| Understanding Exchange-Specific Permissions | 49 | 3 |
| | 52 | 2 |
| Permissions and Mailboxes | 54 | 3 |
| | 57 | 1 |
| | 57 | 2 |
| Threats and Risk Assessment | 59 | 14 |
| Types of Security Threats | 60 | 4 |
| | 61 | 1 |
| | 62 | 1 |
| | 62 | 2 |
| Models for Risk Assessment | 64 | 7 |
| | 65 | 2 |
| | 67 | 2 |
| Asset and Threat Assessment for Exchange (or, What Would You Like to Not Lose Today?) | 69 | 2 |
| | 71 | 1 |
| | 71 | 2 |
| Physical and Operational Security | 73 | 10 |
| Physical and Operational Threat Assessment | 74 | 1 |
| Beefing Up Your Physical Security | 75 | 4 |
| | 75 | 2 |
| | 77 | 1 |
| A Few Words About Laptops | 78 | 1 |
| Strengthening Operational Security | 79 | 1 |
| Keeping Your Secrets Secret | 79 | 1 |
| | 80 | 1 |
| | 80 | 3 |

PART II Exchange Server Security

| Section | Page | Length (pages) |
|---|---|---|
| Windows 2000 Server Security Basics | 83 | 34 |
| Taking the First Step: Patch Management | 83 | 17 |
| | 83 | 2 |
| Figuring Out What Needs Patching | 85 | 1 |
| Using the Microsoft Baseline Security Analyzer (MBSA) | 86 | 7 |
| Using MBSA From the Command Line | 93 | 4 |
| Automating Patch Distribution | 97 | 3 |
| Securing What's Most at Risk: A Checklist | 100 | 10 |
| | 101 | 1 |
| Step 2: Set Strong Policies | 102 | 5 |
| | 107 | 3 |
| Tightening Things Further | 110 | 4 |
| | 114 | 1 |
| | 115 | 2 |
| Installing Exchange with Security in Mind | 117 | 22 |
| Designing an Active Directory Structure for Exchange | 118 | 2 |
| Designing a Group Structure | 119 | 1 |
| | 120 | 6 |
| | 120 | 1 |
| Preparing Your Organization and Domains | 121 | 3 |
| Performing the Actual Installation | 124 | 1 |
| | 124 | 1 |
| Other Installation-Related Tasks | 125 | 1 |
| | 126 | 9 |
| Applying the Finishing Touches | 135 | 2 |
| | 137 | 1 |
| | 137 | 2 |
| SMTP Relaying and Spam Control | 139 | 22 |
| | 139 | 3 |
| Understanding SMTP Store-and-Forward Protocol | 139 | 1 |
| | 140 | 1 |
| Why Relaying Is Necessary Sometimes | 141 | 1 |
| How Relaying Can Get You in Trouble | 141 | 1 |
| | 142 | 10 |
| Controlling Access for SMTP Virtual Servers | 143 | 6 |
| Controlling Who Can Relay | 149 | 1 |
| Configuring Relaying on SMTP Connectors | 150 | 1 |
| Verifying Your Relaying Configuration | 151 | 1 |
| | 152 | 4 |
| Common Spam-Blocking Tactics | 153 | 3 |
| Using Exchange's Spam Control Features | 156 | 2 |
| Creating a Domain or Sender Filter | 156 | 2 |
| | 158 | 1 |
| Evaluating Third-Party Antispam Products | 158 | 2 |
| | 159 | 1 |
| Questions About Capability | 159 | 1 |
| | 160 | 1 |
| | 160 | 1 |
| Content Control, Monitoring, and Filtering | 161 | 16 |
| | 162 | 2 |
| | 162 | 1 |
| | 162 | 1 |
| Using a Commercial Product | 163 | 1 |
| Filtering Inbound and Outbound Content | 164 | 2 |
| Evaluating Filtering Products | 165 | 1 |
| Reading Other People's Mail | 166 | 3 |
| | 167 | 1 |
| Granting Permission to Other Mailboxes | 168 | 1 |
| | 169 | 2 |
| Setting Up Message Tracking: A Quick Review | 170 | 1 |
| Tracking a Specific Message | 171 | 1 |
| Searching the Store for Specific Content | 171 | 4 |
| Searching Mailboxes with Exmerge | 172 | 3 |
| | 175 | 1 |
| | 175 | 2 |
| | 177 | 14 |
| Understanding Virus Protection Principles | 177 | 3 |
| | 178 | 2 |
| | 180 | 1 |
| Designing Defense in Depth | 180 | 6 |
| | 180 | 2 |
| | 182 | 1 |
| Exchange Server Protection | 182 | 4 |
| | 186 | 1 |
| | 187 | 1 |
| | 187 | 4 |

PART III Communications Security

| Section | Page | Length (pages) |
|---|---|---|
| Securing Internet Communications | 191 | 30 |
| | 191 | 10 |
| Requesting an SSL Certificate | 192 | 7 |
| | 199 | 2 |
| | 201 | 14 |
| Understanding the Windows IPsec Implementation | 204 | 3 |
| | 207 | 8 |
| Publishing MAPI RPCs with ISA Server | 215 | 3 |
| Creating the Publishing Rules | 216 | 1 |
| Allowing the Exchange Server to Proxy Authentication Traffic | 217 | 1 |
| Configuring Outlook | 218 | 1 |
| | 218 | 1 |
| | 219 | 2 |
| | 221 | 38 |
| Understanding the Exchange-PKI Combination | 221 | 1 |
| Planning Your Encryption Infrastructure | 222 | 19 |
| Detailing Your Specific PKI Goals | 222 | 3 |
| Designing Your CA Infrastructure | 225 | 7 |
| Diving in to Digital Certificates | 232 | 4 |
| | 236 | 1 |
| Understanding the Exchange KMS | 237 | 1 |
| | 238 | 2 |
| Server Performance Guidelines | 240 | 1 |
| Installing Certificate Services | 241 | 10 |
| Installing Certificate Services | 242 | 2 |
| | 244 | 2 |
| | 246 | 5 |
| Configuring and Managing Certificate Services | 251 | 4 |
| Delegation and Segregation | 251 | 1 |
| Building Trusts and Trust Lists | 252 | 1 |
| Backing up and Restoring the CA | 253 | 1 |
| | 254 | 1 |
| | 255 | 1 |
| | 255 | 4 |

PART IV Client Security

| Section | Page | Length (pages) |
|---|---|---|
| | 259 | 24 |
| Understanding Outlook's Security Features | 259 | 6 |
| The Outlook Security Update | 260 | 1 |
| | 260 | 3 |
| Address Book and Object Model Security | 263 | 1 |
| | 263 | 1 |
| | 264 | 1 |
| Customizing the Outlook Security Update | 265 | 7 |
| Installing the Security Package | 265 | 1 |
| Installing the Trusted Code Control | 266 | 1 |
| Creating a Public Folder for Security Settings | 266 | 1 |
| | 267 | 4 |
| Deploying Outlook Security Settings | 271 | 1 |
| Customizing Settings for End Users | 272 | 1 |
| | 273 | 6 |
| | 273 | 3 |
| | 276 | 2 |
| Signing or Encrypting a Message | 278 | 1 |
| Reaching into Outlook's Toolbox | 279 | 2 |
| Converting Inbound HTML Mail to Plaintext | 279 | 1 |
| | 280 | 1 |
| | 281 | 1 |
| | 281 | 2 |
| Securing Outlook Web Access | 283 | 40 |
| Understanding Outlook Web Access | 283 | 5 |
| Front-End and Back-End Servers | 283 | 2 |
| Understanding Outlook Web Access Authentication | 285 | 3 |
| Controlling Access to Outlook Web Access | 288 | 9 |
| Controlling Access to Servers | 289 | 1 |
| Setting Permissible Authentication Methods | 289 | 2 |
| Using Form-Based Authentication | 291 | 3 |
| Controlling Access for Specific Users | 294 | 1 |
| Using Outlook Web Access Segmentation | 294 | 3 |
| Using SSL with Outlook Web Access | 297 | 7 |
| | 298 | 1 |
| Automatically Redirecting Non-SSL Requests | 298 | 1 |
| Enabling Password Changes Through Outlook Web Access | 299 | 3 |
| Load Balancing SSL Traffic with Outlook Web Access | 302 | 1 |
| Controlling Content Caching | 303 | 1 |
| Securing Outlook Web Access with Firewalls | 304 | 9 |
| Opening the Correct Firewall Ports | 306 | 3 |
| Protecting FE/BE Communications | 309 | 4 |
| Publishing Outlook Web Access with ISA Server | 313 | 5 |
| Creating the Web Listener | 314 | 1 |
| Creating the Outlook Web Access Destination Set | 315 | 2 |
| Creating the Web Publishing Rule | 317 | 1 |
| Applying the Finishing Touches | 318 | 3 |
| Shutting Down the Information Store | 318 | 1 |
| Minimizing Running Services | 319 | 2 |
| | 321 | 1 |
| | 321 | 2 |
| | 323 | 10 |
| Understanding POP and IMAP | 323 | 1 |
| Controlling User Access to IMAP and POP | 324 | 2 |
| Choosing an Authentication Method | 324 | 1 |
| Controlling Access by IP Address | 325 | 1 |
| Regulating Who Can Use the Protocol Server | 325 | 1 |
| Using POP and IMAP with SSL | 326 | 3 |
| | 329 | 1 |
| | 329 | 4 |

PART V Advanced Topics

| Section | Page | Length (pages) |
|---|---|---|
| Instant Messaging Security | 333 | 14 |
| Understanding Exchange Instant Messaging | 333 | 3 |
| | 335 | 1 |
| Controlling User Access to IM | 336 | 3 |
| Controlling Access for Individual Users | 336 | 1 |
| Setting User Privacy Properties | 337 | 1 |
| Controlling Access for Groups | 338 | 1 |
| Controlling Access Using Internet Information Services | 339 | 1 |
| Controlling the IM Client Through Group Policies | 339 | 2 |
| | 341 | 4 |
| | 341 | 1 |
| Blocking Outbound Traffic | 342 | 1 |
| Restricting File Transfers | 343 | 1 |
| Using Firewalls with Exchange IM | 343 | 2 |
| Filtering, Archiving, and Monitoring IM Traffic | 345 | 1 |
| | 346 | 1 |
| | 346 | 1 |
| | 347 | 40 |
| Understanding Security Logging | 347 | 2 |
| How Windows 2000 Auditing Works | 348 | 1 |
| What Windows 2000 Puts in the Event Logs | 348 | 1 |
| Using Auditing in Windows 2000 | 349 | 8 |
| | 349 | 1 |
| Controlling What Gets Audited | 349 | 5 |
| | 354 | 3 |
| | 357 | 3 |
| Account Management Events | 357 | 1 |
| | 358 | 1 |
| | 359 | 1 |
| | 359 | 1 |
| | 360 | 1 |
| | 360 | 3 |

PART VI Appendixes

| Section | Page | Length (pages) |
|---|---|---|
| | 363 | 14 |
| The Ten Immutable Laws of Security | 363 | 6 |
| The Ten Immutable Laws of Security Administration | 369 | 8 |
| | 377 | 10 |
| Permissions on Objects in the Exchange Configuration Tree | 378 | 3 |
| Permissions on the Server Object and Its Children | 381 | 1 |
| Permissions on Other Objects in the Configuration Tree | 382 | 1 |
| Permissions Set on Public Key Services Objects | 383 | 1 |
| Permissions on Objects in the Domain Naming Context | 384 | 3 |

| Section | Page | Length (pages) |
|---|---|---|
| Index | 387 | |