List of Figures


Chapter 2: Security Protocols and Algorithms

Figure 2-1: Encrypting data with a block cipher produces a ciphertext block.
Figure 2-2: Some of the attributes for a digital certificate.
Figure 2-3: Public-key encryption in action.
Figure 2-4: The digital signature process.
Figure 2-5: The AH data follows the IPv4 packet header; the AH signature is calculated on the IPv4 header and the datagram’s payload.
Figure 2-6: IPsec transport vs. tunnel mode.
Figure 2-7: In one mode of IPsec, AH is used to sign the entire packet, but only a portion of it is protected by ESP.
Figure 2-8: Outlook’s Change Security Settings dialog box lets you specify which algorithms should be used for an S/MIME message.

Chapter 3: Windows and Exchange Security Architecture

Figure 3-1: The Exchange Administration Delegation Wizard is boring but useful.

Chapter 6: Windows 2000 Server Security Basics

Figure 6-1: This machine came out looking like a winner after its MBSA scan.
Figure 6-2: If you have good security settings in Internet Explorer, you’ll be notified whenever a signed ActiveX component or .cab file is downloaded.
Figure 6-3: The MBSA scanning interface is very straightforward.
Figure 6-4: The SUS server pulls data from Windows Update and makes it available on your intranet, subject to the policies you define.
Figure 6-5: Be sure you select the appropriate template, or Exchange will abruptly stop working properly.
Figure 6-6: The Additional Security page. Make sure the Disable Web Distributed Authoring And Versioning check box is cleared.
Figure 6-7: Apply the correct policies to each OU.

Chapter 7: Installing Exchange with Security in Mind

Figure 7-1: Use the Windows 2000 Delegation of Control Wizard to give your account managers the needed permissions.
Figure 7-2: The Permissions page of the Delegation of Control Wizard is where you specify which individual properties or property sets are being delegated.
Figure 7-3: Delegate Exchange permissions by selecting the group you want to delegate to and the role that the group should have.
Figure 7-4: Edit the ACE added by the Delegation of Control Wizard to deny access to sensitive properties.
Figure 7-5: Add more restrictive ACEs on your Exchange installation directory.

Chapter 8: SMTP Relaying and Spam Control

Figure 8-1: A simple routed SMTP environment.
Figure 8-2: The Access tab of the SMTP virtual server Properties dialog box.
Figure 8-3: The SMTP virtual server evaluates the connection control settings before accepting messages for delivery.
Figure 8-4: Setting authentication properties on the SMTP virtual server is one way to control who can relay through it.
Figure 8-5: Block or allow SMTP connections by specifying IP addresses in the Connection dialog box.
Figure 8-6: Use the Computer dialog box to specify IP addresses, ranges, or DNS domains that you want to block.
Figure 8-7: The Relay Restrictions dialog box lets you specify who can and who cannot relay through your server.
Figure 8-8: Block senders or domains with the Filtering tab of the Message Delivery Properties dialog box.
Figure 8-9: You must turn on filter evaluation on individual SMTP virtual servers.

Chapter 9: Content Control, Monitoring, and Filtering

Figure 9-1: Turning on journaling allows you to see copies of all messages sent from or to mailboxes in the specified message store.
Figure 9-2: Add Send As and Receive As permissions to the mailbox.
Figure 9-3: You can search for messages by a variety of fields.
Figure 9-4: Use the Source Server page to select which mailbox server you want to scan.
Figure 9-5: The Message Details tab gives you the ability to scan by subject line or attachment name.

Chapter 11: Securing Internet Communications

Figure 11-1: Name your certificate and select a key length of at least 1024 bits.
Figure 11-2: Select an online CA to send your request directly to it.
Figure 11-3: The Welcome page for the Windows Certificate Services CA.
Figure 11-4: To issue a certificate for a virtual server, select the Advanced Request option.
Figure 11-5: Paste your certificate request file into the Saved Request text box and click Submit.
Figure 11-6: Download the new certificate to finish installing it.
Figure 11-7: Turning on outbound TLS only requires selecting one check box.
Figure 11-8: You can turn on regular or extra-strength TLS for inbound connections.
Figure 11-9: A simple filter list: protect all traffic to port 80 on other machines.
Figure 11-10: Policies, rules, and filters nest together.
Figure 11-11: The Authentication Method page lets you choose among the IPsec authenticators that Windows supports.
Figure 11-12: Choose the source and destination ports you want to apply.
Figure 11-13: Select the newly created filter list to make it part of the rule you’re creating.
Figure 11-14: Actions can allow or deny non-IPsec traffic that matches the filter rule.
Figure 11-15: You can select a custom set of algorithms and Quick Mode IKE settings for each rule.
Figure 11-16: All of the filter action settings are located in the New Filter Action Properties dialog box.
Figure 11-17: Pick the mail protocols that you want to publish.

Chapter 12: E-Mail Encryption

Figure 12-1: A hierarchy is possible with just two entries. Your hierarchy begins when you bring up the first CA, which becomes the root for your hierarchy.
Figure 12-2: Longer keys are used when additional security is needed. These longer certificates can also have a longer lifetime or validity period because the keys are harder to break.
Figure 12-3: The KMS administrator can edit the properties of this entry to enroll, recover, and revoke the e-mail certificate of the selected user.
Figure 12-4: The information you provide here will be signed into the CA certificate, so don’t misspell anything.
Figure 12-5: Users can request certificates themselves by using the Web enrollment application.
Figure 12-6: Using the Certification Authority console, the administrator can select the Pending Requests option from the right pane, and right-click a specific request to issue or deny.
Figure 12-7: The KMS lets you set preferred algorithms for downlevel and S/MIME clients.
Figure 12-8: If your KMS certificate is invalid, you won’t be able to use KMS.
Figure 12-9: Use the Passwords tab to specify how many people must concur before revoking or recovering users’ certificates.
Figure 12-10: You can enroll, recover, or revoke users from their Properties dialog boxes in Active Directory Users and Computers.
Figure 12-11: Specify where to back up the CA data.

Chapter 13: Securing Outlook

Figure 13-1: Blocked attachments are still in the store, but users can’t access them through Outlook.
Figure 13-2: The Outlook Security Settings tab gives you control over how Outlook handles attachments.
Figure 13-3: Control programs’ access to the Outlook object model and address book with the Programmatic Settings tab.
Figure 13-4: Pick the certificate source you want to use for your request.
Figure 13-5: You can use Outlook’s import/export feature to move or copy your certificates between machines, but be careful not to unnecessarily expose them to compromise.
Figure 13-6: Use the Secure E-Mail control group in the Options dialog box Security tab to control Outlook’s S/MIME behavior.
Figure 13-7: Create groups of security settings for use with different certificates or recipients.
Figure 13-8: To sign or encrypt a message, just select the check boxes that correspond to the desired security features.

Chapter 14: Securing Outlook Web Access

Figure 14-1: The basic authentication dialog box appears when you’re using basic authentication, when integrated authentication fails and the browser needs your credentials, or when you’ve set specific access control lists on the requested Web directory.
Figure 14-2: The Authentication Methods dialog box lets you specify which authentication methods you want your Outlook Web Access server to accept.
Figure 14-3: The IIS Error Mapping dialog box lets you provide customized messages for specific errors.
Figure 14-4: Using ISA as a reverse proxy.
Figure 14-5: The simplest configuration is to place Outlook Web Access behind a single firewall.
Figure 14-6: A DMZ offers better security than a single-firewall configuration.
Figure 14-7: Use the Rules tab to create a new rule to protect port 80 FE/BE traffic.
Figure 14-8: The IP Filter List dialog box lists the current filters associated with a filter list; the filter list belongs to a policy.
Figure 14-9: The Destination Sets page of the ISA Management snap-in.
Figure 14-10: Create a destination in the destination set for the /Exchange virtual directory.
Figure 14-11: Include each Outlook Web Access virtual directory in your destination set.

Chapter 15: Securing POP and IMAP

Figure 15-1: You can enable basic and integrated authentication separately for each POP or IMAP virtual server.
Figure 15-2: Turning on SSL is easy, but remember that it might break your wireless clients.
Figure 15-3: Configure Outlook to use SSL for IMAP, SMTP, or both.

Chapter 16: Instant Messaging Security

Figure 16-1: IM is treated as an Exchange feature, so you turn it on or off in the Exchange Features tab.
Figure 16-2: The Privacy tab lets you control who can see selected users’ presence information.
Figure 16-3: Use the Firewall Topology tab to tell the IM server which networks are directly reachable.

Chapter 17: Security Logging

Figure 17-1: You can view local security settings.
Figure 17-2: Change the audit policy using the Local Security Policy Setting dialog box.
Figure 17-3: Edit a domain’s group policy in the policy’s Properties dialog box.
Figure 17-4: Change audit options for a domain in the Group Policy dialog box.
Figure 17-5: Change the security policy setting using the Security Policy Setting dialog box.
Figure 17-6: Folder properties are set through the Properties dialog box.
Figure 17-7: Setting access control settings in the Access Control Settings dialog box.
Figure 17-8: Setting entries to log in the Auditing Entry dialog box.
Figure 17-9: The EventCombMT application is shown at startup.
Figure 17-10: The EventCombMT application is shown for the preceding example.




Secure Messaging with Microsoft Exchange Server 2000
ISBN: 735618763
EAN: N/A
Year: 2003
Pages: 169
