Windows IT Pro

August 01, 2000
Advanced Security in Exchange 2000 and Outlook 2000-Part 3
In the past several months, many highly destructive viruses have moved quickly through companies around the world. As a result, email security has become a hot topic. After the recent Love Letter outbreak, Microsoft released an Outlook patch to protect against such attacks and upgraded the Secure MIME (S/MIME) capabilities of its Outlook 2000 mail client. Microsoft bundled the upgrade with Service Release 1a (SR1a) for Office 2000. The upgrade is known as the Outlook 2000 Federal Release at Microsoft because most of its features meet the US Government's secure mail standards. You can get both the antivirus patch and SR1a from the Microsoft Office Update Web site. Let's look at SR1a's S/MIME enhancements and new capabilities.

Enhanced Ease of Use
SR1a includes an important new feature called auto-configuration that makes it easy to set up and use secure messaging. Auto-configuration simplifies common S/MIME configuration scenarios, such as security profile generation and automatic recovery after a certificate becomes invalid. Auto-configuration launches when you click the Get Digital ID button in the Security Options dialog box and each time you read, send, save, forward, or reply to a secure message.

When auto-configuration runs, several steps take place behind the scenes. First, auto-configuration searches for a valid S/MIME profile. If the profile is invalid (e.g., if its certificates have expired), auto-configuration tries to fix the profile by looking for valid S/MIME certificates in the user's certificate store, which is part of the user's NT profile. If auto-configuration can't fix the S/MIME profile, it tries to create a new S/MIME profile using existing valid certificates. If this doesn't work, it launches the Secure E-mail Wizard, as Figure 1 shows. With the wizard, you can access the Outlook S/MIME Help files or request a new S/MIME certificate by clicking the Get Digital ID button. If you decline the wizard's help or if a secure mail operation fails, Outlook displays a dialog box that explains why it couldn't send a secure message. As Figure 2 shows, these dialog boxes are much more comprehensive than their equivalents in earlier versions of Outlook. (Auto-configuration has also improved other parts of the Outlook user interface (UI): the secure messaging options Encrypt Message and Add Digital Signature always appear, regardless of whether an S/MIME profile is available.)

Note that auto-configuration doesn't automatically renew an invalid certificate. Recovery succeeds only if a valid certificate is available from the certificate store. Also, although the wizard explains how to acquire a certificate, it doesn't request a certificate on your behalf.

Support for Enhanced Security Services
Request for Comments (RFC) 2634 specifies four optional security service extensions, also known as Enhanced Security Services (ESS), for S/MIME: signed receipts, security labels, secure mailing lists, and the signing-certificate attribute. Microsoft has implemented two of them in SR1a: secure receipts and security labels.

Secure Receipts. Secure receipts (which you shouldn't confuse with Outlook's delivery receipts or read receipts) provide "non-repudiation of reading": cryptographic proof that the intended recipient's mail client received the signed message and successfully verified its signature. (Strictly, this proves what the recipient's software did with the message, not that a person read the text.) A secure receipt is itself signed: when you open a message that requests one, your client signs the receipt with your private key. Because only you can access and use that key, you can't later deny having produced the receipt.

A secure receipt takes three steps in its travels. First, you generate and send a message, specifying a secure receipt. Next, the recipient responds to the secure receipt request. Finally, you receive the secure receipt.

You can set the secure receipt request for signed-only or signed-and-encrypted messages, as Figure 3 shows. The message can be clear signed or opaque signed (for more information about clear and opaque signing, see Advanced Security in Exchange 2000, Part 2). In SR1a, you can set secure receipts on the message level only. You can't make secure receipts receiver-dependent: if you set "request secure receipt for this message," it applies to all recipients. Also, secure receipts always return to the message's sender; it's not possible to set another return mailbox. You can make secure receipts the default by checking the "Request secure receipt for all S/MIME signed messages" box in Outlook's security options.

By default, Outlook 2000 SR1a automatically sends a secure receipt when you open the message and the system can cryptographically verify the message signature. If you add the Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\9.0\Outlook\Security\RespondToReceiptRequests (REG_DWORD) and set it to 1, Outlook prompts you before sending a secure receipt: "A request has been made to send a secure receipt when the message has been verified. Do you want to send a secure receipt?" This prompt is independent of the "You must specify your security password to send a secure receipt response" message that you must answer to unlock your private key. Consider enabling the prompt: an automatically returned receipt tells any signer, solicited or not, that the mailbox is live and that the message was opened and verified, and it commits your signature to that fact without your involvement.

To verify a secure receipt (that is, to cryptographically verify the receipt's signature and have Outlook check the receipt's content against the original), you must open the receipt. The receipt identifies the original message and carries a copy of the original's signature value, so Outlook needs your copy of the original to compare against. If the original message isn't in the Sent Items folder, Outlook prompts you to find it. If you can't find the original message, the secure receipt verification fails. If verification succeeds, Outlook 2000 automatically adds tracking information to the original message, as Figure 4 shows. Tracking information lets you check the receipt status of a message from one place.
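The three-step exchange described above, and the checks the originator has to make in step 3, as a runnable model. This is an added example for this article, not Outlook or Exchange code: the asymmetric signatures are stood in by HMAC-SHA256 keyed with a per-party secret and DER encoding by a canonical repr() of the attribute set (both assumptions), while the fields the receipt copies from the original (signedContentIdentifier, originatorSignatureValue, msgSigDigest) and the comparisons follow RFC 2634 sections 2.2 to 2.6. The failure cases show why Outlook insists on finding the original in Sent Items.

```python
"""Model of the RFC 2634 signed-receipt exchange that Outlook 2000 SR1a implements.

Constructed example, not Outlook code.  ASSUMPTIONS: the asymmetric signature is
stood in by HMAC-SHA256 keyed with a per-party secret, and DER encoding by a
canonical repr() of the attribute set.  The binding logic follows RFC 2634.
"""
import hashlib
import hmac
import os

ID_DATA = "1.2.840.113549.1.7.1"             # id-data: ordinary message content
ID_CT_RECEIPT = "1.2.840.113549.1.9.16.1.1"  # id-ct-receipt: the ESS Receipt content type


def _digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _encode(attrs: dict) -> bytes:
    # Stand-in for DER encoding of a signedAttrs SET (order-independent).
    return repr(sorted(attrs.items())).encode()


def _sign(key: bytes, data: bytes) -> bytes:
    # Stand-in for an RSA/DSA signature over the encoded signed attributes.
    return hmac.new(key, data, hashlib.sha256).digest()


def _verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(_sign(key, data), sig)


def send_message(sender_key: bytes, sender: str, content: bytes) -> dict:
    """Step 1: sign a message that carries a receiptRequest attribute."""
    attrs = {
        "contentType": ID_DATA,
        "messageDigest": _digest(content),
        "receiptRequest": {
            "signedContentIdentifier": os.urandom(16),  # unique per message
            "receiptsTo": [sender],                      # SR1a: always the sender
        },
    }
    return {"from": sender, "content": content, "signedAttrs": attrs,
            "signature": _sign(sender_key, _encode(attrs))}


def respond(recipient_key: bytes, recipient: str, msg: dict, sender_key: bytes):
    """Step 2: verify the message; return a signed Receipt, or None if it fails."""
    attrs = msg["signedAttrs"]
    if not _verify(sender_key, _encode(attrs), msg["signature"]):
        return None                      # never acknowledge a message that fails verification
    if attrs["messageDigest"] != _digest(msg["content"]):
        return None
    request = attrs.get("receiptRequest")
    if request is None:
        return None                      # nothing was asked for
    receipt = {                          # the ESS Receipt structure
        "version": 1,
        "contentType": attrs["contentType"],
        "signedContentIdentifier": request["signedContentIdentifier"],
        "originatorSignatureValue": msg["signature"],
    }
    receipt_attrs = {
        "contentType": ID_CT_RECEIPT,
        "messageDigest": _digest(_encode(receipt)),
        "msgSigDigest": _digest(_encode(attrs)),  # digest of exactly what the originator signed
    }
    return {"from": recipient, "to": request["receiptsTo"], "receipt": receipt,
            "signedAttrs": receipt_attrs,
            "signature": _sign(recipient_key, _encode(receipt_attrs))}


def verify_receipt(receipt_msg: dict, sent_items: list, recipient_key: bytes) -> str:
    """Step 3: the originator binds the receipt to its own copy of the original."""
    r = receipt_msg["receipt"]
    original = next(
        (m for m in sent_items
         if m["signedAttrs"].get("receiptRequest", {}).get("signedContentIdentifier")
         == r["signedContentIdentifier"]), None)
    if original is None:
        return "original not found"      # Outlook asks you to locate it; otherwise verification fails
    rattrs = receipt_msg["signedAttrs"]
    if not _verify(recipient_key, _encode(rattrs), receipt_msg["signature"]):
        return "bad receipt signature"
    if rattrs["messageDigest"] != _digest(_encode(r)):
        return "receipt content altered"
    if rattrs["msgSigDigest"] != _digest(_encode(original["signedAttrs"])):
        return "receipt is not for the message as sent"
    if r["originatorSignatureValue"] != original["signature"]:
        return "originator signature mismatch"
    return "verified"


def demo() -> dict:
    """Run the three steps plus the failure cases a verifier has to catch."""
    alice_key, bob_key = os.urandom(32), os.urandom(32)
    msg = send_message(alice_key, "alice@example.com", b"Approve PO 4711")
    receipt = respond(bob_key, "bob@example.com", msg, alice_key)
    results = {"honest": verify_receipt(receipt, [msg], bob_key)}
    # The receipt is bound to one message: against a different Sent Item it fails.
    other = send_message(alice_key, "alice@example.com", b"Approve PO 4712")
    results["wrong_original"] = verify_receipt(receipt, [other], bob_key)
    # A receipt signed with someone else's key proves nothing about Bob.
    results["wrong_signer"] = verify_receipt(receipt, [msg], os.urandom(32))
    # A message altered in transit fails step 2, so no receipt is issued at all.
    forged = dict(msg, content=b"Approve PO 9999")
    results["tampered_message"] = respond(bob_key, "bob@example.com", forged, alice_key)
    return results
```

The point to take from `verify_receipt` is that a receipt is only evidence when it is matched against the originator's own stored copy: the signedContentIdentifier locates the copy, msgSigDigest and originatorSignatureValue prove the receipt refers to that exact signed content, and the receipt's own signature ties the whole thing to the recipient's key. Lose the original and the receipt becomes an unverifiable blob, which is exactly the Outlook behaviour described above.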

Once you've installed SR1a, you might notice that each digitally signed message has a Signed By field in the message header that contains the signer's RFC 822 mail address. Outlook takes this address from the signer's certificate, which accompanies the signed message. The signature verifies only under that certificate's public key, and the certificate itself is signed by the issuing CA, so the address can't be swapped for another without breaking verification. That makes the Signed By field a defense against spoofing of the source mail address and a more reliable representation of the sender's identity than the SMTP From field, which is not cryptographically protected and which anyone can set to any value. Two caveats apply. A valid signature proves only that the holder of the certificate's private key signed the message, so the Signed By address is only as trustworthy as the CA that issued the certificate. And the two fields still have to agree: RFC 2632 requires the receiving client to check that the From (or Sender) address matches an address in the signer's certificate, because a valid signature from one mailbox displayed next to a From line naming another is exactly the spoof the field is meant to catch.
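The From-versus-certificate check just mentioned, written out as an added example (not Outlook code). The multipart/signed message is constructed inline with its signature body omitted, because only the unsigned outer headers take part in this comparison, and the certificate's addresses are passed in as plain strings (an assumption; real code would read the rfc822Name entries from the X.509 subjectAltName). It also covers the two edge cases RFC 2632 section 3 leaves to the client: a Sender header that legitimately differs from From, and a certificate that carries no address at all.

```python
"""Check a signed message's From/Sender address against the signer's certificate.

Constructed example, not Outlook code.  ASSUMPTION: certificate addresses are
supplied as strings instead of being read from the X.509 subjectAltName.
"""
from email import message_from_string
from email.utils import getaddresses

# Constructed multipart/signed message; the signature body is omitted because
# only the unsigned outer headers matter for this check.
SAMPLE_MESSAGE = """\
From: "Alice Example" <Alice@Example.COM>
To: bob@example.com
Subject: PO 4711
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha1; boundary="b1"

--b1
Content-Type: text/plain

Please approve PO 4711.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"

(signature omitted)
--b1--
"""


def _normalize(addr: str) -> str:
    # Mail systems treat addresses case-insensitively in practice; strictly the
    # local part is case-sensitive, but a strict compare yields spurious failures.
    return addr.strip().lower()


def header_addresses(raw_message: str, header: str) -> list:
    """All addresses in the named header, display names stripped."""
    msg = message_from_string(raw_message)
    return [_normalize(a) for _, a in getaddresses(msg.get_all(header, [])) if a]


def check_signer_address(raw_message: str, cert_addresses: list) -> tuple:
    """Return (verdict, detail); verdict is 'match', 'mismatch' or 'unverifiable'."""
    certs = {_normalize(a) for a in cert_addresses}
    if not certs:
        # RFC 2632 requires the check only when the certificate carries an
        # address; the client should then show the subject DN, not an address.
        return "unverifiable", "certificate carries no e-mail address"
    for header in ("From", "Sender"):      # either header may match (RFC 2632 section 3)
        for addr in header_addresses(raw_message, header):
            if addr in certs:
                return "match", f"{header}: {addr} is in the certificate"
    seen = header_addresses(raw_message, "From") + header_addresses(raw_message, "Sender")
    if not seen:
        return "mismatch", "message has no From or Sender header"
    return "mismatch", f"none of {seen} is in the certificate {sorted(certs)}"


def demo() -> dict:
    return {
        # Alice's certificate: the header differs only in letter case.
        "alice": check_signer_address(SAMPLE_MESSAGE, ["alice@example.com"])[0],
        # A valid signature under Mallory's certificate on a message claiming to be from Alice.
        "mallory": check_signer_address(SAMPLE_MESSAGE, ["mallory@example.net"])[0],
        # Certificate without an rfc822Name: nothing to compare against.
        "no_address": check_signer_address(SAMPLE_MESSAGE, [])[0],
    }
```

A client that displays "Signed By" without this comparison would show Mallory's address beside a From line that says Alice and a green signature icon, which is worse than no signature indicator at all. The "unverifiable" verdict is deliberately distinct from "match": a certificate with no address has nothing to vouch for the From line, so the UI should fall back to the certificate subject rather than imply the address was confirmed.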

Security Labels. A security label, a kind of tagging system for email messages, defines the sensitivity of a message's content. As with secure receipts, you can set security labels on signed messages; the label travels as a signed attribute, so it can't be removed or downgraded in transit without invalidating the signature. The power of the security label feature lies in its ability to restrict a user's access to a mail message, which is a standard requirement for messaging systems in military environments. The military, which doesn't want a sergeant (even if that sergeant is a system administrator) to have access to a general's mail, conceived of many of the concepts that RFC 2634 defines and SR1a implements. Keep in mind that the label only states the sensitivity; enforcement happens in the receiving client, so a label protects content only on clients that honor it.

In SR1a, Microsoft provides a UI that lets you attach security labels to the messages you send using Outlook. In addition to the UI, you need two things to implement security labels: security policy modules, which define the classification levels, and client-side logic, which enforces the security labels based on a user's classification level. Because security policies differ for each organization, Microsoft doesn't provide the logic for security labels out-of-the-box. Microsoft will provide a sample policy and a policy module design document in an upcoming Microsoft Platform software development kit (SDK) update.

Enhanced Certificate Access
SR1a makes it easier to share certificates you get from Certification Authorities (CAs) external to your organization or certificates that belong to S/MIME users in other organizations. You can store certificates in a contact entry, and you can publish personal certificates to the Exchange Global Address List (GAL).

The pre-SR1a releases of Outlook 2000 store only a pointer to a contact's certificate in the contact entry; the certificate itself (the certificate blob) lives in the Registry. SR1a stores the certificate twice: once in the Registry and once in the Contacts folder. Sharing certificates is then easy: create a Contacts public folder, or send the contact as an attachment to an email message.

To publish your personal certificates to the GAL, go to Tools, Options, Security Options, and select Publish to GAL (this button is available only when you're running Outlook in Corporate/Workgroup mode). In pre-SR1a versions of Outlook, only the Exchange advanced security certificates (the ones generated using the Key Management Service, KMS) publish to the Exchange directory. With SR1a and later, you can publish any S/MIME certificate, including one you receive from a commercial CA, to the GAL. To disable this feature, set the Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\9.0\Outlook\Security\PublishToGalDisabled (REG_DWORD) to 1.

Under the Hood: Cryptographic Changes
Microsoft has implemented major cryptographic changes in Outlook 2000 SR1a. SR1a supports the Cryptographic Message Syntax (CMS), the Diffie-Hellman key agreement protocol, and the Digital Signature Algorithm (DSA).

The CMS standard describes a format for attaching cryptographic content, such as a digital signature or the result of an encryption operation, to messages. CMS, which RFC 2630 defines, is an open standard that extends the Public Key Cryptography Standards (PKCS) 7 message format. CMS differs from PKCS 7 in that it offers support for message body nesting, key agreement protocols, and unauthenticated message attributes (which CMS itself calls unsigned attributes).

Outlook 2000 SR1a can handle messages that consist of multiple layers of encryption and signing, for example a message that you have signed and encrypted and that another user has then signed again. SR1a doesn't support arbitrarily nested messages; the limit is three layers (the "triple-wrapped" message that RFC 2634 describes: signed, then encrypted, then signed again). Also, it's important to note that Outlook SR1a can't generate messages with a nested message body. However, if SR1a receives a triple-wrapped message, it displays the different encryption and signature layers correctly. SR1a comes with a new interface for displaying extended message security, encryption, and signature details, as Figure 5 shows. To access the new interface, click the signature or encryption detail icon on an S/MIME message.

Outlook SR1a and later can use key agreement protocols, such as the Diffie-Hellman protocol; earlier versions support only key transport. Both kinds of protocol exist to give the communicating parties a shared symmetric bulk encryption key. In a key agreement protocol, each party contributes a piece of the puzzle (in S/MIME's ephemeral-static Diffie-Hellman, the sender's fresh per-message key pair and the recipient's static key pair from its certificate), and the pieces combine into a shared secret from which the key-encryption key is derived. In a key transport protocol, one party generates the bulk encryption key and sends it to the other encrypted under the other's public key. The security difference is not that key agreement uses "more" asymmetric cryptography. It is that the per-message key depends on the recipient's private key as well as the sender's choice, rather than on the sender's random number generator alone, and that the recipient's long-term private key is used to derive a shared secret rather than to directly decrypt a value the other side chose. Note that the ephemeral-static form gives no forward secrecy: compromise of the recipient's static key exposes every message ever sent to it.
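The ephemeral-static exchange described above, both sides included, as an added example (not Outlook code). The recipient's static key pair stands for the Diffie-Hellman key that its certificate would carry, and the sender makes a fresh ephemeral pair per message. Two assumptions: the group is a safe prime generated at run time (256 bits here, far too small for real use) instead of the parameters taken from a certificate, and the key derivation keeps the RFC 2631 shape (SHA-1 over ZZ followed by a counter/OtherInfo block) but uses a simplified OtherInfo rather than the DER structure. The recipient-side validation of the sender's public value is the part practitioners most often leave out.

```python
"""Ephemeral-static Diffie-Hellman in the shape S/MIME (RFC 2631) uses it.

Constructed example, not Outlook code.  ASSUMPTIONS: a run-time 256-bit safe
prime instead of certificate parameters, and a simplified OtherInfo in the KDF.
"""
import hashlib
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int) -> int:
    """p = 2q + 1 with q prime; g = 4 then generates the subgroup of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def keypair(p: int, g: int) -> tuple:
    """Private exponent in [1, q-1] and public value g^x mod p."""
    x = secrets.randbelow((p - 1) // 2 - 1) + 1
    return x, pow(g, x, p)


def kdf(zz: int, p: int, key_len: int = 24) -> bytes:
    """RFC 2631-style: KEK = leading bytes of SHA-1(ZZ || OtherInfo), counter-iterated."""
    zz_bytes = zz.to_bytes((p.bit_length() + 7) // 8, "big")
    out, counter = b"", 1
    while len(out) < key_len:
        other_info = b"id-alg-CMS3DESwrap" + counter.to_bytes(4, "big")  # simplified OtherInfo
        out += hashlib.sha1(zz_bytes + other_info).digest()
        counter += 1
    return out[:key_len]


def sender_kek(p: int, g: int, recipient_public: int) -> tuple:
    """Sender: fresh ephemeral pair; ZZ = recipient_public^x_e; y_e travels with the message."""
    x_e, y_e = keypair(p, g)
    return y_e, kdf(pow(recipient_public, x_e, p), p)


def recipient_kek(p: int, recipient_private: int, ephemeral_public: int) -> bytes:
    """Recipient: validate the sender's value, then ZZ = y_e^x_static."""
    q = (p - 1) // 2
    if not 1 < ephemeral_public < p - 1 or pow(ephemeral_public, q, p) != 1:
        # RFC 2631 2.1.5 public-key validation: rejects y = p-1 and other values
        # outside the order-q subgroup that would leak bits of the static private key.
        raise ValueError("ephemeral public value is not in the order-q subgroup")
    return kdf(pow(ephemeral_public, recipient_private, p), p)


def demo(bits: int = 256) -> dict:
    p, g = safe_prime(bits), 4
    bob_private, bob_public = keypair(p, g)      # what Bob's certificate would carry
    y_e1, kek1 = sender_kek(p, g, bob_public)    # message 1 from Alice
    y_e2, kek2 = sender_kek(p, g, bob_public)    # message 2 from Alice
    try:
        recipient_kek(p, bob_private, p - 1)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "both_sides_agree": recipient_kek(p, bob_private, y_e1) == kek1,
        "per_message_keys_differ": kek1 != kek2,
        "rejects_bad_public_value": rejected,
    }
```

`recipient_kek` is where the static private key touches attacker-supplied input, so it validates that input first; in a key transport scheme the equivalent step is the recipient's private-key decryption of a sender-chosen ciphertext, which is why padding and format checks matter so much there. Both messages in `demo` derive different KEKs from the same static key because the sender's ephemeral value changes, but the same static key decrypts both, which is the forward-secrecy limitation noted above.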

CMS and SR1a also support unauthenticated attributes (unsigned attributes, in CMS terms), which are attributes that the digital signature doesn't cover. You can add them after the message is signed and change them in transit without invalidating the signature. An example is a disclaimer that your organization's SMTP gateway attaches to every outgoing message: carried as an unsigned attribute it leaves the signature intact, whereas appending the same text to the signed message body, as most gateway products do, breaks the signature. The flip side is that nothing authenticates an unsigned attribute, so a client must never present one as part of the signed content. SR1a can handle messages carrying unauthenticated attributes, but it doesn't yet provide a way to add such attributes to a message.

Enabling and Configuring SR1a S/MIME Features
The new SR1a S/MIME features are not enabled by default. To enable them, add the Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\office\9.0\outlook\security\enablesrfeatures (REG_DWORD) and set it to 1.

You can control most of the SR1a Outlook S/MIME features using Registry settings, many of which I have mentioned in this article. For a detailed list of Registry settings, see the Outlook 2000 SR1 white paper. Because these settings are security-related, most organizations will want to enforce them. To do so, create a custom administrative template (*.adm), load it into the Windows 2000 Group Policy Object (GPO) editor, and use GPOs to enforce the settings on your user workstations.
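An administrative template for the three Registry values this article names, as an added example (not from the article and not Microsoft's own Outlook template). It assumes the value names and meanings given above; Registry value names are case-insensitive, so EnableSRFeatures here is the same value as the lowercase spelling in the previous paragraph. Save it as a *.adm file and load it in the Windows 2000 Group Policy editor under Computer Configuration, Administrative Templates (right-click, Add/Remove Templates).

```adm
CLASS MACHINE

CATEGORY !!Outlook2000Security
    KEYNAME "SOFTWARE\Microsoft\Office\9.0\Outlook\Security"

    POLICY !!EnableSRFeatures
        EXPLAIN !!EnableSRFeatures_Help
        VALUENAME "EnableSRFeatures"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

    POLICY !!RespondToReceiptRequests
        EXPLAIN !!RespondToReceiptRequests_Help
        VALUENAME "RespondToReceiptRequests"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

    POLICY !!PublishToGalDisabled
        EXPLAIN !!PublishToGalDisabled_Help
        VALUENAME "PublishToGalDisabled"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

[strings]
Outlook2000Security="Outlook 2000 SR1a S/MIME settings"
EnableSRFeatures="Enable the SR1a S/MIME features"
EnableSRFeatures_Help="Sets EnableSRFeatures=1 under HKLM\SOFTWARE\Microsoft\Office\9.0\Outlook\Security. Without it the secure receipt, security label and related SR1a features stay disabled."
RespondToReceiptRequests="Prompt before sending a secure receipt"
RespondToReceiptRequests_Help="Sets RespondToReceiptRequests=1 so Outlook asks the user before returning a signed secure receipt instead of sending it automatically when a verified message is opened."
PublishToGalDisabled="Disable Publish to GAL"
PublishToGalDisabled_Help="Sets PublishToGalDisabled=1 to remove the user's ability to publish S/MIME certificates to the Exchange Global Address List."
```

Because these values live under HKLM\SOFTWARE\Microsoft\Office rather than under one of the Policies keys, the Group Policy editor treats them as preferences: they are written to the Registry and stay there when the GPO stops applying, and the editor hides them until you turn off View, Filtering, "Only show policy settings that can be fully managed". Each policy here carries a VALUEOFF, so disabling it writes 0 rather than deleting the value, which matches the way the article describes the settings.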

An Upgrade That's Worth the Effort
SR1a extends Outlook's S/MIME capabilities with support for secure receipts, security labels, and message body nesting. SR1a also gives you auto-configuration and enhanced certificate access, two new features that will please most secure messaging users. For organizations with high-security requirements, these features are certainly worth the upgrade. Remember that when implementing security labels, SR1a is just a starting point. Security labels require a great deal of custom development.
