How to Protect E-Mail Confidentiality in Regulated Industries (cont'd)

Helping to Protect E-Mail Confidentiality Scenario

The following procedure to protect e-mail confidentiality relates to small and medium business scenarios similar to the one shown in the following figure.

Figure 1. E-mail services in the medium IT environment

Specifically, e-mail users require confidentiality for e-mail sent to both internal and external locations. To help achieve this, you configure Exchange Server 2003 and the e-mail clients to support S/MIME. Note that S/MIME encryption requires the sender to hold the recipient's certificate: the autoenrollment procedure in this paper issues certificates only to users in your own Active Directory domain, so exchanging encrypted mail with external recipients additionally requires obtaining their certificates (and giving them yours) from a source that both sides trust.

Helping to Protect E-Mail Confidentiality

The following steps identify the configuration procedures that are necessary to help protect your e-mail confidentiality.

Before You Begin

Before you implement S/MIME in an Exchange Server 2003 environment, you must understand what will happen to messages if you have implemented any of the following:

·         Event sinks

·         Antivirus software

Event Sinks and Digitally Signed Messages

Event sinks can perform actions on e-mail messages as the Exchange server handles them. For example, some event sinks alter the content or headers of a message in order to filter it. A valid digital signature proves that a message has not been altered since the sender signed it, so an event sink that alters a signed message invalidates the signature: when the recipient's client verifies the signature, the hash of the received message no longer matches the hash that was signed, and the message is reported as altered, even though the change was made by your own server.

Antivirus Software and S/MIME Messages

When you use a server-based antivirus solution, the same encryption that protects the confidentiality of the message body and attachments from unauthorized users also prevents the server-based antivirus software from inspecting them. Because the antivirus software cannot inspect the message, an encrypted message could carry a virus as an attachment that is exposed only when the recipient decrypts it. You should determine how to address this risk in accordance with your security policy; one common mitigation is antivirus software on the workstation, which can scan the content after the client decrypts it.

Also, if an antivirus program detects a virus in a digitally signed message and cleans the message, that action renders the digital signature invalid, because the program has altered the message while in transit. Although the alteration is not malicious, from the perspective of the digital signature the message has changed, and the recipient's client will identify it as altered.
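The following PowerShell example is added here to show the effect described above; it is not code from the original guide. S/MIME signatures are CMS (PKCS #7) SignedData, so the .NET SignedCms class is used to sign a message body, then the body is altered the way an event sink or an antivirus cleaning step would alter it, and the same signature is verified against both versions. Assumptions: Windows PowerShell 5.1 on Windows 10 or Windows Server 2016 or later (for New-SelfSignedCertificate), and a throw-away self-signed certificate standing in for the user's CA-issued certificate; the message text is constructed for the example.

```powershell
# Added example, not code from the original guide. Demonstrates why a server-side
# change to a signed message (an event sink appending a footer, antivirus cleaning
# an attachment) invalidates the S/MIME signature. Assumes Windows PowerShell 5.1
# and a test-only self-signed certificate in place of the CA-issued one.
Add-Type -AssemblyName System.Security    # System.Security.Cryptography.Pkcs

# Test signing certificate with the Secure Email EKU (1.3.6.1.5.5.7.3.4).
# A CAPI provider is chosen so the key works with both the legacy and CNG stacks.
$cert = New-SelfSignedCertificate -Subject 'CN=smime-signature-test' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsage DigitalSignature `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.4')

function New-DetachedSignature {
    # Produces the signature part of a multipart/signed message (detached CMS).
    param(
        [byte[]]$Content,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Signer
    )
    $info   = New-Object System.Security.Cryptography.Pkcs.ContentInfo -ArgumentList (,$Content)
    $signed = New-Object System.Security.Cryptography.Pkcs.SignedCms -ArgumentList $info, $true
    $cmsSigner = New-Object System.Security.Cryptography.Pkcs.CmsSigner -ArgumentList $Signer
    $signed.ComputeSignature($cmsSigner)
    return $signed.Encode()
}

function Test-DetachedSignature {
    # Returns $true only if $Signature was computed over exactly $Content.
    param([byte[]]$Content, [byte[]]$Signature)
    $info   = New-Object System.Security.Cryptography.Pkcs.ContentInfo -ArgumentList (,$Content)
    $signed = New-Object System.Security.Cryptography.Pkcs.SignedCms -ArgumentList $info, $true
    $signed.Decode($Signature)
    try {
        $signed.CheckSignature($true)   # $true: verify the signature only, skip chain building
        return $true
    } catch [System.Security.Cryptography.CryptographicException] {
        return $false
    }
}

# Constructed sample message body.
$body = [Text.Encoding]::ASCII.GetBytes("Quarterly figures are attached.`r`n")
$sig  = New-DetachedSignature -Content $body -Signer $cert

# 1. Message exactly as the sender signed it: signature verifies.
Test-DetachedSignature -Content $body -Signature $sig

# 2. Same message after an event sink appended a disclaimer in transit:
#    the signed hash no longer matches, so verification fails.
$footer  = [Text.Encoding]::ASCII.GetBytes("-- Scanned by the corporate gateway --`r`n")
$altered = [byte[]]($body + $footer)
Test-DetachedSignature -Content $altered -Signature $sig

Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)"   # remove the test certificate
```

The first call returns True and the second returns False. Nothing about the footer is malicious; the signature fails simply because the bytes that were signed are no longer the bytes the recipient received, which is exactly what happens when Exchange-side components modify signed mail.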

How to Configure Exchange Server 2003 to Help Provide E-Mail Confidentiality

When Exchange Server stores S/MIME e-mail messages, the only server-side requirement is that the message store is configured to preserve S/MIME signatures. Selecting Clients support S/MIME signatures causes the store to keep the signed message content as received rather than converting it, so that the server itself does not break the signature in the way an event sink would. Because S/MIME messages can be held in user mailboxes and in public folders, both public folder stores and mailbox stores can be configured in this way, and you should do so for every store that will hold signed messages.

1.       Log on by using an account that is a member of both of the following:

·         The Administrators group on the local computer

·         A group to which at least the Exchange Administrator role has been applied at the Administrative Group level (the Exchange View Only Administrator role is sufficient to read the setting but not to change it)

2.       Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager. The Exchange System Manager (shown in the following screen shot) will display.

3.       Click Servers, click <servername>, click Storage Group, right-click the Mailbox Store, and then click Properties.

4.       On the General tab of the Properties page, select the Clients support S/MIME signatures check box as shown in the following screen shot, and then click OK. Repeat the procedure for the Public Folder Store if public folders will hold signed messages.

How to Deploy Digital Certificates for S/MIME Using Autoenrollment

Autoenrollment allows clients to automatically submit certificate requests to a certification authority (CA) and retrieve and store issued certificates. Microsoft Windows® XP and Windows Server™ 2003 clients can participate in autoenrollment for both user and computer certificates. Autoenrollment reduces the total cost of ownership (TCO) by reducing the costs associated with the certificate enrollment and renewal process.

To enable autoenrollment settings

1.       Log on with an account that has rights to create and edit Group Policy objects in the domain (for example, a member of Domain Admins).

2.       From Administrative Tools, open Active Directory Users and Computers.

3.       In the console tree, right-click the domain where you want to implement the autoenrollment settings, and then click Properties.

For autoenrollment, the Group Policy object (GPO) must be linked to either the domain or the organizational unit where the user or computer accounts exist.

4.       In the DomainName Properties dialog box, on the Group Policy tab, click Open to open the Group Policy Management Console.

5.       Create a GPO linked to the domain, and then open it in the Group Policy Object Editor (right-click the GPO, and then click Edit).

6.       In the Group Policy Object Editor, in the console tree, expand User Configuration.

7.       In the console tree, expand Windows Settings, expand Security Settings, and then click Public Key Policies as shown in the following screen shot.

8.       In the details pane, double-click Autoenrollment Settings. In the Autoenrollment Settings dialog box, ensure that the following settings are selected as shown in the following screen shot:

·         Enroll certificates automatically. This setting enables autoenrollment of certificates for the domain or organizational unit where the GPO is linked.

·         The Renew expired certificates, update pending certificates, and remove revoked certificates check box. This setting enables certificate autoenrollment for certificate renewal, issuance of pending certificates, and removal of revoked certificates from the subject's certificate store.

·         The Update certificates that use certificate templates check box. This setting enables autoenrollment for superseded certificate templates.

9.       Click OK.

Autoenrollment is now enabled for the domain or organizational unit where the GPO is linked.

The autoenrollment settings take effect the next time Group Policy is applied to the user. User autoenrollment is triggered when the user logs on interactively and at each Group Policy refresh interval. The certificate template itself must also grant the user Read, Enroll, and Autoenroll permissions; if it does not, the policy is applied but no certificate is issued.

You can manually refresh the GPO settings on a client running Windows XP or Windows Server 2003 by forcing a Group Policy update: run gpupdate /force at a command prompt on the target workstation.
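The following PowerShell example is added as a check for this procedure; it is not code from the original guide. Run it as the test user on a domain-joined workstation to confirm that the user-scope autoenrollment policy has reached the client, trigger enrollment without waiting for the next logon, and list the certificates in the user's personal store that can be used for S/MIME. The procedure above targets Windows XP, which predates PowerShell, so this assumes a current Windows client (Windows 7 or later, for certutil -pulse). Further assumptions: the registry location is the one Group Policy uses for autoenrollment, the AEPolicy bit meanings given in the comments (0x8000 disabled, 0x1 update templates, 0x2 manage store) follow the Windows autoenrollment registry documentation as the editor understands it, and the Secure Email EKU is 1.3.6.1.5.5.7.3.4.

```powershell
# Added example, not code from the original guide. Checks the client side of
# user certificate autoenrollment. Assumed: registry path and AEPolicy bit
# layout as commented below; Secure Email EKU OID 1.3.6.1.5.5.7.3.4.

function Get-AutoenrollmentPolicy {
    # Reads the user-scope autoenrollment setting written by the GPO.
    $key   = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
    $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value) {
        return [pscustomobject]@{ Configured = $false; Enabled = $false; RawValue = $null }
    }
    [pscustomobject]@{
        Configured      = $true
        Enabled         = -not ($value -band 0x8000)   # 0x8000: policy set to Disabled (assumed bit layout)
        ManageStore     = [bool]($value -band 0x2)     # renew expired / update pending / remove revoked
        UpdateTemplates = [bool]($value -band 0x1)     # update certificates that use templates
        RawValue        = '0x{0:X}' -f $value
    }
}

function Get-SecureEmailCertificate {
    # Certificates in the user's personal store usable for S/MIME: private key
    # present and Enhanced Key Usage includes Secure Email.
    $smimeOid = '1.3.6.1.5.5.7.3.4'
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $_.HasPrivateKey -and $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $smimeOid })
    }
}

$policy = Get-AutoenrollmentPolicy
if (-not $policy.Enabled) {
    Write-Warning "User autoenrollment policy not applied (AEPolicy = $($policy.RawValue)); run 'gpupdate /target:user /force' and check again."
}

# Trigger the autoenrollment task now instead of waiting for logon or policy refresh.
certutil -pulse | Out-Null

$certs = @(Get-SecureEmailCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No S/MIME certificate with a private key in Cert:\CurrentUser\My; Outlook cannot sign or decrypt yet.'
}
$certs | Select-Object Subject, Issuer, NotAfter, Thumbprint
```

If the policy shows as enabled but no certificate appears after certutil -pulse, the usual cause is the certificate template: the user must have Read, Enroll, and Autoenroll permissions on it, and the template must be published on the enterprise CA.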

How to Configure Outlook 2003 to Help Provide E-Mail Confidentiality

To successfully send an encrypted e-mail message, the recipient must already have a digital certificate, and Outlook must be able to find it: Outlook looks in the global address list, where certificates issued through autoenrollment are published from Active Directory, and in your Contacts. If you attempt to send an encrypted e-mail message to a user who does not have a digital certificate, you will receive an error. Make sure that you have followed the instructions in the "How to Deploy Digital Certificates for S/MIME Using Autoenrollment" topic earlier in this paper for all your test users before sending e-mail messages to them.

To configure Outlook for e-mail confidentiality

1.       Log on to your domain as a member of the Domain Users group.

2.       Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Outlook 2003.

3.       Click Tools, and then click Options. The following dialog box will display.

4.       Click the Security tab, and then click Settings.

5.       Outlook populates the Change Security Settings dialog box with the signing and encryption certificates it finds in your personal certificate store. Click OK to accept the default values as shown in the following screen shot. If the certificate fields are empty, autoenrollment has not yet issued you a certificate; log off and log on again (or run gpupdate /force), and then retry.

6.       Click OK to close the Options dialog box.

At this point, you have configured Outlook for e-mail confidentiality.

To send a digitally signed message using Outlook

1.       Log on to your domain as a member of the Domain Users group.

2.       Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Outlook 2003.

3.       To compose a new message, click New.

4.       Add a recipient for the test message and fill out the message fields.

5.       Ensure that the Add digital signature to this message button is selected. Because you want to test only digital signing, ensure that the Encrypt message contents and attachments button is not selected.

6.       Click Send.

At this point, your digitally signed message has been sent to the recipient, who can then verify the digital signature.

To send an encrypted message using Outlook

1.       Log on to your domain as a member of the Domain Users group.

2.       Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Outlook 2003.

3.       To compose a new message, click New.

4.       Add a recipient for the test message and fill out the message fields.

5.       On the toolbar, ensure that the Encrypt message contents and attachments button is selected. Because you want to test only encryption, ensure that the Add digital signature to this message button is not selected.

6.       Click Send.

At this point, your encrypted message has been sent to the recipient, who can open and read it. Note that an encrypted but unsigned message gives the recipient confidentiality only; it carries no cryptographic proof of who sent it. Outside of this test, sign and encrypt production messages.

How to Configure Outlook Express to Help Provide E-Mail Confidentiality

To successfully send an encrypted e-mail message, the recipient must already have a digital certificate. If you attempt to send an encrypted e-mail message to a user who does not have a digital certificate, you will receive an error. Make sure that you have followed the instructions in the "How to Deploy Digital Certificates for S/MIME Using Autoenrollment" topic earlier in this paper for all your test users before sending e-mail messages to them.

To send a digitally signed message using Outlook Express

1.       Log on to your domain as a member of the Domain Users group.

2.       Click Start, point to All Programs, and then click Outlook Express.

3.       If prompted, type the user's password.

4.       To compose a new message, click Create Mail.

5.       To add a recipient from Active Directory, click To.

6.       Under Type name or select from list, click Find. The following dialog box will display.

7.       In the Look in list, click Active Directory, in the Name box, type the name of the recipient, and then click Find Now.

8.       Select the name, and then click To.

9.       Click OK to close the Select Recipients box.

10.   On the toolbar, there are two new icons: one to encrypt messages, and one to sign messages. Ensure that the Sign button is selected as shown in the following screen shot. Because you want to test only digital signing, ensure that the Encrypt button is not selected.

11.   Click Send.

At this point, your digitally signed message has been sent to the recipient, who can verify the digital signature.

To send an encrypted message using Outlook Express

1.       Log on to your domain as a member of the Domain Users group.

2.       Click Start, point to All Programs, and then click Outlook Express.

3.       If prompted, type the user's password.

4.       To compose a new message, click Create Mail.

5.       To add a recipient from Active Directory, click To.

6.       Under Type name or select from list, click Find.

7.       In the Look in list, click Active Directory, type the name of the recipient in Name, and then click Find Now.

8.       Select the name, and then click To.

9.       Click OK to close the Select Recipients box.

10.   On the toolbar, ensure that the Encrypt button is selected as shown in the following screen shot. Because you want to test only encryption, ensure that the Sign button is not selected.

11.   Click Send.

At this point, your encrypted message has been sent to the recipient, who can open it and read it.

How to Verify That a User Has a Digital Certificate for S/MIME in Active Directory

You can use Active Directory Users and Computers to verify that an Active Directory user account has a digital certificate for S/MIME.

To verify that the certificate has been added to a user's Active Directory account

1.       Log on to your domain as a member of the Certification Authority Administrators group.

2.       Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

3.       Click View, and then click Advanced Features as shown in the following screen shot.

4.       In the left pane, click the Users folder.

5.       In the right pane, double-click one of the test users.

6.       Click the Published Certificates tab.

7.       In the List of X509 certificates published for the user account list (shown in the following screen shot), you will see the user's digital certificate from the Windows CA along with any other digital certificates stored for this user in Active Directory.

At this point, you have verified that the certificate has been added to the Active Directory user account.
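The following PowerShell example is added as a scripted form of this check; it is not code from the original guide. It reads the certificates published to a user's Active Directory object (the userCertificate attribute behind the Published Certificates tab), which is what other users' clients find through the global address list, and reports whether the user's own personal store holds the private key for each and whether the certificate chains to a trusted CA. It uses the ADSI searcher built into Windows PowerShell, so no RSAT module is needed, and can be run by the test user on a domain-joined workstation. The account name 'jsmith' is a placeholder.

```powershell
# Added example, not code from the original guide. Lists the certificates
# published to a user's AD object and cross-checks them against the local
# personal store. 'jsmith' is a placeholder account name.

function Get-PublishedUserCertificate {
    # Returns X509Certificate2 objects for every value of userCertificate on the user.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' was not found in Active Directory." }
    # Each attribute value is one DER-encoded certificate.
    foreach ($der in $result.Properties['usercertificate']) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
    }
}

function Test-PublishedCertificate {
    # One row per published certificate: is the private key on this machine,
    # and does the certificate still chain to a trusted CA (including revocation)?
    param([Parameter(Mandatory)][string]$SamAccountName)
    $local = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey)
    $published = @(Get-PublishedUserCertificate -SamAccountName $SamAccountName)
    if ($published.Count -eq 0) {
        Write-Warning "No certificate is published for '$SamAccountName'; other users cannot encrypt to this account yet."
    }
    foreach ($cert in $published) {
        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            Thumbprint     = $cert.Thumbprint
            PrivateKeyHere = ($local.Thumbprint -contains $cert.Thumbprint)
            ChainValid     = $cert.Verify()   # builds the chain to the enterprise CA and checks revocation
        }
    }
}

Test-PublishedCertificate -SamAccountName 'jsmith' | Format-List
```

A certificate that appears here with PrivateKeyHere set to False is one the user cannot decrypt with on this workstation (for example, a stale certificate from an earlier enrollment); a ChainValid of False means senders' clients will refuse to encrypt to it, so it should be removed from the user object or revoked.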

How to Verify That Exchange Server Is Configured to Help Provide E-Mail Confidentiality

You can use Exchange Server System Manager to verify that your Exchange Server has been configured to support clients that use S/MIME.

1.       Log on using an account that is a member of both of the following:

·         The Administrators group on the local computer.

·         A group to which at least the Exchange View Only Administrators role has been applied at the Administrative Group level.

2.       Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.

3.       Click Servers, click <servername>, click Storage Group, right-click either the Mailbox Store or the Public Folder Store, and then click Properties.

4.       On the Properties page, verify that the Clients support S/MIME signatures check box on the General tab is selected as shown in the following screen shot.

At this point, you have verified that Exchange Server is configured to support e-mail confidentiality.

How to Verify That Outlook 2003 Can Receive E-Mail Configured to Help Provide Confidentiality

You can use Outlook 2003 to verify that you can receive e-mail messages configured for digital signatures and encryption.

To view a digitally signed message using Outlook

1.       Log on to your domain as a member of the Domain Users group.

2.       Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Outlook 2003.

3.       In the Inbox, locate the digitally signed test message, and then double-click it.

4.       When the message opens, click the Verify signature button (shown in the following screen shot) to verify the signature.

After you click the Verify signature button, the Digital Signature dialog box displays (shown in the following screen shot), indicating that the digital signature is valid.

At this point, you have verified the digital signature of the message.

To view an encrypted message using Outlook

1.       Log on to your domain as a member of the Domain Users group.

2.       Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Outlook 2003.

3.       In the Inbox, locate the encrypted test message, and double-click it.

4.       When the message opens, click the Verify encryption button (shown in the following screen shot) to verify the encryption.

After you click the Verify encryption button, the Message Security Properties dialog box displays (shown in the following screen shot), indicating that the encrypted message is valid.

At this point, you have verified the encryption of the message.

After you complete these steps, you will have tested all elements of using S/MIME in Outlook 2003. This information lets you see how an S/MIME system that uses Outlook will function for your users.

How to Verify That Outlook Express Can Receive E-Mail Configured to Help Provide Confidentiality

You can use Outlook Express to verify that you can receive e-mail configured for digital signatures and encryption.

To view a digitally signed message using Outlook Express

1.       Log on to your domain as a member of the Domain Users group.

2.       Click Start, point to All Programs, and then click Outlook Express.

3.       If prompted, enter the user's password.

4.       In the Inbox, locate the digitally signed test message and double-click it.

5.       When the message opens, Outlook Express displays the following message explaining digital signatures. Select the Don't show me this Help screen again check box, and then click Continue.

6.       To verify the signature, click the Verify signature button.

After you click the Verify signature button, the following Testing Digital Signature dialog box displays, indicating that the digital signature is valid.

At this point, you have verified the digital signature of the message.

To view an encrypted message using Outlook Express

1.       Log on to your domain as a member of the Domain Users group.

2.       Click Start, point to All Programs, and then click Outlook Express.

3.       When prompted, type the user's password.

4.       In the Inbox, locate the encrypted test message and double-click it.

5.       When the message opens, Outlook Express displays the following message explaining encryption. Select the Don't show me this Help screen again check box, and then click Continue.

6.       To verify the encryption, click Verify encryption.

After you click the Verify encryption button, the following Testing Encryption dialog box displays, indicating that the encrypted message is valid.

At this point, you have verified the encryption of the message.

After you complete these steps, you will have tested all elements of using S/MIME in Outlook Express. This information lets you see how an S/MIME system that uses Outlook Express will function for your users.
