Owner of the content within this article is Written by Marc Grote

Similar documents
Owner of the content within this article is Written by Marc Grote

In this article I will show you how to enable Outlook Web Access with forms based authentication in Exchange Server 2007 Beta 2.

Owner of the content within this article is Written by Marc Grote

Certification Authority

Owner of the content within this article is Written by Marc Grote

Windows Smart Card Logon Use Case

Owner of the content within this article is Written by Marc Grote

Owner of the content within this article is Written by Marc Grote

Owner of the content within this article is Written by Marc Grote

Owner of the content within this article is Written by Marc Grote

Owner of the content within this article is Written by Marc Grote

Designing and Managing a Windows Public Key Infrastructure

SECARDEO. certbox. Help-Manual. Secardeo GmbH Release:

Owner of the content within this article is Written by Marc Grote

CERN Certification Authority

Owner of the content within this article is Written by Marc Grote

You can use ClusDiag to diagnostics clusters on the following platforms:

Implementing and Administering Security in a Microsoft Windows 2000 Network Course 2820 Five days Instructor-led Published: February 17, 2004

Owner of the content within this article is Written by Marc Grote

Owner of the content within this article is Written by Marc Grote

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

How to Configure S/MIME for WorxMail

Install and Issuing your first Full Feature Operator Card

SC-3 USB Token. QUICK Reference. Copyright 2007 CRYPTOCard Corporation All Rights Reserved

Cryptography and Network Security. Sixth Edition by William Stallings

Logon to Windows Vista using smartcard and CertiID in a Windows 2008 environment.

midentity midentity Basic KOBIL midentity Basic Mobile, Secure and Flexible

Owner of the content within this article is Written by Marc Grote

CipherMail encryption. CipherMail white paper

Implementing Security in Windows 2003 Network (70-299)

1. from the Start menu (figure 1.) or 2. from the System tray, by right-clicking on the icon (Golden key) (figure 2)

Owner of the content within this article is Written by Marc Grote

Owner of the content within this article is Written by Marc Grote

Installation Guide for Android Revision v4.02, November 29th 2016

Symantec Managed PKI. Integration Guide for AirWatch MDM Solution

SSH Communications Tectia SSH

KNOWLEDGE SOLUTIONS. MIC2823 Implementing and Administering Security in a Microsoft Windows Server 2003 Network 5 Day Course

Owner of the content within this article is Written by Marc Grote

Overview! Automated Certificate Management (ACME) Protocol! IP-NNI Task Force! Mary Barnes - iconectiv!

ROYAL INSTITUTE OF INFORMATION & MANAGEMENT

Forensics Challenges. Windows Encrypted Content John Howie CISA CISM CISSP Director, Security Community, Microsoft Corporation


The Device Has Left the Building

PGP Desktop Version 10.2 for Windows Maintenance Pack Release Notes

SC-1 Smart Card Token. QUICK Reference. Copyright 2007 CRYPTOCard Corporation All Rights Reserved

IRP - the Identity Registration Protocol L AW R E N C E E. HUGHES CO- F O U N D E R AND C TO S I X S CAPE C O M M U N I C ATIONS, P TE. LTD.

Certificate Enrollment for the Atlas Platform

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: November 10, 2011

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

KeyA3 Certificate Manager

Integration Guide. SafeNet Authentication Client. Using SAC CBA with BitLocker

NoSpamProxy 12.2 Outlook Add-In User Manual. Protection Encryption Large Files

Endpoint Protection with DigitalPersona Pro

CSCE 813 Internet Security Secure Services I

Indeed Card Management Smart card lifecycle management system

Microsoft PRO- Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010

CSE 565 Computer Security Fall 2018

Step-by-step installation guide for monitoring untrusted servers using Operations Manager

Security. White Paper. Version: 1.2 Date: Classification: öffentlich/public

Configuring Funk Odyssey Software, Avaya AP-3 Access Point, and Avaya

PKCS #15: Conformance Profile Specification

BEST PRACTICES FOR PERSONAL Security

Pulseway Security White Paper

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

CoSign Hardware version 7.0 Firmware version 5.2

USING PRODUCT PROVISIONING TO DELIVER FILES TO WINDOWS 10: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Using digital certificates in Microsoft Outlook

Workshop on Windows Server 2012

Certificate Enrollment- and Signing Services for the Cloud. A behind-the-scenes presentation of a successful cooperation between

Mobile: Purely a Powerful Platform; Or Panacea?

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

Contents KAS-WEB: MANUAL IDG OPERATOR

Workspace ONE UEM Integration with OpenTrust CMS Mobile 2. VMware Workspace ONE UEM 1811

Set Up with Microsoft Outlook 2013 using POP3

Course Outline 20742B

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Entrust Technical Integration Guide for Entrust Security Manager 7.1 SP3 and SafeNet Luna CA4

Configuring EAP for Wireless Network Connectivity By Victor Zapata

SafeNet Authentication Client

Microsoft Exam

PKI Contacts PKI for Fraunhofer Contacts

Java Card Technology-based Corporate Card Solutions

XenApp 5 Security Standards and Deployment Scenarios

EXAM - MB Microsoft Dynamics CRM Installation. Buy Full Product.

VMware AirWatch Integration with OpenTrust CMS Mobile 2.0

CCH Marketing. Version Release Notes

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

PGP Viewer for ios. Administrator s Guide 1.0

PKI is Alive and Well: The Symantec Managed PKI Service

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

<Partner Name> <Partner Product> RSA SECURID ACCESS Authenticator Implementation Guide. Check Point SmartEndpoint Security

راهنماي استفاده از توکن امنيتي کيا 3 در نرمافزارهاي مبتني بر PKI توکن امنيتي سخت افزاري

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

VMware Boxer Comparison Matrix for IBM Notes Traveler Compare the features supported by VMware Boxer and AirWatch Inbox

QUICK SET-UP VERIFICATION...3

IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT

Introduction to the DANE Protocol

Module 9. Configuring IPsec. Contents:

Using Windows Server 2003 in a Managed Environment: Controlling Communication with the Internet

Key Management and Distribution

Transcription:

Owner of the content within this article is www.msexchange.org Written by Marc Grote www.it-training-grote.de Securing E-Mails with S/MIME and Smartcards in Exchange 2003 Written by Marc Grote - mailto:grotem@it-training-grote.de Abstract In this article I will give you a high level overview about the necessary steps how to secure E-Mails with Outlook 2003 and Smartcards. Let s begin I think we should start with some basic information about S/MIME and why to use Smartcards with S/MIME. What is S/MIME? S/MIME is short for Secure / Multipurpose Internet Mail Extension and provides two security services: Message encryption Digital signatures S/MIME is one of two industry wide accepted standards for encrypting and signing e- mails. The other Standard is PGP (Pretty Good Privacy) but of the scope in this article. The first version of S/MIME (S/MIME 1) was developed in 1995 and was not widely accepted. S/MIME 2 was introduced in 1998. S/MIME 2 was submitted to the IETF (Internet Engineering Task Force). The IETF created RFC2311 and RFC2312. Since S/MIME was an IETF standard it establishes as a standard for message security. The actual Standard is S/MIME 3 which was proposed by the IETF to enhance the S/MIME capabilities (RFC2632, RFC2633 and RFC2634). S/MIME version 3 is beside PGP the most used Standard. S/MIME version 3 is supported by the following Microsoft products: Microsoft Outlook Express 5.01 and later Microsoft Outlook 2000 SR1 and later Microsoft Exchange 5.5 and later Why S/MIME? Before S/MIME, administrators used unencrypted E-Mails which were transmitted via SMTP in clear text. As you know, the Single Mail Transfer Protocol (SMTP), transports data unencrypted over the wire. As a solution for this problem, you can use S/MIME which encrypts and/or signs e-mails carried over SMTP.

Why use S/MIME with Smartcards S/MIME deployment with Smartcards and S/MIME Deployment via Soft Token (Key and certificate stored on hard disk) are very similar. For both deployments certificates and Keys will be used for e-mail encryption and e-mail signing. The main difference is where private keys are stored. If you are using Smartcards the Private Key is stored on the Smartcard and can only be accessed through the Smartcard PIN. The Two Factor Authentication is more secure than the stored Private Key on the hard disk (which can be protected by a password and saved in the Protected Storage). Let's start with the demo For this demonstration you will need a Windows Server 2004 machine with installed IIS 6 and certificate services and at a minimum a Windows XP Client with Outlook 2003. First of all we will need a Certificate Authority which will issue the required certificates. Installing and maintaining a CA is out of the scope of this article. For this article we need a smartcard enrollment agent. The Smartcard enrollment Agent can issue Smartcard certificates to users which uses these Smartcards. The following picture shows the Certificate templates of a Windows Server 2004 Enterprise CA. Figure 1: Certificate Template of a Windows 2003 Enterprise CA If you issue a Smartcard User certificate you will automatically issue an S/MIME certificate for the user. To issue certificates you must give one or more users in your Enterprise the right to deploy certificates on Smartcards for ordinary users. This is accomplished by the Enrollment Agent certificate shown in the following picture. After the certificate is issued to the user, you can start requesting certificates for your users.

Figure 2: Enrollment Agent certificate To issue certificates for users start the Microsoft Certificate Services website (http://caservername/certsrv) and click the link Request a certificate for a smart card... Figure 3: using the Webinterface to issue certificates In our scenario we are issuing a Smartcard certificate for the users SMIME1 and SMIME2. The Cryptographic Service Provider is Kobil Smart CSP v1.0. Smartcard Service Providers depends on the CSP provided by the Smartcard manufacture. In this example we are using a Kobil Smartcard solution. Before you can use the Cryptographic Service Provider you must install the CSP into Windows because Windows comes with few Cryptographic Service Provider. Most Smartcard manufactures will install the required CSP by installing the software package from the Smartcard Provider.

Figure 4: Issuing a Smartcard Certificate for the user SMIME1 You must enter your PIN to write the Certificate to the Smartcard. Figure 5 Enter the PIN for Smartcard access After issuing the Smartcard User certificate have a look into the issued certificate and you can see the purposes of this certificate.

Figure 6: Certificate purposes Now it is time to give the smartcard to the user and to automatically configure Outlook 2003. One requirement for using S/MIME with Smartcards is that the user issuing the Smartcard must have an Exchange mailbox before issuing an S/MIME certificate so the certificate will be stored in the certificate store of the user. The Private Key is stored on the smartcard. Outlook will automatically take ower the settings from the S/MIME certificate. Start Outlook and navigate to the Security Options and you will see the correct Security settings for S/MIME. Figure 7: Certificate purposes

Try to send an encrypted E-Mail from SMIME1 to SMIME2 by activating the encryption setting in the mail that you would like to send or in the general settings in Outlook if you want to encrypt every E-Mail send by this user. If you click Send in Outlook you will be notified to enter the PIN to access the Smartcard certificate. Figure 8: Sending an encrypted E-Mail The message is now encrypted and can start its travel through the insecure Internet. Conclusion In this article I have shown you how to implement secure E-Mail Messaging with Outlook 2003 and Smartcards for your Exchange 2003 users. Related Links Public Key Infrastructure for Windows Server 2003 http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx Configuring S/MIME Security with Outlook Web Access 2003 http://www.msexchange.org/tutorials/configuring-smime-security-outlook-web- Access-2003.html Implementing Email Security with Exchange Server 2003 http://www.msexchange.org/tutorials/email_security_with_exchange_2003.html

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback