Microsoft Exchange Server 2007: A Beginner s Guide in Visual Studio .NET

Drawer UPC-A Supplement 2 in Visual Studio .NET Microsoft Exchange Server 2007: A Beginner s Guide

Because it is possible for someone to send data claiming to be someone else, a digital signature is used to allow the recipient to verify that the data actually came from the sender The signature is only considered valid because it is validated by a trusted source: a certificate authority (CA) You can t just create your own digital signatures; they have to be created by a certificate authority and then assigned to the service requiring encryption It is this third party, trusted by both parties, which ensures you that senders are really who they say they are For instance, if a close friend introduced you to someone you had never met before and said the stranger s name was Bob Johnson, would you believe your friend Of course you would, because the source of that information is trusted In a similar way, a digital signature is valid because the recipient trusts its source Within an organization, the authority can be a Windows 2003 server running certificate services, but communications between two separate organizations will require either a trusted third party or the importing of each other s certificates to establish that each party trusts the other as an authority

Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) encrypt communications to prevent the reading, tampering, or forgery of the secured data The encryption (and decryption) is usually accomplished at the endpoints of the communication, but can sometimes be handled by a proxy server, such as ISA Server SSL is commonly used to provide secure Web browsing (as in the case of Outlook Web Access, Outlook Anywhere, and Exchange ActiveSync and its related functionalities), Post Office Protocol version 3 (POP3), and Internet Message Access Protocol version 4 (IMAP4) sessions Exchange auto-generates an SSL certificate for all Web-based traffic, so out of the box, you have SSL capabilities But it is recommended that you utilize a certificate from a trusted authority for permanent security

While Transport Layer Security (TLS) is a newer implementation of SSL, the terms are not necessarily interchangeable; there are many protocols, such as Simple Mail Transfer Protocol (SMTP), that do not support SSL but do support TLS Some of the differences between TLS and SSL are: TLS has more secure encryption using a more up-to-date hashing method TLS does not require certificates to trace back to the root CA (which is the actual trusted party); TLS can use intermediary certificates

Windows uses authentication as a simple means of identifying each party as part of the communication process Authentication is used in addition to securing a channel;

12:

even though a certificate used to help secure communications has a digital signature, that signature usually does not identify the specific user initiating the communications Four methods of authentication can be used with Exchange: plain-text, NT LAN Manager (NTLM), Kerberos, and forms-based authentication

This is the least secure (well, actually, completely insecure) method of authentication Using plain-text means that you are literally sending the user name and password across the communications channel in plain text For example, anyone with a packet sniffer watching a POP3 client not using security can see the user name and password in the traffic (I ve done it myself for clients) And in the case of a POP3 client connecting to Exchange, that means you d be using the same user name and password as you would to log on to Windows VERY scary TIP Anytime you must use plain-text authentication, ensure that you have a secure channel, such as SSL, implemented to secure the user name and password, as well as the data that follows