Transcript Document

Microsoft
Exchange Server 2013
Security
Mick Tomlinson - Technical Instructor, New Horizons
• Introducing Exchange 2013 New features
• Exchange 2013 Role Based Access Control
Security
Introducing Exchange 2013
• Exchange 2013 Top Features
• Exchange Admin Center
• Architecture Changes
• Policy and Compliance
• New Recipient Types
• Some Other Stuff
Exchange Top Features
• Remain in Control
• Move to the Cloud on your terms
• Decrease the amount of time spent on management
• Keep important data in one place
• Do More, On Any Device
• A clean, intuitive inbox experience
• Working better together
• Customize using OWA Apps
Exchange Top Features
• Keep Your Organization Safe
• Protect sensitive data and enforce compliance policies
• In-Place Discovery across Exchange, SharePoint and Lync from a single interface
Exchange Admin Center
• A single unified management console that allows for ease of use and is optimized for management of on-premises, online, or hybrid deployments
• Replaces the Exchange 2010 Exchange Management Console and the Exchange Control Panel
Exchange Admin Center
• List View
• Secure the Virtual Directory
• Public Folder Management
• Notifications
• Role Based Access Control User Editor
• Unified Messaging Tools
Exchange Admin Center
Architecture Changes
• Exchange 2007 and 2010
• Five server roles, primarily due to CPU limitations
• Mailbox Server, Client Access Server
• Hub Transport Server, Edge Transport Server
• Unified Communications Server
• Had several restrictions
• Version Dependency
• Geo Affinity
• Session Affinity
Architecture Changes
• New Architecture in Exchange 2013
• Only Two Server Roles
• Mailbox Server Role
• Includes all the traditional server components: the Client Access protocols, Transport service, Mailbox databases, and Unified Messaging
• Handles all activity for the active mailboxes on that server
• Client Access Server Role
• Provides authentication, limited redirection, and proxy services
• Doesn't perform any data rendering
• No data is cached or stored on the CAS
Architecture Changes
• Some Benefits of the New Design
• Version upgrade flexibility
• Session indifference
• Deployment simplicity
• CAS is no longer limited to same site access
• Three More Things
• RPC is no longer a supported direct access protocol
• Outlook clients no longer connect to an FQDN but to a new GUID-based address learned from Autodiscover
• Exchange 2013 only supports Outlook 2007 and later
Policy and Compliance
• Data loss prevention (DLP) is a new feature in Exchange 2013
• Helps protect your sensitive data by using either built-in or custom policies
• Helps to keep your organization safe from users mistakenly sending sensitive information to unauthorized people
Policy and Compliance
• In-Place Hold
• In-Place eDiscovery
• Simultaneous searches across primary and archive mailboxes
• Archive Lync content
• Retention Policy Improvements
• Calendar and Task Retention Tags
New Recipient Types
• In addition to the recipient types Exchange 2013 carries over from previous versions, a few new ones have either been added or modified:
• New Public Folders
• Site Mailboxes
• Shared Mailboxes
New Recipient Types
• New Public Folders
• No more public folder databases
• Public Folder hierarchy and content is now stored in special mailboxes
• Public Folder replication is now handled by the continuous replication model used by the mailbox databases
• This also means Exchange is moving away from a multi-master replication model towards a single-master replication model
New Recipient Types
• Site Mailboxes
• Email and documents are traditionally kept in two unique and separate data repositories. This usually results in a reduction in user productivity and a degraded user experience
• Site Mailboxes try to rectify this problem by providing a single interface to access mail stored in Exchange and documents stored in SharePoint
New Recipient Types
• Shared Mailboxes
• Shared Mailboxes are mailboxes that are accessed by multiple users
• Did exist in Exchange 2010, but had to be created in a separate multi-step process
• In Exchange 2013, Shared Mailbox is a type of recipient that can be created in a single step from the EAC
Some Other Stuff
• New OWA interface designed for smartphones and tablets
• Batch mailbox moves
• Improved and simplified setup process
• Built-in Anti-Malware Protection
• Includes Anti-Spam, Anti-Virus and Anti-Spyware
• High Availability Enhancements
• Automatic reseed
• Automatic recovery
Exchange 2013 RBAC Security
• What is RBAC
• What are the components of RBAC
• What are Scopes?
RBAC
Role Based Access Control
• The permissions to perform certain tasks are granted to roles
• Users are assigned roles based on their job functions
• Permissions are based on the task, rather than the resource
RBAC is the permissions model used by Exchange 2013
Three ways to assign permissions
• Direct user role assignment
• Management Role Assignment Policies
• Management Role Groups
Direct User Role Assignment
• Assigning management roles directly to users or groups without using a role group or a role assignment policy
• NOT RECOMMENDED!
Management Role Assignment Policies
• Collections of one or more end-user management roles
• Enable admins to specify how end-users can manage their own mailboxes and associated settings
• All users are assigned a Default Role Assignment Policy
• Most organizations will choose to use the built-in Default Role Assignment Policy
Management Role Groups
• Universal security groups used in the RBAC permissions model introduced in Exchange 2010
• Simplifies the assignment of management roles to users
• Assigned administrator and specialist user roles
• Includes several built-in Role Groups, or uses custom Role Groups created by Exchange Admins
Adding or removing users and groups in Management Role Groups is how you most often assign permissions to administrators or specialist users
Role Holders
• Mailboxes that have been added as members of a Role Group
Management Role Group
• Universal Security Group that contains Role Holders
• Is assigned one or more Management Roles
• Is located in the "Microsoft Exchange Security Groups" OU in the forest root domain
Management Role
• Container for one or more Management Role Entries
• Logical grouping of cmdlets
• Used to define specific tasks associated with a job duty
Management Role Entries
• One or more cmdlets the role holder will be allowed to run
• Role Entries can limit the parameters a cmdlet is allowed to touch
• Role Entries can also reference scripts the role holder is allowed to execute
RBAC Scopes
• Scopes are used to control WHERE a role can be exercised
• Scopes are part of the Management Role Assignment that binds a Role to a Role Group
Types of Scopes
• Scopes can be Implicit or Explicit
• Scopes can be Regular or Exclusive
• Custom scope types:
• OU Scope
• Recipient Filter Scope
• Configuration Scope
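The slides above describe the RBAC building blocks (Management Role, Role Entries, Scope, Role Group) one at a time; the Exchange Management Shell session below ties them together into one least-privilege assignment. It is an added example, not part of the presentation, and it uses standard Exchange cmdlets (New-ManagementRole, Remove-ManagementRoleEntry, Set-ManagementRoleEntry, New-ManagementScope, New-RoleGroup, Get-ManagementRoleAssignment). The role, scope and group names, the "Sales" department and the member address are constructed for illustration.

```powershell
# Added example, not from the presentation. Names below are hypothetical.
# Goal: a helpdesk group that can only view and lightly edit mailboxes in the
# Sales department, with no create/remove/enable rights anywhere.

# 1. Management Role: derive a custom role from a built-in parent. The child
#    starts with all of the parent's Role Entries (cmdlets); we only remove.
New-ManagementRole -Name "Helpdesk-Sales-MailRecipients" -Parent "Mail Recipients"

# 2. Management Role Entries: strip every cmdlet that is not Get-* or Set-*,
#    so the role holder cannot create, remove, enable or disable objects.
Get-ManagementRoleEntry "Helpdesk-Sales-MailRecipients\*" |
    Where-Object { $_.Name -notlike "Get-*" -and $_.Name -notlike "Set-*" } |
    ForEach-Object {
        Remove-ManagementRoleEntry "Helpdesk-Sales-MailRecipients\$($_.Name)" -Confirm:$false
    }

#    Role Entries can also limit the parameters a cmdlet may touch. Here
#    Set-Mailbox is restricted to contact details only; forwarding, send-on-behalf
#    and similar parameters are no longer available to this role.
Set-ManagementRoleEntry "Helpdesk-Sales-MailRecipients\Set-Mailbox" `
    -Parameters Identity, DisplayName, Office, Phone

# 3. Scope: a custom Recipient Filter Scope that decides WHERE the role applies.
#    The filter is an OPATH string evaluated against recipient attributes.
New-ManagementScope -Name "Sales-Recipients" `
    -RecipientRestrictionFilter "Department -eq 'Sales'"

# 4. Role Group: the universal security group that holds the Role Holders.
#    Creating it with -Roles and -CustomRecipientWriteScope also creates the
#    Management Role Assignment that binds Role -> Role Group under the Scope.
#    (Assigning the role straight to a user with New-ManagementRoleAssignment -User
#    would be the direct user role assignment the slides advise against.)
New-RoleGroup -Name "Helpdesk-Sales" `
    -Roles "Helpdesk-Sales-MailRecipients" `
    -CustomRecipientWriteScope "Sales-Recipients" `
    -Members "helpdesk.user@contoso.example"

# 5. Verify the effective assignment: the role, who holds it, and which scope
#    limits its writes. An assignment without the custom scope would let the
#    helpdesk edit every mailbox in the organization.
Get-ManagementRoleAssignment -RoleAssignee "Helpdesk-Sales" |
    Format-List Role, RoleAssigneeType, RecipientWriteScope, CustomRecipientWriteScope

# 6. Confirm what the role can actually run after pruning.
Get-ManagementRoleEntry "Helpdesk-Sales-MailRecipients\*" |
    Format-Table Name, Parameters -AutoSize
```

The order matters: the Role Entries are pruned before the Role Group is created, so there is never a window in which the group holds the full parent role. Reviewing the output of step 5 is the quickest way to catch an assignment that was created without its custom scope.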
Thanks for Coming
Mick Tomlinson
[email protected]