W H I T E P A P E R : T E C H N I C A L Enterprise Vault 8.0 Security Model for Microsoft Exchange Archiving Rob Forgione Technical Field Enablement March 2009
White Paper: Symantec Technical Contents Purpose... 3 Enterprise Vault Services and Tasks... 4 Exchange Server Security... 5 Enterprise Vault System Mailboxes... 5 Journal Mailboxes... 5 Client Access... 6 Access to items via Outlook... 6 Outlook on Terminal Services and Citrix... 7 Outlook 2003 Script Permissions... 7 Vault Cache security... 8 Accessing items via Enterprise Vault Outlook Web Access (OWA)... 8 Forms based Authentication... 11 Enterprise Vault Anonymous Account for OWA... 11 Configuring the Enterprise Vault Anonymous user on the Enterprise Vault server... 11 OWA 2007 and ISA 2006... 13 OWA 2000/2003 and ISA 2004... 14 Accessing items via RPC over HTTP... 15 Exchange 2007 RPC over HTTP and ISA 2006... 15 Exchange 2003 RPC over HTTP and ISA 2004... 15 Conclusion... 16 If you have any comments on this Whitepaper please email EV-TFE-Feedback@Symantec.com
Purpose The purpose of this document is to detail how Enterprise Vault: Can securely access data to be archived Provides security surrounding end-user access Provides a means for administrators to securely manage Exchange data This document will give readers a better understanding of how the Enterprise Vault (EV) solution integrates with security features already built into Exchange and Active Directory and provide insight as to how to change some of the settings to be configured in line with organizational preferences. This whitepaper assumes the reader has already read the Security Model for Enterprise Vault 8.0 and SQL server whitepaper and is familiar with the security concepts of Enterprise Vault. The Security Model series consists of: Security Model Enterprise Vault 8.0 and SQL server Enterprise Vault 8.0 Security Model for Microsoft Exchange Archiving Enterprise Vault 8.0 Security Model for Lotus Domino Archiving Enterprise Vault 8.0 Security Model for File System Archiving Enterprise Vault 8.0 Security Model for Microsoft SharePoint Archiving Enterprise Vault 8.0 Security Model for SMTP Archiving Enterprise Vault 8.0 Security Model for Discovery Accelerator 8.0 Enterprise Vault 8.0 Security Model for Compliance Accelerator 8.0 Enterprise Vault 8.0 Security Model for Automatic Classification Engine 8.0 Enterprise Vault 8.0 Security Model for Secure Messaging 8.0 This whitepaper is intended to train the reader the concepts behind Enterprise Vault 8.0 security for Microsoft Exchange servers and users of Microsoft Outlook, Outlook Web Access, and RPC over HTTP. 3
Enterprise Vault Services and Tasks Enterprise Vault s Exchange archiving solution uses the following Enterprise Vault Tasks: Exchange Provisioning Task Exchange Mailbox Archiving Task Exchange Journaling Task Exchange Public Folder Task PST Locator Task PST Collector Task PST Migrator Task Exchange archiving tasks are run within the context of the VSA by default. If required, administrators can change the tasks to run under different accounts. This may be useful if they have different Exchange Server environments. However, the chosen account must have the following permissions: Act as part of the operating system Log on locally Log on as a service Replace a process level token 4
Exchange Server Security The Vault Service Account (VSA) needs to be able to access mailboxes on the Exchange Servers that Enterprise Vault is to archive. For the optimal security, Full Control permissions should be set explicitly on each Exchange Server that will be archived. If an additional Exchange Server is added to the environment at a later time, this procedure needs to be performed again on the new server to enable access to its mailboxes for the VSA. If desired, to save configuration time, permissions at the Organization or Administrative Group level can be added in the Exchange hierarchy, provided these permissions flow down to the individual Exchange servers. Microsoft Knowledge Base Article 883381 describes in more detail how to achieve this. This will enable the permissions to be propagated automatically to any new Exchange Servers added below the level at which the permissions are assigned. The VSA should not be a member of the Domain Administrators group, as Domain Admin accounts, by default, inherit specific Deny permissions which prevent the ability to archive from mailboxes. It is therefore better to assign Exchange Server permissions explicitly. Enterprise Vault System Mailboxes Enterprise Vault System Mailboxes (sometimes referred to as Service Mailboxes) are the primary mailboxes that Enterprise Vault archiving tasks use to establish MAPI connections to the target Exchange servers with. Every Exchange server that hosts mailboxes to be archived requires an EV system mailbox hosted locally on the Exchange server. If an environment has 14 Exchange server targets, the solution will require 14 EV system mailboxes. Each EV system mailbox requires an associated account in AD. This account only requires a mailbox. There are no additional AD or EV permissions needed for this account. Once the EV system mailbox has been created, it is a good idea to either log into windows using the EV system mailbox account or to send a message to the account s mailbox to activate it. This is because Enterprise Vault cannot log into the EV system mailbox until a prior MAPI connection has been established. The EV system mailbox is a dedicated mailbox for MAPI based archiving operations and cannot be enabled for archiving or journaling. It is recommended to keep these mailboxes empty and dedicated for use by Enterprise Vault and no other applications. Exchange Administrators may be tempted to hide the System mailbox from the GAL, however, this will cause EV login to fail thus breaking the archiving mechanism. Journal Mailboxes Journal Mailboxes are used specifically for Exchange to funnel copies of all of the message traffic to and from all journal enabled recipients to a specific mailbox. Enterprise Vault then archives all of these messages into a Journal archive. Organizations should feel free to grant Read permissions to the Journal archive for any accounts they feel should have access to search through all corporate e-mail. However, for organizations that take a more strict approach to access, only the Vault Service account (VSA) would require access for Enterprise Vault applications that require it, such as Compliance Accelerator or Discovery Accelerator. The Journal Mailbox should not be used as the EV system mailbox, and vice versa. As discussed previously, EV system mailboxes are used for MAPI based archiving operations and cannot be enabled for archiving. Sending all journaled emails to an EV system mailbox will result in MAPI errors and degradation of the system. 5
Client Access Access to items via Outlook Enterprise Vault uses Microsoft Internet Information Services (IIS) and web-based security when any access to archived items is requested. The EV server verifies the requesting user by either Integrated Windows Authentication (IWA), that is, their logged on user credentials, or through a Basic authentication prompt. Upon installation of the EV server, the Enterprisevault virtual directory is configured to accept both Basic and Integrated Windows authentication. The concept of user access to archived items in Exchange mailboxes is simple. The original items have been removed and most often have (optionally) been replaced by a shortcut. This shortcut is nothing more than a custom message that contains information such as the original item s metadata and (optionally) the body and/or links to the attachment. Double clicking the shortcut runs a VB Script in the background that calls the Enterprise Vault server and requests that a copy of the original item be temporarily delivered to the requestor. The Enterprise Vault server looks at the requesting user ID variables being sent and compares them to the Vault ID security ACL. If the requesting user does not have permissions to view the item, access will be denied. For SSL communications between Client workstations and Enterprise Vault, see the section titled Client Access Security in the prerequisite Security Model for Enterprise Vault 8.0 and SQL Database Server whitepaper. 6
Outlook on Terminal Services and Citrix The default installation of Outlook on Terminal Services or Citrix can cause difficulty for users accessing archived items. This is due to a security feature on Terminal Server and Citrix that blocks Visual Basic Scripting Support. As stated previously, the retrieval of archived items for viewing is done with VB Scripting. Without this, the call fails and the user is presented with the contents of the shortcut in Exchange, rather than the retrieved item. Refer to this Microsoft technical article to addresses this issue: http://support.microsoft.com/default.aspx?scid=kb;en-us;302003 Outlook 2003 Script Permissions Similar to the Terminal Server and Citrix issue, Outlook 2003 users that have been given delegate rights or otherwise granted access to another user s mailbox or Outlook folder will not be able to access archived items if mailbox owners do not override the Outlook security setting of restricting VB Script in shared folders. The same also holds true for shortcuts in Public Folders. Figure 1 shows the necessary settings in Outlook 2003 to address this. Figure 1 Outlook 2003: Advanced Options These options can also be forcibly enabled via an Outlook setting set in the Advanced properties of the Enterprise Vault Exchange Mailbox Policy. Reference Figure 2. Figure 2 - Exchange Mailbox Policy Advanced settings for Outlook 7
Vault Cache security One of the benefits of the Enterprise Vault client add-in is the use of Vault Cache. Vault Cache files reside on the local user s PC or laptop which allows for access to archived items when not connected to the network, as well as a network bandwidth optimization benefit. Vault Cache security is typically left to the devices of the host operating system such as encryption methods and NTFS security on the folder (typically C:\Documents and Settings\<USER>\Local Settings). Accessing items via Enterprise Vault Outlook Web Access (OWA) The following figures will show how the Enterprise Vault works with different types of OWA deployments. Figure 3 - Enterprise Vault and OWA 2007 In Figure 3 above, the Exchange 2007 CAS server connects to the Enterprise Vault server using anonymous authentication. On the Enterprise Vault server, the Enterprise Vault Anonymous account manages the anonymous connections. When a user starts Archive Explorer or an archive search from the OWA client, the client will always try to connect directly to the Enterprise Vault Web Application on the Enterprise Vault server. If clients connect to the Exchange 2007 CAS server using Microsoft ISA Server, then the Enterprise Vault Web Access application must be published by the ISA Server in addition to the Exchange 2007 CAS server. 8
Figure 4 - EV and OWA 2000/2003 with a Front End Exchange server Figure 4 shows OWA 2000 and 2003 users connecting to the front-end server using basic authentication. Integrated Windows Authentication (IWA) is used for the connection between Exchange Servers. Anonymous authentication is used for the connection between the back-end Exchange Server and the Enterprise Vault server. On the Enterprise Vault server, the Enterprise Vault Anonymous account manages the anonymous connections. An Enterprise Vault Exchange Mailbox Policy setting can be used to enable OWA 2003 clients to connect directly to the Enterprise Vault server when users start Archive Explorer or an archive search from their OWA client. If clients connect to the OWA 2003 front-end server through an ISA Server, and direct connections are configured for Archive Explorer and archive search, then the OWA 2003 front-end server and the Enterprise Vault Web Access application must be published to clients. If direct connections are not configured (default for OWA 2003) then only the OWA 2003 front-end server needs to be published. 9
Figure 5 - EV and OWA 2000/2003 Back End only Figure 5 illustrates how users connect to one of two Back-end Exchange Servers directly. This configuration can provide more security, as it could force users to use IWA authentication instead of basic authentication when connecting to the OWA servers. Anonymous authentication is used for the connection between the Exchange Server and the Enterprise Vault server and the Enterprise Vault Anonymous account manages the anonymous connections. As in previous configurations, an Enterprise Vault Exchange Mailbox Policy setting can be used to enable OWA 2003 clients to connect directly to the Enterprise Vault server when users start Archive Explorer or an archive search from their OWA client. If clients connect to the OWA 2003 back-end server through an ISA Server, and direct connections are configured for Archive Explorer and archive search, then the OWA 2003 back-end server and the Enterprise Vault Web Access application must be published to clients. If direct connections are not configured (default for OWA 2003) then only the OWA 2003 back-end server needs to be published. 10
Forms based Authentication When using forms-based authentication, OWA 2003 and OWA 2007 client users are prompted to re-enter login credentials when starting the Enterprise Vault Search or Archive Explorer features in the OWA client. This is because the request accesses a different IIS virtual directory which requires different authentication. The authentication is valid for the session. The View mode setting, which can be controlled in the Advanced Exchange Mailbox Policy settings, controls what happens when a user clicks the Open the original item banner in the shortcut. If OWA is set, then the original item is rendered by OWA (and looks like an OWA message). If Enterprise Vault is set, then the item is rendered by Enterprise Vault (and looks like a Web browser page). When View mode is set to Enterprise Vault, users are prompted to re-authenticate when they first open an archived item. Enterprise Vault Anonymous Account for OWA The EV OWA Anonymous Account was created to allow OWA users the ability to access archived items without having to use clear text Basic Authentication to verify the requesting user s identity to Enterprise Vault. The EV OWA Anonymous Account in its simplest definition is an account that is leveraged by Enterprise Vault behind the scenes to request items on behalf of the user. Because the Anonymous account is only used with specific commands and tasks, and the fact that it is not able to access any network resources except the designated EV virtual directories and files, makes it technically impossible for any data to be compromised through any possible misuse of the account. Configuring the Enterprise Vault Anonymous user on the Enterprise Vault server The Anonymous user account must be created with the intention that it is only used for EV OWA access. The account must be a domain user account (a local machine account cannot be used). When the owauser.wsf script runs to configure the EV OWA Extensions, it assigns the following user rights to the Anonymous user: Access this computer from the network (SeNetworkLogonRight) Log on as a service (SeInteractiveLogonRight) Log on as a batch job (SeBatchLogonRight) Bypass traverse checking (SeChangeNotifyPrivilege) For OWA 2003/2007, owauser.wsf creates (or updates) the EVAnon virtual directory on the Enterprise Vault server. EVAnon points to the Enterprise Vault\WebApp folder and assigns anonymous access permissions to the Enterprise Vault Anonymous user. It also grants any customer specified back-end OWA servers access to EVAnon. Figure 6 shows how the script protects the EVAnon virtual directory. 11
Figure 6 - EVAnon virtual directory properties In Figure 6 above, the EVAnon virtual directory will only accept calls from Exchange server 192.168.128.47. The EVAnon virtual directory will not accept calls from any other servers. For OWA 2000, owauser.wsf updates the IIS settings for the OWARDR.asp file in the EnterpriseVault virtual directory, so that requests for OWARDR.asp are run under the context of the EV OWA Anonymous user. Access to OWARDR.asp is only granted to specified back-end OWA servers in a fashion similar to Figure 6 above. The owauser.wsf script also creates (or updates) the following two Registry values: 12
AnonymousUser o Located under HKEY_CURRENT_USER\Software\KVS\Enterprise Vault o The value of this setting is the full name, including the domain, of the Anonymous user. For example, mydomain\ev_owa OwaWebAppAlias (OWA 2003 only) o Under HKEY_LOCAL_MACHINE\SOFTWARE\KVS\Enterprise Vault\Install o The value of this setting is EVAnon To complete the configuration, a restart of the Enterprise Vault Admin service and synchronization of the mailboxes is required. Restarting the Enterprise Vault Admin service loads the Enterprise Vault Anonymous User account into the EV server so EV will recognize it. Synchronizing the mailboxes reads the value of the OWAWebAppAlias registry key and loads it into the hidden settings of the mailbox so the mailbox knows how to contact the EV server when a user requests to view an item. OWA 2007 and ISA 2006 Microsoft ISA Server 2006 can be used to secure access to OWA 2007 servers by using Web publishing rules to make Exchange 2007 OWA Web site available on the Internet. Figure 7 shows how ISA Server 2006 can provide access to Enterprise Vault. Figure 7 - ISA 2006, Exchange 2007, EV 2007 In addition to publishing the OWA 2007 Web site, organizations also need to publish the Enterprise Vault Web Access application to their clients as Archive Explorer and archive search client requests attempt to connect to the Enterprise Vault server directly. Organizations should also reference technote http://support.veritas.com/docs/292893 which details a known ISA 2006 issue in which users can not open attachments via OWA 2003 and RPC client using connection set to 'Use Proxy'. 13
OWA 2000/2003 and ISA 2004 When configuring ISA Server 2004 for basic or forms-based authentication, the Mail Server Publishing Rule will typically reference 3 standard paths, which are the Exchange, Public and Exchweb virtual directories. For Enterprise Vault support, the extra path of EnterpriseVaultProxy needs to be added. Figure 8 shows the process of end user access via OWA using and ISA Firewall. Figure 8 - ISA 2004, Exchange 2003/2000, EV To add the EnterpriseVaultProxy path in ISA, an administrator needs to add and publish /EnterpriseVaultProxy/* to the list of paths in the ISA Firewall Policy. 14
Accessing items via RPC over HTTP Outlook users can access mailboxes on Exchange Server 2007 (Outlook Anywhere) and 2003 using Remote Procedure Calls (RPC) over HTTP. With this protocol, MAPI protocol is used to tunnel Outlook RPC requests inside an HTTP session. This allows remote Outlook users to connect to their Exchange Server mailbox without the requirement for Outlook Web Access (OWA) or a virtual private network (VPN) connection. The HTTP session terminates at a server running Internet Information Services (IIS) that has the Microsoft Windows Server 2003 RPC over HTTP Proxy networking component installed. This server is called an RPC proxy server. To support user access to Enterprise Vault using OWA and/or RPC over HTTP, the OWA & RPC Extensions EV component needs to be installed and configured on the Exchange and Enterprise Vault servers. The steps for configuring OWA access are different from the steps for configuring RPC over HTTP access; however, the security model does not change. The EV client will attempt to connect directly to the EV server using HTTP. If successful, the client will use that method for EV requests. If the direct connection attempt fails, then it will connect in a fashion similar to OWA in the previous section, which means that connections between RPC target Exchange Servers and Enterprise Vault servers will use EV Anonymous authentication. Exchange 2007 RPC over HTTP and ISA 2006 Microsoft ISA Server 2006 can be used to secure RPC over HTTP access to Exchange 2007 Servers by using Web publishing rules to make the RPC Web site available on the Internet. To configure the ISA 2006, organizations need to: Configure an RPC firewall policy that publishes the \rpc virtual directory on the Exchange 2007 CAS server through ISA Server 2006. Configure an Enterprise Vault firewall policy on ISA 2006 that publishes the \EnterpriseVault virtual directory on the Enterprise Vault server. Exchange 2003 RPC over HTTP and ISA 2004 Microsoft ISA Server 2004 can be used to secure access to RPC Exchange Servers by using Web publishing rules (reverse proxy), to make RPC proxy servers available on the Internet. To configure the ISA 2004, organizations need to: Configure an RPC firewall policy that publishes the \rpc virtual directory on the RPC proxy server through ISA Server 2004. Configure an Enterprise Vault firewall policy that publishes the \EnterpriseVaultProxy virtual directory on the RPC proxy server through ISA Server 2004. Procedures for configuring RPC and Enterprise Vault firewall policies for can be found in the Configuring ISA Server 2004 for Exchange Server 2003 RPC over HTTP access to Enterprise Vault section of the Setting_up_Exchange_Server_Archiving.pdf that ships with Enterprise Vault 8.0. 15
Conclusion In this whitepaper we have discussed the security aspects of archiving Exchange servers with Enterprise Vault 8.0. We have discussed the necessity for an Enterprise Vault service mailbox and the security around Journal archives and Vault Cache. We discussed end-user access to archived items from Outlook, OWA, and RPC over HTTP as well as the additional security provided with the use of ISA servers. Below is a list of the other Security Model topics in this series that may be of interest. Enterprise Vault 8.0 Security Model for File System Archiving Enterprise Vault 8.0 Security Model for Microsoft Sharepoint Archiving Enterprise Vault 8.0 Security Model for SMTP Archiving Enterprise Vault 8.0 Security Model for Discovery Accelerator 8.0 Enterprise Vault 8.0 Security Model for Compliance Accelerator 8.0 Enterprise Vault 8.0 Security Model for Automatic Classification Engine 8.0 Enterprise Vault 8.0 Security Model for Secure Messaging 8.0 Enterprise Vault 8.0 Security Model for Lotus Domino Archiving 16
About Symantec Symantec is a global leader in providing security, storage and systems management solutions to help businesses and consumers secure and manage their information. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com. For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745 6054. Symantec Corporation World Headquarters 20330 Stevens Creek Boulevard Cupertino, CA 95014 USA +1 (408) 517 8000 1 (800) 721 3934 www.symantec.com Copyright 2009 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.