How to Secure Exchange 2010 Client Access Server (CAS)?

Tej Pratap Shukla | Modified: November 9, 2016 | Exchange Server 2010, General Info | 5 Minutes Reading

This article discusses how to secure the Exchange 2010 Client Access server. As you might know, Exchange Server is one of the most widely deployed mail servers today. Its portfolio of features, such as social collaboration, the Intelligent Message Filter, and connection filtering, is a feather in its cap. Along with this, security and authentication are the main concerns for almost every organization that runs MS Exchange Server with the Client Access server role installed. The Client Access server provides access through Outlook Anywhere, POP3 (Post Office Protocol version 3), IMAP4, MS Exchange ActiveSync, and Outlook Web App (OWA). Moreover, it also hosts the Autodiscover and Availability services. All of these protocols and services need to be secured. In the following sections, we discuss how to secure the Exchange 2010 Client Access server.

Secure Exchange 2010 Client Access Server

Managing Authentication in CAS

The essential security-related task for the CAS (Client Access server) is to configure the authentication method. A CAS is installed by default with a self-signed digital certificate. A digital certificate does two main things:

  • Authenticates the holder.
  • Protects data exchanged online from tampering.

Although the default self-signed certificate is supported for Exchange ActiveSync and Outlook Web App, it is not the safest way to authenticate, and it is not supported for Outlook Anywhere at all. For better security, configure the Exchange 2010 Client Access server to use a trusted certificate from a commercial certification authority (CA) or from an internal PKI CA. Authentication can be configured separately for Outlook Web App, IMAP4, Exchange ActiveSync, POP3, and Outlook Anywhere.
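The following Exchange Management Shell sequence replaces the self-signed certificate with a CA-issued one on the client-facing services. It is an added example, not code from the original article; the server name CAS01, the names mail.contoso.com and autodiscover.contoso.com, and the C:\Certs paths are assumptions, and the shell is assumed to run on CAS01.

```powershell
# Added example (not from the original article). CAS01, the contoso.com
# names and the C:\Certs paths are placeholders; run on CAS01 in the
# Exchange Management Shell.

# 1. Generate a certificate signing request (CSR) that covers every name
#    clients connect to: OWA, Outlook Anywhere, ActiveSync and Autodiscover.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Contoso, cn=mail.contoso.com" `
    -DomainName mail.contoso.com, autodiscover.contoso.com `
    -PrivateKeyExportable $true
Set-Content -Path "C:\Certs\cas01.req" -Value $csr

# 2. Submit cas01.req to the CA. When the issued certificate comes back,
#    import it (the file's bytes are passed to -FileData).
$bytes = [System.IO.File]::ReadAllBytes("C:\Certs\cas01.cer")
$cert  = Import-ExchangeCertificate -FileData $bytes

# 3. Bind the new certificate to the client-facing services. IIS covers OWA,
#    Outlook Anywhere, ActiveSync and Autodiscover; POP and IMAP are separate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,POP,IMAP"

# 4. Verify: the certificate holding W (IIS), P (POP) and I (IMAP) should now
#    be the CA-issued one, i.e. IsSelfSigned = False. If the self-signed
#    certificate still holds a service, step 3 did not take effect.
Get-ExchangeCertificate |
    Where-Object { $_.Services -ne 'None' } |
    Format-Table Thumbprint, IsSelfSigned, Services, CertificateDomains -AutoSize
```

Outlook Anywhere only works with a certificate that clients trust, so the CertificateDomains column should list every external name Outlook will use.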

Ways to Improve Secure Communications in CAS

Once secure communications are configured between clients and the Exchange 2010 Client Access server (CAS), you should also secure the communication between the Exchange 2010 CAS and the other servers in the organization. By default, POP3, HTTP, IMAP4, and Exchange ActiveSync communication between the CAS and other servers is encrypted.

Exchange ActiveSync Security

There are numerous security-related tasks that can be performed on the server running Exchange ActiveSync. One of the most important is to configure the authentication method on the Exchange 2010 server that has the CAS role installed. This server role is installed by default with a self-signed digital certificate. While the self-signed certificate is supported for Exchange ActiveSync, it is not the most secure way of authenticating.

Device Security: Secure Exchange 2010 Client Access Server

In addition to improving Exchange ActiveSync server security, you should consider enhancing the security of the mobile phones themselves. There are several ways to do so.

#1 Exchange ActiveSync Mailbox Policies

Exchange ActiveSync for Exchange 2010 lets you create Exchange ActiveSync mailbox policies that apply a common set of security settings to a collection of users, including:

  • Requiring a password
  • Specifying a minimum password length
  • Requiring special characters in the password
  • Specifying how long the phone may sit inactive before the password must be re-entered
  • Specifying that the device is wiped if an incorrect password is entered more than the allowed number of times

#2 Remote Device Wipe

Mobile phones can store sensitive data that belongs to the organization and give access to the organization's resources. If a mobile phone is lost, that data can be compromised. A remote device wipe removes the data from the lost phone the next time it connects.
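The mailbox policy settings listed above and the remote wipe, as an added example that is not part of the original article. The policy name, the mailbox user@contoso.com and the device ID are placeholders; the commands run in the Exchange Management Shell.

```powershell
# Added example (not from the original article). Policy name, mailbox and
# device ID are placeholders; run in the Exchange Management Shell.

# 1. Create a mailbox policy that enforces the settings discussed above:
#    a required password of at least 6 characters with at least one
#    non-alphanumeric character, a lock after 15 minutes of inactivity,
#    and a device wipe after 10 failed password attempts. Devices that
#    cannot enforce the policy are refused.
New-ActiveSyncMailboxPolicy -Name "Secure Mobile" `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 6 `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordComplexCharacters 1 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -AllowNonProvisionableDevices $false

# 2. Assign it to a user (pipe a filtered Get-Mailbox result into
#    Set-CASMailbox to cover a whole group).
Set-CASMailbox -Identity "user@contoso.com" -ActiveSyncMailboxPolicy "Secure Mobile"

# 3. Confirm the user's devices have actually applied it: a status other
#    than 'AppliedInFull' means the settings are not yet enforced on that phone.
Get-ActiveSyncDeviceStatistics -Mailbox "user@contoso.com" |
    Format-Table DeviceId, DeviceType, DevicePolicyApplied,
                 DevicePolicyApplicationStatus, LastSyncAttemptTime -AutoSize

# 4. Remote wipe of a lost phone: pick the device by its ID, then issue the
#    wipe. The wipe executes on the device's next sync attempt, and the
#    notification address receives a mail once the device acknowledges it.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "user@contoso.com" |
    Where-Object { $_.DeviceId -eq "PLACEHOLDER_DEVICE_ID" }
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "user@contoso.com" -Confirm:$false
```

Because the wipe is only carried out when the phone next contacts the server, keep the user's account enabled until the acknowledgement arrives.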

Security for Outlook Web App

OWA for MS Exchange Server 2010 provides a variety of security features that can be configured to suit the security needs of the organization.

#1 Authentication

The following authentication methods can be configured on the Exchange 2010 CAS:

  • Standard authentication methods:
    • Basic authentication
    • Integrated Windows authentication
    • Digest authentication
  • Forms-based authentication
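How the choice between forms-based and the standard methods is made on the OWA virtual directory, as an added example that is not part of the original article. It assumes the server CAS01, the default virtual directory name, the domain contoso.com, and that the shell runs on CAS01.

```powershell
# Added example (not from the original article). CAS01 and contoso.com are
# placeholders; run on CAS01 in the Exchange Management Shell.

$owa = "CAS01\owa (Default Web Site)"

# Forms-based authentication shows the OWA logon page over HTTPS and issues
# a session cookie that expires after the public/private computer timeout.
# Enabling it turns Basic authentication on underneath (the logon page posts
# the credentials over SSL) and turns Windows and Digest authentication off.
# LogonFormat UserName lets users type just their user name; it requires
# a DefaultDomain.
Set-OwaVirtualDirectory -Identity $owa `
    -FormsAuthentication $true `
    -LogonFormat UserName `
    -DefaultDomain contoso.com

# Alternative, for example when a reverse proxy presents its own logon form:
# standard methods only. Basic sends credentials base64-encoded, not
# encrypted, so it is acceptable only because the site requires SSL.
# Set-OwaVirtualDirectory -Identity $owa -FormsAuthentication $false `
#     -BasicAuthentication $true -WindowsAuthentication $false -DigestAuthentication $false

# The authentication settings live in IIS, so restart it for them to apply.
iisreset /noforce

# Verify the resulting settings. Exactly one of FormsAuthentication or the
# standard methods should be in use, and the URLs must be https.
Get-OwaVirtualDirectory -Identity $owa |
    Format-List FormsAuthentication, BasicAuthentication, WindowsAuthentication,
                DigestAuthentication, LogonFormat, DefaultDomain, InternalUrl, ExternalUrl
```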

#2 Segmentation

Segmentation lets you enable or disable the features that are available to users in Exchange 2010 OWA. By default, every mail-enabled user in an Exchange 2010 organization can access their mailbox by using OWA. Depending on the organization's requirements, segmentation can be used to:

  • Restrict access to OWA for particular users.
  • Control access to certain OWA features.
  • Disable an OWA feature.

#3 Web Beacons

A web beacon is an object such as a transparent graphic or image that is embedded in a Web site or message. Web beacons are typically used together with HTML cookies to monitor behavior on a Web site or to confirm that a recipient's email address is live.

#4 Access File and Data

There are several features that let users access files and data in OWA. Each of these features includes options for controlling access to files and data:

  • WebReady Document Viewing
  • Direct File Access
  • Windows File Share Integration
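Segmentation, web beacon filtering and file access are all properties of the same OWA virtual directory, so one Exchange Management Shell block serves the three sections above. This is an added example, not code from the original article; CAS01, the default virtual directory name and the mailbox user@contoso.com are assumptions.

```powershell
# Added example (not from the original article). CAS01 and user@contoso.com
# are placeholders; run in the Exchange Management Shell.

$owa = "CAS01\owa (Default Web Site)"

# Segmentation, per virtual directory: switch individual OWA features off
# for everyone who reaches OWA through this CAS.
Set-OwaVirtualDirectory -Identity $owa `
    -ChangePasswordEnabled $false `
    -PublicFoldersEnabled $false

# Segmentation, per user: block OWA entirely for a specific mailbox.
Set-CASMailbox -Identity "user@contoso.com" -OWAEnabled $false

# Web beacons: ForceFilter strips beacons and HTML forms from every message
# and gives the user no option to load them. The default, UserFilterChoice,
# lets the user click to load blocked content; DisableFilter turns it off.
Set-OwaVirtualDirectory -Identity $owa -FilterWebBeaconsAndHtmlForms ForceFilter

# File and data access, distinguished by the logon page's public/private
# choice. On public (shared) computers: no attachment download (Direct File
# Access), no file-share browsing (UNC = Windows File Share Integration,
# WSS = SharePoint), but keep WebReady Document Viewing, which renders
# Office and PDF documents to HTML on the server so the file itself never
# lands on the shared machine. Private computers keep attachment download.
Set-OwaVirtualDirectory -Identity $owa `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -WebReadyDocumentViewingOnPublicComputersEnabled $true `
    -UNCAccessOnPublicComputersEnabled $false `
    -WSSAccessOnPublicComputersEnabled $false `
    -DirectFileAccessOnPrivateComputersEnabled $true `
    -WebReadyDocumentViewingOnPrivateComputersEnabled $true `
    -ForceWebReadyDocumentViewingFirstOnPrivateComputers $true `
    -UNCAccessOnPrivateComputersEnabled $false `
    -WSSAccessOnPrivateComputersEnabled $false

# Review the result: every *Enabled property and the beacon filter setting.
Get-OwaVirtualDirectory -Identity $owa |
    Format-List *Enabled, FilterWebBeaconsAndHtmlForms, ForceWebReadyDocumentViewingFirst*
```

The public/private distinction is only as strong as the user's honesty on the logon page, which is why the stricter public settings should be treated as the baseline.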

Security for IMAP and POP3 in CAS

For secure communication between POP3 and IMAP4 clients and the Exchange 2010 CAS, we strongly recommend using SSL (Secure Sockets Layer) or TLS (Transport Layer Security). By default, Exchange Setup provides a self-signed certificate intended for testing environments. The default ports for these protocols are:

  • IMAP4 with SSL: TCP 993
  • POP3 with SSL: TCP 995
  • IMAP4 with or without TLS: TCP 143
  • POP3 with or without TLS: TCP 110

Securing these protocols is one of the most important steps in securing the Exchange 2010 Client Access Server.
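Requiring SSL or TLS before a POP3 or IMAP4 logon is accepted, as an added example that is not part of the original article. It assumes the shell runs on the CAS, that a CA-issued certificate with subject mail.contoso.com is already bound to POP and IMAP, and that the test mailbox created by the New-TestCasConnectivityUser.ps1 script exists.

```powershell
# Added example (not from the original article). mail.contoso.com is a
# placeholder; run on the CAS in the Exchange Management Shell.

# LoginType SecureLogin refuses a plain-text logon on the unencrypted ports
# (110 and 143) unless the client has first upgraded the session with
# STARTTLS; connections on the SSL ports (995 and 993) are encrypted from the
# start. X509CertificateName selects the certificate presented on those
# ports, so it must match a CA-issued certificate, not the self-signed one.
Set-PopSettings  -LoginType SecureLogin -X509CertificateName mail.contoso.com
Set-ImapSettings -LoginType SecureLogin -X509CertificateName mail.contoso.com

# The POP3 and IMAP4 services read their settings at startup.
Restart-Service MSExchangePOP3
Restart-Service MSExchangeIMAP4

# Verify the stored configuration and the bindings (default: 995/993 for SSL,
# 110/143 for plain-or-STARTTLS, on both IPv4 and IPv6).
Get-PopSettings  | Format-List LoginType, X509CertificateName, SSLBindings, UnencryptedOrTLSBindings
Get-ImapSettings | Format-List LoginType, X509CertificateName, SSLBindings, UnencryptedOrTLSBindings

# End-to-end check: logs on with the test mailbox over the SSL port. Without
# -TrustAnySSLCertificate the test fails if the certificate is untrusted,
# which is exactly what a real client would see with the self-signed default.
Test-PopConnectivity
Test-ImapConnectivity
```

A Result of Failure with a certificate error in the output means clients on the SSL ports are still being handed a certificate they cannot validate.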

Security for Outlook Anywhere in CAS

There are several ways to help secure Outlook Anywhere. In Exchange 2010, Outlook Anywhere lets users access Exchange from the Internet.

#1 Select SSL Deployment

SSL (Secure Sockets Layer) can be deployed in various ways to help secure communication between Outlook 2007 and Outlook 2010 clients and the Autodiscover service.

Configuring Authentication

When you configure the Client Access server to provide Outlook Anywhere access, you must choose the authentication method that Outlook clients will use.
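Enabling Outlook Anywhere with SSL kept on the CAS and an explicit client authentication method, as an added example that is not part of the original article. It assumes Exchange 2010 SP1 or later on CAS01, the external name mail.contoso.com, a CA-issued certificate already bound to IIS, and the test mailbox from New-TestCasConnectivityUser.ps1.

```powershell
# Added example (not from the original article). CAS01 and mail.contoso.com
# are placeholders; run in the Exchange Management Shell on Exchange 2010 SP1+.

# Enable Outlook Anywhere (RPC over HTTPS). SSLOffloading $false keeps TLS
# terminated on the CAS itself, so the IIS certificate must be valid for the
# external host name. NTLM is the safer client method: the password is never
# sent with the request. Basic sends it base64-encoded on every request and
# is only protected by the SSL tunnel, so use it only when a proxy in front
# of the CAS cannot pass NTLM through. IISAuthenticationMethods lists what
# the /rpc virtual directory accepts; it must include the client method.
Enable-OutlookAnywhere -Server CAS01 `
    -ExternalHostname mail.contoso.com `
    -ClientAuthenticationMethod Ntlm `
    -IISAuthenticationMethods Basic, Ntlm `
    -SSLOffloading $false

# To change the client method later without re-enabling the feature:
# Set-OutlookAnywhere -Identity "CAS01\Rpc (Default Web Site)" -ClientAuthenticationMethod Basic

# Verify the stored configuration ...
Get-OutlookAnywhere -Server CAS01 |
    Format-List ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods, SSLOffloading

# ... and that an RPC-over-HTTP logon actually succeeds end to end, using the
# test mailbox. A certificate the client cannot validate shows up here as a
# failure, before any real user reports it.
Test-OutlookConnectivity -Protocol HTTP
```

Outlook Anywhere settings are published to clients through Autodiscover, so the same certificate must also cover the Autodiscover name for the clients in the previous section to pick them up.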

Conclusion: Secure Exchange 2010 Client Access Server

Data security is the main concern of almost every user, and Exchange Server is no exception. In the above discussion, we have covered how to secure the Exchange 2010 Client Access Server so that the data passing through it is better protected.