S/MIME security and RPC over HTTPS for Outlook

Source: Internet
Author: User
Tags: hash, rfc, microsoft, outlook

Microsoft Outlook Address Book and object model security

Outlook exposes an Office object model so that you can write scripts and programs to automate repetitive actions. This is a double-edged sword: it is useful to let programs (such as synchronization tools for personal digital assistants [PDAs] or customer relationship management software) read contact information, but the same access is available to viruses and other malicious executables that run while the user is logged on.

In fact, many mass-mailing viruses harvested addresses from the infected user's Address Book and mailed copies of themselves to every address they found. Because the security update makes this difficult, some virus writers have switched to scanning local files for e-mail addresses instead.

To help with this problem, Outlook 2003 includes the Outlook E-mail Security Update, which enables the Object Model Guard: a set of checks that restrict what external applications can make Outlook do. There are three kinds of guard. The first restricts use of the Simple Messaging Application Programming Interface (Simple MAPI; do not confuse Simple MAPI with Extended MAPI, which is not restricted by the Object Model Guard), the second restricts use of the Outlook object model, and the third restricts use of Collaboration Data Objects (CDO). In the following sections I will describe in detail what each kind lets you access.

Microsoft Outlook 2002 and Outlook 2003 security zone changes

In Outlook 2002 and Outlook 2003 the default security zone is Restricted Sites rather than Internet. In the Restricted Sites zone, Active Scripting is disabled by default: the zone refuses to run most scripts and refuses to load Microsoft ActiveX controls without explicit permission. This change is meant to protect the system from malicious code embedded in HTML messages. Because the default Outlook zone is Restricted Sites, Outlook will not run scripts in HTML messages, and ActiveX controls in those messages will fail to load. You should also make sure that Internet Explorer is fully patched on every computer running Outlook, because Outlook uses the IE rendering engine to display HTML messages, so a flaw in IE's HTML handling is a flaw in Outlook as well.

Secure/Multipurpose Internet Mail Extensions (S/MIME) security for Microsoft Outlook

Secure/Multipurpose Internet Mail Extensions (S/MIME) support is one of the more important features of Outlook (I have written S/MIME security software, so I may be biased). Outlook uses S/MIME to protect users end to end: the messages you create can be signed or encrypted on your own computer, and they remain protected in transit and after delivery to the Exchange mailbox server that holds the recipient's mailbox. Signing, encrypting, decrypting and verifying messages is easy, and as the details below show, Outlook gives you a good deal of control over its security settings. The best thing about Outlook's S/MIME support is that it uses the system's own cryptography through CryptoAPI (the cryptographic application programming interface). If you already use certificates or smart cards for access control or other purposes, you can use the same certificates in Outlook, provided their issuer marked them as valid for secure e-mail.

The "MIME" in S/MIME is there because the secured content of an S/MIME message is itself a Multipurpose Internet Mail Extensions (MIME) body part, as described in RFC 1847. This means, for example, that a plain text message can be sent with its signature attached as a separate part. Such a message is called clear-signed, because a client that does not understand S/MIME can still read the text and simply ignore the signature. The alternative is the opaque-signed message, which wraps the content and the signature together in a single part that cannot be read unless the client understands S/MIME and unpacks the signed data.
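The layering described above, as an added example that is not part of the original article: a small parser, using only the Python standard library, that tells a clear-signed message (multipart/signed with a detached application/pkcs7-signature part) from an opaque-signed or encrypted one (a single application/pkcs7-mime part, the smime.p7m attachment discussed under the RFCs below). The three messages are constructed for the example, and FAKE_CMS is a placeholder for a DER-encoded CMS object, so nothing is verified or decrypted; what it shows is which form a client without S/MIME support can still read.

```python
"""Classify S/MIME message structures (RFC 1847 / RFC 2633) with the standard
library only. Added example, not code from the original article. The three
sample messages are constructed by hand, and FAKE_CMS is a placeholder for a
DER-encoded CMS object: nothing here verifies or decrypts anything.
"""
import base64
from email import message_from_string
from email.message import Message
from typing import Dict, Optional

# Stand-in for a CMS SignedData / EnvelopedData blob (constructed, NOT real CMS):
# a 4-byte DER-style length header followed by 20 bytes of filler, 24 bytes total.
FAKE_CMS = base64.b64encode(b"\x30\x82\x00\x14" + b"x" * 20).decode()

# Clear-signed (multipart/signed): part 1 is the text, part 2 a detached signature.
CLEAR_SIGNED = f"""From: alice@example.com
To: bob@example.com
Subject: clear-signed
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Meeting moved to 3pm.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

{FAKE_CMS}
--b1--
"""

# Opaque-signed: text and signature are both inside one CMS SignedData part.
OPAQUE_SIGNED = f"""From: alice@example.com
To: bob@example.com
Subject: opaque-signed
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

{FAKE_CMS}
"""

# Encrypted: CMS EnvelopedData, same MIME type, different smime-type parameter.
ENCRYPTED = OPAQUE_SIGNED.replace("signed-data", "enveloped-data").replace(
    "Subject: opaque-signed", "Subject: encrypted")


def classify(msg: Message) -> str:
    """Name the S/MIME layering used by a parsed message."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        proto = str(msg.get_param("protocol") or "").lower()
        return "clear-signed" if proto == "application/pkcs7-signature" else "signed (other protocol)"
    if ctype == "application/pkcs7-mime":
        smime_type = str(msg.get_param("smime-type") or "").lower()
        return {"signed-data": "opaque-signed",
                "enveloped-data": "encrypted"}.get(smime_type, f"pkcs7-mime:{smime_type or '?'}")
    return "not S/MIME"


def readable_text(msg: Message) -> Optional[str]:
    """Text a client that does not understand S/MIME could still display."""
    if classify(msg) != "clear-signed":
        return None                      # content lives inside the CMS blob
    body = msg.get_payload(0)            # RFC 1847: the first part is the signed content
    if body.get_content_type() != "text/plain":
        return None
    raw = body.get_payload(decode=True)
    return raw.decode(body.get_content_charset() or "us-ascii").strip()


def cms_part(msg: Message) -> Optional[Message]:
    """The part carrying the PKCS #7 object (.p7s detached signature or .p7m)."""
    kind = classify(msg)
    if kind == "clear-signed":
        return msg.get_payload(1)
    if kind in ("opaque-signed", "encrypted"):
        return msg
    return None


def summarize(raw_message: str) -> Dict[str, object]:
    """Inventory of a message: layering, hash hint, PKCS #7 file name, size, visible text."""
    msg = message_from_string(raw_message)
    part = cms_part(msg)
    micalg = msg.get_param("micalg")
    return {
        "kind": classify(msg),
        "micalg": str(micalg) if micalg else None,
        "pkcs7_name": part.get_filename() if part is not None else None,
        "cms_bytes": len(part.get_payload(decode=True)) if part is not None else None,
        "text": readable_text(msg),
    }


if __name__ == "__main__":
    for sample in (CLEAR_SIGNED, OPAQUE_SIGNED, ENCRYPTED):
        print(summarize(sample))
```

The clear-signed sample yields its text with no cryptography at all; the opaque-signed and encrypted samples yield only the .p7m attachment, which is exactly what a non-S/MIME client sees.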

S/MIME version 3 is the standard that Outlook supports and uses by default. It is made up of a number of RFCs that describe how clients and servers create, process, and secure mail. Specifically:

RFC 3369 describes the Cryptographic Message Syntax (CMS), the format of S/MIME messages. CMS is derived from the earlier Public Key Cryptography Standard (PKCS) #7 format (RFC 2315), which is why messages protected with S/MIME still show up as an attachment with a .p7m extension, denoting a PKCS #7 MIME part. This RFC matters mainly because it strictly defines how clients must sign, encrypt, decrypt, and verify messages, and how to construct messages so that other clients can read them. (RFC 3369 has since been superseded by RFC 3852 and then RFC 5652, which keep the format compatible.)

RFC 3370 specifies the algorithms used in S/MIME version 3: Secure Hash Algorithm 1 (SHA-1) and Message Digest 5 (MD5) for hashing, the Digital Signature Algorithm (DSA) and RSA for signatures, and RC2 and Triple Data Encryption Standard (3DES) for message confidentiality. Implementations may add algorithms beyond these; as long as a message fully identifies the algorithm it uses (CMS carries an algorithm identifier with every operation), a recipient that supports that algorithm can process it. Note that MD5, SHA-1 and RC2 are considered weak today; later S/MIME revisions (RFC 5751 and RFC 8551) move to SHA-256 and AES.

RFC 2632 describes how S/MIME-compatible software handles certificates. It details when and how clients check for certificate revocation and expiration, how they must treat certificate extensions they do not recognize, and so on.

RFC 2633, in its own words, defines how to create a MIME body part that has been cryptographically enhanced according to CMS, which in turn is based on the PKCS #7 standard. The memo also defines the application/pkcs7-mime MIME type used to carry these body parts.

As an e-mail administrator you probably won't want to read these RFCs, but they do explain why S/MIME clients behave the way they do in certain cases.

Outlook fully supports S/MIME version 3 and adds some of the features defined in RFC 2634 (Enhanced Security Services), including signed receipts, security labels (such as secret or top secret), and other features most users don't care about, such as those for the Defense Message System (DMS), which I will not cover here.

RPC over HTTPS for Microsoft Outlook

Exchange and Outlook communicate using the Remote Procedure Call (RPC) protocol. That is fine on a local area network (LAN), but most administrators are sensible enough to block RPC traffic at their network perimeter. There is no good reason to let arbitrary Internet hosts send RPC packets to your servers; given the history of attacks against the Windows RPC stack, there are good reasons not to.

This presents Exchange administrators with a dilemma: what is the best way to let remote users get at their mailboxes?

There are several options. Microsoft Outlook Web Access (OWA) works well, but it gives users no access to saved messages while they are offline. POP and IMAP are useful protocols, but they do not expose the full set of Exchange features. Virtual private networks (VPNs) allow secure access, but they also give the remote computer full membership of the corporate network, which users do not always need. Internet Security and Acceleration (ISA) Server can publish RPC-based services and inspect inbound RPC traffic to verify that it is well formed and harmless.

In Outlook 2003 Microsoft added full support for carrying RPC packets inside Hypertext Transfer Protocol (HTTP) packets, or more precisely inside Secure Sockets Layer (SSL)-protected HTTPS. With the correct configuration, a mobile user can start Outlook, connect to the network over port 443, and have an RPC channel to the Exchange server. Users get all of Outlook's features, and the administrator can keep blocking raw RPC traffic at the perimeter. This very useful feature does require some configuration in Outlook and on the server, as I discuss in the following sections.
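Once RPC is tunnelled over port 443 the perimeter firewall no longer sees it, so the place to check what is actually being proxied is the web server's log. The following is an added example, not code from the original article: it parses an IIS W3C log and flags RPC-over-HTTP requests (the RPC_IN_DATA and RPC_OUT_DATA methods Outlook sends to /rpc/rpcproxy.dll, with the back-end server:port in the query string) that either arrived without SSL or asked the proxy to forward to a target that was never meant to be published. The log lines, host names and the ALLOWED_TARGETS set are constructed for the example.

```python
"""Audit RPC-over-HTTP traffic in an IIS W3C extended log. Added example, not
code from the original article. The log excerpt is constructed; ALLOWED_TARGETS
and the host names are assumptions standing in for the server:port pairs an
administrator actually publishes through the RPC proxy.
"""
from typing import Dict, List, Set, Tuple

# Back-end targets the proxy is meant to forward to (assumed for this example;
# 6001/6002/6004 are the Exchange 2003 store, referral and directory proxy ports).
ALLOWED_TARGETS: Set[str] = {
    "mail.example.com:6001",
    "mail.example.com:6002",
    "mail.example.com:6004",
}
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}

# Constructed IIS W3C extended log excerpt (not a real server's log).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query s-port cs-username sc-status
2004-06-01 08:00:01 203.0.113.7 RPC_IN_DATA /rpc/rpcproxy.dll mail.example.com:6001 443 EXAMPLE\\alice 200
2004-06-01 08:00:01 203.0.113.7 RPC_OUT_DATA /rpc/rpcproxy.dll mail.example.com:6001 443 EXAMPLE\\alice 200
2004-06-01 08:00:05 203.0.113.7 RPC_IN_DATA /rpc/rpcproxy.dll mail.example.com:6004 443 EXAMPLE\\alice 200
2004-06-01 08:01:10 198.51.100.9 RPC_IN_DATA /rpc/rpcproxy.dll mail.example.com:6001 80 - 401
2004-06-01 08:02:33 198.51.100.9 RPC_IN_DATA /rpc/rpcproxy.dll dc01.example.com:135 443 EXAMPLE\\mallory 200
2004-06-01 08:03:00 203.0.113.8 GET /exchange/ - 443 EXAMPLE\\bob 200
"""


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse a W3C extended log into dicts keyed by the names in the #Fields line."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # field layout can change mid-file
            continue
        if not line or line.startswith("#"):
            continue                         # other directives and blank lines
        values = line.split()                # IIS encodes embedded spaces as '+'
        if len(values) != len(fields):
            continue                         # malformed line: skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def audit_rpc_proxy(log_text: str,
                    allowed: Set[str] = ALLOWED_TARGETS) -> List[Tuple[str, str, str]]:
    """Return (time, client ip, finding) for every suspect RPC-over-HTTP request."""
    findings: List[Tuple[str, str, str]] = []
    for rec in parse_w3c(log_text):
        if rec["cs-method"] not in RPC_METHODS:
            continue                         # ordinary web traffic (OWA, etc.)
        when, client, target = rec["time"], rec["c-ip"], rec["cs-uri-query"]
        if rec["s-port"] != "443":
            findings.append((when, client,
                             f"RPC over HTTP without SSL on port {rec['s-port']}"))
        if target not in allowed:
            findings.append((when, client,
                             f"proxy asked to forward to target not in allowed list: {target}"))
    return findings


if __name__ == "__main__":
    for when, client, why in audit_rpc_proxy(SAMPLE_LOG):
        print(f"{when} {client}: {why}")
```

Run against the sample, the audit reports the plaintext attempt on port 80 and the request that tries to reach the domain controller's endpoint mapper (port 135) through the proxy; the three normal Outlook sessions and the OWA request are ignored. In a real deployment the allowed list should mirror the server:port pairs configured on the RPC proxy itself, so that a mismatch between the two is itself a finding.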
