When describing Exchange server security the following topics need to be addressed:
Windows NT security is not a trivial subject. Briefly, it provides authentication of users, sophisticated protection of securable objects such as files, and auditing of system usage. For example, you can configure the system so that events are written to the security event log when certain things occur (reading from a file, etc.).
Windows NT security is integrated into the MS Exchange Server product by providing secure logon to mailboxes and protecting access to its Directory. This is accomplished through access control with security descriptors, which are associated with objects. Each security descriptor may have a discretionary access control list (DACL), which lists users together with their access masks. An access mask is a collection of individual access rights, such as the right to delete an object, the right to read its contents, and so on.
Microsoft Exchange Server uses Windows NT security features. Microsoft Exchange Server directory objects are securable, which means that a security descriptor may be associated with an object and protect it. If a user trying to access the object is not listed in its DACL with appropriate access rights, then access is denied by the operating system.
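The access decision described above, as an added example that is not part of the original page or of Microsoft's code: a simplified C model of how a DACL is walked against a requested access mask. It goes beyond the text by also handling deny entries and a descriptor with no DACL at all; the type names, right bits and account names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model; names and bit values are illustrative, not Win32's. */
enum { RIGHT_READ = 0x1, RIGHT_WRITE = 0x2, RIGHT_DELETE = 0x4 };
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace   { enum ace_type type; const char *trustee; unsigned mask; };
struct dacl  { const struct ace *aces; int count; };
struct token { const char *ids[4]; int count; };  /* user plus groups */
static int token_has(const struct token *t, const char *trustee) {
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->ids[i], trustee) == 0) return 1;
    return 0;
}

/* Returns 1 only if every bit of `desired` is granted.
   dacl == NULL models a descriptor with no DACL (access unrestricted);
   a DACL with zero entries grants nothing. */
int access_check(const struct dacl *dacl, const struct token *tok, unsigned desired) {
    if (dacl == NULL) return 1;
    unsigned remaining = desired;
    for (int i = 0; i < dacl->count && remaining; i++) {
        const struct ace *a = &dacl->aces[i];
        if (!token_has(tok, a->trustee)) continue;
        if (a->type == ACE_DENY) {
            if (a->mask & remaining) return 0;   /* needed right denied */
        } else {
            remaining &= ~a->mask;               /* rights granted so far */
        }
    }
    return remaining == 0;   /* ungranted rights are implicitly denied */
}

/* Constructed sample data: deny entries placed before allow entries. */
static const struct ace folder_aces[] = {
    { ACE_DENY,  "DOMAIN\\temps", RIGHT_DELETE },
    { ACE_ALLOW, "DOMAIN\\staff", RIGHT_READ | RIGHT_WRITE | RIGHT_DELETE },
    { ACE_ALLOW, "DOMAIN\\alice", RIGHT_READ },
};
const struct dacl  folder_dacl = { folder_aces, 3 };
const struct dacl  empty_dacl  = { NULL, 0 };
const struct token alice = { { "DOMAIN\\alice" }, 1 };
const struct token bob   = { { "DOMAIN\\bob", "DOMAIN\\staff", "DOMAIN\\temps" }, 3 };

int main(void) {
    printf("alice read=%d write=%d\n", access_check(&folder_dacl, &alice, RIGHT_READ), access_check(&folder_dacl, &alice, RIGHT_WRITE));
    printf("bob write=%d delete=%d\n", access_check(&folder_dacl, &bob, RIGHT_WRITE), access_check(&folder_dacl, &bob, RIGHT_DELETE));
    return 0;
}
```

When auditing descriptors, the two cases worth telling apart are a missing DACL, which leaves the object open to everyone, and an empty DACL, which denies everyone.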
On top of this, Microsoft implemented an additional mechanism to protect Exchange public folders. The reason for this is unclear to me. It appears to be possible to protect public folders with regular DACLs. In fact, a folder object in the Exchange Directory may have a security descriptor, and it is possible to insert entries there. However, access to Exchange public folders is controlled by other means. A MAPI table is associated with a folder. This table contains rows, and each row is functionally similar to a Windows NT Access Control Entry (ACE). There are significant differences, though. For example, while an ACE allows access to Windows NT accounts, a MAPI folder operates with mailboxes. It may also allow access to a distribution list, which is a potentially large collection of mailboxes.
All samples are implemented without any error handling for simplicity and readability.