Advanced Security Featuring Key Management Service
Microsoft Exchange Advanced Security in Microsoft Exchange 2000 Server creates and manages the public key infrastructure (PKI) for Exchange in your organization. This Exchange PKI enables message content security in the form of data encryption and digital signatures. It also provides centralized management of keys and certificates within your administrative groups for all enrolled users.
In System Manager, there are two components within the Advanced Security object: Encryption Configuration and Key Manager. Together, they provide secure messaging through cryptographic key pairs. Each key pair consists of a public key and a private key. Advanced Security is a dual key pair system, so users are provided with separate key pairs for encryption and for digital signatures.
Encryption Configuration specifies the encryption algorithm used by your PKI, as well as the secure message format used by your organization. This is also where you select a Key Management server for administrative groups.

Use Key Manager to access the Exchange Key Management Service (KMS) and manage your Key Management servers. For each public key there is a corresponding private key, available only to the enrolled user. Each private encryption key is securely archived on a Key Management server.
Note: Before you can install KMS on an Exchange 2000 server, you must install Windows 2000 Server Certificate Services. Certificate Services allows your Exchange organization to act as its own certification authority (CA). Certificates issued by Certificate Services bind an Exchange Advanced Security user to his or her public key. For complete information on Certificate Services, see the Windows 2000 documentation.
If an enrolled user loses his or her private key, for example through a hard drive failure or a forgotten password, administrators can use KMS to recover the key. Because of its increased integration with Windows 2000 Active Directory, KMS offers more organizational flexibility than previous versions of Exchange, as well as new administrative features such as bulk enrollment and the ability to export and import users from other Key Management servers.
Note: To enroll in KMS, users' computers must use Microsoft Outlook. Outlook 98 and later versions support Secure/Multipurpose Internet Mail Extensions (S/MIME), and compatibility with the Exchange 4.0/5.0 security message format is also available. For information specific to Outlook security, see the Microsoft Outlook documentation.
No. Clients running Outlook 98 or later support S/MIME. Using certificates issued by a third-party certification authority, Outlook clients can send S/MIME secure messages across the Internet even if Advanced Security has not been implemented in the organization, or if a client is not enrolled in Advanced Security. For more information on configuring client security, see the Outlook documentation.
Yes. Exchange Advanced Security provides users with two key pairs, one for digital signatures and one for message encryption. Many non-KMS clients using S/MIME through a third-party CA use a single key pair for both functions. While Outlook 98 and Outlook 2000 support interoperability between KMS and non-KMS users, older e-mail clients may have difficulty with KMS's dual-key S/MIME messages. Consult your e-mail client's documentation if you are unsure about support for dual-key messaging.
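The dual key pair model described above (one key pair for signatures, one for encryption) means a sender holds two certificates for each recipient and must pick the one whose X.509v3 key usage permits encryption. The following Go program is an added example, not Exchange or Outlook code: it issues two self-signed certificates in place of the Certificate Services CA (an assumption for the example), selects the encryption certificate by key usage, and shows that the signing key cannot decrypt what was encrypted to the encryption key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// makeCert issues a self-signed X.509v3 certificate whose KeyUsage extension
// marks the key for one purpose only (self-signing stands in for the CA here).
func makeCert(usage x509.KeyUsage) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: usage,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// pickCert returns the first certificate whose KeyUsage permits the purpose.
// A dual-key recipient publishes two certificates; a single-key client that
// grabbed the first one could end up encrypting to the signing key.
func pickCert(certs []*x509.Certificate, usage x509.KeyUsage) (*x509.Certificate, error) {
	for _, c := range certs {
		if c.KeyUsage&usage != 0 {
			return c, nil
		}
	}
	return nil, errors.New("no certificate with the required key usage")
}

// encryptFor encrypts msg to the recipient's KeyEncipherment certificate with RSA-OAEP.
func encryptFor(certs []*x509.Certificate, msg []byte) ([]byte, error) {
	c, err := pickCert(certs, x509.KeyUsageKeyEncipherment)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, c.PublicKey.(*rsa.PublicKey), msg, nil)
}
```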
KMS must use Windows 2000 Certificate Services as its CA. However, if your organization uses a third-party CA, Certificate Services can act as a subordinate to that CA, so that your internally generated certificates are also trusted outside of your organization.

Note: For a listing of third-party CAs, in Internet Explorer, on the Tools menu, click Internet Options. Click the Content tab, click Certificates, and then click the Trusted Root Certification Authorities tab. For more information, see the Internet Explorer documentation.
In certain situations, such as a partnership between two companies, it is possible to have some or all of your Advanced Security users automatically trust another organization's certificates. This is known as cross-certifying. Add the partner organization's root certificate to your domain controller, and the certificate will be published to your internal Certificate Trust Lists (CTLs).
Windows 2000 Certificate Services, the certification authority for KMS, issues only X.509 version 3 (X.509v3) certificates. However, for compatibility with older Exchange systems, KMS will continue to issue X.509 version 1 (X.509v1) certificates and act as the certification authority for those older clients.
In Exchange 2000, if one Certificate Services server is busy, KMS can request and receive a certificate from any other enterprise Certificate Services server in the organization. Also, KMS can enroll users through any enterprise Certificate Services server. Note that if all Certificate Services servers in your organization are busy, requests are queued for up to 24 hours; after that time, the request must be reissued. The necessary certificate templates must also be installed on the enterprise Certificate Services server.