Built-In Security Features

Topic Last Modified: 2008-08-06

This topic provides information about how the different technologies compare with regard to Built-in Security Features.

Technology

What are the built-in authentication / authorization mechanisms?

Active Directory Services Interfaces (ADSI)

ADSI and the Active Directory directory service fully support the entire set of Windows authentication and authorization features, including item-level permissions within Active Directory.

Collaboration Data Objects for Windows 2000 (CDOSYS)

CDOSYS uses the underlying Microsoft Windows 2000 Server or Windows Server 2003 security features.

CDOSYS SMTP/NNTP Event Sinks

SMTP event sinks provide no built-in security features. If an event sink changes a message after the user has digitally signed it, the accompanying digital signature will be invalid. SMTP event sinks cannot apply disclaimers or access the body of S/MIME and other encrypted messages when the encryption keys are unavailable.

Collaboration Data Objects for Exchange 2000 Server (CDOEX)

CDOEX uses the underlying Windows 2000 Server or Windows Server 2003 security features.

Collaboration Data Objects for Exchange Management (CDOEXM)

CDOEXM uses the underlying Windows 2000 Server or Windows Server 2003 security features. Most operations require that the application user security context have Exchange administrative permissions.

Collaboration Data Objects for Exchange Workflow (CDOWF)

Workflow processes always run as the Workflow System Account. Workflow events can log entries in the workflow audit log.

Exchange OLE DB Provider (ExOLEDB)

ExOLEDB uses the underlying Windows 2000 Server or Windows Server 2003 security features.

Exchange Store Event Sinks

Exchange store event sinks run under the security context of the user account set for the COM+ application. COM+ role-based security can be used to control access and specify the security context of the event sink process.

Exchange Web Forms

Exchange Web forms leverage the security model of Outlook Web Access. Access to the folders and items that the Web form uses is controlled by permissions set on the Exchange store items.

Exchange Web Services

Exchange Web Services can use NTLM, Kerberos, or Basic authentication. It is recommended that XML requests and responses be sent via SSL.

HTTP/Web Distributed Authoring and Versioning (WebDAV)

WebDAV virtual servers by default use Basic or NTLM authentication, and anonymous access is disabled. Because WebDAV transmits data in plaintext across the network, it is also recommended that Exchange WebDAV virtual servers that transmit sensitive data use SSL/TLS.

WebDAV Notifications

WebDAV virtual servers by default use Basic or NTLM authentication, and anonymous access is disabled. Because WebDAV transmits data in plaintext across the network, it is also recommended that Exchange WebDAV virtual servers that transmit sensitive data use SSL/TLS.

Incremental Change Synchronization (ICS)

None.

Lightweight Directory Access Protocol (LDAP)

Information about this is not yet available here.

Messaging Application Programming Interface (MAPI)

MAPI profiles can be password protected on most platforms.

Outlook Object Model (OOM)

The OOM communicates with Exchange by using MAPI and with Active Directory by using ADSI. The current security context of the user running the application is used to determine what resources the script can access.

Outlook Web Access

Outlook Web Access by default uses SSL/TLS and basic authentication.

Exchange Rules

None.

SMTP Event Sinks

SMTP event sinks provide no built-in security features. If an event sink changes a message after the user has digitally signed it, the accompanying digital signature will be invalid. SMTP event sinks cannot apply disclaimers or access the body of S/MIME and other encrypted messages when the encryption keys are unavailable.

Windows Management Instrumentation (WMI) providers for Exchange

WMI scripts pass a user security context to the WMI provider. This can either be supplied in the script as a user name and password, or obtained from the user running the script. The Exchange WMI providers allow only Exchange administrators to perform actions that affect the Exchange system.

Exchange Backup and Restore API

None.

Exchange writer for the Windows Volume Shadow Copy Service

VSS requestor applications can use CoInitializeSecurity to set a process-wide permission check of default COM access. VSS writers can also be set to allow all processes to call into the requestor process, or to allow only specific processes to call into the requestor process. Additional registry settings can be configured to allow access to specific applications.
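
The SMTP event sink entries above note that changing a signed message invalidates its signature and that encrypted bodies cannot be modified. The following Python sketch is an added example, not code from the original page or from Exchange: it classifies a message by its top-level MIME type before a disclaimer is appended. The function names and sample messages are constructed for illustration, and a SHA-256 hash of the signed part stands in for the digest a real S/MIME signature covers.

```python
import hashlib
from email import message_from_string

DISCLAIMER = "\n-- \nConstructed sample disclaimer.\n"

# Constructed sample messages (placeholders, not real S/MIME output).
PLAIN = "Content-Type: text/plain\n\nHello.\n"
SIGNED = (
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    ' micalg=sha-256; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nQuarterly numbers attached.\n"
    "--b1\nContent-Type: application/pkcs7-signature\n\nPLACEHOLDER\n--b1--\n"
)
ENCRYPTED = "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n\nPLACEHOLDER\n"

def classify(msg):
    """Return 'signed', 'encrypted' or 'plain' from the top-level Content-Type."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        return "signed"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # Opaque-signed messages carry smime-type=signed-data; treat the rest as encrypted.
        smime_type = str(msg.get_param("smime-type", "")).lower()
        return "signed" if smime_type == "signed-data" else "encrypted"
    if ctype == "multipart/encrypted":
        return "encrypted"
    return "plain"

def signed_part_digest(msg):
    # Stand-in for the digest a signature covers: hash of the first body part.
    return hashlib.sha256(msg.get_payload(0).as_bytes()).hexdigest()

def naive_append(msg):
    # What a sink that ignores the message type would do to the body.
    part = msg.get_payload(0) if msg.is_multipart() else msg
    part.set_payload(part.get_payload() + DISCLAIMER)

def add_disclaimer(msg):
    # Modify only messages that are neither signed nor encrypted.
    if classify(msg) != "plain":
        return False
    naive_append(msg)
    return True
```

The check inspects only the top-level content type, so a signed part nested inside another multipart container would need a recursive walk.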