Introduction to Exchange 2003 Server Security
With Exchange 2003 security, the depressing fact of life is that you are only as good
as your weakest link. In order to keep a sense of proportion and
sanity, decide whether you are a high, medium or low
security organization. Clue: only the banks, MI5, the FBI and the military
rate high security. I advise caution against too high a security
rating, because of another truism: the more security you have, the more work
there will be for you.
Topics for Security in Exchange 2003
What you need is a list of all possible security areas. In particular, investigate what protection the underlying Windows 2003 operating system has to offer.
As you browse through the topics, ask yourself these 3 questions:
- Do I understand this particular threat to my system?
- What are we doing already to minimise the security threat?
- What more should we do (if anything)?
How could worms, Trojan horses or viruses enter your system? Could
they arrive as email attachments, disks or internet downloads? Maybe
you block some or all of those paths, or maybe you will be after reading
this!
To what extent do you rely on user education or Outlook to block
attachments? To what extent do you rely on the Exchange server to
prevent delivery of attachments? Alternatively, do you move the
solution back to email scanners on the firewall? Perhaps you pay
extra and have your ISP take care of cleaning the email of viruses and spam?
When you choose server-based anti-virus software, be aware that some brands
fight with Exchange and slow down the system, while other products are
designed to integrate with Exchange VSAPI 2.5 (Virus Scanning APIs).
If you believe that prevention is better than cure, then put SUS and WUS security update services on your virus protection agenda. Also investigate what Exchange 2003's built-in wizards have
to offer, for example ExMerge to repair infected mailboxes.
The secret of Junk Mail Filtering is getting the balance between blocking spam and allowing through legitimate email. Perhaps I can offer an insight into the problem from the perspective of an editor
of an ezine. At least 10% of my subscribers do not receive the newsletter because they have over-sensitive Junk Mail filters. The reason that I know is that I get the undeliverable newsletters
returned.
As the registered owner of computerperformance.co.uk, I am able to filter
my email based on a 1-10 scale. With a setting of 8 the email has to
have 8 indications of spam before it is discarded. I set my filter at
a more aggressive 5. Outlook 2003 provides a similar Junk Mail filter.
Block-lists for your Exchange 2003 Server
Another solution is to configure block-lists (blacklists) on your Exchange 2003 server. Navigate to Global Settings, Message Delivery tab. Then apply connection filters on the SMTP Virtual server and SMTP
connectors. The point to remember with block-lists is that you need the URL of the good guys, the people who provide the IP addresses of known spammers. Unless you have a top provider who is
constantly on the ball, you are unlikely to beat the spammers, who will vary their sending points to beat the block-lists (and the police).
Alongside the block-lists are white-lists. These are your friends, people you want to receive email from. The reason for taking this step is that your friends may inadvertently get on
block-lists because they innocently, if foolishly, allow open relay on their own mail servers.
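As an added illustration (not code from the original page or from Exchange itself), this sketch shows how a DNS-based block-list lookup and a white-list fit together: the sender's IP is reversed, looked up in the provider's zone, and a white-listed partner is accepted even when listed. The zone `bl.example.test`, the documentation-range addresses and the `sample_resolve` stub are constructed, and checking the white-list first is an assumption of the sketch.

```python
import ipaddress

def dnsbl_query_name(ip, zone):
    """Block-list providers are queried over DNS: reversed octets + provider zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def connection_verdict(ip, white_list, zones, resolve):
    """Decide whether to accept an SMTP connection from `ip`.

    white_list: networks (CIDR strings) that are always accepted.
    zones:      block-list provider DNS zones.
    resolve:    callable(name) -> list of A records ([] if the name does not exist).
    """
    addr = ipaddress.IPv4Address(ip)
    # White-list first, so a partner who landed on a block-list still gets through.
    for net in white_list:
        if addr in ipaddress.ip_network(net):
            return ("accept", "white-list " + net)
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        # Providers answer inside 127.0.0.0/8 for a listed address. Anything else
        # (for instance a resolver that rewrites "no such name") is not a listing.
        hits = [a for a in answers
                if ipaddress.IPv4Address(a) in ipaddress.ip_network("127.0.0.0/8")]
        if hits:
            return ("reject", "listed by %s (%s)" % (zone, hits[0]))
    return ("accept", "not listed")

# Constructed sample data standing in for the provider's DNS zone.
SAMPLE_ZONE = {
    "25.2.0.192.bl.example.test": ["127.0.0.2"],      # known spam source
    "7.100.51.198.bl.example.test": ["127.0.0.2"],    # partner running an open relay
    "9.113.0.203.bl.example.test": ["203.0.113.80"],  # rewritten "no such name" answer
}

def sample_resolve(name):
    """Offline stub; a live check would ask DNS for the A records of `name`."""
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "203.0.113.9", "203.0.113.10"):
        print(ip, connection_verdict(ip, ["198.51.100.0/24"],
                                     ["bl.example.test"], sample_resolve))
```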
Another good idea is to set up recipient filtering. What this does is to only accept email for people who have Active Directory accounts. This prevents delivery of all
that spam for root@yourdomain and similar accounts that spammers try.
DNS reverse lookup would appear to be a great idea. The principle is that it checks the domain name against the WHOIS registered server IP, thus thwarting spoofers. Unfortunately it slows down the
server so much, that everyone I know who tries reverse lookup soon turns it off again.
To me, firewall says - filter. Firewalls allow through the good packets and drop the risky or bad packets. Naturally, you need to be a minor expert on port numbers to get the most from your
firewall. People will tell you that being able to recite port numbers is an obsession rather like train-spotting. Yet without knowing that OWA needs port 80, and SMTP relies on opening
port 25, you will never get your firewalls working correctly. Yes, I do mean the plural, because what you need is 2 firewalls working in harmony to produce a perimeter network or a de-militarized
(computer) zone.
Whilst filter sums up firewall in one word, as an expert you will want to integrate the firewall with a proxy server and possibly an email scanner. Perhaps you would go down the Microsoft route and
use an ISA (Internet Security and Acceleration) server to control your security and protect your Exchange server? Alternatively you may choose a Linux server as the guardian of your email gateway.
| Service | Port | |
|---|---|---|
| SMTP | 25 | |
| DNS | 53 | |
| HTTP | 80 | |
| Kerberos | 88 | |
| POP3 | 110 | |
| NNTP | 119 | |
| RPC EndPoint Mapper | 135 | |
| IMAP4 | 143 | |
| LDAP | 389 | |
| Global Catalog | 3268/9 | |
| Secure Sockets Layer (SSL) | | |
| HTTP (SSL) | 443 | SSL |
| LDAP (SSL) | 636 | SSL |
| IMAP4 (SSL) | 993 | SSL |
| POP3 (SSL) | 995 | SSL |
RPC over HTTP removes the need for your Outlook 2003 clients to create VPNs. They can connect to Exchange 2003 and read their emails over the internet. The clever idea with RPC over HTTP is that you can just open up port 80
or 443 for your Outlook 2003 clients.
Previously VPN connections meant opening up port 135 for RPC. The problem was that this EndPoint Mapper port (135) was a magnet for hackers. Now Exchange 2003 solves the problem by encapsulating RPC calls in HTTP, so the only port you need to open on the external firewall connection is port
443. The only downside to SSL is that you may need extra processing power on the server.
Whenever you deal with PKI (Public Key Infrastructure) and
certificates, always ask yourself, 'Is this feature concerned with encryption
or authentication?'
Certificates rely on a pair of keys: the private key, which stays with
the user, and the public key, which is freely available in the address book.
At first, I thought it strange that the certificate stays with the public
key, but on reflection this makes perfect sense.
The idea behind digital signatures is that you need to be sure who the email is coming from. You want there to be no chance of an impostor faking the email address.
Should a hacker alter a digitally signed signature, then the
email self destructs or at least displays gobbledegook.
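To make the "encryption or authentication?" question concrete, here is an added example (not from the original page) showing which key of the pair does which job, and what a recipient's check returns when a signed message has been altered. It uses textbook RSA without padding and throwaway keys built from well-known Mersenne primes, purely as a constructed demonstration; real S/MIME uses certificates, padding and hybrid encryption.

```python
import hashlib

E = 65537  # public exponent shared by both demo keys

def make_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))   # needs Python 3.8+

# Constructed demo keys from Mersenne primes: trivially factorable, never for real use.
SENDER_PUB, SENDER_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
RECIP_PUB, RECIP_PRIV = make_keypair(2**107 - 1, 2**61 - 1)

def digest(message, n):
    """SHA-256 of the message, reduced so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, sender_private):
    """Authentication: only the sender's PRIVATE key can produce this value."""
    n, d = sender_private
    return pow(digest(message, n), d, n)

def verify(message, signature, sender_public):
    """Anyone holding the sender's PUBLIC key (from the certificate) can check."""
    n, e = sender_public
    return pow(signature, e, n) == digest(message, n)

def encrypt(plaintext, recipient_public):
    """Confidentiality: encrypt with the RECIPIENT's public key."""
    n, e = recipient_public
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this toy key")
    return pow(m, e, n)

def decrypt(ciphertext, recipient_private, length):
    """Only the recipient's PRIVATE key recovers the plaintext."""
    n, d = recipient_private
    return pow(ciphertext, d, n).to_bytes(length, "big")

if __name__ == "__main__":
    mail = b"Pay 100 to Alice"
    sig = sign(mail, SENDER_PRIV)
    print("untouched:", verify(mail, sig, SENDER_PUB))
    print("altered:  ", verify(b"Pay 900 to Alice", sig, SENDER_PUB))
    secret = b"payroll password"
    print(decrypt(encrypt(secret, RECIP_PUB), RECIP_PRIV, len(secret)))
```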
Installing certificates goes one of two ways: smoothly, no problem; or an impenetrable jungle where you cannot see any pattern or any daylight.
The principles are straightforward enough. The Outlook family, including OWA, can install S/MIME certificates and so encrypt digital signatures. Should you wish to encrypt emails or deploy
digital signatures, then in Outlook open the Tools, Options menu, then select the Security tab.
Windows 2003 can install a server certificate on behalf of Exchange 2003; alternatively, buy a certificate from Verisign or a similar commercial organization.
Permissions
1) Administrative roles within the Exchange System Manager: who is an Exchange Administrator, and who has just View Only permissions.
2) Mailbox permissions: Send as, and also Send on Behalf of.
Physical security
Depending on your location, you may need to lock your server room. One site that I visited had their server stolen by two men in white coats. The men brazenly walked in with a trolley and loaded the
Exchange servers into a van. They even had fake paperwork explaining that the servers were being fitted with new motherboards.
Logon security
Strong passwords, smart cards. This really is an extension of your Windows 2003 Active Directory security.
Disable unnecessary services
Identify services that are not needed. For example, do you require FTP and Telnet? Front-end servers do not need mailstores.
Your security is only as good as your weakest link. Installing Exchange 2003 will give you a chance to have a fresh look at your network security. In addition, Exchange has its own special needs for
immunising against viruses and junk mail. A good place to start would be to review whether you are a high, medium or low security organization.