Microsoft Exchange Server 2003 – Security

Introduction to Exchange 2003 Server Security

With Exchange 2003 security, the depressing fact of life is that you are only as good as your weakest link.  In order to keep a sense of proportion and sanity, decide whether you are a high, medium or low security organization.  Clue: only the banks, MI5, the FBI and the military rate high security.  I advise caution against too high a security rating, because of another truism: the more security you have, the more work there will be for you.

Topics for Security in Exchange 2003

What you need is a list of all possible security areas.  In particular, investigate what protection the underlying Windows 2003 operating system has to offer.  As you browse through the topics ask yourself these 3 questions:

  1. Do I understand this particular threat to my system?
  2. What are we doing already to minimise the security threat?
  3. What more should we do (if anything)?


Virus protection and Anti-virus strategies

How could worms, Trojan horses or viruses enter your system?  Could they arrive as email attachments, disks or internet downloads?  Maybe you block some or all of those paths, or maybe you will after reading this!

To what extent do you rely on user education or Outlook to block attachments?  To what extent do you rely on the Exchange server to prevent delivery of attachments?  Alternatively, do you move the solution back to email scanners on the firewall?  Perhaps you pay extra and have your ISP take care of cleaning the email of viruses and spam?

When you choose server-based anti-virus software, be aware that some brands fight with Exchange and slow down the system, while other products are designed to integrate with Exchange VSAPI 2.5 (Virus Scanning API).

If you believe that prevention is better than cure, then put SUS and WUS security update services on your virus protection agenda.  Also investigate what Exchange 2003’s built-in wizards have to offer, for example ExMerge to repair infected mailboxes.


Junk Mail Filtering

The secret of Junk Mail Filtering is getting the balance between blocking spam while allowing through legitimate email.  Perhaps I can offer an insight into the problem from the perspective of an editor of an ezine.  At least 10% of my subscribers do not receive the newsletter because they have over-sensitive Junk Mail filters.  The reason that I know is that I get the undeliverable newsletters returned.

As the registered owner of computerperformance.co.uk, I am able to filter my email based on a 1-10 scale.  With a setting of 8 the email has to have 8 indications of spam before it is discarded.  I set my filter at a more aggressive 5.  Outlook 2003 provides a similar Junk Mail filter.

Block-lists for your Exchange 2003 Server

Another solution is to configure block-lists (blacklists) on your Exchange 2003 server.  Navigate to Global Settings, Message Delivery tab.  Then apply connection filters on the SMTP Virtual server and SMTP connectors.  The point to remember with block-lists is that you need the URL of the good guys, the people who provide the IP addresses of known spammers.  Unless you have a top provider who is constantly on the ball, you are unlikely to beat the spammers, who will vary their sending points to beat the block-lists (and the police).

Alongside the block-lists are white-lists.  These are your friends, people you want to receive email from.  The reason for taking this step is that your friends may inadvertently get on block-lists because they innocently, if foolishly, allow open relay on their own mail servers.

Another good idea is to set up recipient filtering.  With this in place, the server only accepts email addressed to people who have Active Directory accounts.  This prevents delivery of all that spam for root@yourdomain and similar accounts that spammers try.
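How the block-list lookup, the white-list override and recipient filtering fit together, as an added Python sketch that is not part of the original article and is not Exchange's own code. The zone `dnsbl.example`, the addresses, the fake resolver and the directory contents are all constructed sample data; a block-list is queried by reversing the sender's IP octets in front of the provider's zone, and a 127.0.0.x answer means the sender is listed.

```python
import ipaddress

def dnsbl_query_name(ip, zone):
    """Name to look up: the sender's IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone, resolve):
    """resolve(name) returns the A records for name, or [] if it does not exist."""
    # Block-list providers answer 127.0.0.x for a listed sender.
    return any(a.startswith("127.") for a in resolve(dnsbl_query_name(ip, zone)))

def filter_message(sender_ip, recipient, allow_ips, zone, resolve, directory):
    """Apply white-list, block-list and recipient filter; return (verdict, reason)."""
    # A white-listed sender skips the block-list check entirely.
    if sender_ip not in allow_ips and is_listed(sender_ip, zone, resolve):
        return ("reject", "sender on block-list")
    # Recipient filtering: only addresses that exist in the directory are accepted.
    if recipient.lower() not in directory:
        return ("reject", "unknown recipient")
    return ("accept", "ok")

# Constructed sample data (documentation address ranges, placeholder zone).
ZONE = "dnsbl.example"
FAKE_DNS = {
    "10.2.0.192.dnsbl.example": ["127.0.0.2"],    # listed sender
    "7.100.51.198.dnsbl.example": ["127.0.0.2"],  # listed, but a white-listed friend
}
ALLOW_IPS = {"198.51.100.7"}
DIRECTORY = {"alice@yourdomain.example"}

def fake_resolve(name):
    """Offline stand-in for a DNS A-record query."""
    return FAKE_DNS.get(name, [])

def check(ip, rcpt):
    return filter_message(ip, rcpt, ALLOW_IPS, ZONE, fake_resolve, DIRECTORY)

if __name__ == "__main__":
    for ip, rcpt in [("192.0.2.10", "alice@yourdomain.example"),
                     ("198.51.100.7", "alice@yourdomain.example"),
                     ("203.0.113.5", "root@yourdomain.example")]:
        print(ip, rcpt, check(ip, rcpt))
```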

DNS reverse lookup would appear to be a great idea.  The principle is that it checks the domain name against the WHOIS registered server IP, thus thwarting spoofers.  Unfortunately it slows down the server so much, that everyone I know who tries reverse lookup soon turns it off again.

Firewalls and Port Configurations

To me, firewall says – filter.  Firewalls allow through the good packets and drop the risky or bad packets.  Naturally, you need to be a minor expert on port numbers to get the most from your firewall.  People will tell you that being able to recite port numbers is an obsession rather like train-spotting.  Yet without knowing that OWA needs port 80, and SMTP relies on opening port 25, you will never get your firewalls working correctly.  Yes I do mean the plural, because what you need is 2 firewalls working in harmony to produce a perimeter network or a de-militarized (computer) zone.

Whilst filter sums up firewall in one word, as an expert you will want to integrate the firewall with a proxy server and possibly an email scanner.  Perhaps you would go down the Microsoft route and use an ISA (Internet Security and Acceleration) server to control your security and protect your Exchange server?  Alternatively you may choose a Linux server as the guardian of your email gateway.

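| Service | Port |
| --- | --- |
| SMTP | 25 |
| DNS | 53 |
| HTTP | 80 |
| Kerberos | 88 |
| POP3 | 110 |
| NNTP | 119 |
| RPC EndPoint Mapper | 135 |
| IMAP4 | 143 |
| LDAP | 389 |
| Global Catalog | 3268/9 |

Secure Sockets Layer (SSL)

| Service | Port |
| --- | --- |
| HTTP (SSL) | 443 |
| LDAP (SSL) | 636 |
| IMAP4 (SSL) | 993 |
| POP3 (SSL) | 995 |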


RPC over HTTP – New in Exchange 2003

RPC over HTTP removes the need for your Outlook 2003 clients to create VPNs.  They can connect to Exchange 2003 and read their emails over the internet.  The clever idea with RPC over HTTP is that you can just open up port 80 or 443 for your Outlook 2003 clients.

Previously VPN connections meant opening up port 135 for RPC.  The problem was that this EndPoint Mapper port (135) was a magnet for hackers.  Exchange 2003 solves the problem by encapsulating RPC calls in HTTP, so the only port you need to open on the external firewall connection is port 443.  The only downside to SSL is that you may need extra processing power on the server.
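A way to check an external firewall rule set against the port table above, as an added Python example that is not part of the original article. The rule format (`allow|deny tcp PORT[-PORT]`, first match wins, default drop), the sample rules and the policy that only ports 25, 80 and 443 belong on the internet side are assumptions made for illustration, the last drawn from the article's remarks on SMTP, OWA and RPC over HTTP.

```python
import re

# Ports from the article's table (3268/9 expanded to both ports).
EXCHANGE_PORTS = {
    25: "SMTP", 53: "DNS", 80: "HTTP", 88: "Kerberos", 110: "POP3",
    119: "NNTP", 135: "RPC EndPoint Mapper", 143: "IMAP4", 389: "LDAP",
    443: "HTTP (SSL)", 636: "LDAP (SSL)", 993: "IMAP4 (SSL)",
    995: "POP3 (SSL)", 3268: "Global Catalog", 3269: "Global Catalog",
}
# Assumed external policy: SMTP, OWA on 80, and OWA / RPC over HTTP on 443.
EXTERNAL_OK = {25, 80, 443}

RULE = re.compile(r"^(allow|deny)\s+tcp\s+(\d+)(?:-(\d+))?$")

def parse_rules(text):
    """Parse 'allow|deny tcp PORT[-PORT]' lines (hypothetical rule format)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        low = int(m.group(2))
        rules.append((m.group(1), low, int(m.group(3) or low)))
    return rules

def decision(rules, port):
    """First matching rule wins; anything unmatched is dropped."""
    for action, low, high in rules:
        if low <= port <= high:
            return action
    return "deny"

def audit(text):
    """Return (port, service) pairs from the table that are open but not expected."""
    rules = parse_rules(text)
    return [(p, EXCHANGE_PORTS[p]) for p in sorted(EXCHANGE_PORTS)
            if decision(rules, p) == "allow" and p not in EXTERNAL_OK]

# Constructed sample rule set for the external firewall.
SAMPLE = """
allow tcp 25        # inbound SMTP
allow tcp 443       # OWA and RPC over HTTP
deny  tcp 135       # RPC endpoint mapper
allow tcp 100-200   # legacy range left in place
"""

if __name__ == "__main__":
    for port, service in audit(SAMPLE):
        print(f"exposed to the internet: {port}/tcp {service}")
```

Rule order matters: the explicit deny for 135 only protects the endpoint mapper because it sits above the wide range; with the two lines swapped, port 135 would be reported as open.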

Whenever you deal with PKI (Public Key Infrastructure) and certificates, always ask yourself, ‘Is this feature concerned with encryption or authentication?’

Certificates rely on a pair of keys: the private key, which stays with the user, and the public key, which is freely available in the address book.  At first, I thought it strange that the certificate stays with the public key, but on reflection this makes perfect sense.

The idea behind digital signatures is that you need to be sure who the email is coming from.  You want there to be no chance of an impostor faking the email address.  Should a hacker alter a digitally signed signature, then the email self-destructs or at least displays gobbledegook.

Installing certificates goes one of two ways: smoothly, no problem; or an impenetrable jungle where you cannot see any pattern or any daylight.

The principles are straightforward enough.  The Outlook family, including OWA, can install S/MIME certificates and so encrypt digital signatures.  Should you wish to encrypt emails or deploy digital signatures then in Outlook, open the Tools, Options menu, then select Security (tab).

Windows 2003 can install a server certificate on behalf of Exchange 2003; alternatively, buy a certificate from Verisign or a similar commercial organization.


Other Security Considerations.

Permissions. 

1)  Administrative roles within the Exchange System Manager: who is an Exchange Administrator, and who has just View Only permissions?

2) Mailbox permissions, Send as, also, Send on Behalf of.

Physical security

Depending on your location, you may need to lock your server room.  One site that I visited had their server stolen by two men in white coats.  The men brazenly walked in with a trolley and loaded the Exchange servers into a van.  They even had fake paperwork explaining that the servers were being fitted with new motherboards.

Logon security

Strong passwords, smart cards.  This really is an extension of your Windows 2003 Active Directory security.

Disable unnecessary services

Identify services that are not needed.  For example do you require FTP and Telnet?  Front-end servers do not need mailstores.

Summary

Your security is only as good as your weakest link.  Installing Exchange 2003 will give you a chance to have a fresh look at your network security.  In addition, Exchange has its own special needs for immunising against viruses and junk mail.  A good place to start would be to review whether you are a high, medium or low security organization.
