Chapter 24: Exchange Server Security


In July of 2000, Information Week stated that “The bill to 50,000 US firms this year for viruses and computer hacking will amount to $266 billion, or 2.5 percent of USA’s GDP.” These numbers are only going up. Security has become so central to the administrator’s role that we’ve decided to devote a large portion of this book to discussing it.

In this chapter, we offer ideas about how to add complexity and create hindrances for those who wish to attack your network over port 25. Unfortunately, when attempting to secure your system, you must accept the 80 percent rule: you can make your data only about 80 percent secure. If someone really wants to get at your server, given enough time and effort, he or she will succeed. However, if you have good strategies in place and sophisticated tools to assist you, you can anticipate and thwart most attacks.

The Scope of Security

We’ve all heard the old phrase “a chain is only as strong as its weakest link.” You can easily apply that thinking to security: “a network is only as secure as its least secured link.” You should always consider e-mail to be one of those “weakest links” on your network because it is an obvious entry point. Attackers use e-mail to wreak havoc because it’s easy: no matter how well you secure your network, chances are good that you have port 25 open on your firewall and that a Simple Mail Transfer Protocol (SMTP) server is ready to work with e-mail when it comes in.

When you begin thinking about security strategies, you should always answer the following question: “What am I securing Exchange Server 2003 against?” The answers to this question are varied and can be grouped into six categories:

  • Social security

  • Physical security

  • Administrative security

  • SMTP security

  • Platform security

  • IIS security

We discussed the first category, social security, in depth in Chapter 23, “Security Policies and Exchange Server 2003.” In this chapter, we’ll touch on the other five security categories.




Microsoft Exchange Server 2003 Administrator's Companion
ISBN: 0735619794
Year: 2005
Pages: 254
