11.8 Risk management

Security is all about risk management. The most secure system is the one installed in an ultra-secure room and disconnected from any network, preferably without any user access. You will never see a problem with this system, because it never does any real work, so it is unrealistic to consider such a situation. Therefore, securing Exchange servers means that you have to understand where potential risk comes from and prioritize it, so that you avoid risks while allowing people to work. The aim here is not to close down a system totally; instead, you need to know where you can open up in a secure manner—for example, how to enable firewall ports to allow clients to access Exchange in a secure manner.

All computers face attacks through the network. They also face internal penetration, where people use permissions that they should not have to access information they should not see. A discussion about Windows and network security (including wireless) is beyond the scope of this book, so we assume that you have applied basic security on all servers and that you install the latest service packs and security advisories. With this foundation, we can then look at Exchange-specific issues, such as:

• IIS weaknesses that may expose access to mailboxes or public folders through OWA

• Spam attacks that may cause denial of service

• Email viruses

• Administrative attacks, including unauthorized restores of Mailbox Store backup sets to recovery servers and elevating permissions to access other users' mailboxes

Microsoft's Baseline Security Analyzer (MBSA) is an excellent tool for system administrators to check Windows and Exchange servers for potential security weaknesses. You should download the latest version of MBSA from Microsoft's Web site and run it against all servers. The current version covers Windows 2000 and Exchange 2000, and even though Windows 2003 delivers a more secure out-of-the-box environment, it is likely that you will need MBSA or an equivalent tool to review server configurations, simply because there are just too many places to check manually.

Email systems have always been open to administrative probing, and the only way to stop a determined administrator who wants to read items in a mailbox is to encrypt all messages. Given that only a small percentage of Exchange deployments protect email in this manner, it is accurate to assume that your administrators have this ability. Some companies have a policy that users should never transmit confidential information via email, but this is unrealistic in today's world. Indeed, vast quantities of confidential data flow across the Internet daily, open to anyone who cares to read the SMTP traffic. To prevent unauthorized access by administrators, you need a policy that clearly states that breaking into a mailbox is unacceptable behavior, which will potentially lead to dismissal, and then back up the policy with monitoring.