Computer security was once thought to be the exclusive
Increased public awareness of security and privacy problems on the Internet and in private networks. While most of the media attention has focused (unfairly) on Microsoft-specific problems, the sad truth is that the Internet infrastructure we depend on daily is riddled with holes, as are commercial operating systems of all
Expanding value of information assets. For many businesses, the entire value of their operations is tied up in bits sitting on disks; software firms, financial traders, and other non-manufacturing businesses often don’t have any physical inventory or assets, apart from office furniture and the like.
Growing awareness of the legal and financial liability associated with security breaches. Various organizations, including the FBI, the General Accounting Office, and assorted security firms, have produced estimates for the yearly toll of computer crime that range from “we don’t know because most places don’t report intrusions” to laughably high multi-trillion dollar amounts. However
Because of these factors, more and more organizations want to improve their network and operational security. This book is intended to help you assess the security of your Exchange 2000 messaging systems, and then fix any deficiencies you find.
This book is written for Windows administrators with some Exchange 2000 experience. Throughout the book, I assume that you’re familiar with basic Exchange 2000 concepts like storage groups and connectors, and that you have a passing understanding of Active Directory in particular and Windows 2000 in general. However, I realize that many potential readers are security analysts or administrators who are looking for guidance on securing what may be an unfamiliar system. Accordingly, the end of each chapter includes a list of recommended
This book is divided into five
Chapter 1 is a gentle introduction to security concepts and
Chapter 2 focuses on security algorithms and protocols, including those used to provide encryption, authentication, and message integrity. While this chapter features lots of acronyms, the topics discussed here are useful because they form the backbone of all of Exchange’s security features.
Chapter 3 examines the security features of Windows 2000. These features are important because Exchange depends on them; while there are a few Exchange-specific security features, most of what we think of as Exchange security is actually provided by the underlying operating system.
Chapter 4 is a survey of risk assessment. Entire books have been written on this topic, and there are trained professionals who can help you precisely quantify what risks your organization faces. This chapter will give you a head start on figuring out what you really stand to lose if you suffer a successful attack.
Chapter 5 covers operational security, the discipline of not
This part discusses, in depth, how to secure your Exchange server by hardening the underlying Windows configuration, installing Exchange securely, and protecting yourself against viruses, spam, and “bad” content.
Chapter 6 is devoted to Windows hardening. Even if you think you’re in good shape, you should read it
Chapter 7 covers the intricacies of installing Exchange securely: giving the right permissions to the right people. Even though you’ve probably already installed Exchange, this chapter is worth reviewing to ensure that your permissions accurately reflect what you want people to be able to do.
Chapter 8 describes how to control SMTP relaying and spam. Exchange 2000 ships with good defaults for this already, but you should definitely understand what these settings do, when to change them, and when to leave them alone.
Chapter 9 discusses one area where Exchange is
Chapter 10 is all about viruses; more
Once the underlying server is secure, you’re ready to start worrying about the security of its communications channels.
Chapter 11 delves into the requirements for protecting your server’s communications with TLS and IPsec, as well as how to use Microsoft’s Internet Security and Acceleration (ISA) Server to securely publish Exchange services for MAPI
Chapter 12 is dedicated to public-key infrastructure material, including
When most people think of messaging security, they’re really thinking about client security—specifically, Outlook security. However, there’s more to it than that.
Chapter 13 is indeed dedicated to Outlook security,
Chapter 14 discusses the fascinating and complicated topic of securing Outlook Web Access; this was probably my favorite chapter to write, because I learned a great deal while
Chapter 15 describes how to secure your server so that Internet-protocol clients can safely use it.
Every book has some material that doesn’t fit into its structure; in this book’s case, there were two chapters that cried out to be included but didn’t really belong elsewhere in the book.
Chapter 16 covers security for Exchange’s Instant Messaging service, which is increasingly popular among business users.
Chapter 17 discusses security auditing and logging, including tips on what suspicious event patterns or clusters you should be looking for.
Appendix A reprints two classic
Appendix B is a detailed guide to the permissions applied at installation time.