Chapter 9: Locking Down Mission-Critical Exchange Servers


Overview

For many Exchange deployments, proactive planning of security measures and protections for users, data, servers, and infrastructure is an afterthought. As we deploy Exchange, we focus on getting the messaging functionality in place and often do not have the extra cycles needed to properly investigate security issues. In addition, security is a very complex topic, and many do not have the training or expertise required to provide a secure Exchange environment. In some cases, a separate group or department from the Exchange deployment manages organizational security. This can create either a competitive environment or a knowledge gap in which Exchange system managers and security managers compete for resources, resulting in a lack of cooperation or knowledge transfer. Overall, this results in the security needs of the Exchange deployment being overlooked, improperly specified, or ignored altogether. Without going too far down this path (it is highly political in nature), it is safe to say that the users and the organization suffer the end consequences.

Because every organization’s architecture and security requirements are different, there are many approaches you can take. Over the course of this chapter, I will discuss threats to Exchange security and the countermeasures available. You may choose to apply all or part of the topics covered depending on your scenario. Since the topics discussed will have a definite impact on the overall design of your organization’s security infrastructure, you should read this chapter with that in mind and in conjunction with the big-picture plan for your organization’s security. Also keep in mind that although Exchange security is paramount to a mission-critical service, securing an Exchange deployment deserves an entire book of its own (in fact, I will provide some excellent references at the end of the chapter). My objective in this chapter is to introduce you to some key threats and measures that you should consider to protect your Exchange deployment. However, this effort will pale in comparison with the wealth of knowledge available to Exchange administrators on this subject.

I begin this chapter by providing an overview of the threats to our Exchange servers, the users they service, and the data with which these servers are entrusted. These concepts are generic enough in nature, but will be applied specifically to an Exchange environment. Next, I will discuss Windows security features and how they greatly enhance our capabilities to keep Exchange 2000/2003 secure through advanced authentication (Kerberos), directory services (AD), and group policies. I will complete the overview of Windows security with a discussion of some of the key best practices for securing core Windows services such as IIS, upon which Exchange is extremely dependent and which also makes it vulnerable.

The remainder of the chapter will focus on locking down our Exchange environment. Three key areas will be discussed: Exchange permissions and policies; network security, antivirus, and spam/UCE protection; and message content security and authenticity. Within these “buckets,” it is possible to gather all the things that ail our Exchange servers, users, and data from a security point of view. Network security addresses such topics as how Exchange authenticates users, protocols, firewalls, and SMTP virtual server security. The section on antivirus and spam protection discusses the virus/spam threat, a three-perimeter approach, and how to select and implement an antivirus solution. Message content security deals with the deployment of a PKI and using Certificate Services to provide an architecture that allows users to encrypt and digitally sign messages.

As your Exchange deployment matures and its uses become more diverse and business critical, successfully guarding against theft, tampering, unauthorized access, or data destruction involves, first, understanding the threats. In the next sections, I will discuss four such threats: denial of service, viruses, unauthorized access, and forgery.




Mission-Critical Microsoft Exchange 2003: Designing and Building Reliable Exchange Servers (HP Technologies)
ISBN: 155558294X
EAN: 2147483647
Year: 2003
Pages: 91
Authors: Jerry Cochran
