Introduction


Email has become critically important to many businesses, and the security landscape surrounding Exchange has come to reflect that importance. When Exchange 5.5 first shipped, spam was not a problem, most organizations had no need for antivirus software, and many took a rather casual approach to patch management and network security. Now, though, there are some baseline best practices that are very widely adhered to. Because this is a generalized Exchange cookbook, we can't go into exhaustive detail for all of them; the recipes in this chapter focus on the most important things that you should do to secure your Exchange servers.

Messaging security generally breaks down into three areas: confidentiality (keeping private material private), integrity (ensuring that message data isn't tampered with or accidentally damaged), and availability (ensuring that data is available when users need it). Most security solutions focus on providing confidentiality and integrity, and so will the recipes in this chapter.

Where to Learn More

To a greater extent than the other chapters in this book, this chapter assumes that you will do some outside reading (a lot of it, in fact). That's because the semantics and implementation requirements for messaging security are fairly strict, and there's a ton of background material that you need to be familiar with to completely secure your Exchange environment against the particular threat model that your organization faces.

The first resource we recommend is the only book we know of written specifically on messaging security, Secure Messaging with Microsoft Exchange Server 2003 (Microsoft Press). The book was written by Paul Robichaux, one of the authors of the book you are now reading, and it deals with every aspect of Exchange security, including threat assessment, patch management, communications and message confidentiality, and providing secure mobile, remote, and wireless access to your Exchange servers. Sample chapters and other related materials are available at http://www.e2ksecurity.com.

Next is the Exchange TechCenter page that Microsoft maintains for Exchange security and protection:

http://www.microsoft.com/technet/prodtechnol/exchange/2003/security.mspx

This page contains links to the wealth of security documentation that Microsoft has produced for Exchange, including:

  • The Message Security Guide for Exchange Server 2003 (http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exmessec.mspx) describes how to set up and use S/MIME protection for Outlook clients talking to an Exchange Server 2003 server.

  • The Security Hardening Guide for Exchange Server 2003 (http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exsecure.mspx) describes the process of hardening Exchange Server 2003 servers against attack by applying a set of pre-built security templates for domain controllers, member servers, and Exchange servers. This information is based on the guidance in the Windows Server 2003 Security Guide, which you should also plan on reading.

  • The Exchange Server Intelligent Message Filter Deployment Guide (http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/imfdeploy.mspx) tells you how to install, deploy, and monitor the Intelligent Message Filter antispam tool, a free Exchange Server 2003-only download from Microsoft.

  • The Solution Accelerator for Exchange Consolidation and Migration (http://www.microsoft.com/technet/itsolutions/ucs/ecm/saecm/OverviewGuide_3.mspx) contains discussions and examples of using Exchange Server 2003 with ISA 2004.

  • Using ISA Server 2000 with Exchange Server 2003 (http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/uisaex03.mspx) describes using ISA Server 2000 to securely publish Outlook Web Access (OWA), Outlook Mobile Access (OMA), Exchange ActiveSync (EAS), SMTP, and Outlook interfaces to the outside world.

  • The Working with Active Directory Permissions in Exchange Server 2003 Guide (http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/ex2k3ad.mspx) explains what Active Directory permissions are required to install, use, and maintain Exchange, and how you can (and when you should) change those permissions.

  • The Working with Store Permissions in Microsoft Exchange 2000 and 2003 Guide (http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/storperm.mspx) details how Exchange evaluates and uses permissions on items in mailbox and public folder databases, and how Exchange evaluates Windows user credentials to make access control decisions.

These documents, taken together, provide several hundred pages of extremely detailed information about Exchange security. Unfortunately, if you really want to gain an understanding of how to best secure your Exchange organization, you'll have to read and absorb these documents, or hire people who have; there aren't any shortcuts.



Exchange Server Cookbook: For Exchange Server 2003 and Exchange 2000 Server
ISBN: 0596007175
EAN: 2147483647
Year: 2006
Pages: 235
