Email has become critically important to many businesses, and the security landscape surrounding Exchange has come to reflect that importance. When Exchange 5.5 first shipped, spam was not a problem, most organizations had no need for antivirus software, and many took a rather casual approach to patch management and network security. Now, though, there are some baseline best practices that are very widely adhered to. Because this is a generalized Exchange cookbook, we can't go into exhaustive detail for all of them; the recipes in this chapter focus on the most important things that you should do to secure your Exchange servers. Messaging security generally breaks down into three areas: confidentiality (keeping private material private), integrity (ensuring that message data isn't tampered with or accidentally damaged), and availability (ensuring that data is available when users need it). Most security solutions focus on providing confidentiality and integrity, and so will the recipes in this chapter. Where to Learn MoreTo a greater extent than the other chapters in this book, this chapter assumes that you will do some outside readinga lot of it, in fact. That's because the semantics and implementation requirements for messaging security are fairly strict, and there's a ton of background material that you need to be familiar with to completely secure your Exchange environment against the particular threat model that your organization faces. The first resource we recommend is the only book we know of written specifically on messaging security, Secure Messaging with Microsoft Exchange Server 2003 (Microsoft Press). The book was written by Paul Robichaux, one of the authors of the book you are now reading, and it deals with every aspect of Exchange security, including threat assessment, patch management, communications and message confidentiality, and providing secure mobile, remote, and wireless access to your Exchange servers. Sample chapters and other related materials are available at http://www.e2ksecurity.com. Next is the Exchange TechCenter page that Microsoft maintains for Exchange security and protection:
This page contains links to the wealth of security documentation that Microsoft has produced for Exchange, including:
These documents, taken together, provide several hundred pages of extremely detailed information about Exchange security. Unfortunately, if you really want to gain an understanding of how to best secure your Exchange organization, you'll have to read and absorb these documents, or hire people who have; there aren't any shortcuts. |