Exchange Server 2003 forms part of the core infrastructure for any organization that deploys it. Threats to Exchange Server 2003 security must be taken extremely seriously, if only because few administrators would want to explain to the CEO that the server that has just been compromised would have been safe if a patch issued earlier in the year had been correctly applied. Email is the most likely way for viruses to infect an organization. Although worms were prevalent in the past, the advent of firewalls means that the most likely way for malicious code to enter the organization is via an email message. Viruses that send out copies of themselves via user address books can quickly bog down an unprotected server, consuming processor cycles and filling up the mail queues. This section deals with patching vulnerabilities, Exchange's new antivirus features, and closing mail relays.

Searching for Vulnerabilities

The Microsoft Baseline Security Analyzer (MBSA) is a free tool that can be downloaded from the Microsoft Web site at www.microsoft.com/mbsa. The MBSA tool can be used to scan local and remote computers to determine what security vulnerabilities exist and which hotfixes and service packs need to be applied. The MBSA tool replaces the HFNetChk tool, a command-line utility for Windows NT 4.0 and Windows 2000 Server that performed a similar function. The MBSA tool not only scans the operating system looking for vulnerabilities, but also scans certain applications, such as Exchange and SQL Server. Scans can cover an entire subnet or can be limited to specific computers on the network. Before a scan begins, the MBSA tool connects to the Windows Update servers to retrieve the latest list of hotfixes and service packs. Using this list as a guide, the MBSA tool scans each computer to determine which hotfixes and service packs have been installed.
After the scan is complete, the administrator is informed of any hotfixes or service packs that are available for the products checked. The MBSA tool does not install such hotfixes automatically; the administrator must do this at a later time. We discuss hotfixes and service packs in the next section.

The next version of the MBSA tool, most likely released by the time you read this book, will include full Exchange Server 2003 support. Version 1.1.1 of the tool, current at the time of this writing, only supports Exchange Server 5.5 and Exchange 2000 Server.

To use the MBSA tool, the account that you use must be a member of the local Administrators group on both the computer on which you run the MBSA tool and the computer you are scanning. This ensures that nefarious third parties cannot remotely scan a network of which they are not an administrator, searching for vulnerabilities that could be used to gain illicit access.

Product Updates

In a perfect world, products would be released that contained absolutely no security vulnerabilities. However, the world is not perfect, and few products are released without requiring patching at a later stage. In the preceding section, we discussed the MBSA tool, which can be used to audit all computers on the network to determine which ones require hotfixes to be installed. Currently, Software Update Services (SUS), a free add-on that can be used to manage updates for Windows 2000 Server, Windows XP, and Windows Server 2003, does not support Exchange or SQL Server. SUS can be used to keep the Windows Server 2003 or Windows 2000 Server host platform up to date with service packs and hotfixes, so that only Exchange Server 2003 itself needs to be kept up to date by other means. Microsoft updates come in two forms: hotfixes and service packs. Hotfixes are released as issues arise. For example, if an exploit has been found that allows a user to take control of a server, it is likely that the exploit will be patched very quickly with a hotfix.
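The Exchange-specific updates that SUS cannot manage are deployed, as the next paragraphs describe, from a shared folder with a startup or logon script that verifies the hotfixes are present. The following script is an added example of such a verification step; it is not from the book. It assumes a Windows PowerShell 2.0 or later host (Get-HotFix is not available in earlier versions), a hypothetical share \\fileserver\updates\exchange containing a manifest file with one KB number per line, and a writable reports subfolder on that share. The KB numbers in the manifest are placeholders to be replaced with the ones that apply to your servers.

```powershell
# Added example (not from the book): report which required Exchange hotfixes
# are missing on this computer, using a manifest kept on the update share.
# Share path and manifest name are assumptions for the example.
param(
    [string]$SharePath = '\\fileserver\updates\exchange',   # hypothetical share
    [string]$Manifest  = 'required-hotfixes.txt'            # one KB id per line, e.g. KB000000 (placeholder)
)

function Get-MissingHotfixes([string[]]$Required) {
    # Get-HotFix lists the updates recorded by the operating system; compare
    # the required KB ids against the installed HotFixID values.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    return @($Required | Where-Object { $installed -notcontains $_ })
}

# Read the manifest, ignoring blank lines and anything that is not a KB id.
$required = @(Get-Content (Join-Path $SharePath $Manifest) |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^KB\d+$' })

$missing = Get-MissingHotfixes $required

# One report per computer, named after the computer, so the administrator can
# check the share instead of logging on to every server.
$report = Join-Path $SharePath ("reports\{0}.txt" -f $env:COMPUTERNAME)
if ($missing.Count -eq 0) {
    "OK $(Get-Date -Format s): all $($required.Count) required hotfixes present" | Set-Content $report
} else {
    "MISSING $(Get-Date -Format s): $($missing -join ', ')" | Set-Content $report
    Write-Warning "$env:COMPUTERNAME is missing: $($missing -join ', ')"
    # Installation is deliberately left to the administrator, as the text says;
    # each hotfix installer has its own switches, so none are assumed here.
}
```

When run as a computer startup script, the script executes under the computer account, so the share and its reports folder must grant read and write access to the computers being checked, not just to administrators.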
On a less regular basis, service packs are released. Service packs are large collections of hotfixes. Rather than having to install every hotfix ever released, an administrator can install the latest service pack and then only those hotfixes that have been released since.

Hotfixes cannot be installed via Software Installation in Active Directory Group Policy. Hotfix deployment can instead be managed with startup scripts, and the same applies to service packs. In general, you should prepare a shared folder hosting the relevant hotfixes or service packs and then write a logon script to verify that these hotfixes and service packs have been deployed correctly. You should only need to do this for Exchange-specific updates.

Updates to the operating system are best managed automatically via the SUS product. SUS is a free add-on to Windows Server 2003 that can be used to deploy updates automatically to Windows XP Professional and Windows Server 2003 computers on the network. Windows 2000 clients are supported if special client software is installed. Another alternative is to use Systems Management Server (SMS). SMS provides far more options for managing and deploying updates to computers on a network. SMS supports earlier versions of Windows than SUS does (such as Windows NT 4.0) and provides many other network management options. SMS is a full product and is not freely available as SUS is.

Protecting Against Viruses

You can protect against viruses at three layers. For the best protection, a solution should be implemented at each layer. The layers are as follows:
To assist at the mail server layer, Microsoft has updated its virus scanning API (VSAPI 2.5), the programming interface through which antivirus products scan Exchange message stores. At the mail server layer, three types of virus scanners are available. Each type of scanner has its benefits and its drawbacks.
Ensuring Exchange Does Not Relay Messages

The vast majority of unsolicited commercial email is sent via mail servers that have been unintentionally configured as open relays. An open relay is a mail server that accepts email for delivery to outside domains from anyone, regardless of the domain and IP address of the sender. Open relays are often blacklisted, which means that many other servers on the Internet will refuse to accept even legitimate email if it is sent from a known open relay. On Exchange Server 2003, all users and computers are blocked from relaying messages except those that are able to authenticate properly. To edit the relaying restrictions, navigate to the SMTP virtual server of each Exchange Server computer and edit its properties. On the Access tab, under Relay Restrictions, click Relay, as shown in Figure 9.11. From here, you can add particular hosts from which you will allow relaying. In some cases, such as when organizations are merging, you will want to allow relaying from a very specific set of hosts.

Figure 9.11. The Relay Restrictions dialog box.
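After changing the Relay Restrictions, it is worth confirming from an unauthenticated client that the SMTP virtual server really does refuse to relay. The following script is an added example of that check and is not from the book. It assumes a hypothetical server name exchange01.example.com and uses sender and recipient domains (example.com, example.net) that are not local to the server; only a RCPT TO command is issued and no DATA is sent, so the check never queues a message.

```powershell
# Added example (not from the book): confirm that an Exchange SMTP virtual
# server refuses to relay for an unauthenticated client. Names are placeholders.
param(
    [string]$Server    = 'exchange01.example.com',   # assumed host name
    [int]$Port         = 25,
    [string]$Sender    = 'probe@example.com',        # neither domain is hosted by the server
    [string]$Recipient = 'probe@example.net'
)

$client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine = "`r`n"      # SMTP lines end in CRLF
$writer.AutoFlush = $true

function Read-Reply {
    # Read one SMTP reply (multi-line replies use "250-" continuation lines)
    # and return its three-digit code; 0 means the connection was closed.
    do {
        $line = $reader.ReadLine()
        if ($line -eq $null) { return 0 }
        Write-Verbose "S: $line"
    } while ($line -match '^\d{3}-')
    return [int]$line.Substring(0, 3)
}

function Send-Command([string]$Command) {
    Write-Verbose "C: $Command"
    $writer.WriteLine($Command)
    return Read-Reply
}

try {
    if ((Read-Reply) -ne 220)                          { throw "No SMTP banner from $Server" }
    if ((Send-Command "EHLO probe.example.com") -ne 250) { throw "EHLO was rejected" }
    if ((Send-Command "MAIL FROM:<$Sender>") -ne 250)  { throw "MAIL FROM was rejected" }

    # This is the decisive step: a relay-restricted server rejects a recipient
    # in a non-local domain from an unauthenticated session.
    $rcpt = Send-Command "RCPT TO:<$Recipient>"
    Send-Command "RSET" | Out-Null                     # abandon the envelope

    switch ($rcpt) {
        250     { Write-Warning "$Server accepted an unauthenticated relay to $Recipient; review Relay Restrictions" }
        550     { Write-Output  "$Server refused to relay (550); restrictions are in effect" }
        default { Write-Output  "$Server answered $rcpt to RCPT TO; inspect the reply with -Verbose" }
    }
}
finally {
    try { Send-Command "QUIT" | Out-Null } catch { }
    $client.Close()
}
```

Run it from a host that is not in the allowed-relay list and without authenticating; a 550 reply to RCPT TO is the expected result on a correctly configured server, while a 250 means the server will relay for anyone who reaches port 25. Repeat the check from any host you have deliberately added to the relay list to confirm that the exception works as intended.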