Security Documentation

Just as with any other aspect of the Exchange environment, security documentation also includes policies, configurations and settings, and procedures. Administrators can easily feel that although documenting security settings and other configurations are important, it might lessen security mechanisms established in the Exchange Server 2003 environment. However, documenting security mechanisms and corresponding configurations are vital to administration, maintenance, and any potential security compromise. Security documentation, along with other forms of documentation ”including network diagrams and configurations ”should be well guarded to minimize any potential security risk.

A network environment might have many security mechanisms in place, but if the information ”such as logs and events obtained from them ”isn't reviewed, security is more relaxed . Monitoring and management solutions, described in the performance documentation section, can help consolidate this information into reports that can be generated on a periodic basis. These reports are essential to the process of continuously evaluating the network's security.

In addition, management should be informed of any unauthorized access or attempts to compromise security. Business policy can then be made to strengthen the environment's security.

Change Control

Although the documentation of policies and procedures to protect the system from external security risks is of utmost importance, internal procedures and documents should also be established. Developing, documenting, and enforcing a change control process helps protect the system from well-intentioned internal changes.

In environments where there are multiple administrators, it is very common to have the interests of one administrator affect those of another. For instance, an administrator might make a configuration change to limit mailbox size for a specific department. If this change is not documented, a second administrator might spend a significant amount of time trying to troubleshoot a user complaint from that department. Establishing a change control process that documents these types of changes eliminates confusion and wasted resources. The change control process should include an extensive testing process to reduce the risk of production problems.

Procedures

Although security policies and guidelines comprise the majority of security documentation, procedures are equally as important. Procedures include not only the initial configuration steps, but also maintenance procedures and more important procedures that are to be followed in the event of a security breech.

Additional areas regarding security that can be documented include, but are not limited to, the following:

• Auditing policies including review

• Service packs (SPs) and hotfixes

• Certificates and certificates of authority

• Antivirus configurations

• Encrypting File System (EFS)

• Password policies (such as length, strength, age)

• GPO security- related policies

• Registry security

• Lockdown procedures