Security best practices dos and don'ts, part 1

It's a fact that security issues are part of your everyday work life as an Exchange manager. While it is an ongoing challenge ensuring that your Exchange Server is protected from spammers and hackers and other security threats, there are some things that you can do to lay the base for security best practices.

I compiled a list of several of them and will explain some today and more tomorrow.

Best Practice #1: Do not expose a server containing mailboxes to the outside world

One of the worst things that you can do, from a security standpoint, is connect your primary Exchange server directly to the Internet. Even if a firewall stands between your mail server and the Internet, the configuration exposes your server to tremendous risks. Exchange Server requires you to open several different ports in your firewall. A hacker could potentially use any open port to gain access to your Exchange Server.

Rather than placing a server containing all your mailboxes or public folders directly in harm's way, it's better to use a front-end/back-end configuration. The idea is that the front-end server is the server found just beyond your firewall. This server should be running a minimal set of services and a copy of Exchange. However, this server should not be hosting any mailboxes or public folders.

The public folders should reside in the back-end server or servers. .You can then set up a secure communications link between the front-end server and the back-end server. When mail arrives, the front-end server passes the mail through the secure channel to the back-end server containing the appropriate mailbox. Likewise, if users need to access the system using Outlook Web Access (OWA) , they can log into Exchange through the front-end server, but securely access their mailboxes. On the other hand, if the front-end server were ever compromised, it is basically an empty box, so the hacker would not be able to get anything useful. You can find complete instructions for setting up a front-end/back-end configuration here.

Best Practice #2: Do use a two-tier approach for virus protection

We all know how many e-mail viruses float around the Internet, so it's obviously critical to protect your Exchange organization from those viruses. When it comes to protecting Exchange, though, it's important to take a two-tier approach to virus protection.

The bottom tier consists of standard file-level protection. You must configure the antivirus program so that it does not scan the databases, the transaction logs or the M: drive. Having an antivirus program scan these locations can destroy Exchange.

This is where the second tier comes into play. You need to have an Exchange-aware antivirus program running on the server. This program will be responsible for scanning user's mailboxes. Sure, your desktop antivirus software probably scans Outlook, but by scanning Exchange at the server level, you can get rid of viruses before they ever make it into a user's mailbox. Think of desktop antivirus programs that scan Outlook as your last line of defense rather than your first.

Best Practice #3: Keep Exchange up to date

This one should be obvious, but it is so important that I wanted to mention it anyway. As you probably know, Microsoft constantly releases new hot fixes for various security problems. On an Exchange Server, it is important to apply fixes that apply to Exchange Server and to the underlying Windows operating system.

Normally, keeping a system up to date is as simple as using Microsoft's Software Update Service (SUS). What you might not realize, though, is that although SUS does a great job of keeping Windows up to date, it does not attempt to keep Exchange up to date.

Microsoft will correct this problem in the next version of the Software Update Service, which will be renamed the Windows Update Service, or WUS. In the meantime, if you are looking for an automated patch deployment solution for Exchange, you will have to use a third-party product such as GFI's LANguard Network Security Scanner.

For Part 2 of Security Best Practices for Microsoft Exchange, click here

Do you have a useful Exchange tip to share? Submit it to our monthly tip contest and you could win a prize and a spot in our Hall of Fame.

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Exchange Security Tips Why you should secure Exchange 2007 using administrative policies Microsoft Exchange Server security dos and don'ts Create a journal rule in Exchange 2007 to secure journaling mailboxes How to protect an Exchange journaling mailbox from email spoofing Lock down Microsoft Outlook 2007 to prevent .PST file access Using Exchange Server journaling as an email-archiving solution Use the OWA Admin tool to 'segment' Outlook Web Access 2003 features Why are .PST files a security threat to Exchange Server mailboxes? OWA won't load after applying Exchange 2007 SP1 security patch Minimize remote and mobile Outlook Web Access (OWA) security risks Email Policy Management Setting up email disclaimers and signatures in Exchange Server Use the OWA Admin tool to 'segment' Outlook Web Access 2003 features Why are .PST files a security threat to Exchange Server mailboxes? Customizing Outlook Web Access (OWA) in Exchange Server 2007 Managing Microsoft Outlook search folder functionality Moving mobile user mailboxes from Exchange 2003 to Exchange 2007 How to set up Exchange 2007 message classifications Exchange Server email compliance guide Set up Exchange to receive email for multiple domains Troubleshooting a Microsoft Outlook group policy Antivirus Software and Virus Protection Troubleshooting Outlook Web Access issues on a 64-bit system Microsoft Exchange Server security dos and don'ts How effective is tracking the IP address of an email hacker? Minimize remote and mobile Outlook Web Access (OWA) security risks Secure Edge Transport servers using the Security Configuration Wizard The six-layered secret of effective Exchange Server email filtering Microsoft Outlook and Exchange Server 2003 Email Security Guide How to install and configure an Edge Transport server for Exchange 2007 Process, compress and block Microsoft Outlook email attachments How to configure attachment blocking in Outlook Web Access RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary email bankruptcy  (SearchExchange.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.