Security best practices dos and don'ts, part 1

While there is no magic formula for keeping Exchange totally secure, these best practices lay the groundwork for the start of a solid plan.

You probably spend more time on security-related issues than you plan to. According to a recent SearchExchange.com

poll, 52% of respondents said they spend between 25% to 50% of their work time on security-related issues. Another 23% said that they spend more than 50% of their day on security-related challenges.

It's a fact that security issues are part of your everyday work life as an Exchange manager. While it is an ongoing challenge ensuring that your Exchange Server is protected from spammers and hackers and other security threats, there are some things that you can do to lay the base for security best practices.

I compiled a list of several of them and will explain some today and more tomorrow.

Best Practice #1: Do not expose a server containing mailboxes to the outside world

One of the worst things that you can do, from a security standpoint, is connect your primary Exchange server directly to the Internet. Even if a firewall stands between your mail server and the Internet, the configuration exposes your server to tremendous risks. Exchange Server requires you to open several different ports in your firewall. A hacker could potentially use any open port to gain access to your Exchange Server.

Rather than placing a server containing all your mailboxes or public folders directly in harm's way, it's better to use a front-end/back-end configuration. The idea is that the front-end server is the server found just beyond your firewall. This server should be running a minimal set of services and a copy of Exchange. However, this server should not be hosting any mailboxes or public folders.

The public folders should reside in the back-end server or servers. .You can then set up a secure communications link between the front-end server and the back-end server. When mail arrives, the front-end server passes the mail through the secure channel to the back-end server containing the appropriate mailbox. Likewise, if users need to access the system using Outlook Web Access (OWA) , they can log into Exchange through the front-end server, but securely access their mailboxes. On the other hand, if the front-end server were ever compromised, it is basically an empty box, so the hacker would not be able to get anything useful. You can find complete instructions for setting up a front-end/back-end configuration here.

Best Practice #2: Do use a two-tier approach for virus protection

We all know how many e-mail viruses float around the Internet, so it's obviously critical to protect your Exchange organization from those viruses. When it comes to protecting Exchange, though, it's important to take a two-tier approach to virus protection.

The bottom tier consists of standard file-level protection. You must configure the antivirus program so that it does not scan the databases, the transaction logs or the M: drive. Having an antivirus program scan these locations can destroy Exchange.

This is where the second tier comes into play. You need to have an Exchange-aware antivirus program running on the server. This program will be responsible for scanning user's mailboxes. Sure, your desktop antivirus software probably scans Outlook, but by scanning Exchange at the server level, you can get rid of viruses before they ever make it into a user's mailbox. Think of desktop antivirus programs that scan Outlook as your last line of defense rather than your first.

Best Practice #3: Keep Exchange up to date

This one should be obvious, but it is so important that I wanted to mention it anyway. As you probably know, Microsoft constantly releases new hot fixes for various security problems. On an Exchange Server, it is important to apply fixes that apply to Exchange Server and to the underlying Windows operating system.

Normally, keeping a system up to date is as simple as using Microsoft's Software Update Service (SUS). What you might not realize, though, is that although SUS does a great job of keeping Windows up to date, it does not attempt to keep Exchange up to date.

Microsoft will correct this problem in the next version of the Software Update Service, which will be renamed the Windows Update Service, or WUS. In the meantime, if you are looking for an automated patch deployment solution for Exchange, you will have to use a third-party product such as GFI's LANguard Network Security Scanner.

For Part 2 of Security Best Practices for Microsoft Exchange, click here


Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and numerous other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.

Do you have a useful Exchange tip to share? Submit it to our monthly tip contest and you could win a prize and a spot in our Hall of Fame.

This was first published in June 2004

Dig deeper on Email Policy Management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchWindowsServer

SearchEnterpriseDesktop

SearchCloudComputing

SearchSQLServer

Close