Part 1 of 2 parts
By its very nature, Microsoft Exchange Server is one of the applications that is the most prone to security breaches.
But it isn't so much that there are more security holes in Exchange than there are in other products. Instead, the problem resides in Exchange's basic architecture.
For example, we all know that there are security vulnerabilities in Windows Server and in Internet Information Server. Exchange rides on top of Windows and requires the server to also have IIS installed. As such, any vulnerabilities that exist in Windows or IIS could potentially effect Exchange as well.
The other reason why Exchange is inherently insecure is because of its purpose. Exchange is designed to receive packets from the Internet. Sure, there are a lot of techniques that you can use to shield Exchange from being directly connected to the Internet. Setting up a firewall and a front end/back end configuration goes a long way toward helping Exchange be less prone to attack. Even so, an attacker can still get malicious code into your Exchange server by simply e-mailing it to someone who has an account on the server.
Although Microsoft is making strides to help make Exchange more secure, the fact is that Exchange is not secure by itself.
Fortunately, there are an abundant number of third-party products that can help make your Exchange Server a much less dangerous place.
The third-party software
- Patch management
This article will look at some products in the anti-spam area. Part 2 tomorrow will look at anti-virus and patch management products.
I've selected these products because I am familiar with them and think they do a good job. This article does not represent an endorsement of these products and doesn't mean that there aren't others out there that also are good selections for you.
There are about as many anti-spam products on the market as there are anti-virus products, and it's really tough to find a good one. I personally like GFI's Mail Essentials.
Mail Essentials works primarily on the basis of checking the message header and checking for key phrases in the message's subject and body. Since keyword checking has become less effective over the last year or two, GFI has also incorporated Bayesian analysis. Bayesian analysis works by comparing an inbound message against known spam and known legitimate mail. The comparison yields a statistical probability of whether or not the message is considered to be spam.
Any time that you have a program automatically weed out the spam, you alwasy run the risk that legitimate messages will be deleted. One of the things that I especially like about Mail Essentials is the way that it makes use of black lists and white lists. Just about every anti-spam software package lets you black list known spammers or create a white list of the E-mail addresses of friends, family and co-workers. With Mail Essentials, any time that you send an e-mail to someone, the recipient's address is automatically added to the white list. The benefit of this is that the recipient's reply to your message will not be flagged as spam.
Microsoft is currently working on its own anti-spam filter for Exchange Server 2003, called Exchange Intelligent Message Filter. The filter will reportedly compare each in-bound message against almost half a million different criteria to determine whether or not the message is spam or not. It remains to be seen whether or not this product will get the job done, but I have been hearing very good things about it from insiders at Microsoft. You can read more about this upcoming product at http://www.microsoft.com/exchange/techinfo/security/imfoverview.asp
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies, and numerous other technology companies. You can visit Brien's personal Web sites at http://www.brienposey.com and http://www.relevanttechnologies.com.
This was first published in March 2004