Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


November 2007

Securing Microsoft Exchange Server 2007

Start with a hardened Windows server and hosted filtering
From the November 2007 Edition
of Windows IT Pro
Brien Posey
Required Reading
InstantDoc #97079
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Antivirus Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!
SideBar    Steps to Protect Your Exchange 2007 Organization

Executive Summary:
Securing Microsoft Exchange Server 2007 includes everything from creating a high-level architectural design to tweaking dozens of obscure settings deep within the product. Start by considering fundamental practices such as limiting yourself to one version of Exchange and using the different Exchange server roles wisely. You'll greatly increase the chances that the security settings you implement later on will be effective.


Exchange Server 2007 is designed to be much more secure than its predecessors, but it would take a thick book to tell you all you need to know about Exchange 2007 security. After all, securing Exchange 2007 includes everything from creating a high-level architectural design to tweaking dozens of obscure settings deep within the product.

My personal philosophy has always been that security must be applied in layers. Tweaking a bunch of security settings won’t do you much good if you have gaping security holes throughout your Exchange organization. That being the case, I’ll focus this article on designing a secure Exchange Server organization, discussing fundamental, big-picture practices such as limiting yourself to one version of Exchange and using the different Exchange roles wisely. If you start with a secure design, you greatly increase the chances that the security settings you implement later on will be effective.

Harden Windows and Use Firewalls
The majority of the security steps that I talk about in this article have to do with the design of your Exchange organization rather than the deployment process. I want to quickly mention, though, that when it does come time to deploy Exchange, one of the most important things to do from a security standpoint is to harden Windows before you ever even install Exchange.

Exchange Server is completely dependent upon the Windows OS. If your Windows implementation has weak security, then your Exchange implementation will also have weak security. Therefore, it’s extremely important that you remove all unnecessary Windows components and services, install all the latest Windows patches, and follow the various security best practices for Windows. You can get more specific information from the Windows Server 2003 Security Guide, which you can download at www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx You can also use the Security Configuration Wizard to help you to harden your servers and reduce their potential attack surface. You can download the Security Configuration Wizard at www.microsoft.com/downloads/details.aspx?familyid=903fd496-9eb9-4a45-aa00-3f2f20fd6171&displaylang=en.

Furthermore, it’s extremely important that your organization use a solid firewall configuration. My personal recommendation is to take a layered approach to firewalls. Your network perimeter should be protected by a firewall appliance, but I also recommend placing a Microsoft ISA Server system just inside your perimeter network. ISA Server was developed with Exchange Server in mind and makes an effective application firewall. Even with ISA Server in place, though, you should use the Windows firewall on each of your servers as a way of preventing attacks that may occur from within your organization.

Use Only 1 Exchange Version
In my opinion, one important aspect of developing a secure Exchange Server organization is maintaining strict control over both Exchange and Windows server versions. For example, if you’re getting ready to move to Exchange Server 2007, then I think it’s better from a security (and, certainly, management) standpoint to deploy Exchange 2007 on all your Exchange servers than to have a mixture of Exchange 2007 and Exchange Server 2003.

A lot of you are probably having a fit after reading that last statement. After all, Microsoft fully supports coexistence between Exchange 2007, Exchange 2003, and Exchange 2000 Server. Hear me out, though.

One reason why I recommend trying to limit your organization to one Exchange version is that by doing so, you reduce management complexity. For example, Exchange 2003 requires the use of sites, routing groups, and administrative groups. These features were removed from Exchange 2007, but Exchange 2007 can emulate these features to remain backward-compatible with the earlier version. By removing Exchange 2003 from your organization, you eliminate Exchange Server 2007’s need to emulate these features, thus reducing the complexity of the code that’s running.

My general rule of thumb when designing an Exchange Server organization is that you should reduce complexity anywhere possible. Doing so often improves security and makes troubleshooting any problems easier.

Another reason why I believe that staying with one Exchange version is important is that it helps eliminate the “what if” factor. Imagine, for example, that you’re running Exchange 2007 and Exchange 2003. Now suppose that someone discovers a huge security flaw related to the way Exchange 2007 interacts with the server’s transport stack. (This isn’t a real problem, it’s just an example.)

In a situation like this, it’s appropriate to wonder whether the vulnerability is unique to Exchange 2007 or also exists in Exchange 2003. If all your Exchange servers were running Exchange 2007, you simply focus your attention on patching the known bug, rather than trying to determine whether another version of Exchange has a similar bug.

Put Only 1 Exchange Server Role on Each Server
The concept of server roles isn’t new to Exchange 2007, but this version takes the role concept much further than Exchange 2003 does. The only roles that formally exist in Exchange 2003 are those of front-end and back-end Microsoft Outlook Web Access (OWA) servers. Many administrators “define” their own Exchange 2003 roles, such as mailbox servers and public folder servers. In fact, Microsoft introduced other roles in the Microsoft Exchange Server 2003 Security Hardening Guide (www.microsoft.com/downloads/details.aspx?familyid=6A80711F-E5C9-4AEF-9A44-504DB09B9065&displaylang=en) but didn’t implement them in Exchange 2003 itself.

Exchange 2007 has five server roles and requires you to select the ones that you want to use during the initial Exchange installation. Of course, you also have the option of adding and removing server roles as your needs change.

The five roles are Mailbox, Client Access, Hub Transport, Edge Transport, and Unified Messaging. A single server can host multiple roles. The only roles that can’t work with other roles are the Edge Transport role, and the Mailbox role if the server is clustered. I discuss the Edge Transport server role in more detail later. Right now, though, I want to focus attention on the other four roles and how to design a secure Exchange environment with these roles in mind.

The Edge Transport role aside, a single Exchange server can run any combination of the various server roles. In fact, if you aren’t using the Edge Transport role, it’s possible to have one Exchange 2007 box that runs all the Exchange server roles simultaneously. However, for both security and performance reasons, I recommend that each Exchange server host only one role.

   Previous  [1]  2  Next 


Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Learning Path For more guidance on Exchange 2007 server roles
"Exchange 2007 Server Roles and You"

"Fight Spam Using Exchange 2007's Edge Server Role"


For more information about hosted filtering
"Antispam Solutions for Business"

"FrontBridge Gets a Makeover"


To publish Exchange 2007 on ISA Server 2006
"Securing Exchange Server 2007 Services with ISA Server 2006"

"Publishing Exchange Server 2007 with ISA Server 2006"
Top Viewed ArticlesView all articles
Friday at PASS Europe 2006

Kevin talks about the closing day of the event and shares a funny Microsoft film. ...

PsExec

This freeware utility lets you execute processes on a remote system and redirect output to the local system. ...

Microsoft Delivers Service Pack 2 Beta 2 for Vista, Server 2008

Microsoft on Tuesday announced the availability of the Beta 2 version of Service Pack 2 (SP2) for Windows Vista and Windows Server 2008. Since both operating systems were developed from the same code base, they have a common servicing structure and thus ...
Related Articles Hosted Services and Exchange

Securing Exchange Server 2007 Services with ISA Server 2006

Fight Spam Using Exchange 2007's Edge Server Role

Antispam Solutions for Business
Security Whitepapers The Impact of Messaging and Web Threats

Why SaaS is the Right Solution for Log Management

Protecting (You and) Your Data with Exchange Server 2007
Related Events Storage Consolidation for Your Microsoft Applications: Reducing Cost and Complexity

How IE7 & The New Extended Validation SSL Certificates Impact Your Site

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.



ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Register for Orion NPM v9 - Evaluation
Affordable, easy-to-use network performance management with SolarWinds Orion – Free Trial!

Want a Hardware-Independent Image?
Binary Research, the Ghost people, shows you how to clone with 1!

Maximize speed, performance and reliablity of your PCs and servers—automatically!
Speed Up Your PC! Try Diskeeper 2008 with InvisiTasking Free Now!

Order Your Fundamentals CD Today!
Register today for your in-depth copy of one of three Fundamental CDs on the following topics – Exchange, SQL, and SharePoint.

Implement a Successful Archiving Solution
View this web seminar to learn the best practices for creating an email archive that is secure, compliant, and searchable.
Protect Your Company’s Digital Assets
Do you know the risks of sending important files over email or FTP? Read this white paper to learn what you can do to safeguard your company’s data.

Prepare Yourself for Exchange Catastrophe
Read this white paper to learn how you can keep Exchange server healthy, as well as predict and respond to server failure.

Boost Customer Confidence and Satisfaction
Read this eBook to learn how faxing can ease communication with less computer-savvy customers while reducing your security, compliance and support woes.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing