Security is not a sexy topic, but things can get downright ugly when the executive's
password is found out or someone attacks and cripples your mail server.
Often, a company is unable to prioritize security until something
terrible happens and the payroll summary mysteriously appears in the
break room or your server is getting constantly bombarded with mail or
packet bombs. More often, it is this pain that provides the security
"wake up call" for many companies.
The purpose of this
paper is to provide a short list of things you can do to protect your
servers and messaging environment from attacks.
- Physical Server Security - As simple as this may seem, you would be surprised at how many mail servers I have seen in someone's cubicle or in a general area of the building. All production servers should be logged off and behind a locked door of some kind. Do not underestimate the curiosity of your co-workers, especially around review time. Depending on the account that is currently logged on, every mailbox could potentially be accessed by anyone who could walk up to the server and use the keyboard.
- Network Security - In a word, Firewall.
- Password Security - By enforcing strong passwords and regular change intervals, you can make it more difficult for hackers to collect passwords. Also, use SSL to encrypt the usernames and passwords for your HTTP, POP, IMAP and (outgoing user) SMTP authentication.
- AntiVirus - This area has shifted into the security model, as an outbreak or malicious attack could cripple your systems. There are three areas of major concern we will discuss: SMTP, the Exchange Store and the client machines.
- SMTP Relay - An open relay invites SPAM, jeopardizes the stability of your environment and could potentially get you blacklisted from other domains as an open relay server.
Physical Security
As we mentioned earlier, there should be physical security between your
Exchange servers and the rest of the population. This means a locked
door of some kind that restricts access to the machines. Also, there
should be some type of monitoring system in place to track access to
the server and changes made to it. Perhaps this simply means a clipboard that each
administrator uses to record the time and day when they use the server
console or reboot the server. Auditing should be turned on and each
administrator should be using their own account and not a shared
account. If you do not adhere to these "rules", then you will have no
idea who rebooted the computer in the middle of the day or if someone is
intentionally or accidentally crashing the systems.