Disable unneeded mail services (IMAP, POP, OWA) – If you will not be using any outside mail services, disable them from your Exchange servers. If you will only be using specific ones, disable the ones you will not be using. If only certain users will need to access these resources, disable them on the users that will not be using them. Doing this will greatly reduce your possible external attack surface.
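As an added example (not code from the original article), the following script does the two things this item calls for: it disables the POP3/IMAP4 services on the server and then turns OWA, POP3 and IMAP4 off per user for everyone who does not need them. It assumes the Exchange Management Shell cmdlets Get-CASMailbox / Set-CASMailbox, which exist in Exchange 2007 and later; on Exchange 2000/2003 the same per-user switches are set in Exchange System Manager on the user's Exchange Features tab. The group name 'OWA-Users' and the address list are constructed for the example.

```powershell
# Added example, not part of the original article. Assumes the Exchange
# Management Shell (Exchange 2007+); group and address list are constructed.

# Match the protocol services by display name so this works across versions
# ("Microsoft Exchange POP3" / "Microsoft Exchange IMAP4" on Exchange 2003).
$unneededServices = Get-Service | Where-Object {
    $_.DisplayName -like 'Microsoft Exchange POP3*' -or
    $_.DisplayName -like 'Microsoft Exchange IMAP4*'
}

# Stop the services and keep them from starting at boot.
foreach ($svc in $unneededServices) {
    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc.Name -StartupType Disabled
    Write-Host "Disabled service: $($svc.DisplayName)"
}

# Per user: only members of the hypothetical 'OWA-Users' group keep OWA, and
# only the accounts in $popImapUsers (constructed) keep POP3/IMAP4.
$owaGroup     = 'OWA-Users'
$popImapUsers = @('scanner-svc')        # e.g. a device that must poll POP3

$owaMembers = Get-DistributionGroupMember -Identity $owaGroup |
              ForEach-Object { $_.SamAccountName }

foreach ($mbx in Get-CASMailbox -ResultSize Unlimited) {
    $keepOwa = $owaMembers   -contains $mbx.SamAccountName
    $keepPop = $popImapUsers -contains $mbx.SamAccountName
    Set-CASMailbox -Identity $mbx.Identity `
        -OWAEnabled $keepOwa -PopEnabled $keepPop -ImapEnabled $keepPop
}

# Audit: who still has any of the external protocols enabled afterwards.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OWAEnabled -or $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object Name, OWAEnabled, PopEnabled, ImapEnabled |
    Format-Table -AutoSize
```

The final audit is the part worth keeping around: run it periodically, because new mailboxes are created with all protocols enabled by default.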


Develop an update strategy – You must keep up not only with Microsoft’s patches for Exchange, but also with those for the underlying Windows operating system and for any third-party add-ons you’ve installed on Exchange. While turning on Automatic Updates in a production environment is not recommended (unless the updates come from an internal SUS server and have been tested), you can subscribe to Microsoft’s security bulletins to be apprised when new patches are released so that you can test and deploy them.


SSL on OWA – Make sure you use SSL with Outlook Web Access (OWA). This can even be done without the expense of buying a certificate: you can use Microsoft’s Certificate Services to generate one. While it will not be a certificate issued by a verifiable third party, it will still encrypt all communication transmitted over OWA. Clients will only accept it without a browser warning if your internal CA’s root certificate is installed on them.


URL Scan on OWA – URL Scan (part of the IIS Lockdown Tool) has a default configuration for an OWA server on Exchange. This will filter out requests to your OWA server that it deems improper, whether they are attacks or malformed requests. One caveat is that with the default settings users will not be able to open some mail that has certain characters in the subject. This default behavior can be changed by editing the urlscan.ini file in the %windir%\system32\inetsrv\urlscan folder.
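The fragment below is an added illustration of the urlscan.ini settings that interact with OWA; it is not the file shipped by the IIS Lockdown Tool. The defaults quoted in the comments are those of URLScan 2.5; which entries actually need changing on a given server is my own assessment and should be checked against the OWA-specific guidance for your Exchange version.

```ini
; Added example (not the stock urlscan.ini). Shows the options that most
; often explain "cannot open message with character X in the subject".
[options]
; OWA puts the message subject into the URL, so non-ASCII subjects are
; rejected while this is 0 (the default).
AllowHighBitCharacters=1
; Subjects containing a dot also end up in the path; default is 0.
AllowDotInPath=1
; Keep both of these on: they decode the URL before the rules run, so
; encoded forms of a denied sequence are still caught.
NormalizeUrlBeforeScan=1
VerifyNormalization=1
; Not OWA-specific, but cheap: stop advertising the IIS version.
RemoveServerHeader=1
EnableLogging=1

[DenyUrlSequences]
; Keep the traversal sequences from the stock list.
..
./
\
; The stock list also contains ":", "%" and "&". A subject such as
; "RE: 50% off & more" carries all three, so they are left out here;
; that is the trade-off this item describes, not a free win.
```

After editing the file, restart the web service (IIS) so URLScan reloads its configuration, and watch the URLScan log in the same folder for a day to see which remaining rejections are real and which are users' subjects.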


Enforce password security – A mailbox is only as secure as the password on the account associated with it. There is a risk not only of hacking, but also of users sharing passwords. This is especially dangerous if you have Outlook Web Access installed, because users can log on to OWA with the shared username and password. You should make sure there is a strong password policy in place in your organization and it should outlaw the sharing of passwords between users.
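As an added example (not part of the original article), here is a quick audit of the domain password policy that the mailbox accounts inherit. It uses the ActiveDirectory module’s Get-ADDefaultDomainPasswordPolicy and Get-ADFineGrainedPasswordPolicy cmdlets (available with RSAT on Windows Server 2008 R2 and later); the thresholds in the parameters are my own starting values, not figures from the article.

```powershell
# Added example, not from the article. Requires the ActiveDirectory module;
# thresholds are assumptions to adjust to your organization's policy.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        [int]$MinLength       = 12,   # assumed minimum length
        [int]$MinHistory      = 5,    # assumed minimum remembered passwords
        [int]$MinLockout      = 1     # 0 in AD means "never lock out"
    )
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if ($p.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength is $($p.MinPasswordLength), expected at least $MinLength"
    }
    if (-not $p.ComplexityEnabled) {
        $findings += 'Password complexity is disabled'
    }
    if ($p.LockoutThreshold -lt $MinLockout) {
        $findings += "LockoutThreshold is $($p.LockoutThreshold) (accounts never lock out)"
    }
    if ($p.PasswordHistoryCount -lt $MinHistory) {
        $findings += "PasswordHistoryCount is $($p.PasswordHistoryCount), expected at least $MinHistory"
    }
    if ($p.ReversibleEncryptionEnabled) {
        $findings += 'Reversible encryption is enabled (passwords recoverable from AD)'
    }

    # Fine-grained policies can silently weaken the defaults for some groups.
    $fgpp = Get-ADFineGrainedPasswordPolicy -Filter * -ErrorAction SilentlyContinue
    foreach ($fp in $fgpp) {
        if ($fp.MinPasswordLength -lt $MinLength -or -not $fp.ComplexityEnabled) {
            $findings += "Fine-grained policy '$($fp.Name)' is weaker than the baseline (applies to: $($fp.AppliesTo -join ', '))"
        }
    }

    [pscustomobject]@{
        Domain   = $p.DistinguishedName
        Compliant = ($findings.Count -eq 0)
        Findings = $findings
    }
}

$report = Test-DomainPasswordPolicy
if ($report.Compliant) { Write-Host 'Password policy meets the baseline' }
else                   { $report.Findings | ForEach-Object { Write-Warning $_ } }
```

The policy side (no password sharing) is not something a script can enforce, but the lockout and complexity checks above are what make a shared or guessed OWA password expensive for an attacker.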


Secure Windows and Active Directory – Exchange runs on Windows and requires Active Directory (for Exchange 2000 and above). If these base elements of your Exchange infrastructure have not been secured, then any lockdown of Exchange can be undermined. You can find the

Microsoft security templates – Use security templates to manage Exchange 2003 and Exchange 2000; you can get these from the Microsoft website free of charge. These templates, along with their associated guides, will help you create a hardened Exchange environment. One warning, though: be very careful when deploying these, as an improper configuration can keep important parts of your Exchange environment from functioning. Whenever possible, try them out in a test environment first.


Firewall – If your Exchange server is used to receive incoming mail, or to allow users access to their mail remotely, make sure it is properly secured behind a firewall. Only allow the ports needed for your environment to be exposed to the Internet. If possible, set up a second Exchange server in your firewall’s DMZ, and use it for your external mail needs.
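As an added example (not from the original article), this script applies the "only the ports you need" rule on the Exchange host itself and checks the result. It uses the NetSecurity cmdlets (New-NetFirewallRule, Set-NetFirewallProfile, Get-NetTCPConnection), which exist on Windows Server 2012 and later; on the Windows 2003 systems the article targets, the same policy belongs on the perimeter firewall or is set with netsh. The exposed-port list (SMTP 25 for inbound mail, HTTPS 443 for OWA) and the management subnet are constructed for the example.

```powershell
# Added example, not part of the article. Requires the NetSecurity module
# (Windows Server 2012+). Port list and management subnet are constructed.
$internetFacing = @(
    @{ Name = 'Exchange SMTP inbound'; Port = 25  }   # incoming mail
    @{ Name = 'Exchange HTTPS (OWA)';  Port = 443 }   # OWA, SSL only
)
$mgmtSubnet = '10.0.0.0/24'   # constructed: where administrators connect from

# 1. Inventory what is actually listening before opening anything.
$listening = Get-NetTCPConnection -State Listen |
    Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
Write-Host "Listening TCP ports: $($listening -join ', ')"

# 2. Default-deny inbound on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 3. Allow only the published services from any address.
foreach ($svc in $internetFacing) {
    New-NetFirewallRule -DisplayName $svc.Name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $svc.Port -Profile Any | Out-Null
}

# 4. Remote management (RDP) only from the admin subnet; add this rule before
#    step 2 takes effect if you are working over RDP yourself.
New-NetFirewallRule -DisplayName 'RDP from management subnet' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 3389 -RemoteAddress $mgmtSubnet | Out-Null

# 5. Everything else that listens is now unreachable; list it so nothing
#    needed (e.g. domain traffic on an internal-only server) was forgotten.
$allowed = @($internetFacing.Port) + 3389
$listening | Where-Object { $allowed -notcontains $_ } |
    ForEach-Object { Write-Host "Listening but not exposed: TCP $_" }
```

The inventory in step 1 is the useful habit: services you did not know were listening (a leftover POP3 or IMAP4 service, for instance) show up there before the firewall change rather than as a support call afterwards.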


Secure SMTP Relay – Always make sure all of the SMTP services on all of your Exchange servers are locked down. You can find the setting in Exchange System Manager | Administrative Groups | Site | Servers | %Servername% | Protocols | SMTP | %Your SMTP Virtual Server%. Go to Properties on the Virtual Server | Relay. Verify that the radio button “Only the list below” is selected. Also enable “Allow all computers which successfully authenticate to relay, regardless of the list above,” unless you have a static group of systems that will be the only ones needing SMTP relay capability.
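Changing the radio button is the easy part; confirming that the server actually refuses to relay is what matters. The script below is an added example (not from the article) that checks this from a client’s point of view: it drives the SMTP dialog up to RCPT TO for an external recipient and then aborts with RSET and QUIT, so no message is ever submitted. Run it against your own server from a host that is not in the relay list and is not authenticating. The sender and recipient addresses are constructed from the reserved example.com and example.net names.

```powershell
# Added example, not part of the article. Verifies the relay lockdown of
# your own server; addresses and host names are constructed.
function Test-SmtpRelay {
    param(
        [string]$Server = 'localhost',
        [int]   $Port   = 25,
        [string]$From   = 'relay-check@example.com',   # external sender
        [string]$To     = 'relay-check@example.net'    # external recipient
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        # Read one SMTP reply, skipping "250-..." continuation lines until the
        # final "250 " line, and return the 3-digit code.
        $readCode = {
            do { $line = $reader.ReadLine() }
            while ($null -ne $line -and $line.Length -gt 3 -and $line[3] -eq '-')
            if ($null -eq $line) { throw 'connection closed by server' }
            [int]$line.Substring(0, 3)
        }
        # Send one command and return the reply code.
        $send = { param($cmd) $writer.WriteLine($cmd); & $readCode }

        $banner = & $readCode
        if ($banner -ne 220) { throw "unexpected banner code $banner" }
        [void](& $send 'EHLO relay-check.example.com')
        $mail = & $send "MAIL FROM:<$From>"
        $rcpt = & $send "RCPT TO:<$To>"
        [void](& $send 'RSET')    # abort: nothing is queued or delivered
        [void](& $send 'QUIT')

        [pscustomobject]@{
            Server   = $Server
            MailFrom = $mail
            RcptTo   = $rcpt
            # 250 on RCPT TO means an unauthenticated client may relay to an
            # external domain: the server is an open relay. With the settings
            # above Exchange answers 550 (unable to relay) instead.
            OpenRelay = ($rcpt -eq 250)
        }
    }
    finally { $client.Close() }
}

$result = Test-SmtpRelay -Server 'mail.example.com'
if ($result.OpenRelay) {
    Write-Warning "$($result.Server) relays for unauthenticated clients"
} else {
    Write-Host "$($result.Server) refused relay (RCPT TO code $($result.RcptTo))"
}
```

Run it twice: once from an internal host that should be allowed (if you use the IP list) and once from one that should not. A server that answers 250 to the second test is relaying for anyone on the Internet, regardless of what the dialog box shows.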

Use Windows 2003 Server – Running your Exchange environment on Windows 2003 Server technology will improve your security by default, based upon the security enhancements in the OS itself. Windows 2003 was designed with security in mind.

For further information on Exchange Servers go to: www.bisnerconsulting.com