Hardening Microsoft Exchange 2007


Microsoft Exchange

Microsoft Exchange is the de facto standard for email services. Email servers are the heart of communications for all small businesses and the protection of these servers is critical.

With Exchange Server 2007, some of the most important changes take place at the protocol level. By default, Exchange Server 2007 does not allow unencrypted sessions. The server uses its own self-signed certificate to secure individual messages in transit; this certificate should be replaced with a trusted certificate from a Certificate Authority.

This security is one of the most important ways to protect individual messages traveling across the Internet. The POP3 protocol should be set to start automatically. This type of encryption requires that clients make a secure connection to the Exchange Server. These settings must be configured through the Exchange Management Shell (EMS). Service Pack One includes the Exchange Management Console.

IMAP4 should be managed the same way, following the rule not to pass unencrypted sessions.

The most important networking knowledge is which ports (open holes) are exposed by the services used on your network. By default, POP3 uses port 110 and IMAP uses port 143. With encryption and certificates in use, IMAP uses port 993 and POP3 uses port 995. This information plays a critical role in setting up both your software and hardware firewalls.
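The POP3 and IMAP4 settings described above can be applied and checked from the Exchange Management Shell as in the following added example, which is not part of the original article. It assumes it is run locally on the server holding the Client Access role and that the services use their default Exchange 2007 names.

```powershell
# Added example: run in the Exchange Management Shell on the Client Access server.
# Assumption: default Exchange 2007 service names (MSExchangePOP3, MSExchangeIMAP4).
$protocols = @(
    @{ Name = 'POP3';  Service = 'MSExchangePOP3';  ClearPort = 110; SslPort = 995 },
    @{ Name = 'IMAP4'; Service = 'MSExchangeIMAP4'; ClearPort = 143; SslPort = 993 }
)

# Refuse logons over sessions that have not been encrypted first.
Set-PopSettings  -LoginType SecureLogin
Set-ImapSettings -LoginType SecureLogin

foreach ($p in $protocols) {
    # Start the service at boot, then restart it so the new login type takes effect.
    Set-Service     -Name $p.Service -StartupType Automatic
    Restart-Service -Name $p.Service
}

# Read the settings back rather than trusting that the commands succeeded.
$loginType = @{
    'POP3'  = "$((Get-PopSettings).LoginType)"
    'IMAP4' = "$((Get-ImapSettings).LoginType)"
}

$failed = $false
foreach ($p in $protocols) {
    $status = (Get-Service -Name $p.Service).Status
    $secure = $loginType[$p.Name] -eq 'SecureLogin'
    $ok     = $secure -and ("$status" -eq 'Running')
    if (-not $ok) { $failed = $true }

    # SslPort is the port to allow at the firewall; ClearPort should stay blocked.
    Write-Host ("{0,-6} service={1,-8} login={2,-24} allow tcp/{3}, block tcp/{4} -> {5}" -f `
        $p.Name, $status, $loginType[$p.Name], $p.SslPort, $p.ClearPort,
        $(if ($ok) { 'OK' } else { 'CHECK' }))
}

if ($failed) {
    Write-Warning 'At least one protocol is not running or still accepts unencrypted logons.'
}
```

Once a certificate from a Certificate Authority has replaced the self-signed one, run the verification half again.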

Any implementation of Outlook Web Access (OWA) should run over HTTPS (SSL) with a certificate issued by a trusted third-party certificate authority. You should also look at Exchange's new security features, which are included during installation and customization:

· SharePoint integration

· Controlling file shares

· File control and access restrictions

· User access and control restrictions

· Security and Exchange ActiveSync for mobile users on phones and PDAs

All servers require patch management and service pack installation and monitoring. With the implementation of any email server, these basics are required. (See WSUS information Article).

Another hardening and security measure is to use the anti-spam software included with HTS, which can be activated upon installation. This implementation can help to prevent malware and spyware. With filtering and quarantine, this plays a critical role in your server’s security.

With Hub Transport, Mailbox, Client Access, Unified Messaging, and Edge Transport being the key server roles, you can mix and match these roles to make your server more secure.

The most important features for enforcing security are the Security Configuration Wizard (SCW) and the placement of the server in the network infrastructure. Microsoft recommends placing the server behind an ISA server and, ironically, not in the perimeter network of your firewall.

In summary, patch management, service packs, user and file control, firewall/port protection, encryption and placement of Microsoft’s Exchange server in your network are critical steps in protecting your servers.