I recently attended DEF CON 10 in Las Vegas. One of the sessions I attended spent quite a bit of time on Exchange Server security vulnerabilities. Although I found the session's content to be rather poor and severely outdated, it did raise the visibility of deploying a secure messaging infrastructure. In a rather timely (but totally coincidental) move, Microsoft released "Security Operations Guide for Exchange 2000 Server," which you can download from the first URL below. This week, I want to provide an overview of this guide and point out some highlights that might help you make your Exchange deployments more secure.
"Security Operations Guide for Exchange 2000 Server," which is a supplement to "Security Operations for Microsoft Windows 2000 Server," takes a Microsoft Operations Framework approach to securing Exchange. This process-focused approach examines four operations quadrants: Changing, Operating, Supporting, and Optimizing. The majority of the guide deals with two specific Exchange 2000 server scenarios: front-end servers and back-end servers. The guide doesn't provide much coverage of other Exchange server types (e.g., POP3, IMAP), nor does it provide much information about antivirus or antispam measures—two topics about which Microsoft should provide more guidance for customers.
One of the guide's core chapters, the excellent "Securing Exchange 2000 Servers Based on a Role," highlights two Exchange 2000 roles: Outlook Web Access (OWA) front-end server and back-end Exchange 2000 server. For each role, the guide provides a Group Policy template that defines settings for services and file ACLs. For example, the policy for OWA front-end servers disables the Store service and several other services that can expose vulnerabilities on an OWA front-end server. The policy for Exchange back-end servers disables services such as IMAP4 and POP3 to provide high security for back-end servers. You must import these templates into your Group Policy settings container before you can apply them to your Exchange 2000 servers. For an OWA front-end server, apply the baseline.inf template, then add the OWA front-end incremental.inf template and the Microsoft IIS incremental.inf template for IIS servers. For back-end Exchange 2000 servers, apply the baseline.inf template and the Exchange back-end incremental.inf template. The guide also explains how to use tools such as IISLockDown and URLScan to add security measures to your OWA servers.
Another core chapter, "Securing Exchange Communications," involves securing connections between Exchange 2000 servers and between the servers and Exchange clients. This chapter also discusses how to set up the remote procedure call (RPC) application filter with that comes with Microsoft Internet Security and Acceleration (ISA) Server 2000 and points you to some additional resources about the subject. Overall, I don't recommend this approach or the use of ISA Server 2000 on your Internet firewall or internal firewall perimeter. (The product isn't proven yet, in my opinion, and after all, how many of you run it? That's what I thought.) However, the chapter also devotes a significant amount of text to using IP Security (IPSec) to set up secure communications between front-end OWA servers in the demilitarized zone (DMZ) and back-end Exchange servers on which mailboxes reside. Despite IPSec's performance and management overhead, this approach is a good one for securing front-end/back-end communications.
Overall, the guide provides some good information about securing your Exchange 2000 servers. (For additional information, see the second, third, and fourth URLs below.) However, I found myself left with too many questions. For example, what about managing those servers in the DMZ? How do I lock down my Exchange SMTP gateways? What do I do about antispam and antivirus measures? What if I don't want to use ISA Server 2000? In my opinion, the guide falls a little short of providing "everything an Exchange administrator needs to know about securing Exchange" but maybe that isn't its target (although I think it should be). "Using the Microsoft Operations Framework and Group Policy Objects to Secure Exchange 2000 Servers" might be a more accurate title for this guide.
"Security Operations Guide for Exchange 2000 Server"
"Configuration and Security Update Recommendations for Exchange 2000"
"Configuring Microsoft Exchange 2000 Server for the Internet"