At its basic components, a Microsoft Exchange environment can be reduced to four main components:
Server operating system—
Microsoft’s latest server operating system (OS), and the one that
Exchange Server 2007 is designed to run on, is Microsoft Windows Server
2003 R2.
Server messaging system—
Exchange Server 2007 is the current messaging system from Microsoft.
Exchange 2007 provides messaging, calendaring, mobile access, and
unified communications for the enterprise.
Client operating system—
Microsoft’s latest client operating systems are Microsoft Windows Vista
and Microsoft Windows XP Service Pack 2 (SP2). Although Exchange Server
2007 can work with older versions of client software.
Client messaging application—
Microsoft’s latest client messaging application is Microsoft Office
Outlook 2007. Again, although Exchange can work with older versions of
Outlook
Both
the server messaging system and the client messaging application are
only as secure as their underlying operating systems. Fortunately,
Microsoft Windows Server 2003, Windows Vista, and Microsoft Windows XP
are very secure by default, and with a little knowledge and experience
can be made exceptionally secure.
The
concept of securing Windows Vista and Windows XP can best be grasped if
it is broken down into smaller components.
Authentication
Access control
Patch management
Communications
Windows Server 2003 Security Improvements
Even
from the default installation, Windows Server 2003 is significantly
more secure than its predecessors. Previous versions installed with
most features defaulting to an enabled state, counting on the
administrator to disable them if they were not going to be used. This
left a lot of openings for malicious intruders, especially in an
environment where the administration staff was not well versed in
hardening an underlying operating system.
In
Windows Server 2003, many of the features and services are installed,
but disabled by default, making it more difficult for unauthorized
users to exploit vulnerabilities. This is one way of improving server
security, known as “reducing the attack surface.”
Some of the changes in Windows Server 2003 include the following:
After a default installation, many services are disabled, rather than enabled.
Internet
Information Services (IIS), the built-in web server, has been
completely overhauled and is no longer installed by default. In
addition, group policies can be implemented that prevent the
unauthorized installation of IIS in your environment.
Access control lists (ACLs) have been redefined and are stronger by default.
Security can be defined by server and user roles.
Public
Key Infrastructure (PKI) Certificate Services has been enhanced and
includes advanced support for automatic smart card enrollment,
certificate revocation list (CRL) deltas, and more.
Wireless security features, such as IEEE 802.1X, are supported.
The
Security Configuration Wizard, included in Windows Server 2003 Service
Pack 1 (SP1), can further lock down security based on server role and
function.
Windows Vista Security Improvements
Windows
Vista complements Windows Server 2003 from the client perspective by
supporting the security features embedded in Windows Server 2003. The
following are among the more notable security features in Window Vista:
Core system files and kernel data structures are protected against corruption and deletion.
Software policies can be used to identify and restrict which applications can run.
Wireless security features, such as IEEE 802.1X, are supported.
Sensitive or confidential files can be encrypted using Bitlocker encryption as well as Encrypting File System (EFS).
Communications can be encrypted using IP Security (IPSec).
Kerberos-based authentication is integrated in the core logon process.
Enhanced security devices such as smart cards and biometric devices are supported.
All
of the security improvements are supported with Group Policy
enhancements to the Windows Vista operating system, providing
centralized policy setting and management.
Windows Firewall Protection
In
today’s messaging environments, users often have to be able to access
their emails from noncorporate locations. Gone are the days of
accessing email only from the office computer; many users now access
their mail from hotels, client sites, or wireless network “hot spots”
such as the local coffee house.
Supporting
this “anytime, anywhere” availability is important, but organizations
must work to minimize potential security risks that can come with
enhanced functionality.
Because remote
users are often utilizing equipment that is not configured by their
organization’s security administrators, this equipment can be more
susceptible to viruses and intrusions. To minimize security risks,
client computers should have the Windows Firewall installed and
operating.
Windows Firewall provides a
protective boundary that monitors information traveling between a
computer and a network (including the Internet). Windows Firewall
blocks “unsolicited requests,” which are often the result of external
users located on a network trying to access your computer. Windows
Firewall also helps protect you by blocking computer viruses and worms
that try to reach your computer through a network connection.
The
Windows Firewall uses stateful packet inspection to monitor all
communications to and from the computer and records the outbound
connections made from the protected system. Windows Firewall can also
be customized to allow exceptions based on an application or port as
well as to log security events.
