At its most basic, a Microsoft Exchange Server environment can be reduced to four main components:
Server operating system—Microsoft’s latest server operating system (OS), and the one that Exchange Server 2010 is designed to run on, is Microsoft Windows Server 2008 R2.
Server messaging system—Exchange Server 2010 is the current messaging system from Microsoft. Exchange Server 2010 provides messaging, calendaring, mobile access, and unified communications for the enterprise.
Client operating system—Microsoft’s latest client operating systems are Microsoft Windows 7 or Windows Vista, although Exchange Server 2010 can work with older versions of client software.
Client messaging application—Microsoft’s latest client messaging application is Microsoft Office Outlook 2007, though Outlook 2010 is scheduled for completion shortly after publication of this book. Again, Exchange Server can work with older versions of Outlook.
Both the
server messaging system and the client messaging application are only as
secure as their underlying operating systems. Fortunately, Microsoft
Windows Server 2008, Windows 7, and Windows Vista are very secure by
default, and with a little knowledge and experience can be made
exceptionally secure.
Windows Server 2008 Security Improvements
Even from the default
installation, Windows Server 2008 and the latest version, Windows Server
2008 R2, are significantly more secure than their predecessors. Previous
versions installed with most features defaulting to an enabled state,
counting on the administrator to disable them if they were not going to
be used. This left a lot of openings for malicious intruders, especially
in an environment where the administration staff was not well versed in
hardening an underlying operating system.
In Windows Server
2008, all features and roles are disabled by default and must be
manually turned on, making it more difficult for unauthorized users to
exploit vulnerabilities. This is one way of improving server security,
known as “reducing the attack surface.”
Some of the changes in Windows Server 2008 include the following:
After a default installation, many services are disabled, rather than enabled.
Internet Information Services (IIS), the built-in web server, has been completely overhauled and is no longer installed by default. In addition, group policies can be implemented that prevent the unauthorized installation of IIS in your environment.
Access control lists (ACLs) have been redefined and are stronger by default.
Security can be defined by server and user roles.
Public Key Infrastructure (PKI) Active Directory Certificate Services (AD CS) has been enhanced and includes advanced support for automatic smart card enrollment, certificate revocation list (CRL) deltas, and more.
Wireless security features, such as IEEE 802.1X, are supported.
The Security Configuration Wizard included with Windows Server 2008 can further lock down security based on server role and function.
Windows 7 Security Improvements
Windows
7 complements Windows Server 2008 R2 from the client perspective by
supporting the security features embedded in Windows Server 2008 R2. The
following are among the more notable security features in Windows 7:
Core system files and kernel data structures are protected against corruption and deletion.
Software policies can be used to identify and restrict which applications can run.
Wireless security features, such as IEEE 802.1X, are supported.
Sensitive or confidential files can be encrypted using BitLocker encryption as well as Encrypting File System (EFS).
Communications can be encrypted using IP Security (IPSec).
Kerberos-based authentication is integrated in the core logon process.
Enhanced security devices such as smart cards and biometric devices are supported.
All of the security
improvements are supported with Group Policy enhancements to the
Windows 7 operating system, providing centralized policy setting and
management.
Windows Firewall Protection
In today’s messaging
environments, users often have to be able to access their emails from
noncorporate locations. Gone are the days of accessing email only from
the office computer; many users now access their mail from hotels,
client sites, or wireless network “hot spots” such as the local coffee
house.
Supporting this
“anytime, anywhere” availability is important, but organizations must
work to minimize potential security risks that can come with enhanced
functionality.
Because remote users are
often utilizing equipment that is not configured by their organization’s
security administrators, this equipment can be more susceptible to
viruses and intrusions. To minimize security risks, client computers
should have the Windows Firewall installed and operating.
Windows Firewall
provides a protective boundary that monitors information traveling
between a computer and a network (including the Internet). Windows
Firewall blocks “unsolicited requests,” which are often the result of
external users located on a network trying to access your computer.
Windows Firewall also helps protect you by blocking computer viruses and
worms that try to reach your computer through a network connection.
The Windows
Firewall uses stateful packet inspection to monitor all communications
to and from the computer and records the outbound connections made from
the protected system. Windows Firewall can also be customized to allow
exceptions based on an application or port as well as to log security
events.
Utilizing Security Templates
Security
templates are a practical and effective means to apply standardized
security policies and configurations to multiple systems in an
environment. These security templates can be customized to meet the
minimum security requirements of a particular organization, and can be
applied to client computers as well as to servers using the Security
Configuration and Analysis Microsoft Management Console (MMC) snap-in.
By utilizing the
automatic deployment of security templates to client PCs, administrators
can ensure that computers are identically configured and utilize
available security measures, even if the system is not able to be
managed by Group Policy Objects (GPOs).
Tip
Microsoft
provides several security templates based on functional roles within a
network environment. These can easily be applied to client computers and
servers alike. However, organizations often have unique needs that are
not met completely by these default templates so, as a best practice,
administrators should always customize the security template to address
particular application and access needs.
Using the Security Configuration and Analysis Tool
The Security
Configuration and Analysis tool is a utility that can apply security
templates to computers. It compares a computer’s security configurations
against an administrator-defined security template, and reports any
differences found between the two. Furthermore, when the security
configuration on the computer does not match the settings specified in
the template, you can use the tool to update the system accordingly.
This utility has two
modes of operation: analysis and configuration. An often-overlooked
best practice is to analyze the system prior to making any changes so
that you have a baseline frame of reference.
To run the Security Configuration and Analysis tool and analyze a computer, perform the following steps:
1. Start the Microsoft Management Console by selecting Start, Run, typing MMC in the Open text box, and then clicking OK.
2. Select File, click Add/Remove Snap-in.
3. In the Add or Remove Snap-in window, select Security Configuration and Analysis, click Add, and then click OK.
4. In the MMC, right-click the Security Configuration and Analysis snap-in, and select Open Database.
5. Type a database name, select a location to store the database, and then click Open.
6. Select a security template from those listed, or navigate to C:\Windows\inf and select one of the files starting with deflt, as shown in Figure 1. After you have selected the appropriate .inf file, click Open.
7. Back in the MMC, right-click the Security Configuration and Analysis snap-in, and choose Analyze Computer Now.
8. Enter a path to store the generated log file, and click OK to continue.
After the System
Security Analysis has completed, the utility displays the security
settings that are configured in the template you selected, and what is
currently configured on the computer. Items for which the computer is
not in compliance with the policy appear with a red “x” beside them.
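The comparison that the analysis mode performs can also be reproduced offline against a configuration exported with secedit /export. The following is an added example, not code from the book or from Microsoft's tool: both .inf texts are constructed samples, and the function names and the choice of settings are assumptions made for illustration.

```python
# Added example: both .inf texts below are constructed samples.
TEMPLATE_INF = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
"""

# Constructed stand-in for the output of: secedit /export /cfg current.inf
CURRENT_INF = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
"""

SKIP_SECTIONS = {"unicode", "version"}  # file metadata, not security settings


def parse_inf(text):
    """Return {(section, key): value}; names are lower-cased for comparison."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section is None or section in SKIP_SECTIONS or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[(section, key.strip().lower())] = value.strip()
    return settings


def analyze(template_text, current_text):
    """List (section, key, template_value, computer_value) for each mismatch."""
    wanted, actual = parse_inf(template_text), parse_inf(current_text)
    findings = []
    for (section, key), value in sorted(wanted.items()):
        found = actual.get((section, key), "<not defined>")
        if found != value:
            findings.append((section, key, value, found))
    return findings


if __name__ == "__main__":
    for section, key, want, have in analyze(TEMPLATE_INF, CURRENT_INF):
        print(f"[{section}] {key}: template={want} computer={have}")
```

Files written by secedit are normally UTF-16 encoded, so read them with encoding="utf-16" before passing the text to analyze().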
If you want to configure the system with the security settings in the template, you can do so by performing a few extra steps:
1. In the MMC, right-click the Security Configuration and Analysis snap-in.
2. Select Configure Computer Now.
3. Enter a path for the error log to be written to, and then click OK.
Customizing Security Templates
An administrator might
want to use custom security templates for several reasons. The
organization might want a simple method of ensuring that attached
computer systems meet defined minimum security criteria. It might
also want to ensure that security settings that work for a
particular application can be replicated to other servers of the same
nature.
Larger organizations
often have the need for customized security templates. For example, a
member of the Internal Auditing department might need to regularly
connect to employee hard drives, whereas the receptionist is only
allowed basic Internet access. By applying different security settings
to each of these machines, you can help the company ensure people have
access to the data they need, and not to the resources they don’t.
Tip
You
can download and implement security templates provided by Microsoft,
the National Security Agency (NSA), or the National Institute of
Standards and Technology (NIST). These templates can be used as
baselines, and can be customized to meet the needs of your particular
environment. After being customized, you can distribute them to
appropriate systems in your organization with minimal effort.
Windows Server
2008/2003, Windows 7/Vista, and Windows XP Professional are equipped
with the Security Templates MMC snap-in that enables administrators to
quickly and easily customize settings on individual systems. Loading
this tool is similar to the Security Configuration and Analysis tool
discussed previously. To add the snap-in, follow these steps:
1. Start the Microsoft Management Console by selecting Start, Run, typing MMC in the Open text box, and then clicking OK.
2. Select File, click Add/Remove Snap-in.
3. In the Add or Remove Snap-in window, select Security Templates, click Add, and then click OK.
When the Security
Templates snap-in is expanded, it displays the default search path to
the security templates folder in the current user’s profile. Other paths
can be opened to display other security templates that might reside on
the system. Expand the default template storage directory
(C:\windows\inf\deflt*.inf) to see the available default templates.
Rather than editing these default templates, it is recommended that you
select the one you are going to use as a baseline, right-click it, and
save it as a new template.
After you have created
the new template, expand it to display all of the modifiable security
settings. From here, you can configure the template to apply the
security settings you want, as shown in Figure 2.
After you
have completed customizing the template, it is an easy process to save
the file to an accessible network share, and then use the Security
Configuration and Analysis tool to apply it to the appropriate systems.
Keeping Up with Security Patches and Updates
Applying service packs,
updates, and hotfixes in a timely manner is critical to maintaining the
security of an environment. Whether you are talking about a server
operating system, an application such as Exchange Server 2010, a client
operating system, or even client applications, keeping your systems up
to date with the latest releases ensures that you are protected against
known vulnerabilities.
Organizations often
underestimate the importance of these updates, so let’s look at them in a
different light. These updates are released to protect against known
vulnerabilities. That means that there is a good possibility that
malicious users in the hacker community already know how to exploit
them. So there the system sits: not only does it have an unlocked door,
but the criminals know it is unlocked.
In
the past, updates often had to be manually implemented on a
system-by-system basis and, for companies with hundreds (or thousands)
of workstations, it proved to be a monumental task. These manual
processes still exist, but rarely need to be used today.
With Windows Server
2008/2003, Windows 7/Vista, and Windows XP, utilities exist that allow
you to automate this process and simplify the distribution of updates.
Microsoft has provided several options: Windows Update, Microsoft
Update, Microsoft Windows Server Update Services (WSUS), and Microsoft
System Center Configuration Manager (SCCM). In addition, there are a
variety of third-party applications that can assist you with this
endeavor.
Note
In today’s
environments, distribution of updates is often considered the “easy”
part. Automated methods of deployment have made the process fairly
simple. However, one of the most important steps, and one of the most
often overlooked, is the thorough and complete testing of updates in a
lab environment before the release to a production environment. Strongly
consider implementing a patch management system that includes adequate
time and resources for testing.
Windows Update
Windows Update, located at http://www.microsoft.com/windowsupdate,
is a website that scans a local system and determines whether it has
the latest updates applicable to the operating system. Windows Update is
a very useful tool when dealing with a small number of systems. One
shortcoming of Windows Update is that it only addresses updates to the
operating system—not to any applications installed on the computer.
Windows Update was designed for Microsoft Windows 2000 SP2 and earlier.
Those using later versions of the operating system (including Windows
2000 SP3 and higher, Windows Server 2008/2003, Windows 7/Vista, and Windows XP) can instead use the Microsoft Update discussed in the following section.
Microsoft Update
For other Microsoft applications on your system, including Microsoft Outlook, use Microsoft Update, located at http://update.microsoft.com.
This website offers the same downloads available on the Windows Update
site, plus the latest updates for Microsoft Office and other Microsoft
applications.
When you visit the
website, it scans your computer and allows you to review a list of
available updates and select the ones you want to implement.
The site breaks
down the available updates into categories, identifying those that are
critical to the security and reliability of your computer as
high-priority updates.
One other feature of
the Microsoft Update website is the ability to review your update
history. By selecting this link, you can see the update, the product it
applied to, the status of the implementation, the date it was applied,
and the method used to apply the patch—for example, Windows Update or
Automatic Updates, which is discussed in the next section.
Like Windows Update,
Microsoft Update is intended for managing one system at a time. As
useful as it is for individual users and small environments, other
alternatives should still be considered for larger organizations.
Note
You can remove an
update by using the Programs and Features (previously known as
Add/Remove Programs) applet in Control Panel. When this feature first
appeared, it had the reputation of being somewhat unreliable. Sometimes,
updates were removed and the system experienced problems afterward.
However, this process has been greatly improved over the past several
years and is significantly more stable and reliable now.
Automatic Updates
One of the most
reliable, and least time-consuming, methods of implementing updates from
Microsoft is built in to Windows Server 2008/2003, Windows 7/Vista, and
Windows XP. Known as Automatic Updates, this feature allows your system
to automatically download and install high-priority updates, without
manual intervention. Optional updates, however, still need to be
implemented using other methods.
With Automatic
Updates, you can configure the utility to automatically download and
install updates on a daily or weekly basis, at the time of day of your
choice (for example, every Saturday at 2:00 a.m.).
Alternatively, you can select one of the following options:
Download Updates for Me, But Let Me Choose When to Install Them.
Notify Me But Don’t Automatically Download or Install Them.
Turn Off Automatic Updates.
When
connecting to Microsoft Update or Windows Update, this method has a few
drawbacks that must be mentioned. First, by automatically downloading
and applying hotfixes, you are not afforded the opportunity to download
and implement them in a test lab prior to deployment. Second, some
high-priority updates require a reboot and might automatically restart
your system without your prior approval.
To mitigate these
shortcomings, you can configure Automatic Updates so that it does not download and
install updates directly from Microsoft, but instead receives updates
from a Microsoft Windows Server Update Services (WSUS) server,
discussed next.
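A client's Automatic Updates policy can be checked for the two drawbacks just described (updates pulled directly from Microsoft, and restarts without approval) by reading its policy registry values. The following is an added example, not code from the book: the reg query output is a constructed sample, the WSUS host name is a placeholder, and the policy value names (WUServer, UseWUServer, AUOptions, and so on) are the Windows Update policy settings, which the text above does not name.

```python
import re

# Constructed sample of `reg query <key> /s` output for the Windows Update
# policy key; the WSUS host name is a placeholder, not a real server.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://wsus.example.internal:8530

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer    REG_DWORD    0x0
    AUOptions    REG_DWORD    0x4
    ScheduledInstallDay    REG_DWORD    0x7
    ScheduledInstallTime    REG_DWORD    0x2
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
DAYS = ["every day", "Sunday", "Monday", "Tuesday", "Wednesday",
        "Thursday", "Friday", "Saturday"]   # ScheduledInstallDay 0..7


def parse_reg_query(text):
    """Return {value_name: int or str} from reg.exe query output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:                      # key-path and blank lines do not match
            name, kind, data = match.groups()
            values[name] = int(data, 16) if kind == "REG_DWORD" else data.strip()
    return values


def review(values):
    """Return notes about the update source, schedule and restart behaviour."""
    if values.get("NoAutoUpdate") == 1:
        return ["Automatic Updates is turned off"]
    notes = []
    # WUServer is ignored unless UseWUServer is 1.
    if values.get("UseWUServer") != 1 or not values.get("WUServer"):
        notes.append("updates come directly from Microsoft, bypassing lab testing")
    if values.get("AUOptions") == 4:   # 4 = download and install on a schedule
        day = values.get("ScheduledInstallDay")
        hour = values.get("ScheduledInstallTime")
        if day is not None and hour is not None:
            notes.append(f"scheduled install: {DAYS[day]} at {hour:02d}:00")
        if values.get("NoAutoRebootWithLoggedOnUsers") != 1:
            notes.append("restart may occur while users are logged on")
    return notes


if __name__ == "__main__":
    for note in review(parse_reg_query(SAMPLE_REG_QUERY)):
        print(note)
```

The sample deliberately has a WSUS server defined but UseWUServer set to 0, a misconfiguration in which the client still goes to Microsoft.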
Windows Server Update Services (WSUS)
Realizing the
increased administration and management efforts that challenge
administrators of larger environments, Microsoft created the Microsoft
Software Update Services (SUS), and the newer version called Windows
Server Update Services (WSUS). This no-charge add-in component is
designed to simplify the process of keeping computers in your
organization up to date with the latest updates and service packs. WSUS
communicates directly and securely with Microsoft to gather the latest
security updates for a variety of Microsoft products, including Exchange
Server, and enables administrators to manage the distribution of these
updates to clients and servers in their environment. By utilizing WSUS,
administrators can download updates, test them, and schedule the
deployment to additional systems.
Utilizing
Background Intelligent Transfer Service (BITS), the application allows
administrators to download updates in the background, using available
network bandwidth, to minimize the impact on their user community.
WSUS version 3.0 includes a new MMC-based user interface and has the following features:
Advanced filtering and reporting
Improved performance and reliability
Branch office optimizations and reporting rollup
System Center Operations Manager Management Pack
Client-Based Virus Protection
One of the primary
reasons why the installation of service packs and software updates in a
timely manner is so important is the prevalence of computer viruses.
Many viruses are written to exploit specific vulnerabilities that are
found in computer operating systems and applications—both on clients and
servers. Because Microsoft products are used so widely throughout the
world, those who create viruses generally write them specifically to
attack Microsoft products. This has resulted in the creation of an
entire industry focused solely on protecting businesses and individuals
from attack.
Companies
truly concerned with protecting their environment from attack should
use a multilayer approach to virus protection. By including antivirus
applications on gateways, Exchange servers, and on the desktop,
outbreaks can be prevented, or quickly detected and dealt with.
There are many ways
to distribute viruses, and one of the most effective is by installing
unauthorized software on a workstation and turning it into a
distribution point. This method might (or might not) utilize an existing
messaging system. If it does not, gateway and Exchange server-level
antivirus methods might not be able to help at all. By implementing a
separate antivirus solution on the desktop itself, you can minimize your
exposure to attack.
An aggressive plan should
be in place to keep antivirus signature files and engines up to date.
Virus outbreaks that once took days (or weeks) to become widespread can
now travel around the globe in a matter of hours. Antivirus updates
(often referred to as “signature files”) should be updated daily at a
minimum and more often if your product supports it.
Windows Lockdown Guidelines and Standards
Microsoft has gone
to great lengths to provide secure and reliable products. This endeavor
was not accomplished in a vacuum—Microsoft has worked closely with
companies, government agencies, security consultants, and others to
identify and address security issues in the computer industry. Through
this concerted effort and teamwork, security standards and guidelines
have been developed that are applicable to not only Microsoft products,
but also to the computing industry as a whole.
In addition to
researching and implementing Microsoft recommended security standards
and guidelines, responsible administrators can also use recommended best
practices that have been compiled by the National Institute of
Standards and Technology (NIST) and the National Security Agency
(NSA).
Both NIST and NSA provide security lockdown configuration standards and guidelines that can be downloaded from their websites (www.nist.gov and www.nsa.gov, respectively).