I recently highlighted 5 Reasons Why Hackers Want to Break into Your Email Server to underscore how enticing a target the humble email server is to hackers. The least damaging repercussions of a hacked email server range from the loss of bandwidth to being leveraged for the distribution of spam; the leaking of company secrets and extortion are some of the more serious consequences that could result.
In that vein, I’ve compiled a short list of excellent resources to help email administrators better secure and protect the Microsoft Exchange servers under their charge.
Exchange 2010 Security Guide
I consider the Exchange 2010 Security Guide, written by the Microsoft team, to be a requisite read for Exchange administrators. While a little dated, a large part of the comprehensive article covers ‘evergreen’ best practices on topics such as security patching and password enforcement. As such, I consider this a great place to get started. Other important aspects that are covered include suggestions to decouple Windows usernames from SMTP addresses, as well as how to create a new Exchange Server role with the Security Configuration Wizard. [Exchange 2010 Security Guide]
Securing Exchange 2010 with Forefront TMG
The Forefront Threat Management Gateway (TMG) by Microsoft helps businesses protect themselves from Web-based threats using an integrated solution that is configured and monitored from a single management interface. To help those not already familiar with Forefront, Alexander Weiß of 4sysops has written a couple of comprehensive articles on how it can be used to protect an Exchange Server deployment, specifically focusing on the use of preauthentication and protecting the Web interface of an Exchange Server. [Part 1 and Part 2]
Exchange Server’s Client Access: Securing Your Servers
Rather than taking a generic approach to the topic of security for Exchange Server, Ken St. Cyr of Windows IT Pro focuses instead on three tips in order to “greatly increase” the base security of an Exchange deployment. To help administrators understand what they are doing, he elaborates at length on the use of digital certificates, the need to harden the underlying server OS and the advantages offered by a reverse proxy. As a solution architect at Microsoft with more than 10 years of industry experience, Ken St. Cyr has an impressive list of credentials to his name, which includes being the author of Exchange Server 2010 Administration Instant Reference (Sybex). [Exchange Server’s Client Access: Securing Your Servers]
Configuring Security for IIS 7
Exchange Server aside, there is also a need to protect the underlying IIS or Internet Information Server web server, because Exchange makes use of IIS for Outlook Web App (OWA), a feature which is enabled by just about every company these days. Hosted on the official IIS web site, this guide is essentially a compilation of separate articles by team members on various aspects of securing IIS. Personally, I feel that even the content page is a goldmine on how to secure the latest version of IIS. [Configuring Security for IIS 7]
Know of any other good resources on how to secure Exchange Server 2010? Feel free to chip in below, including with any comments you have on the resources above.