Enhancing Exchange Security

    April 30, 2003

These days, it seems as if it’s almost impossible to do business without having access to an E-mail account. Because of this, Microsoft Exchange has quickly become a mission critical application for many businesses.

Unfortunately, Exchange is also one of the applications that’s most at risk of being attacked by hackers. In this article, I’ll address some of the many threats to your Exchange Servers and explain how to counteract those potential threats.

Protecting Against Viruses

One of the biggest Exchange-related threats endangers not only Exchange Server but your entire network. Of course, I’m talking about viruses. Viruses have been a threat to computer systems for many years, but recently the widespread use of E-mail has allowed viruses to spread at an alarming rate. Fortunately, there are ways to protect your Exchange server against viruses.

I recommend taking a client/server approach to virus protection. The first level of virus protection should be to install a reliable anti-virus program on everyone’s workstation. This will prevent users from accidentally working with infected files and sending those files to others. I personally use and recommend Hauri’s ViRobot Expert anti-virus solution. Although Hauri is relatively unknown in the United States, it has been one of the top anti-virus products in Asia for a number of years. In a recent benchmark test performed by Relevant Technologies (http://www.brienposey.com/kb/Anti_Virus_Software.asp), Hauri beat out Norton, McAfee, and Trend Micro in every benchmark test. You can learn more about Hauri by visiting the Hauri Web site at http://www.hauriusa.net.

Once you’ve protected the workstations, you need to protect the server. Using an anti-virus program similar to the one that I recommended for the workstations is a good start, but you can take things a step further. Several companies manufacture Exchange-aware anti-virus software for your servers. These programs scan every inbound and outbound message for viruses. If someone should send an infected file to one of your users, the server-level scanner can catch and isolate the virus before the message is ever placed in the user’s Inbox. I recommend using Hauri’s ViRobot for Exchange in conjunction with ViRobot Advanced Server at the server level. By doing so, all inbound and outbound E-mail messages are automatically scanned for viruses. If a virus is detected, the software will automatically send an e-mail to the intended recipient, disinfect the virus, and place the infected file into a secure location. If the user needs the previously infected file, they may request it from the Administrator.

The first time that I saw this product, I wondered why the disinfected file wasn’t just automatically sent to the recipient. As it turns out, the disinfected files are quarantined as a security measure. Many of the more malicious viruses choose a random file from the infected person’s hard disk and use that file as a mechanism for spreading the infection. If someone in your company were to become infected, it’s possible that a file containing sensitive information could be E-mailed across the company. By quarantining attachments after disinfection, ViRobot for Exchange prevents a potential disclosure of sensitive information.

Protecting Against E-Mail Fraud and Interception

When it comes to protecting your Exchange Servers, the first thing that most people think of is guarding against fraudulent or stolen E-mail. There are several ways of doing this. The most effective step that you can take to keep hackers at bay is to always stay current with service packs and hot fixes.

Remember that Exchange piggybacks on Windows NT, so you need to install service packs and hot fixes for Windows NT Server as well as for Exchange Server. As you’re no doubt aware, service packs are designed to correct bugs and patch security holes in the program (in this case, Exchange or Windows NT). However, new security holes are constantly being discovered. This is where hot fixes come in. Hot fixes are patches designed to correct one specific security hole. Hot fixes are released much more often than service packs, and are later incorporated into the service packs. You can download all of the latest service packs and hot fixes from Microsoft’s FTP site.

As you download the necessary service packs, remember that Microsoft releases multiple versions of each service pack. If your company is located in the United States or Canada, then you can download the 128-bit version of the service packs. These service packs offer 128-bit encryption as opposed to the 40-bit encryption offered by the other service packs. Stronger encryption makes for better-protected data.

Another method of keeping hackers away from your Exchange Server is to organize your network in such a way that your Exchange Server sits behind your firewall. Such an arrangement can prevent hackers from breaking into your Exchange server, or from stealing messages through the use of obscure TCP/IP calls. Of course, this assumes that the firewall is set up to block all of the TCP/IP ports that aren’t in use.

Protecting Against A Denial Of Service Attack

A denial of service attack consists of a malicious user flooding your Exchange server with bogus E-mail until the server either can’t keep up or until the server’s hard disk fills up. In either case, this type of attack prevents users from being able to send or receive E-mail because the server is either busy or down (thus the name denial of service attack).

The best thing that you can do to prevent a denial of service attack is to limit the maximum allowed attachment size of inbound messages. If you limit inbound messages to very small attachment sizes, it will be much more difficult for a malicious user to tie up your server. Before you limit everyone’s attachment size though, you need to get a feel for the way that everyone uses his or her E-mail. Some users may have a legitimate business need for large attachments. If you find this to be the case in your organization then I recommend setting a maximum inbound attachment size on a per user basis.

Preventing Mail Relaying

One of the biggest security threats facing Exchange administrators is mail relay. Spammers are known to look for Exchange Servers with open relay ports and relay SPAM through these servers. They do this as a way of obscuring the SPAM’s origin. Unfortunately, to the recipients, the SPAM appears to come from you. Often this will result in an Exchange organization being blacklisted by an ISP from sending SMTP mail. Even if an organization is never blacklisted, all of that SPAM consumes excessive bandwidth. There is a way to disable mail relay, though.

To do so, open the Exchange System Manager and navigate to Administrative Groups | your administrative group | Servers | your server | Protocols | SMTP | Default SMTP Virtual Server. Now, right click on the default SMTP virtual server and select the Properties command from the resulting context menu. When you do, you’ll see the Default SMTP Virtual Server Properties sheet. Next, select the Access tab and click the Relay button. You’ll now see the Relay Restrictions dialog box.

The Relay Restrictions dialog box gives you a choice of blocking relay traffic from everyone except for the domains or IP addresses listed on the exceptions list, or of blocking relay traffic only from the domains that are listed on the exceptions list. Whichever option you choose, click the Add button to display the Computer dialog box. This dialog box allows you to enter an IP address or DNS name for a single computer, or an entire subnet address or domain name, which would apply to an entire group of computers.

By using that technique, you can block relaying completely. However, there may be times when you have a legitimate need to allow relaying. In such situations, you can allow authenticated users to relay messages while preventing non-authenticated users from relaying by simply building on the technique that I’ve already shown you. The Relay Restrictions dialog box contains a check box labelled Allow All Computers Which Successfully Authenticate To Relay, Regardless Of The List Above. By selecting this option, you may control relaying on a per-user basis rather than on a computer or domain basis.
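To make the relay decision concrete, here is an added example (my own illustration, not code from the article or from Exchange) that models the Relay Restrictions dialog described above: the two list modes, single IPs, subnets and domain names on the list, and the authenticated-override check box. It then runs that model over a few constructed SMTP protocol-log lines (an assumed, simplified W3C-style layout of date, time, client IP, username, command, argument and status) to flag accepted RCPT commands that the policy should have refused, which is how an administrator would verify that relaying is really closed.

```python
import ipaddress
import re

LOCAL_DOMAINS = {"example.com"}  # assumption: domains this server accepts mail for

# Policy mirrors the dialog: "only_listed" = relay only from the list,
# "all_except_listed" = relay from everyone except the list. Entries may be
# single IPs, subnets or DNS domain names; auth_override is the check box.
POLICY = {
    "mode": "only_listed",
    "entries": ["192.0.2.0/24", "203.0.113.7", "partner.example"],
    "auth_override": True,
}

def _matches(entry, client_ip, client_host):
    """True if the client matches one list entry (IP, subnet or domain name)."""
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # Not an IP or subnet: treat the entry as a domain name and compare it
        # against the client's reverse-DNS host name.
        return client_host == entry or client_host.endswith("." + entry)

def relay_allowed(policy, client_ip, client_host, authenticated, rcpt_domain):
    """Decide whether RCPT TO for rcpt_domain should be accepted from this client."""
    if rcpt_domain in LOCAL_DOMAINS:
        return True  # delivery to our own domains is not relaying
    if authenticated and policy["auth_override"]:
        return True  # "Allow all computers which successfully authenticate to relay"
    listed = any(_matches(e, client_ip, client_host) for e in policy["entries"])
    return listed if policy["mode"] == "only_listed" else not listed

# Constructed sample log (not real data); "-" in the username field = unauthenticated.
SAMPLE_LOG = """\
2003-04-30 10:01:02 198.51.100.9 - MAIL +FROM:<a@spam.example> 250
2003-04-30 10:01:03 198.51.100.9 - RCPT +TO:<victim@other.example> 250
2003-04-30 10:02:10 192.0.2.15 - RCPT +TO:<bob@other.example> 250
2003-04-30 10:03:00 198.51.100.9 - RCPT +TO:<alice@example.com> 250
2003-04-30 10:04:00 198.51.100.9 jsmith RCPT +TO:<c@other.example> 250
2003-04-30 10:05:00 198.51.100.9 - RCPT +TO:<d@other.example> 550
"""
LOG_RE = re.compile(r"^\S+ \S+ (\S+) (\S+) RCPT \+TO:<[^@>]+@([^>]+)> (\d{3})$")

def find_unexpected_relays(policy, log_text):
    """Return (client_ip, recipient_domain) for RCPTs the server accepted (250)
    but the policy says it should have refused, i.e. evidence of open relaying."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(4) != "250":
            continue
        ip, user, domain = m.group(1), m.group(2), m.group(3)
        if not relay_allowed(policy, ip, "", user != "-", domain):
            hits.append((ip, domain))
    return hits
```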

Guarding The Service Account

Perhaps the most critical step to protecting your Exchange server is guarding the service account. Exchange assigns the service account permissions that are well beyond those of the Administrator. Unlike the administrator account, the service account can function as a part of the operating system. If a hacker gets their hands on your service account password, they can do anything to your Exchange server that they want. Therefore, it’s extremely important to safeguard the service account password.

The first step in doing so is to pick out a complicated password. Use a combination of numbers, upper-case letters, lower-case letters, and symbols. Second, change the password often. However, you must remember that simply changing the password in the User Manager for Domains isn’t enough. You must also make the individual Exchange services aware of the change through the Service Control Manager. Another technique that you can use is to disguise the service account’s name to make it look like a normal user account. For example, you might name your service account John_Smith or some other name. Just make sure that the name that you choose is in a format that blends in with your other service accounts. Finally, don’t use the same service account for every server application. I’ve seen a lot of cases in which an administrator will use the same service account for Exchange Server and another application such as SQL. However, this means that if a hacker does figure out the service account password, they will be able to access all of your server applications instead of just one.

As you can see, there are several things that you can do to make Exchange Server less vulnerable to hackers and viral infections. In this article, I’ve explained some of the most common threats to Exchange Server security and shown you how to protect against those threats.

Brien Posey has written thousands of technical articles on a variety of topics. You can access many of them by signing up for a free membership to Brien’s personal Web site at http://www.brienposey.com. Brien’s Web site also contains a forum area where you can post your most difficult technical questions and a live chat area where you can talk directly to the experts!