Securing the Mail: Lock Down Exchange

By Dee-Ann LeBlanc | Jul 26, 2002
http://www.enterprisenetworkingplanet.com/netsecur/article.php/1433441/Securing-the-Mail-Lock-Down-Exchange.htm

As you might have noticed, there are constant security warnings involving Microsoft's Internet Information Server (IIS) and Exchange Server. Both of these products have a reputation for security holes, and are a favorite target for virus makers.

A big part of this problem is the perception that anyone should be able to run a Microsoft product. If you're running any server on the Internet, regardless of the operating system or software, you should be sure to at the very least pick up some good books on how to do so properly, and follow the Web sites that discuss your particular software so you can be up on the latest issues.

Securing IIS
Right here, right now, the first thing to do if you're using IIS on Windows 2000 is to get the patch related to the Microsoft Security Bulletin MS01-037, which will ensure that the SMTP service through IIS requires proper authentication by people trying to send mail through it. This bug was reported back in July of 2001, and yet quite a number of people have never bothered to patch it. Please, folks, patch your servers! No matter what operating system and software you're running, you're playing with fire if you don't keep these machines up to date.

Also, don't forget that you can utilize Microsoft Exchange Server as a smart host for IIS. Don't let IIS just do its thing blindly. Put the Exchange brains behind it.

Locking Spammers out of Exchange Server
The process for setting up Microsoft Exchange so that only the people you've authorized can relay through it, rather than the world at large, depends on which version of Exchange you're running. For Microsoft Exchange 5.5 and 2000, proceed to Microsoft's TechNet database for a full set of instructions on how to ensure that you're not leaving holes open for spammers to abuse your servers.

Even if you already knew about this, if you've taken over administration from another person, make sure you go over the settings and ensure there are no surprises lurking.
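
One way to confirm the relay settings from the outside on a server you administer, as an added example that is not part of the original article: it opens an unauthenticated SMTP session, offers a sender and a recipient that are both foreign to the server, and reports whether the recipient is accepted. The function names and the probe addresses (reserved example domains) are assumptions made for this sketch.

```python
import smtplib
import sys

# Constructed probe addresses: reserved example domains that no real server
# is the final destination for, so accepting this pair means relaying.
PROBE_FROM = "relaycheck@example.org"
PROBE_TO = "relaycheck@example.net"


def classify(code):
    """Map an SMTP reply code to a finding."""
    if 200 <= code < 300:
        return "relays"        # accepted external-to-external mail
    if 400 <= code < 500:
        return "inconclusive"  # temporary failure; check again later
    return "refused"           # 5xx, for example 550 "Unable to relay"


def probe(smtp):
    """Run the unauthenticated envelope exchange on an open SMTP session.

    Stops after RCPT TO and sends RSET, so DATA is never issued and no
    message is delivered. Returns (finding, reply_code, reply_text).
    """
    smtp.ehlo_or_helo_if_needed()
    code, text = smtp.mail(PROBE_FROM)
    if code // 100 == 2:       # sender accepted, now offer the recipient
        code, text = smtp.rcpt(PROBE_TO)
        smtp.rset()            # abandon the transaction
    return classify(code), code, text.decode("ascii", "replace")


def relay_check(host, port=25, timeout=10):
    """Connect to a mail server you administer and report its relay behaviour."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return probe(smtp)


if __name__ == "__main__" and len(sys.argv) > 1:
    finding, code, text = relay_check(sys.argv[1])
    print(f"{sys.argv[1]}: {finding} ({code} {text})")
    sys.exit(1 if finding == "relays" else 0)
```

A "relays" finding is a prompt to review the server's relay restrictions rather than final proof, since some servers accept the recipient and reject the message at a later stage.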

Blocking Incoming Spam with Exchange Server
The rising tide of spam is enough to make anyone a bit cranky. Trying to deal with spam as a user is a nightmare even if that user is savvy enough to build filters: most mail programs just can't hold enough filters, or you start getting unexpected behaviors and losing legitimate mail. As a mail administrator, one option you have is to build a spam dam right at the source: your mail server.

Some of the anti-spam solutions overlap with the anti-virus solutions, which are covered in the next section, so if you're interested in both types of software you might want to give these a closer look. Some of the programs on the menu here are Mailwasher, at www.mailwasher.net, and MIMESweeper, at www.mimesweeper.com/.

If you're not using Exchange Server but are running mail services under Microsoft Windows, take a look at all of the solutions mentioned in this article. A number of them will run in conjunction with any Microsoft-based SMTP server.

Stopping Viruses with Exchange Server
Why leave your users to have to decide whether to click on that virus attachment or not? Install a virus scanner that checks all of your incoming and outgoing mail for the little buggers. Imagine the amount of time such an installation could save you from having to clean up user workstations and explain to management why an executive's files have all been corrupted. It shouldn't take too much creative talking to convince those who control the purse strings to pay for this one.

You can't just use an end-user virus scanner. You'll need software that can reach in between the mail server and its mail. This might sound a bit like Big Brother, but you are only scanning for viruses, not the actual content of the mail--an important distinction in the privacy circuit. Some of the scanners actually do look at content, so be sure to read up on what each of the packages does before you make your decision.

There is a wide range of scanner choices, and some work with any SMTP server under Microsoft Windows: Norton AntiVirus Corporate Edition with the Symantec AntiVirus/Filtering 3.0 for Exchange add-on (http://enterprisesecurity.symantec.com/), Sophos Sweep (http://www.sophos.com/), Trend Micro ScanMail (http://www.antivirus.com/), and CAI's eTrust InoculateIt (http://www3.ca.com/Solutions/ProductFamily.asp?ID=128).

Wrapping Up
Don't leave your users to get buried under spam and viruses. Do your part to help cut down on the number of servers out there that offer open relays to spammers, and put some spam and virus filtration on your company's email servers so that the users can have more time to do their paying work and keep your company going. Lost work hours add up with all of the time spent deleting spam these days, and it's not only the user that gets a headache when they activate a virus on their system. You get to clean it up.

Even if you only take the time to make sure your server's locked down, you're doing a huge service to the Internet community. Once you've done that, talk to your peers and make sure they've got their servers locked down, and get them to talk to theirs. We can't completely stop the spam deluge this way, but we can make life a lot harder for the spammers.

Bone up on your local laws, too. In some states and cities, you can actually sue spammers for damages or lost time. The best way to stop unethical business practices is often to hit the business where it hurts: in the pocketbook.