Securing the Mail: Lock Down Exchange

As you might have noticed, there are constant security warnings
involving Microsoft’s Internet Information Server (IIS) and Exchange
Server. Both of these products have a reputation for security holes,
and are a favorite target for virus makers.

A big part of this problem is the perception that anyone should be
able to run a Microsoft product. If you’re running any server on the
Internet, regardless of the operating system or software, you should
at the very least pick up some good books on how to do so properly,
and follow the Web sites that discuss your particular software so you
can stay up on the latest issues.

Securing IIS

Right here, right now, the first thing to do if you’re using IIS on
Windows 2000 is to get the patch related to the Microsoft Security
Bulletin MS01-037, which will ensure that the SMTP service
through IIS requires proper authentication by people trying to send
mail through it. This bug was reported back in July of 2001, and yet
quite a number of people have never bothered to patch it. Please,
folks, patch your servers! No matter what operating system and
software you’re running, you’re playing with fire if you don’t keep
these machines up to date.

Also, don’t forget that you can utilize Microsoft Exchange Server as a
smart host for IIS. Don’t let IIS just do its thing blindly. Put the
Exchange brains behind it.

Locking Spammers out of Exchange Server

Ensuring that you have Microsoft Exchange set up to only allow the
people who you’ve authorized to relay, rather than the world at large,
follows a different process depending on which version of Exchange
you’re running. For Microsoft Exchange 5.5 and 2000, proceed to
Microsoft’s TechNet database for a full set of instructions on
how to ensure that you’re not leaving holes open for spammers to abuse
your servers.

Even if you already knew about this, if you’ve taken over
administration from another person, make sure that you go over the
settings and ensure there are no surprises lurking.
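
One way to confirm the relay settings on a server you administer, as an added example that is not part of the original article or of any Microsoft tooling: it uses Python's standard smtplib to start an unauthenticated session, offers a sender and recipient that are both outside your domains, and reports whether the server accepts them. The function names and the example.org/example.net addresses are assumptions made for illustration.

```python
import smtplib

# Constructed placeholder addresses (reserved example domains); neither is
# local to the server under test, so accepting both means it relays.
OUTSIDE_SENDER = "relay-test@example.org"
OUTSIDE_RCPT = "relay-test@example.net"


def relay_verdict(smtp, sender=OUTSIDE_SENDER, rcpt=OUTSIDE_RCPT):
    """Classify an unauthenticated session as 'open', 'closed' or 'inconclusive'.

    `smtp` is a connected smtplib.SMTP object (or anything with the same
    ehlo/mail/rcpt/rset methods). No DATA command is issued, so no message
    is ever queued or delivered.
    """
    smtp.ehlo()
    code, _ = smtp.mail(sender)
    if code // 100 == 5:
        return "closed"          # sender refused outright
    if code != 250:
        return "inconclusive"    # 4xx: temporary failure, retry later
    code, _ = smtp.rcpt(rcpt)
    smtp.rset()                  # abandon the transaction
    if code in (250, 251):
        return "open"            # non-local recipient accepted without auth
    if code // 100 == 5:
        return "closed"          # e.g. 550 "Unable to relay"
    return "inconclusive"        # 4xx: greylisting or temporary failure


def check_server(host, port=25, timeout=10):
    """Connect to a server you administer and return its relay verdict."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return relay_verdict(smtp)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        print(sys.argv[1], check_server(sys.argv[1]))
```

Run it from a network outside your own, since many servers are configured to relay for internal addresses. An "open" result at the RCPT stage is a prompt to review the relay restrictions, because some servers accept the recipient and only reject later.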

Blocking Incoming Spam with Exchange Server

The rising tide of spam is enough to make anyone a bit cranky. Trying
to deal with spam as a user is a nightmare even if that user is savvy
enough to build filters: most mail programs just can’t hold enough
filters, or you start getting unexpected behaviors and losing
legitimate mail. As a mail administrator, one option you have is to
build a spam dam right at the source: your mail server.

Some of the anti-spam solutions overlap with the anti-virus solutions,
which are covered in the next section, so if you’re interested in both
types of software you might want to give these a closer look. Some of
the programs on the menu here are Mailwasher and MIMESweeper.

If you’re not using Exchange Server but are running mail services
under Microsoft Windows, take a look at all of the solutions mentioned
in this article. A number of them will run in conjunction with any
Microsoft-based SMTP server.

Stopping Viruses with Exchange Server

Why leave your users to have to decide whether to click on that virus
attachment or not? Install a virus scanner that checks all of your
incoming and outgoing mail for the little buggers. Imagine the amount
of time such an installation could save you from having to clean up
user workstations and explain to management why an executive’s files
have all been corrupted. It shouldn’t take too much creative talking
to convince those who control the purse strings to pay for this one.

You can’t just use an end-user virus scanner. You’ll need software
that can reach in between the mail server and its mail. This might
sound a bit like Big Brother, but you are only scanning for viruses,
not the actual content of the mail–an important distinction in the
privacy circuit. Some of the scanners actually do look at content, so
be sure to read up on what each of the packages does before you make
your decision.

There is a wide range of scanner choices, and some work with any SMTP
server under Microsoft Windows: Norton AntiVirus Corporate Edition
with the Symantec AntiVirus/Filtering 3.0 for Exchange add-on, Sophos
Sweep, Trend Micro ScanMail, and CAI’s eTrust InoculateIt.

Wrapping Up

Don’t leave your users to get buried under spam and viruses. Do your
part to help cut down on the number of servers out there that offer
open relays to spammers, and put some spam and virus filtration on
your company’s email servers so that the users can have more time to
do their paying work and keep your company going. Lost work hours add
up with all of the time spent deleting spam these days, and it’s not
only the user that gets a headache when they activate a virus on their
system. You get to clean it up.

Even if you only take the time to make sure your server’s locked down,
you’re doing a huge service to the Internet community. Once you’ve
done that, talk to your peers and make sure they’ve got their servers
locked down, and get them to talk to theirs. We can’t completely stop
the spam deluge this way, but we can make life a lot harder for the

Bone up on your local laws, too. In some states and cities, you can
actually sue spammers for damages or lost time. The best way to stop
unethical business practices is often to hit the business where it
hurts: in the pocketbook.
