Nine Steps to Secure your Exchange Server

In this article we will list some steps you can take to make sure your Exchange Server is running as securely as possible.



1. Harden the OS


We can’t stress enough how important it is to harden the OS that is hosting the Exchange Server. It might seem obvious to you but, in fact, many IT professionals seem to forget about this first basic step. You can try to harden the OS by yourself, or use some of the tools available out there to help you. The important thing here is to disable all unnecessary services and to patch the server regularly.




2. Run MBSA, SCW, SCM, and EBPA


So you think you’ve passed the first step? Be sure to check! The purpose of all these tools is to help you make sure your environment is secure enough.


  • Microsoft Baseline Security Analyzer (MBSA) is not a very sophisticated tool – its main purpose is to check for applied and available patches.
  • The Security Configuration Wizard (SCW) will check your OS depending on the roles of your server’s hosting and will give you some recommendations on how to enhance your security. It can help you in areas such as configuring the LM authentication protocol, SMB signing, and firewall rules for the roles of the server.
  • The Security Compliance Manager (SCM) is the newest Microsoft tool for performing a security scan on your server. The security configurations are checked against predefined templates and are deployed via Group Policy. It has a better library and features than the SCW.
  • The Exchange Best Practices Analyzer (EBPA) will check your current Exchange infrastructure against the Microsoft Best Practices. It is a good idea to check this periodically since the best practices change along with your infrastructure.



3. Use Safe and Block lists


This is a built-in, easy-to-use tool in Outlook that gives you the opportunity to specify the senders that you trust and the ones you don’t. The Exchange server then performs a safelist aggregation process, in which the Sender Filtering agent on the Edge Transport server is notified to pass or block senders that are specified by the recipient user without further inspection.



4.Use Outlook Anywhere and OWA instead of VPN


Do you want to check your email when away from the office? Or do you want to enable that feature for other users? Don’t use (or give permission to use) VPN for that. The Outlook Web App is almost as feature-rich as the normal Outlook client. But if you (or your users) feel more comfortable using Outlook, you can also enable the Outlook Anywhere feature. It gives you the opportunity to use Outlook without making a VPN connection or opening other ports through your firewalls.



5. Use Certificates for external services


It is practical to secure all external services via SSL certificate. The good news is that you can use the same certificate for all external services such as OWA, Outlook Anywhere, or ActiveSync. You have two possible choices at this step: to use an external Certificate Authority (CA) to issue your certificate or to use an internal one. If you use an external CA your users won’t have to make any additional configurations on their computers. If you choose the internal CA, then you have to make sure the users’ computers trust your internal CA, which can be difficult in cases where users frequently change their computers.



6. Use a Firewall


There are two common choices for a firewall for the Exchange Server. The first one is to use the built-in Windows Firewall with Advanced Security, which is free and easy to use. It’s also preconfigured to allow the Exchange traffic through. The second choice is to use Forefront Protection for Exchange. It is much more than just a firewall. It also offers fast and effective detection of viruses, worms, spyware and spam, all in one easy to manage tool.



7. Use Attachment Filtering / File Filtering through Forefront


Exchange has nice built-in attachment filtering functionality that you can use. It allows you to block messages that contain attachments of some kind (.exe for example). If you choose to use Forefront Protection for your Exchange server, then you can take advantage of its functionality to perform even more granular file filtering. For example, it can scan .zip, .rar, etc. container files for embedded files of interest.



8. Use a Reverse Proxy


If you choose to use Forefront for protection, you can take advantage of its feature to serve as a Reverse proxy. The idea is as follows: You want to enable external services such as OWA for your users, but you don’t want to expose your internal organization. What the reverse proxy does is make a decision whether to accept the connection from the user, or not. The way the reverse proxy makes its decision is different for the different solutions since Forefront is not your only choice. You can also use ISA, Apache, Squid, or even hardware devices for this purpose. All these proxies can block obvious hacking attempts and leave the more granular level decisions for tools inside the organization. Note that Forefront is the successor of ISA, so is a better solution than ISA.



9. Monitor the server


The last step in this list is to monitor the server. Make sure you don’t miss important information that can help you predict a failure. You can do that easily with Monitis. Here is some information on how to do it: