As with everything else in Windows, it's important to make sure that you have secured your Exchange server as much as possible. After all, it's not a good idea to install something as important as a mail server that handles important communications for your entire organization, and then let an outsider into it and change an important setting that you carefully configured.
Just as important is the requirement to make sure that nefarious people cannot get into your server and read your users' e-mail. Some of these e-mails could contain company confidential information, especially given the fact that most users will not be aware of the need to secure confidential information in their e-mail messages.
So how do you go about handling such problems? One way, suggested in an article by Kent Joshi at InformIT, is to use the Encrypting File System (EFS) for your e-mail message store.
Exchange administrators can invoke EFS on the server. You then right click on the file you want protected, and then follow the wizards to set EFS in place. Once that's done, a user can even grant access to his mailbox to another user, or the administrator can do so, and that second person will be unable to read mail that the user has encrypted from his Outlook client.
You will also want to ensure that access to the Exchange server is controlled, so that rogue persons cannot get into the server and alter settings. You can do this with a Group Policy Object (GPO), specifying which groups of users are allowed to access the server itself.
But there's one thing that many people might forget, and that is to ensure that the GPOs themselves are secured with an access control list. If someone can get into your GPOs and alter them, they could give themselves access to your entire network setup. So make sure you use restrictive Access Control Lists that will not allow just anyone to view or edit them.
David Gabel has been testing and writing about computers for 25 years.