When you mention Exchange Server 2007 security, many administrators are familiar with the various built-in mechanisms used to harden Exchange. What's often overlooked is that it's just as important to use administrative policies to secure your Exchange organization.
Administrative policies, which vary from company to company, dictate how to configure and run the Exchange organization. Although Microsoft doesn't have any official Exchange Server administrative policy best practices, here are some rules that can benefit most companies.
Apply global security settings in an Exchange organization
One important step for securing an Exchange Server 2007 organization is to apply global security settings when possible. Exchange Server 2007 lets you manage security at a more granular level than was possible with previous versions of Exchange. Even so, using granular security settings is not necessarily a good thing.
The more granular a security policy is, the more difficult it is to manage. Using global security settings spares an administrator from wondering which settings apply to a particular server or recipient. Setting policies globally is especially important for organizations that are subject to regulatory requirements. In such cases, applying security policies at a high level ensures that no objects are missed, which could happen if security were applied at a lower level. It also ensures that the policies are applied consistently across the entire organization.
Who should have an Exchange mailbox?
Although it seems that email is something everyone has, there are some accounts that should not be mail-enabled. The domain administrator account is a perfect example.
There are several reasons why you shouldn't mail-enable the domain administrator account. First, this account is a favorite target of hackers, spammers and malware authors. Having a mailbox linked to the administrator account implies that someone is regularly logging into the domain administrator account. Unfortunately, administrative actions need to be performed at times, and doing so requires administrative access.
Don't use the domain administrator account unless it's absolutely necessary. Instead, I recommend creating two separate user accounts for each user who needs administrative access to the system. One account should be granted administrative permissions; the other account should be a basic user account.
This accomplishes a few things. First, it allows administrators to perform day-to-day tasks, such as checking email, without being logged on with administrator credentials. Additionally, if a user has to perform an administrative action, the action can be audited to a specific user account, so it's easy to find out who performed it. If the domain administrator account were used for all administrative actions, the audit logs would show the actions, but it would be impossible to determine who was responsible for them.
In addition, I recommend that you don't associate mailboxes with any account that has administrative access. If a user were to open an infected email message accidentally and the attachment were able to execute, the malicious attachment would run with administrative credentials and would have free rein over the system. Using two separate user accounts for each administrator lets you link the administrator's mailbox to the non-administrative account.
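One way to check an organization against this rule is to list every mailbox whose Windows account belongs to a privileged group. The script below is an added example, not code from the original tip; it assumes the Exchange Management Shell (Get-Mailbox), PowerShell 2.0 or later with the ActiveDirectory module available, and the group list and report path are assumptions you can change.

```powershell
# Added example (not from the original tip): report mailboxes that are linked
# to members of privileged AD groups. Assumes Exchange Management Shell plus the
# ActiveDirectory module (RSAT); the group names and CSV path are assumptions.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Resolve every (nested) user member of the privileged groups into a SID -> group map.
$privilegedSids = @{}
foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $privilegedSids[$_.SID.Value] = $group }
}

# Walk every mailbox and look up the SID of the Windows account it is linked to.
# -ResultSize Unlimited avoids the default 1000-object cap on Get-Mailbox.
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $adUser = Get-ADUser -Identity $mbx.SamAccountName -ErrorAction SilentlyContinue
    if ($adUser -and $privilegedSids.ContainsKey($adUser.SID.Value)) {
        New-Object PSObject -Property @{
            Mailbox       = $mbx.PrimarySmtpAddress.ToString()
            Account       = $mbx.SamAccountName
            PrivilegedVia = $privilegedSids[$adUser.SID.Value]
        }
    }
}

if ($findings) {
    $findings | Format-Table Mailbox, Account, PrivilegedVia -AutoSize
    # Keep a record for the next review cycle (assumed path).
    $findings | Export-Csv -Path 'C:\Reports\mail-enabled-admins.csv' -NoTypeInformation
} else {
    Write-Host 'No mailbox is linked to a member of the monitored privileged groups.'
}
```

Every row in the report is an account that should either lose its mailbox or be replaced by the two-account pattern described above.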
Standardize server builds throughout your Exchange organization
I recommend standardizing server builds. Keep the versions of Windows Server and Exchange Server that you run in your organization consistent. When possible, you should not only run the same version across the organization, but also the same service pack level and the same set of patches, drivers and updates.
Consistent server builds ease management. Microsoft also sometimes changes the way a particular setting behaves when it releases a security patch or a service pack. If you aren't running consistent server builds, you may apply the same security settings across all your Exchange servers, yet not all servers will receive the same level of protection. This can create a false sense of security and leave the administrative staff needlessly spending hours troubleshooting an issue that would not exist if all versions were consistent.
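The following added example (not code from the original tip) inventories the Exchange build and Windows version of every Exchange server so that drift from the most common build stands out. It assumes the Exchange Management Shell (Get-ExchangeServer) and WMI access from the console to each server.

```powershell
# Added example (not from the original tip): inventory server builds across the
# Exchange organization and flag servers that differ from the most common build.
# Assumes Exchange Management Shell and WMI reachability to each server.
$report = foreach ($srv in Get-ExchangeServer) {
    # Exchange version as the server object reports it, e.g. "Version 8.3 (Build 83.6)".
    $exchangeBuild = $srv.AdminDisplayVersion.ToString()

    # Windows edition, service pack and version read from the server itself.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $srv.Name -ErrorAction SilentlyContinue
    if ($os) {
        $osVersion = "$($os.Caption.Trim()) $($os.CSDVersion) ($($os.Version))"
    } else {
        $osVersion = 'UNREACHABLE'   # treat as drift until someone looks at it
    }

    New-Object PSObject -Property @{
        Server        = $srv.Name
        Roles         = $srv.ServerRole.ToString()
        ExchangeBuild = $exchangeBuild
        Windows       = $osVersion
    }
}

$report | Sort-Object ExchangeBuild, Windows |
    Format-Table Server, Roles, ExchangeBuild, Windows -AutoSize

# Baseline = the most common Exchange build; anything else is reported as drift.
$buildGroups = @($report | Group-Object ExchangeBuild | Sort-Object Count -Descending)
if ($buildGroups.Count -gt 1) {
    $baseline = $buildGroups[0].Name
    Write-Warning "Exchange build drift detected; baseline (most common) is '$baseline'."
    $report | Where-Object { $_.ExchangeBuild -ne $baseline } |
        ForEach-Object { Write-Warning ("  {0} is on {1}" -f $_.Server, $_.ExchangeBuild) }
}

# Same check for the operating system build.
$osGroups = @($report | Group-Object Windows | Sort-Object Count -Descending)
if ($osGroups.Count -gt 1) {
    Write-Warning ("Windows build drift detected; {0} distinct OS builds found." -f $osGroups.Count)
}
```

AdminDisplayVersion reflects the service pack level rather than update rollups, so compare the file version of ExSetup.exe on each server as well if rollup consistency matters to you.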
About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.