Many Exchange Server experts, such as Brien Posey, have outlined some major steps you can take to protect an Exchange installation. Posey recommends implementing relay restrictions to prevent the system from being used to send email without your authorization. This encompasses using Sender ID, SPF or DKIM to describe who can use your mail relays.
Other methods to safeguard your system include the following:
• Set up some type of mailbox protection.
• Use RPC over HTTP to limit the scope of what resources can be accessed remotely.
• Protect front-end servers with some type of edge protection independent of Windows Server itself when possible.
• Keep everything up to date.
The last point is easier to uphold when you use Exchange 2010’s database availability groups for redundancy; you can apply rolling patches and not worry about much downtime. You do, however, need to be mindful of suspending mailbox services on the server before rolling out updates.
Properly planning and designing your network topology also helps protect your environment. Devin Ganger, an Exchange MVP, has listed a few security best practices for Exchange Server 2007, many of which also apply to Exchange Server 2010, including the following:
• Use the Client Submission Port for incoming email from trusted clients.
• Disable insecure (non-SSL) HTTP connections.
• Use commercial X.509 certificates, not default certificates, for Internet-facing servers.
• Use the Security Configuration Wizard to make sure that the operating system and Exchange are set up securely.
• Be sure to properly place Exchange servers. For example, you should place an Edge Transport Server role on your perimeter or Internet-facing machines and place other server roles—client access, hub transport, mailbox or unified messaging—behind that.
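Several of the items above (default certificates, the client submission port, relay restrictions and non-SSL HTTP) can be verified on a running server rather than taken on trust. The following Exchange Management Shell audit script is an added example, not code from the article or from the authors it cites; it assumes Exchange 2010 on Windows Server 2008 R2 with the IIS WebAdministration module available, and the list of virtual directories it inspects is an assumed starting point.

```powershell
# Added audit script (not from the article). Run in the Exchange Management
# Shell on an Exchange 2010 server. It reports on four of the best practices
# above: self-signed certificates still bound to IIS or SMTP, receive
# connectors listening on the client submission port (587), connectors that
# grant anonymous relay, and virtual directories that do not require SSL.
# Assumption: the WebAdministration module is present (Windows Server 2008 R2).
Import-Module WebAdministration

# 1. Default (self-signed) certificates serving IIS (OWA/EWS/ActiveSync) or SMTP.
Write-Host "== Self-signed certificates bound to IIS or SMTP =="
Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and ("$($_.Services)" -match 'IIS|SMTP') } |
    Format-Table Thumbprint, Subject, Services, NotAfter -AutoSize

# 2. Confirm a receive connector is bound to TCP 587 for trusted client submission.
Write-Host "== Receive connectors bound to port 587 =="
Get-ReceiveConnector |
    Where-Object { $_.Bindings | Where-Object { $_.Port -eq 587 } } |
    Format-Table Name, Bindings, PermissionGroups -AutoSize

# 3. Relay restriction: anonymous senders holding ms-Exch-SMTP-Accept-Any-Recipient
#    on a connector can relay to external recipients, so every hit here needs review.
Write-Host "== Connectors granting anonymous relay (should normally be empty) =="
Get-ReceiveConnector | Get-ADPermission |
    Where-Object { $_.User -like '*ANONYMOUS LOGON*' -and
                   $_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*' } |
    Format-Table Identity, User -AutoSize

# 4. Virtual directories where IIS does not require SSL (the 'Ssl' flag is absent).
#    Assumption: these four directories are the Internet-facing ones to check.
Write-Host "== Virtual directories not requiring SSL =="
foreach ($vdir in 'owa', 'ecp', 'EWS', 'Microsoft-Server-ActiveSync') {
    $path = "IIS:\Sites\Default Web Site\$vdir"
    if (Test-Path $path) {
        $flags = "$(Get-WebConfigurationProperty -PSPath $path `
                    -Filter 'system.webServer/security/access' -Name sslFlags)"
        if (($flags -split ',\s*') -notcontains 'Ssl') {
            Write-Host "  $vdir : sslFlags=$flags"
        }
    }
}
```

Anonymous users on the port 25 connector are expected for inbound Internet mail; only the Accept-Any-Recipient right in step 3 turns that into an open relay.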
Security Products for Exchange
The most logical place to look for add-on security products for Exchange Server would be Microsoft, which pushes its own Forefront Protection 2010 for Exchange Server as a one-stop solution for security from outside threats. The Unified Access Gateway product for Forefront also allows remote users to plug securely into your Exchange environment; however, it requires that clients use Windows 7. Therefore, it won’t be useful if the majority of your clients are on Windows XP or Vista.
There is a range of third-party Exchange security products. Symantec Mail Security for Microsoft Exchange supports not only Exchange Server 2010 but also Hyper-V virtualized installations. A downside of this product is its high price per mailbox, but it offers a great deal of protection for organizations that currently have none in place.
GFI MailDefense Suite uses multiple virus scanning engines as part of its detection system. Individual products within the suite, such as GFI MailSecurity, are available separately, so you can tailor the product to your organization’s specific needs.