Chapter 5: Protection
To keep your Exchange Server computers secure, look carefully at group memberships. One of the most critical groups to monitor is the Exchange Domain Servers group. Any user or computer account that is a member of the Exchange Domain Servers group has full control of the Exchange organization, so it is extremely important to secure membership of this group. You should also ensure that membership of the Built-in/Administrators group on the Exchange Server computers is tightly locked down, because members of this group automatically have Send As permissions on all mailboxes for that server. The most efficient way to control membership of these groups is through Group Policy.
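One way to monitor the two groups named above, as an added example that is not part of the original guide: a PowerShell function that compares observed membership with an approved baseline and reports unapproved and missing accounts. The domain, server and account names are constructed, and the commented cmdlets only indicate where live membership data could come from.

```powershell
# Added example. All domain, server and account names below are constructed.
function Compare-GroupBaseline {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [string[]] $Approved = @(),
        [string[]] $Actual   = @()
    )
    # -notcontains is case-insensitive, matching how Windows treats account names.
    foreach ($m in $Actual) {
        if ($Approved -notcontains $m) {
            [pscustomobject]@{ Group = $Group; Member = $m; Finding = 'Unapproved' }
        }
    }
    foreach ($m in $Approved) {
        if ($Actual -notcontains $m) {
            [pscustomobject]@{ Group = $Group; Member = $m; Finding = 'Missing' }
        }
    }
}

# Approved membership (constructed). Keep this baseline under change control.
$baseline = @{
    'Exchange Domain Servers' = @('CONTOSO\EXCH01$', 'CONTOSO\EXCH02$')
    'EXCH01\Administrators'   = @('CONTOSO\Domain Admins', 'EXCH01\Administrator')
}

# Observed membership (constructed so the example runs offline).
# On a live system the lists could be collected with, for example:
#   Get-ADGroupMember -Identity 'Exchange Domain Servers' -Recursive  # ActiveDirectory module
#   Get-LocalGroupMember -Group 'Administrators'                      # on each Exchange server
# and normalised to DOMAIN\name strings before comparison.
$observed = @{
    'Exchange Domain Servers' = @('CONTOSO\EXCH01$', 'CONTOSO\EXCH02$', 'CONTOSO\jsmith')
    'EXCH01\Administrators'   = @('contoso\domain admins', 'EXCH01\Administrator',
                                  'CONTOSO\helpdesk')
}

$findings = foreach ($g in $baseline.Keys) {
    Compare-GroupBaseline -Group $g -Approved $baseline[$g] -Actual $observed[$g]
}

$findings | Sort-Object Group, Finding | Format-Table -AutoSize
if ($findings) {
    Write-Warning "$(@($findings).Count) membership deviation(s) from the approved baseline."
}
```

A user account in Exchange Domain Servers, or an unexpected account in the local Administrators group, is the kind of drift this section warns about; Group Policy remains the control that enforces the approved membership.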
You should also audit for configuration changes to Exchange. A good change and configuration management system ensures that no changes are made to the system which have not been
Your Exchange operations department should ensure that it receives security bulletins from Microsoft. To receive these bulletins, visit the following Web site:
http://www.microsoft.com/technet/security/notify.asp
In cases where a security breach has been exposed and a new hot fix needs to be applied, the change should generally be considered urgent and should travel through the change configuration process accordingly.
One of the best ways of protecting against malicious use of
Of course, you still need to protect your Exchange Server computer against external attack. The rest of this section examines what you need to consider when you are operating one or more firewalls in your environment.
Firewall Operations
Exchange can exist in a variety of different firewall configurations. As part of your planning and deployment you will have chosen how to deploy your firewall solutions around Exchange. Possible deployments range from a single firewall in front of servers running Exchange to multiple firewalls in front of and behind
Firewall configuration is typically rather complex, so it is very important that operations personnel have a clear understanding of exactly how firewalls are configured within their organization, what they should keep out and what they should let in, when they are correctly