One of Microsoft's primary focuses in developing Exchange Server 2007 was security. As such, Exchange 2007 is designed to be secure by default. For example, Exchange 2007 has a built-in self-signing certificate. This allows communications between Exchange 2007 servers, or between Exchange 2007 and Outlook 2007 clients to automatically be encrypted. Its secure-by-default nature means there are a lot of settings you can manually set, relatively speaking, to make Exchange 2007 more secure. The best thing you can do to secure your Exchange 2007 deployment -- aside from the obvious, such as installing updates -- is to design your deployment with security in mind.
This article will focus on some of the most obvious threats to security. I'll discuss how your antivirus and antispam strategy should match the overall design of your Exchange Server deployment.
Security, Exchange 2003 style
In an Exchange Server 2003 environment, the generally accepted practice was to install Exchange-aware antivirus software on mailbox servers. The idea was that by doing so, viruses could be removed before they were placed in user's inboxes, or before a virus from an infected workstation left the organization. On the client end, Outlook integrated antivirus software would check messages in the user’s inboxes for any viruses that might have slipped through the server’s scanning engine.
In Exchange Server 2007, this basic strategy has changed radically. The reason for this is that Exchange Server 2007 is role-based. Exchange Servers in your organization perform different tasks, depending upon the roles installed. Since Exchange servers are performing a variety of specialized tasks, it doesn’t make sense to use a single, catch-all approach in protecting the servers from viruses and spam.
Exchange 2007 server roles
- Hub Transport Server Role: Used for message routing. This role is required whether you need to route messages between two mailboxes on the same server or between the Exchange Server and Internet based recipients.
- Client Access Server Role: Similar to the Exchange Front End Server role found in Exchange Server 2003. It provides the Outlook Web Access Interface through which external users may access the server.
- Mailbox Server Role: Required for any server that will be hosting mailbox stores.
- Unified Messaging Role: Acts as an interface between the Exchange 2007 Server and a compatible PBX phone system. This allows voice and fax messages to be placed into user’s inboxes.
- Edge Transport Role: Cannot be used in conjunction with any other roles. Servers running this role are typically placed in an organization’s DMZ. These servers work to filter out viruses and spam before messages are allowed to flow into Exchange Servers within the perimeter network.
Protecting Exchange Server against viruses
Microsoft's recommended antivirus solution for Exchange 2007 involves using a product called ForeFront Security for Exchange Server (ForeFront), which is designed to use multiple scanning engines. The scanning engines currently available for use with ForeFront include:
- Sophos Virus Detection Engine
- VirusBuster AntiVirus Scan Engine
- CA Innoculate IT
- Norman Virus Control
- Microsoft Antimalware engine
- Kaspersky Antivirus Technology
- CA Vet
- Authentium Command Antivirus
- AhnLab Antivirus Scan Engine
ForeFront allows you to use up to five of these scanning engines simultaneously. The advantage is that having multiple scanning engines makes your organization less vulnerable to zero-day virus attacks. Imagine, for example, that you were protecting your Exchange organization with Norton AntiVirus. If a brand new virus was unleashed tomorrow, and Symantec was the first antivirus company to release a signature that would allow their product to detect and eradicate the virus, your organization would obviously be very well protected.
However, next week a new virus could be discovered, and this time Symantec might be the last to release a signature. Your company would be completely vulnerable to the virus until you finally received the signature; those protecting their networks with other antivirus products would already be protected.
You never know how quickly an antivirus company will be able to release a signature for the next virus discovered. The odds of getting a signature quickly for the next new virus increase dramatically when you add additional scanning engines. By running five different scanning engines on your Exchange Servers, you can be reasonably sure that at least one of those engines will be among the first to receive a signature for new viruses.
Whether you use Microsoft's ForeFront or a third-party antivirus product, the real trick to protecting your Exchange organization is to apply virus protection to each server with respect to the Exchange Server roles hosted on that server. Building an Exchange organization that has optimal security usually means having multiple Exchange 2007 servers, each dedicated to hosting a specific role. If you're running ForeFront on each Exchange Server, then you'll need to ensure that each server is updated regularly with the latest antivirus signatures. (This is easier than it might sound.) Microsoft packages the signatures for each of the antivirus engines, so you don't have to download the signatures for the various engines individually. The signatures can be downloaded to a distribution server that then pushes the signatures out to each individual Exchange Server.
Hub transport servers
As I explained earlier, the hub transport server is responsible for routing messages within your Exchange organization. Every message flows through your hub transport server, regardless of whether the message was generated internally or externally.
It is important to have a transport-level antivirus solution in place on hub transport servers to stop the spread of viruses within your organization. For example, if a user sends a message to another user in your organization using Outlook, then the message will never pass through the edge transport server because the message is intended for an internal destination. It will, however, pass through a hub transport server. If the message contains an infected attachment, the hub transport server is one of the best places to detect and remove that infection.
At first, it might not make a lot of sense to perform Exchange-level scanning on mailbox servers, since the messages will have been scanned at the transport level. The problem is that old, infected messages may exist in the database from before ForeFront was implemented. Likewise, it is possible for an infected message to be added to the database if no signature for the virus exists at the time the message passes through the transport.
Even so, the majority of the messages in the database will normally be safe. ForeFront does not scan the databases upon message submission, but rather when messages are accessed. In addition, ForeFront performs background scans of the entire database that should catch any viruses existing in very old messages.
Client access servers
Client access servers present a unique situation because they are not "true" exchange servers, but simply Web servers that provide an interface to back-end databases. As such, client access servers should be protected in the same way that you would protect any other Web server. This means implementing an antivirus solution that can protect the server's file system.
Edge transport servers
When it comes to protecting your organization against viruses, the edge transport server needs the most attention. After all, this is the server responsible for moving messages between your Exchange organization and the outside world.
ForeFront is responsible for scanning each e-mail message as it comes into or leaves your Exchange Server organization. In addition, ForeFront can be used to keep prohibited file types out of your organization.
Exchange 2007 is designed to allow you to filter file attachments from inbound messages based on file extension. For example, if you wanted to make sure that inbound messages did not contain executable code, you could configure Exchange to block EXE, BAT, and PIF extensions. The problem with this method is that Exchange only looks at the file's extension, not its content. Therefore, if someone were to give an EXE file a TXT extension, the file would not be filtered, even though it contains executable code. However, ForeFront can be used to augment attachment filtering by looking at the actual contents of the attached file rather than just looking at the file's name.
By now, you know it is advisable to implement some form of antivirus protection on each of your Exchange servers. You probably also realize that the scanning process can be resource intensive, especially when multiple scanning engines are in use. Consequently, you have to consider whether or not it's necessary to scan a file that has already been scanned by another server.
If you want to avoid repetitive scanning, ForeFront can help. The edge transport server can be configured so a digital signature is applied to scanned messages. Other servers in the organization see this signature and know there is no need to scan the message.
Hosted filtering can be used to scan inbound e-mail messages for viruses. Most of the benefits associated with using hosted filtering for spam control also apply when hosted filtering is used as a means for protecting the organization against viruses.
Protecting Exchange Server against spam
Throughout this article, I have focused primarily on protecting your Exchange Server organization against viruses. However, spam is almost as big of a security threat as viruses are. After all, spam often carries viruses, or contains links to malicious Web sites. The effects of high quantities of spam can also be similar to a denial-of-service attack.
In an Exchange 2003 environment, most organizations filtered spam at the parameter level. Often, an antispam appliance would be placed between the firewall and the Exchange Server organization. In other situations, spam-filtering software might be loaded directly onto servers containing mailboxes.
The strategy really hasn’t changed much in Exchange 2007 except that Microsoft now offers hosted filtering for spam. Messages sent to recipients in your organization are directed to a server owned by Microsoft, rather than being sent directly to one of your mail servers. Upon arrival, the spam is removed and legitimate messages are forwarded on to your Exchange Server organization.
The largest benefit to hosted filtering is bandwidth conservation. By allowing Microsoft to filter spam on your behalf, you are avoiding having thousands of spam messages flowing through your network perimeter every day, freeing up a lot of bandwidth. Depending upon how your current antispam solution is set up, you may find that you also conserve resources on your mail server, such as CPU time, disk space, and memory.