FOCUS on Microsoft: Securing Exchange: Securing your Exchange Server Installation
SecurityFocus 2000-01-09

Securing your Exchange Server Installation
by Monty Hall
Copyright 2000 SecurityFocus.com

No Internet service is as widely used as electronic messaging. Even the word "e-mail" has risen from the status of computer jargon to acceptable English usage. With messaging's rise in popularity has come a subsequent rise in dependence on it, and many companies rely on their messaging systems for additional services such as scheduling, project collaboration, and file storage. Although this single access point for information is convenient and easy for the end user, it creates a blaring target for those with less honorable intentions.

In this article, I will take a close look at Exchange Server, Microsoft's messaging platform. First, I will examine some basic and not-so-basic steps toward securing an Exchange Server installation. Then I will consider the options available to connect this platform securely to the Internet.

The Worst That Could Happen

Website defacement is a more glamorous crime, but it is the "cyberspy's" quest for access to information that presents the most immediate danger to e-mail-dependent companies. No other platform in the IT infrastructure combines so much information with ready availability to so many client machines as Exchange Server. As a result, there are four attack scenarios for which the system administrator must prepare.

First, and most common, is the "denial of service" (or DoS) attack, in which the Exchange Server becomes unavailable. A corporation that relies heavily on messaging can be crippled by such an event. A DoS attack occurs when enough additional overhead is created that the server has to refuse legitimate service requests due to lack of available resources. This can be accomplished either by a simple "spam" attack (when a machine is flooded with useless e-mail) or by complex buffer overruns, in which an attacker's code is executed ad infinitum in privileged memory space.

The practice of "spoofing" is also common, and occurs when an external attacker poses as a legitimate email user in order to spread misinformation or trick employees into sending sensitive data.

Of course, there is the threat of the virus. We should learn our lesson from Melissa: a single infected message can spread through an organization like, well, a virus. Not all viruses, however, are as obvious as Melissa; some are "Trojan horses," e-mail attachments that are harmless until brought inside an organization's defenses. It is only upon unwitting execution that they do their damage.

Lastly, there is traditional theft of information. The methods used, however, are becoming less and less traditional; they usually entail either "sniffing" information off of a company's network or gaining entry through escalated user privileges.

As you can see, there is quite a bit to be concerned about. Fortunately, there are ways to defend against all four types of attack.

Start With the Operating System

The best security model is premised on multiple layers put between public networks and internal resources, which make access to those resources extremely difficult. Too often, a company's security is limited to a kind of fortress mentality, with a strong perimeter defense (firewall/packet filtering) but no interior auxiliary defenses. Don't be overconfident (like the Trojans before you) about the impregnability of your single wall. The more layers there are to your defense, the more secure your resources will be. A good security model addresses every aspect of a company's resources, from the smallest to the largest. Currently, the largest organizational unit in the Microsoft realm is the NT domain (a domain is simply a collection of resources that share a common security database). The security of the NT domain has a tremendous amount of influence over how protected the Exchange Server will be.

Often, the Exchange Server is made a trusted member of the internal domain, yet this configuration, although seemingly logical, creates an excellent launching point for attacks against network resources. It is even worse if this machine is made a domain controller of the internal domain; this makes the SAM database vulnerable to attacks as well. In this scenario, making Exchange a member server is clearly less damaging, although there is still potential for information to be stored in its registry or files that could aid an attacker in gaining access to network resources.

A better solution is to put the Exchange Server in its own domain; in this way any information taken from it would most likely be irrelevant to a company's internal resources. Simply create a one-way trust to the internal domain so that authenticated users can access Exchange's resources.

Exchange Server, like all of Microsoft's Back Office products, is dependent on Windows NT for its security management and is highly integrated into the operating system. Microsoft has taken great pains to make NT a user-friendly product, but there is more to it than simply installing it out of the box. NT is a powerful operating system, with a myriad of configuration options and parameters. Securing NT is the first step in securing an Exchange Server; an excellent configuration for this purpose can be found on SecurityFocus.com at ntsecure.html.

An unsecured service account represents a huge security risk because of the access this account requires to function. Many companies simply copy the Administrator account and give it a glaringly obvious name such as ExchServ or ExchAdmin. One of the simplest and most effective ways to secure an Exchange Server is to give this account the name of a fictitious user (such as DavidH or DHasselhoff) and use a complex password. (For an excellent discussion of complex passwords, see /advisories/485.)

Encryption can also help to keep a server secure. Microsoft usually releases new versions of its Service Packs as an exportable 40-bit encryption package. However, in the United States and Canada, there is a 128-bit encrypted version available. The difference in time necessary to crack 40-bit encryption versus 128-bit is considerable, akin to the difference between a hundred-yard dash and a marathon. To obtain this enhanced-security version, connect to Microsoft's website from a computer within a registered United States domain and download it, or, for a few dollars, order the CD-ROM from Microsoft. This simple step is essential to locking down Exchange/NT installations.

Many organizations use desktop-level software for their anti-virus needs, which is a good start but insufficient. Hackers are increasingly able to gain access to secure systems through e-mail-borne viruses and Trojan horses, as discussed above. Some commercially available anti-virus software can detect such evils, but it depends on the user to eradicate them. Instead, you will need an agent that runs on the Exchange Server and scans messages as they come in, so that the tainted code never makes it inside the organization. Many vendors of desktop anti-virus software offer agent-based Exchange anti-virus software.

What about Exchange?

There are a number of features built into Exchange which will aid in securing the system. By default, the IMC (Internet Mail Connector) will accept connections from any IP address. If your configuration only requires communication with a limited number of hosts, you can deny traffic from all other nodes, creating a much more difficult task for a would-be attacker.

Additionally, it is very simple within Exchange to restrict which users will have access to Internet e-mail. For example, you may want to prevent consultants or temporary employees from being able to send e-mail outside of the company. You can also limit the size of messages that the IMC will pass either into your organization or out to the Internet. By limiting this parameter, you can effectively prevent denial of service attacks based around sending large e-mail attachments.

Another feature is the ability to allow or deny emails based on the origin of the message. Although this is a bit reactive, it can aid your anti-spamming efforts. Equally important is disabling automatic replies out to the Internet. Many users enjoy setting up Out-of-Office replies when they are away. However, this information should be kept within your organization since it could be quite useful in the wrong hands.
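The three IMC restrictions just described (accept connections only from known hosts, cap message size in either direction, refuse mail by sender origin) together with keeping Out-of-Office replies internal can be modelled as one small policy check. The following is an added example written for this article, not Exchange code or any Microsoft API; the `ImcPolicy` class, the sample address blocks, domains, size limit and delivery records are all constructed for illustration.

```python
"""Model of the Internet Mail Connector restrictions described above:
a source-address allow-list, a maximum message size, a sender-origin
deny-list, and Out-of-Office replies that stay inside the organisation.
Added example, not Exchange code; every address, domain and limit below
is a constructed sample value."""
import ipaddress
from dataclasses import dataclass


@dataclass
class ImcPolicy:
    allowed_peers: tuple          # CIDR blocks the IMC accepts connections from
    max_size_bytes: int           # largest message passed inbound or outbound
    denied_senders: frozenset     # sender domains or full addresses to refuse
    internal_domains: frozenset   # our own domains; auto-replies stay here

    def connection_allowed(self, peer_ip):
        """True when the connecting host falls inside an allowed block."""
        addr = ipaddress.ip_address(peer_ip)
        return any(addr in ipaddress.ip_network(block) for block in self.allowed_peers)

    def message_problems(self, sender, size_bytes):
        """Return the list of reasons a message would be rejected (empty = OK)."""
        problems = []
        if size_bytes > self.max_size_bytes:
            problems.append("too-large")
        sender = sender.lower()
        domain = sender.rpartition("@")[2]
        if sender in self.denied_senders or domain in self.denied_senders:
            problems.append("denied-sender")
        return problems

    def auto_reply_allowed(self, original_sender):
        """Out-of-Office replies go only to senders inside the organisation."""
        return original_sender.rpartition("@")[2].lower() in self.internal_domains


# Constructed policy: an ISP relay block, our DMZ relay, a 5 MB cap,
# two blocked origins and one internal domain.
POLICY = ImcPolicy(
    allowed_peers=("192.0.2.0/24", "198.51.100.10/32"),
    max_size_bytes=5 * 1024 * 1024,
    denied_senders=frozenset({"spam.example", "bulk@lists.example"}),
    internal_domains=frozenset({"corp.example"}),
)

# Constructed delivery attempts: (peer IP, envelope sender, size in bytes).
SAMPLE_DELIVERIES = (
    ("192.0.2.44", "partner@vendor.example", 120_000),
    ("203.0.113.9", "partner@vendor.example", 120_000),
    ("192.0.2.44", "anyone@spam.example", 3_000),
    ("198.51.100.10", "friend@other.example", 12 * 1024 * 1024),
)


def decide(policy, peer_ip, sender, size_bytes):
    """Connection check first, then message checks; mirrors the IMC's order."""
    if not policy.connection_allowed(peer_ip):
        return "refuse-connection"
    problems = policy.message_problems(sender, size_bytes)
    return "accept" if not problems else "reject:" + ",".join(problems)


def audit(policy=POLICY, deliveries=SAMPLE_DELIVERIES):
    """Evaluate every sample delivery and return the verdicts in order."""
    return [decide(policy, *delivery) for delivery in deliveries]


if __name__ == "__main__":
    for delivery, verdict in zip(SAMPLE_DELIVERIES, audit()):
        print(delivery, "->", verdict)
```

The connection test runs before any message data is examined, which is the point of the IP restriction: a host outside the allow-list never gets to spend the server's resources on a large attachment or a forged sender.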

Let's get on the Internet

Any network connected to the Internet should implement some sort of firewall. An in-depth discussion of firewalls is beyond the scope of this article, but there are a number of excellent products available on the market. At the very least, packet filtering (selectively blocking packets based on their origin, protocol type, or service request) should be enabled on your organization's perimeter router to block unnecessary traffic. Building Internet Firewalls (by Chapman and Zwicky, O'Reilly & Associates, 1995, available from Amazon) is still the Bible on the subject. A well-thought-out and well-implemented filtering strategy is an excellent step towards preventing unauthorized external access.

Where Do I Put It?

I've covered the importance of placement of the Exchange Server within the NT domain architecture; now I'll address its placement within the network. Usually, a de-militarized zone (or DMZ) is created as a buffer between the corporate network and the Internet, and then layers of defense are added on both sides of this 'zone'. The DMZ should contain all of the machines that need to be available to the Internet. In general, little valuable information should be left on these machines, since they are constantly being "touched" by Internet users. Many companies, due to budget constraints or ignorance, choose to keep their Exchange Servers in the DMZ along with Web and DNS servers, making all of that precious data vulnerable to attack.

Ideally, a bastion host should sit in the DMZ and act as a relay for the Exchange Server. There are a number of SMTP proxy products, some of which are even free, that are specifically designed to sit in the DMZ and relay mail from the Internet to the Exchange Server, which then sits safely behind multiple (and secure) layers. This can also be done quite simply with another copy of Exchange: install Exchange, add the Internet Mail Connector, and add it to your existing site. In essence, this machine only routes SMTP traffic, so there is no need for mailboxes or public folders to be present, and very little data is externally exposed.

If the Exchange Server must be placed in the DMZ, at the very least there should be two network cards in the machine. This way, one interface sits on the private network and services user requests, and the other sits on the external network passing mail to and from the Internet. With this setup, routing between the interfaces should be disabled, otherwise transmitted packets can bypass the packet filters on your routers. In addition, it's a good idea with dual-homed machines to unbind any unnecessary services from the external interface; this can be done in the "bindings" feature in the Control Panel network applet. All extraneous software should also be removed, and superfluous services disabled. This gives a would-be attacker fewer entry points to exploit.
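The relay in the DMZ and the dual-homed configuration both come down to the same rule: mail arriving on the external interface is accepted only for the company's own domains and handed inward to Exchange, while mail arriving on the internal interface may go anywhere. The following is an added example of that decision logic as an SMTP server-side state machine, written for this article and not taken from any SMTP proxy product or from Exchange; the interface labels, the relay and Exchange host names, the local domain and the two client sessions are constructed.

```python
"""Toy SMTP relay decision logic for a DMZ host with an external and an
internal interface. Added example, not the code of any real relay product.
Assumptions: LOCAL_DOMAINS holds the company's mail domains and
INTERNAL_HOST is the Exchange server behind the packet filters."""

LOCAL_DOMAINS = {"corp.example"}          # constructed: our own mail domains
INTERNAL_HOST = "exchange.corp.example"   # constructed: Exchange behind the filters


def _address(arg):
    """Extract user@domain from 'FROM:<user@domain>' or 'TO:<user@domain>'."""
    return arg.partition(":")[2].strip().strip("<>").lower()


def route_for(recipient):
    """Local domains are handed inward to Exchange; all others go to the Internet."""
    domain = recipient.rpartition("@")[2]
    return INTERNAL_HOST if domain in LOCAL_DOMAINS else "internet-mx"


class RelaySession:
    """One SMTP conversation; 'interface' is the side the client connected on."""

    def __init__(self, interface):
        if interface not in ("external", "internal"):
            raise ValueError("interface must be 'external' or 'internal'")
        self.interface = interface
        self.greeted = False
        self.mail_from = None
        self.rcpts = []
        self.log = []   # (client line, server reply) pairs for the transcript

    def handle(self, line):
        """Process one client command and return the server's reply line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            reply = "250 relay.dmz.example"
        elif not self.greeted:
            reply = "503 send HELO first"
        elif verb == "MAIL":
            self.mail_from = _address(arg)
            self.rcpts = []
            reply = "250 sender ok"
        elif verb == "RCPT":
            if self.mail_from is None:
                reply = "503 MAIL first"
            else:
                rcpt = _address(arg)
                domain = rcpt.rpartition("@")[2]
                # The relay rule: from outside, only our own domains are accepted.
                if self.interface == "external" and domain not in LOCAL_DOMAINS:
                    reply = "550 relaying denied"
                else:
                    self.rcpts.append(rcpt)
                    reply = "250 recipient ok"
        elif verb == "DATA":
            # Message body handling is omitted in this model.
            reply = "354 go ahead" if self.rcpts else "503 no valid recipients"
        elif verb == "QUIT":
            reply = "221 bye"
        else:
            reply = "500 unrecognised command"
        self.log.append((line.strip(), reply))
        return reply


def run_session(interface, client_lines):
    """Feed a scripted client through a session and return the reply lines."""
    session = RelaySession(interface)
    return [session.handle(line) for line in client_lines]


# Constructed sessions: an outside host tries one local and one foreign recipient;
# the internal Exchange server sends outbound mail through the relay.
EXTERNAL_SESSION = [
    "HELO mail.vendor.example",
    "MAIL FROM:<partner@vendor.example>",
    "RCPT TO:<alice@corp.example>",
    "RCPT TO:<bob@other.example>",
    "DATA",
    "QUIT",
]
INTERNAL_SESSION = [
    "EHLO exchange.corp.example",
    "MAIL FROM:<alice@corp.example>",
    "RCPT TO:<bob@other.example>",
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    for name, side, script in (("external", "external", EXTERNAL_SESSION),
                               ("internal", "internal", INTERNAL_SESSION)):
        print(f"--- {name} client ---")
        for client_line, reply in zip(script, run_session(side, script)):
            print("C:", client_line)
            print("S:", reply)
```

Because the decision keys on the interface the connection arrived on, it only holds if routing between the two interfaces is disabled, as the text above requires; otherwise a packet entering on the external side could reach the internal listener and be treated as trusted.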

Although Domain Name Service (DNS is an Internet system for translating names of network nodes into addresses that computers can understand) is not actually part of Exchange, it does play an integral role in its function. The Exchange Server needs access to DNS servers if it will be routing Internet-bound messages. These servers may or may not belong to a company; they may belong to the company's Internet Service Provider. External DNS lookups present opportunities to attackers, so the alternative is to manage DNS from within the company or use an SMTP relay for Internet-bound mail. Many organizations manage their own DNS without proper regard for the security implications. Often, hackers are able to perform direct zone transfers from DNS servers that maintain host information about a company's precious internal resources. If you take on the responsibility of managing DNS, at the very least, use separate servers for internal and external resources.

The Future

There are a number of factors involved in securing an Exchange installation, and all should be addressed. The more encompassing the security solution, the better. Focusing too closely on one aspect and neglecting others creates opportunities for someone attempting to penetrate your defenses. In the impending release of Windows 2K, many of the security features, such as encryption and authentication, will change. The next release of Exchange (code named "Platinum") will be highly integrated with the operating system, utilizing the Active Directory for single-point configuration and security. As these products are redeveloped, their web functionality increases and improves, and more security issues are presented. Maintaining a high level of security is an ongoing task. What is secure today is not necessarily secure tomorrow. Staying ahead of the knowledge curve will help you maintain security as the technology continues to evolve; to this end there are a number of mailing lists, newsgroups, and websites to help you stay current. New exploits and viruses are discovered every day. The biggest security risk you can take is to be complacent about how much you know.



