Title: Message
It's just locking it down a bit tighter.  Fewer ports open = fewer exploits available.  Bringing your Exchange server inside the LAN makes it virtually invisible to those on the outside that would do evil things to it.  It's way easier to lock down a server that only has to do one thing - SMTP - port 25, than to lock down an Exchange server, which needs so many other ports open besides simple SMTP.
You can set up a separate SMTP server on your DMZ, just for Internet mail, and have it forward to your Exchange server through your firewall (and vice-versa).  Have your firewall configured to ONLY allow traffic from your SMTP server into your Exchange server via the DMZ.  With this setup you can also implement attachment/content filtering outside of your Exchange server (using Mail Essentials, NAV for Gateways, or a similar product).
 
It's early, so I hope I've explained this clearly - if anyone has a different opinion, or configuration preference, I am sure I'll hear about it as the day goes on ;-)
 
Jim
 
Jim Holmgren MCSE, CCNA
[EMAIL PROTECTED]
Network Engineer
Advertising.com

We bring innovation to interactive communication.
Advertising.com -- Superior Technology. Superior Performance.
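
The relay layout described in the message above, as an added example that is not part of the original e-mail: a first-match audit that compares a policy exposing Exchange directly with one that admits only the DMZ SMTP relay. The addresses, rule sets and probe list are constructed placeholders, and the example assumes the relay needs only TCP 25 to reach Exchange.

```python
# Added example: first-match audit of a firewall policy for the DMZ relay design.
# All addresses and rule sets below are constructed placeholders.
from ipaddress import ip_address, ip_network

RELAY = "192.0.2.25"      # hypothetical SMTP relay in the DMZ
EXCHANGE = "10.0.0.10"    # hypothetical Exchange server on the LAN

# Rule: (action, source network, destination network, TCP port or None for any)
WEAK = [  # Exchange exposed directly on SMTP, POP3 and HTTP
    ("permit", "0.0.0.0/0", "10.0.0.10/32", 25),
    ("permit", "0.0.0.0/0", "10.0.0.10/32", 110),
    ("permit", "0.0.0.0/0", "10.0.0.10/32", 80),
]
TIGHT = [  # only the relay talks to Exchange, and only on SMTP
    ("permit", "0.0.0.0/0", "192.0.2.25/32", 25),     # Internet -> relay
    ("permit", "192.0.2.25/32", "10.0.0.10/32", 25),  # relay -> Exchange
    ("permit", "10.0.0.10/32", "192.0.2.25/32", 25),  # Exchange -> relay
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

def allowed(rules, src, dst, port):
    """First matching rule wins; no match means implicit deny."""
    for action, s, d, p in rules:
        if (ip_address(src) in ip_network(s)
                and ip_address(dst) in ip_network(d)
                and p in (None, port)):
            return action == "permit"
    return False

def audit(rules, probes):
    """Return probes that reach Exchange other than relay -> Exchange on 25."""
    findings = []
    for src, port in probes:
        expected = (src == RELAY and port == 25)  # assumption: relay needs SMTP only
        if allowed(rules, src, EXCHANGE, port) and not expected:
            findings.append((src, port))
    return findings

# Constructed probes: an Internet host, another DMZ host, and the relay itself.
PROBES = [(s, p) for s in ("198.51.100.7", "192.0.2.80", RELAY)
          for p in (25, 80, 110, 135, 389)]

if __name__ == "__main__":
    print("weak :", audit(WEAK, PROBES))
    print("tight:", audit(TIGHT, PROBES))
```
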

-----Original Message-----
From: Allen Crawford [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 5:10 PM
To: MS-Exchange Admin Issues
Subject: RE: Securing Exchange Server

Isn't the DMZ as secure as the LAN with the exception that certain ports are open for the various services on the servers in the DMZ?  I guess I just don't see the difference other than that and the fact that the LAN is "unknown" to the DMZ.  But like I said, I know jack about this stuff, which is why I'm asking.  Leaving it on the LAN actually sounds easier to me anyway, I just want to understand why it is more secure.  Seems like a bad idea leaving an "exposed" computer on your LAN - I thought that was the whole point of a DMZ.

 

-----Original Message-----
From: Ben Winzenz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 4:24 PM
To: MS-Exchange Admin Issues
Subject: RE: Securing Exchange Server

 

Exchange just doesn't belong on a DMZ.  What purpose would it serve there?  For every single purpose anyone could think of, there is a better solution that keeps Exchange inside the firewall, more secure and less prone to hacker attacks.

 

Ben Winzenz, MCSE

Network/Systems Administrator

Peregrine Systems

 

-----Original Message-----
From: Allen Crawford [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 3:58 PM
To: MS-Exchange Admin Issues
Subject: RE: Securing Exchange Server

 

This may sound ignorant, and if it does, then I guess it really is ignorant, but here goes anyway.

 

Why is placing an Exchange server on the DMZ bad?  We are getting a PIX soon and are going to be changing a lot of things here.  Our reseller just informed me the price of the PIX 515 dropped big time too but that it is also being replaced by a faster one...the 515E for the same price.

 

-----Original Message-----
From: Ben Winzenz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 3:43 PM
To: MS-Exchange Admin Issues
Subject: RE: Securing Exchange Server

 

That was the intent of what I was thinking - something to tide him over.  But he also didn't say whether this was multihomed, or sitting in the DMZ (Gosh I hope not!), or what.  Without more specifics, we are trying to hit baseballs with straws.

 

Ben Winzenz, MCSE

Network/Systems Administrator

Peregrine Systems

 

-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 3:32 PM
To: MS-Exchange Admin Issues
Subject: RE: Securing Exchange Server

 

I was thinking the same thing. Heck, even ZoneAlarm or something just to hold you over.

-----Original Message-----
From: Ben Winzenz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 12:23 PM
To: MS-Exchange Admin Issues
Subject: RE: Securing Exchange Server

You can turn off unused/unwanted protocols under the Site, Configuration, Protocols, properties for each protocol.  This should render the ports inactive and unable to accept connections on them.  You can also do the same on a per server basis under the Server, Protocols, properties for each protocol.  This will cover the Exchange protocols only though.

 

I really think that if you are wanting to filter that many ports, you should look at a firewall.  Heck, even if it is a software firewall to start with.  It would be better than nothing.

 

Ben Winzenz, MCSE

Network/Systems Administrator

Peregrine Systems

 

-----Original Message-----
From: William Lefkovics [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 3:14 PM
To: MS-Exchange Admin Issues
Subject: RE: Securing Exchange Server

 

Why no SSL?

-----Original Message-----
From: Manish Govindji [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 12:11 PM
To: MS-Exchange Admin Issues
Subject: Re: Securing Exchange Server

Thanks for the reply.

 

Not for relay, but we do not have any firewall as yet, and I would like to close unnecessary ports. It's a fresh installation NT server PDC, Exchange 5.5. So all the ports are open. I just want 25, 110, 80 to be open.

 

I tried that on TCP/IP security and nobody could connect to mail server ....

 

 

----- Original Message -----

To: MS-Exchange Admin Issues

Sent: Thursday, February 21, 2002 11:02 PM

Subject: RE: Securing Exchange Server

 

So are you saying someone used you as a relay or hacked your box or what?

 

Are you behind a FW? What ports are open to the Exch server?

-----Original Message-----
From: Manish Govindji [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 11:41 AM
To: MS-Exchange Admin Issues
Subject: Securing Exchange Server

Hello,

 

I have tried many times but failed to secure our Exchange Server. We have an Exchange server for only

 

Server has NT4, IIS4, DNS.

 

How do I use the TCP/IP security tab to configure security so that all the unnecessary ports are closed? We only use Exchange for POP3 and SMTP.

 

The last time I tried I got Max user limit .... on SMTP

List Charter and FAQ at:
http://www.sunbelt-software.com/exchange_list_charter.htm
