Hardening an Exchange Server 2003 Environment (Part 4)

And so we have reached part 4 of this series about Exchange security. In this part I’ll focus mainly on the client side of your messaging environment.

Secure the Client

It’s not all about the servers. Because Exchange 2003 is a distributed, client/server application, it is important to consider the client in your security strategy. Specifically, consider the following:

  • Limit the client base to only those required. As part of your risk management strategy, you should examine which clients are strictly required and then limit Exchange functionality to those clients. For example, to run POP3 or IMAP4 clients in your organization, you must first enable these services in your Exchange 2003 environment. You can also restrict which versions of Outlook are allowed to connect to your servers.
  • Ensure that your patch management plan extends beyond the operating system on the client desktop. Use current and patched versions of the client software, regularly checking for client security updates.
  • Users are important in helping keep the client secure. Therefore, you should educate your users about e-mail viruses, virus hoaxes, chain letters, and spam, and then establish procedures that your users can follow when they encounter such mail.
  • Keep client anti-virus up to date.
  • Use the out-of-the-box security features of Outlook 2003 and OWA 2003 (attachment blocking, junk mail filtering, beacon blocking).

Patch Management

Patch management helps you maintain operational efficiency, overcome security vulnerabilities, and maintain the stability of your production environment.

In my work experience I’ve noticed that patch management can be a drama for some sysadmins. Every time a patch needs to be applied to a production server, they just don’t feel comfortable installing something that can compromise system uptime (most Microsoft hotfixes require a reboot) or, in a worst-case scenario, turn their servers into a wreck.

I really understand why they don’t feel comfortable. Let’s face it, security patches and hotfixes don’t go through all the quality testing that gold releases of software have to comply with. But patch management doesn’t have to be a drama; there are measures you can take to minimize the risks. For instance, as a best practice you should always test a patch in a test environment before applying it to your production servers.

When patching Exchange, it is important that you remain current with the latest patch level, but you should not disregard the operating system. If the operating system is vulnerable, then Exchange is also vulnerable.

Microsoft supplies several tools to help you stay current with the latest service packs, hotfixes and patches: Windows Server Update Services (WSUS), Microsoft Update, Automatic Updates (I really don’t think you should use this one on your servers), Systems Management Server (SMS) and Microsoft Baseline Security Analyzer (MBSA). These tools can be of extreme value, especially on the client side, helping you keep all workstations at the latest patch level and keep anti-virus definitions, or even the latest Junk E-mail Filter definitions, up to date.

It’s up to you to define your patch management strategy, but you definitely should have one. Needless to say, patch management is absolutely crucial for security. Most of the virus outbreaks I know of could have been avoided if the proper security patch had been applied some months before.

Microsoft has some great online resources about the subject. You can start here: Security Guidance for Patch Management.

Educate Users

Educate, inform, evangelize. One of the most important steps to protect your network is user education. Users should be made aware of company policies for acceptable usage of the network and network resources, including e-mail.

For instance, one effective way of combating spam is to educate your users about how to handle it. In fact, people are probably the most important defense against spam. Spammers often employ social engineering tactics against your users, such as messages with fraudulent content, forged senders (aka phishing) and many others.

Another important battle where user education can really make a difference is your anti-virus strategy. If users are aware of viruses, recognize a potentially dangerous attachment and know which messages not to open, they can help stop a virus from spreading.

It’s your responsibility to keep your users informed. Don’t be shy, use every means within your reach: workshops, newsletters, paper posters next to the coffee machine, just spread the word (but avoid starting your own spam business).

Message Security

Although Microsoft has a complete document about this subject (Exchange Server Message Security Guide), I’ll try to give you just the essential information and then you can later complement it by reading the entire guide.

As you probably know, SMTP was not designed to be secure. In response to that, Secure/Multipurpose Internet Mail Extensions (S/MIME) emerged as a standard that adds security capabilities to SMTP mail. S/MIME provides two security services: digital signatures and message encryption. These two services are the core of S/MIME-based message security and together they provide authentication, non-repudiation, data integrity and confidentiality.

Although Exchange Server 2003 supports a variety of client programs, not all of them support S/MIME. Exchange 2003 provides full S/MIME support not only for MAPI clients, but also through the Internet e-mail standard protocols POP3 and IMAP4, provided the e-mail client supports S/MIME version 2 or version 3.

In a fully deployed Exchange Server 2003-based message security system, there are three technologies that make up the complete solution:

  • Exchange Server 2003
  • E-mail client
  • PKI

Exchange Server 2003 is limited to delivering and storing S/MIME e-mail messages; the e-mail client and the PKI provide the digital signature and encryption functions. Your job is to integrate these components rather than configure Exchange Server 2003 to support S/MIME (Exchange is, by the way, configured by default to support S/MIME).

Figure 1: Conceptual drawing of the three components of an Exchange security system

Your security design strategy should also define how e-mail client default settings for outgoing e-mail messages should be configured. Available options are:

  • Encrypt contents and attachments for outgoing messages.
  • Add digital signature to outgoing messages.
  • Send clear text signed message when sending signed messages.
  • Request secure receipt for all S/MIME signed messages.

Also remember that S/MIME adds some performance overhead to both clients and servers, so use it with care.
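As an added example (not code from the article or from Microsoft's guide), the following Python uses only the standard library to tell from a stored message's MIME structure which S/MIME shape it has: the "send clear text signed message" option produces multipart/signed (a readable body plus a detached signature part), while opaque signing and encryption wrap the body inside application/pkcs7-mime, which matters when a server-side anti-virus or content filter has to inspect the message. The sample messages and their base64 bodies are constructed placeholders, not real CMS data.

```python
# Added example (not from the original article): tell from MIME structure alone
# how a stored message uses S/MIME (RFC 8551). Exchange 2003 only stores and
# delivers such messages; the client option "send clear text signed message"
# decides which of these shapes a signed message takes.
from email import message_from_string

PKCS7_MIME = ("application/pkcs7-mime", "application/x-pkcs7-mime")
PKCS7_SIG = ("application/pkcs7-signature", "application/x-pkcs7-signature")

def classify_smime(raw):
    """Return 'clear-signed', 'opaque-signed', 'encrypted' or 'plain'."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and msg.get_param("protocol") in PKCS7_SIG:
        parts = msg.get_payload()
        # Clear-signed: readable body followed by a detached signature part.
        if len(parts) == 2 and parts[1].get_content_type() in PKCS7_SIG:
            return "clear-signed"
    elif ctype in PKCS7_MIME:
        smime_type = msg.get_param("smime-type")
        if smime_type == "signed-data":
            return "opaque-signed"  # body is wrapped inside the PKCS#7 blob
        if smime_type == "enveloped-data":
            return "encrypted"
    return "plain"

def readable_without_smime(raw):
    """True if a client or content filter without S/MIME support can read the body.
    Opaque-signed text is not secret but sits inside smime.p7m; encrypted text
    cannot be inspected at all without the recipient's private key."""
    return classify_smime(raw) in ("plain", "clear-signed")

# Constructed samples; the base64 bodies are placeholders, not real CMS data.
CLEAR_SIGNED = """\
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Hello Bob, the figures are attached.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"

Q09OU1RSVUNURUQ=
--b1--
"""
OPAQUE_SIGNED = ("Content-Type: application/pkcs7-mime; smime-type=signed-data;"
                 ' name="smime.p7m"\n\nQ09OU1RSVUNURUQ=\n')
ENCRYPTED = ("Content-Type: application/pkcs7-mime; smime-type=enveloped-data;"
             ' name="smime.p7m"\n\nQ09OU1RSVUNURUQ=\n')
```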

Exchange Best Practices Analyzer (ExBPA)

My last piece of advice is to use one of the best tools ever released for Exchange: the Exchange Best Practices Analyzer (ExBPA).

Although ExBPA is not exclusively tailored for security, it does examine some security misconfigurations, e.g. open relays, too many administrators or authentication weaknesses.

Here’s a list of all the security-related configurations that ExBPA can check:

  • Recent Changes
  • Global Message Size Limits Set
  • UCE (Spam) Thresholds
  • Latest Service Pack and Patches
  • DNS, Kerberos Configuration
  • TCP/IP Ports, Protocols, Suppress OOF to DL’s, Exchange Journal Settings
  • Anti-Virus Installed, Recent Signatures, Symantec, McAfee, Sybari
  • Hot Fixes (Windows and Exchange)

Be sure to use it; you won’t regret it.

After reading this series of articles I can only hope that you’ll take immediate action to correct some (minor) security issues in your Exchange Server environment. By doing so, you’re helping to build a better world (this sounds like a Miss Universe speech), in the sense that the lives of ill-intentioned people will become more difficult.

Additional Reading

Exchange Server 2003 Security Hardening Guide

Windows Server 2003 Security Guide

Exchange Server Message Security Guide

Using ISA Server 2004 with Exchange Server 2003

Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2

Customizing Outlook 2003 to Help Prevent Viruses

Messaging Hygiene at Microsoft: How Microsoft IT Defends Against Spam, Viruses, and E-Mail Attacks
