Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
November 2007

Securing Microsoft Exchange Server 2007

Start with a hardened Windows server and hosted filtering
Sidebar: Steps to Protect Your Exchange 2007 Organization

Servers running the Mailbox role host Exchange mailbox and/or public folder databases. It’s common practice to dedicate one or more servers to running the Mailbox server role, but the reason is typically related more to performance than security. Exchange databases tend to be resource hogs, so a dedicated server makes sense in many situations.

If you must consolidate server roles, then I recommend running the Mailbox role and the Hub Transport role on the same box (assuming that your hardware is up to the job). These two roles present the least chance of causing a security problem when run together.

Hub Transport servers are responsible for all internal mail flow, routing messages and applying filtering rules to them. Because this role and the Mailbox role both sit on the internal network, the security risks associated with running these two roles on the same box are minimal.

The Client Access role should always run on a dedicated server. This role is the Exchange 2007 equivalent of an Exchange 2003 front-end OWA server, meaning that it receives requests from the Internet and forwards them to a Mailbox server. Obviously, you should have a firewall sitting in front of the Client Access server filtering out everything except HTTP and HTTP Secure (HTTPS) traffic on ports 80 and 443. Even so, the Client Access role does receive traffic from the Internet, and it’s best to not have the Client Access server hosting other roles that could potentially be exploited.

The Unified Messaging role is completely new to Exchange 2007. In case you’re not familiar with unified messaging, it’s a new technology that allows voice messages and faxes to be received and stored alongside email messages. Unified Messaging servers provide a new type of interface called Outlook Voice Access (OVA), which lets users interact with the Exchange organization by using their voice or touch tones via a telephone.

In my opinion, OVA doesn’t pose nearly the security risks that OWA does because OVA doesn’t expose Unified Messaging servers to the Internet, and Unified Messaging users don’t use a computer to connect to the servers. However, OVA does expose Unified Messaging servers to the Public Switched Telephone Network (PSTN), which arguably has worse security and more connected devices than the Internet. Thus, I recommend isolating Unified Messaging servers from the rest of the Exchange server organization with a firewall. In addition, Unified Messaging servers are extremely resource intensive and that condition alone often justifies using a dedicated server.
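The placement advice above (Client Access and Unified Messaging on dedicated servers, Mailbox plus Hub Transport as the one acceptable combination) is easy to drift away from as an organization grows. The following script is an added example, not code from the article or from Microsoft, that audits the current role layout from the Exchange Management Shell; it relies only on Get-ExchangeServer and its ServerRole property, and the finding text encodes this article's recommendations rather than any Microsoft rule.

```powershell
# Added example (not from the article): audit Exchange 2007 role co-location
# against the placement advice in the text. Run in the Exchange Management Shell.

function Get-RolePlacementFindings {
    Get-ExchangeServer | ForEach-Object {
        # ServerRole is a flags value that renders as e.g. "Mailbox, HubTransport"
        $roles = @("$($_.ServerRole)".Split(',') | ForEach-Object { $_.Trim() })
        $finding = 'OK'
        if ($roles -contains 'ClientAccess' -and $roles.Count -gt 1) {
            $finding = 'Client Access shares a server; it should be dedicated'
        } elseif ($roles -contains 'UnifiedMessaging' -and $roles.Count -gt 1) {
            $finding = 'Unified Messaging shares a server; it should be dedicated and firewalled'
        } elseif ($roles.Count -gt 1 -and (Compare-Object $roles @('Mailbox', 'HubTransport'))) {
            # Any multi-role server other than Mailbox + Hub Transport is flagged
            $finding = 'Only Mailbox + Hub Transport is an accepted combination'
        }
        $out = New-Object PSObject
        $out | Add-Member -MemberType NoteProperty -Name Server  -Value $_.Name
        $out | Add-Member -MemberType NoteProperty -Name Roles   -Value ($roles -join ', ')
        $out | Add-Member -MemberType NoteProperty -Name Finding -Value $finding
        $out
    }
}

Get-RolePlacementFindings | Format-Table -AutoSize
```

Edge Transport servers do not appear in Get-ExchangeServer output unless they have been subscribed to the organization, which is consistent with the advice that the Edge role never shares a box: a server that shows up here with the Edge role alongside anything else is itself a finding.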

Employ an Edge Transport Server
The Edge Transport server role is new in Exchange 2007. I want to talk about this role separately because its entire purpose is to help secure the Exchange organization. I recommend that every Exchange environment uses an Edge Transport server as an important part of its security plan.

Using an Edge Transport server role is like bringing hosted filtering in house. If you aren’t familiar with hosted filtering, I discuss it next. An Edge Transport server sits behind the corporate firewall but is isolated from the rest of your Exchange server organization, usually on a separate network segment. The Edge Transport server filters messages before they enter your primary Exchange organization to get rid of viruses and spam, thus helping to lighten the workload of your Mailbox servers and Hub Transport server.

Having an Exchange server that’s dedicated to the task of removing viruses and spam before messages pass through to your internal network probably sounds like a good idea, but you might be apprehensive about deploying an Exchange server, with its dependency on Active Directory (AD), on the edge of your network. Earlier I mentioned that the Edge Transport role can’t coexist on a system with any other Exchange role. This is because Microsoft designed Exchange 2007 so that servers running the Edge Transport role don’t need AD access (at least not directly).

To avoid exposing AD to the outside world, an Edge Transport server relies on AD Application Mode (ADAM) instead. ADAM is an AD partition that stores data related to a specific application rather than storing a copy of the entire AD database. When you install the Edge Transport role, Exchange creates an ADAM database on the Edge Transport server. A minimal amount of information is then pushed from AD to the ADAM database to give the Edge Transport server the configuration information it needs, without exposing all of AD in the process.

Microsoft even designed the Edge Transport replication process to prevent exposure. The Edge Transport server never contacts the rest of the Exchange organization. Instead, the setup process creates a special XML file, called an edge subscription file, on the Edge Transport server. The edge subscription file tells your Exchange organization to replicate recipient and configuration information from AD to the ADAM partition on the Edge Transport server. The administrator copies this file to the Hub Transport server and then manually removes it from the Edge Transport server so that a hacker can’t use this file to exploit the replication process.

Given its role within the organization, an Edge Transport server is designed to be secure by default. As such, there isn’t anything special that you have to do to secure an Edge Transport server aside from making sure that Windows is installed securely, removing the edge subscription file, and following routine best practices that are common to all Exchange servers.
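The subscription workflow described above, as an added example that is not part of the article: the Exchange Management Shell commands for exporting the edge subscription file on the Edge Transport server, importing it on a Hub Transport server, forcing and verifying the first synchronization, and then removing the file. The file paths, the admin-share copy step and the AD site name are assumptions for illustration; the cmdlets themselves (New-EdgeSubscription, Start-EdgeSynchronization, Test-EdgeSynchronization) are the real Exchange 2007 ones.

```powershell
# Added example (not from the article): the edge subscription workflow the
# text describes. Paths, the share and the site name are assumptions.

# --- Step 1: on the Edge Transport server -------------------------------
# Export the subscription file. It carries the credentials the Hub Transport
# servers use to replicate into ADAM, so handle it as a secret.
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"

# --- Step 2: copy the file to a Hub Transport server --------------------
# Out-of-band copy (removable media or an authenticated share); assumed path.
Copy-Item "C:\EdgeSubscription.xml" "\\HUB01\C$\EdgeSubscription.xml"

# --- Step 3: on the Hub Transport server --------------------------------
# Import the subscription into the AD site whose Hub Transport servers will
# synchronize with this Edge server (site name is an assumption).
$fileData = [byte[]](Get-Content -Path "C:\EdgeSubscription.xml" -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $fileData -Site "Default-First-Site-Name"

# Kick off the first synchronization instead of waiting for the schedule,
# then confirm that recipient and configuration data reached ADAM.
Start-EdgeSynchronization
Test-EdgeSynchronization | Format-List

# --- Step 4: remove the subscription file on both servers ---------------
# Once imported it has no further use; delete the Hub copy here and the
# original on the Edge server so it cannot be replayed.
Remove-Item "C:\EdgeSubscription.xml"
```

Note the direction of the traffic: the Hub Transport servers initiate the EdgeSync connection to the Edge server over secure LDAP (TCP 50636), so the firewall between the Edge segment and the internal network needs only that port plus SMTP, and nothing from the Edge server toward AD.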

Choose Hosted Filtering
I’m a big believer in hosted filtering, in which a company such as an ISP filters out viruses and spam before they ever reach your Exchange organization. When hosted filtering is in use, the MX record for your domain doesn’t point to your mail server but rather to a designated IP address that belongs to the server that’s filtering content. This means that email doesn’t come directly to your organization but flows to the filtering company first. The filtering company scans for and removes viruses and spam and then forwards legitimate messages to your Exchange organization.

Hosted filtering offers at least three benefits. First, email viruses are eradicated by the filtering server and never reach your organization. I still recommend running antivirus software on your Exchange servers and email client machines, though. You never know when a virus might slip through the hosting company’s filter, and having your own antivirus software is a good second line of defense.

The second advantage of hosted filtering is that it helps to conserve network bandwidth. It’s probably safe to say that in most organizations, spam accounts for 60 percent to 90 percent of the total inbound email. If you can filter out most spam before it reaches your organization, you could end up saving a significant amount of Internet bandwidth just because your Exchange servers don’t have to download all that spam. Not only does blocking spam reduce Internet bandwidth consumption, but it also helps to conserve memory, CPU, and disk resources on your mail servers.

The third major benefit of hosted filtering is that it obscures your mail server’s IP address from the outside world. The DNS record that would normally point to your mail server now points to a filtering server that’s part of another company’s network. A hacker who attacks your mail server might not realize that you use hosted filtering and might directly attack the filtering company rather than you. A more sophisticated hacker might be able to determine your mail server’s real IP address, but locating it would be more difficult than it would be if hosted filtering weren’t in use.
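The three benefits above hold only while two conditions are true: the public MX records resolve to the filtering provider rather than to your own mail server, and your firewall accepts SMTP on the real address only from the provider's ranges (otherwise a sender who learns the real IP address simply bypasses the filter). The script below is an added example, not from the article, that checks both conditions offline against data you supply. The MX targets, provider ranges and firewall allow-list shown are constructed sample values using RFC 5737 documentation addresses; in practice you would feed in your real DNS answers and firewall rules.

```powershell
# Added example (not from the article): offline check of a hosted-filtering
# posture. All sample data below is constructed.

function Test-IPInCidr {
    param([string]$IPAddress, [string]$Cidr)
    # IPv4 only: compare the leading $prefix bits of both addresses byte by byte.
    $network, $prefix = $Cidr.Split('/')
    $ip  = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $net = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    $bitsLeft = [int]$prefix
    for ($i = 0; $i -lt 4; $i++) {
        if ($bitsLeft -le 0) { return $true }
        $take = [Math]::Min(8, $bitsLeft)
        $mask = [int](256 - [Math]::Pow(2, 8 - $take))   # /24 -> 255,255,255,0
        if (($ip[$i] -band $mask) -ne ($net[$i] -band $mask)) { return $false }
        $bitsLeft -= 8
    }
    return $true
}

function Get-HostedFilteringFindings {
    param(
        [hashtable[]]$MxRecords,      # @{Name=...; Address=...}: MX targets and their A records
        [string[]]$ProviderRanges,    # CIDR blocks the provider publishes for outbound relay
        [string]$MailServerPublicIP,  # address your Exchange organization really receives on
        [string[]]$Smtp25AllowList    # sources the firewall permits to reach TCP 25 on it
    )
    $findings = @()
    foreach ($mx in $MxRecords) {
        if ($mx.Address -eq $MailServerPublicIP) {
            $findings += "MX $($mx.Name) points at the mail server itself; filtering is bypassed"
        }
        $inProvider = $false
        foreach ($range in $ProviderRanges) {
            if (Test-IPInCidr $mx.Address $range) { $inProvider = $true }
        }
        if (-not $inProvider) {
            $findings += "MX $($mx.Name) ($($mx.Address)) is outside the provider's ranges"
        }
    }
    foreach ($source in $Smtp25AllowList) {
        # Any allowed source beyond the provider ranges lets mail skip the filter.
        $covered = $false
        foreach ($range in $ProviderRanges) {
            if ($source -eq $range) { $covered = $true }
            elseif (($source -notmatch '/') -and (Test-IPInCidr $source $range)) { $covered = $true }
        }
        if (-not $covered) {
            $findings += "Firewall allows SMTP to $MailServerPublicIP from $source, not a provider range"
        }
    }
    return $findings
}

# Constructed sample data (RFC 5737 addresses)
$mx = @(
    @{ Name = 'mx1.filter.example.net'; Address = '203.0.113.10' },
    @{ Name = 'mx2.filter.example.net'; Address = '203.0.113.11' }
)
Get-HostedFilteringFindings -MxRecords $mx -ProviderRanges @('203.0.113.0/24') `
    -MailServerPublicIP '198.51.100.25' -Smtp25AllowList @('203.0.113.0/24', '0.0.0.0/0')
```

The sample allow-list deliberately includes 0.0.0.0/0 so the check has something to report; the point of the second loop is that the IP-obscuring benefit the article describes is only as good as the firewall rule that restricts inbound SMTP to the provider.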

This article just barely scratches the surface of what you need to know about Exchange security. Even so, good security starts with a secure design, and I’ve talked about some things that you can do to design your Exchange organization with security in mind.
