[Editor's Note: Do you have something to share with other Windows NT Magazine readers? We want to know about it. Write for Reader to Reader online, and you can tell others about your NT discoveries, comments, problems, solutions, and experiences. Email your contributions (700 words or less) to firstname.lastname@example.org along with your name and phone number. We edit submissions for style, grammar, and length. If we print your submission, you'll get $100.]
As an IT manager and a part-time consultant, I spend a lot of time reading computer publications and white papers, and I frequently participate in Usenet groups. I've seen several questions lately about security issues with Exchange Server and its various client options, particularly while communicating over the Internet. I believe many of these questions arise from the wide range of email client options and security methods available for both the server and the client.
Although I'm concerned about security, I feel that too much emphasis is placed on securing systems, at times to the point of rendering simple messaging applications difficult for end users to use. When you’re considering security policies and practices, keep end users in mind. If you make things too complicated for users, they'll find ways to circumvent your system. Find a secure solution, but keep it usable.
That said, here are some methods for ensuring secure client/server or server/server communication over Internet connections using Exchange Server:
- Configure Exchange or Outlook Messaging API (MAPI) clients to use encrypted remote procedure calls (RPCs), the default when communicating between servers at the same site. On the client you can use RPCs over the network and with dial-up connections. Unless you're in a security-sensitive environment, or running Windows NT outside North America, this 40-bit encryption might be all you need. You can force Exchange Server to use fixed ports for communicating via TCP/IP, something you would want to do to enable RPC communications through a firewall without opening up a wide range of ports (see http://www.microsoft.com/exchange/55/gen/Security.htm for more information). With Outlook 98 you can use the Outlook 98 Deployment Kit (ODK) to pre-configure and lock down your client options.
- Use Outlook Web Access with Secure Sockets Layer (SSL), a method that provides a manageable solution for basic email, contact, schedule, and public-folder access via Internet connections. With the Microsoft Windows NT 4.0 Option Pack, you can use Microsoft Certificate Server to become your own Certificate Authority (CA) and issue the required certificate for Internet Information Server (IIS). Be sure to consider the encryption level you can and will support--either 40- or 128-bit encryption--especially if you plan to allow access from outside your intranet.
- Use PPTP, included with RAS or RRAS, with 128-bit encryption. With the Connection Manager Administration Kit (CMAK), also available with the Option Pack, you can easily distribute and manage preconfigured dial-up connections, including Internet and PPTP connections. CMAK provides for multiple dial-up entries, so you can use it with a central RAS phone book to automatically update DUN entries upon connection--a method that lets you use any client (POP3, IMAP, MAPI), with all communications encrypted inside the PPTP channel.
Beyond securing client access, investigate your options and, at minimum, install server-based antivirus software. Several packages integrate nicely with Exchange Server and provide a first barrier against those nasty viruses. And for complete antivirus security, don’t forget the desktop.