Step 1 Harden Windows and use firewalls.

Step 2 Limit yourself to one Exchange version.

Step 3 Put only one Exchange server role on each server.

Step 4 Employ an Edge Transport server.

Step 5 Choose hosted filtering.