Last week, I discussed spring-cleaning for your Microsoft Exchange Server deployments. As I mentioned, security is one of the key areas that needs this type of annual checkup. Microsoft has recently placed additional focus on security, and configuration management is a key part of this focus. A few weeks ago, Microsoft began a more proactive posture for securing your Exchange servers and posted "Configuration and Security Recommendations for Exchange 2000" on the Exchange Web site. This proactive approach will help us maintain more secure and stable Exchange Server deployments.
The document discusses how to maximize Exchange 2000 Server's security and performance. It lists the current build requirements for your OS (Windows 2000), Exchange 2000, and client (Microsoft Internet Explorer [IE] or Microsoft Outlook 2002), along with the most recent fixes and patches needed for the most secure and robust Exchange Server environment. For example, three important Win2K security fixes (see Microsoft articles Q311401, Q313450, and Q314147) directly affect Exchange 2000's security. In addition, for the most secure Exchange 2000 deployment, you need to install Exchange 2000 Service Pack 2 (SP2) plus the Exchange 2000 Admin Patch (Exchange Server build 5770.21). The document also lists recommended updates for IE and Outlook 2002.
The Exchange 2000 Admin Patch is a recent release that you might not be aware of, but it's important for running a secure Exchange 2000 environment. In addition to updating the security fixes included with Exchange 2000 SP2, this patch adds some specific fixes to the Exchange System Manager (ESM) and the System Attendant Service (mad.exe); these fixes address some potentially serious problems that can affect the stability of your Exchange 2000 environment. Microsoft felt these fixes warranted a separate patch that couldn't wait until SP3.
I'm impressed with Microsoft's focus on security and proactive approach to alerting users about potential problems. This update-based approach will benefit everyone, although it might delay product releases. I think Microsoft is finally serious about security and will perhaps shed its reputation for putting out insecure software.