- INTRODUCING EXCHANGE 2000. - Unnecessary Exchange 2000 Back-End Server Services. - Unnecessary Exchange 2000 Front-End Server Services. - Accessing the Exchange 2000 Directory Service. - Standard Exchange 2000. - High Security Exchange 2000. - Introducing Exchange 2000. - Understanding the Basic Security Risks Associated with Exchange 2000. - Exchange 2000 is the latest iteration of Microsoft’s enterprise messaging platform. - However, the Exchange 2000 release contains significant changes from previous versions. - Exchange 2000 components and some of the Windows 2000 services that are required to run Exchange 2000.. - Figure 1 Major Components of Exchange 2000 and Windows 2000 Dependencies. - Exchange 2000 is completely dependent on several components of Windows 2000. - A list of services (provided here) must be running prior to the Exchange 2000 System Attendant starting.. - During Exchange 2000 installation, the SMTP and NNTP components are extended to provide. - The Exchange 2000 installation process also installs POP3 and IMAP4 services that function as part of IIS.. - All Exchange 2000–to–Exchange 2000. - Exchange 2000 Components. - Table 1 has a list of the common Exchange 2000 services, that service’s executable service, and the Windows 2000 service on which this service. - Table 1 Exchange 2000 Services and Dependencies. - Exchange 2000 Service Windows 2000 Service Dependencies Microsoft Exchange System Attendant. - The first Exchange 2000–specific component that starts is the Microsoft Exchange system attendant.. - One of the more common problems with Exchange 2000 occurs when an administrator attempts to tighten security on Active Directory objects. - The crown jewel of Exchange 2000 is now the information store. - Exchange 2000 includes a kernel-mode device driver called the Exchange Installable File System (ExIFS) driver. - If you are interested in further reading about the Exchange 2000 architecture, consult Chapter 26 of the Exchange 2000 Resource Kit from Microsoft Press.. - In order to successfully harden Exchange 2000 servers against attacks on the server, it is important that you understand the potential security risks that the Exchange server may face. - or malicious code being installed on the Exchange 2000 server. - This section of this ebook covers some of the vulnerabilities that may be found in Exchange 2000. - One of the most important things to keep in mind is how permissions are assigned for administration of Exchange 2000 components. - Exchange 2000 Administrative Rights. - Further, any of the Enterprise Admins group can alter the Exchange 2000 permissions regardless of who is actually the Exchange 2000 administrator. - This is due to the default permissions that are assigned to the Active Directory configuration container that holds the Exchange 2000 configuration.. - Almost all of the Exchange 2000 configuration information is stored in the Active Directory database’s Configuration partition. - This is the location of almost all the configuration data for each Exchange 2000 server in the entire forest.. - Figure 2 ADSIEdit Shows the Exchange 2000 Configuration Information in the Configuration Partition. - Exchange 2000 administrators must place a lot of trust in members of the. - Once an Exchange 2000 server loses contact with all domain. - Exchange 2000 Front-end Servers and Exchange 2000 Back-end Servers. - As I discussed previously, Exchange 2000 is dependent on the Windows 2000 operating system, Internet Information Server, and Active Directory. - Windows 2000 and Exchange 2000 install a number of services that may not be necessary in your environment. - Exchange 2000 back-end servers are servers on which mailboxes and public folders resides. - By default, Exchange 2000 servers are back-end servers unless a server is reconfigure d as a front-end. - Table 4 shows a list of services that you may be able to disable on Exchange 2000 back-end servers.. - Table 4 Windows and Exchange 2000 Services That Might Not Be Necessary on Back-End Servers. - FTP is not required on Exchange 2000 servers. - Exchange 2000 front-end servers were introduced with Exchange 2000. - Table 5 Windows and Exchange 2000 Services That Might Not Be Necessary on Front-End Servers. - If you have Exchange 2000 front-end servers, implement and require SSL only on the front-end servers, not the back-end servers. - For example, if you are configuring an Exchange 2000 front-end server that will be used by POP3 clients, you would configure the POP3. - this figure shows the limits I recommend for a typical Exchange 2000 server (I am occasionally accused of being rather generous). - When Exchange 2000 is installed, a couple of shared folders are created. - Enable IPSec between all Exchange 2000 servers including those configure d as front-end and back-end servers. - Exchange 2000 SP . - If you wanted to disable all MAPI clients except the Exchange 2000 components, you would enter . - The first step toward a virus-free utopia is to make sure that you have chosen the correct anti-virus software to work on the Exchange 2000 server. - If you are extra cautious, you might also consider blocking this list that is published on the Exchange 2000 administrator’s mailing list FAQ (see Table 9).. - One of the criteria for deployment of Exchange 2000 was that it must be more tolerant of e-mail- based viruses. - Exchange 2000 and Firewalls. - Exchange 2000 servers should always be protected by a firewall. - Exchange 2000 opens a lot of ports on a Windows 2000 computer. - Table 11 Ports that Exchange 2000 Requires Port number Description/requirement. - The Exchange 2000 System Attendant runs two processes that answer these calls. - Each time the Exchange 2000 System Attendant starts, it dynamically picks an unused port above 1,024. - Each Exchange 2000 server has at least one SMTP virtual server. - There are a couple of SMTP issues that you are going to want to consider when planning Exchange 2000 security. - If you are concerned about SMTP traffic being intercepted on the network, I generally recommend using IPSec between Exchange 2000 servers. - Auditing Exchange 2000 is essential. - Exchange 2000 Event Auditing. - There are also a few events that you should enable for Exchange 2000 auditing. - Figure 25 shows the Diagnostics Logging property page for an Exchange 2000 server.. - Figure 25 Diagnostics Logging for Exchange 2000. - In order to accurately track usage of the Exchange 2000 mailboxes, there are a number of event types that I recommend you enable. - Table 13 Diagnostics Logging Categories for Exchange 2000 Servers. - Table 14 Exchange 2000 Security-Related Events Found in the Application Log. - The following is a list of the problems with ZZZ Company’s Exchange 2000. - A Windows 2000 auditing policy should be enabled for all Exchange 2000 servers.. - On the other hand, if you are going to have many users that require digital certificates, you should consider deploying the Exchange 2000 Key Management Server. - The requirements for the Exchange 2000 Key Management Server are as follows:. - You cannot install the Exchange 2000 KMS on an Exchange 2000 server in a cluster.. - Organize Exchange 2000 servers into their own Active Directory OU.. - Now that the platform is secure, let’s move on to Exchange 2000. - This checklist should be good for all Exchange 2000 servers whether they are front-end or back-end servers:. - Apply Exchange 2000 SP3.. - Enable Exchange 2000 Diagnostics Logging for mailbox store and public folder stores.. - Implement physical access controls over all Exchange 2000 servers.. - Put all Exchange 2000 servers on switched segments.. - Implement IPSec between all Exchange 2000 servers and to/from Windows 2000 domain controllers.. - Exchange 2000 is tightly integrated with Windows 2000 and Internet Information Server.. - An additional load will be placed on the Windows 2000 domain controllers and global catalog servers for each Exchange 2000 server.. - this is the biggest vulnerability for Exchange 2000.. - Internet Information Server should be locked down with IIS Lockdown using the Exchange 2000 template.. - Exchange 2000 diagnostics logging will provide you with a better understanding of the types of access happening on the Exchange server.. - Keep Exchange 2000 and Windows 2000 up-to-date with patches and security updates.. - In the summer of 2002, Microsoft released their Exchange 2000 Security Operations Guide. - deployment called the Exchange 2000 Front-End and Back-End Topology guide. - Before posting to either of these lists, I strongly recommend that you read the Exchange 5.5 and Exchange 2000 FAQs. - Exchange 2000 Resource Kit. - Q: You did not mention Exchange 2000’s Instant Messaging feature. - A: Exchange 2000 cannot strip out headers without custom programming. - Q: What do you see as the most neglected Exchange 2000 security procedures?
Xem thử không khả dụng, vui lòng xem tại trang nguồn hoặc xem
Tóm tắt