Microsoft Exchange Server 2007 Security Basics
The Scope of Security
Motivations of a Criminal Hacker
How Hackers Work
Physical Security
Administrative Security
SMTP Security
Computer Viruses
Junk E-Mail
Security Tools Provided by Microsoft
Security incidents, including hacking, virus attacks, spyware outbreaks, and identity theft, have rocked the computing world. Due to the e-mail server’s reliance on access to the outside world, e-mail has become a target for miscreants everywhere, who try to use this medium to gain access to an organization. As such, security has become so central to the administrator’s role that a large portion of this book is devoted to a discussion of it.
This chapter offers ideas about how to add complexity and create hindrances for those who wish to attack your network over port 25. No defense is ever foolproof, but the more you invest in security, the more secure your e-mail server will be. With good strategies in place and adequate tools to assist you, you can anticipate and thwart most attacks.
The Scope of Security
Everyone has heard the old phrase “a chain is only as strong as its weakest link.” You can easily apply that thinking to security: a network is only as secure as its least secured component. Always consider e-mail to be one of those weak links on your network because it is an obvious entry point. Attackers use e-mail to wreak havoc because it’s easy: no matter how well you secure your network, chances are good that you have port 25 open on your firewall and that a Simple Mail Transfer Protocol (SMTP) server is ready to work with e-mail when it comes in.
When you begin thinking about security strategies, always answer the following question: What am I securing Exchange Server 2007 against? The answers to this question are varied and can be grouped into four categories:
Protection against social engineering attempts
You learned about social engineering in depth in Chapter 18, “Security Policies and Exchange Server 2007.” In this chapter, the other three security categories are covered.