- Planning for Exchange Server 2007
- Understanding AD Design Concepts for Exchange Server 2007
- Determining Exchange Server 2007 Placement
- Configuring Exchange Server 2007 for Maximum Performance and Reliability
- Securing and Maintaining an Exchange Server 2007 Implementation
- Summary
- Best Practices
This chapter is from the book
This chapter is from the book
This chapter is from the book
Securing and Maintaining an Exchange Server 2007 Implementation
One of the greatest advantages of Exchange Server 2007 is its emphasis on security. Along with Windows Server 2003, Exchange Server 2007 was developed during and after the Microsoft Trustworthy Computing initiative, which effectively put a greater emphasis on security over new features in the products. In Exchange Server 2007, this means that the OS and the application were designed with services "Secure by Default."
With Secure by Default, all nonessential functionality in Exchange must be turned on if needed. This is a complete change from the previous Microsoft model, which had all services, add-ons, and options turned on and running at all times, presenting much larger security vulnerabilities than was necessary. Designing security effectively becomes much easier in Exchange Server 2007 because it now becomes necessary only to identify components to turn on, as opposed to identifying everything that needs to be turned off.
In addition to being secure by default, Exchange Server 2007 server roles are built in to templates used by the Security Configuration Wizard (SCW), which was introduced in Service Pack 1 for Windows Server 2003. Using the SCW against Exchange Server helps to reduce the surface attack area of a server.
Patching the Operating System Using Windows Software Update Services
Although Windows Server 2003 presents a much smaller target for hackers, viruses, and exploits by virtue of the Secure by Default concept, it is still important to keep the OS up to date against critical security patches and updates. Currently, two approaches can be used to automate the installation of server patches. The first method involves configuring the Windows Server 2003 Automatic Updates client to download patches from Microsoft and install them on a schedule. The second option is to set up an internal server to coordinate patch distribution and management. The solution that Microsoft supplies for this functionality is known as Windows Software Update Services (WSUS).
WSUS enables a centralized server to hold copies of OS patches for distribution to clients on a preset schedule. WSUS can be used to automate the distribution of patches to Exchange Server 2007 servers, so that the OS components will remain secure between service packs. WSUS might not be necessary in smaller environments, but can be considered in medium-sized to large organizations that want greater control over their patch management strategy.
Implementing Maintenance Schedules
Exchange still uses the Microsoft JET Database structure, which is effectively the same database engine that has been used with Exchange from the beginning. This type of database is useful for storing the type of unstructured data that email normally carries, and has proven to be a good fit for Exchange Server. Along with this type of database, however, comes the responsibility to run regular, scheduled maintenance on the Exchange databases on a regular basis.
Although online maintenance is performed every night, it is recommended that Exchange databases be brought offline on a quarterly or, at most, semiannual basis for offline maintenance. Exchange database maintenance utilities, eseutil and isinteg, should be used to compact and defragment the databases, which can then be mounted again in the environment.
Exchange databases that do not have this type of maintenance performed run the risk of becoming corrupt in the long term, and will also never be able to be reduced in size. Consequently, it is important to include database maintenance into a design plan to ensure data integrity.