Securing an Exchange Server 2010 Environment : Securing Your Windows Environment

• Server operating system— Microsoft’s latest server operating system (OS), and the one that Exchange Server 2010 is designed to run on, is Microsoft Windows Server 2008 R2.

• Server messaging system— Exchange Server 2010 is the current messaging system from Microsoft. Exchange Server 2010 provides messaging, calendaring, mobile access, and unified communications for the enterprise.

• Client operating system— Microsoft’s latest client operating systems are Microsoft Windows 7 or Windows Vista. Although Exchange Server 2010 can work with older versions of client software.

• Client messaging application— Microsoft’s latest client messaging application is Microsoft Office Outlook 2007, though Outlook 2010 is scheduled for completion shortly after publication of this book. Again, although Exchange Server can work with older versions of Outlook.

Both the server messaging system and the client messaging application are only as secure as their underlying operating systems. Fortunately, Microsoft Windows Server 2008, Windows 7, and Windows Vista are very secure by default, and with a little knowledge and experience can be made exceptionally secure.

Windows Server 2008 Security Improvements

Even from the default installation, Windows Server 2008 and the latest version Windows Server 2008 R2 are significantly more secure than their predecessors. Previous versions installed with most features defaulting to an enabled state, counting on the administrator to disable them if they were not going to be used. This left a lot of openings for malicious intruders, especially in an environment where the administration staff was not well versed in hardening an underlying operating system.

In Windows Server 2008, all features and roles are disabled by default and must be manually turned on, making it more difficult for unauthorized users to exploit vulnerabilities. This is one way of improving server security, known as “reducing the attack surface.”

Some of the changes in Windows Server 2008 include the following:

• After a default installation, many services are disabled, rather than enabled.

• Internet Information Services (IIS), the built-in web server, has been completely overhauled and is no longer installed by default. In addition, group policies can be implemented that prevent the unauthorized installation of IIS in your environment.

• Access control lists (ACLs) have been redefined and are stronger by default.

• Security can be defined by server and user roles.

• Public Key Infrastructure (PKI) Active Directory Certificate Services (AD CS) has been enhanced and includes advanced support for automatic smart card enrollment, certificate revocation list (CRL) deltas, and more.

• Wireless security features, such as IEEE 802.1X, are supported.

• The Security Configuration Wizard included with Windows Server 2008 can further lock down security based on server role and function.

Windows 7 Security Improvements

Windows 7 complements Windows Server 2008 R2 from the client perspective by supporting the security features embedded in Windows Server 2008 R2. The following are among the more notable security features in Windows 7:

• Core system files and kernel data structures are protected against corruption and deletion.

• Software policies can be used to identify and restrict which applications can run.

• Wireless security features, such as IEEE 802.1X, are supported.

• Sensitive or confidential files can be encrypted using Bitlocker encryption as well as Encrypting File System (EFS).

• Communications can be encrypted using IP Security (IPSec).

• Kerberos-based authentication is integrated in the core logon process.

• Enhanced security devices such as smart cards and biometric devices are supported.

All of the security improvements are supported with Group Policy enhancements to the Windows 7 operating system, providing centralized policy setting and management.

Windows Firewall Protection

In today’s messaging environments, users often have to be able to access their emails from noncorporate locations. Gone are the days of accessing email only from the office computer; many users now access their mail from hotels, client sites, or wireless network “hot spots” such as the local coffee house.

Supporting this “anytime, anywhere” availability is important, but organizations must work to minimize potential security risks that can come with enhanced functionality.

Because remote users are often utilizing equipment that is not configured by their organization’s security administrators, this equipment can be more susceptible to viruses and intrusions. To minimize security risks, client computers should have the Windows Firewall installed and operating.

Windows Firewall provides a protective boundary that monitors information traveling between a computer and a network (including the Internet). Windows Firewall blocks “unsolicited requests,” which are often the result of external users located on a network trying to access your computer. Windows Firewall also helps protect you by blocking computer viruses and worms that try to reach your computer through a network connection.

The Windows Firewall uses stateful packet inspection to monitor all communications to and from the computer and records the outbound connections made from the protected system. Windows Firewall can also be customized to allow exceptions based on an application or port as well as to log security events.

Utilizing Security Templates

Security templates are a practical and effective means to apply standardized security policies and configurations to multiple systems in an environment. These security templates can be customized to meet the minimum security requirements of a particular organization, and can be applied to client computers as well as to servers using the Security Configuration and Analysis Microsoft Management Console (MMC) snap-in.

By utilizing the automatic deployment of security templates to client PCs, administrators can ensure that computers are identically configured and utilize available security measures, even if the system is not able to be managed by Group Policy Objects (GPOs).

Using the Security Configuration and Analysis Tool

The Security Configuration and Analysis tool is a utility that can apply security templates to computers. It compares a computer’s security configurations against an administrator-defined security template, and reports any differences found between the two. Furthermore, when the security configuration on the computer does not match the settings specified in the template, you can use the tool to update the system accordingly.

This utility has two modes of operation: analysis and configuration. An often-overlooked best practice is to analyze the system prior to making any changes so that you have a baseline frame of reference.

To run the Security Configuration and Analysis tool and analyze a computer, perform the following steps:

1.	Start the Microsoft Management Console by selecting Start, Run, typing MMC in the Open text box, and then clicking OK.
2.	Select File, click Add/Remove Snap-in.
3.	In the Add or Remove Snap-in window, select Security Configuration and Analysis, click Add, and then click OK.
4.	In the MMC, right-click the Security Configuration and Analysis snap-in, and select Open Database.
5.	Type a database name, select a location to store the database, and then click Open.
6.	Select a security template from those listed, or navigate to C:\Windows\inf and select one of the files starting with deflt, as shown in Figure 1. After you have selected the appropriate .inf file, click Open. Figure 1. Using the Security and Configuration Wizard.
7.	Back in the MMC, right-click the Security Configuration and Analysis snap-in, and choose Analyze Computer Now.
8.	Enter a path to store the generated log file, and click OK to continue.

After the System Security Analysis has completed, the utility displays the security settings that are configured in the template you selected, and what is currently configured on the computer. Items for which the computer is not in compliance with the policy appear with a red “x” beside them.

If you want to configure the system with the security settings in the template, you can do so by performing a few extra steps:

Customizing Security Templates

An administrator might want to use custom security templates for several reasons. The organization might want a simple method of ensuring that attached computer systems meet with defined minimum security criteria. They might desire to ensure configured security settings that work for a particular application can be replicated to other servers of the same nature.

Larger organizations often have the need for customized security templates. For example, a member of the Internal Auditing department might need to regularly connect to employee hard drives, whereas the receptionist is only allowed basic Internet access. By applying different security settings to each of these machines, you can help the company ensure people have access to the data they need, and not to the resources they don’t.

Windows Server 2008/2003, Windows 7/Vista, and Windows XP Professional are equipped with the Security Templates MMC snap-in that enables administrators to quickly and easily customize settings on individual systems. Loading this tool is similar to the Security Configuration and Analysis tool discussed previously. To add the snap-in, follow these steps:

When the Security Templates snap-in is expanded, it displays the default search path to the security templates folder in the current user’s profile. Other paths can be opened to display other security templates that might reside on the system. Expand the default template storage directory (C:\windows\inf\deflt*.inf) to see the available default templates. Rather than editing these default templates, it is recommended that you select the one you are going to use as a baseline, right-click it, and save it as a new template.

After you have created the new template, expand it to display all of the modifiable security settings. From here, you can configure the template to apply the security settings you want, as shown in Figure 2.

Figure 2. Editing Security Templates.

After you have completed customizing the template, it is an easy process to save the file to an accessible network share, and then use the Security Configuration and Analysis tool to apply it to the appropriate systems.

Keeping Up with Security Patches and Updates

Applying service packs, updates, and hotfixes in a timely manner is critical to maintaining the security of an environment. Whether you are talking about a server operating system, an application such as Exchange Server 2010, a client operating system, or even client applications, keeping your systems up to date with the latest releases ensures that you are protected against known vulnerabilities.

Organizations often underestimate the importance of these updates, so let’s look at them in a different light. These updates are released to protect against known vulnerabilities. That means that there is a good possibility that malicious users in the hacker community already know how to exploit them. So, there the system sits, not only does it have an unlocked door, but the criminals know it is unlocked.

In the past, updates often had to be manually implemented on a system-by-system basis and, for companies with hundreds (or thousands) of workstations, it proved to be a monumental task. These manual processes still exist, but rarely need to be used today.

With Windows Server 2008/2003, Windows 7/Vista, and Windows XP, utilities exist that allow you to automate this process and simplify the distribution of updates. Microsoft has provided several options: Windows Update, Microsoft Update, Microsoft Windows Server Update Services (WSUS), and Microsoft System Center Configuration Manager (SCCM). In addition, there are a variety of third-party applications that can assist you with this endeavor.

Windows Update

Windows Update, located at http://www.microsoft.com/windowsupdate, is a website that scans a local system and determines whether it has the latest updates applicable to the operating system. Windows Update is a very useful tool when dealing with a small number of systems. One shortcoming of Windows Update is that it only addresses updates to the operating system—not to any applications installed on the computer. Windows Update was designed for Microsoft Windows 2000 SP2 and earlier. Those using later versions of the operating system (including Windows 2000 SP3 and higher, Windows Server 2008/2003, Windows 7/Vista, and Windows XP) can instead use the Microsoft Update discussed in the following section.

Microsoft Update

For other Microsoft applications on your system, including Microsoft Outlook, use Microsoft Update, located at http://update.microsoft.com. This website offers the same downloads available on the Windows Update site, plus the latest updates for Microsoft Office and other Microsoft applications.

When you visit the website, it scans your computer and allows you to review a list of available updates and select the ones you want to implement.

The site breaks down the available updates into categories, identifying those that are critical to the security and reliability of your computer as high-priority updates.

One other feature of the Microsoft Update website is the ability to review your update history. By selecting this link, you can see the update, the product it applied to, the status of the implementation, the date it was applied, and the method used to apply the patch—for example, Windows Update or Automatic Updates, which is discussed in the next section.

Like Windows Update, Microsoft Update is intended for managing one system at a time. As useful as it is for individual users and small environments, other alternatives should still be considered for larger organizations.

Automatic Updates

One of the most reliable, and least time consuming, methods of implementing updates from Microsoft is built in to Windows Server 2008/2003, Windows 7/Vista, and Windows XP. Known as Automatic Updates, this feature allows your system to automatically download and install high-priority updates, without manual intervention. Optional updates, however, still need to be implemented using other methods.

With Automatic Updates, you can configure the utility to automatically download and install updates on a daily or weekly basis, at the time of day of your choice (for example, every Saturday at 2:00 a.m.).

Alternatively, you can select one of the following options:

• Download Updates for Me, But Let Me Choose When to Install Them.

• Notify Me But Don’t Automatically Download or Install Them.

• Turn Off Automatic Updates.

When connecting to Microsoft Update or Windows Update, this method has a few drawbacks that must be mentioned. First, by automatically downloading and applying hotfixes, you are not afforded the opportunity to download and implement them in a test lab prior to deployment. Second, some high-priority updates require a reboot and might automatically restart your system without your prior approval.

To mitigate these shortcomings, you can configure Automatic Updates to not download and install updates directly from Microsoft, but can instead receive updates from a Microsoft Windows Server Update Services (WSUS) server, discussed next.

Windows Server Update Services (WSUS)

Realizing the increased administration and management efforts that challenge administrators of larger environments, Microsoft created the Microsoft Software Update Services (SUS), and the newer version called Windows Server Update Services (WSUS). This no-charge add-in component is designed to simplify the process of keeping computers in your organization up to date with the latest updates and service packs. WSUS communicates directly and securely with Microsoft to gather the latest security updates for a variety of Microsoft products, including Exchange Server, and enables administrators to manage the distribution of these updates to clients and servers in their environment. By utilizing WSUS, administrators can download updates, test them, and schedule the deployment to additional systems.

Utilizing Background Intelligent Transfer Service (BITS), the application allows administrators to download updates in the background, using available network bandwidth, to minimize the impact on their user community.

WSUS version 3.0 includes a new MMC-based user interface and has the following features:

• Advanced filtering and reporting

• Improved performance and reliability

• Branch office optimizations and reporting rollup

• System Center Operations Manager Management Pack

Client-Based Virus Protection

One of the primary reasons why the installation of service packs and software updates in a timely manner is so important is the prevalence of computer viruses. Many viruses are written to exploit specific vulnerabilities that are found in computer operating systems and applications—both on clients and servers. Because Microsoft products are used so widely throughout the world, those who create viruses generally write them specifically to attack Microsoft products. This has resulted in the creation of an entire industry focused solely on protecting businesses and individuals from attack.

Companies truly concerned with protecting their environment from attack should use a multilayer approach to virus protection. By including antivirus applications on gateways, Exchange servers, and on the desktop, outbreaks can be prevented, or quickly detected and dealt with.

There are many ways to distribute viruses, and one of the most effective is by installing unauthorized software on a workstation and turning it into a distribution point. This method might (or might not) utilize an existing messaging system. If it does not, gateway and Exchange server-level antivirus methods might not be able to help at all. By implementing a separate antivirus solution on the desktop itself, you can minimize your exposure to attack.

An aggressive plan should be in place to keep antivirus signature files and engines up to date. Virus outbreaks that once took days (or weeks) to become widespread can now travel around the globe in a matter of hours. Antivirus updates (often referred to as “signature files”) should be updated daily at a minimum and more often if your product supports it.

Windows Lockdown Guidelines and Standards

Microsoft has gone to great lengths to provide secure and reliable products. This endeavor was not accomplished in a vacuum—Microsoft has worked closely with companies, government agencies, security consultants, and others to identify and address security issues in the computer industry. Through this concerted effort and teamwork, security standards and guidelines have been developed that are applicable to not only Microsoft products, but also to the computing industry as a whole.

In addition to researching and implementing Microsoft recommended security standards and guidelines, responsible administrators can also use recommended best practices that have been compiled by the National Institute of Standards and Technologies (NIST) and the National Security Agency (NSA).

Both NIST and NSA provide security lockdown configuration standards and guidelines that can be downloaded from their websites (www.nist.gov and www.nsa.gov, respectively).