You can protect Exchange on seven layers: cloud, perimeter, Edge Transport Server, inner firewall, Hub Transport Server, Mailbox Server, and clients.

The best security solutions are layered ones, taking a defense in depth approach so that there is no single layer between vital information resources and disaster. Nowhere can this be more critical than in protecting your Exchange infrastructure from malware attacks. In this post we will go over the seven key layers you should have in your game plan.

Protect Exchange from malware

1. Consider a cloud solution as the first line of defense

The right place to stop malware (and spam) is as far away from your systems as possible. Using a solid SaaS solution is a great way to filter out malware and spam before it ever gets to your perimeter. This saves you on bandwidth, CPU cycles, and storage space and can reduce the number of threats crossing your border by an order of magnitude.

2. Deploy a packet filtering firewall with intrusion prevention at the perimeter

This firewall should be able to recognize protocol-level attacks and shun (temporarily block) the source addresses that launch them.

3. Use the Edge Transport Server role

The Edge Transport Server role is specifically designed to filter messages while they are still in your DMZ using anti-spam and antimalware agents. If something does get through, the inner firewall is still in place to protect your internal systems from threats. Use an antimalware product designed to work on the Edge Transport role and to scan messages with multiple engines.

4. Deploy that inner firewall

Whether this is a separate physical firewall or another VLAN of a three-legged deployment, this firewall not only protects your internal systems from threats, but should prevent outbound SMTP from anything other than your Exchange infrastructure. That way, any malware that tries to send SMTP messages directly will be blocked, and the logged attempts give you a way to detect the infected host.
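The detection half of this layer, as an added example that is not part of the original post: a PowerShell audit that reads a firewall log and reports every host other than the Exchange transport servers that tried to open TCP/25 to somewhere outside Exchange. The log lines are constructed sample data in the W3C format Windows Firewall writes to pfirewall.log; the allowed addresses (10.0.0.10 and 10.0.0.11) are example Edge and Hub Transport addresses, and the column positions would need remapping for another firewall's log.

```powershell
# Added example (not from the original post): find outbound SMTP attempts from
# hosts that are not part of the Exchange transport infrastructure.
# Sample log below is constructed, in Windows Firewall's W3C pfirewall.log format.

# Example addresses of the Edge and Hub Transport servers (assumption).
$allowedSmtpSources = @('10.0.0.10', '10.0.0.11')

$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2022-03-01 09:14:02 ALLOW TCP 10.0.0.10 203.0.113.25 49152 25 0 - 0 0 0 - - - SEND
2022-03-01 09:14:05 DROP TCP 10.0.5.77 198.51.100.9 51233 25 52 S 3301 0 8192 - - - SEND
2022-03-01 09:14:06 DROP TCP 10.0.5.77 198.51.100.10 51234 25 52 S 3302 0 8192 - - - SEND
2022-03-01 09:14:09 ALLOW TCP 10.0.5.77 10.0.0.11 51240 25 0 - 0 0 0 - - - SEND
2022-03-01 09:14:30 ALLOW TCP 10.0.7.12 192.0.2.44 50001 25 0 - 0 0 0 - - - SEND
2022-03-01 09:15:00 ALLOW TCP 10.0.0.11 203.0.113.30 49200 25 0 - 0 0 0 - - - SEND
'@

function Find-UnauthorizedSmtp {
    param(
        [string[]]$LogLines,
        [string[]]$AllowedSources
    )
    $LogLines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |   # skip blank and header lines
        ForEach-Object {
            $f = $_ -split '\s+'
            [pscustomobject]@{
                Time     = "$($f[0]) $($f[1])"
                Action   = $f[2]
                Protocol = $f[3]
                SrcIp    = $f[4]
                DstIp    = $f[5]
                DstPort  = [int]$f[7]
                Path     = $f[-1]          # last column: SEND (outbound) or RECEIVE
            }
        } |
        Where-Object {
            # Outbound TCP/25 where neither end is an Exchange transport server.
            # Internal hosts submitting to the Hub Transport server are expected
            # and are left alone; direct-to-Internet SMTP from anything else is not.
            $_.Protocol -eq 'TCP' -and $_.DstPort -eq 25 -and $_.Path -eq 'SEND' -and
            $AllowedSources -notcontains $_.SrcIp -and
            $AllowedSources -notcontains $_.DstIp
        }
}

$events = Find-UnauthorizedSmtp -LogLines ($sampleLog -split "`r?`n") -AllowedSources $allowedSmtpSources

# One row per offending host. A non-zero Allowed count means the egress rule
# has a gap: the firewall let the connection through instead of dropping it.
$events | Group-Object SrcIp | ForEach-Object {
    [pscustomobject]@{
        SrcIp     = $_.Name
        Attempts  = $_.Count
        Allowed   = ($_.Group | Where-Object Action -eq 'ALLOW').Count
        FirstSeen = ($_.Group | Select-Object -First 1).Time
    }
} | Format-Table -AutoSize
```

Against the sample data this lists 10.0.5.77 with two dropped attempts (the rule worked, the host still needs attention) and 10.0.7.12 with one allowed attempt (the rule has a gap). Feeding the real log in place of `$sampleLog` is a matter of `Get-Content` on the log file.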

5. Implement antimalware on the Hub Transport Server

The Hub Transport Server role can also perform antimalware and anti-spam screening. Personally, I like to have one pair of antivirus engines running on the Edge Transport server, and a different pair on the Hub Transport, so that messages are scanned by four different engines overall.
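A configuration check covering both the Edge Transport layer (item 3) and the Hub Transport layer (item 5), as an added example that is not part of the original post: it confirms from the Exchange Management Shell that the built-in anti-spam agents are installed and enabled and that their filter configurations are switched on. It assumes it runs on the transport server itself; the exact set of agents differs slightly between Exchange versions, and a third-party antimalware agent would be added to the list under its own name.

```powershell
# Added example (not from the original post): verify anti-spam agents and filter
# configuration on an Edge Transport or Hub Transport server.
# Assumes the Exchange Management Shell on that server. On a Hub Transport server
# the built-in agents exist only after running Install-AntispamAgents.ps1 from the
# Exchange scripts folder. Adjust $requiredAgents for your Exchange version and
# for any third-party antimalware agent you have deployed.

$requiredAgents = @(
    'Connection Filtering Agent',
    'Content Filter Agent',
    'Sender Id Agent',
    'Sender Filter Agent',
    'Recipient Filter Agent',
    'Protocol Analysis Agent'
)

# Filter configuration cmdlets; each returns an object with an Enabled property.
$filterConfigs = @{
    'Content filtering'   = { Get-ContentFilterConfig }
    'Sender filtering'    = { Get-SenderFilterConfig }
    'Sender ID'           = { Get-SenderIdConfig }
    'Recipient filtering' = { Get-RecipientFilterConfig }
    'IP block list'       = { Get-IPBlockListConfig }
    'Sender reputation'   = { Get-SenderReputationConfig }
}

$findings = @()
$agents = Get-TransportAgent

foreach ($name in $requiredAgents) {
    $agent = $agents | Where-Object { $_.Identity -eq $name }
    if ($null -eq $agent) {
        $findings += "Agent missing: $name"
    } elseif (-not $agent.Enabled) {
        $findings += "Agent disabled: $name (priority $($agent.Priority))"
    }
}

foreach ($entry in $filterConfigs.GetEnumerator()) {
    $config = & $entry.Value
    if (-not $config.Enabled) {
        $findings += "Filter disabled: $($entry.Key)"
    }
}

# An enabled content filter with every SCL action turned off scores messages
# but never acts on them, so treat that as a finding too.
$cf = Get-ContentFilterConfig
if ($cf.Enabled -and -not ($cf.SCLDeleteEnabled -or $cf.SCLRejectEnabled -or $cf.SCLQuarantineEnabled)) {
    $findings += 'Content filter is enabled but no SCL delete/reject/quarantine action is set'
}

if ($findings.Count -eq 0) {
    Write-Output "All required anti-spam agents and filters are enabled on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it on each transport server after installation and again after any update, since a disabled agent fails silently: mail keeps flowing, just unscanned.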

6. Don’t forget the Mailbox server

Messages passed between mailboxes on the same Mailbox Server won’t pass through a Hub Transport server. Make sure messages are being scanned on the Mailbox Server.

7. Use a comprehensive antimalware suite on your clients

You want to make sure that your antimalware solution includes protection for Outlook as a last line of defense. It also protects against mail from any personal email accounts that users might set up their Outlook client to access, which they can do if they have administrative rights on their workstation.

As with all of your other servers, make sure you are also running antivirus on the operating system of each of your Exchange servers to protect the server itself. This step cannot be skipped: it is what protects your Exchange servers from threats that do not arrive by email. Remember, your Exchange servers are still Windows servers, with all of the services and administrative shares that all your other servers have. Keep in mind that client-style antimalware can interfere with Exchange if it is not properly configured. Make sure to follow Microsoft’s recommendations on exempting key directories and processes of Exchange to avoid any problems.
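One way to apply and verify those exemptions, as an added example that is not part of the original post: it uses the Microsoft Defender Antivirus cmdlets to add folder, extension and process exclusions for an Exchange server and then reads the configuration back to confirm they took effect. The folders, extensions and process names are illustrative of the kind of exclusions Microsoft publishes; the authoritative list for your Exchange version comes from Microsoft's documentation, not from this script. It assumes Defender is the OS-level antivirus, that the script runs elevated on the Exchange server, and that the ExchangeInstallPath environment variable set by Exchange setup is present.

```powershell
# Added example (not from the original post): configure Defender exclusions for
# an Exchange server and verify them. Assumes Defender is the OS antivirus, the
# shell is elevated, and ExchangeInstallPath is defined by Exchange setup.
# Paths, extensions and process names are examples; confirm them against
# Microsoft's published exclusion list for your Exchange version.

$installPath = $env:ExchangeInstallPath
if (-not $installPath) { throw 'ExchangeInstallPath is not set; is this an Exchange server?' }

# Mailbox databases, transport queues and logs sit under the install path by
# default; add the real database and log volumes if they were moved elsewhere.
$folderExclusions = @(
    (Join-Path $installPath 'Mailbox'),
    (Join-Path $installPath 'TransportRoles'),
    (Join-Path $installPath 'Logging')
)

# Database, transaction log, checkpoint, reserve log and queue file types.
$extensionExclusions = @('edb', 'log', 'chk', 'jrs', 'que')

# Transport and store processes (example names; verify against Microsoft's list).
$processExclusions = @(
    'EdgeTransport.exe',
    'MSExchangeTransport.exe',
    'Microsoft.Exchange.Store.Worker.exe'
)

Add-MpPreference -ExclusionPath      $folderExclusions
Add-MpPreference -ExclusionExtension $extensionExclusions
Add-MpPreference -ExclusionProcess   $processExclusions

# Read the effective configuration back and flag anything that did not apply.
$pref = Get-MpPreference
$missing = @()
$missing += $folderExclusions    | Where-Object { $pref.ExclusionPath      -notcontains $_ }
$missing += $extensionExclusions | Where-Object { $pref.ExclusionExtension -notcontains $_ }
$missing += $processExclusions   | Where-Object { $pref.ExclusionProcess   -notcontains $_ }

if ($missing.Count -eq 0) {
    Write-Output "All requested Exchange exclusions are in place on $env:COMPUTERNAME"
} else {
    Write-Warning "Exclusions not applied: $($missing -join ', ')"
}
```

Keep the exclusion list narrow: every excluded folder is a place the on-access scanner will never look, which is exactly why the list should come from Microsoft's guidance rather than from whatever happens to stop the interference.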

There are a lot of layers that need to be protected, but there are a lot of layers in an Exchange infrastructure, and each is just as important as any other. Covering all your bases is the best way to minimize your risks, and maximize your defenses.

Additional reading:

Information about GFI email security for Exchange Server/SMTP/Lotus solution

This guest post was provided by Ed Fisher on behalf of GFI Software, a software developer that produces network and messaging security solutions for SMBs.

1 Comment
  1. Koen 11 years ago

    Dear Ed,

    Your statement “Messages passed between mailboxes on the same Mailbox Server won’t pass through a Hub Transpothe the Hub Transport server, otherwise Transport rules could not be enforced.

    Ref. where it explicitly states: “The Hub Transport server role processes all messages that are sent inside the Microsoft Exchange Server 2010 organization before the messages are delivered to a recipient’s Inbox or are routed to users outside the organization. There are no exceptions to this behavior; messages are always passed through a server that runs the Hub Transport server role.”

    It’s still a good idea to have AV software on your mailbox role, it allows you to scan older mail with newer virus definitions.

© 4sysops 2006 - 2022