How to protect your Exchange infrastructure from malware attacks - Mon, Mar 7 2011
The best security solutions are layered ones, taking a defense in depth approach so that there is no single layer between vital information resources and disaster. Nowhere can this be more critical than in protecting your Exchange infrastructure from malware attacks. In this post we will go over the seven key layers you should have in your game plan.
1. Consider a cloud solution as the first line of defense
The right place to stop malware (and spam) is as far away from your systems as possible. Using a solid SaaS solution is a great way to filter out malware and spam before it ever gets to your perimeter. This saves you on bandwidth, CPU cycles, and storage space and can reduce the number of threats crossing your border by an order of magnitude.
2. Deploy a packet filtering firewall with intrusion prevention at the perimeter
This firewall should be able to recognise protocol level attacks and shun source addresses.
3. Use the Edge Transport Server role
The Edge Transport Server role is specifically designed to filter messages while they are still in your DMZ using anti-spam and antimalware agents. If something does get through, the inner firewall is still in place to protect your internal systems from threats. Use an antimalware product designed to work on the Edge Transport role and to scan messages with multiple engines.
4. Deploy that inner firewall
Whether this is a separate physical firewall or another VLAN of a three-legged deployment, this firewall not only protects your internal systems from threats, but should also block outbound SMTP from anything other than your Exchange infrastructure. That way, any malware on an internal host that tries to send SMTP messages directly will be both blocked and detected in the firewall logs.
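As an added example (not from the original post), this script shows the detection half of step 4: it reads inner-firewall connection logs and reports internal hosts other than the Exchange transport servers that attempted outbound SMTP. The log format, the addresses, and the set of Exchange servers are all assumed; the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed firewall log lines (not from the original post). The format is an
# assumption: "<timestamp> <ALLOW|DENY> proto=<p> src=<ip>:<port> dst=<ip>:<port>".
SAMPLE_LOG = """\
2011-03-07T09:00:01 ALLOW proto=tcp src=10.0.1.10:49152 dst=203.0.113.25:25
2011-03-07T09:00:02 ALLOW proto=tcp src=10.0.1.11:49153 dst=203.0.113.26:25
2011-03-07T09:00:05 ALLOW proto=tcp src=10.0.2.57:51000 dst=198.51.100.9:25
2011-03-07T09:00:06 ALLOW proto=tcp src=10.0.2.57:51001 dst=198.51.100.10:25
2011-03-07T09:00:07 DENY  proto=tcp src=10.0.2.57:51002 dst=198.51.100.11:25
2011-03-07T09:00:09 ALLOW proto=tcp src=10.0.2.58:51100 dst=198.51.100.9:443
2011-03-07T09:00:10 ALLOW proto=tcp src=10.0.3.5:51200 dst=198.51.100.12:587
"""

# Only the Exchange transport servers may originate SMTP (assumed addresses).
EXCHANGE_SMTP_SOURCES = {"10.0.1.10", "10.0.1.11"}
# Port 25 is SMTP; 587 (submission) is included as an assumption.
SMTP_PORTS = {25, 587}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_rogue_smtp(log_text, allowed_sources=EXCHANGE_SMTP_SOURCES, ports=SMTP_PORTS):
    """Return {src_ip: {"allowed": n, "denied": n}} for non-Exchange hosts that tried outbound SMTP."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in ports:
            continue
        if rec["src"] in allowed_sources:
            continue  # legitimate Exchange transport traffic
        counts = findings.setdefault(rec["src"], Counter())
        counts["allowed" if rec["action"] == "ALLOW" else "denied"] += 1
    return {src: dict(c) for src, c in findings.items()}


def policy_gaps(findings):
    """Hosts whose rogue SMTP was ALLOWED: the inner-firewall rule from step 4 is not enforced for them."""
    return sorted(src for src, c in findings.items() if c.get("allowed", 0) > 0)
```

A DENY entry for a non-Exchange host is the detection the post describes; an ALLOW entry means the outbound SMTP restriction is missing or bypassed and should be fixed.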
5. Implement antimalware on the Hub Transport Server
The Hub Transport Server role can also perform antimalware and anti-spam screening. Personally, I like to have one pair of antivirus engines running on the Edge Transport server, and a different pair on the Hub Transport, so that messages are scanned by four different engines overall.
6. Don’t forget the Mailbox server
Messages passed between mailboxes on the same Mailbox Server won’t pass through a Hub Transport server. Make sure messages are being scanned on the Mailbox Server.
7. Use a comprehensive antimalware suite on your clients
You want to make sure that your antimalware solution includes protection for Outlook as a last line of defense. It also helps to protect against any personal email accounts that your users might set up their Outlook client to access, which they can do if they have administrative rights.
As with all of your other servers, make sure you are also running antivirus on the operating system of each of your Exchange servers to protect the server itself. This is a critical step that cannot be skipped, to ensure that your Exchange servers are protected from threats that are not originating from email. Remember, your Exchange servers are still Windows servers, with all of the services and administrative shares that all your other servers have. Keep in mind that client antimalware can interfere with Exchange if it is not properly configured. Make sure to follow Microsoft’s recommendations on exempting key directories and processes of Exchange to avoid any problems.
That is a lot of layers to protect, but an Exchange infrastructure has a lot of layers, and each is just as important as any other. Covering all your bases is the best way to minimize your risks and maximize your defenses.
Additional reading:
- Top 10 Security Predictions For 2011
- File-Level Antivirus Scanning on Exchange 2010
- A Patch Management Strategy for Your Network
- Evolution of Defense in depth
This guest post was provided by Ed Fisher on behalf of GFI Software, a software developer that produces network and messaging security solutions for SMBs.
Dear Ed,
Your statement “Messages passed between mailboxes on the same Mailbox Server won’t pass through a Hub Transport server” […] the Hub Transport server, otherwise Transport rules could not be enforced.
Ref. http://technet.microsoft.com/en-us/library/bb123494.aspx where it explicitly states: “The Hub Transport server role processes all messages that are sent inside the Microsoft Exchange Server 2010 organization before the messages are delivered to a recipient’s Inbox or are routed to users outside the organization. There are no exceptions to this behavior; messages are always passed through a server that runs the Hub Transport server role.”
It’s still a good idea to have AV software on your mailbox role; it allows you to scan older mail with newer virus definitions.