Re: Hardening Windows 2003 Server and Exchange Server
Date: 16 Aug 2005 20:42:13 -0000
To: firstname.lastname@example.org

You should understand what security measures are available, and understand that any single product (in this case Microsoft) does not create a secure operating environment. While it is possible to secure most systems against a cursory invasion attempt, it becomes more difficult if you do not accept a layered approach. I will not be harsh on any particular vendor, but a firewall in my opinion should be dedicated to network protection. Server operating systems such as Microsoft's, Linux, BSD, Solaris, etc. are all multi-function systems. Sure, they can protect a network, but often with specialized configurations.
Broaden your horizons, and seek out hardware devices for your security needs. Several excellent ones are: Juniper/Netscreen (ASIC), Cisco PIX (yes, it's a UNIX), Nokia (BSD). They have already done the work for you.
Also, a good practice is to separate your private systems through the use of perimeter networks (DMZ). Use smart hosts for SMTP, reverse proxies for HTTP, and wireless access points on these perimeter networks (use VPN to communicate with your private network). You will sleep better at night knowing you have a distributed architecture with varying levels of access.
Another step is to check out the wealth of knowledge at www.nist.gov, especially the Common Criteria recommendations for Microsoft and other product vendors. There are also suggestions for EAL4 configurations if you want to follow government standards.
If you want some MORE reading, check out RFC 2196, ISO 17799, BS 7799, and the FDIC Technology Guide Booklet (sp?). Combine these references with the knowledge at NIST, and you are on your way to an understanding of security best practices.
Always remember that cheap security is very expensive.
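The perimeter design sketched in the post above (smart host for SMTP, reverse proxy for HTTP and a wireless segment all sitting in a DMZ, with a VPN as the only way from the wireless segment back into the private network), as an added example that is not part of the original message: a small first-match firewall policy model in Python. All address ranges, host names and the VPN gateway are constructed for illustration (RFC 5737 and RFC 1918 space); the IKE/NAT-T ports 500 and 4500 are the standard IPsec ports. The point it demonstrates is the "varying levels of access" the post mentions: a compromised DMZ host can reach exactly one inside service, and nothing on the Internet or the wireless segment has a direct path to Exchange.

```python
# Added example (not from the original post): first-match, default-deny
# zone policy for a DMZ-based perimeter. Addresses and hosts are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Zones (constructed). Note INTERNET is 0.0.0.0/0, so it also contains the
# private ranges; rule ordering below keeps "any" from swallowing the inside.
INTERNET = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")         # whole perimeter network
DMZ_WLAN = ip_network("192.0.2.32/27")   # wireless access point segment
INSIDE = ip_network("10.0.0.0/16")       # private network

# Hosts (constructed)
SMART_HOST = ip_network("192.0.2.10/32")     # SMTP relay in the DMZ
REVERSE_PROXY = ip_network("192.0.2.20/32")  # HTTPS front end in the DMZ
EXCHANGE = ip_network("10.0.1.25/32")        # inside mail server
OWA_FRONTEND = ip_network("10.0.1.80/32")    # inside web server behind the proxy
VPN_GATEWAY = ip_network("10.0.0.1/32")      # terminates tunnels from the WLAN


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]              # "tcp", "udp" or None for any
    ports: Optional[FrozenSet[int]]   # destination ports, None for any
    action: str                       # "allow" or "deny"
    note: str

    def matches(self, src, dst, proto, port) -> bool:
        return (src in self.src and dst in self.dst
                and (self.proto is None or proto == self.proto)
                and (self.ports is None or port in self.ports))


# Evaluated top to bottom; first match wins; anything unmatched is denied.
RULES = [
    Rule(INTERNET, SMART_HOST, "tcp", frozenset({25}), "allow",
         "inbound mail lands on the smart host, never on Exchange"),
    Rule(SMART_HOST, EXCHANGE, "tcp", frozenset({25}), "allow",
         "smart host relays inbound mail to Exchange"),
    Rule(EXCHANGE, SMART_HOST, "tcp", frozenset({25}), "allow",
         "Exchange hands outbound mail to the smart host"),
    Rule(INTERNET, REVERSE_PROXY, "tcp", frozenset({443}), "allow",
         "HTTPS from the Internet terminates on the reverse proxy"),
    Rule(REVERSE_PROXY, OWA_FRONTEND, "tcp", frozenset({443}), "allow",
         "reverse proxy forwards to the inside web server only"),
    Rule(DMZ_WLAN, VPN_GATEWAY, "udp", frozenset({500, 4500}), "allow",
         "wireless clients may only build a VPN tunnel (IKE / NAT-T)"),
    # Explicit deny before the broad outbound rules: no DMZ host may initiate
    # anything else into the private network, whatever the port.
    Rule(DMZ, INSIDE, None, None, "deny",
         "DMZ hosts cannot pivot into the inside"),
    Rule(SMART_HOST, INTERNET, "tcp", frozenset({25}), "allow",
         "smart host delivers outbound mail"),
    Rule(INSIDE, INTERNET, "tcp", frozenset({80, 443}), "allow",
         "inside users browse out"),
]


def decide(src: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
    """Return (action, reason) for a flow src -> dst:port over proto."""
    s, d = ip_address(src), ip_address(dst)
    for rule in RULES:
        if rule.matches(s, d, proto, port):
            return rule.action, rule.note
    return "deny", "default deny: no rule permits this flow"


# Constructed flows a reviewer would check against the design.
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", "tcp", 25),    # Internet -> smart host
    ("203.0.113.5", "10.0.1.25", "tcp", 25),     # Internet -> Exchange direct
    ("192.0.2.10", "10.0.1.25", "tcp", 25),      # smart host -> Exchange
    ("192.0.2.10", "10.0.1.50", "tcp", 25),      # smart host -> other inside host
    ("192.0.2.40", "10.0.0.1", "udp", 4500),     # wireless -> VPN gateway
    ("192.0.2.40", "10.0.1.80", "tcp", 443),     # wireless -> OWA without VPN
    ("203.0.113.5", "192.0.2.20", "tcp", 80),    # Internet -> proxy on plain HTTP
]


def audit(flows=SAMPLE_FLOWS):
    """Evaluate each flow; returns a list of (flow, action, reason)."""
    return [(f, *decide(*f)) for f in flows]


if __name__ == "__main__":
    for flow, action, reason in audit():
        print(f"{flow[0]:>13} -> {flow[1]:<12} {flow[2]}/{flow[3]:<5} {action:5}  {reason}")
```

Translate each `Rule` into your firewall vendor's syntax in the same order; the explicit DMZ-to-inside deny must sit above any "to any" outbound rule, otherwise the smart host's outbound SMTP rule would quietly also permit it to reach every inside host on port 25.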