Dougs Blog... Exchange Server (rarely) daily

from a Microsoft UK consultant & Microsoft Certified Master specialising in Exchange Server Online & On Premise...
Blog - News

Follow me on Twitter...

Have a look at a my blogs on 'You Had Me At EHLO...'
Protecting Exchange Data with DPM, CCR Decision Making Flowcharts, SCR Decision Making Flowcharts, On email archiving.

...and a few more here
High item counts - what do you do about it?, Archive v Big Mailboxes, Getting your Exchange 2007 Project Approved, (and the follow up 7 blogs), Recovery Scenarios Part 1, Recovery Scenarios Part 2, Recovery Scenarios Part 3, How quick will DPM backup?, Synchronous or Asynchronous Replication?, Why not stretch CCR?, Backup solutions for Exchange 2007..., Do we actually need to backup Exchange?, SAN v DAS.

Search
  • Advanced search options...
Tags
Options

Run your own Exchange Server Health Check.... Part 3

MSDN Blogs > Dougs Blog... Exchange Server (rarely) daily > Run your own Exchange Server Health Check.... Part 3

Run your own Exchange Server Health Check.... Part 3

12 Jun 2007 9:00 AM
  • Comments 2

Security

There are of lot of different parts to this topic.  A lot of this will be covered in the Operations Section and should include the following:

  • Mailbox Rights - do system administrators have access to mailboxes by default? Which accounts have access to which mailboxes? (There should be some scripts out there on the Internet to dump a list of mailbox rights for every mailbox.)
  • Do you use Windows Group Policies to enforce security?  For example are policies in place for; the security group membership on the Exchange servers, the state of Microsoft Windows and Exchange Server services, Local security policies.
  • How is external access to the Exchange Servers secured?  Do you use ISA or an equivalent to ensure the traffic is encrypted all the way from the client to the front or back end Exchange server?

There might also be potential security risks identified by ExBPA. The following are a few of many rules related to security:

  • A Secure Sockets Layer Certificate Will be Expiring Soon
  • Everyone security group is not denied the right to create top-level public folders
  • SMTP server accepts basic authentication
  • Anonymous access is allowed on internal SMTP virtual servers and dedicated SMTP virtual servers for IMAP and POP clients

I would also run MBSA for this section of the health check.  Install MBSA on your workstation and run it against each Exchange Server in turn.  Each time you run the tool against a computer a new scan report is created for you to review at a later data. The reports will be located in a 'SecurityScans' directory on your workstation. You should see a report similar to the following for each server: (This is just the top part from a sample MBSA report and shows one of the most obvious reasons for running MBSA - that is to determine the security update status for the server.)

mbsa

When you click on the 'Result Details' the tool will display which updates you are missing.

mbsa2

It is also important that review all the information that MBSA is reporting on.  For example in 'Administrative Vulnerabilities' the tool determines if there are any local user accounts on the computer with non-expiring passwords or that have blank or simple passwords.

mbsa3

Ideally in the Operations section of the health check you will have identified whether you have a good solid procedure in place to report on the security update status of your Exchange Servers and install updates as appropriate.  If you don't then use MBSA manually until you do.  For the purposes of this health check run MBSA against each server, list all missing updates, and other security vulnerabilities that MBSA highlights.

 

 

..'Run your own Exchange Server Health Check....  Part 4 - Server Performance' to follow soon...

Comments
Page 1 of 1 (2 items)
Leave a Comment
  • Please add 1 and 1 and type the answer here:
  • Post