Security Basics mailing list archives

Re: Hardening Windows 2003 Server and Exchange Server


From: kevinlh () hotmail com
Date: 16 Aug 2005 20:42:13 -0000

You should understand what security measures are available, and understand that any single product (in this case Microsoft) does not create a secure operating environment. While it is possible to secure most systems against a cursory invasion attempt, it becomes more difficult if you do not accept a layered approach. I will not harsh on any particular vendor, but a firewall in my opinion should be dedicated to network protection. Server OSes such as Microsoft, Linux, BSD, Solaris, etc. are all multi-function systems. Sure they can protect a network, but often with specialized configurations.

Broaden your horizons, and seek out hardware devices for your security needs. Several excellent ones are: 
Juniper/Netscreen (ASIC), Cisco PIX (yes, it's a UNIX), Nokia (BSD). They have already done the work for you.

Also, a good practice is to separate your private systems through the use of perimeter networks (DMZ). Use smart hosts for SMTP, reverse proxies for HTTP, and wireless access points on these perimeter networks (use VPN to communicate with your private network). You will sleep better at night knowing you have a distributed architecture with varying levels of access.

Another step is to check out the wealth of knowledge at www.nist.gov. Especially the Common Criteria recommendations for Microsoft and other product vendors. There are also suggestions for EAL4 configurations if you want to follow government standards.

If you want some MORE reading, check out RFC2196, ISO17799, BS7799, and the FDIC Technology Guide Booklet (sp?). With these references, along with the knowledge at NIST, you are on your way to an understanding of security best practices.

Always remember that cheap security is very expensive. 
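The perimeter layout the post recommends (Internet-facing smart host and reverse proxy in a DMZ, only those relays allowed inward, wireless users reaching the private network over VPN) can be written down as a zone-to-zone rule table and checked mechanically. The following is an added example, not code from the original post or from any vendor; the zone names, hosts, ports and rules are constructed for illustration, and the check it performs (default deny plus a search for rules that let the Internet reach the internal zone without passing through the DMZ) is the one a reviewer would run against a real firewall policy.

```python
# Added example (not from the original post): a small model of the DMZ
# segmentation described above. Zones, a default-deny rule table, and a
# check that the internal zone is never reachable straight from the
# Internet. All zone names, ports and rules here are constructed.
from dataclasses import dataclass
from typing import List

ZONES = ("internet", "dmz", "wireless", "internal")


@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    action: str   # "allow" or "deny"


# Constructed rule set mirroring the post's layout: an SMTP smart host and an
# HTTP reverse proxy in the DMZ relay inward; wireless clients may only open
# an IPsec VPN (IKE on UDP/500, NAT-T on UDP/4500) towards the private network.
RULES: List[Rule] = [
    Rule("internet", "dmz", "tcp", 25, "allow"),        # inbound mail -> smart host
    Rule("internet", "dmz", "tcp", 443, "allow"),       # HTTPS -> reverse proxy
    Rule("dmz", "internal", "tcp", 25, "allow"),        # smart host -> Exchange
    Rule("dmz", "internal", "tcp", 443, "allow"),       # reverse proxy -> OWA
    Rule("internal", "dmz", "tcp", 25, "allow"),        # outbound mail via smart host
    Rule("internal", "internet", "tcp", 443, "allow"),  # workstations browsing
    Rule("wireless", "internal", "udp", 500, "allow"),  # IKE for the VPN
    Rule("wireless", "internal", "udp", 4500, "allow"), # IKE/ESP NAT traversal
]


def evaluate(src: str, dst: str, proto: str, port: int,
             rules: List[Rule] = RULES) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone: {src!r} -> {dst!r}")
    if src == dst:
        return "allow"  # intra-zone traffic is not the perimeter firewall's job
    for r in rules:
        if (r.src, r.dst, r.proto, r.port) == (src, dst, proto, port):
            return r.action
    return "deny"


def direct_internet_to_internal(rules: List[Rule] = RULES) -> List[Rule]:
    """Rules that let the Internet reach the internal zone without passing
    through the DMZ, i.e. violations of the layered design."""
    return [r for r in rules
            if r.src == "internet" and r.dst == "internal" and r.action == "allow"]


if __name__ == "__main__":
    for flow in [("internet", "dmz", "tcp", 25),
                 ("internet", "internal", "tcp", 25),
                 ("internet", "dmz", "tcp", 3389),
                 ("wireless", "internal", "tcp", 445)]:
        print(flow, "->", evaluate(*flow))
    print("direct internet->internal allow rules:", direct_internet_to_internal())
```

Feeding a real policy export into the same two functions is the useful part: a rule that answers "allow" for Internet to internal, or a non-empty result from `direct_internet_to_internal`, means the DMZ is being bypassed and the layering the post argues for is not actually in place.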

