Configuring a Secure Exchange 2010 Environment


This article goes over securing your Exchange 2010 environment while maintaining uptime. Because Exchange 2010 splits its functions into separate server roles, each role can be secured according to the function it performs.

Exchange 2010 Client Access Servers (CAS) are the point of contact for clients and are often exposed to the internet, which makes them an attractive target. The certificate Exchange installs by default is self-signed and is not trusted by external clients, so configure a certificate issued by a public CA for the web services; this lets client traffic reach the server over TLS on port 443 without certificate warnings. A public certificate authority such as Verisign or Digicert requires you to prove your organization's identity before it will issue a certificate. Request a SAN (Subject Alternative Name) certificate: it carries several DNS names, so one certificate can cover the internal and external names and aliases you have set for your Exchange servers. For example, if your internal name is cas.internaldomain.com and your external name is webmail.externaldomain.com, both names must be in the certificate, and so must the Autodiscover name (autodiscover.<your SMTP domain>) that Outlook looks up. Note that public CAs no longer issue certificates containing internal-only names or short host names, so use names under a domain you own publicly throughout. Once your identity is verified with the CA and you have an account, you are ready to request a certificate. The request is generated on an Exchange 2010 Client Access Server; follow the steps below.

  1. RDP to the Exchange 2010 Client Access Server.
  2. Open START > ALL PROGRAMS > MICROSOFT EXCHANGE SERVER 2010 > EXCHANGE MANAGEMENT SHELL.
  3. Run the following. Every name clients will use (including autodiscover) goes in -DomainName; save the request with Set-Content rather than the > redirection operator, which writes UTF-16 and is rejected by some CA request forms:
    $req = New-ExchangeCertificate -GenerateRequest -DomainName casserver.domain.com,webmail.domain.com,autodiscover.domain.com -PrivateKeyExportable $true -SubjectName "c=US, o=companyname, cn=casserver.domain.com"
    Set-Content -Path c:\cert.req -Value $req
  4. Submit cert.req to the public CA; it returns the signed certificate, typically as a .cer file. Importing that file on the server that generated the request pairs it with the private key already in the local certificate store. If you have more than one CAS server, export the certificate with its private key from this server (Export-ExchangeCertificate -BinaryEncoded -Password) as a PFX and import that on the other servers; a request generated elsewhere has a different key, and the CA's certificate will not pair with it.
  5. Use the command below to import the certificate on your CAS server (Import-ExchangeCertificate reads the file as bytes):
    Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\cert.cer -Encoding Byte -ReadCount 0))
  6. Now enable the newly imported certificate for the Exchange services. Get-ExchangeCertificate lists the thumbprints; then run Enable-ExchangeCertificate, adding SMTP to the list if this server also offers TLS for SMTP. For example:
    Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services "IIS,IMAP,POP"
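The two checks a practitioner wants after the steps above are whether the SAN list actually covers every name Exchange hands to clients, and a repeatable way to copy the certificate to the remaining CAS servers. The following PowerShell is an added example, not code from the original article: it runs in the Exchange Management Shell and uses Get-ExchangeCertificate and the virtual-directory cmdlets to compare published host names against the certificate, then exports and imports the PFX. The server names (CAS01, CAS02, CAS03), the PFX path and the password prompt are assumptions.

```powershell
# Added example, not part of the original article. Run in the Exchange
# Management Shell on a CAS server. Server names, file path and the PFX
# password below are assumptions to replace for your environment.

# Host names Exchange hands to clients: Autodiscover, OWA, ECP, EWS,
# ActiveSync, OAB and Outlook Anywhere. Outlook compares these against the
# certificate, so a name missing from the SAN list produces warnings even
# though the certificate itself is valid.
function Get-PublishedHostNames {
    param([string]$Server = $env:COMPUTERNAME)
    $names = @()
    $names += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    $vdirs = @(Get-OwaVirtualDirectory -Server $Server) +
             @(Get-EcpVirtualDirectory -Server $Server) +
             @(Get-WebServicesVirtualDirectory -Server $Server) +
             @(Get-ActiveSyncVirtualDirectory -Server $Server) +
             @(Get-OabVirtualDirectory -Server $Server)
    foreach ($vd in $vdirs) { $names += $vd.InternalUrl; $names += $vd.ExternalUrl }
    $names = @($names | Where-Object { $_ } | ForEach-Object { ([System.Uri]$_).Host })
    $oa = Get-OutlookAnywhere -Server $Server -ErrorAction SilentlyContinue
    if ($oa -and $oa.ExternalHostname) { $names += [string]$oa.ExternalHostname }
    $names | ForEach-Object { $_.ToLower() } | Sort-Object -Unique
}

# A wildcard entry such as *.domain.com covers exactly one label: it matches
# webmail.domain.com but not domain.com or a.b.domain.com.
function Test-NameCovered {
    param([string]$Name, [string[]]$CertDomains)
    $Name = $Name.ToLower()
    foreach ($d in $CertDomains) {
        $d = $d.ToLower()
        if ($d -eq $Name) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                      # ".domain.com"
            $prefix = $Name.Substring(0, [Math]::Max(0, $Name.Length - $suffix.Length))
            if ($Name.EndsWith($suffix) -and $prefix -and -not $prefix.Contains('.')) { return $true }
        }
    }
    return $false
}

# Report on the certificate bound to IIS: trust, expiry and any published
# name it does not cover. An empty MissingNames means the SAN list is complete.
function Test-ExchangeIisCertificate {
    param([string]$Server = $env:COMPUTERNAME)
    $cert = Get-ExchangeCertificate -Server $Server |
            Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
    if (-not $cert) { throw "No certificate is enabled for IIS on $Server" }
    $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    $missing = @(Get-PublishedHostNames -Server $Server |
                 Where-Object { -not (Test-NameCovered -Name $_ -CertDomains $domains) })
    New-Object PSObject -Property @{
        Server       = $Server
        Thumbprint   = $cert.Thumbprint
        IsSelfSigned = $cert.IsSelfSigned   # the default cert; untrusted by external clients
        DaysToExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
        MissingNames = $missing
    }
}

# Copy the certificate and its private key to the other CAS servers. The
# request must have been generated with -PrivateKeyExportable $true.
function Copy-ExchangeCertificateToServers {
    param([string]$Thumbprint, [string[]]$TargetServers, [string]$PfxPath,
          [System.Security.SecureString]$Password)
    $pfx = Export-ExchangeCertificate -Thumbprint $Thumbprint -BinaryEncoded -Password $Password
    Set-Content -Path $PfxPath -Value $pfx.FileData -Encoding Byte
    foreach ($s in $TargetServers) {
        Import-ExchangeCertificate -Server $s -Password $Password `
            -FileData ([Byte[]]$(Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0)) |
            Enable-ExchangeCertificate -Server $s -Services 'IIS,IMAP,POP'
    }
    Remove-Item -Path $PfxPath   # the PFX holds the private key; do not leave it on disk
}

# Usage with assumed names:
Test-ExchangeIisCertificate -Server CAS01 | Format-List
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Copy-ExchangeCertificateToServers -Thumbprint '<thumbprint>' -TargetServers CAS02,CAS03 `
    -PfxPath 'C:\cert.pfx' -Password $pw
```

Run the test function before and after a certificate change; a non-empty MissingNames is the usual cause of the "the name on the security certificate is invalid" prompt in Outlook even when the certificate chains to a public root. The copy function removes the PFX after import because the file is as sensitive as the private key itself.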


Securing Hub Transport Servers

One advantage of the Exchange 2010 design is that every email flows through a Hub Transport server, so messages can be scanned there. Since the Hub Transport role is comparatively light on server resources, it is the right place to scan messages rather than the Mailbox role: antivirus scanning on Mailbox servers adds I/O latency and, if a file-level scanner touches the database or transaction log files, can corrupt the database. Microsoft also supports installing the anti-spam agents on a Hub Transport server. Run the script "C:\Program Files\Microsoft\Exchange Server\V14\Scripts\install-AntispamAgents.ps1", then restart the Microsoft Exchange Transport service so the agents load. This allows spam filtering to take place on the Hub Transport servers instead of on a third-party email gateway. You can also block certain types of attachments on the Hub Transport server by creating transport rules. To do this:

  1. RDP to Exchange 2010 hub transport server.
  2. Open START > ALL PROGRAMS > EXCHANGE 2010 > Exchange Management Console
  3. Go to Organization Configuration > Hub Transport
  4. Click “New Transport Rule”
  5. When asked for conditions, choose "When any attachment file name matches text patterns"
  6. Enter the desired patterns, such as "\.vbs$". The pattern is a regular expression: a bare ".vbs" matches any character followed by "vbs" anywhere in the name, so escape the dot and anchor with "$" to match only the extension.
  7. Follow the on-screen instructions to choose the action (reject the message with an explanation, or delete it silently) and finish the wizard.
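The same rule can be created from the Exchange Management Shell, which is easier to review and to reproduce on another organization than console clicks. The PowerShell below is an added example and not code from the original article; it uses New-TransportRule with -AttachmentNameMatchesPatterns. The rule name, the extension list and the rejection text are assumptions.

```powershell
# Added example, not part of the original article. Run in the Exchange
# Management Shell. The rule name, extension list and reject text are
# assumptions; adjust them for your environment.

# Extensions to block. This list is an assumption, not one the article
# prescribes; it covers the usual script hosts and executables.
$blockedExtensions = 'vbs','vbe','js','jse','wsf','wsh','hta','exe','scr','pif','com','bat','cmd'

# Transport-rule patterns are regular expressions. The bare pattern ".vbs"
# from the console walkthrough would also fire on "avbsreport.txt" (any
# character followed by "vbs"), so escape the dot and anchor to the end of
# the file name. One pattern per extension keeps the stored rule readable.
$patterns = $blockedExtensions | ForEach-Object { '\.' + $_ + '$' }

$ruleName = 'Block script and executable attachments'

if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    # Rejecting with an NDR tells legitimate senders why the message bounced.
    # Use -DeleteMessage $true instead if the NDRs would go to forged sender
    # addresses (backscatter). The enhanced status code must be 5.7.1 or in
    # the 5.7.900-5.7.999 range.
    New-TransportRule -Name $ruleName `
        -Priority 0 `
        -AttachmentNameMatchesPatterns $patterns `
        -RejectMessageReasonText 'This attachment type is not accepted by policy. Contact the helpdesk if you need to exchange this file.' `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -Comments 'Blocks script/executable attachments by file extension.'
}

# Review what was stored: State should be Enabled and every pattern anchored.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, AttachmentNameMatchesPatterns, RejectMessageReasonText
```

After creating the rule, send test messages through it: one with a plain `.vbs` attachment, one with the extension in upper case, and one with the script inside a `.zip`. The first must bounce; the other two tell you whether the pattern match is case-sensitive on your build and whether archives need a separate rule, rather than assuming either.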


You can also configure the Hub Transport server to reject mail from a specific SMTP server. This is done with the IP Block list, which belongs to the Connection Filtering agent that the anti-spam agents script installs. If another SMTP server of yours relays inbound mail to this one, add that relay with Set-TransportConfig -InternalSMTPServers; otherwise the agent evaluates your relay's address instead of the originating sender's and the block list never matches. To add an entry:

  1. RDP to the Exchange 2010 Hub Transport server.
  2. Open START > ALL PROGRAMS > MICROSOFT EXCHANGE SERVER 2010 > Exchange Management Shell
  3. Run the command below (use -IPRange with CIDR notation for a whole network, and -ExpirationTime for a temporary block)
    Add-IPBlockListEntry -IPAddress 98.34.3.34
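The block-list entry above only does anything once the anti-spam agents are installed and the Connection Filtering agent sees the real sender address, so the complete procedure is worth showing end to end. The PowerShell below is an added example, not code from the original article; it installs the agents, declares the internal relays, adds static entries, bulk-loads a list from a file and verifies the result. The IP addresses, ranges and file path are assumptions (documentation ranges, not real senders).

```powershell
# Added example, not part of the original article. Run in the Exchange
# Management Shell on a Hub Transport server. Addresses, ranges and the
# file path are assumptions; the relay addresses must be your own.

# 1. Install the anti-spam agents (once per Hub Transport server). They do
#    not become active until the transport service restarts.
& (Join-Path $env:ExchangeInstallPath 'Scripts\install-AntispamAgents.ps1')
Restart-Service MSExchangeTransport

# 2. Declare SMTP hosts of yours that hand mail to this server (an Edge
#    server, a relay, a gateway). Connection filtering then walks past that
#    hop in the Received headers and evaluates the real sender's address.
#    The @{Add=...} form appends instead of replacing the existing list.
Set-TransportConfig -InternalSMTPServers @{Add='192.0.2.10','192.0.2.11'}

# 3. Static entries: a single host, a CIDR range, and a temporary block that
#    expires on its own. Record why each entry exists.
Add-IPBlockListEntry -IPAddress 98.34.3.34 -Comment 'Phishing source, ticket 1234'
Add-IPBlockListEntry -IPRange 203.0.113.0/24 -Comment 'Abusive hosting range, ticket 1234'
Add-IPBlockListEntry -IPAddress 198.51.100.7 -ExpirationTime (Get-Date).AddDays(7) `
    -Comment 'Temporary block pending abuse-desk reply'

# 4. Bulk-load a text file of addresses or CIDR ranges (one per line, "#"
#    comments allowed), skipping entries that are already present.
function Add-IPBlockListEntriesFromFile {
    param([string]$Path, [string]$Comment = 'Bulk import')
    $existing = @(Get-IPBlockListEntry | ForEach-Object { $_.IPRange.ToString() })
    Get-Content -Path $Path | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') -and ($existing -notcontains $_) } |
        ForEach-Object {
            if ($_ -like '*/*') { Add-IPBlockListEntry -IPRange $_ -Comment $Comment }
            else                { Add-IPBlockListEntry -IPAddress $_ -Comment $Comment }
        }
}
Add-IPBlockListEntriesFromFile -Path 'C:\blocklist.txt' -Comment 'Weekly abuse feed'

# 5. Confirm the agent is enabled and the list holds what you expect.
Get-TransportAgent 'Connection Filtering Agent' | Format-List Identity, Enabled, Priority
Get-IPBlockListConfig | Format-List Enabled, ExternalMailEnabled
Get-IPBlockListEntry | Sort-Object { $_.IPRange.ToString() } |
    Format-Table IPRange, ExpirationTime, HasExpired, Comment -AutoSize
```

A static block list is reactive by nature: it stops a sender you have already identified. Treat it as the emergency control alongside the agents' other filters, and prune expired and unexplained entries during regular reviews so the list stays meaningful.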