By Michael Caton  |  Posted 2003-09-22

Exchange 2003 security is a mixed bag. We found a considerable number of improvements that will provide meaningful benefits to Exchange sites, specifically in the areas of virus and spam control.

For example, the anti-virus API has been updated to allow anti-virus products to run on servers without mailboxes so that an Exchange system can now serve as an anti-virus gateway. The new API also allows an anti-virus application to delete messages and send responses to the sender. This latter feature will require much consideration in practical deployment, given the way that viruses now have the propensity to create overwhelming e-mail traffic in just a single direction.

Exchange 2003 offers a number of anti-spam features, including the ability to block HTML e-mail content in Outlook 2003 and Outlook Web Access. This prevents spammers from validating e-mail addresses using links in messages to external content. From a practical standpoint, the fact that Microsoft enables this feature by default may cause headaches for administrators fielding requests from users receiving legitimate content.

We found the more compelling feature to be inbound recipient filtering. This filters inbound e-mail based on recipient addresses and sender permissions. This will likely discourage unsolicited e-mail while still giving legitimate senders a chance to connect with users because the sender receives a nondelivery report.

We also appreciated the ability to create and manage real-time safe and block lists to help manage the flow from co-opted Internet addresses and re-establish connections using a postmaster account.

Microsoft has also enhanced the security of Outlook Web Access by adding forms-based authentication and time-based log-off.

Some security lessons are never learned, however, and Microsoft has made a number of decisions that will put companies at risk in the name of simplicity.

Although Outlook Web Access is a compelling feature that delivers a great deal of value, enabling it (and access from mobile devices) by default for every user exposes companies to a good deal of risk. Creating a well-designed Exchange security architecture and enforcing good password policies take considerable effort and resources that many companies just don't have. Installing a feature that some administrators may not have the resources to manage introduces them to unreasonable risk.

Another convenience feature that could create more problems than it solves is the one that connects an Outlook 2003 system outside the firewall to an Exchange 2003 server via an HTTP/HTTP Secure connection. It also requires Windows Server 2003 running the RPC (Remote Procedure Call) proxy service. This feature would allow a company to provide access to e-mail without requiring deployment of a VPN client. Windows includes a VPN client, so we can't figure out what the value-add is here, given the associated risks.

On the deployment side, Exchange includes a number of tools to help companies migrate from early versions of Exchange to this update. The tools will make it easier to avoid some of the pitfalls associated with installing necessary updates and tools required for a successful installation, but they just don't make the product easier to deploy.

From a user management perspective, the lack of integration between Exchange System Manager and Active Directory can be maddening. We found it particularly frustrating that there was no easy way to create a mailbox for a user who already existed in Active Directory. Likewise, the fact that a user's mailbox is not visible in Exchange System Manager until the user logs in left us wondering frequently if we had successfully created a new mail account in the Active Directory user manager.

Most of Exchange 2003's improvements for end users focus on the Outlook Web Access experience, but Outlook 2003 includes one feature that should, at the very least, cut down on help desk calls: When used with Exchange 2003, Outlook 2003 can cache mailbox data locally. Not only does this reduce network bandwidth, but when the network goes down briefly, users are less likely to notice the interruption.

Outlook Web Access has a new user interface that more closely resembles the interface in Outlook 2003. Although this doesn't obviate the need for training, Outlook 2003 users should be able to use the new Web client without much difficulty.

User interface improvements include easier management of meeting requests against the calendar, as well as the addition of a reader pane. A number of convenience features, such as right-click menu options and personal tasks, are also now available through the Web client.

For companies that want to use Outlook Web Access in a kiosk environment, device access license, rather than client access license, pricing makes this an affordable proposition.

Technical Analyst Michael Caton can be contacted at michael_caton@ziffdavis.com.
