Assessing security at the edge of an Exchange 2007 network

Testers point to potential e-mail security issues
By Rodney Thayer, Joel Snyder, Network World Lab Alliance, Network World, 01/08/2007

With Exchange 2007, Microsoft has introduced the concept of an Edge Transport server which is the outward-facing messaging component for handling SMTP network traffic.

An Exchange 2007 server in this role can send and receive Internet mail for the Exchange network (and do such things as blocking viruses and spam) but isn’t joined to the Active Directory domain. With this in place, Microsoft claims you can minimize security exposure.

We performed an initial security evaluation of the Edge Transport mode of Exchange as you would in an enterprise while doing the initial research on what it would take to deploy and defend Exchange 2007.

The first thing you notice is that the Edge Transport is definitely not the only thing at the edge. Outlook Web Access services and direct connections from Outlook clients and mobile devices still talk directly to Exchange servers that are fully part of the trusted inner circle. So the Edge Transport server handles strictly SMTP-based communications, which is only a part of the potential attack surface.

Current attack strategies often focus on Microsoft’s RPC mechanisms, IIS Web server transactions, and vulnerable behavior of the email client, such as Outlook. SMTP attacks are simply not all that popular today. The Edge Transport is a sort of Maginot Line, in that Microsoft has put a lot of effort into defending something that may well not be where the attacks come from.

The Edge Transport uses a lightweight interface to Active Directory, ADAM (Active Directory Application Mode), to tie into the larger Exchange 2007 network. This limits the amount of directory information present near the edge to the minimum needed: the email addresses to be accepted.

The Edge Transport enforces email and security policies through message header inspection, content inspection and blacklist/whitelist management for all email traffic. Microsoft layers its anti-virus/anti-spam product, Forefront Security, on top of the Edge Transport server to block inappropriate email. Microsoft offers some protections in the communication between the Edge Transport server and the rest of the Exchange network to ensure that spam and virus verdicts cannot be faked by an attacker.
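As an added illustration (not code from the article or from Microsoft), here is a minimal edge-side policy check in Python that mirrors the mechanisms just described: recipient validation against the edge's minimal address list, sender IP blacklist/whitelist handling, and stripping any externally supplied verdict header before the edge stamps its own. The header name X-Edge-Spam-Verdict, the address list, the IP ranges and the sample message are constructed for this example and are not Exchange's own names or values.

```python
import ipaddress
import email
from email import policy

# Constructed sample data: the minimal directory view an edge host would hold
# (only the recipient addresses to be accepted) plus sender IP allow/deny lists.
ACCEPTED_RECIPIENTS = {"alice@example.com", "bob@example.com"}
SENDER_WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]
SENDER_BLACKLIST = [ipaddress.ip_network("198.51.100.0/24")]
# Hypothetical name for the internal verdict header; not an Exchange header name.
VERDICT_HEADER = "X-Edge-Spam-Verdict"

# Constructed inbound message that tries to pre-stamp a "clean" verdict.
SAMPLE_MESSAGE = (
    "From: someone@example.net\r\nTo: alice@example.com\r\n"
    f"{VERDICT_HEADER}: clean\r\nSubject: hello\r\n\r\nbody text\r\n"
)

def ip_in(ip, networks):
    """True if the client IP falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def verdict_headers(message_text):
    """List the verdict header values present in a message (for inspection)."""
    msg = email.message_from_string(message_text, policy=policy.default)
    return msg.get_all(VERDICT_HEADER, [])

def evaluate_at_edge(client_ip, envelope_rcpts, raw_message):
    """Return (decision, message_text_to_relay_inward or None).

    decision is 'reject', 'accept' (scan downstream) or 'accept-unfiltered'."""
    if ip_in(client_ip, SENDER_BLACKLIST):
        return "reject", None
    # Recipient validation needs only the synced address list, nothing more.
    if any(r.lower() not in ACCEPTED_RECIPIENTS for r in envelope_rcpts):
        return "reject", None
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Verdict headers arriving from outside are untrusted: drop every copy so
    # an external sender cannot forge a verdict for the inner Exchange servers.
    del msg[VERDICT_HEADER]
    if ip_in(client_ip, SENDER_WHITELIST):
        msg[VERDICT_HEADER] = "skip"
        return "accept-unfiltered", msg.as_string()
    msg[VERDICT_HEADER] = "scan"
    return "accept", msg.as_string()

if __name__ == "__main__":
    print(evaluate_at_edge("203.0.113.5", ["alice@example.com"], SAMPLE_MESSAGE)[0])
```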

Another issue lies in the fact that there isn’t really any documentation on Exchange 2007 security deployment and internals.

There are online help files and many, many pages on the vendor’s web sites, blogs, and affiliated Internet Exchange love fests. However, there is no manual with a part number and version number that you can point to if your auditors ask you precisely what vendor documentation you are using.

This isn’t specific to Exchange 2007, of course; Microsoft’s documentation strategy has never focused on delivering complete manuals that describe the operation and management of its products.
