Over the past decade, email has emerged as one of the most important business applications. Because Microsoft Exchange Server has the largest market share of any enterprise messaging platform, understanding the security implications of your Exchange environment has become of paramount importance to the success of your IT operations. Whether you're a Windows or Exchange administrator, corporate IT manager or executive, or a security officer or consultant working in an Exchange environment, "Secure Messaging with Microsoft Exchange Server 2003" is the book for you. Paul Robichaux, well-known Windows & .NET Magazine Contributing Editor, Exchange expert, and Microsoft Exchange MVP, sets out "to help you assess the security of your Microsoft Exchange 2003 messaging systems, and then fix any deficiencies you find."
Lest you think this book is solely focused on S/MIME or other traditional Exchange security topics, you'll be pleasantly surprised at the breadth and depth of the topics covered. Beginning in Part I, "Security Fundamentals," Paul sets out to define security. A secure system, he maintains, is one that "allows authorized users timely access to data, the integrity of which has been maintained." This discussion leads logically into an explanation of authentication, access control, and data integrity--along with a discussion of security breaches involving confidentiality, privacy, malicious code, and rights management.
In chapters two and three, Paul takes us through the role of protocols and algorithms in providing authentication and identity verification, encryption, and non-repudiation, and explains how each of these applies in a Windows and Exchange environment. These chapters are followed by a clear and concise discussion of threat and risk assessment as it pertains to an Exchange environment, including an interesting discussion of Microsoft's STRIDE risk assessment model.
Chapters six to ten make up Part II, "Exchange Server Security," which focuses on securing the physical Exchange servers that make up a given Exchange environment. Here, Paul discusses perhaps the most commonly known elements of Exchange security: patch management, delegation, relaying, spam filtering, antivirus filtering, disclaimers, and content control. I especially like his detailed coverage of the Microsoft Baseline Security Analyzer (MBSA) and the explanation of Exchange 2003's spam filtering engine.
Part III, "Communications Security," shifts the focus from securing your servers to securing the communications between those servers and with the rest of the world. Paul starts this section by addressing TLS and SMTP, and follows with a section on IPSec. I was impressed to see a section on Publishing MAPI RPCs over ISA Server--a poorly understood topic that is generally overlooked by books about Exchange Server. Of course, no book on Exchange 2003 would be complete without addressing RPC over HTTPS, and Paul handles this topic well. He even includes a brief section on troubleshooting RPC over HTTPS, which should be welcomed by anyone trying to set it up. Paul closes Part III with a section on S/MIME and a discussion of Microsoft's new Windows Rights Management Services (RMS)--along with detailed information about using certificate authorities in an Exchange environment.
Once you've learned about securing your servers and your communications channels, Part IV, "Client Security," takes a hard look at the many client access points that could be used to reach a given Exchange infrastructure. Paul addresses Outlook clients, Outlook Web Access (OWA) portals, POP and IMAP clients, and mobile clients (in Chapter 16, "Securing Mobile Exchange Access," which is actually in Part V instead of Part IV, where I think it belongs). Readers will find a useful reference of policy settings for Outlook Cryptographic Features (Table 13-3, for when you have the book), along with a great discussion of Information Rights Management using Windows RMS Server's ability to integrate with Microsoft Office, and many, many other useful tips and tricks.
Securing the servers, communications processes, and points of entry into an Exchange environment is only part of the picture, however. Part V, "Advanced Topics," contains some of the real groundbreaking gems of this book. Chapter 17 (written by Joshua Konkle of KVS Software) and Chapter 20, "The Law and Your Exchange Environment" (written by William J. Friedman, former Duke University law professor and former Federal Communications Commission counsel), alone are well worth the price of the book. With the ever-increasing effect that industry-wide policies such as the Sarbanes-Oxley Act, HIPAA, SEC Rules 17a-3 and 17a-4, and many other overarching policies have on corporate Exchange environments, being able to discover areas of compliance or non-compliance and then act appropriately is becoming more and more critical to minimizing risk and liability in the enterprise messaging arena today.
Paul Robichaux's goal in writing "Secure Messaging with Microsoft Exchange Server 2003" was to help "assess the security of your Microsoft Exchange 2003 messaging systems, and then fix any deficiencies you find." With its well-organized approach to understanding security, securing your servers, securing your email communications, securing the clients that access your Exchange infrastructure, and understanding your policy-related obligations in light of sweeping legislation and the many corporate guidelines facing companies today, this book more than meets that goal. Paul has brought his years of experience, the input of the Microsoft Exchange Product Group, and the Exchange community as a whole to bear in this outstanding book on Exchange 2003 security.
Secure Messaging with Microsoft Exchange Server 2003
Author: Paul Robichaux
Publisher: Microsoft Press
Published: March 2004
ISBN: 0735619905
Paperback, 506 pages
Price: U.S.A. $49.99; Canada $72.99