For many organizations, Exchange Server 5.5 and Windows NT 4.0 continue to offer reliable service. Such organizations might see few compelling reasons to upgrade, and as a result, you might see Exchange 5.5 in service for a couple more years. Unfortunately, when the time comes to tighten security, many of these Exchange servers sit neglected. Let's review some practical advice for tightening security when you run Exchange 5.5 on NT 4.0. Specifically, let's discuss how to keep up with the latest service packs, secure Windows, lock down Microsoft IIS and Microsoft Outlook Web Access (OWA), enable Secure Sockets Layer (SSL), enable auditing, and instigate general and client-side security measures. (For information about setting up and maintaining Exchange 5.5 on NT 4.0, see "The Exchange 5.5 Reality Check," February 2003, http://www.exchangeadmin.com, InstantDoc ID 27483.)
As with any changes or updates, don't apply all fixes and security-related changes at once. Start with the OS updates, then wait a few days before applying the Exchange 5.5 updates. After a few more days, you can make the security-related changes. When you do make changes, make sure that you understand what you've done and how to reverse the process if necessary.
Service Packs
Your first line of defense when securing any computer is to install the most recent service packs and security fixes. This step entails applying updates to all applications running on your server, but most important the OS, IIS, Microsoft Internet Explorer (IE), and antivirus software. Be sure to check for any interdependencies and potential conflicts between updates you install and your antivirus software.
When you apply patches, the starting point is the OS. If you haven't already, install NT 4.0 Service Pack 6a (SP6a) and the SP6a Security Rollup Package 1 (SRP1), which the Microsoft article "Post-Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP—http://support.microsoft.com/?kbid=299444) documents. Microsoft has released several hotfixes that fix security problems, buffer overflows, and other vulnerabilities since releasing NT 4.0 SP6a SRP1. You can find these hotfixes at the Microsoft Web site at http://www.microsoft.com/downloads.
When you apply service packs and fixes, go ahead and upgrade the server's copy of IE to IE 6.0 SP1 or IE 5.5 SP2. You can then run Microsoft Baseline Security Analyzer (MBSA) 1.1, which replaces HFNetChk, to determine whether you're missing hotfixes. For information about MBSA, see the Microsoft article "Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool Is Available" (http://support.microsoft.com/?kbid=303215). Apply any hotfixes that the tool recommends, especially any that relate to security or buffer overruns.
Next, make sure you update your Exchange server with the latest fixes and updates. The latest service pack for Exchange 5.5 is SP4. Since releasing SP4, Microsoft has issued several updates that you should apply. Web Table 1 (http://www.exchangeadministrator.com, InstantDoc ID 37532) lists these updates and the Microsoft articles you should refer to for more information. I suggest that you apply these fixes in the order that the table presents them.