Microsoft Exchange 2000 Operations Guide — Version 1.072
Chapter Sections
This chapter covers the following procedures:
◆ Protection against hacking
◆ Anti-virus measures
◆ Disaster recovery procedures
◆ Recovery testing
◆ Backup
◆ Restore
Protection Against Hacking
Whenever you consider protecting your organization against malicious attack, it is worth
recalling one of the golden (and most disillusioning) rules of security: the majority of
attacks on a network security come from inside. The reasons for this are obvious. Security
is typically more relaxed on the inside of an organization than on the outside, and employ-
ees generally have far more knowledge of the workings of a company than outsiders.
Security of an e-mail system is extremely important, because of the power associated with
it. Envisage a scenario where an unhappy employee (it is possible that even your company
contains some of these people) manages to gain access to their managers e-mail account.
The unhappy employee then sends various e-mails posing as their manager, authorizing
various decisions that adversely affect the company (and thus their managers position).
To gain access to another person’s e-mail account you need to either log in as that person,
or gain administrative access to Active Directory, allowing you to grant send as and receive
as permissions on the mailbox. (Specifically, you require Account Operator or greater
access on the user object and Exchange administrative permissions on the mailbox itself to
make the changes.)
The problem with the former method of attack is that it is almost impossible for opera-
tions to spot, as the user is successfully logging in as the other party. However, there are
steps you can take. In particular, you should have a method for users to report any unusual
activity with their e-mail accounts, and you should teach the users how to report any such
activity. Typically this would be to notify the help desk. Any reported unusual activity on
e-mail should be treated as a security violation and investigated immediately.
Mailboxes that are being accessed by someone other than the primary mailbox owner are
reported in the Event Log. Wherever possible, you should ensure that you are notified
whenever a security descriptor on a mailbox is chanted. If you are able to also maintain a
list of users who should be able to access each mailbox, then you will be able to compare
any changes against this list. At the very least, you should try and collect Event Log
information that you can consult in the event of a security problem.