Exchange 2003 Secure?

Printable View

June 30th, 2003, 03:19 PM
tonybradley

Exchange 2003 Secure?

Development of Exchange 2003 is set to end sometime next week. I haven't heard an "official" release date, but the article below claims it should coincide with the release of Office 2003 in June sometime.

Has anyone had a chance to use a beta version or play with this at all? I am curious specifically what changes have been made to make it more secure.

One thing I know Microsoft did was to involve more people and more organizations in the testing process and they brought in outside firms like @Stake to perform penetration and vulnerability testing.

Does anyone have any insights or opinions on whether Exchange 2003 will in fact improve email security at all? Are there any anti-spam features that actually work?

Here is an article about the new Exchange server from NetworkWorldFusion: Exchange ready to test secure code development in real world
June 30th, 2003, 04:29 PM
mohaughn

I do not have any first hand knowledge of the increases in security. However, some of the positive things that i have heard about Exchange 2k3 is that the OWA interface is now much much faster. A lot of work was put into the optimization of the code, as well as working to compress as much data as possible when it is encrypted. The move user interface and the background code for moving users has also been improved dramatically. It is now multithreaded, includes a scheduler, and has the ability to skip corrupted messages instead of hanging the move process.

I know another area they were working on as far as making improvements is that they were working to make the entire exchange backend database run on the same platform as SQL. This would eventually lead to better database and mailbox management tools as well as security improvements. Much of the database changes are not supposed to be included in E2K3, but the next version of exchange. I would expect that this upgrade will be exchange 6.5 instead of being a 7.0 upgrade.
June 30th, 2003, 04:47 PM
CXGJarrod

Tony: Have you read this article? http://www.nwfusion.com/news/2003/06...microsoft.html

Quote:

Independent security testing firm @stake, which works with four of the top 10 software vendors, was brought in to do two-weeks of penetration testing, including close scrutiny of possible vulnerabilities in client connections.

Chris Wysopal, director of research and development for @stake said his team found about 30 bugs and made two recommendations to meet Microsoft’s "secure by default" criteria, including changing a default so the only open RPC port was the one used by Outlook to talk to Exchange.
June 30th, 2003, 04:57 PM
tonybradley

Quote:

Tony: Have you read this article? http://www.nwfusion.com/news/2003/0...tmicrosoft.html

Yes, it is the article I referenced in the original post. :-)

While they found a number of bugs and identified various issues I don't necessarily consider that a bad thing..yet. I give them credit for involving external organizations in the testing. Hopefully the end result is that these things are found and fixed before its release.

The proof is in the pudding though. We'll see if the increased scrutiny during development actually leads to a more secure product after release.
June 30th, 2003, 05:49 PM
CXGJarrod

Tony: Whoops, missed the link. :)
June 30th, 2003, 08:57 PM
mohaughn

Quote:

Originally posted here by tonybradley

Yes, it is the article I referenced in the original post. :-)

While they found a number of bugs and identified various issues I don't necessarily consider that a bad thing..yet. I give them credit for involving external organizations in the testing. Hopefully the end result is that these things are found and fixed before its release.

The proof is in the pudding though. We'll see if the increased scrutiny during development actually leads to a more secure product after release.

I would be more concerned with the stability of the product. MS has had some pretty bad luck at releasing a highly available version of exchange from the get go. If you were running an extremely large exchange implementation it was not at all stable until sp2. SP3 resolved a lot of issues with RPC thread management as well as some memory issues. I hope that they have continued to address the virtual memory management issues in 2k3. You still can't run a heavily loaded active-active cluster without hitting a pretty low maximum connection limit.

I'm a member of the exchange JDP team, I'll ask about security enhancements on the next call.

update--> It was released RTM on 6/30/03. Final build is 6944.4.