
Thread: Exchange 2003 Secure?

  1. #1
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830

    Exchange 2003 Secure?

    Development of Exchange 2003 is set to end sometime next week. I haven't heard an "official" release date, but the article below claims it should coincide with the release of Office 2003 in June sometime.

    Has anyone had a chance to use a beta version or play with this at all? I am curious specifically what changes have been made to make it more secure.

    One thing I know Microsoft did was to involve more people and more organizations in the testing process and they brought in outside firms like @Stake to perform penetration and vulnerability testing.

    Does anyone have any insights or opinions on whether Exchange 2003 will in fact improve email security at all? Are there any anti-spam features that actually work?

    Here is an article about the new Exchange server from NetworkWorldFusion: Exchange ready to test secure code development in real world

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    I do not have any first-hand knowledge of the increases in security. However, some of the positive things that I have heard about Exchange 2k3 is that the OWA interface is now much, much faster. A lot of work was put into the optimization of the code, as well as working to compress as much data as possible when it is encrypted. The move user interface and the background code for moving users has also been improved dramatically. It is now multithreaded, includes a scheduler, and has the ability to skip corrupted messages instead of hanging the move process.

    I know another area they were working on as far as making improvements is that they were working to make the entire Exchange backend database run on the same platform as SQL. This would eventually lead to better database and mailbox management tools as well as security improvements. Much of the database changes are not supposed to be included in E2K3, but the next version of Exchange. I would expect that this upgrade will be Exchange 6.5 instead of being a 7.0 upgrade.

  3. #3
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Tony: Have you read this article? http://www.nwfusion.com/news/2003/06...microsoft.html

    Independent security testing firm @stake, which works with four of the top 10 software vendors, was brought in to do two weeks of penetration testing, including close scrutiny of possible vulnerabilities in client connections.

    Chris Wysopal, director of research and development for @stake said his team found about 30 bugs and made two recommendations to meet Microsoft's "secure by default" criteria, including changing a default so the only open RPC port was the one used by Outlook to talk to Exchange.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  4. #4
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    Tony: Have you read this article? http://www.nwfusion.com/news/2003/0...tmicrosoft.html
    Yes, it is the article I referenced in the original post. :-)

    While they found a number of bugs and identified various issues, I don't necessarily consider that a bad thing... yet. I give them credit for involving external organizations in the testing. Hopefully the end result is that these things are found and fixed before its release.

    The proof is in the pudding though. We'll see if the increased scrutiny during development actually leads to a more secure product after release.

  5. #5
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Tony: Whoops, missed the link.

  6. #6
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Originally posted here by tonybradley


    Yes, it is the article I referenced in the original post. :-)

    While they found a number of bugs and identified various issues, I don't necessarily consider that a bad thing... yet. I give them credit for involving external organizations in the testing. Hopefully the end result is that these things are found and fixed before its release.

    The proof is in the pudding though. We'll see if the increased scrutiny during development actually leads to a more secure product after release.
    I would be more concerned with the stability of the product. MS has had some pretty bad luck at releasing a highly available version of Exchange from the get-go. If you were running an extremely large Exchange implementation it was not at all stable until SP2. SP3 resolved a lot of issues with RPC thread management as well as some memory issues. I hope that they have continued to address the virtual memory management issues in 2k3. You still can't run a heavily loaded active-active cluster without hitting a pretty low maximum connection limit.

    I'm a member of the Exchange JDP team; I'll ask about security enhancements on the next call.

    update--> It was released RTM on 6/30/03. Final build is 6944.4.
