
Improving domain/exchange and OWA security 1

Status
Not open for further replies.

kopja

Technical User
Jul 20, 2005
63
US
Hi all

I administer a small network, watchguard firewall, 6 servers, and 40 desktops behind it. All servers are on WinStandard2003, and we run Exchange Server standard 2003 SP2.

The Exchange server is set up as a single server, and has OWA on it. Also it serves as a domain controller. The only other domain controller serves as a backup server. The remaining 4 servers are our apps/file servers. Our OWA/mail/DC server has an SSL certificate deployed, and we have several users using ActiveSync.

I have recently been told that having OWA on the Exchange server, and a domain controller to boot represent a high security risk.

Given that it is time to replace our 2 domain controller servers (they are about to get off warranty), I wanted to get some suggestions as to what the best architecture may be. As you can judge from the company size, the budget is quite limited.

From what I have been reading, I understand that the best (and most expensive) solution from a security perspective would be to

Buy 2 new servers to replace the domain controllers.
Buy 2 more servers, use one as BE, one as FE for Exchange
Buy an additional server and deploy ISA on it.

An alternative to it would be, instead of an ISA server, add an additional firewall between FE and BE server to create a DMZ.

However this seems overkill and most likely would never get approved.

Any suggestions on how to do this? Do I even need a FE/BE exchange if I have only 40 users? How would that affect OWA security?

Thanks in advance
 
"Do you need" is somewhat vague. Technically, no. You could use a typical server, publish it through ISA, and be good.

But a couple of things to think about. Exchange 2003 is past mainstream support. In a month or so, it will be 2 versions back. You'd be better off making a move to 2007 or 2010. Server refresh time is the best time to do this. You have to move the users anyway - why not move them to a newer version?

In any case, I'd deploy the latest OS possible for the version of Exchange that you decide on. I'd also use the Security Configuration Wizard to lock down all relevant servers to reduce attack surface.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Thanks 58sniper, I was considering Server08 as well. But leaving aside the Exchange upgrade for now (which can be done later, probably straight to exch2010), what architecture would you propose to be reasonably safe?
 
For 40 users, off the top of my head, I'd use a single Exchange server, published through ISA. I'd use security in layers via a tightly configured hardware firewall, as well as Windows firewall settings on the servers and workstations.

And if anyone recommended I put it on a DC, I'd KINDLY refuse. Ok, maybe not kindly.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
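The host-firewall layer Pat Richard describes (a single Exchange server published through ISA, with the Windows firewall on the server itself restricting who may reach it), written up as an added example that is not part of this thread or of any Microsoft documentation. It assumes Windows Server 2008 or later (the `netsh advfirewall` context; Server 2003 only has the older `netsh firewall` syntax) and uses hypothetical addresses: 10.0.0.5 for ISA's internal interface and 10.0.0.0/24 for the LAN. It shows the weak rule (HTTPS open to any source) next to the corrected one (HTTPS only from ISA), so that an attacker who bypasses ISA still has no direct path to OWA/ActiveSync.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the Exchange server (Windows Server 2008 or later, netsh advfirewall).
# Hypothetical values: adjust to your own ISA and LAN addressing.
$IsaInternal = '10.0.0.5'      # ISA internal interface that publishes OWA
$Lan         = '10.0.0.0/24'   # internal client subnet
$AdminHost   = '10.0.0.10'     # workstation allowed to RDP to the server

# 1. Default-deny inbound on every profile (domain, private, public); outbound stays open.
#    Quoted so PowerShell does not split the comma-separated value into two arguments.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# 2. The weak rule many servers end up with: OWA/ActiveSync (TCP 443) open to any source.
#    Shown for contrast only; it is removed in the next step.
netsh advfirewall firewall add rule name=OWA-HTTPS-any dir=in action=allow protocol=TCP localport=443

# 3. Corrected rule: only the ISA publishing server may open TCP 443 to this host.
#    Anything that reaches the LAN by another route (a compromised desktop, a
#    mis-NATed port on the perimeter firewall) is still dropped by the host.
netsh advfirewall firewall delete rule name=OWA-HTTPS-any
netsh advfirewall firewall add rule name=OWA-HTTPS-from-ISA dir=in action=allow protocol=TCP localport=443 remoteip=$IsaInternal

# 4. Management access: RDP from one admin host only, not from the whole LAN.
netsh advfirewall firewall add rule name=RDP-admin-only dir=in action=allow protocol=TCP localport=3389 remoteip=$AdminHost

# 5. Keep a record of what the server accepts and drops (useful for incident response later).
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

# 6. Verify: the 443 rule must list exactly one RemoteIP, and no rule named OWA-HTTPS-any may remain.
netsh advfirewall firewall show rule name=OWA-HTTPS-from-ISA verbose
netsh advfirewall firewall show rule name=OWA-HTTPS-any
```

Rule names are written without spaces on purpose: PowerShell re-quotes arguments that contain spaces before handing them to `netsh`, and keeping the names simple avoids that parsing wrinkle. Internal Outlook clients using MAPI still need the RPC endpoint mapper and the dynamic RPC ports from the LAN; those rules are site-specific and are deliberately left out here rather than guessed.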
 
Thank you.

So that I know, what is the danger in having Exchange on a DC, if OWA is published through ISA?
 
Exchange and DC is not a recommended config. It isn't about publishing / security, it just isn't good.
 