Protecting Exchange Server 2003 against Computer Viruses
Understanding Worms, Viruses and Trojan Horses
A virus is malicious code that infects files on a system and then replicates itself into numerous further copies of those files. Viruses usually lead to some sort of data loss and/or system failure.
There are numerous methods by which a virus can get into a system:
- Through infected floppy disks.
- Through an e-mail attachment infected with the virus.
- Through downloading software infected with the virus.
To protect your network infrastructure against viruses:
- Install virus protection software on systems.
- Regularly update all installed virus protection software.
- Regularly back up systems after they have been scanned for viruses and are considered clean of virus infection.
- Educate your users not to open any e-mail attachments sent by individuals they do not recognize.
A worm is autonomous code that propagates over a network, consuming hard drive space and processor cycles. Worms not only infect files on one system but can propagate to other systems on the network. The purpose of a worm is to deplete available system resources, which is why a worm makes copies of itself over and over. Worms replicate until available memory is used up, bandwidth is unavailable, and legitimate network users are no longer able to access network resources or services.
A Trojan horse is a file or e-mail attachment that is disguised as a friendly, legitimate file. When executed, though, the file corrupts data and can even install a backdoor which hackers can utilize to access the network.
A Trojan horse differs from a virus or worm in the following ways:
- Trojan horses disguise themselves as friendly programs. Viruses and worms are much more obvious in their actions.
- Trojan horses do not replicate like worms and viruses do.
A few different types of Trojan horses are listed here:
- Keystroke loggers monitor the keystrokes that a user types and then e-mail the information to the network attacker.
- Password stealers are disguised as legitimate login screens which wait for users to provide their passwords, so that system passwords can be discovered and stolen by hackers.
- Remote administration tools (RATs) are used by hackers to gain control over the network from some remote location.
- Zombies are typically used to initiate distributed denial of service (DDoS) attacks on the hosts within a network.
Planning an Antivirus Strategy
To secure and protect your Exchange Server 2003 messaging system from viruses, you need to plan and implement an effective antivirus strategy.
Your antivirus strategy should include the following:
- Install antivirus software in the necessary locations. You can install antivirus software in different locations:
- Installing antivirus software on firewalls: When you install antivirus software on a firewall, the firewall scans incoming files, and then filters out any viruses before the files reach the network. A firewall can also filter out viruses leaving the network.
You can configure antivirus software installed on a firewall to perform a number of functions:
- Send e-mail to an administrator when a virus is detected.
- Remove attachments.
- Keep a suspicious message in a queue so that it can be examined at a later stage.
- Installing antivirus software on servers: It is recommended that you install antivirus software on each Exchange Server 2003 server deployed in the organization. This strategy assists in preventing viruses from reaching users that do not have client-side antivirus software installed.
You can configure antivirus software installed on a server to perform a number of functions:
- Scan mailbox stores for viruses.
- Scan public folder stores for viruses.
- Scan transport.
- Filter out viruses before they reach the network.
- Installing antivirus software on client computers: You should install antivirus software on each client that accesses the network, including remote clients. When installed on client computers, the antivirus software installs file system filters that scan files for the signatures of known viruses. The antivirus software is activated when a user opens an attachment that carries a virus: the attachment is either immediately deleted, or it is copied to the local hard disk so that the file can be cleaned.
- Maintain the effectiveness of the antivirus software by ensuring that it is current.
- Make users aware of viruses and the threat that they pose.
- Educate users on ensuring that their computers are updated with the latest signature files and security updates.
You can use either of these methods to inform and alert users on e-mail virus threats:
- Through e-mail messages: regularly inform users of currently circulating viruses, and educate users on the different ways that can be used to deal with these viruses.
- By educating users on the characteristics of attachments that should not be opened.
When deciding on which antivirus software to install, consider the following important factors:
- Check whether the vendor is TruSecure International Customer Service Association (ICSA) Labs certified or CheckMark certified.
- Determine whether the vendor that you select provides support for software that can be used with Exchange Server 2003.
- Determine the following additional important information on the vendor:
- The frequency at which the vendor releases product updates. This becomes especially important when a virus manages to attack your system.
- Whether the vendor provides any surety that it will update its software to scan for any new viruses.
- Determine whether the antivirus software integrates with Exchange Server 2003 and all other services running in the environment.
- Determine whether the antivirus software will negatively affect the performance of Exchange Server 2003.
- Determine which of the following threats the antivirus software provides protection against:
- Viruses
- Worms
- Trojan horses
- Determine whether the antivirus software that you want to use scans both inbound and outbound e-mail.
- Determine whether the software provides for the scanning of viruses at the following locations:
- Firewall
- Server
- Client computer
- Transport
- Check whether the antivirus software provides the same level of protection for local computers and remote systems.
- Check whether the software includes support for automated updates.
- Determine whether automated deployment of client-based software is supported.
- Determine whether clients can be monitored from one single location.
Defining Virus-Clean Policies and Procedures
Because there may be instances where a virus manages to bypass your security measures and attack your system, you need to define virus-clean policies and procedures that will deal with these events.
Virus-clean policies and procedures should be carefully planned and defined so that they assist with the following:
- Determine the source of the attack.
- Determine the extent of the attack.
- Gather information on the attack.
- Provide for the continual operation of the organization.
- Prevent the attack from causing more damage.
- Protect mission-critical, sensitive data.
- Protect networks.
- Protect systems.
- Enable you to isolate all affected systems by taking them offline.
- Recover any virus-infected system.
In cases where antivirus software does not manage to completely remove a virus from an affected system, you might need to perform the following activities:
- Use a clean backup copy to restore the system to its original state.
- Reinstall the operating system.
- Reinstall all applications.
Security Updates and Exchange Server 2003
A software update is a file or set of files that is applied to a computer running a Windows operating system to correct an existing issue or problem, or to add enhancements and additional features. An update is also referred to as a patch. An update can only be applied to specific software which is already installed. All Microsoft updates are implemented in the form of an executable file that has an .exe extension, and each update is set to back up all files that it replaces. While updates which are security-specific need to be deployed almost immediately, there are other updates that deal with reliability problems.
Security updates eliminate known security vulnerabilities. Remember that if Windows Server 2003 has known security vulnerabilities, then the Exchange Server 2003 system running on it also has security issues.
The characteristics of security updates are listed here:
- Security updates are released by the Microsoft Security Response Center (MSRC) to address a specific security weakness or vulnerability.
- Each specific security update includes a security bulletin and a Microsoft Knowledge Base article.
- The security bulletin provides administrators with comprehensive information on the existing security issues and security vulnerabilities:
- Who the security bulletin affects.
- The level of severity of the security vulnerability.
- The impact or risk associated with the security vulnerability.
- The recommended response process for all parties who are affected by the security vulnerability.
- The information contained within a security bulletin is listed here:
- Title: the title of the security bulletin, including the current year and the bulletin number for that year.
- Summary: contains summary information on who the affected customers are, what the level of severity of the security vulnerability is, and the recommended response process.
- Technical description: contains a thorough description of the security vulnerability and the circumstances that could lead to the security vulnerability being exploited.
- Mitigating factors: includes technical factors which could reduce the likelihood of the vulnerability being exploited.
- Severity rating: includes a rating for each specific software product that could be affected by the vulnerability. The ratings are Critical, Important, Moderate, Low and None.
- Vulnerability identifier: one or more links to organizations external to Microsoft that identify the vulnerability.
- Tested versions: lists all software which has been tested by Microsoft for the specific vulnerability.
- Frequently asked questions: includes answers to any questions which Microsoft has identified as being expected for this particular security bulletin.
- Update availability: indicates the locations from where the update can be downloaded.
- Additional information: contains additional information on installation of the update.
- The Knowledge Base article for a vulnerability is usually only issued after the security bulletin has been released. Knowledge Base articles contain more comprehensive information on the vulnerability.
You can use the following utilities to help ensure that your system security remains up to date:
- Microsoft Systems Management Server (SMS): You can use SMS to install updates and service packs on SMS client computers from a network distribution share. Using SMS for deploying updates involves the following steps:
- You have to create an SMS package that includes the location of the service pack source files and the package definition file (.pdf) for distributing the service pack. The package definition file includes the information needed to create the SMS package. The SMS package includes command-line executables as well. These executables run on the SMS client computers to manage how the SMS package executes.
- You then have to distribute the SMS package to the distribution points that you have identified.
- Lastly, you have to create an SMS advertisement that informs the SMS clients of the available service packs.
- Software Update Services (SUS): SUS was introduced to bring the features of Windows Update under the control of a corporate server: the updates are downloaded to a designated corporate server, which then provides the updates to your internal client computers. As an administrator, you can use SUS to ensure that client systems are up to date with the latest updates, to control which updates are deployed in the network, and to test the updates before they are deployed to clients. One SUS server connects to the Microsoft servers for updates, and you configure the client computers in your corporate network to connect to the internal SUS server for their updates. This also improves the security stance of your network because fewer internal clients connect over the WAN links. Administrators have greater control over which updates are deployed to the client computers: you can choose to either approve an update or prevent a specific update from being deployed to the internal client computers. In addition to having greater central control over which updates are deployed in your environment, you can also control the synchronization of updates from the Windows Update site, which can be done automatically or manually. By using SUS, you can also deploy a SUS statistics server on the computer where the SUS server resides. This enables you to verify which clients have installed updates.
- Microsoft Baseline Security Analyzer (MBSA): You can use the Microsoft Baseline Security Analyzer (MBSA) to scan computers for security weaknesses and missing security updates. MBSA is a graphical security assessment tool that can be downloaded from the Microsoft website and then used to scan for common security errors on a single computer or on multiple computers. MBSA can be used to verify that a computer has the latest security updates. When MBSA is run from the GUI, it places reports in the SecurityScans folder of the profile of the user that creates the reports. You can also use MBSA to check for missing security updates from the command line.
MBSA can scan for and detect a number of security problems and shortfalls, including the following:
- Check whether all the necessary security updates and service packs have been installed on the computer.
- Check whether all disk drives on the computer are formatted using the NTFS file system.
- For computers running Internet Information Services (IIS) or Microsoft SQL Server, scan for a number of security vulnerabilities.
- Check for a number of account weaknesses and vulnerabilities, including the following:
- Whether Autologon is being used by the computer.
- Whether multiple accounts exist with Administrator privileges.
- Whether the Guest account is enabled.
- Whether anonymous users have been granted excessive access to the computer.
- Check the configuration of passwords:
- Whether passwords are blank.
- Whether passwords are weak.
- Whether passwords have been set to expire.
For a computer to use MBSA, the requirements listed below have to be met:
- The computer must be running Windows NT 4, Windows 2000, Windows XP or Windows Server 2003. Windows 95, Windows 98 and Windows Me are not supported by the MBSA tool.
- The computer must be running Windows Explorer version 5.01 or higher.
- The computer must have Client for Microsoft Networks installed.
- An XML parser must be installed.
- The Workstation and the Server service must be enabled.
How to install the SUS Server
- You have to download the SUS software, the sus10sp1.EXE file, from the Microsoft website. You can use the following URL: http://go.Microsoft.com/fwlink/?linkid=6930.
- When the SUS homepage opens, click Download SUS Server with Service Pack 1 (SP1).
- The sus10sp1.EXE file should be copied to the server where you want to install SUS.
- Double-click the sus10sp1.exe file.
- The Welcome To The Microsoft Software Update Services Setup Wizard screen is displayed. Click Next.
- The End User License Agreement screen is displayed next. Read through the license agreement, and click I Accept The Terms In The License Agreement. Click Next.
- The Choose Setup Type screen is then displayed. You can either choose a Typical installation or a Custom installation. If you select Typical, SUS is installed with its default settings. If you select Custom, you can customize the settings of the SUS installation.
- Select the Typical installation option.
- The Ready To Install screen is displayed, and shows the URL which will be used by clients to connect to this SUS server. The default URL is http://servername.
- Click Install.
- The Completing The Microsoft Software Update Services Setup Wizard screen is displayed. Click Finish.
- The SUS administration Web site automatically opens in your default Web browser.
How to synchronize the SUS server with the public Windows Update servers
- On the Software Update Services administration screen, select Synchronize Server.
- The Synchronize Server screen is displayed.
- You can select Synchronize Now from the Synchronize Server screen to manually synchronize the server, or you can alternatively select Synchronization Schedule if you want to configure a synchronization schedule for the SUS server.
- If you selected Synchronization Schedule, the Schedule Synchronization Web Page screen is displayed. This is where you set the schedule for when your updates should occur. It is recommended to schedule updates for non-peak network hours, and at a time when the server is not being backed up.
- After setting your synchronization schedule, it is recommended to manually synchronize the SUS server the first time. Click Synchronize Now to do this.
- The SUS server configuration determines whether updates are automatically approved or manually approved.
- To examine the updates, select Approve updates from the navigation menu.
- If you want to approve particular update(s) and have them applied to client computers, select the update(s), and then click the Approve button.
- Click Yes to acknowledge the warning message that appears.
- If you are prompted to accept an End User License Agreement, choose Accept.
- When the SUS server is done downloading the updates you have specified, you are presented with a message indicating that the updates are available for clients.
- The SUS server shows the updates together with a status message. The messages that can be displayed are:
- New: the update was downloaded and has not been approved. An update with a New status is not available to client computers that query the SUS server to download updates.
- Approved: the update has been approved and is available to client computers that query the SUS server to download updates.
- Not Approved: the update has not been approved and is therefore not available to client computers that query the SUS server to download updates.
- Updated: this particular update has since been modified during a SUS server synchronization.
- Temporarily Unavailable: the update is stored locally on the server, but a needed dependency is unavailable.
How to approve security updates for deployment to clients
- Click Synchronize Server to synchronize the SUS server with the public Windows Update site.
- Click Synchronize Now to immediately synchronize the SUS server and download updates.
- Click OK once the download is completed.
- You are next informed that the downloaded updates need to be approved and tested.
- When you have thoroughly tested the updates, click the Approve Updates button to approve the updates that you want to deploy.
- On the Approve Updates screen, select each update that should be approved, and click Approve.
- Click Yes to continue.
- Click Accept to accept the license agreement. The list of approved updates is now available to clients.
- Click OK.
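Approved updates only reach clients that have been pointed at the internal SUS server instead of the public Windows Update site. The following PowerShell fragment is an added example, not part of the original article: it sets the Automatic Updates policy registry values that the SUS Administrative Template also configures through Group Policy. The SUS server URL is an assumed placeholder; the article's default for a freshly installed SUS server is http://servername.

```powershell
# Added example (not from the article): point a client's Automatic Updates
# service at an internal SUS server instead of the public Windows Update site.
# $susUrl is an assumed placeholder; replace it with the URL shown on the
# Ready To Install screen of the SUS setup (default http://servername).
# Run in an elevated session on the client.
$susUrl = 'http://sus01'

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

foreach ($key in @($wuKey, $auKey)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Update source and statistics (status) server. Both live on the SUS server
# in the single-server layout the article describes.
Set-ItemProperty -Path $wuKey -Name WUServer       -Value $susUrl -Type String
Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $susUrl -Type String

# Automatic Updates client behaviour:
#   UseWUServer = 1           use the intranet server named in WUServer
#   NoAutoUpdate = 0          keep Automatic Updates enabled
#   AUOptions = 4             download and install on the schedule below
#   ScheduledInstallDay = 0   every day; ScheduledInstallTime is the hour (0-23)
Set-ItemProperty -Path $auKey -Name UseWUServer          -Value 1 -Type DWord
Set-ItemProperty -Path $auKey -Name NoAutoUpdate         -Value 0 -Type DWord
Set-ItemProperty -Path $auKey -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $auKey -Name ScheduledInstallDay  -Value 0 -Type DWord
Set-ItemProperty -Path $auKey -Name ScheduledInstallTime -Value 3 -Type DWord

# Read the values back so the change can be verified on one client before it
# is rolled out to the rest through Group Policy.
Get-ItemProperty -Path $wuKey | Select-Object WUServer, WUStatusServer
Get-ItemProperty -Path $auKey |
    Select-Object UseWUServer, NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime

# Ask the Automatic Updates client to contact the SUS server now instead of
# waiting for its next scheduled detection cycle.
wuauclt.exe /detectnow
```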
How to download and install the MBSA
- First download the MBSA tool from the Microsoft website.
- Double-click the mbasetup.msi installer.
- Click Next when the wizard's welcome page opens.
- Read and accept the end user license agreement by clicking the I Accept the License Agreement option. Click Next.
- On the User Information page, enter the appropriate information in the Full Name and Organization text boxes.
- If you want the settings to be installed for only the current user, click the Only for Me option.
- If you want the settings installed for any user who utilizes the computer, click the Anyone who uses this computer option. Click Next.
- Accept the default installation path, or specify another path on the Destination Folder page.
- Clear any of the following checkboxes if you do not want the actions performed:
- Place a Shortcut on the desktop.
- Show Readme file after installation.
- Launch the application after installation.
- Click Next.
- Select the options and features that you want to install on the local hard drive and then click Next.
- Click Next to start installing the Microsoft Baseline Security Analyzer.
- Click Finish.
How to use MBSA to scan a computer for missing security updates
- Open the MBSA tool that you installed.
- Choose Scan a computer.
- On the Pick a computer to scan page, select the computer you want to scan.
- Select the scan options that you want to use:
- Check For Windows Vulnerabilities
- Check For Weak Passwords
- Check For IIS Vulnerabilities
- Check For SQL Vulnerabilities
- Check For Security Updates
- Click Start scan.
- Click Yes to install the MSSecure XML file. This is the file which is updated each time Microsoft issues new updates.
- The MBSA tool displays the scan results after the scan is completed.
- You can click Result Details if you want to view additional information.
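The same scan can be run unattended from the command line with mbsacli.exe, which the article mentions but does not show. The following PowerShell script is an added example, not part of the original article; the MBSA install path, domain name and Exchange server names are assumed placeholders.

```powershell
# Added example (not from the article): scan several Exchange servers for
# missing security updates with mbsacli.exe and then list the reports it
# wrote to the SecurityScans folder of the current user profile.
# Install path, domain and server names are assumed placeholders.
$mbsacli = 'C:\Program Files\Microsoft Baseline Security Analyzer\mbsacli.exe'
$domain  = 'CORP'                    # constructed placeholder domain
$servers = @('EXCH01', 'EXCH02')     # constructed placeholder Exchange servers

if (-not (Test-Path $mbsacli)) { throw "mbsacli.exe not found at $mbsacli" }

foreach ($server in $servers) {
    # /c domain\computer  computer to scan (run as an account with admin rights on it)
    # /n SQL              skip the SQL Server checks; Exchange servers do not run SQL Server
    # /nvc                do not check for a newer MBSA version during the scan
    # /o                  report name template: %D% domain, %C% computer, %T% scan time
    & $mbsacli /c "$domain\$server" /n SQL /nvc /o '%D%-%C%-%T%'
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Scan of $domain\$server returned exit code $LASTEXITCODE"
    }
}

# List every report now stored in the SecurityScans folder; open the ones for
# the servers just scanned in the MBSA GUI (or with mbsacli /ld) to review
# the missing-update findings.
& $mbsacli /l
```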

