Exchange 2010 Security on Small Business Server

Posted on 2013-11-03
Last Modified: 2013-11-18
Our system includes a 2008 R2 Enterprise server (64-bit) that hosts our web server, FTP server, Exchange server and file server.  (Our server includes 2 Xeon processors and 32 GB RAM.)

I know that we are not supposed to have all of these services on a single server, but we do.  We are a small business, and everything has worked very well in the past, with minimal load on the server.  System backups to tape are fairly easy to manage with a high level of dependability.

We recently needed to renew our Exchange SSL certificate.  Apparently, the renew function on Exchange Servers encrypts the .req file so the third-party certificate provider could not use that file, and we were required to request a new certificate.  (This may not be critical to the discussion, but this is a major certificate provider who says the renew .req files from an exchange server never works.  You would think Microsoft would fix that.)

We did request a new certificate and installed it successfully.  In the process, our web page security was changed to require a secure connection for access.  We changed that in IIS to no longer require SSL.  Users can now access our website.

This whole process made me question the optimum security and authentication settings for my server.  I need to allow Anonymous Authentication for my website, yet I would like good security for remote access to our Exchange Server that is connected to our website.

It seems to me that should be fairly easy using the correct SSL and authentication settings.  Because we have a range of smart phones that access our Exchange Server, from Android to iOS to Windows Phone, I want to make sure authentication is set up properly.  We also access our site using VPN and Remote Desktop.

I found the default settings on the attachment on the web, but I don't believe they will work for our configuration:

[Attachment: printscreenofiissettings1.jpg]

Any help for recommended settings would be appreciated.

Chuck
Question by:ArchitectChuck
4 Comments
Accepted Solution

by: Simon Butler (Sembee), earned 300 total points
ID: 39620227
Simply put, you shouldn't have a private web site (Exchange) on the same web site as a public web site. Simple as that. A public web site is best hosted in a data centre.

As you are using Enterprise edition of Windows, you could have split the functionality out into separate virtual machines - you can have four VMs on the same server with Enterprise edition.

Then if you insist on having public resources on an internal server it could have its own dedicated virtual machine which can be isolated by the firewall and the VM hypervisor from the rest of the network.

I don't think you can secure the system correctly without some major redesign, simply because you are mixing the traffic and are unable to separate it.

Simon.

Assisted Solution

by: Mohammed Khawaja, earned 50 total points
ID: 39620241
I agree with Sembee2 but what is done is done.  What you could do is the following:

1. Assign a second IP to the server
2. Bind the internal web site to the second IP, and you could create a DNS record that would point to the IP
3. Set the internal site to http
4. Set the external site to https
5. On your firewall, ensure you do not allow access to the second IP
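As an added example (not code from any of the posts above), here is how a split along the lines Mohammed describes could be scripted on Server 2008 R2 with the WebAdministration module: the public website gets its own IP address and its own IIS site, bound to HTTP with anonymous authentication only, while the Exchange virtual directories stay on the original IP with SSL required. The adapter name, IP addresses (documentation ranges), host names, content path and the list of Exchange virtual directories are all assumptions.

```powershell
# Added example, not from the original thread. Separates the anonymous public
# website from the Exchange virtual directories by IP address and IIS site.
# Assumed throughout: adapter name, IP addresses, host names, paths, vdir list.
Import-Module WebAdministration

$Nic           = 'Local Area Connection'   # assumed adapter name
$ExchangeIP    = '203.0.113.5'             # assumed: existing IP, mail.example.com
$PublicWebIP   = '203.0.113.10'            # assumed: new IP for www.example.com
$PublicHost    = 'www.example.com'
$PublicRoot    = 'C:\inetpub\publicweb'    # assumed: public content moved here
# Exchange 2010 vdirs that must require SSL. 'PowerShell' is deliberately absent:
# remote management uses Kerberos over port 80 and breaks if SSL is forced.
$ExchangeVdirs = @('owa', 'ecp', 'EWS', 'Microsoft-Server-ActiveSync', 'OAB', 'Autodiscover')

# 1. Second IP on the existing adapter (Server 2008 R2 has no New-NetIPAddress).
netsh interface ipv4 add address name="$Nic" address=$PublicWebIP mask=255.255.255.0

# 2. A dedicated site for the public content, bound only to the new IP on HTTP.
if (-not (Test-Path $PublicRoot)) { New-Item -ItemType Directory -Path $PublicRoot | Out-Null }
if (-not (Test-Path 'IIS:\Sites\PublicWeb')) {
    New-Website -Name 'PublicWeb' -IPAddress $PublicWebIP -Port 80 `
        -HostHeader $PublicHost -PhysicalPath $PublicRoot | Out-Null
}
# Anonymous only on the public site, and no SSL requirement there.
# Authentication sections are locked at server level, so write them as a <location>.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'PublicWeb' `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'PublicWeb' `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\PublicWeb' `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'None'

# 3. Pin the Exchange site (Default Web Site) to the original IP only, so its
#    wildcard bindings no longer answer on the public-web address.
foreach ($b in Get-WebBinding -Name 'Default Web Site') {
    if (($b.bindingInformation -split ':')[0] -eq '*') {
        Set-WebBinding -Name 'Default Web Site' -BindingInformation $b.bindingInformation `
            -PropertyName IPAddress -Value $ExchangeIP
    }
}
# Require SSL again on the Exchange virtual directories (the IIS change in the
# question removed the requirement for the whole site).
foreach ($v in $ExchangeVdirs) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\$v" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

# 4. Verify: every binding per site, and the SSL requirement per Exchange vdir.
function Show-SiteSecurity {
    foreach ($site in Get-Website) {
        foreach ($b in Get-WebBinding -Name $site.Name) {
            '{0,-20} {1,-6} {2}' -f $site.Name, $b.protocol, $b.bindingInformation
        }
    }
    foreach ($v in $ExchangeVdirs) {
        $flags = Get-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\$v" `
            -Filter 'system.webServer/security/access' -Name sslFlags
        if ($flags -isnot [string]) { $flags = $flags.Value }
        '{0,-40} sslFlags={1}' -f "Default Web Site/$v", $flags
    }
    # The certificate in http.sys must be bound to the Exchange IP:443; a binding
    # left on 0.0.0.0:443 would still present the Exchange certificate on the public IP.
    netsh http show sslcert
}
Show-SiteSecurity
```

Step 5 of the post, blocking the second address at the firewall, still has to be done on the perimeter device: http.sys listens on all addresses regardless of site bindings, so a request to the wrong IP is answered with an error by IIS rather than being unreachable. The output of Show-SiteSecurity is the check to run before and after, confirming that no wildcard (`*:80:` / `*:443:`) binding remains on Default Web Site.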

Assisted Solution

by: Smighty, earned 50 total points
ID: 39620260
I concur with Sembee2. With a machine that has 32 GB of RAM and Windows Enterprise Edition, a virtual machine would be best suited to separate your websites with anonymous access.
Since I had to do that recently, I thought I'd share some thoughts on how you could do that:

Install Hyper-V and set up a fresh Server OS (the IIS versions change with every release, so it is best to use the same OS version as the host - Server 2008 R2 in your case).

Be careful separating the external IPs: Exchange relies heavily on its own IP address (MX record, reverse lookup pointer, SPF entry, blacklisting, etc.), so it is best to use other address(es) for the website(s) and let them point to the new address in your external DNS.

Microsoft best practice for Hyper-V includes not using a NIC for the host and virtual machines at the same time; it is better to have one additional NIC just for virtual access (in your case, you'd need 2 - one for internal traffic (domain, database, management, etc.) and one with the public IP address).

So yes, it is best to separate internet-facing roles when possible and use other machines for that. :)
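As an added example (not code from the post above), the NIC layout Smighty describes can be built with the Hyper-V PowerShell module: one external virtual switch per dedicated NIC with the host kept off both, a VM for the public website with an adapter on each switch, and the public-facing adapter hardened against MAC spoofing and rogue DHCP/router traffic. This assumes the Hyper-V module that ships with Server 2012 or later (Server 2008 R2's Hyper-V has no such cmdlets in the box); adapter names, paths, sizes and the ISO location are assumptions.

```powershell
# Added example, not from the original thread. A separate VM for the public
# website with its own NICs. Assumes the Hyper-V module of Server 2012 or later;
# adapter names, VM name, paths, sizes and ISO path are assumed values.
Import-Module Hyper-V

$HostMgmtNic   = 'Ethernet'    # stays with the host: management, tape backups (untouched below)
$VmInternalNic = 'Ethernet 2'  # dedicated to VMs: domain, database, management traffic
$VmPublicNic   = 'Ethernet 3'  # dedicated to VMs: carries the public IP
$VmName  = 'PublicWeb'
$VmPath  = 'D:\VMs'
$IsoPath = 'D:\ISO\WS2008R2.iso'   # same OS release as the host, as the post suggests

# One external switch per dedicated NIC. AllowManagementOS $false keeps the host
# off these adapters, so host traffic never shares a NIC with a VM.
$switches = @(
    @{ Name = 'VM-Internal'; Nic = $VmInternalNic },
    @{ Name = 'VM-Public';   Nic = $VmPublicNic }
)
foreach ($sw in $switches) {
    if (-not (Get-VMSwitch -Name $sw.Name -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $sw.Name -NetAdapterName $sw.Nic -AllowManagementOS $false | Out-Null
    }
}

# The VM: first adapter on the public switch, second on the internal one.
if (-not (Get-VM -Name $VmName -ErrorAction SilentlyContinue)) {
    New-VM -Name $VmName -MemoryStartupBytes 4GB -Path $VmPath `
        -NewVHDPath "$VmPath\$VmName\$VmName.vhdx" -NewVHDSizeBytes 60GB `
        -SwitchName 'VM-Public' | Out-Null
    Add-VMNetworkAdapter -VMName $VmName -SwitchName 'VM-Internal'
    Set-VMDvdDrive -VMName $VmName -Path $IsoPath
}

# Hardening on the public-facing adapter: the guest cannot spoof MAC addresses
# or act as a DHCP server or router toward the rest of that segment.
Get-VMNetworkAdapter -VMName $VmName | Where-Object { $_.SwitchName -eq 'VM-Public' } |
    Set-VMNetworkAdapter -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On

# Verify the separation: which physical NIC each switch owns, whether the host
# shares it, and which switch each VM adapter sits on.
function Show-VmIsolation {
    Get-VMSwitch | Select-Object Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS
    Get-VMNetworkAdapter -VMName $VmName |
        Select-Object Name, SwitchName, MacAddress, MacAddressSpoofing, DhcpGuard, RouterGuard
}
Show-VmIsolation
Start-VM -Name $VmName
```

In Show-VmIsolation, AllowManagementOS should read False for both switches and the host's own adapter ($HostMgmtNic) should not appear in any switch, which is the "don't share a NIC between host and VM" point of the post. The internal adapter of the VM still reaches the domain and the rest of the LAN, so the firewall rules Simon mentions (allowing only the ports the web server needs toward the internal segment) are what actually isolates it.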

Author Closing Comment

by: ArchitectChuck
ID: 39657531
Thank you all for your comments and suggestions.

I have no doubt that your recommendations are correct.  I have not had time to look further into creating a virtual server and implications for backup and restore.

Thanks!!