Tips for the Exchange administrator on protection from malware
This tip was submitted to the searchSecurity Tip Exchange Contest by user Danielle Piesowocki.
Of course, Exchange administrators should all be running antivirus software at both the client and the server levels AND keeping it up to date with virus definition changes. Sometimes, however, this is not enough and there are certainly lots of things that can be done to assure tighter security at the client level.
The first thing I believe in doing when an employee begins his or her employment with the company is to spend a short time explaining what constitutes "executable" type files. I further explain the possibilities of vulnerability occurring with HTML-formatted e-mails, since the virus writers seem to be getting more and more savvy.
I also subscribe to various e-mail alerting systems, which notify me of potential releases and immediate releases of viruses in the wild. Immediately upon receipt of a verified new virus circulating, I inform my clients, update the virus definitions on the server (if available), push those virus definitions to the clients and keep the clients informed.
There are also tools available to the Exchange administrator that allow blocking of attachments (through third-party programs) in both Exchange 5.5 and 2000, both proactively and reactively. The
now provided by Microsoft will reactively remove any attachments from an affected server. If you are running Symantec's Norton Antivirus for Firewalls and Gateways on your Exchange Server, there is a procedure for creating a registry entry that will automatically block attachments, as well. NOTE: Other virus-blocking software likely has the same capabilities; however, after testing many types of blocking software and antivirus software, we have standardized on Norton's and have been very pleased with its performance.
Of course, it goes without saying that an e-mail subscription to various ListServes dealing with Exchange is also advisable. While it takes a few minutes to scan the e-mail each morning, there just may be something in there that will save your server (and potentially your network) from being infected.
One of the last things people do is provide a "grapevine," which has also proved to be a wonderful tool. Most people in this field don't have as much time as they would like to network with each other, but if you set up a method with other Exchange administrators (or vendors or VARs) in your area whereby whoever finds out about a virus outbreak immediately notifies the others, you may be one more step ahead of the game. This has proven helpful for us during the last worm "Goner." Allow me to explain.
First thing in the morning, a user logged onto her computer and opened Outlook. She saw an e-mail that looked suspicious and forwarded it directly to me. As an administrator, it was hard not to be curious as to the contents, but I took as much information as possible from the e-mail (without opening the attachment and without allowing HTML code to be run in the e-mail itself) and began my research. I (almost immediately) found an article about a "new" virus found earlier that morning that appeared to meet much of the criteria of the e-mail we received. I notified the user and contacted Symantec to see when virus definitions may be available to protect against this virus. I then sent out a warning to all users notifying them of this virus, went into the server room and set the server to live update and called a few of my colleagues who were prone to getting hit with new viruses. Thankfully, we were unaffected by this virus, as were the colleagues with whom I spoke. This is one of the best illustrations of how a good plan of attack can save you from unnecessary infection, even if the virus strain is only a few hours old. The clients are extremely appreciative of this information, as it has saved more than one home computer from contracting a virus.
This was first published in December 2001