Updated: April 15, 2005
E-mail Security, It’s More Than Filtering: The Checklist
1. Perform a security audit.
As with any security effort, you should start by conducting an audit:
• First, identify all critical resources on your network, such as intellectual property.
• Identify who has access to this data and how they utilize it.
• Determine the risks associated with the unauthorized exposure of this data.
• Develop a security strategy to protect your intellectual property.
You can review our October Security360 on Information Risk Management for information on how to perform a security audit, or view the Microsoft Operations Framework available on TechNet. Microsoft also offers a free Security Risk Self-Assessment Tool at securityguidance.com. This tool is particularly useful for organizations with fewer than 1,000 employees.
2. Protect your e-mail infrastructure.
Take a holistic approach to securing your e-mail. You can start by protecting the infrastructure.
• First, you should install Windows XP Service Pack 2 on all the computers on your network to ensure that they are fully protected. Also, be sure to enable Automatic Updates, install antivirus software, and activate a desktop firewall on each computer.
• Consider upgrading your Internet-facing servers to Windows Server 2003 for increased protection, and download the newly released Windows Server 2003 Service Pack 1. Service Pack 1 includes enhancements to security, reliability and performance.
• Deploy an application-layer firewall in front of your e-mail servers. For example, deploy ISA Server 2004 to help safeguard your Exchange Server. ISA Server 2004 adds security to Outlook Web Access. Visit www.microsoft.com/isa for guidance on how to deploy ISA Server 2004 with Exchange Server for optimal security benefits.
3. Filter unwanted or malicious e-mail.
Basic e-mail hygiene practices can help remove potentially malicious e-mail messages.
• Evaluate the Smart Screen Technology for the Intelligent Message Filter (IMF) in Exchange Server 2003 and in Outlook 2003. This technology helps block spam, phishing, and unwanted e-mail. Here at Microsoft, we use Smart Screen filtering to help block over 3 billion unwanted messages per day in e-mail services such as Hotmail. You may also want to use filtering in ISA Server 2004.
• Distribute a default Junk E-mail Filter List to your users and encourage them to customize it for their needs. A Junk E-mail Filter List includes a Blocked Senders List, a Safe Senders List, and a Safe Recipients List. When an incoming message comes from an address or domain on the Blocked Senders List, it is always treated as junk mail. When an incoming message contains an address or domain on a person's Safe Senders or Safe Recipients list, the message is not subject to filter scans.
• Use controls in Outlook 2003 to implement your security policies concerning e-mail attachments. With Outlook 2003, you can block access to certain types of files or require users to save them to disk before opening them. You can get the same functionality for older versions of Outlook by downloading the Outlook E-mail Security Update from office.microsoft.com.
• Implement antivirus protection on your e-mail server and at the gateway. For example, you can configure Sybari Antigen for Exchange Server to scan all incoming and outbound messages for viruses, protect your Web storage system, and provide content-filtering capabilities.
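As an added illustration (not code from the original checklist or from Outlook itself), the following Python sketch applies the three Junk E-mail Filter lists in the order the text describes: a sender address or domain on the Blocked Senders List is always junk, a sender on the Safe Senders List or a recipient on the Safe Recipients List bypasses the filter scan, and everything else goes to the filter. The list entries, sample messages and verdict names are constructed assumptions; the real filter scan is represented only by the SCAN verdict.

```python
from email.utils import getaddresses, parseaddr
from enum import Enum


class Verdict(Enum):
    JUNK = "junk"        # Blocked Senders match: always treated as junk mail
    TRUSTED = "trusted"  # Safe Senders / Safe Recipients match: no filter scan
    SCAN = "scan"        # no list match: hand the message to the content filter


def _matches(addr: str, entries: list[str]) -> bool:
    """True if addr equals an entry or its domain equals a domain-only entry.
    Matching is case-insensitive; a domain entry may be written with or
    without the leading '@' (e.g. '@spam.example' or 'spam.example')."""
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    for entry in entries:
        entry = entry.lower().lstrip("@")
        if addr == entry or (domain and domain == entry):
            return True
    return False


def classify(headers: dict, blocked: list[str], safe_senders: list[str],
             safe_recipients: list[str]) -> Verdict:
    """Apply the lists in the precedence the checklist states."""
    sender = parseaddr(headers.get("From", ""))[1]   # strip display name
    if _matches(sender, blocked):
        return Verdict.JUNK                          # blocked wins outright
    if _matches(sender, safe_senders):
        return Verdict.TRUSTED
    recipients = [a for _, a in getaddresses([headers.get("To", ""),
                                              headers.get("Cc", "")])]
    if any(_matches(r, safe_recipients) for r in recipients):
        return Verdict.TRUSTED                       # e.g. a trusted mailing list
    return Verdict.SCAN


# Constructed sample lists and messages (hypothetical addresses).
BLOCKED_SENDERS = ["promo@bulkmail.example", "@spam.example"]
SAFE_SENDERS = ["@partner.example"]
SAFE_RECIPIENTS = ["team-list@corp.example"]
SAMPLE_MESSAGES = {
    "blocked_domain": {"From": "Deals <deals@SPAM.example>", "To": "user@corp.example"},
    "safe_domain": {"From": "alice@partner.example", "To": "user@corp.example"},
    "safe_list": {"From": "bob@unknown.example", "To": "Team <team-list@corp.example>"},
    "unknown": {"From": "carol@unknown.example", "To": "user@corp.example"},
}


def classify_samples() -> dict[str, str]:
    return {name: classify(h, BLOCKED_SENDERS, SAFE_SENDERS, SAFE_RECIPIENTS).value
            for name, h in SAMPLE_MESSAGES.items()}
```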
4. Prevent unauthorized access to and modification of your digital assets.
You can deploy technologies that help reduce the risk of e-mail communications landing in the wrong hands.
• Consider implementing Windows Rights Management Services and the Information Rights Management technology in Office 2003 to safeguard confidential information. It enables information workers to define exactly how information can be used, such as who can open, modify, print, forward and/or take other actions with it.
5. Monitor your infrastructure and update your e-mail security policies.
It is important to monitor your e-mail infrastructure to verify compliance with e-mail policies, such as content filtering or confidentiality policies. But policies are only effective if they remain relevant to the current conditions of your infrastructure, so be sure to review and update your policies on a regular basis.
Related Resources
• Watch Microsoft CIO webcast on Security
Join Ron Markezich, CIO of Microsoft IT, on May 2 for this webcast examining how Microsoft uses a risk assessment plan to design security for its network exterior and interior.