I am interested in improving my knowledge of exchange / email security and want to know what procedures would be taken in a security review of exchange. Essentially we have 3x MS Exchange (2003) Servers users (250 or so) have Outlook (2003) as the client to review there emails. There is also an OWA Service for remote access to corporate email, for this user authenticate with there Active Directory credentials; this is offered over a HTTPS site. • I am not over sure of the main risks that external hackers etc go after when attacking corporate email, the obvious one to me is trying to get unauthorised access to emails containing sensitive data, but are there any other main risks in this area? Also internal hackers I presume would want to get into there managers/directors email account and so on, so there is both an internal and external threat. • What areas of the email infrastructure need to be reviewed from a security perspective with the aforementioned application products? And what type of testing needs to be covered. • In what priority do these areas of the email infrastructure need to be reviewed, i.e. public facing OWA service first etc. • Are there any tools that can be used both internally and externally to test for vulnerabilities in an organisations email setup, specifically geared at MS Exchange? • Is using MS Exchange 2003 a risk in itself, 7 year old product etc, albeit still patchable etc.

Hi Maybe this article is helpful for you, it's about hardening exchange 2003.. But be careful ! http://www.msexchange.org/tutorials/Hardening-Exchange-Server-2003-Environment-Part1.htmlJonas Andersson MCTS: Microsoft Exchange Server 2010, Configuration | MCITP: EMA | MCSE/MCSA Blog: http://www.testlabs.se/blog