I am looking to go out to competitive tender for a security assessment of our Corporate Email (based on Microsoft Exchange 2003 currently). You will see from my post I am far from technical expert in the field of Microsoft Exchange / Email Security. Can I ask, what are the main threats to corporate email, routing from both insiders and malicious outsiders from the Internet? What typically would the scope of a security assessment for an Exchange Email setup include, i.e main areas of focus in a security review? What typically are security flaws in email security / exchange security? I assume you all have a 3rd party security assessment and as email is typically a business critical system I assume it will have been included in the scope of such reviews in your own organisations. Is it likely any part of our network infrastructure relating to Email Infrastructure is Internet facing? Thanks for taking the time to read this post and any input is greatly appreciated.

I'll try to cover as much as possible, as this should be posted in a security forum, and the security issues can go to very deep levels. 1. Users: need to have direct access to the exchange servers only from the internal network. 2. Anti-Virus on the server it's self and on all the users clients. 3. Using a front-end to publish the Exchange OWA and RPC over HTTPs to the outside (using ISA server) 4. Have a firewall (can be configured very specificaly to allow access only to what you need) 5. Have a Mail-Relay appliance to perform the initial anti-virus and anti-spam 6. If data leak is an issue, you can also install a DLP solution I'm sure there is more, but those are the main things.Yanir Ben-Nun / System Team Leader / IT / IS Professional

You can also download this Technet topic about Exchange security. Exchange Server Security Hardening Guide http://technet.microsoft.com/en-us/library/aa997203(EXCHG.65).aspxFrank Wang