S 3.31 Administrator training on Exchange system architecture and security
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Head of IT, IT Security Officer
Microsoft Exchange integrates tightly into the Active Directory of a Microsoft Windows system environment. The Active Directory is the central configuration database of Windows network infrastructures; it stores user data, group memberships, and other administrative data. Knowledge of the Active Directory and its basic concepts is therefore required for administering Microsoft Exchange; otherwise, misconfigurations, possibly with significant security-relevant effects, may easily occur. Administrator training in this field is therefore indispensable (see also S 3.27 Training to Active Directory administration).
When installing Microsoft Exchange on a Windows server, a schema extension is performed on the schema master in order to create Exchange-specific objects, as well as additional attributes for already existing objects. Microsoft Exchange requires the permanent availability of a Global Catalog server in every Active Directory site in which it is operated. Furthermore, the network services (particularly DNS) must be configured and functional.
Then, the settings for external connectivity must be configured. For this, the required protocols must be enabled and corresponding rules must be defined on the affected security gateways. Finally, user accounts and groups must be defined as well.
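The installation prerequisites named above (a reachable schema master, an Exchange schema extension, a Global Catalog server in every Active Directory site, and working DNS) can be verified before and after installation with a read-only PowerShell check. The following script is an added example written for this page; it is not part of the BSI safeguard and not Microsoft's code. It assumes the ActiveDirectory and DnsClient PowerShell modules are installed and that the account running it can read the schema naming context; the attribute name ms-Exch-Schema-Version-Pt used to detect the schema extension is taken from Microsoft's Exchange documentation and is an assumption of the example, not something stated on this page.

```powershell
# Added example (not part of S 3.31): read-only check of the Active Directory
# prerequisites for a Microsoft Exchange installation. Assumes the
# ActiveDirectory and DnsClient modules are present and that the operator can
# read the schema naming context. Nothing is modified.
Import-Module ActiveDirectory
Import-Module DnsClient

$findings = New-Object System.Collections.Generic.List[string]

# 1. Schema master: the Exchange schema extension is written to this FSMO
#    role holder, so it must be known and reachable.
$forest = Get-ADForest
$schemaMaster = $forest.SchemaMaster
if (-not (Test-Connection -ComputerName $schemaMaster -Count 1 -Quiet)) {
    $findings.Add("Schema master $schemaMaster is not reachable")
}

# 2. Has the Exchange schema extension been applied? The rangeUpper value of the
#    ms-Exch-Schema-Version-Pt attribute (name assumed from Microsoft docs)
#    records the installed Exchange schema version; if the attribute is
#    missing, the schema has not been extended yet.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$exchSchema = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(name=ms-Exch-Schema-Version-Pt)' -Properties rangeUpper
if ($null -eq $exchSchema) {
    $findings.Add("Exchange schema extension not present (ms-Exch-Schema-Version-Pt missing)")
} else {
    Write-Output "Exchange schema version (rangeUpper): $($exchSchema.rangeUpper)"
}

# 3. Every Active Directory site needs a Global Catalog server before Exchange
#    is operated in it. Compare the list of sites with the sites of all GC DCs.
$gcDcs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true }
$gcSites = $gcDcs | Select-Object -ExpandProperty Site -Unique
foreach ($site in Get-ADReplicationSite -Filter *) {
    if ($gcSites -notcontains $site.Name) {
        $findings.Add("Site $($site.Name) has no Global Catalog server")
    }
}

# 4. DNS must resolve the forest's SRV records for the Global Catalog and
#    LDAP services; Exchange locates domain controllers through them.
$domain = $forest.RootDomain
foreach ($srv in @("_gc._tcp.$domain", "_ldap._tcp.$domain")) {
    try {
        $null = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop
    } catch {
        $findings.Add("DNS lookup failed for $srv")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "All checked Active Directory prerequisites are met."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run the script from a domain-joined administrative workstation. Note that Get-ADDomainController without a -Server parameter only enumerates domain controllers of the current domain, so in a multi-domain forest the Global Catalog check in step 3 should be repeated per domain; the schema and DNS checks are forest-wide.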
However, the aspects described so far only refer to the server component of the Microsoft Exchange system. In addition, proper administration of the client component is important for the overall system.
The approach outlined above results in a host of subsequent administrative tasks to be performed by one or several specialist administrators. It is therefore particularly important for the smooth operation of the system that the administrators and their deputies be trained intensively on Microsoft Exchange and Outlook. The administrator training should cover the following subjects:
Basic information
- Overview of the security mechanisms of Windows server operating systems
- Security management (MMC snap-in)
- Active Directory (see S 3.27 Training to Active Directory administration) and DNS
- Trust relationships between domains
- Access control options for servers
Microsoft Exchange Server
- Architecture of an Exchange system
- Basic concepts and routine tasks
- Connector concept for connecting to third-party communication systems
- Outlook Web Access (OWA)
- Email filters
- Mailboxes and folders, as well as the assignment of rights for these objects
- Protection of the client-server communication
Microsoft Outlook
- User profiles
- Active content and potentially dangerous file formats
- Auto-reply function
Microsoft TechNet provides basic material for such a training measure, for example for Microsoft Exchange Server 2010 in "Getting Started With Exchange 2010: Exchange 2010 Help".
Review questions:
- Have all administrators received training for their work with Microsoft Exchange, Windows Server, and Active Directory?
- Have the administrators received training in handling all relevant security mechanisms of Microsoft Exchange?
- Did the training cover the possible email clients, particularly Microsoft Outlook?