You are the Exchange administrator for your company. The Exchange organization contains a single server named Exch1. Exch1 runs Exchange Server 2003 and hosts all user mailboxes.
Exch1 also functions as an SMTP gateway for Internet e-mail. A firewall separates the internal network from the Internet and allows only SMTP traffic to reach Exch1.
One afternoon, users report extremely slow response times on Exch1.
Some users cannot access the server at all. You examine network traffic to Exch1 and conclude that the server is the target of an external distributed denial of service (DDoS) attack.
Your immediate need is to prevent the attack from affecting Exch1. You must minimize the effect of your actions on internal e-mail users.
What should you do?
A. Stop the SMTP service on Exch1.
B. Reconfigure Exch1 to prohibit all POP3 and IMAP connections.
C. Reconfigure the firewall to prohibit all incoming SMTP traffic.
D. Reconfigure Exch1 to accept only POP3 connections. Instruct users to access Exch1 by using POP3 client software.
E. Configure TCP/IP filtering on Exch1 to permit only RPC traffic.
Explanation:
The primary goal is to stop the denial of service attack against the Exchange server.
The most efficient way to do this WITHOUT affecting the internal e-mail users is to shut off the attack traffic at the perimeter by reconfiguring the firewall to block incoming SMTP traffic (option C).
Incorrect answers:
A. Stopping the SMTP service will also shut down all internal mail, which violates the last requirement of the question.
B. Prohibiting IMAP and POP3 connections will not prevent the incoming SMTP traffic, and the SMTP traffic is the root of the DDoS attack.
D. While this would stop the DDoS attack, it would require a lot of reconfiguration on the clients and hence disrupt all the internal e-mail users. This is a violation of the last requirement of the question.
E. Allowing ONLY RPC traffic would prevent internal clients from connecting to the Exchange server. Remember that internal clients will be using SMTP to communicate.