Friday, March 12, 2010

Antivirus protection tips for today's enterprise

General server-based protection

Your first line of defense should be at the perimeter of your network. Deploying firewalls to block port- and service-based attacks is essential, but perimeter protection can go much further than blocking all but a handful of required ports. You should also consider deploying perimeter scanners that inspect inbound traffic and block viruses before they ever get inside your network. Bear in mind that a perimeter scanner sees only what crosses the perimeter in the clear; an infected laptop carried in the door, removable media and encrypted sessions all bypass it, which is why the host-level measures below still matter.
Many worms exploit vulnerabilities in the operating system, so patching against those vulnerabilities is critical. Applying service packs and updates closes the holes that expose a server to attack, and the longer a patch waits, the wider the window for a worm written against it. Windows Server 2003 can install many updates without a reboot, avoiding the disruption a restart causes; for earlier Windows versions, Microsoft's Qchain.exe lets you apply several hotfixes and restart only once rather than after each one. Although most worms and viruses target Windows, an unpatched Linux server is just as exposed, so hold it to the same update discipline.

Disable unneeded services
Review each server and confirm that it runs only the services its role requires; a service that is not running cannot be exploited, and every listening port is one more thing you must keep patched. Disable the rest to shrink the attack surface, and harden the services that remain. Separate critical services from noncritical ones by moving them to other servers, so that a compromise of a low-value service does not take a critical one down with it, and deploy load balancing or clustering where appropriate to help ensure high availability.

File system protection
Consider how your network resources should be protected. Every file server should run an antivirus solution that scans the file system in real time, so that as files are added or modified the scanner can quarantine or repair them before clients or other servers pick them up. Protect the file system in other ways as well. All Windows servers should use NTFS, since FAT has no access control at all and offers essentially no security. Remove shares that are not needed, set explicit share permissions on every share you keep (never rely on the defaults, and never grant Everyone more than read access), and use hidden shares (a trailing $ on the share name) where possible, so that worms which walk browse lists looking for open shares find less to work with. Hiding a share only keeps it out of browse lists; it is not a substitute for permissions on the share and on the underlying NTFS folder.
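The two hardening steps above, a minimal service set and tightly controlled shares, are easier to keep honest with a script that turns the policy into a repeatable check. The following Python is an added example, not code from the original article or from any vendor tool: the `netstat -ano` and `net share` output it parses is constructed sample data, and the share permission table and the allowlist of ports a file server needs are assumptions you would replace with your own role definitions.

```python
import re

# Constructed sample of `netstat -ano` output from a Windows file server (not captured from a real host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1324
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2210
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1588
  TCP    192.0.2.10:445         192.0.2.55:49211       ESTABLISHED     4
  UDP    0.0.0.0:161            *:*                                    1720
"""

# Constructed sample of `net share` output from the same server.
NET_SHARE_SAMPLE = """\
Share name   Resource                        Remark
-------------------------------------------------------------------------------
C$           C:\\                             Default share
ADMIN$       C:\\WINDOWS                      Remote Admin
IPC$                                         Remote IPC
Public       D:\\Public
Finance$     D:\\Finance
Scratch$     D:\\Scratch
"""

# Constructed share permissions, as `net share <name>` would report them: share -> {principal: access}.
# A share absent from this table has never had explicit permissions set (assumption for the example).
SHARE_PERMS = {
    "Public": {"Everyone": "FULL"},
    "Finance$": {"CORP\\Finance": "CHANGE", "CORP\\Auditors": "READ"},
}

ADMIN_SHARES = {"C$", "ADMIN$", "IPC$"}  # built-in administrative shares, hidden and ACL'd by the OS

_NETSTAT_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)$")


def parse_listeners(netstat_text):
    """Return {(proto, port): pid} for sockets that accept inbound traffic.

    TCP sockets count only in LISTENING state; UDP sockets carry no state and always count.
    """
    listeners = {}
    for line in netstat_text.splitlines():
        m = _NETSTAT_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        proto, local, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        port = int(local.rsplit(":", 1)[1])  # works for 0.0.0.0:445 and [::]:445 alike
        listeners[(proto, port)] = int(pid)
    return listeners


def audit_listeners(listeners, allowed):
    """Flag every listening socket not in the allowlist of (proto, port) pairs the server's role needs."""
    return sorted(
        f"{proto}/{port} (PID {pid}) is listening but not required by this server's role"
        for (proto, port), pid in listeners.items()
        if (proto, port) not in allowed
    )


def parse_shares(net_share_text):
    """Return the share names from `net share` output (everything below the dashed rule)."""
    names, below_rule = [], False
    for line in net_share_text.splitlines():
        if line.startswith("----"):
            below_rule = True
            continue
        if below_rule and line.strip():
            names.append(line.split()[0])
    return names


def audit_shares(shares, perms):
    """Apply the share policy: no unnecessary visible shares, explicit permissions everywhere,
    and never more than READ for Everyone."""
    findings = []
    for name in shares:
        if name in ADMIN_SHARES:
            continue
        if not name.endswith("$"):
            findings.append(f"share {name} is visible in browse lists; hide it with a trailing $ or remove it")
        acl = perms.get(name)
        if acl is None:
            findings.append(f"share {name} has no explicit share permissions; set them rather than relying on defaults")
            continue
        if acl.get("Everyone", "NONE").upper() in ("CHANGE", "FULL"):
            findings.append(f"share {name} grants Everyone {acl['Everyone']}; worms spread through writable open shares")
    return findings


def run_audit(netstat_text=NETSTAT_SAMPLE, share_text=NET_SHARE_SAMPLE, perms=SHARE_PERMS,
              allowed=frozenset({("TCP", 135), ("TCP", 445), ("TCP", 3389)})):
    """Combine both checks into one list of findings for the server."""
    return audit_listeners(parse_listeners(netstat_text), allowed) + audit_shares(parse_shares(share_text), perms)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On the sample data the audit reports SQL Server (1433), a web server (80) and SNMP (161) listening on a box whose role only needs RPC, SMB and Remote Desktop, plus a visible share writable by Everyone and a share left on default permissions. Feed it the real command output from each server and diff the findings over time; a new listener or share appearing between runs is exactly the change you want to notice.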

Protection for e-mail services
Mail servers are an obvious point of entry into any network, since accepting content from strangers is their job. A file system scanner can catch message files as they are written to disk, but a better approach is an antivirus solution that scans messages as they enter the mail system. Several antivirus solutions interface directly with Exchange Server to scan incoming and outgoing messages in the store. An SMTP gateway scanner is another alternative where other mail servers are in use, or where you want messages scanned before they reach your mail servers at all. Whichever you choose, a conventional file-level scanner on an Exchange server must exclude the database and transaction log files, or it can corrupt the store while trying to quarantine a message inside it.
It's also important not to place all of your faith in one solution. Using multiple scanning engines from different vendors adds an extra layer of protection: a message might get past a single engine, but it is less likely to sneak past two or three, and if one vendor's signature updates lag a new outbreak or its update service is knocked out by a denial-of-service attack, the other engines still cover you. GFI's MailSecurity is an example of an antivirus solution that employs multiple scanning engines. As an alternative to a single product, you could deploy an SMTP gateway scanner from one vendor and a solution from a different vendor on your e-mail servers.

The antivirus solutions you choose for your e-mail servers should scan for more than just virus-infected files. It's critical that they also perform exploit detection: scanning for scripts, malformed MIME headers and attachment names, and other constructs that exploit vulnerabilities in e-mail clients or in the mail server's own message parser, and blocking or stripping executable attachments whether or not a signature matches.
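What exploit detection looks like in practice, as an added example that is not part of the original article or of any vendor product: a small Python gateway check that parses each message with the standard library's email package and applies three independent tests, flagging executable and double-extension attachments, script in HTML bodies, and structural MIME abuse (multipart without a boundary, parser defects, oversized or control-character header values). The three sample messages are constructed, the extension and content-type lists are assumptions to tune for your environment, and the composition rule, any one hit quarantines, is the same "any engine's verdict wins" rule you apply when layering engines from different vendors.

```python
import email
import re
from email import policy

# Constructed sample messages (not real captures). RISKY has an HTML body with script and a
# double-extension executable posing as a PDF; MALFORMED claims multipart but declares no boundary.
RISKY_MESSAGE = b"""\
From: accounts@example.com
To: alice@example.net
Subject: Invoice attached
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>Please review.<script>location='http://example.com/x'</script></body></html>
--b1
Content-Type: application/octet-stream; name="Invoice.pdf.exe"
Content-Disposition: attachment; filename="Invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""
MALFORMED_MESSAGE = b"""\
From: noreply@example.com
To: alice@example.net
Subject: Report
Content-Type: multipart/mixed

There is no boundary parameter, so no parser can tell where the parts begin.
"""
CLEAN_MESSAGE = b"""\
From: bob@example.net
To: alice@example.net
Subject: Lunch?
Content-Type: text/plain; charset="us-ascii"

Noon at the usual place?
"""

# Assumed lists; extend them to match what your clients can execute.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".hta")
SCRIPT_CONTENT_TYPES = {"text/javascript", "application/javascript", "application/x-javascript", "text/vbscript"}
SCRIPT_RE = re.compile(r"<script\b|javascript:|vbscript:", re.IGNORECASE)


def check_attachments(msg):
    """Flag executables by extension, by double extension, and by the MZ magic bytes of a PE/DOS file."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        lower = name.lower()
        if lower.endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"executable attachment {name!r}")
        if lower.count(".") > 1:
            findings.append(f"double extension on attachment {name!r}")
        data = part.get_content()  # transfer-decoded payload; bytes for non-text parts
        if isinstance(data, bytes) and data.startswith(b"MZ"):
            findings.append(f"attachment {name!r} starts with the MZ executable signature")
    return findings


def check_script_content(msg):
    """Flag script inside HTML bodies and any part declared with a script content type."""
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html" and SCRIPT_RE.search(part.get_content()):
            findings.append("HTML body contains script")
        elif ctype in SCRIPT_CONTENT_TYPES:
            findings.append(f"script part of type {ctype}")
    return findings


def check_mime_structure(msg):
    """Flag structural abuse: multipart without boundary, parser defects, and header values that are
    oversized or carry control characters (the classic inputs that crash or exploit a client's parser)."""
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart" and part.get_boundary() is None:
            findings.append("multipart part without a boundary parameter")
        for defect in part.defects:
            findings.append(f"parser defect: {type(defect).__name__}")
        for name, value in part.items():
            text = str(value)
            if len(text) > 998 or any(ord(c) < 32 and c != "\t" for c in text):
                findings.append(f"suspicious {name} header value")
    return findings


CHECKS = (check_attachments, check_script_content, check_mime_structure)


def scan_message(raw):
    """Run every check independently; a single hit from any of them is enough to quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = [f for check in CHECKS for f in check(msg)]
    return ("quarantine" if findings else "deliver"), findings
```

Calling `scan_message(RISKY_MESSAGE)` returns a quarantine verdict with four findings (executable extension, double extension, MZ signature, script in the HTML body); the malformed message is quarantined on structure alone, and the plain-text note is delivered with no findings. In a real gateway the decoded attachment bytes would also go to the signature engines, and the structural findings are worth logging even when the signature scan is clean, because a message that trips your own parser's defect list is exactly the kind the text warns about.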