Access to administrative functions must stay restricted to internal networks or VPNs unless you intend to enable some form of multifactor authentication through a third-party product such as RSA SecurID.
Make sure you have a sensible password policy in place. Guidance on this keeps changing, but we’re partial to the newer idea of using longer passwords rather than more complex passwords. In our lab, we require users to have 14-character passwords -- minus any complexity requirements -- that expire every 90 days.
You should also consider whether you need to restrict sending sensitive information such as Social Security numbers and credit card numbers via email. You can configure these restrictions under Compliance Management > Data Loss Prevention. Microsoft provides a number of templates that can be used to help you get up and running quickly. In this example, I'm using the US FTC template to restrict sending credit card numbers.
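The same template-based policy can be staged from the Exchange Management Shell, which lets you run it in audit mode and review the generated transport rules before any mail is blocked. This is an added example, not the article's own steps; the policy name and the wildcard used to find the FTC template are assumptions, so confirm the exact template name with Get-DlpPolicyTemplate on your own server.

```powershell
# Added example (not from the article): stage an Exchange 2013 DLP policy in audit mode
# before enforcing it. Run from the Exchange Management Shell. The policy name and the
# '*FTC*' template filter are assumptions; verify the template name on your server.

# 1. Find the built-in FTC template by name so the policy is created from the exact template.
$template = Get-DlpPolicyTemplate | Where-Object { $_.Name -like '*FTC*' } | Select-Object -First 1
if (-not $template) { throw 'No FTC DLP template found; run Get-DlpPolicyTemplate and pick one.' }

# 2. Create the policy in Audit mode: matches are logged but mail still flows, so you can
#    measure false positives before anyone's messages are rejected.
$policyName = 'Restrict credit card numbers (assumed name)'
New-DlpPolicy -Name $policyName -Template $template.Name -Mode Audit

# 3. Inspect the transport rules the template generated; these rules are what actually
#    act on messages, so review their conditions and actions before enforcing.
Get-TransportRule | Where-Object { $_.DlpPolicy -eq $policyName } |
    Format-Table Name, State, Mode, DlpPolicy -AutoSize

# 4. Once the audit results look clean, switch the whole policy to enforcement.
# Set-DlpPolicy -Identity $policyName -Mode Enforce
```

Leaving the policy in Audit mode for a week or two gives you message-tracking and incident-report data to tune against; switching to Enforce on day one is the usual way to end up blocking legitimate invoices.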
Thoughts on other software
If you've followed through this far, you hopefully have a working on-premises Exchange system. Now you need to protect it, back it up, and generally make sure it stays online.
For antivirus solutions, you will want both a system-wide, real-time antivirus package and a package that scans messages in transit. Microsoft provides a list of required exclusions for both Active Directory domain controllers and Exchange Server systems. Make sure to follow Microsoft’s recommendations and not rely on your antivirus vendor to automatically implement these for you. I've seen too many antivirus packages trample mailbox database log files out-of-the-box to trust them to do it for you.
You also need to consider the type of backup and restore methods you want to support. Are you backing up to disk or tape? Do you need granular restore (which is far more resource intensive than it's usually worth)? How far back do your backups need to go? There are lots of questions you'll need to ask yourself, your team, and upper management.
Other product considerations include data loss prevention, antispam software, and email archiving. In some cases, this could all be included in a single package. But make sure it's certified to work with Exchange Server 2013 and has adequate vendor support. You don't want to buy a product only to find out it was built for Exchange Server 2007 and has email-only support.
Lastly, make sure to do your homework. Check to make sure your organization doesn't need to follow any specific laws for data retention, data loss prevention, or data access. Do test backups and restores on a regular basis. Use the EICAR test file to make sure your antivirus software is running correctly. Routinely check your performance monitors to make sure you don't need to rebalance a DAG or add a domain controller. Oh, and one more thing: learn to love PowerShell.
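The routine checks above (backup age, DAG health, and the EICAR antivirus test) can be rolled into one script you run from the Exchange Management Shell. This is an added example, not the article's own code; the backup-age and queue-length thresholds and the temporary file path are assumptions to adjust for your environment.

```powershell
# Added example (not from the article): routine operational checks for an Exchange 2013 DAG,
# run from the Exchange Management Shell. Thresholds and the EICAR file path are assumptions.

$maxBackupAgeDays = 1    # assumption: a full backup older than this is treated as stale
$maxQueueLength   = 10   # assumption: copy/replay queues above this warrant a look

# Backups: an Exchange-aware backup stamps LastFullBackup on each database. A missing or old
# value means logs are not being truncated and a restore has never been proven against this DB.
Get-MailboxDatabase -Status |
    Select-Object Name, LastFullBackup, LastIncrementalBackup,
        @{ n = 'BackupStale'; e = { (-not $_.LastFullBackup) -or ($_.LastFullBackup -lt (Get-Date).AddDays(-$maxBackupAgeDays)) } } |
    Format-Table -AutoSize

# DAG copy health: growing copy or replay queues and a failed content index are the usual early
# signs that a DAG needs rebalancing or that a member server is unhealthy.
Get-MailboxDatabaseCopyStatus * |
    Select-Object Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState,
        @{ n = 'NeedsAttention'; e = {
            (@('Mounted', 'Healthy') -notcontains $_.Status) -or
            ($_.CopyQueueLength -gt $maxQueueLength) -or
            ($_.ReplayQueueLength -gt $maxQueueLength) } } |
    Format-Table -AutoSize

# Replication: surface only the checks that did not pass.
Test-ReplicationHealth | Where-Object { $_.Result -ne 'Passed' } | Format-Table Server, Check, Result, Error -AutoSize

# Antivirus: write the standard EICAR test string to disk. A working real-time scanner removes
# or quarantines the file within seconds, so it should be gone after the pause.
$eicarPath = Join-Path $env:TEMP 'eicar.com'
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
[System.IO.File]::WriteAllText($eicarPath, $eicar, [System.Text.Encoding]::ASCII)
Start-Sleep -Seconds 10
if (Test-Path $eicarPath) {
    Write-Warning "EICAR test file still present at $eicarPath; real-time scanning is not working"
} else {
    Write-Output 'Antivirus real-time scan OK: EICAR test file was removed'
}
```

The EICAR string is written single-quoted so PowerShell does not try to expand the $EICAR and $H tokens, and it is saved as ASCII with no byte-order mark, since scanners match the exact 68-byte file. Note that the test only exercises the on-access scanner on that server, not the separate transport-level mail scanning package.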