
Exchange Server 2003 Security Hardening Guide

Authors: Michael Grimm, Michael Nelte
Reviewed By: Exchange Product Development
Published: February 2004
Last Reviewed: February 2005
Product Version: Exchange Server 2003
Applies To: Exchange Server 2003
Latest Content: www.microsoft.com/exchange/library
Copyright
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication.
Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft
cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE
INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may
be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document.
Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred.

© 2004 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveSync, Microsoft Press, MSDN, Outlook, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Acknowledgments

Project Editor: Brendon Bennett


Contributing Writers: John Speare, Ross Smith IV, Christopher Budd (CISSP), Janine de Nysschen, Joey Masterson
Technical Reviewers: Martin Hergett; Andrew Moss; Alexander MacLeod; Jason Urban; Eric Rosenberg; Giuseppe Di Silvestre
Graphic Design: Kristie Smith, Paul Carew
Production: Joe Orzech, Sean Pohtilla
Table of Contents

Introduction ... 1
    What Is Updated in This Guide? ... 1
    Scope of This Guide ... 1
    Before You Get Started ... 2
Securing Your E-mail Environment ... 2
    Securing the Client ... 3
    Exchange 2003 Patch Management ... 3
    Anti-Virus Measures ... 3
    Protecting Against Unsolicited Commercial E-Mail (Spam) ... 4
    Protecting Against Denial-of-Service Attacks ... 7
    Protecting Against Address Spoofing ... 7
Hardening Exchange 2003 Servers ... 10
    Hardening the Windows Infrastructure ... 11
    Hardening Back-End Servers ... 13
    Hardening Front-End Servers ... 19
    Deploying the Exchange Group Policy Security Templates ... 26
Appendixes ... 32
    Appendix A: Using Permissions and Administrative Roles to Control Access ... 33
    Appendix B: Upgrading from Exchange 2000 ... 35
        Message Limits ... 35
        Services ... 35
        Outlook Mobile Access ... 36
        M: Drive ... 36
        Virtual Server Authentication ... 36
        Local Access Denied for Domain Users ... 36
        Top Level Public Folder Creation ... 36
        Access Control Configuration ... 36
    Appendix C: Ports Used in Exchange 2003 ... 38
    Appendix D: Resources ... 40
        Exchange Server 2003 Books ... 40
        Technical Articles ... 40
        Websites ... 40
        Resource Kits ... 41
        Microsoft Knowledge Base Articles ... 41
Accessibility ... 42
Introduction
This guide is designed to provide you with essential information about how to harden your Microsoft®
Exchange Server 2003 environment. In addition to practical, hands-on configuration recommendations, this
guide includes strategies for combating spam, viruses, and other external threats to your Exchange 2003
messaging system. While most server administrators can benefit from reading this guide, it is written
primarily for the administrators responsible for Exchange messaging, from day-to-day mailbox administration
through to messaging architecture.
This guide is a companion to the Windows Server 2003 Security Guide
(http://go.microsoft.com/fwlink/?LinkId=21638). Specifically, many of the procedures in this guide
are related directly to security recommendations introduced in the Windows Server 2003 Security Guide.
Therefore, before you perform the procedures presented in this guide, it is recommended that you first read the
Windows Server 2003 Security Guide.

What Is Updated in This Guide?


Since the previous version of this guide was released, the following section has been modified:
• Hardening Exchange 2003 Servers
    • Removed references to the RPC Locator service. The previous version of this guide listed the RPC
    Locator service as a required service when hardening your servers. That is correct for Exchange 2000 Server,
    but the service is not necessary for Exchange Server 2003.
    • Updated content to reflect changes in version 1.1 of the Exchange Group Policy Security Templates.
    • Added a description of the service access control lists (ACLs) defined in version 1.1 of the Exchange
    Group Policy Security Templates.
    • Clarified support for the Windows Server 2003 Member Server Baseline policy (Enterprise Client -
    Member Server Baseline.inf). If you plan to run Exchange 2003 in an environment where the
    Windows Server 2003 "High Security" GPO templates are deployed, additional testing and
    configuration may be necessary to provide full functionality.
    • Removed the subsection "Configuring URLScan." It is highly recommended that you configure
    URLScan in accordance with the instructions in Microsoft Knowledge Base article 823175, "Fine-
    tuning and known issues when you use the Urlscan utility in an Exchange 2003 environment"
    (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=823175).
In addition to these updates, the following companion topics are available online at
http://go.microsoft.com/fwlink/?LinkId=25210:
• Running Exchange Server 2003 Clusters in a Security-Hardened Environment
• How to Run Exchange Server 2003 Clusters in a Security-Hardened Environment

Scope of This Guide


This guide focuses explicitly on the operations required to help create and maintain a secure Exchange 2003
environment.
You should use this guide as part of your overall security strategy for Exchange 2003, not as a complete
reference for creating and maintaining a secure environment.
Exchange Server 2003 Security Hardening Guide 2

Specifically, this guide provides detailed answers to the following questions:


• What guidance is available to help prepare for a secure Exchange 2003 environment?
• What are some effective patch management processes?
• What are some anti-virus measures I can deploy?
• How can I protect against unsolicited commercial e-mail (spam), denial-of-service attacks, and address
spoofing?
• What are the recommended steps for hardening my Microsoft Windows Server™ 2003 infrastructure?
• What are the recommended steps for hardening my back-end and front-end servers?
• How do I organize my Microsoft Active Directory® directory service structure to support deployment of
the Exchange Group Policy Security Templates?

Before You Get Started


Before considering the configuration recommendations and security strategies presented in this guide, you
should familiarize yourself with the following resources:
Microsoft Operations Framework (MOF)
MOF is a collection of best practices, principles, and models that provide you with operations guidance.
For specific information, see the MOF website (http://go.microsoft.com/fwlink/?LinkId=21640).
Strategic Technology Protection Program (STPP)
The goal of STPP is to integrate Microsoft products, services, and support that focus on security. For
specific information, see the STPP website (http://go.microsoft.com/fwlink/?LinkId=21643).
Microsoft Security and Privacy
This website is the central clearinghouse for overall security and privacy information at Microsoft. For
specific information, see the Microsoft Security and Privacy website
(http://go.microsoft.com/fwlink/?LinkId=21633).
Security Resources for Exchange Server 2003
This website lists Exchange-specific resources that can help secure your environment. For specific
information, see the Security Resources for Exchange Server 2003 website
(http://go.microsoft.com/fwlink/?LinkId=21660).

Securing Your E-mail Environment


E-mail is a mission critical service for nearly all organizations. Therefore, it is crucial that you provide your
customers with stable and reliable e-mail services.
Malicious attack, in the form of a virus, worm, or denial of service, is one area of risk in daily Exchange 2003
operations. Similarly, unsolicited commercial e-mail (spam) has become intrusive and sophisticated enough to
be considered a threat to e-mail operations.
To help you guard against these intrusions, this section provides you with the following information:
• Tips for securing the client
• Exchange 2003 patch management processes
• Anti-virus measures
• Protecting against spam, including new features in Microsoft Office Outlook® 2003 and Exchange 2003
that can help in this area
• Protecting against denial-of-service attacks
• Protecting against address spoofing

Securing the Client


Because Exchange 2003 is a distributed, client/server application, it is important to consider the client as you
develop a security plan for your e-mail environment. Specifically, consider the following:
• As part of your risk management strategy, you should examine which clients are strictly required and then
limit Exchange functionality to those clients. For example, Exchange 2003 does not configure all client
services during installation. To run POP3 or IMAP4 clients in your organization, you must first enable
these services in your Exchange 2003 environment.
• Ensure that your patch management plan extends beyond the operating system on the client desktop. Use
current and patched versions of the client software, regularly checking for client security updates.
• Users are important in helping keep the client secure. Therefore, you should educate your users about e-
mail viruses, virus hoaxes, chain letters, and spam, and then establish procedures that your users can
follow when they encounter such mail.

Exchange 2003 Patch Management


To keep Exchange as secure as possible, it is important that you remain current with the latest patches.
Specifically, you should ensure that both Exchange 2003 and the operating system are up to date. If the
operating system is vulnerable, then Exchange is also vulnerable.
Microsoft supplies two utilities to help you stay current with Microsoft Windows® service packs, hotfixes, and
patches: Microsoft Network Security Hotfix Checker (Hfnetchk) and Microsoft Baseline Security Analyzer
(MBSA). Hfnetchk compares the hotfixes installed on a computer against Microsoft's current patch database
and reports which security patches are missing; MBSA additionally identifies common security
misconfigurations. Hfnetchk functionality is available through the command-line interface of MBSA
(mbsacli.exe /hf). You can download both from the Microsoft Baseline Security Analyzer website
(http://go.microsoft.com/fwlink/?linkid=17809).
In addition, ensure that you are notified of any new patches applicable to your organization. To receive these
notifications automatically, subscribe to the Microsoft Security Bulletins at
http://go.microsoft.com/fwlink/?LinkId=21723.
For more information about Windows Server 2003 patch management processes, see the Windows Server 2003
Security Guide (http://go.microsoft.com/fwlink/?LinkId=21638).

Anti-Virus Measures
Viruses transmitted through e-mail messages are one of the more significant threats to your organization. E-
mail viruses can attack individual computer systems or your entire e-mail environment. Therefore, you must
ensure that you have adequate protection against viruses in your Exchange 2003 environment.
The most effective mechanisms for combating viruses are installing anti-virus software and keeping the anti-
virus signature files up-to-date. With this in mind, you should consider protecting against viruses at the
firewall, at the Simple Mail Transfer Protocol (SMTP) gateway, at each Exchange server, and on every client
computer. The reason for installing anti-virus software at each destination in the message delivery chain is to
provide as much defensive coverage on each message as possible. For example, the virus-scanning engine at
the SMTP gateway uses a different Multipurpose Internet Mail Extensions (MIME) parser than the one that is
installed on the Exchange server, which, in turn, is different from the parser used by Outlook or Outlook
Express. A malformed message that is crafted to slip past one parser may well be decoded, and therefore
caught, by another. From a MIME parsing perspective, this means that having a virus scanner (one that uses
the native MIME parser) at each destination increases the likelihood of detecting a virus. In addition, you
should consider running virus-scanning software from different vendors across your enterprise.
One common method virus writers use to transport viruses is to include the virus in an attachment. In the most
obvious cases, a virus can be delivered by attaching an executable program (.exe) to an e-mail message. In
some cases, viruses can be delivered by embedding them in a macro, which appears to users as a much more
benign document (such as a Word or Excel file). To protect against such viruses, Outlook and Outlook Web
Access provide the following attachment-blocking features:
Attachment blocking features in Outlook
Outlook 2002 and later versions include an attachment-blocking feature; this feature (enabled by default)
blocks the most obvious file types, such as .exe, .bat, and .vbs files. Previous versions of Outlook require the
Outlook E-mail Security Update, available on the Microsoft Office Online website
(http://go.microsoft.com/fwlink/?LinkId=24348). For information about how to configure Outlook
attachment blocking features by means of a group policy, see The Office 2003 Resource Kit
(http://go.microsoft.com/fwlink/?LinkId=24349).
Attachment blocking features in Outlook Web Access
In Exchange 2000 Service Pack 2 (SP2), Outlook Web Access introduced the ability to block attachments by
file type and MIME type. In Outlook Web Access for Exchange 2000 and Microsoft Office® Outlook Web
Access 2003, attachment blocking is enabled by default. With this default configuration, users can send any
attachment type but will not receive dangerous file types, such as .exe, .bat, and .vbs files.
Note In their default configurations, both Outlook 2003 and Outlook Web Access 2003 block the
same attachment types.
In Outlook Web Access, there are two levels of attachment blocking that you can configure. These levels
correspond to the different risk levels posed by file types and MIME types. Outlook Web Access does not
allow Level 1 files or MIME types (specified by the attributes, Level1FileTypes and Level1MIMETypes
respectively) to be downloaded in any format. Level 2 file and MIME types are less severe; users are not
allowed to open them in Internet Explorer, but they can right-click the file, save it to disk, and then open it.
If you want to view or change blocked file types or MIME types in Outlook Web Access, perform the
following procedure.
Warning Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry incorrectly may not
be able to be resolved. Before editing the registry, back up any valuable data.
To view or change blocked file types or MIME types in Outlook Web Access
1. Start Registry Editor (regedit).
2. Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA
3. The Level1FileTypes value lists the blocked file extensions and the Level1MIMETypes value lists the
blocked MIME types. The corresponding Level2FileTypes and Level2MIMETypes values hold the Level 2
(save-to-disk only) lists. Edit the comma-separated lists as required.
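The following PowerShell is an added example for this guide, not Microsoft code. It reads the four OWA lists, appends entries to the Level 1 lists without duplicating what is already there, and reports any type that appears at both levels. It assumes that the values are REG_SZ comma-separated lists under the key named in the procedure above and that extensions are stored without a leading dot; the extensions and MIME type passed in at the end are hypothetical additions. Verify both assumptions on your own server before running it against production.

```powershell
# Added example; not part of the Microsoft guide. Assumptions: the OWA values are REG_SZ
# comma-separated lists (Level1FileTypes, Level1MIMETypes, Level2FileTypes, Level2MIMETypes)
# and extensions are stored without a leading dot.
$OwaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA'

function Get-OwaBlockList {
    param([Parameter(Mandatory)][string]$ValueName)
    $item = Get-ItemProperty -Path $OwaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    # Normalise for comparison: split on commas, trim, lower-case, drop empty entries.
    return @($item.$ValueName -split ',' | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ })
}

function Add-OwaLevel1Block {
    # Appends extensions and MIME types to the Level 1 (never downloadable) lists if missing.
    param([string[]]$FileTypes = @(), [string[]]$MimeTypes = @())
    $work = @{ Level1FileTypes = $FileTypes; Level1MIMETypes = $MimeTypes }
    foreach ($name in $work.Keys) {
        $current = Get-OwaBlockList -ValueName $name
        $missing = @($work[$name] | ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } |
                    Where-Object { $_ -and ($current -notcontains $_) })
        if ($missing.Length -eq 0) { "$name`: nothing to add"; continue }
        Set-ItemProperty -Path $OwaKey -Name $name -Value (($current + $missing) -join ',') -Type String
        "$name`: added $($missing -join ', ')"
    }
}

function Test-OwaBlockListConsistency {
    # An entry on both lists is ambiguous: Level 1 is meant to be the stricter list, and the same
    # type on Level 2 suggests someone expects users to be able to save it to disk and open it.
    foreach ($kind in 'FileTypes', 'MIMETypes') {
        $l1 = Get-OwaBlockList -ValueName "Level1$kind"
        $l2 = Get-OwaBlockList -ValueName "Level2$kind"
        $both = @($l1 | Where-Object { $l2 -contains $_ })
        if ($both.Length) { Write-Warning "Level1$kind and Level2$kind overlap: $($both -join ', ')" }
        else { "Level1$kind / Level2$kind`: no overlap ($($l1.Length) / $($l2.Length) entries)" }
    }
}

# Hypothetical additions for illustration; choose your own based on the attachment types you see.
Add-OwaLevel1Block -FileTypes 'hta', 'wsf' -MimeTypes 'application/hta'
Test-OwaBlockListConsistency
```

Run it as an administrator on the Outlook Web Access server. The procedure above does not say whether a restart is required; in practice, restart IIS (iisreset) afterwards so that every OWA worker process picks up the new lists, and confirm the change by attempting to open one of the newly listed types from a test mailbox.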

Protecting Against Unsolicited Commercial E-Mail (Spam)

Unsolicited commercial e-mail (spam) is a major problem for many organizations. Spam is costly in a number
of ways, from lost user time in sorting and deleting it, to wasted bandwidth and storage space.
To minimize spam, you must combat it on a number of fronts. Therefore, to help you protect your
Exchange 2003 environment against spam, this section will:
• Discuss methods for educating your users about spam.
• Introduce you to spam-protection features in Outlook 2003 and Outlook Web Access 2003.
• Explain the spam confidence level (SCL) infrastructure.
• Show you how to restrict Exchange 2003 distribution lists.
• Explain the different types of filtering you can apply in Exchange 2003.

Educating Users About Spam


The first step in combating spam is to educate your users about how to handle it. In fact, your users are
probably the most important defense against spam. Spam is often a result of social engineering tactics
employed against your users, and it is important to educate your users on how to avoid it. For example, your
users may receive spam that includes a disclaimer stating something similar to the following:
If you wish to be removed from this mailing list, you should respond to the mail with the word
"Remove" in the subject line.
Although this is a legitimate tool for some reputable companies, it is often a means of verifying that an e-mail
address is valid so that the address can then be used again (likely the address will be sold to other spammers).
For more information about what users can do to combat spam, see the Microsoft Security and Privacy Basics
website (http://go.microsoft.com/fwlink/?LinkId=24701).

Spam Protection Features in Outlook 2003 and Outlook Web Access 2003

Both Outlook 2003 and Outlook Web Access 2003 include features that can help protect your users against
spam. These features include:
User-maintained block lists and safe lists
The block lists and safe lists used by both Outlook 2003 and Outlook Web Access are stored in the user's
mailbox. Because both client programs use the same lists, users do not need to maintain two versions.
External content blocking
Outlook 2003 and Outlook Web Access 2003 make it more difficult for senders of junk e-mail messages to
use web beacons (externally hosted images or other content that is fetched when a message is opened) to
confirm that an e-mail address is live. An incoming message that contains any content that could be
used as a beacon, regardless of whether the message actually contains one, prompts Outlook and
Outlook Web Access to display a warning instead of fetching the content. If users know that the message is
legitimate, they can click the warning to download the content. If users are unsure about the message, they
can delete it without triggering the beacon that would alert the sender of junk mail.
For more information about external content blocking in Outlook 2003 and Outlook Web Access 2003, see
"Client Features" in the book What's New in Exchange Server 2003
(http://go.microsoft.com/fwlink/?LinkId=24402).
Improved junk e-mail management
With Outlook 2003, users can create rules that search e-mail messages for specific phrases and
automatically move messages containing these phrases from the Inbox to a specified folder (such as the
Junk E-mail or Deleted Items folders). Furthermore, users can select to permanently delete suspected junk
e-mail instead of moving it to a specified folder.
Junk e-mail filter
Outlook 2003 includes a junk e-mail filter that searches for common spam attributes. (These attributes are
updated in conjunction with Office updates.) For each suspicious attribute, Outlook increments a counter
—the higher the count for a given piece of mail, the more likely it is to be spam. To specify the level of
junk e-mail protection you want, use the Junk E-Mail Options dialog box (In Outlook 2003, from the
Action menu, point to Junk E-mail, and then click Junk E-mail Options). When your users first begin
using these junk e-mail features, or if they modify the options at any time, they should periodically check
for messages that have been removed from the Inbox to ensure that valid messages have not been moved.
Updates to the junk e-mail features in Outlook 2003 will be listed on the Microsoft Office Online website,
under Office Update (http://go.microsoft.com/fwlink/?LinkId=24393).

Spam Confidence Level Infrastructure


Together, Exchange 2003 and Outlook 2003 provide an infrastructure that supports an end-to-end solution to
combating spam. Specifically, this infrastructure includes native functionality in Exchange 2003 and
Outlook 2003 that allows software vendors to plug spam detection filters into the message path. Spam
filters evaluate messages and determine how likely it is that a given message is spam. A number between 0 and
9 is assigned; this number is the Spam Confidence Level (SCL). Essentially, the SCL is a normalized value
assigned to a message that indicates, based on the characteristics of the message (such as the content, message
header, and so on), the likelihood that the message is spam. A rating of 0 indicates that the message is highly
unlikely to be spam, while a rating of 9 indicates that the message is very likely spam. The SCL rating is stored
as an attribute of the message, so it travels with the message and can be acted on at each hop.
The administrator configures Exchange to handle messages with SCL ratings in a way that is appropriate to the
environment. For example, a gateway server may discard all spam that has an SCL rating greater than or equal to
7 and pass all messages that rate less than 7 to the Exchange mailbox server. The mailbox administrator may
then decide that all messages rating greater than or equal to 5 are transferred directly to the user's Junk E-mail
folder, while all messages with a rating of 4 or less are delivered to the Inbox. Finally, the user may have a
mailbox setting that treats all mail in the Junk E-mail folder as spam and deletes it. Alternatively, the Exchange
administrator may set up a mailbox recipient policy that lowers the retention period (by age or size) for the Junk
E-mail folder.
The SCL infrastructure also takes into account the user's safe, block, and recipient lists, as well as the
Exchange filtering lists. For more information about SCL, see the Spam Filter website on MSDN®
(http://go.microsoft.com/fwlink/?LinkId=24395)
Note The forthcoming release of the Exchange Intelligent Message Filter will also be a very
important component in combating spam. The Exchange Intelligent Message Filter is an SCL-
compatible filter that provides advanced server-side message filtering designed specifically to
combat the influx of spam. For specific information, see the Exchange Intelligent Message Filter
website (http://go.microsoft.com/fwlink/?linkid=21607).

Restricted Distribution Lists


Another effective deterrent against spam is to use restricted distribution lists within your Exchange
organization. A restricted distribution list allows only authenticated users to send messages. This is especially
important because, if spammers knew the alias of a distribution list, they could reach many of your employees
with one e-mail message. Restricting distribution lists is especially effective for large lists that contain many
nested distribution lists.
Note Be aware that many spammers use directory harvest (dictionary) attacks, in which software opens a
connection to the target mail server and rapidly submits large numbers of guessed e-mail addresses,
noting which ones are accepted, as a mechanism to discover recipients. Distribution lists are often represented
by an alias that is a common dictionary word (for example, "sales" or "everyone"), so they are found quickly.
To set a distribution list as restricted
1. In Active Directory Users and Computers, open the property page of the distribution list.
2. Click the Exchange General tab, and then select the From authenticated users only check box.
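The check box above restricts one list at a time. The following PowerShell is an added example (not Microsoft code) that audits every mail-enabled group in the domain for lists that still accept mail from anyone, then restricts the larger ones. It assumes that the "From authenticated users only" check box is stored in the group's msExchRequireAuthToSendTo attribute; verify that on one group you have restricted through the GUI (with ADSI Edit) before relying on it. The 20-member threshold and the use of the direct member count as a measure of list size are choices made for this example.

```powershell
# Added example; not part of the Microsoft guide. Assumes the "From authenticated users only"
# check box maps to msExchRequireAuthToSendTo on the group object and that the script runs on a
# domain member with rights to read and write group objects.
function Get-UnrestrictedDistributionList {
    # Every mail-enabled group that still accepts mail from anyone, anonymous SMTP included.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(&(objectCategory=group)(mail=*))'
    $searcher.PageSize = 500      # paged results so large directories are not truncated at 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'mail', 'msExchRequireAuthToSendTo', 'member'))
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties   # property names come back lower-cased
        $flag = $p['msexchrequireauthtosendto']
        $restricted = ($flag.Count -gt 0) -and [bool]$flag[0]
        if (-not $restricted) {
            New-Object PSObject -Property @{
                DistinguishedName = [string]$p['distinguishedname'][0]
                Mail              = [string]$p['mail'][0]
                DirectMembers     = $p['member'].Count   # rough size; a nested list counts as one member
            }
        }
    }
}

function Set-DistributionListRestricted {
    # Equivalent of selecting the check box in step 2 above, for one group.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $group = [ADSI]"LDAP://$DistinguishedName"
    $group.Put('msExchRequireAuthToSendTo', $true)
    $group.SetInfo()
    "Restricted $DistinguishedName to authenticated senders"
}

# Review the report first, then restrict the large, easily guessed aliases.
$open = @(Get-UnrestrictedDistributionList)
$open | Sort-Object DirectMembers -Descending | Format-Table Mail, DirectMembers, DistinguishedName -AutoSize
$open | Where-Object { $_.DirectMembers -ge 20 } |
    ForEach-Object { Set-DistributionListRestricted -DistinguishedName $_.DistinguishedName }
```

Check the result by sending to one of the restricted lists from an external address: the message should be rejected with a non-delivery report rather than delivered. Remember that workflow or monitoring systems that submit mail anonymously to a list will be rejected too, so review the report for such lists before restricting them.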

Exchange 2003 Filtering


Exchange 2003 includes a set of features that allow the administrator to create connection, sender, and
recipient filtering lists in an attempt to block spam at the perimeter of the organization, thereby reducing costs
by rejecting messages at the earliest opportunity. Exchange 2003 supports the following filters:

• Connection filtering Filters inbound connections by comparing the sending host's IP address against a
block list provided by a real-time block list (RBL) service. You can also maintain your own global accept and
deny lists of IP addresses.
• Sender filtering Blocks messages whose sender address matches a list that you define. By default, SMTP
connections from senders on this list are dropped.
• Recipient filtering Allows you to set global restrictions on mail to specific recipients, for example rejecting
mail addressed to recipients that do not exist in the directory.
For more information about how filters are applied, see the book What's New in Exchange Server 2003
(http://go.microsoft.com/fwlink/?LinkId=24402).
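Connection filtering is the one filter whose mechanism is not visible in the management console, so the following PowerShell is an added example for this guide (not Microsoft code) that models it offline: the sending host's IP address is reversed, appended to the block list's DNS zone, and looked up as an A record; any answer means the host is listed, and most lists encode the reason for the listing in the last octet of the answer. The zone name bl.example.net, the meaning of the answer codes, and the "DNS answers" in the hashtable are all constructed for the example, and the order in which the global accept list, global deny list, and block list are consulted is the order used by this example.

```powershell
# Added example; not part of the Microsoft guide. Everything in $ConstructedAnswers is invented
# so that the script runs without network access; the zone name is constructed too.
function Get-DnsblQueryName {
    # 192.0.2.10 checked against bl.example.net becomes 10.2.0.192.bl.example.net
    param([Parameter(Mandatory)][string]$IPAddress, [Parameter(Mandatory)][string]$Zone)
    $octets = $IPAddress.Split('.')
    if ($octets.Length -ne 4) { throw "IPv4 address expected: $IPAddress" }
    [array]::Reverse($octets)
    return ($octets -join '.') + '.' + $Zone
}

function ConvertTo-IPv4Integer {
    param([string]$IPAddress)
    $b = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Test-IPInList {
    # List entries are single addresses or CIDR ranges, as in the global accept/deny lists.
    param([string]$IPAddress, [string[]]$List)
    $ip = ConvertTo-IPv4Integer $IPAddress
    foreach ($entry in $List) {
        $parts = $entry.Split('/')
        $bits  = if ($parts.Length -gt 1) { [int]$parts[1] } else { 32 }
        $mask  = 4294967295 - ([long][math]::Pow(2, 32 - $bits) - 1)
        if (($ip -band $mask) -eq ((ConvertTo-IPv4Integer $parts[0]) -band $mask)) { return $true }
    }
    return $false
}

function Get-ConnectionFilterDecision {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [string[]]$GlobalAccept = @(),
        [string[]]$GlobalDeny   = @(),
        [string]$Zone = 'bl.example.net',   # constructed zone name
        [string[]]$MatchCodes = @(),        # empty = any answer counts as "listed"
        [hashtable]$Answers = @{}           # query name -> A record; stands in for DNS here
    )
    # Order used in this example: the accept list exempts the host, the deny list rejects it,
    # and only then is the block list consulted.
    if (Test-IPInList $IPAddress $GlobalAccept) { return 'accept: global accept list' }
    if (Test-IPInList $IPAddress $GlobalDeny)   { return 'reject 550: global deny list' }
    $q = Get-DnsblQueryName $IPAddress $Zone
    if (-not $Answers.ContainsKey($q)) { return 'accept: not listed' }
    $code = $Answers[$q]
    if ($MatchCodes.Length -eq 0 -or $MatchCodes -contains $code) { return "reject 550: listed in $Zone ($code)" }
    return "accept: listed in $Zone with non-matching code $code"
}

# Constructed answers. Invented meanings: 127.0.0.2 = open relay, 127.0.0.10 = policy-only listing.
$ConstructedAnswers = @{
    '10.2.0.192.bl.example.net' = '127.0.0.2'
    '7.100.51.198.bl.example.net' = '127.0.0.10'
}
Get-ConnectionFilterDecision -IPAddress '192.0.2.10'   -Answers $ConstructedAnswers
Get-ConnectionFilterDecision -IPAddress '198.51.100.7' -Answers $ConstructedAnswers -MatchCodes '127.0.0.2'
Get-ConnectionFilterDecision -IPAddress '192.0.2.10'   -Answers $ConstructedAnswers -GlobalAccept '192.0.2.0/24'
Get-ConnectionFilterDecision -IPAddress '203.0.113.5'  -Answers $ConstructedAnswers -GlobalDeny '203.0.113.5'
```

The second call shows why restricting the matching return codes matters: a host carried on a policy-only listing is accepted when only the open-relay code is configured as a match, which avoids rejecting legitimate mail on the strength of a listing reason you did not intend to act on. To query a real block list instead of the hashtable, replace the ContainsKey lookup with a DNS A-record query for the name that Get-DnsblQueryName returns (for example Resolve-DnsName on Windows Server 2012 and later) and treat "no answer" as "not listed".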

Protecting Against Denial-of-Service Attacks

Denial-of-service attacks are generally difficult to guard against. However, Exchange 2003 includes settings
that can help you protect against such attacks.
The message limit parameters configured on the SMTP virtual server allow you to specify a maximum number
of recipients per message, a maximum message size, a maximum number of messages per connection, and so
on. These limits can help prevent denial-of-service attacks that stem from mail transport.
Another type of denial-of-service attack could originate from sending a large number of e-mail messages to a
particular server until it runs out of disk space. To minimize this possibility, you can set storage limits on
mailboxes and public folders. By default, the organization-wide message size limit in Exchange 2003 rejects
messages larger than 10 MB. In addition, you should configure the SMTP virtual servers on the Internet-facing
gateway servers to reject messages larger than 10 MB. The SMTP virtual server limit is enforced earlier in
message processing, during the SMTP session itself, than the Exchange-defined limit, so an oversized message
is refused before it consumes queue or store resources on the gateway.
Note Because replication likely requires the transfer of large messages, you should not
configure internal (non-Internet-facing) SMTP virtual servers to reject messages larger than
10 MB.
In addition, on a Windows Server 2003 installation, Exchange 2003 uses Internet Information Services (IIS)
application pools to mitigate denial of service attacks.
For information about how to administer these various settings, see the book Exchange Server 2003
Administration Guide (http://go.microsoft.com/fwlink/?linkid=21769).

Protecting Against Address Spoofing


A common technique spammers use is to configure the From line in an e-mail message to hide the sender's
identity. Although SMTP does not require verification of a sender's identity, Exchange 2003 provides the
following functionality to help minimize address spoofing:
Default authentication settings
By default, Exchange 2003 does not resolve a sender's e-mail address unless the sender uses a client program
such as Outlook or Outlook Web Access to authenticate against an Exchange server. When Exchange receives
a message from an authenticated client, it verifies that the sender is in the global address list (GAL), and if so,
resolves the user's display name (in the From line) on the message. If the original message was submitted
without authentication, Exchange 2003 marks the message as unauthenticated at its point of origin and
carries that information with the message from server to server. In this case, the sender's address is not resolved to the GAL
display name (for example Ted Bremer); instead, it is displayed to the recipient in its SMTP format (for
example, ted@contoso.com). You should educate your users to be suspicious of messages that claim to be
from other users in your organization but are not resolved to the GAL display name.
However, Exchange 2000 does resolve the sender address on messages submitted anonymously, so a spoofed
internal address arriving from the Internet is displayed to recipients as the genuine GAL display name. For this
reason, if you are upgrading from Exchange 2000, it is recommended that you upgrade gateway servers to
Exchange 2003 before upgrading mailbox and other Exchange servers. Alternatively, to prevent your
Exchange 2000 servers from resolving anonymous mail, you can perform the following procedure.

To prevent Exchange 2000 from resolving anonymous e-mail messages


Warning Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry incorrectly may not
be able to be resolved. Before editing the registry, back up any valuable data.
1. Start Registry Editor (regedit).
2. Navigate to or create the following key in the registry (where 1 is the instance number of the SMTP virtual server):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsExchangeTransport\Parameters\1
Note You may need to create both the Parameters key and the 1 key.
3. On the Edit menu, click Add Value, and then add the following registry value:
Value name: ResolveP2
Data type: REG_DWORD

4. Use the following flags to determine which value to use:


      Field                  Value
      -----                  -----
      FROM:                  2
      TO: and CC:            16
      REPLY TO:              32

5. To determine the value that you want to use, add the values for all of the fields that you want to be
resolved. For example, to resolve all of the fields except the sender, type 48 (16+32=48). To resolve only
the recipients, type 16. By default, Exchange 2000 resolves everything; you get the same behavior either
by not creating the value or by setting it to 2+16+32=50.
6. Quit Registry Editor.
7. Restart the SMTP virtual server.
Be cautious when you select the servers on which you enable this setting. Exchange 2000 uses SMTP to route
internal mail between servers, so if you change the behavior on the default SMTP virtual server in an
organization with multiple servers, all internal mail that originates on other Exchange 2000 servers is also
affected. You may therefore want to create a separate SMTP virtual server for Internet mail, or apply this
setting only on an incoming SMTP bridgehead server.
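The ResolveP2 value is a bit mask, and the procedure above asks you to work the arithmetic out by hand on each server. The following Python helper, an added example that is not part of the guide or of Exchange, computes the DWORD from the set of fields you want resolved, decodes an existing value back into field names (rejecting bits outside the documented set, which usually means a typo), and emits a .reg file for the SMTP virtual server instance so the change can be applied consistently instead of being typed into Registry Editor. The field names FROM, TO_CC and REPLY_TO are this example's own labels for the three documented flags.

```python
"""ResolveP2 helper: encode/decode the Exchange 2000 registry value and emit a .reg file."""

# Flag values for the ResolveP2 REG_DWORD as documented in this guide; the key names are ours.
RESOLVEP2_FLAGS = {
    "FROM": 2,         # resolve the sender (From line)
    "TO_CC": 16,       # resolve recipients (To and Cc lines)
    "REPLY_TO": 32,    # resolve the Reply-To line
}
ALL_FLAGS = sum(RESOLVEP2_FLAGS.values())   # 50, the Exchange 2000 default (everything resolved)

def resolvep2_value(fields):
    """Return the DWORD that resolves exactly the given fields, e.g. {"TO_CC", "REPLY_TO"} -> 48."""
    unknown = set(fields) - RESOLVEP2_FLAGS.keys()
    if unknown:
        raise ValueError(f"unknown field(s): {sorted(unknown)}")
    return sum(RESOLVEP2_FLAGS[f] for f in set(fields))

def resolvep2_fields(value):
    """Return the sorted field names an existing DWORD resolves; reject undocumented bits."""
    if value < 0 or value & ~ALL_FLAGS:
        raise ValueError(f"value {value} sets bits outside the documented flags")
    return sorted(f for f, bit in RESOLVEP2_FLAGS.items() if value & bit)

def resolvep2_reg(fields, vs_instance=1):
    """Build the text of a .reg file that sets ResolveP2 for one SMTP virtual server instance."""
    if not isinstance(vs_instance, int) or vs_instance < 1:
        raise ValueError("vs_instance must be a positive SMTP virtual server instance number")
    value = resolvep2_value(fields)
    key = "\\".join(["HKEY_LOCAL_MACHINE", "SYSTEM", "CurrentControlSet", "Services",
                     "MsExchangeTransport", "Parameters", str(vs_instance)])
    # .reg files use CRLF line endings and hexadecimal DWORD data.
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{key}]\r\n"
        f'"ResolveP2"=dword:{value:08x}\r\n'
    )

if __name__ == "__main__":
    # Resolve recipients and Reply-To but leave the sender unresolved (the "48" case in step 5).
    print(resolvep2_reg({"TO_CC", "REPLY_TO"}), end="")
```

Import the .reg file on the bridgehead with regedit, then restart the SMTP virtual server as in step 7; decode the value you find on a server you did not configure yourself before assuming it resolves what you expect.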
Cross-forest authentication settings
If your organization contains multiple forests, you can configure trusts between forests such that SMTP
bridgehead servers require authentication.
Note Workflow applications may submit mail anonymously; therefore, before you configure
authentication in your organization, be sure to evaluate your workflow application needs.
For information about how to configure cross-forest authentication, see "Transport and Message Flow
Features" in the book What's New in Exchange Server 2003
(http://go.microsoft.com/fwlink/?LinkId=24402).
Anonymous access settings
Although Exchange 2003 gives users a client-side way to recognize spoofed mail, you should turn off
anonymous SMTP access on all internal Exchange servers. Turning off anonymous access helps ensure that
only authenticated users can submit messages within your organization. In addition, requiring authentication
forces client programs such as Outlook Express and Outlook using RPC over HTTP to authenticate before
sending mail.
Reverse Domain Name System lookups
If you receive messages directly from other domains on the Internet, you can configure your SMTP virtual
server to perform a reverse Domain Name System (DNS) lookup on incoming e-mail messages. This verifies
that the Internet Protocol (IP) address and fully qualified domain name (FQDN) of the sender's mail server
corresponds to the domain name listed in the message. However, consider the following limitations to reverse
DNS lookups:
• The sender's IP address may not be in the reverse DNS lookup record, or the sending server may have
multiple names for the same IP, not all of which may be available from the reverse DNS lookup record.
• Reverse DNS lookups place an additional load on the Exchange server.
• Reverse DNS lookups require that the Exchange server is able to contact the reverse lookup zones for the
sending domain.
• Performing reverse DNS lookups on each message can result in a substantial decrease in performance due
to increased latency.
Note For more information about using reverse DNS lookup, see Microsoft Knowledge Base
article 319356, "HOW TO: Prevent Unsolicited Commercial E-Mail in Exchange 2000 Server"
(http://go.microsoft.com/fwlink/?linkid=3052&kbid=319356).
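The limitations listed above are easiest to reason about with the check written out. The following Python is an added example, not part of the guide or of the Exchange SMTP service: it performs a forward-confirmed reverse DNS check on an SMTP peer and reports separately the three ways it can fail to confirm (no PTR record, PTR names that do not resolve back to the address, and a HELO/EHLO name that is not among the confirmed names). The two dictionaries are constructed resolver answers using documentation addresses, standing in for gethostbyaddr/gethostbyname so the code runs offline; how you act on each verdict (stamp, score or reject) is a policy decision this example leaves to the caller.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an SMTP peer, driven by constructed DNS data."""
import ipaddress

# Constructed resolver answers (RFC 5737 documentation addresses, not real hosts).
PTR_RECORDS = {
    "192.0.2.25": ["mail.example.com", "mx1.example.net"],   # one address, two PTR names
    "192.0.2.26": ["smtp.example.org"],                      # PTR exists, forward record is stale
    # 192.0.2.27: no PTR record at all (or the reverse zone was unreachable)
}
A_RECORDS = {
    "mail.example.com": ["192.0.2.25"],
    "mx1.example.net": ["192.0.2.25"],
    "smtp.example.org": ["198.51.100.9"],
}

def reverse_lookup(ip):
    """PTR names for an address; [] when the reverse zone has no record or cannot be reached."""
    return PTR_RECORDS.get(ip, [])

def forward_lookup(name):
    """A records for a name; [] when the name does not resolve."""
    return A_RECORDS.get(name.lower().rstrip("."), [])

def check_peer(ip, helo_name):
    """Classify an SMTP peer. Returns (verdict, confirmed_names).

    verdicts: "no-ptr"       no reverse record, so there is nothing to verify
              "mismatch"     PTR names exist but none of them resolves back to the address
              "fcrdns"       a PTR name resolves back, but the HELO/EHLO name is not one of them
              "fcrdns-helo"  a PTR name resolves back and equals the HELO/EHLO name
    """
    ipaddress.ip_address(ip)  # raises ValueError on garbage before any lookup is attempted
    names = reverse_lookup(ip)
    if not names:
        return "no-ptr", []
    # Forward-confirm every PTR name: only names whose A record contains the peer address count.
    confirmed = sorted(n.lower().rstrip(".") for n in names if ip in forward_lookup(n))
    if not confirmed:
        return "mismatch", []
    if helo_name.lower().rstrip(".") in confirmed:
        return "fcrdns-helo", confirmed
    return "fcrdns", confirmed

if __name__ == "__main__":
    for ip, helo in [("192.0.2.25", "mail.example.com"), ("192.0.2.25", "relay.example.com"),
                     ("192.0.2.26", "smtp.example.org"), ("192.0.2.27", "unknown.example")]:
        print(ip, helo, "->", check_peer(ip, helo))
```

Note that a "fcrdns" verdict for a host with several PTR names is legitimate (the second bullet above), so treating anything other than "fcrdns-helo" as spam would reject real mail; the "no-ptr" case is also common for poorly maintained but legitimate senders.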

Hardening Exchange 2003 Servers

This section explains how to harden Exchange 2003 servers based on their role in your organization. This
section is divided into three main sub-sections.
• Hardening the Windows Infrastructure This section provides the preliminary steps you must perform
before hardening your Exchange servers.
• Hardening Back-End Servers This section provides the steps you must perform to harden the Exchange
mailbox server, including how to disable non-essential services, restrict access to local directories, and
other configurations.
• Hardening Front-End Servers This section provides the steps you must perform to harden an Exchange
front-end server. This section also discusses front-end server roles and provides more granular
configuration recommendations in accordance with these roles. In addition, this section includes
information about URLScan—a tool that runs on IIS and allows you to specify exactly which HTTP
requests can run against the computer.
This section, and the remainder of this guide, is written with the assumption that you have read the Windows
Server 2003 Security Guide and have implemented the recommendations for hardening your domain, domain
controllers, and member servers. In some cases, the Exchange 2003 configuration recommendations in this
section are dependent on recommendations in the Windows Server 2003 Security Guide. These requirements
are specified where appropriate.
Furthermore, all of the recommendations in this section are derived from the configurations in the Exchange
Group Policy Security Templates, which are included with this guide. (For detailed information about these
templates, see "Deploying Exchange Group Policy Security Templates" later in this guide.) Specifically, this
section explains the settings within the security templates, in case you want to configure your servers manually.
Alternatively, you can import the provided templates in one of two ways:
• You can import any security template to a local computer. To do this, open the Local Security Policy
MMC snap-in, right-click Security Settings, and then click Import Policy. Navigate to and then double-
click the appropriate Exchange Group Policy Security Template.
• You can mirror the recommended Active Directory organizational structure (as recommended by both the
Windows Server 2003 Security Guide and this guide) and then use the Group Policy Object Editor to
import the policies into the appropriate organizational units. For specific information about this method,
see "Deploying Exchange Group Policy Security Templates" later in this guide.
Important Because the "Deploying Exchange Group Policy Security Templates" section is
written with the assumption that you understand how to harden Exchange 2003 servers, it is
important that you read "Hardening Exchange 2003 Servers" first.
As with all software deployments, be sure to thoroughly test all recommended configurations in a test
environment before you deploy in a production environment.
Note Running custom applications or third-party Exchange or Outlook plug-ins may require
further configuration and testing.

Hardening the Windows Infrastructure


As previously mentioned, this guide assumes that you applied the configurations recommended in the
Windows Server 2003 Security Guide. Before you harden your Exchange environment, you must complete the
following two steps.
Important The recommendations and template settings in this guide were verified using the
Windows Server 2003 "Enterprise Client" Group Policy Object (GPO) templates. If you plan to run
Exchange 2003 in an environment where the Windows Server 2003 "High Security" GPO
templates are deployed, additional testing and configurations may be necessary to provide full
functionality. As noted in the Windows Server 2003 Security Guide, the "High Security" templates
are very restrictive, and as a result, many applications may not function correctly. For this reason,
performance may be impacted, and server management will be more challenging.
1. Deploy the Domain, Domain Controller, and Member Server Baseline policy templates throughout your
forest. For information about how to deploy these templates, see Chapters 2, 3, and 4 in the Windows
Server 2003 Security Guide (http://go.microsoft.com/fwlink/?LinkId=21638).
Note Exchange servers are considered to be member servers; therefore, be sure to apply
the appropriate Member Server Baseline policy (Enterprise Client - Member Server
Baseline.inf) to each Exchange server.
2. Deploy the Exchange Domain Controller Baseline Policy template (Exchange_2003-
DC_Incremental_V1_1.inf) in all of the domain controllers in your organization. The Exchange_2003-
DC_Incremental_V1_1.inf file is a security policy that allows Exchange to operate in a secured
environment. The next section explains this policy in detail, including specific deployment steps.

Exchange Domain Controller Baseline Policy


The Exchange Domain Controller Baseline Policy modifies the domain controllers in your forest so they can
support Exchange operations. This policy co-exists with the Domain Controller Baseline Policy that is
recommended in Chapter 4, "Hardening Domain Controllers," of the Windows Server 2003 Security Guide.
The Exchange Domain Controller Baseline Policy template (Exchange_2003-DC_Incremental_V1_1.inf) is
included with this guide. You should import this template into a Group Policy object (GPO) at the Domain
Controllers organizational unit in Active Directory Users and Computers and should precede the Domain
Controller Baseline Policy supplied by Windows Server 2003.
Note The sequence of the policies on the Group Policy tab determines the order in which
policies are applied; therefore, it is important that you place the Exchange Domain Controller
Baseline Policy above the Windows Server 2003 Domain Controller Baseline Policy.
Table 1 lists the differences between the Windows Server 2003 Domain Controller Baseline Policy and the
Exchange 2003 Domain Controller Baseline Policy. Each difference is explained following the table.

Table 1 Differences between the Windows Server 2003 and Exchange 2003 Domain Controller Baseline Policies

Option: Additional restrictions for anonymous connections
  Windows Server 2003 Domain Controller Baseline Policy: No access without explicit anonymous permissions
  Exchange 2003 Domain Controller Baseline Policy: None. Rely on default permissions, because Outlook versions earlier than Outlook 2003 require anonymous connections

Option: Shut down your system immediately if unable to log security audits
  Windows Server 2003 Domain Controller Baseline Policy: Enabled
  Exchange 2003 Domain Controller Baseline Policy: Disabled

Option: Account logon event auditing
  Windows Server 2003 Domain Controller Baseline Policy: Success and Failure
  Exchange 2003 Domain Controller Baseline Policy: Failure

Option: Logon event auditing
  Windows Server 2003 Domain Controller Baseline Policy: Success and Failure
  Exchange 2003 Domain Controller Baseline Policy: Failure

Additional restrictions for anonymous connections


The anonymous restriction setting in Exchange 2003 differs from that of Windows Server 2003 because
Outlook 2000 and Outlook 2002 clients contact the global catalog server anonymously for information.
With settings defined in the Windows Server 2003 Security Guide, where anonymous queries to the global
catalog server are restricted, Outlook 2000 and Outlook 2002 users are unable to send internal mail and
must use external addresses. However, because Outlook 2003 authenticates with the global catalog server,
it is not necessary to relax this security setting in a pure Outlook 2003 environment.
Note For more information about this issue, see Microsoft Knowledge Base article 309622,
"XADM: Clients Cannot Browse the Global Address List After You Apply the Q299687
Windows 2000 Security Hotfix" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=309622).
Shut down your system immediately if unable to log security audits
This setting is disabled because the logs are likely to fill quickly for logon failures, such as mistyped
passwords.
Account logon event auditing and Logon event auditing
The Account logon event and Logon event auditing settings are modified because of the large number of
success logon events that Exchange 2003 generates during normal operations. If success auditing is
enabled for logon events, the security log is rapidly filled; therefore, the Exchange Domain Controller
Baseline Policy logs only failure events.
Deploying the Exchange Domain Controller Baseline Policy template is most efficient if you import the
Exchange_2003-DC_Incremental_V1_1.inf file into the Domain Controller organizational unit by means of the
Group Policy property page.
To create the domain controller GPO and import the Exchange Domain Controller
Baseline Policy template
1. In Active Directory Users and Computers, right-click Domain Controllers, and then click Properties.
2. On the Group Policy tab, click New to add a new Group Policy object.
3. Type Exchange DC Policy, and then press ENTER.
4. Click Edit. The Group Policy Object Editor opens.
5. In Group Policy Object Editor, under Computer Configuration, expand Windows Settings, right-click
Security Settings, and click Import Policy.
Note If Import Policy does not appear on the menu, close Group Policy Object Editor
and repeat Steps 4 and 5.
6. In Import Policy From, navigate to the directory where you saved the Exchange Group Policy Security
Templates, and then double-click Exchange_2003-DC_Incremental_V1_1.inf.
7. Close Group Policy Object Editor, and then click OK.
8. In Domain Controllers Properties, select Exchange DC Policy, click Up until Exchange DC Policy is
at the top of the list, click Apply, and then click OK.
9. After importing the policy, you must wait for replication to other domain controllers or use the Active
Directory Sites and Services MMC snap-in to force replications. Replication ensures that all domain
controllers are updated with the policy.
Note Although replication applies the policy, you must reboot the servers for the policies to
take effect.
10. In the Event Log, to verify that the policy was downloaded successfully, search for the following
Application Information event: SceCli 1704. Then, verify that the server can communicate with the other
domain controllers in the domain.
11. Restart each domain controller one at a time to ensure that each reboots successfully and that the policies
have taken effect.

Hardening Back-End Servers


After hardening the domain, domain controllers, and all member servers (in accordance with the Windows
Server 2003 Security Guide), and after deploying the Exchange Domain Controller Baseline Policy, you are
ready to harden your Exchange 2003 servers.
There are four general configuration areas for hardening back-end servers:
Hardening services
Many services are not used, but are enabled by default and should be disabled
Hardening file access control lists
(ACLs)There are some directories that can be hardened more securely than the default installation
provides.
Changing privilege rights
To allow Outlook Web Access users to log on, you must make one change in user privileges.
Enabling additional services (optional)
Enable any additional services that are required for your organization.
Applying the Exchange_2003-Backend_V1_1.inf security template to your back-end servers is the most
efficient mechanism for performing the hardening configurations that are described in this section.
For information about how to deploy the Exchange Group Policy Security Templates, see "Deploying
Exchange Group Policy Security Templates" later in this guide.
Important Before hardening the Exchange 2003 back-end servers, you should delete any public
folder stores from all local Exchange computers that will not be used as public folder access
points. Deleting the public folder stores before hardening the Exchange infrastructure allows
replication of the deletions to occur. For information about how to delete the public folder store,
see "Dismounting the Mailbox Store and Deleting the Public Folder Store" later in this guide.

Services
Table 2 lists the recommended baseline settings you should start with when hardening the services for an
Exchange back-end server (the Exchange_2003-Backend_V1_1.inf file configures these settings
automatically). All Internet-based mail retrieval protocols are disabled. The reason for this is to implement a
hardened start-up configuration that requires you to enable each service as it is required.

Table 2 Service settings configured by Exchange_2003-Backend_V1_1.inf

Service Name                                  Startup Mode   Reason
------------                                  ------------   ------
Microsoft Exchange IMAP4                      Disabled       Server not configured for IMAP4
Microsoft Exchange Information Store          Automatic      Needed to access mailbox and public folder stores
Microsoft Exchange POP3                       Disabled       Server not configured for POP3
Microsoft Search                              Disabled       Not required for core functionality
Microsoft Exchange Event                      Disabled       Only needed for backward compatibility with Exchange 5.5
Microsoft Exchange Site Replication Service   Disabled       Only needed for backward compatibility with Exchange 5.5
Microsoft Exchange Management                 Automatic      Required for message tracking and for Exchange Server Best Practices Analyzer (ExBPA) functionality
Windows Management Instrumentation            Automatic      Required for Microsoft Exchange management
Microsoft Exchange MTA Stacks                 Automatic      Only needed for backward compatibility, mailbox moves, or if there are X.400 connectors on the computer
Microsoft Exchange System Attendant           Automatic      Needed for Exchange maintenance and other tasks
Microsoft Exchange Routing Engine             Automatic      Needed to coordinate message transfer between Exchange servers
IPSEC Policy Agent                            Automatic      Needed to implement IPSec policy on the server
IIS Admin Service                             Automatic      Required by HTTP, SMTP, and the Exchange routing engine
NTLM Security Support Provider                Automatic      System Attendant depends on this service
Simple Mail Transfer Protocol (SMTP)          Automatic      Required for Exchange transport
World Wide Web Publishing Service             Automatic      Required for communication with servers running Outlook Web Access and Outlook Mobile Access
HTTP SSL                                      Manual         Starts automatically when required by the World Wide Web Publishing Service
Network News Transport Protocol (NNTP)        Disabled       Only needed for setup and newsgroup functionality
Remote Registry                               Automatic      Required for Exchange Setup and remote administration

Note For the Exchange System Attendant to start, the following Windows services must be up
and running:
• Event Log
• NTLM Security Support Provider
• RPC
• Server
• Workstation
Service Access Control Lists


The Group Policy Security templates use Security Descriptor Definition Language (SDDL) to apply
permissions to services. This section describes which SDDL is used for specific services. For more information
about SDDL, see "Security Descriptor Definition Language"
(http://go.microsoft.com/fwlink/?LinkId=36849).
• SDDL:
"D:AR(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This SDDL applies permissions to the following Exchange services:
• MSExchangeES
• IMAP4Svc
• MSExchangeIS
• MSExchangeMGMT
• MSExchangeMTA
• RESvc
• MSExchangeSRS
• MSExchangeSA
• MSSEARCH
This SDDL sets the following permissions on each of the above services:
• Authenticated Users – Read
• System – Full Control
• Builtin Administrators – Full Control
• Auditing for failures against the Everyone security principal
• The SDDL defined for the following Windows services in the "Enterprise Client – Member Server
Baseline.inf" template is inherited and is not optimal for Exchange. Therefore, the Exchange templates
set the same Exchange-specific SDDL defined above on these services:
• POP3Svc
• W3Svc
• IISAdmin
• SMTPSvc
• NNTPSvc
• HTTPFilter
• ClusSvc
• The SDDL defined for the MSDTC service in the "Enterprise Client – Member Server Baseline.inf"
template is not optimal for Exchange. Therefore, the Exchange templates modify the SDDL defined by the
"Enterprise Client – Member Server Baseline" template slightly.
The MSDTC service is set with the following SDDL:
"D:AR(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This SDDL sets the following permissions on the MSDTC service:


• Authenticated Users – Read
• System – Full Control
• Builtin Administrators – Full Control
• Auditing for failures against the Everyone security principal
• Network Service – Write and Special Permissions (query and change configuration, start, query status, interrogate, enumerate dependents, read permissions)
• The SDDL for the following Windows services have been copied directly from the “Enterprise Client -
Member Server Baseline.inf” template and applied explicitly:
• Winmgmt
• PolicyAgent
• RemoteRegistry
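The SDDL strings above are hard to read and even harder to audit by eye. The following Python is an added example (not part of the guide, and not the Windows API, which would use ConvertStringSecurityDescriptorToSecurityDescriptor): it parses the two strings quoted in this section into ACEs, maps the two-letter right tokens to their service-specific meanings, summarizes each trustee's rights the way the services ACL editor does ("Read", "Full Control", or the individual rights), and flags any trustee other than Administrators and System that is allowed to change, start, stop or delete the service. On the MSDTC string that check reports Network Service, which is exactly the "Write and Special Permissions" entry listed above. The abbreviation tables cover only the tokens used in these two strings plus Deny; other SIDs are returned as written.

```python
"""Decode the service SDDL strings from the Exchange security templates into readable permissions."""
import re

# The two strings quoted in this guide (common Exchange service SDDL and the MSDTC variant).
EXCHANGE_SERVICE_SDDL = ("D:AR(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                         "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
MSDTC_SDDL = ("D:AR(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPLORC;;;NS)"
              "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Two-letter right tokens and what they mean for a service object.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
FULL_CONTROL = frozenset(SERVICE_RIGHTS)
READ = frozenset({"CC", "LC", "SW", "LO", "CR", "RC"})        # what the services ACL editor calls "Read"
STATE_CHANGING = frozenset({"DC", "RP", "WP", "DT", "SD", "WD", "WO"})
TRUSTEES = {"AU": "Authenticated Users", "BA": "Builtin Administrators", "SY": "Local System",
            "WD": "Everyone", "NS": "Network Service"}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}
ADMIN_TRUSTEES = {"Builtin Administrators", "Local System"}

SDDL_RE = re.compile(r"^D:(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^()]*\))*)"
                     r"(?:S:(?P<sflags>[A-Z]*)(?P<sacl>(?:\([^()]*\))*))?$")
ACE_RE = re.compile(r"\(([^()]*)\)")

def split_rights(rights):
    """Turn 'CCLCSW...' into a set of tokens, rejecting anything that is not a known service right."""
    if len(rights) % 2:
        raise ValueError(f"odd-length rights field {rights!r}")
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    unknown = tokens - FULL_CONTROL
    if unknown:
        raise ValueError(f"unknown right token(s) {sorted(unknown)}")
    return tokens

def parse_sddl(sddl):
    """Return {'dacl': [...], 'sacl': [...]}, one dict per ACE (type, flags, rights, trustee)."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not a D:...S:... service SDDL string")

    def aces(text):
        out = []
        for ace in ACE_RE.findall(text or ""):
            parts = ace.split(";")
            if len(parts) != 6:
                raise ValueError(f"malformed ACE ({ace})")
            atype, flags, rights, _object_guid, _inherit_guid, sid = parts
            out.append({"type": ACE_TYPES.get(atype, atype), "flags": flags,
                        "rights": split_rights(rights), "trustee": TRUSTEES.get(sid, sid)})
        return out

    return {"dacl": aces(m.group("dacl")), "sacl": aces(m.group("sacl"))}

def summarize(rights):
    if rights == FULL_CONTROL:
        return "Full Control"
    if rights == READ:
        return "Read"
    return "Special (" + ", ".join(sorted(SERVICE_RIGHTS[t] for t in rights)) + ")"

def describe(sddl):
    """Human-readable lines: DACL entries first, then SACL entries tagged with their audit flags."""
    parsed = parse_sddl(sddl)
    lines = [f"{a['type']} {a['trustee']}: {summarize(a['rights'])}" for a in parsed["dacl"]]
    lines += [f"{a['type']}({a['flags']}) {a['trustee']}: {summarize(a['rights'])}" for a in parsed["sacl"]]
    return lines

def non_admin_state_changers(sddl):
    """Trustees other than Administrators/System allowed to change, start, stop or delete the service."""
    return sorted({a["trustee"] for a in parse_sddl(sddl)["dacl"]
                   if a["type"] == "Allow" and a["trustee"] not in ADMIN_TRUSTEES
                   and a["rights"] & STATE_CHANGING})

if __name__ == "__main__":
    for name, sddl in [("Exchange services", EXCHANGE_SERVICE_SDDL), ("MSDTC", MSDTC_SDDL)]:
        print(name)
        for line in describe(sddl):
            print("  " + line)
        print("  non-admin trustees that can alter the service:", non_admin_state_changers(sddl))
```

The same parser can be pointed at the SDDL for any service line in a template you did not write yourself; a "Special" entry for Authenticated Users or Everyone that includes SERVICE_CHANGE_CONFIG or WRITE_DAC is the classic service-permission weakness worth catching before the template is deployed.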

Key Services That Are Disabled


As previously mentioned, all non-essential services for a back-end Exchange server are disabled. In some
cases, depending on the functionality you require, you may need to re-enable some services. To be consistent
among your servers, you should use the security policies included with this guide or create your own policies
to apply at the organizational unit level.
The following list describes some of the services that are disabled:
Microsoft Exchange Event
Introduced in Exchange Server 5.5, the Microsoft Exchange Event service (MSExchangeES) supports
server-side scripts triggered by folder events, either in public folders or individual mailboxes.
MSExchangeES is provided in Exchange 2003 for backward compatibility with Exchange 5.5 event
scripts. However, new applications written specifically for Exchange 2003 should use native Exchange
store events instead of MSExchangeES. For more information about these new applications, see the
Exchange 2003 Software Development Kit (SDK) available on MSDN
(http://go.microsoft.com/fwlink/?LinkId=21641).
Microsoft Search
To provide increased functionality when searching for documents that reside in a store, the Microsoft
Search service (MSSEARCH) creates and manages indexes for common key fields. An index allows
Outlook users to search for documents more rapidly. With full-text indexing, the index is built prior to the
client search, thereby enabling faster searches. Text attachments can also be included in the full-text
indexing. Both the Microsoft Exchange Information Store service and MSSEARCH must be running for
the index to be created, updated, or deleted.
Microsoft Exchange Site Replication Service
If an Exchange 2003 server belongs to an existing Exchange 5.5 site, the Microsoft Exchange Site
Replication Service (MSExchangeSRS) is responsible for replicating Exchange 5.x site and configuration
information to the configuration naming partition of Active Directory.
Microsoft Exchange POP3
The Microsoft Exchange POP3 service (POP3Svc) is responsible for providing POP3 access to mailboxes.
By default, this service is disabled on new Exchange Server 2003 installations.
Microsoft Exchange IMAP4
The Microsoft Exchange IMAP4 service (IMAP4Svc) is responsible for providing IMAP4 access to
mailboxes and public folders. By default, this service is disabled on new Exchange Server 2003
installations.
Network News Transfer Protocol (NNTP)
The NNTP service (NntpSvc) is responsible for providing NNTP access to newsgroups maintained in
public folders. By default, this service is disabled on new Exchange Server 2003 installations.
File Access Control Lists


Table 3 lists the recommended file access control list (ACL) permission settings (the Exchange_2003-
Backend_V1_1.inf file configures these settings automatically).

Table 3 File ACL settings configured by Exchange_2003-Backend_V1_1.inf

Directory: %systemdrive%\Inetpub\mailroot
  Old ACL: Everyone: Full Control
  New ACL: Administrators: Full Control; Local System: Full Control
  Applied to subdirectories: Yes

Directory: %systemdrive%\Inetpub\nntpfile\
  Old ACL: Everyone: Full Control
  New ACL: Administrators: Full Control; Local System: Full Control
  Applied to subdirectories: Yes

Directory: %systemdrive%\Inetpub\nntpfile\root
  Old ACL: Everyone: Full Control
  New ACL: Everyone: Full Control (unchanged)
  Applied to subdirectories: Yes

Directory: %ProgramFiles%\exchsrvr\
  Old ACL: Administrators: Full Control; Users: Read, Read & Execute, List Folder Contents; Server Operators: Modify, Read & Execute, List Folder Contents, Read, Write
  New ACL: Administrators: Full Control; Local System: Full Control; Server Operators: Modify, Read & Execute, List Folder Contents, Read, Write; CREATOR OWNER: Full Control (Subfolders and Files Only)
  Applied to subdirectories: All, except the ADDRESS, OMA, BIN, EXCHWEB and RES subdirectories

Directory: %ProgramFiles%\exchsrvr\OMA, \ADDRESS, \BIN, \EXCHWEB and \RES
  Old ACL: Administrators: Full Control; Users: Read, Read & Execute, List Folder Contents; Server Operators: Modify, Read & Execute, List Folder Contents, Read, Write
  New ACL: Administrators: Full Control; Local System: Full Control; Users: Read, Read & Execute, List Folder Contents; Server Operators: Modify, Read & Execute, List Folder Contents, Read, Write; CREATOR OWNER: Full Control (Subfolders and Files Only)
  Applied to subdirectories: Yes

Note The settings defined on the nntpfile directory and subdirectories are not strictly required
unless NNTP is configured to run on the server. However, the setting is defined in the
Exchange_2003-Backend_V1_1.inf security template because it increases restrictions on the file
system and is ready to use in case you want to enable NNTP at a later time.
Additionally, if you install Exchange in a directory other than %programfiles%\exchsrvr then you must
modify the INF files and change the path accordingly.

Privilege Rights
After applying the Windows Server 2003 security policies, you need to change only one privilege right to
enable Outlook Web Access. Both Outlook Web Access and the public folder administration UI require that the
Guests group is not denied network logon. The Windows Server 2003 security policy sets the "Deny access to
this computer from the network" right to deny both ANONYMOUS LOGON and the Guests group. The most
efficient way to configure this right is to apply a group policy that denies only ANONYMOUS LOGON.
If you deploy the Exchange 2003 Group Policy Security Templates, then the Exchange_2003-
Backend_V1_1.inf file sets this value correctly.
If you are not deploying the Exchange 2003 Group Policy Security Templates, then you can edit the existing
Windows Server 2003 security policy.
To enable the Guests group in the Windows Server 2003 Baseline Security Policy
1. In Active Directory Users and Computers, right-click the organizational unit that contains the Exchange
servers and to which the Windows Server 2003 Baseline Security Policy is linked, and then click Properties.
2. In <Organizational Unit> Properties, on the Group Policy tab, select the Windows Server 2003 Baseline
Security Policy, and then click Edit. The Group Policy Object Editor opens.
3. In Group Policy Object Editor, under Computer Configuration, expand Windows Settings, expand
Security Settings, expand Local Policies, and then click User Rights Assignment.
4. In the details pane, double-click the Deny access to this computer from the network policy.
5. In Deny access to this computer from the network Properties, select Guests, and then click Remove.
6. Click Apply, and then click OK.
Note If you prefer to create your own group policy, you must add the following value under the
[Privilege Rights] section:
SeDenyNetworkLogonRight = *S-1-5-7
This argument blocks only ANONYMOUS LOGON.
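Whether you import the supplied templates or maintain your own, the two things that go wrong most often are a "Deny access to this computer from the network" entry that still lists Guests (which breaks Outlook Web Access logon, as described above) and a service left at the wrong startup mode relative to Table 2. The following Python is an added example, not part of the guide: it parses the text of a secedit .inf template (templates are usually UTF-16 on disk; decode them first), checks the SeDenyNetworkLogonRight entry against the requirement that ANONYMOUS LOGON (S-1-5-7) is denied and BUILTIN\Guests (S-1-5-32-546) is not, produces the corrected line, and compares the [Service General Setting] startup codes against a subset of Table 2. The embedded template is constructed for the example and deliberately contains both mistakes; the short-name mapping in BACKEND_BASELINE and the 2/3/4 startup codes are the ones security templates use, but verify them against your own INF before relying on the drift report.

```python
"""Audit a secedit .inf security template for the settings this guide changes on Exchange servers."""
import re

ANONYMOUS_LOGON = "*S-1-5-7"        # ANONYMOUS LOGON: must stay in SeDenyNetworkLogonRight
GUESTS = "*S-1-5-32-546"            # BUILTIN\Guests: must come out, or Outlook Web Access logon fails
STARTUP = {2: "Automatic", 3: "Manual", 4: "Disabled"}   # codes used in [Service General Setting]

# Subset of Table 2 keyed by service short name (our mapping of the display names).
BACKEND_BASELINE = {
    "IMAP4Svc": 4, "POP3Svc": 4, "NntpSvc": 4, "MSSEARCH": 4, "MSExchangeES": 4, "MSExchangeSRS": 4,
    "MSExchangeIS": 2, "MSExchangeSA": 2, "SMTPSvc": 2, "W3Svc": 2, "HTTPFilter": 3,
}

# Service SDDL quoted in this guide, reused for every service line of the constructed template.
SDDL = ('"D:AR(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
        '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"')

# Constructed template text. It still denies Guests, leaves POP3 at Automatic and omits NntpSvc,
# so each check below has something to report.
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-7,*S-1-5-32-546
[Service General Setting]
IMAP4Svc,4,{SDDL}
POP3Svc,2,{SDDL}
MSExchangeIS,2,{SDDL}
MSExchangeSA,2,{SDDL}
SMTPSvc,2,{SDDL}
W3SVC,2,{SDDL}
HTTPFilter,3,{SDDL}
MSSEARCH,4,{SDDL}
MSExchangeES,4,{SDDL}
MSExchangeSRS,4,{SDDL}
"""

def parse_inf(text):
    """Return {section: [non-empty, non-comment lines]} from decoded .inf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def privilege(sections, right):
    """SIDs/names assigned to one [Privilege Rights] entry ([] if the right is not set)."""
    for line in sections.get("Privilege Rights", []):
        key, _, value = line.partition("=")
        if key.strip() == right:
            return [v.strip() for v in value.split(",") if v.strip()]
    return []

def deny_network_logon_problems(sections):
    """Messages for each way SeDenyNetworkLogonRight deviates from 'deny only ANONYMOUS LOGON'."""
    sids = privilege(sections, "SeDenyNetworkLogonRight")
    problems = []
    if ANONYMOUS_LOGON not in sids:
        problems.append("ANONYMOUS LOGON is not denied network logon")
    if GUESTS in sids:
        problems.append("Guests is denied network logon; Outlook Web Access logon will fail")
    return problems

def corrected_deny_network_logon(sections):
    """The [Privilege Rights] line to use instead: drop Guests, make sure ANONYMOUS LOGON is present."""
    keep = [s for s in privilege(sections, "SeDenyNetworkLogonRight") if s != GUESTS]
    if ANONYMOUS_LOGON not in keep:
        keep.insert(0, ANONYMOUS_LOGON)
    return "SeDenyNetworkLogonRight = " + ",".join(keep)

def service_startup(sections):
    """{service name (lower-case): startup code} from lines of the form  name,code,"sddl"."""
    modes = {}
    for line in sections.get("Service General Setting", []):
        name, code, _sddl = line.split(",", 2)
        modes[name.strip().strip('"').lower()] = int(code)
    return modes

def startup_drift(sections, baseline=BACKEND_BASELINE):
    """(service, expected code, actual code or None) for every baseline entry the template gets wrong."""
    actual = service_startup(sections)
    return [(svc, want, actual.get(svc.lower()))
            for svc, want in baseline.items() if actual.get(svc.lower()) != want]

if __name__ == "__main__":
    sections = parse_inf(SAMPLE_INF)
    for problem in deny_network_logon_problems(sections):
        print("privilege:", problem)
    print("use:", corrected_deny_network_logon(sections))
    for svc, want, got in startup_drift(sections):
        print(f"service {svc}: expected {STARTUP[want]}, template has {STARTUP.get(got, 'no entry')}")
```

Run it against the text of the template you are about to import (open the file with encoding "utf-16" and pass the result to parse_inf); a service missing from the template is reported with None, which matters because an absent entry leaves whatever startup mode the server already has.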

Enabling Additional Exchange Services


If you performed the procedures properly up to this point, you should have successfully hardened your
Exchange back-end servers. Although your MAPI client, HTTP (Outlook Web Access) client, and SMTP
should now function with your back-end server, your POP3 and IMAP4 clients will not be able to retrieve
mail. If you have a front-end and back-end deployment that includes these protocols, you must also enable the
appropriate POP3 and IMAP4 services on the Exchange back-end server. If this server is an NNTP server, you
must also enable the NNTP service. The easiest way to enable these services is to import the corresponding
Exchange 2003 protocol-specific security templates to the back-end servers that require additional client
access.
For example, if your organization provides POP3 access to mailboxes, after applying the Exchange 2003
security templates (or the recommended configurations) to the front-end POP3 server, you must apply the
Exchange 2003 POP3 security template to the back-end server.
This section discusses the services that you must enable to support NNTP. All other protocols are discussed in
"Hardening Front-End Servers" later in this guide.

Exchange 2003 NNTP Server Policy


Table 4 lists the services that must be enabled to support NNTP (the Exchange 2003 NNTP.inf file configures
these settings automatically). This security policy is applied only on an Exchange back-end server because
NNTP is not deployed in the same manner as HTTP, POP3, and IMAP4, where a front-end protocol handler
proxies requests to the back-end data store. In this context, NNTP is a "back-end" only protocol; therefore, for
front-end servers, you should not enable NNTP in accordance with the settings in Table 4.

Table 4 Services configured to enable NNTP


Service Name Startup Mode Reason
Network News Transport Protocol Automatic Server is used for NNTP
(NNTP)

Hardening Front-End Servers


Hardening your Exchange front-end servers is similar to hardening the back-end server, with the optional (but
recommended) step of configuring and running URLScan on your HTTP front-end servers.
There are six general configuration areas for hardening front-end servers:
Hardening services
Many services are not used, but are enabled by default and should be disabled if the corresponding
functionality is not required.
Hardening file access control lists (ACLs)
The file ACL configuration for the front-end servers is identical to that of the back-end servers.
Enabling additional services (optional)


Enable any additional front-end services that are required for your organization
Running URLScan (optional, but recommended)
Although running URLScan is not required for the services to run, it is highly recommended as a
mechanism for further hardening your front-end HTTP servers.
Dismounting the mailbox store and deleting the public folder store (optional, but
recommended)
For front-end servers that are not SMTP front-end servers, you can dismount and delete these stores.
Note If you plan to delete the public folder store, you should delete it before applying the
Exchange security policies so the changes can replicate to the other Exchange servers.
Applying the Exchange_2003-Frontend_V1_1.inf security template (included with this guide) to your front-
end servers is the most efficient mechanism for performing the hardening configurations that are described in
this section. Furthermore, after you apply the Exchange_2003-Frontend_V1_1.inf template, you can use the
protocol-specific security templates to enable the appropriate services.
For information about how to deploy the Exchange Group Policy Security Templates, see "Deploying
Exchange Group Policy Security Templates" later in this guide.

Before You Get Started


Before you begin hardening the front-end servers in your organization, consider the following:
• Exchange 2003 includes the following applications:
• Outlook Web Access
• Outlook Mobile Access
• Exchange Server ActiveSync®
These applications allow your users to access Exchange information from their personal computers or
mobile devices. These applications all use a combination of Hypertext Transfer Protocol (HTTP) and
WebDAV. By default, Outlook Web Access and Exchange Server ActiveSync are enabled. Outlook Mobile
Access is also installed by default, but the service is disabled on new installations of Exchange 2003.
• POP3 and IMAP4 clients may also use front-end servers to access mailboxes. In these cases, they also use
a front-end server as an SMTP gateway.
• Using a firewall server such as Internet Security and Acceleration (ISA) Server 2004 to regulate access for
HTTP, RPC over HTTP, POP3, and IMAP4 protocol traffic is an essential building block for a more
secure messaging system. For information about how to deploy ISA 2000 with Exchange 2003, see the
technical article Using ISA Server 2000 with Exchange Server 2003
(http://go.microsoft.com/fwlink/?linkid=23232). For information about how to deploy ISA 2004
with Exchange 2003, see "Using ISA Server 2004 with Exchange Server 2003"
(http://go.microsoft.com/fwlink/?linkid=42243).
• It is recommended that you isolate your ISA server in a perimeter network (also known as DMZ,
demilitarized zone, and screened subnet), allowing only the essential ports into your organization. The
Exchange front-end server can then communicate freely with all Windows and Exchange services over
IPSec. For a list of ports that Exchange 2003 may use, see Appendix C, "Ports Used in Exchange 2003"
later in this guide.
• The IIS Lockdown (IISlockd.exe) tool is needed only for Windows 2000 Server. In Windows Server 2003,
IIS Lockdown is a core part of Internet Information Services (IIS). If you are running Exchange 2003 on a
server running Windows 2000, see the Microsoft Knowledge Base article 309677, "XADM: Known Issues
and Fine Tuning When You Use the IIS Lockdown Wizard in an Exchange 2000 Environment"
(http://go.microsoft.com/fwlink/?LinkId=3052&kbid=309677).
• It is recommended that you use Secure Sockets Layer (SSL) and cookie authentication for Outlook Web
Access. SSL helps maintain confidentiality by encrypting message traffic between the client and
Exchange 2003. Cookie authentication improves security by timing out inactive, non-domain connections
and forcing the user to re-authenticate after a period of inactivity. For more information about cookie
authentication, see the book Exchange Server 2003 Administration Guide
(http://go.microsoft.com/fwlink/?linkid=21769).

Services
Similar to hardening your back-end servers, it is important that you disable all non-essential front-end services.
Afterward, you can enable these services on an "as-needed" basis.
This section assumes that you have done one of the following:
• You already used Exchange System Manager to designate the server as an Exchange front-end server.
• You already configured the server as an SMTP gateway or bridgehead server.
Important Designating a computer as a front-end server reconfigures the protocol stacks to
enable front-end and back-end deployments. If you deployed the Exchange_2003-
Frontend_V1_1.inf security template before designating the server as a front-end server, you must
manually start the Microsoft System Attendant service (and its dependencies), use Exchange
System Manager to designate the server as a front-end server, and then restart the computer.
Table 5 lists the recommended baseline settings you should start with when hardening the services for an
Exchange front-end server (the Exchange_2003-Frontend_V1_1.inf file configures these settings
automatically).

Table 5 Service settings configured by Exchange_2003-Frontend_V1_1.inf

Service Name | Startup Mode | Reason
Microsoft Exchange IMAP4 | Disabled | Server not configured for IMAP4
Microsoft Exchange Information Store | Disabled | Not required as there is no mailbox store or public folder store
Microsoft Exchange POP3 | Disabled | Server not configured for POP3
Microsoft Search | Disabled | No message stores to search
Microsoft Exchange Event | Disabled | Only needed for backwards compatibility with Exchange 5.5
Microsoft Exchange Site Replication Service | Disabled | Only needed for backwards compatibility with Exchange 5.5
Microsoft Exchange Management | Automatic | Required for message tracking and Exchange Server Best Practices Analyzer (ExBPA) tool functionality
Windows Management Instrumentation | Automatic | Required for Microsoft Exchange management
Microsoft Exchange MTA Stacks | Disabled | Only needed for backwards compatibility or if there are X.400 connectors on the machine
Microsoft Exchange System Attendant | Disabled | Only needed if running Exchange maintenance and other tasks on this server
Microsoft Exchange Routing Engine | Disabled | Only needed to coordinate message transfer between Exchange servers
IPSEC Policy Agent | Automatic | Needed to implement IPSec policy on the server
IIS Admin Service | Disabled | Only required if running the World Wide Web Publishing Service, SMTP, POP3, IMAP4, or NNTP services
NTLM Security Support Provider | Automatic | System Attendant depends on this service
Simple Mail Transfer Protocol (SMTP) | Disabled | Only required for Exchange transport
World Wide Web Publishing Service | Disabled | Only required for Outlook Web Access and Outlook Mobile Access
Network News Transport Protocol (NNTP) | Disabled | Only needed for setup and newsgroup functionality
Remote Registry | Automatic | Required for Exchange Setup and remote administration

Key Services That Are Disabled


As with the back-end configuration, you may need to re-enable some services to provide the functionality you
require. The following list describes some of the services that are disabled:
Microsoft Exchange POP3, Microsoft Exchange IMAP4
If you do not have POP3 or IMAP4 clients, you can ensure that these services are disabled by group
policy. However, before disabling these services, ensure that there are not any customized programs
running in your environment that require these services.
Simple Mail Transfer Protocol (SMTP)
When a front-end server acts as an HTTP, POP3, or IMAP4 server, it does not strictly require SMTP.
However, if you configured your front-end server to receive SMTP mail (either as a gateway server or as
an SMTP submission server for IMAP4 or POP3 clients), you must enable the SMTP service
(SMTPSVC). For virus scanners, the Microsoft Exchange Information Store service (MSExchangeIS) and
the Microsoft Exchange System Attendant service (MSExchangeSA) are also required.
Microsoft Exchange System Attendant
On a front-end server, the System Attendant is required only if you want to make configuration changes to
the server. Specifically, to make any changes to a server that uses the Exchange 2003 Front-end Security
Policy (including designating the server as a front-end server), you must temporarily start the Microsoft
Exchange System Attendant service (MSExchangeSA) and associated services first.
Microsoft Exchange Information Store
Because mail is not delivered to this server, the Microsoft Exchange Information Store service
(MSExchangeIS) is not required. However, if the server is configured as an SMTP gateway server
(without any user mailboxes or public folders), MSExchangeIS is required for virus scanning and to
reliably route public folder mail.

Service Access Control Lists


The service access control list (ACL) settings for front-end servers are identical to the service ACL settings for
back-end servers. For information about these service ACL settings, see "Service Access Control Lists" earlier
in this guide.
Note The Exchange_2003-Frontend_V1_1.inf security template configures these settings
automatically.
File Access Control Lists


The file access control list (ACL) settings for front-end servers are identical to the file ACL settings for
back-end servers. For information about these file ACL settings, see "File Access Control Lists" in the
"Hardening Back-End Servers" section.
Note The Exchange_2003-Frontend_V1_1.inf security template configures these settings
automatically.

Enabling Additional Exchange Services


If you performed the procedures properly up to this point, you should have successfully hardened your
Exchange front-end servers. However, to take advantage of Exchange 2003 services and features, you must
enable protocol support for each type of client. This section explains which services you must enable to
support the client protocols.
Important For POP3 and IMAP4 to function, you must configure both protocols on the front-end
and the back-end servers.
Each of the following subsections corresponds to a specific security template included in the Exchange Group
Policy Security Templates. Installing these templates is the most efficient way to enable a protocol.

Exchange 2003 HTTP Server Policy


The Exchange 2003 HTTP security policy enables the HTTP service on the front-end servers.
Note If you followed the recommendations in this section, or if you are deploying the
Exchange 2003 Group Policy Security Templates included with this guide, it is not necessary that
you enable this policy on the back-end server; both the security templates and the recommendations
in this section assume HTTP access for the back-end server.
Table 6 lists the services that must be enabled to support HTTP (the Exchange 2003 HTTP.inf file configures
these settings automatically).

Table 6 Services configured to enable HTTP

Service Name | Startup Mode | Reason
World Wide Web Publishing Service | Automatic | Server is used for HTTP
HTTP SSL | Manual | Starts automatically when required by the World Wide Web Publishing Service
IIS Admin Service | Automatic | Required if running the World Wide Web Publishing Service, SMTP, POP3, IMAP4, or NNTP services

Exchange 2003 POP3 Server Policy


The Exchange 2003 POP3 security policy enables the POP3 service. If you are using POP3, you must apply
this policy on the back-end server as well.
Table 7 lists the services that must be enabled to support POP3 (the Exchange 2003 POP3.inf file configures
these settings automatically).

Table 7 Services configured to enable POP3

Service Name | Startup Mode | Reason
Microsoft Exchange POP3 | Automatic | Server is used for POP3
IIS Admin Service | Automatic | Required if running the World Wide Web Publishing Service, SMTP, POP3, IMAP4, or NNTP services

Exchange 2003 IMAP4 Server Policy


The Exchange 2003 IMAP4 security policy enables the IMAP4 service. If you are using IMAP4, you must
apply this policy on the back-end server as well.
Table 8 lists the services that must be enabled to support IMAP4 (the Exchange 2003 IMAP4.inf file
configures these settings automatically).

Table 8 Services configured to enable IMAP4

Service Name | Startup Mode | Reason
Microsoft Exchange IMAP4 | Automatic | Server is used for IMAP4
IIS Admin Service | Automatic | Required if running the World Wide Web Publishing Service, SMTP, POP3, IMAP4, or NNTP services

Exchange 2003 SMTP Server Policy


The Exchange 2003 SMTP security policy enables the SMTP service.
Note If you followed the recommendations in this section, or if you are deploying the
Exchange 2003 Group Policy Security Templates included with this guide, it is not necessary to
enable this policy on the back-end server; both the security templates and the recommendations in
this section assume SMTP functionality for the back-end server.
Table 9 lists the services that must be enabled to support SMTP (the Exchange 2003 SMTP.inf file configures
these settings automatically). These settings are also the default settings after a typical Exchange 2003
installation.

Table 9 Services configured to enable SMTP

Service Name | Startup Mode | Reason
Simple Mail Transfer Protocol (SMTP) | Automatic | Server is used for SMTP
IIS Admin Service | Automatic | Required if running the World Wide Web Publishing Service, SMTP, POP3, IMAP4, or NNTP services
Microsoft Exchange Information Store | Automatic | Used by virus scanners and by SMTP
Microsoft Exchange System Attendant | Automatic | Required for Exchange maintenance and other tasks
Microsoft Exchange MTA Stacks | Enabled | Used for error handling of some messages
Microsoft Exchange Routing Engine | Automatic | Used to coordinate message transfer between Exchange servers

URLScan
URLScan.exe screens all incoming HTTP requests to an IIS server and allows only those that comply with a
specific rule set to pass. This helps ensure that the server responds only to valid requests, thereby significantly
improving security. URLScan allows you to filter requests based on length, character set, content, and other
factors. For more information about URLScan, including download and installation instructions, see the
URLScan Security Tool website (http://go.microsoft.com/fwlink/?LinkId=24490).

Configuring Exchange 2003 URLScan


URLScan is configured manually by editing a configuration text file called urlscan.ini. After you install
URLScan, this file is located in the following folder: <WinDir>\System32\Inetsrv\Urlscan
It is highly recommended that you configure URLScan in accordance with the instructions in Microsoft
Knowledge Base article 823175, "Fine-tuning and known issues when you use the Urlscan utility in an
Exchange 2003 environment" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=823175).
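Because urlscan.ini is hand-edited, the practical risk is that a verb, header or limit Outlook Web Access depends on is left blocked and the front end silently breaks. The following Python script is an added example, not code from the guide or from Microsoft: it reads a urlscan.ini with the standard library, reports settings that would block an OWA/WebDAV front end, and emits a corrected file. The sample file is constructed for illustration, and OWA_VERBS, WEBDAV_HEADERS and MIN_CONTENT_LENGTH are this example's assumptions about what OWA needs; the authoritative list for your build is Knowledge Base article 823175.

```python
"""Check a urlscan.ini against what an Outlook Web Access / WebDAV front end
needs, and emit a corrected file. Standard library only."""
import configparser
import io

# Constructed urlscan.ini in the default-deny style, with several settings
# that break OWA left in; NOT a copy of any shipped or Microsoft file.
SAMPLE_URLSCAN_INI = """\
[options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
RemoveServerHeader=1
EnableLogging=1

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
TRACE
TRACK

[DenyHeaders]
Translate:
If:
Lock-Token:

[RequestLimits]
MaxAllowedContentLength=2000000
MaxUrl=260
MaxQueryString=2048
"""

# Assumed OWA requirements; confirm each against KB 823175 for your build.
OWA_VERBS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PROPFIND",
             "PROPPATCH", "MKCOL", "MOVE", "COPY", "SEARCH", "SUBSCRIBE",
             "UNSUBSCRIBE", "POLL", "BMOVE", "BCOPY", "BDELETE", "BPROPFIND",
             "BPROPPATCH", "LOCK", "UNLOCK"}
WEBDAV_HEADERS = {"translate:", "if:", "lock-token:"}
MIN_CONTENT_LENGTH = 30_000_000   # assumed ceiling; must exceed your largest attachment


def load_urlscan(text):
    """urlscan.ini mixes key=value sections with bare-item lists; configparser
    handles that with allow_no_value. Only '=' is a delimiter so that header
    names such as 'Translate:' keep their trailing colon."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.read_file(io.StringIO(text))
    return cp


def _items(cp, section):
    return set(cp[section].keys()) if cp.has_section(section) else set()


def check_owa_urlscan(text):
    """Return a list of findings; an empty list means the file passes."""
    cp = load_urlscan(text)
    opts = cp["options"] if cp.has_section("options") else {}
    findings = []
    if opts.get("useallowverbs", "0") == "1":
        missing = sorted(OWA_VERBS - {v.upper() for v in _items(cp, "AllowVerbs")})
        if missing:
            findings.append("AllowVerbs lacks WebDAV verbs: " + ", ".join(missing))
    clash = sorted(OWA_VERBS & {v.upper() for v in _items(cp, "DenyVerbs")})
    if clash:
        findings.append("DenyVerbs blocks verbs OWA uses: " + ", ".join(clash))
    blocked = sorted(_items(cp, "DenyHeaders") & WEBDAV_HEADERS)
    if blocked:
        findings.append("DenyHeaders blocks WebDAV headers: " + ", ".join(blocked))
    if opts.get("allowdotinpath", "0") != "1":
        findings.append("AllowDotInPath=0 rejects mailbox URLs such as /exchange/first.last")
    if opts.get("allowhighbitcharacters", "0") != "1":
        findings.append("AllowHighBitCharacters=0 rejects non-ASCII mailbox and folder names")
    limits = cp["RequestLimits"] if cp.has_section("RequestLimits") else {}
    max_len = int(limits.get("maxallowedcontentlength", "0"))
    if max_len < MIN_CONTENT_LENGTH:
        findings.append("MaxAllowedContentLength=%d is below the attachment ceiling" % max_len)
    return findings


def owa_urlscan_ini(max_content_length=MIN_CONTENT_LENGTH):
    """Emit a urlscan.ini that satisfies check_owa_urlscan (assumed values)."""
    lines = ["[options]", "UseAllowVerbs=1", "UseAllowExtensions=0",
             "NormalizeUrlBeforeScan=1", "VerifyNormalization=1",
             "AllowHighBitCharacters=1", "AllowDotInPath=1",
             "RemoveServerHeader=1", "EnableLogging=1", "",
             "[AllowVerbs]", *sorted(OWA_VERBS), "",
             "[DenyVerbs]", "TRACE", "TRACK", "",
             "[DenyHeaders]", "",                 # no WebDAV headers denied
             "[RequestLimits]",
             "MaxAllowedContentLength=%d" % max_content_length,
             "MaxUrl=260", "MaxQueryString=2048", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in check_owa_urlscan(SAMPLE_URLSCAN_INI):
        print("FAIL:", finding)
    print("corrected file passes:", check_owa_urlscan(owa_urlscan_ini()) == [])
```

Run the script against the constructed sample and it flags the three WebDAV headers in [DenyHeaders], the missing WebDAV verbs, the two path options and the low content-length limit; the file produced by owa_urlscan_ini passes the same checks. Keep UseAllowVerbs=1 (allow-list) rather than relying on [DenyVerbs] alone, so that any verb you have not explicitly reviewed is rejected.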

Dismounting the Mailbox Store and Deleting the Public Folder Store
Because a front-end server's role is to forward requests to the back-end servers, you may not need Exchange
mailboxes or public folders on the front-end servers. The back-end Exchange server manages these stores. If
the front-end server is not an SMTP front-end server, you can dismount and delete these stores.
To replicate the public folder deletions to other Exchange servers, you should delete the public folder stores
before you harden the servers.
To dismount and delete the mailbox and public folder databases
1. Start the Services administrative tool.
2. In the details pane, right-click NT LM Security Support Provider, and then click Properties.
3. On the General tab, in the Startup Type list, select Automatic.
4. Click Apply, click Start, and then click OK.
5. Repeat Steps 2 through 4 for the Microsoft Exchange System Attendant service. If SMTP is running on
this server, you must also start the Microsoft Exchange Information Store service.
6. Start Exchange System Manager on the front-end server.
7. Expand Servers, expand the front-end server, and then expand First Storage Group.
8. If the mailbox store is mounted, right-click Mailbox Store, click Dismount Store, and then click Yes to
dismount the mailbox store.
9. Right-click Mailbox Store, and then click Properties.
10. On the Database tab, select the Do not mount this store at start-up check box, and then click OK.
11. If the public folder store is mounted, right-click Public Folder Store, click Dismount Store, and then
click Yes to dismount the public folder store.
12. Right-click Public Folder Store, and then click Delete.
13. Click Yes, click OK, select a back-end server, and then click OK.
14. Click Yes to delete the public folder store, and then click OK.
15. Restart the front-end server.


Note If you installed the Exchange_2003-Frontend_V1_1.inf security template on this computer,
you do not need to disable the NTLM Security Support Provider and the Microsoft Exchange
System Attendant again—this occurs automatically when the server is rebooted.

Deploying the Exchange Group Policy Security Templates
In Windows Server 2003, you can define many security settings, including auditing, security options, registry
settings, file permissions, and service settings using group policy objects. The Windows Server 2003 Security
Guide provides recommendations for many of these settings, and many of these settings apply for
Exchange 2003. As previously mentioned, the main area where additional settings are applied is for services,
although there are some file permission changes and, for domain controllers, registry changes.
This section explains how to organize your Active Directory structure to support deployment of the Exchange
Group Policy Security Templates at the organizational unit level. The previous sections provided steps for
installing the individual security templates on each local machine or manually configuring the recommended
settings. In comparison, deploying the Exchange Group Policy Security Templates (in accordance with the
recommended organizational unit structure presented in this section) is more predictable and less prone to
configuration problems. Using organizational units and Group Policy objects (GPOs) to deploy the security
templates helps ensure that all servers within a given organizational unit are configured identically.
Important This section is intended to build directly on the specific organizational unit
recommendations of the Windows Server 2003 Security Guide. It is critical, however, that you
read "Hardening Exchange 2003 Servers" in its entirety.

Active Directory Structure to Support Exchange 2003 Server Roles
The Windows Server 2003 Security Guide recommends an organizational unit structure that allows you to
easily adopt the security templates supplied with that guide. Because Exchange 2003 is a directory-enabled
application, the Windows Server 2003 organizational unit structure can be easily extended to incorporate the
new server roles defined in this section.
• Within the Member Servers organizational unit, create two new organizational units called Exchange
Back-end Servers and Exchange Front-end Servers. If you have numerous NNTP servers, you may
want to create an organizational unit for them within the Exchange Back-end Servers organizational unit.
• Within the Exchange Front-end Servers organizational unit, create separate organizational units for the
following (as necessary for the client services in your organization):
• Exchange 2003 SMTP Servers
• Exchange 2003 HTTP Servers
• Exchange 2003 POP3 Servers
• Exchange 2003 IMAP4 Servers
You can also combine server roles into a single organizational unit. For example, if your organization runs
IMAP4 and POP3 services on the same computer, you can create a single organizational unit called IMAP4
and POP3 Servers. The security policies included with this guide are additive; therefore, providing that you
pay close attention to the sequence of the policies, you can apply multiple policies to a single organizational
unit.
Figure 1 illustrates the recommended organizational unit structure to accommodate the new server roles,
including which security policy and security template (.inf file) corresponds to each organizational unit.
Figure 1 Organizational unit structure with additional Exchange 2003 organizational units
Note Creating the organizational unit structure to support the recommendations in this guide is
discussed in much more detail in the Windows Server 2003 Security Guide
(http://go.microsoft.com/fwlink/?LinkId=21638).

Because the Exchange 2003 servers reside in organizational units below the Member Servers organizational
unit, the servers inherit settings that are defined in the Windows Server 2003 Member Server Baseline Policy.
The Exchange policies modify these settings in two ways:
• Some services that are not required for basic Windows Server 2003 functionality are necessary in
Exchange 2003.
• Exchange 2003 introduces many additional services, not all of which are required to allow the Exchange
servers to function in their particular roles.

Securing Server Roles in Exchange 2003


The Exchange Group Policy Security Templates are included with this guide to help you secure server roles in
your Exchange 2003 environment. To apply the templates, you must import them into your Group Policy
settings.
Table 12 lists how server roles correspond to the security templates.
Important In Table 12, the sequence of the security templates corresponds to the order in
which they are applied, not the order in which they should appear in the GPO list. In fact, because
the Group Policies are implemented from the top of the list down, the order in which the
templates should appear in the GPO list is exactly opposite.

Table 12 Exchange 2003 server roles and corresponding security templates

Server Role | Description | Security Templates (in application order)
Exchange 2003 back-end server | Server for mailbox and public folder access; when using POP3, IMAP4, or NNTP, include the corresponding incremental template | (1) Windows Server 2003 baseline template (Enterprise Client); (2) Exchange_2003-Backend_V1_1.inf
Exchange 2003 front-end server | Common settings for all front-end servers; disables all protocols; a specific protocol policy must be applied for the server to function | (1) Windows Server 2003 baseline template (Enterprise Client); (2) Exchange_2003-Frontend_V1_1.inf
Exchange 2003 HTTP server | Dedicated front-end server for HTTP; used by Outlook Web Access, Outlook Mobile Access, Exchange Server ActiveSync, and WebDAV applications | (1) Windows Server 2003 baseline template (Enterprise Client); (2) Exchange_2003-Frontend_V1_1.inf; (3) Exchange_2003-HTTP_V1_1.inf
Exchange 2003 POP3 server | Dedicated front-end server for POP3, or added incrementally to an Exchange 2003 back-end server | (1) Windows Server 2003 baseline template (Enterprise Client); (2) Exchange_2003-Frontend_V1_1.inf; (3) Exchange_2003-POP3_V1_1.inf
Exchange 2003 IMAP4 server | Dedicated front-end server for IMAP4, or added incrementally to an Exchange 2003 back-end server | (1) Windows Server 2003 baseline template (Enterprise Client); (2) Exchange_2003-Frontend_V1_1.inf; (3) Exchange_2003-IMAP4_V1_1.inf
Exchange 2003 NNTP server | Added incrementally to an Exchange 2003 back-end server | (1) Windows Server 2003 baseline template (Enterprise Client); (2) Exchange_2003-Backend_V1_1.inf; (3) Exchange_2003-NNTP_V1_1.inf
Exchange 2003 SMTP server | Dedicated Internet-facing gateway server for SMTP or bridgehead | (1) Windows Server 2003 baseline template (Enterprise Client); (2) Exchange_2003-Frontend_V1_1.inf; (3) Exchange_2003-SMTP_V1_1.inf

For front-end servers, any combination of HTTP, POP3, IMAP4, and SMTP policies can be applied on top of
the Exchange_2003-Frontend_V1_1.inf policy. In fact, because the Exchange_2003-Frontend_V1_1.inf
security policy turns off all Internet client protocols, you must apply all of those protocol security policies after
deploying Exchange_2003-Frontend_V1_1.inf. For back-end servers, any combination of POP3, IMAP4, and
NNTP can be applied on top of the Exchange_2003-Backend_V1_1.inf policy.
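The ordering rule above, and the Table 5 and Table 6 baselines, can be checked mechanically before a template is imported into a GPO. The following Python script is an added example, not code from the guide or from Microsoft: it parses the [Service General Setting] section that Windows security templates (.inf) use to carry service startup modes (each row is "ServiceName",StartupCode,"SDDL" with 2 = Automatic, 3 = Manual, 4 = Disabled), applies several templates in sequence the way the additive policies do, and reports every service whose effective startup mode differs from the expected baseline. The two template fragments are constructed to mirror Tables 5 and 6 for a handful of services, using the Windows service names (W3SVC, IISADMIN, HTTPFilter, MSExchangeIS, MSExchangeSA, NtLmSsp); they are not the Exchange_2003-Frontend_V1_1.inf or Exchange_2003-HTTP_V1_1.inf files shipped with the guide.

```python
"""Parse the [Service General Setting] section of Windows security templates
(.inf) and compute the effective service startup modes after applying several
templates in sequence. Standard library only."""
import re

STARTUP = {2: "Automatic", 3: "Manual", 4: "Disabled"}   # .inf startup codes

# Constructed template fragments that mirror Table 5 and Table 6 for a handful
# of services; they are NOT the templates shipped with the guide.
FRONTEND_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"W3SVC",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"IISADMIN",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"MSExchangeIS",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"MSExchangeSA",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"NtLmSsp",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"""
HTTP_INF = """\
[Service General Setting]
"W3SVC",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"HTTPFilter",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"IISADMIN",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
"""

# Effective state a hardened HTTP front end must reach (Table 5 plus Table 6).
HTTP_FRONTEND_EXPECTED = {
    "W3SVC": "Automatic", "HTTPFilter": "Manual", "IISADMIN": "Automatic",
    "MSExchangeIS": "Disabled", "MSExchangeSA": "Disabled", "NtLmSsp": "Automatic",
}

_ROW = re.compile(r'^"([^"]+)",\s*(\d+),\s*"([^"]*)"\s*$')


def parse_service_settings(inf_text):
    """Return {service: (startup_mode, sddl)} for one template."""
    settings = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[service general setting]"
            continue
        if not in_section:
            continue
        m = _ROW.match(line)
        if not m:
            raise ValueError("unparseable service row: %r" % line)
        name, code, sddl = m.group(1), int(m.group(2)), m.group(3)
        if code not in STARTUP:
            raise ValueError("unknown startup code %d for %s" % (code, name))
        settings[name] = (STARTUP[code], sddl)
    return settings


def effective_startup(*inf_texts):
    """Apply templates in the given order; a later template overrides an
    earlier one for the same service, which is how the additive policies behave."""
    merged = {}
    for text in inf_texts:
        for service, (mode, _sddl) in parse_service_settings(text).items():
            merged[service] = mode
    return merged


def baseline_deviations(merged, expected):
    """Return {service: (actual, expected)} for every mismatch (empty = OK)."""
    return {s: (merged.get(s), want)
            for s, want in expected.items() if merged.get(s) != want}


if __name__ == "__main__":
    good = effective_startup(FRONTEND_INF, HTTP_INF)   # front end, then protocol
    bad = effective_startup(HTTP_INF, FRONTEND_INF)    # protocol, then front end
    print("front-end then HTTP:", baseline_deviations(good, HTTP_FRONTEND_EXPECTED))
    print("HTTP then front-end:", baseline_deviations(bad, HTTP_FRONTEND_EXPECTED))
```

Applying the front-end fragment and then the HTTP fragment reproduces the Table 6 state with no deviations; applying them in the reverse order leaves World Wide Web Publishing Service and IIS Admin Service disabled, which is the failure the Important note on template order warns about. Point the parser at the real .inf files extracted from E2k3SecOps.exe to confirm the shipped templates encode the documented tables before you import them.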

Importing the Exchange Group Policy Security Templates


The Exchange Group Policy Security Templates are contained in the E2k3SecOps.exe file (included with this
guide). You must extract this file prior to importing the security templates.
These security templates are designed to increase the security in your Exchange 2003 environment. However,
when you import these templates, you may lose functionality in your environment—this could include the
failure of mission-critical applications. Therefore, it is essential that you thoroughly test these templates and
make any appropriate changes before deploying them in a production environment. Be sure to include custom
applications, third-party applications, and other software that interacts with your messaging system in your
testing. Also, be sure to back up each domain controller and server prior to applying new security settings.
Ensure that the system state is included in the backup, including registry data and Active Directory databases.
Note The Domain Controller Baseline Policy and the Member Server Baseline Policy (included in
the Windows Server 2003 Security Guide) set the LAN Manager Authentication level to NTLMv2
only. For Outlook clients to successfully communicate with Exchange servers and domain
controllers, they must also be configured to use NTLMv2.
The following procedure imports the Exchange Group Policy Security Templates included with this guide into
the organizational unit structure suggested earlier in this chapter.
To create the Exchange GPOs and import the Exchange Group Policy Security
Templates
1. In Active Directory Users and Computers, expand Member Servers, right-click Exchange Back-End
Servers, and then click Properties.
2. On the Group Policy tab, click New to add a new Group Policy object (GPO).
3. Type Exchange Back-End Policy, and then press ENTER.
4. Click Edit.
5. In Group Policy Object Editor, under Computer Configuration, expand Windows Settings, right-click
Security Settings, and then click Import Policy.
Note If Import Policy does not appear on the menu, close Group Policy Object Editor
and repeat Steps 4 and 5.
6. In Import Policy From, navigate to the location where you saved the Exchange Group Policy Security
Templates, and then double-click Exchange_2003-Backend_V1_1.inf.
7. Close Group Policy Object Editor, and then click OK.


8. Repeat Steps 1 through 7 for the Exchange 2003 Front-end Servers organizational unit (using the
Exchange_2003-Frontend_V1_1.inf template) and for each protocol that your organization uses.
9. In the Active Directory site where the Exchange servers reside, verify that all domain controllers are
updated with the new Exchange Group Policy Security templates. Depending on your Active Directory
environment, it may take several minutes for the new Exchange Group Policy Security templates to be
replicated to all domain controllers in the site. To force Active Directory replication within the site, you
can use the Active Directory Sites and Services MMC snap-in or the Windows Support tool,
Repadmin.exe.
For more information about both methods, see Microsoft Knowledge Base article 232072, "Initiating
Replication Between Active Directory Direct Replication Partners"
(http://go.microsoft.com/fwlink/?LinkId=3052&kbid=232072).
10. If you have not yet moved the servers from the root Member Server organizational unit, move a server
for each role into the appropriate organizational unit.
11. On the server, download the policy: at the command prompt, type gpupdate /force.
12. Restart each server to ensure that each reboots successfully and that the policies have taken effect.

Working with a Hardened Exchange Server


If you successfully performed the procedure from the previous section, you have moved your existing
Exchange servers into the appropriate organizational units, thereby increasing the level of security in your
environment. To maximize your security, you must move new servers into the appropriate organizational unit
prior to installing Exchange.
Note Any configuration changes that you make on a hardened front-end server require that the
Microsoft Exchange System Attendant service is running. The Microsoft Exchange System
Attendant service writes configuration changes to the IIS metabase, which is essential for most
configuration changes made to a front-end server.
Although your hardened Exchange environment allows core Exchange services to run, it does not, by default,
allow you to install or upgrade Exchange. The following procedure shows you how to install or upgrade
Exchange on hardened servers.
Note When installing Exchange 2003 on a hardened server, you will receive "Digital Signature
Not Found" errors. This error results from the increased security on the server and can be
bypassed.
To install Exchange 2003 on a hardened server
1. Start the Services administrative tool.
2. In the details pane, right-click Distributed Transaction Coordinator, and then click Properties.
3. On the General tab, in the Startup Type list, select Automatic.
4. Click Apply.
5. Click Start.
6. Click OK.
7. Repeat Steps 2 through 6 for the Network News Transport Protocol (NNTP) and Windows Installer
services.
Note If you are performing these steps on a server in the Exchange 2003 Front-End
organizational unit, repeat Steps 2 through 6 for the Windows Management
Instrumentation service.
8. Install Exchange 2003
Note When installing Exchange 2003, at the end of Setup, a dialog box may appear
indicating a non-fatal setup error occurred because the Microsoft Search service did not start.
This is expected when installing a hardened server and can be bypassed.
9. Start the Services administrative tool.


10. In the details pane, right-click Distributed Transaction Coordinator, and then click Properties.
11. On the General tab, in the Startup Type list, select Disabled.
12. Click Apply.
13. Click Stop.
14. Click OK.
15. Repeat Steps 9 through 14 for the Network News Transport Protocol (NNTP) and Windows Installer
services.
The incremental policies for Exchange front-end and back-end servers enable NTLMv2. This allows the
Exchange servers to communicate with your hardened domain controllers. If you do not place your servers in
the appropriate organizational unit prior to installing Exchange, the servers will not be able to contact domain
controllers.
Appendixes
Appendix A: Using Permissions and Administrative Roles to Control Access
As with any application in your environment, when you define the permissions for Exchange, you should
consider the roles of your Exchange administrators and assign them only the necessary permissions. To
simplify the process, Exchange 2003 uses administrative roles. An administrative role is a collection of
Exchange 2003 objects for the purpose of managing and delegating permissions. An administrative role may
contain policies, routing groups, public folder hierarchies, and servers.
For example, if your organization has two sets of administrators who manage two sets of Exchange 2003
servers, you can create two administrative groups, one for each set of servers. Based on your administrative
model, you can develop an administrative plan that fits your needs.
To easily assign role permissions to administrative groups (and to the Exchange organization), you can use the
Exchange Administration Delegation Wizard. To use the wizard, you must be logged on as a user with Full
Control over the Exchange organization. To start the Exchange Administration Delegation Wizard, in
Exchange System Manager, right-click the organization or administrative group, and then click Delegate
Control.
Table A.1 lists the administrative roles in Exchange 2003.

Table A.1 Administrative Roles in Exchange Server 2003


Role | Description
Exchange View Only | Grants permissions to list and read the properties of all objects below that container. Unless the administrator will need to modify object properties, always assign this role.
Exchange Administrator | Grants all permissions except the ability to take ownership, change permissions, or open user mailboxes. If the administrator will need to add objects or modify object properties, but will not be required to delegate permissions on the objects, assign this role.
Exchange Full Administrator | Grants all permissions to all objects below that container, including the ability to change permissions, except the ability to open user mailboxes or impersonate a user's mailbox. Assign this role only to administrators who are required to delegate permissions to objects. Installing Exchange 2003 requires Exchange Full Administrator permissions: the first server in any domain (including the very first in the forest) requires Exchange Full Administrator rights at the organization level; additional servers in the same domain can be installed with accounts that have Exchange Full Administrator rights at the administrative group level.

In some cases, the Exchange Administration Delegation Wizard does not provide enough granularity for
assigning security permissions. Therefore, for individual objects within Exchange, you can modify the settings
on the Security tab. However, by default, the Security tab is displayed only on the following objects:
• Address lists
• Global address lists
• Databases (mailbox stores and public folder stores)
• Top level public folder hierarchy
Normally, it is not necessary to modify the security options on other Exchange objects; however, it is possible
to display the Security tab on all Exchange objects. The following procedure shows you how to display the
Security tab on all Exchange objects.
Note Use caution when changing permissions on Exchange objects. If you incorrectly assign
"deny" permissions, you may not be able to view some objects in Exchange System Manager.
Warning Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry incorrectly may not
be able to be resolved. Before editing the registry, back up any valuable data.
To display the Security tab on all Exchange objects
1. Start Registry Editor (regedit).
2. Navigate to the following key: HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin
3. On the Edit menu, click Add Value, and then add the following registry value:
Value Name : ShowSecurityPage
Data Type : REG_DWORD
Value : 1
4. Close Registry Editor.
This change takes effect immediately; you do not need to restart Exchange System Manager.
Note Because you are modifying a key within HKEY_CURRENT_USER, the change only affects
the user who is logged on to the computer on which you are working.
Appendix B: Upgrading from Exchange 2000
When upgrading from Exchange 2000 to Exchange 2003, Exchange 2003 ForestPrep and Exchange 2003
Setup configure most of the "secure-by-default" settings that are implemented with new Exchange 2003
installations. This section explains which security settings are configured automatically during an upgrade and
which should be configured manually.

Message Limits
One of the most effective denial-of-service attacks occurs when a messaging system is inundated with large
messages (20+ MB). This type of attack forces the messaging server to move large blocks of data, which could
impact a computer's input/output (I/O) to the extent that mail service is delayed or interrupted.
As a response to this type of attack, Exchange 2003 sets all message limits to 10 MB (1024 KB). This includes
messages that are sent from and received by the Exchange organization. In addition, a 10 MB message size
limit is imposed for all messages posted to public folders.
During an upgrade, Exchange Setup does not change limits that have already been set. Exchange Setup only
imposes these settings if the limits are set to No limit.
To configure the settings for sending and receiving messages, in Exchange System Manager, use the Defaults
tab in Global Message Delivery properties.
To configure the maximum message size settings for public folders, in Exchange System Manager, use the
Limits tab in Public Folder Store properties.
Exchange 2003 also provides message limits for MIME. These limits are also imposed when upgrading to
Exchange 2003. Table B.1 describes these settings.
Note If a MIME limit is reached, a non-delivery report (NDR) is sent back to the sender.

Table B.1 MIME Limits

Limit                     Value             Description
Nesting levels            30                Number of nested MIME parts per message.
Body parts                250               Maximum number of body parts in any given message.
Message ID header size    1877 bytes        Maximum size of the Message-ID header.
Subject header size       2000 bytes        Maximum size of the subject header.
MIME header size          2000 bytes each   Maximum size of any one of the following headers: Content-Type, Content-Description, Content-Disposition, Content-Transfer-Encoding, Content-ID, Content-Base, Content-Location.
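The following Python script is an added example, not part of this guide or of Exchange itself: it parses a raw message with the standard library and reports which of the Table B.1 limits it would exceed, which is useful when investigating why a message was returned with an NDR or when pre-screening mail at a gateway. The counting conventions are assumptions of the example (the top-level entity is nesting level 0 and counts as one body part; a header's size is the byte length of its value), and build_message constructs sample input rather than reading real mail.

```python
"""Check a MIME message against the Exchange 2003 MIME limits from Table B.1.
Added example, not from the guide. Assumed conventions: the top-level message
is nesting level 0 and counts as one body part; a header's size is the byte
length of its value."""
import email
from email import policy

# Limits from Table B.1
MAX_NESTING_LEVELS = 30
MAX_BODY_PARTS = 250
MAX_MESSAGE_ID_BYTES = 1877
MAX_SUBJECT_BYTES = 2000
MAX_MIME_HEADER_BYTES = 2000          # applies to each header in MIME_HEADERS
MIME_HEADERS = ("Content-Type", "Content-Description", "Content-Disposition",
                "Content-Transfer-Encoding", "Content-ID", "Content-Base",
                "Content-Location")


def _header_bytes(part, name):
    """Largest value size in bytes among all occurrences of a header (0 if absent)."""
    return max((len(str(v).encode("utf-8")) for v in part.get_all(name, [])), default=0)


def check_mime_limits(raw):
    """Return the list of Table B.1 limits the raw message exceeds (empty = within limits)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    violations = []
    if _header_bytes(msg, "Message-ID") > MAX_MESSAGE_ID_BYTES:
        violations.append("Message-ID header size > %d bytes" % MAX_MESSAGE_ID_BYTES)
    if _header_bytes(msg, "Subject") > MAX_SUBJECT_BYTES:
        violations.append("Subject header size > %d bytes" % MAX_SUBJECT_BYTES)

    body_parts, max_depth = 0, 0
    stack = [(msg, 0)]                   # depth-first walk over every MIME part
    while stack:
        part, depth = stack.pop()
        body_parts += 1
        max_depth = max(max_depth, depth)
        for name in MIME_HEADERS:
            if _header_bytes(part, name) > MAX_MIME_HEADER_BYTES:
                violations.append("%s header size > %d bytes" % (name, MAX_MIME_HEADER_BYTES))
        if part.is_multipart():
            stack.extend((child, depth + 1) for child in part.iter_parts())
    if max_depth > MAX_NESTING_LEVELS:
        violations.append("Nesting levels %d > %d" % (max_depth, MAX_NESTING_LEVELS))
    if body_parts > MAX_BODY_PARTS:
        violations.append("Body parts %d > %d" % (body_parts, MAX_BODY_PARTS))
    return violations


def build_message(depth, leaves=1, subject="test"):
    """Constructed sample input: multipart/mixed nested `depth` levels deep, with
    `leaves` text/plain parts in the innermost container (depth 0 = one text part)."""
    leaf = "Content-Type: text/plain\r\n\r\nleaf\r\n"
    body = leaf
    for level in range(depth):
        boundary = "b%d" % level
        children = [leaf] * leaves if level == 0 else [body]
        body = ('Content-Type: multipart/mixed; boundary="%s"\r\n\r\n' % boundary
                + "".join("--%s\r\n%s" % (boundary, c) for c in children)
                + "--%s--\r\n" % boundary)
    head = ("From: sender@example.com\r\nTo: recipient@example.com\r\n"
            "Subject: %s\r\nMessage-ID: <constructed@example.com>\r\n" % subject)
    return (head + body).encode("utf-8")


if __name__ == "__main__":
    for label, raw in (("30 levels", build_message(30)),
                       ("31 levels", build_message(31)),
                       ("300 parts", build_message(1, leaves=300))):
        print(label, "->", check_mime_limits(raw) or "within limits")
```

A message that passes this check can still be rejected for other reasons (the 10 MB size limits described above are enforced separately), so treat the script as a diagnostic for the MIME structure only.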

Services
Exchange 2003 Setup does not make any changes to existing service configuration. It is highly recommended
that you either apply the Exchange Security Group Policy Templates or configure the services in accordance
with the server's role.

Outlook Mobile Access


The setting to enable Outlook Mobile Access functionality is set when you run Exchange 2003 ForestPrep. By
default, Exchange 2003 ForestPrep does not enable Outlook Mobile Access. However, during an upgrade, if
Outlook Mobile Access is already enabled, Exchange 2003 ForestPrep does not disable it.

M: Drive
During an upgrade from Exchange 2000, Exchange 2003 Setup removes the M: drive.

Virtual Server Authentication


During an upgrade from Exchange 2000, Exchange 2003 Setup hardens some virtual server instances of POP3,
IMAP4, and NNTP.

POP3 and IMAP4 Virtual Servers


When upgrading an Exchange 2000 computer that is configured as a front-end server, Exchange 2003 Setup
disables anonymous access and enables Basic authentication on POP3 and IMAP4 virtual servers. If you are
upgrading a back-end server, the virtual server instances are not altered.

NNTP Virtual Servers


During an upgrade, Exchange 2003 Setup modifies the default instances of NNTP virtual servers. Specifically,
anonymous authentication is disabled and Basic authentication and Integrated Windows authentication are
enabled. Non-default virtual servers (virtual server instances that Setup does not create) are not altered during
upgrade. If you created new NNTP virtual server instances, be sure that appropriate authentication is required.

Local Access Denied for Domain Users


In Exchange 2003, Domain Users cannot log on locally to the Exchange server. During an upgrade,
Exchange 2003 Setup configures the local computer policy to deny local access for Domain Users.

Top Level Public Folder Creation


In Exchange 2003, members of the Everyone group and Anonymous users cannot create a top-level public
folder hierarchy. During an upgrade, Exchange 2003 ForestPrep configures this access control setting.

Access Control Configuration


For both upgrades and new installations, Exchange 2003 Setup applies access control lists (ACLs) to
directories that it creates according to the explicit ACLs that are set in the Program Files directory. If you or
another administrator modified the default ACLs in the Program Files directory, Exchange 2003 Setup applies
that modification to most of the directories created during Setup. Aside from the explicit changes, the
directories are otherwise locked down. However, regardless of the explicit ACLs you may have in the Program
Files directory, Exchange Setup configures the Mailroot directory (located in \Program Files\Exchsrvr) such
that Guest account access and anonymous access is removed.

It is highly recommended that you configure access control on the Exchange directories. For information about
how to configure access control on your Exchange directories, see "Hardening Back-End Servers" earlier in
this guide.
Appendix C: Ports Used in Exchange 2003
Table C.1 lists Exchange 2003 services and their corresponding ports. For more information about how to
configure Exchange front-end servers, including the ports that are associated with various scenarios,
see the technical article, Using Microsoft Exchange 2000 Front-End Servers
(http://go.microsoft.com/fwlink/?linkid=14575). Although that article relates to Exchange 2000, the
information applies to Exchange 2003 as well.

Table C.1 Ports used in Exchange 2003

Each entry lists the service (with the services it depends on), the ports it accepts connections on (inbound), the ports it initiates connections to (outbound), and notes.

Service: Microsoft Exchange System Attendant
Ports inbound: 135 & other RPC; other ports required for RPC over HTTP
Ports outbound: (not listed)
Notes: All core Exchange services require the Microsoft Exchange System Attendant. For more information about RPC over HTTP port configuration, see the guide Exchange Server 2003 RPC over HTTP Deployment Scenarios (http://go.microsoft.com/fwlink/?LinkId=24823).

Service: Microsoft Exchange Information Store (depends on Microsoft Exchange System Attendant)
Ports inbound: 135 & other RPC; other ports required for RPC over HTTP
Ports outbound: User Datagram Protocol (UDP) packets to random ports for new mail notification
Notes: Runs the Exchange databases. For more information about RPC over HTTP port configuration, see the guide Exchange Server 2003 RPC over HTTP Deployment Scenarios (http://go.microsoft.com/fwlink/?LinkId=24823).

Service: Microsoft Exchange MTA Stacks (depends on Microsoft Exchange System Attendant)
Ports inbound: 135 & other RPC; 102 for X.400 over TCP
Ports outbound: 135 & other RPC; 102 for X.400 over TCP
Notes: Microsoft Exchange MTA Stacks are required for legacy connections to Exchange 5.5 servers. Port 102 is opened only for active X.400 connections.

Service: Simple Mail Transfer Protocol (SMTP) (depends on IIS Admin Service)
Ports inbound: 25
Ports outbound: 25
Notes: The Exchange store requires SMTP.

Service: Microsoft Exchange Routing Engine (depends on IIS Admin Service)
Ports inbound: 691
Ports outbound: 691
Notes: Routing Engine service.

Service: World Wide Web Publishing Service (depends on IIS Admin Service)
Ports inbound: 80 & 443
Ports outbound: 80 on the front-end server
Notes: Required for Outlook Web Access and public folder administration.

Service: Microsoft Exchange POP3 (depends on IIS Admin Service)
Ports inbound: 110 & 995 (SSL)
Ports outbound: 110 on the front-end server
Notes: Required for POP3 access.

Service: Microsoft Exchange IMAP4 (depends on IIS Admin Service)
Ports inbound: 143 & 993 (SSL)
Ports outbound: 143 on the front-end server
Notes: Required for IMAP4 access.

Service: Network News Transfer Protocol (NNTP) (depends on IIS Admin Service)
Ports inbound: 119 & 563 (SSL)
Ports outbound: N/A
Notes: (none)

Service: Microsoft Exchange Site Replication Service
Ports inbound: 379, 135 & other RPC
Ports outbound: 135 & other RPC
Notes: Depends on whether Exchange 5.5 servers are in the organization.

Service: Active Directory Connector
Ports inbound: NA
Ports outbound: 379, 389 (can be configured)
Notes: Depends on whether Exchange 5.5 servers are in the organization.

Service: Microsoft Exchange Event (depends on Microsoft Exchange Information Store)
Ports inbound: (not listed)
Ports outbound: (not listed)
Notes: Not automatic by default.

Service: Exchange Management (depends on Windows Management Instrumentation)
Ports inbound: (not listed)
Ports outbound: (not listed)
Notes: This is not a required service; however, Microsoft Operations Manager and other programs do not function without this service.
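One practical use of Table C.1 is to compare what a server is actually listening on with what its role requires, so that a stray listener (for example NNTP on a server that does not need it) is noticed before it is exposed. The Python script below is an added example, not code from this guide or from Microsoft: it parses the output of netstat -an on Windows (the sample output here is constructed), maps the inbound TCP ports from Table C.1 to services, and reports listeners the chosen role does not justify as well as expected ports that are not listening. The ROLE_SERVICES sets and the treatment of ports 1025 to 5000 as the dynamic RPC range are assumptions of the example, not settings from the guide.

```python
"""Audit a Windows 'netstat -an' listing against the inbound ports in Table C.1.
Added example, not from the guide. The netstat sample is constructed; the
service-to-port map comes from Table C.1; ROLE_SERVICES and the 1025-5000
dynamic RPC range are assumptions made for this example."""
import re

# Inbound TCP ports per Exchange service, from Table C.1 ("135 & other RPC" -> 135
# for the endpoint mapper; the dynamic RPC ports are handled separately below).
SERVICE_INBOUND_PORTS = {
    "System Attendant": {135},
    "Information Store": {135},
    "MTA Stacks": {135, 102},
    "SMTP": {25},
    "Routing Engine": {691},
    "World Wide Web Publishing Service": {80, 443},
    "POP3": {110, 995},
    "IMAP4": {143, 993},
    "NNTP": {119, 563},
    "Site Replication Service": {379, 135},
}
RPC_SERVICES = {"System Attendant", "Information Store", "MTA Stacks",
                "Site Replication Service"}
RPC_DYNAMIC_RANGE = range(1025, 5001)   # assumption: Windows Server 2003 dynamic RPC range

# Assumed service sets for the two roles discussed in the guide (adjust to your build).
ROLE_SERVICES = {
    "front-end": {"System Attendant", "SMTP", "Routing Engine",
                  "World Wide Web Publishing Service", "POP3", "IMAP4"},
    "back-end": {"System Attendant", "Information Store", "SMTP", "Routing Engine",
                 "World Wide Web Publishing Service"},
}

_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$")


def listening_ports(netstat_output):
    """Set of TCP ports in LISTENING state, parsed from 'netstat -an' text."""
    ports = set()
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def audit_listeners(netstat_output, role):
    """Return (unexpected, missing): listening ports Table C.1 does not justify for
    this role, and expected service ports that are not listening (both sorted)."""
    services = ROLE_SERVICES[role]
    expected = set().union(*(SERVICE_INBOUND_PORTS[s] for s in services))
    rpc_allowed = bool(services & RPC_SERVICES)
    found = listening_ports(netstat_output)
    unexpected = {p for p in found - expected
                  if not (rpc_allowed and p in RPC_DYNAMIC_RANGE)}
    return sorted(unexpected), sorted(expected - found)


# Constructed sample of 'netstat -an' output (Windows format), not real data.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:119            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:691            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:25          192.0.2.55:4231        ESTABLISHED
"""

if __name__ == "__main__":
    for role in ROLE_SERVICES:
        unexpected, missing = audit_listeners(SAMPLE_NETSTAT, role)
        print("%s: unexpected listeners %s; expected but not listening %s"
              % (role, unexpected, missing))
```

In the sample, port 119 is reported as unexpected for both roles because NNTP is not in either assumed service set, while port 1026 is accepted as a dynamic RPC port because the System Attendant is present; an "expected but not listening" result is not itself a problem, it simply shows which Table C.1 services are not running on that server.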
Appendix D: Resources
For information about Microsoft Exchange Server, see the Microsoft Exchange Server website
(http://go.microsoft.com/fwlink/?linkid=81). Additionally, the following resources provide valuable
information regarding security concepts and processes.
Note To download a self-extracting executable of all Exchange Product Team technical articles
and online books, see
http://go.microsoft.com/fwlink/?LinkId=10687

Exchange Server 2003 Books


What's New in Exchange Server 2003
(http://go.microsoft.com/fwlink/?linkid=21765)
Exchange Server 2003 Administration Guide
(http://go.microsoft.com/fwlink/?linkid=21769)

Technical Articles
Windows Server 2003 Security Guide
(http://go.microsoft.com/fwlink/?LinkId=21638)
Using Microsoft Exchange 2000 Front-end Servers
(http://go.microsoft.com/fwlink/?linkid=4721)
Microsoft Operations Framework (MOF) Service Management Function Library Overview
(http://go.microsoft.com/fwlink/?LinkId=21639)
Using ISA Server 2000 with Exchange Server 2003
(http://go.microsoft.com/fwlink/?linkid=23232)
Security Operations Guide for Exchange 2000 Server
(http://go.microsoft.com/fwlink/?linkid=11906)
Customizing Outlook 2003 to Help Prevent Viruses
(http://go.microsoft.com/fwlink/?LinkId=24545)
Exchange Server 2003 RPC over HTTP Deployment Scenarios
(http://go.microsoft.com/fwlink/?LinkId=24823)

Websites
Microsoft Operations Framework
(http://go.microsoft.com/fwlink/?LinkId=21640)
Microsoft Strategic Technology Protection Program
(http://go.microsoft.com/fwlink/?LinkId=21643)
Microsoft Security and Privacy
(http://go.microsoft.com/fwlink/?LinkId=21633)
Microsoft Security and Privacy Basics
(http://go.microsoft.com/fwlink/?LinkId=24701)
Security Resources for Exchange Server 2003
(http://go.microsoft.com/fwlink/?LinkId=21660)
Microsoft Baseline Security Analyzer
(http://go.microsoft.com/fwlink/?linkid=17809)
Spam Filter on MSDN
(http://go.microsoft.com/fwlink/?LinkId=24395)
Exchange Intelligent Message Filter
(http://go.microsoft.com/fwlink/?linkid=21607)
URLScan Security Tool
(http://go.microsoft.com/fwlink/?LinkId=24490)
Microsoft Office Online
(http://go.microsoft.com/fwlink/?LinkId=24348)
For a detailed discussion about native Web Storage System Events, see the Microsoft Exchange Software
Development Kit (SDK)
(http://go.microsoft.com/fwlink/?LinkId=21641)
Exchange Server Technical Documentation Library
(http://go.microsoft.com/fwlink/?linkid=21277)

Resource Kits
Microsoft Exchange 2000 Server Resource Kit
(http://go.microsoft.com/fwlink/?LinkId=6543)
You can order a copy of Microsoft Exchange 2000 Server Resource Kit from Microsoft Press® at
http://go.microsoft.com/fwlink/?LinkId=6544.
Windows 2000 Resource Kit
(http://go.microsoft.com/fwlink/?LinkId=6545)
You can order a copy of Microsoft Windows 2000 Server Resource Kit from Microsoft Press at
http://go.microsoft.com/fwlink/?LinkId=6546.
Microsoft Office 2003 Editions Resource Kit
(http://go.microsoft.com/fwlink/?LinkId=24546)
You can order a copy of Microsoft Office 2003 Editions Resource Kit from Microsoft Press at
http://go.microsoft.com/fwlink/?linkid=21757.

Microsoft Knowledge Base Articles


The following Microsoft Knowledge Base articles are available on the Web at
http://go.microsoft.com/fwlink/?linkid=14898:
319356, "HOW TO: Prevent Unsolicited Commercial E-Mail in Exchange 2000 Server"
(http://go.microsoft.com/fwlink/?linkid=3052&kbid=319356)
309622, "XADM: Clients Cannot Browse the Global Address List After You Apply the Q299687
Windows 2000 Security Hotfix"
(http://go.microsoft.com/fwlink/?linkid=3052&kbid=309622)
313807, "XADM: Enhancing the Security of Exchange 2003 for the Exchange Domain Servers Group"
(http://go.microsoft.com/fwlink/?linkid=3052&kbid=313807)
309677, "XADM: Known Issues and Fine Tuning When You Use the IIS Lockdown Wizard in an
Exchange 2000 Environment"
(http://go.microsoft.com/fwlink/?linkid=3052&kbid=309677)

316685, "Active Directory-Integrated Domain Name Is Not Displayed in DNS Snap-in with Event ID 4000
and 4013 Messages". (This article provides details about enabling success auditing for logon events in the
security log.)
(http://go.microsoft.com/fwlink/?linkid=3052&kbid=316685)
259373, "XADM: W3SVC Logs Event ID 101 in the System Event Log"
(http://go.microsoft.com/fwlink/?linkid=3052&kbid=259373)

Accessibility
For information about accessibility for people with disabilities, see the Microsoft Accessibility website
(http://go.microsoft.com/fwlink/?LinkId=21487).
Does this book help you? Give us your feedback. On a scale of 1 (poor) to 5 (excellent), how do you rate
this book?
Mail feedback to exchdocs@microsoft.com.

For the latest information about Exchange, see the following websites:
• Exchange Product Team technical articles and books
http://go.microsoft.com/fwlink/?linkid=21277
• Exchange Tools and Updates
http://go.microsoft.com/fwlink/?linkid=21316
• Self-extracting executable containing all Exchange Product Team technical articles and books
http://go.microsoft.com/fwlink/?LinkId=10687
• Exchange Server Community
http://go.microsoft.com/fwlink/?linkid=14927
