Protect Exchange

This tip was submitted to the SearchWin2000.com tip exchange by member Tim Fenner. Please let others know how useful it is by rating it below.

Fully protecting your Exchange server cannot be explained in a simple tip, but I will provide you with some advanced knowledge on some of the issues you will face and where you can go to get help.

Ports

By default, an install of Exchange 2000 on a Windows 2000 server has the following ports open to its interfaces:

Port	Protocol	Typical Use
25	SMTP	Used for sending and receiving of e-mail
80	HTTP	Used for Outlook Web Access to host Web-enabled mailboxes
110	POP3	Used by clients to retrieve and store messages locally
119	NNTP	Used by clients and servers for managing the notes posted on newsgroups
135	EPMAP	Used by Microsoft for RPC locator service
139	NetBIOS-SSN	Used by NETBIOS Session Service
143	IMAP	Used by clients to retrieve and store messages locally, yet leave a copy on server

These are available to allow clients to use specific types of server access to the Exchange/Windows server. They can and should be disabled/filtered/blocked if they are not in use to avoid exposure to many known exploits.

You can further secure your Exchange environment if you filter or block all nonessential TCP/IP ports on the outside router, firewall and server. Use this site to get an idea what ports are used for what.

DMZ

To further reduce your exposure to these risks and others, I recommend placing your externally accessible Exchange server, which will be receiving SMTP messages for internal redirection in a demilitarized zone (DMZ), whether it is a front-end server in a multi-server environment or just a single server used for your entire organization.

You should also dual home the server (install two NICs, with one configured for the internal network and the other to the external/public network) and disable the NetBIOS, Server, and Workstation bindings on that external/public network interface card.

Use this Exchange security operations guide to perform the above changes.

Services

Finally, disable services such as Alerter, Computer Browser, FTP publishing service, Messenger, TCP/IP NetBIOS Helper, Scheduler and any other unnecessary services if they are not needed in your environment. Check out this Searchwin2000.com tip on Windows default services and their uses.

Stop e-mail relaying/Avoid being blacklisted

Exchange 2000 has a very flexible set of anti-relaying features built in. You configure them at the SMTP virtual server level, so that you can set different relaying properties on different servers.

One common use for this is in setting up two virtual server: one with relaying disabled on port 25 for standard traffic, and another with authentication-based relaying turned on for a non-standard port number. Your remote clients can configure their mail clients to use the non-standard port; this approach neatly avoids the problem of spammers who scan for open relays. You can go to this Web site to find out more.

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Exchange Security Tips How to protect an Exchange journaling mailbox from email spoofing Lock down Microsoft Outlook 2007 to prevent .PST file access Using Exchange Server journaling as an email-archiving solution Use the OWA Admin tool to 'segment' Outlook Web Access 2003 features Why are .PST files a security threat to Exchange Server mailboxes? OWA won't load after applying Exchange 2007 SP1 security patch Minimize remote and mobile Outlook Web Access (OWA) security risks Grant or deny permissions to access a user's Exchange 2007 mailbox Create a global Safe Senders List in Exchange 2007 to filter spam Migrating antispam settings from Exchange 2003 to Exchange 2007 Antivirus Software and Virus Protection How effective is tracking the IP address of an email hacker? Minimize remote and mobile Outlook Web Access (OWA) security risks Secure Edge Transport servers using the Security Configuration Wizard The six-layered secret of effective Exchange Server email filtering Microsoft Outlook and Exchange Server 2003 Email Security Guide How to install and configure an Edge Transport server for Exchange 2007 Process, compress and block Microsoft Outlook email attachments How to configure attachment blocking in Outlook Web Access Beware of bare linefeeds in Exchange Server email Dell, Symantec simplify Secure Exchange for SMBs SMTP How to lock down an SMTP relay to prevent spam in Exchange Server 2003 Tool helps identify inbound Exchange Server email flow issues Exchange email sent to a domain using SPF authentication is returned Configure SMTP relay restrictions in Exchange Server 2003 to stop spam Why can't POP3 clients receive Exchange Server email? Exchange event sink scripting error when configuring email disclaimer Configure SMTP connection limits in Exchange Server 2003 and SBS Reconfigure an existing Exchange Server user account for a new user Improve Exchange 2003 Internet connectivity, mail flow and performance Troubleshoot Exchange 2003 email that gets stuck in the SMTP queue RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary greylist  (SearchExchange.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.