Tip

How to secure Exchange Server services -- A quick guide

Exchange Server is one of the most popular and most common "add-on" services to machines running Windows Server 2003. Perhaps you're new to Exchange or you're setting up several machines at once and security is on your mind. Use the suggestions and tips in this article as a "quick hits" guide to securing your Exchange services via two avenues: policy-based security and service configuration security.

Policy-based security
Policy-based security is one of the easiest ways to establish wholesale hardening guidelines consistently across multiple machines. Microsoft has baseline security guides available in the form of security templates that you can apply as a security policy according to your Exchange Server's various roles. To apply them to your computers, you can simply import them into Group Policy via the Domain Group Policy or through a more granular object.

The Microsoft site with the security templates for Exchange Server machines is called the Security Operations Guide for Exchange 2000 Server.

For the machines that run Exchange Server itself, I recommend these steps. Under User Rights Assignment, do the following:

  • Grant the Access This Computer from the Network ability to the Authenticated Users, Backup Operators and Enterprise Domain Controllers groups.
  • Grant the Manage Auditing and Security Log ability to the Exchange Domain Servers group of your security domain.

Under Local Policies and Security Options:

  • Set the value of Number of Previous Logons to Cache to 3.
  • Disable the Shut Down System Immediately if Unable to Log Security Audits policy.

For plain domain controllers, I recommend the following procedure. Under Local Policies and Security Options, do the following:

  • Disable the Digitally Sign Client Communications (Always) policy.
  • Disable the Digitally Sign Server Communications (Always) policy.
  • Set the value of the LAN Manager Authentication Level policy to Send LM & NTLM -- Use NTLMv2 Session Security if Negotiated.
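
To confirm that an imported template actually took effect on a given machine, the Security Options above can be read back from the registry. The following Windows PowerShell check is an added example, not part of the original article or of Microsoft's guide; the function name `Test-SecurityOption` and the role labels are hypothetical, and the policy-to-registry mapping is the example's own. The User Rights Assignment items are not stored this way and are not covered.

```powershell
# Security Options listed in the article, paired with the registry value that
# backs each policy. Expected data: 0 = policy disabled, LmCompatibilityLevel 1 =
# "Send LM & NTLM - use NTLMv2 session security if negotiated".
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$Checks = @(
    @{ Role = 'Exchange'; Policy = 'Number of Previous Logons to Cache'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'CachedLogonsCount'; Expected = '3' },
    @{ Role = 'Exchange'; Policy = 'Shut Down System Immediately if Unable to Log Security Audits'
       Path = $Lsa; Name = 'CrashOnAuditFail'; Expected = '0' },
    @{ Role = 'DC'; Policy = 'Digitally Sign Client Communications (Always)'
       Path = "$Svc\LanmanWorkstation\Parameters"; Name = 'RequireSecuritySignature'; Expected = '0' },
    @{ Role = 'DC'; Policy = 'Digitally Sign Server Communications (Always)'
       Path = "$Svc\LanManServer\Parameters"; Name = 'RequireSecuritySignature'; Expected = '0' },
    @{ Role = 'DC'; Policy = 'LAN Manager Authentication Level'
       Path = $Lsa; Name = 'LmCompatibilityLevel'; Expected = '1' }
)

function Test-SecurityOption {
    # Role is a hypothetical label: 'Exchange' for Exchange servers, 'DC' for plain domain controllers.
    param([ValidateSet('Exchange', 'DC')][string]$Role)
    foreach ($c in ($Checks | Where-Object { $_.Role -eq $Role })) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        # A missing value means the policy was never written to this machine.
        if ($item) { $actual = [string]$item.($c.Name) } else { $actual = '(not set)' }
        New-Object PSObject -Property @{
            Policy    = $c.Policy
            Expected  = $c.Expected
            Actual    = $actual
            Compliant = ($actual -eq $c.Expected)
        }
    }
}

# Run on the machine being checked, with the role that matches it.
Test-SecurityOption -Role Exchange |
    Format-Table Policy, Expected, Actual, Compliant -AutoSize
```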

Service configuration security
The other way to secure Exchange machines is by taking a look at how their services are set. Exchange runs as a set of services that communicate both with one another and with the local computer. Additionally, the local computer and these processes act as a team when communicating with remote computers such as clients themselves, other Exchange servers within an organization and Active Directory domain controllers. There are two classifications of Exchange servers. The front-end servers host Outlook Web Access and are generally the machines that clients hit for data. The back-end servers hold the information store, mailboxes, public folder data and other information and data repositories.

The back-end servers need attention from you, particularly with regard to the state of their services. The following table shows my recommended service configuration for back-end Exchange Server computers to optimize their security:

| Service | Recommended state |
|---|---|
| Iisadmin | Automatic |
| Imap4Svc | Disabled |
| IPsec Policy Agent | Automatic |
| Msexchangees | Disabled |
| Msexchangeis | Automatic |
| Msexchangemgmt | Automatic |
| Msexchangemta | Automatic |
| Msexchangesa | Automatic |
| Msexchangesrs | Disabled |
| Mssearch | Automatic |
| NTLM Security Support Provider | Automatic |
| POP3SVC | Disabled |
| Print Spooler | Disabled |
| Remote Procedure Call (RPC) Locator | Automatic |
| RESVC | Automatic |
| SMTPSVC | Automatic |
| Task Scheduler | Automatic |
| TermService | Automatic |
| W3SVC | Automatic |
| Windows Management Instrumentation | Automatic |
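
The table can be turned into a drift check that reports every service whose start mode differs from the recommendation. This Windows PowerShell audit is an added example, not code from the original article; the function name `Test-ExchangeServiceBaseline` is hypothetical, and the short names used for the rows the table lists by display name (PolicyAgent, NtLmSsp, Spooler, RpcLocator, Schedule, winmgmt) are the standard Windows service names, supplied here as an assumption.

```powershell
# Recommended start modes from the article's table, keyed by service short name.
# Hashtable keys are case-insensitive, so casing need not match the table.
$Baseline = @{
    IISADMIN = 'Automatic';       IMAP4Svc = 'Disabled';       PolicyAgent = 'Automatic'
    MSExchangeES = 'Disabled';    MSExchangeIS = 'Automatic';  MSExchangeMGMT = 'Automatic'
    MSExchangeMTA = 'Automatic';  MSExchangeSA = 'Automatic';  MSExchangeSRS = 'Disabled'
    MSSEARCH = 'Automatic';       NtLmSsp = 'Automatic';       POP3Svc = 'Disabled'
    Spooler = 'Disabled';         RpcLocator = 'Automatic';    RESvc = 'Automatic'
    SMTPSVC = 'Automatic';        Schedule = 'Automatic';      TermService = 'Automatic'
    W3SVC = 'Automatic';          winmgmt = 'Automatic'
}

function Test-ExchangeServiceBaseline {
    param([string]$ComputerName = '.')
    # Index every installed service by short name.
    $installed = @{}
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        ForEach-Object { $installed[$_.Name] = $_.StartMode }

    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $expected = $Baseline[$name]
        if ($installed.ContainsKey($name)) {
            # WMI reports 'Auto', 'Manual' or 'Disabled'; normalise to the table's wording.
            $actual = $installed[$name] -replace '^Auto$', 'Automatic'
            $ok = ($actual -eq $expected)
        } else {
            # A service that is not installed cannot run, so it satisfies 'Disabled' only.
            $actual = 'NotInstalled'
            $ok = ($expected -eq 'Disabled')
        }
        New-Object PSObject -Property @{
            Service = $name; Expected = $expected; Actual = $actual; Compliant = $ok
        }
    }
}

# Show only the services that have drifted from the baseline.
Test-ExchangeServiceBaseline | Where-Object { -not $_.Compliant } |
    Format-Table Service, Expected, Actual -AutoSize
```

A service set to Manual is reported as non-compliant against either recommended state, which is the case most worth reviewing by hand.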


About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell, a systems administrator and IT consultant residing in Raleigh, N.C., has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.

This was first published in August 2006
