How to secure Exchange Server services -- A quick guide

Exchange services, like many Windows Server 2003 add-on services, can open security holes if improperly configured. Secure your Exchange services with these recommended settings.

Exchange Server is one of the most popular and most common "add-on" services to machines running Windows Server 2003. Perhaps you're new to Exchange or you're setting up several machines at once and security is on your mind. Use the suggestions and tips in this article as a "quick hits" guide to securing your Exchange services via two avenues: policy-based security and service configuration security.

Policy-based security

Policy-based security is one of the easiest ways to establish wholesale hardening guidelines consistently across multiple machines. Microsoft has baseline security guides available in the form of security templates that you can apply as a security policy according to your Exchange Server's various roles. To apply them to your computers, import them into Group Policy, either through the Domain Group Policy or through a more granular object.

The Microsoft site with the security templates for Exchange Server machines is called the Security Operations Guide for Exchange 2000 Server.

For the machines that run Exchange Server itself, I recommend these steps. Under User Rights Assignment, do the following:

  • Grant the Access This Computer from the Network ability to the Authenticated Users, Backup Operators and Enterprise Domain Controllers groups.
  • Grant the Manage Auditing and Security Log ability to the Exchange Domain Servers group of your security domain.

Under Local Policies and Security Options:

  • Set the value of Number of Previous Logons to Cache to 3.
  • Disable the Shut Down System Immediately if Unable to Log Security Audits policy.

For plain domain controllers, I recommend the following procedure. Under Local Policies and Security Options, do the following:

  • Disable the Digitally Sign Client Communications (Always) policy.
  • Disable the Digitally Sign Server Communications (Always) policy.
  • Set the value of the LAN Manager Authentication Level policy to Send LM & NTLM -- Use NTLMv2 Session Security if Negotiated.

Service configuration security

The other way to secure Exchange machines is to look at how their services are set. Exchange runs as a set of services that communicate both with one another and with the local computer. Additionally, the local computer and these processes act as a team when communicating with remote computers such as clients, other Exchange servers within an organization and Active Directory domain controllers. There are two classifications of Exchange servers. The front-end servers host Outlook Web Access and are generally the machines that clients hit for data. The back-end servers hold the information store, mailboxes, public folder data and other information and data repositories.

The back-end servers need attention from you, particularly with regard to the state of their services. The following table shows my recommended service configuration for back-end Exchange Server computers to optimize their security:

Service                                 Recommended state
Iisadmin                                Automatic
Imap4Svc                                Disabled
IPsec Policy Agent                      Automatic
Msexchangees                            Disabled
Msexchangeis                            Automatic
Msexchangemgmt                          Automatic
Msexchangemta                           Automatic
Msexchangesa                            Automatic
Msexchangesrs                           Disabled
Mssearch                                Automatic
NTLM Security Support Provider          Automatic
POP3SVC                                 Disabled
Print Spooler                           Disabled
Remote Procedure Call (RPC) Locator     Automatic
RESVC                                   Automatic
SMTPSVC                                 Automatic
Task Scheduler                          Automatic
TermService                             Automatic
W3SVC                                   Automatic
Windows Management Instrumentation      Automatic
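
One way to check a back-end server against the table above, as an added PowerShell example that is not part of the original article. The function names Compare-ServiceBaseline and New-Svc and the sample inventory are assumptions made for illustration; the baseline values are copied from the table.

```powershell
# Added example, not the article's code. Baseline copied from the table above;
# entries are matched on short name OR display name because the table mixes both.
$Baseline = @{
    'Iisadmin'='Automatic'; 'Imap4Svc'='Disabled'; 'IPsec Policy Agent'='Automatic'
    'Msexchangees'='Disabled'; 'Msexchangeis'='Automatic'; 'Msexchangemgmt'='Automatic'
    'Msexchangemta'='Automatic'; 'Msexchangesa'='Automatic'; 'Msexchangesrs'='Disabled'
    'Mssearch'='Automatic'; 'NTLM Security Support Provider'='Automatic'
    'POP3SVC'='Disabled'; 'Print Spooler'='Disabled'
    'Remote Procedure Call (RPC) Locator'='Automatic'; 'RESVC'='Automatic'
    'SMTPSVC'='Automatic'; 'Task Scheduler'='Automatic'; 'TermService'='Automatic'
    'W3SVC'='Automatic'; 'Windows Management Instrumentation'='Automatic'
}

# Hypothetical helper: one result row per baseline entry.
function Compare-ServiceBaseline {
    param([object[]]$Services, [hashtable]$Expected)
    foreach ($key in ($Expected.Keys | Sort-Object)) {
        $want = $Expected[$key]
        $svc  = $Services |
            Where-Object { $_.Name -eq $key -or $_.DisplayName -eq $key } |
            Select-Object -First 1
        # Win32_Service reports 'Auto' where the table says 'Automatic'.
        $actual = 'NotInstalled'
        if ($svc) { $actual = $svc.StartMode -replace '^Auto$', 'Automatic' }
        # A service that should be Disabled and is absent is treated as compliant;
        # a missing 'Automatic' service is flagged so a name mismatch gets reviewed.
        $ok = ($actual -eq $want) -or ($actual -eq 'NotInstalled' -and $want -eq 'Disabled')
        New-Object PSObject -Property @{
            Service = $key; Expected = $want; Actual = $actual; Compliant = $ok
        }
    }
}

# Constructed sample inventory (not from a real server). On a live host, use:
#   $inventory = Get-WmiObject Win32_Service | Select-Object Name, DisplayName, StartMode
function New-Svc($n, $d, $m) {
    New-Object PSObject -Property @{ Name = $n; DisplayName = $d; StartMode = $m }
}
$inventory = @(
    (New-Svc 'IISADMIN'     'IIS Admin Service'                    'Auto'),
    (New-Svc 'POP3Svc'      'Microsoft Exchange POP3'              'Auto'),     # drift
    (New-Svc 'Spooler'      'Print Spooler'                        'Auto'),     # drift, display-name match
    (New-Svc 'MSExchangeIS' 'Microsoft Exchange Information Store' 'Auto'),
    (New-Svc 'IMAP4Svc'     'Microsoft Exchange IMAP4'             'Disabled')
)
Compare-ServiceBaseline -Services $inventory -Expected $Baseline |
    Where-Object { -not $_.Compliant } |
    Format-Table Service, Expected, Actual -AutoSize
```

Because the sample inventory is deliberately partial, baseline services it omits show up as NotInstalled alongside the two drifted entries.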


About the author:
Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell, a systems administrator and IT consultant residing in Raleigh, N.C., has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
 

This was first published in August 2006
