Protect Exchange

This tip was submitted to the SearchWin2000.com tip exchange by member Tim Fenner. Please let others know how useful it is by rating it below.

Fully protecting your Exchange server cannot be explained in a simple tip, but I will give you advance knowledge of some of the issues you will face and where you can go to get help.


By default, an install of Exchange 2000 on a Windows 2000 server has the following ports open to its interfaces:

Port  Protocol     Typical use
25    SMTP         Used for sending and receiving e-mail
80    HTTP         Used for Outlook Web Access to host Web-enabled mailboxes
110   POP3         Used by clients to retrieve and store messages locally
119   NNTP         Used by clients and servers for managing the notes posted on newsgroups
135   EPMAP        Used by Microsoft for the RPC locator service
139   NetBIOS-SSN  Used by the NetBIOS Session Service
(port and protocol missing from source)  Used by clients to retrieve and store messages locally, yet leave a copy on the server

These ports are open so that clients can use specific types of access to the Exchange/Windows server. Any that are not in use can and should be disabled, filtered or blocked, to avoid exposure to many known exploits.

You can further secure your Exchange environment if you filter or block all nonessential TCP/IP ports on the outside router, firewall and server. Use this site to get an idea of which ports are used for what.
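One way to check the exposure the table above describes on a dual-homed server is to compare the listening sockets against the ports you actually want reachable from the public network. The script below is an added example (not from the tip) that parses constructed "netstat -an" output; the interface addresses 192.168.1.10 (internal) and 203.0.113.10 (public) and the allow-list of port 25 are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of "netstat -an" output on a dual-homed Exchange server.
# 192.168.1.10 is the internal NIC, 203.0.113.10 the public one (assumed values).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:119            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING
  TCP    203.0.113.10:25        198.51.100.7:40211     ESTABLISHED
"""

# Port table from the tip, used to name an exposed listener in the report.
EXCHANGE_PORTS = {
    25: "SMTP", 80: "HTTP (OWA)", 110: "POP3", 119: "NNTP",
    135: "EPMAP (RPC locator)", 139: "NetBIOS-SSN",
}

LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+\S+\s+LISTENING\s*$")


@dataclass(frozen=True)
class Finding:
    port: int
    bound_to: str
    service: str


def parse_listeners(netstat_text):
    """Return (ip, port) pairs for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group("ip"), int(m.group("port"))))
    return listeners


def external_exposure(netstat_text, external_ip, allowed_external_ports):
    """List listeners reachable on the public NIC that are not explicitly allowed.

    A socket bound to 0.0.0.0 listens on every interface, including the public
    one, so it counts as exposed unless its port is on the allow-list.
    """
    findings = []
    for ip, port in parse_listeners(netstat_text):
        reachable_externally = ip in ("0.0.0.0", external_ip)
        if reachable_externally and port not in allowed_external_ports:
            findings.append(Finding(port, ip, EXCHANGE_PORTS.get(port, "other")))
    return sorted(findings, key=lambda f: (f.port, f.bound_to))


if __name__ == "__main__":
    # Only inbound SMTP is wanted on the public interface in this layout.
    for f in external_exposure(SAMPLE_NETSTAT, "203.0.113.10", {25}):
        print(f"port {f.port:>5} ({f.service}) bound to {f.bound_to}: filter or disable")
```

Running it on the sample flags 80, 110, 119 and 135 (bound to all interfaces) and 139 on the public address, while the internal-only RDP listener on 3389 and the allowed SMTP listener are left alone; on a real server, feed it the output of "netstat -an" instead of the constructed sample.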


To further reduce your exposure to these risks and others, I recommend placing your externally accessible Exchange server, which will be receiving SMTP messages for internal redirection, in a demilitarized zone (DMZ), whether it is a front-end server in a multi-server environment or just a single server used for your entire organization.

You should also dual-home the server (install two NICs, one configured for the internal network and the other for the external/public network) and disable the NetBIOS, Server and Workstation bindings on the external/public network interface card.

Use this Exchange security operations guide to perform the above changes.


Finally, disable services such as Alerter, Computer Browser, FTP publishing service, Messenger, TCP/IP NetBIOS Helper, Scheduler and any other unnecessary services if they are not needed in your environment. Check out this Searchwin2000.com tip on Windows default services and their uses.

Stop e-mail relaying/Avoid being blacklisted

Exchange 2000 has a very flexible set of anti-relaying features built in. You configure them at the SMTP virtual server level, so that you can set different relaying properties on different servers.

One common use for this is setting up two virtual servers: one with relaying disabled on port 25 for standard traffic, and another with authentication-based relaying turned on, listening on a non-standard port number. Your remote clients can configure their mail clients to use the non-standard port; this approach neatly avoids the problem of spammers who scan for open relays. You can go to this Web site to find out more.
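To make the two-server relay policy concrete, here is an added example (not from the tip, and not Exchange's own code) that models the RCPT TO decision each virtual server makes: the port 25 server accepts mail only for the local domain, while the second server also relays for clients that have authenticated. The local domain example.com, the alternate port 2525, the "good-credentials" token and the scripted client transcripts are all constructed for the example.

```python
from dataclasses import dataclass, field

# Assumed accepted (local) domain for this organisation; a constructed value.
LOCAL_DOMAINS = {"example.com"}


@dataclass
class VirtualServer:
    """Relay settings of one SMTP virtual server (the tip sets these per server)."""
    name: str
    port: int
    relay_for_anyone: bool = False      # an open relay, the setting spammers scan for
    relay_after_auth: bool = False      # "authentication-based relaying" from the tip


@dataclass
class Session:
    server: VirtualServer
    authenticated: bool = False
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)


def is_local(address):
    """True if the recipient belongs to a domain this server delivers for."""
    return address.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def rcpt_decision(session, recipient):
    """Reply to RCPT TO under the virtual server's relay policy.

    Mail for a local domain is delivery, not relaying, so it is always accepted.
    Anything else is relaying and is allowed only when the policy permits it.
    """
    if is_local(recipient):
        return "250 OK"
    if session.server.relay_for_anyone:
        return "250 OK"
    if session.server.relay_after_auth and session.authenticated:
        return "250 OK"
    return "550 5.7.1 Unable to relay"   # wording modelled on the reply Exchange gives


def handle(session, line):
    """Minimal command handler: just enough SMTP to show where the relay check lands."""
    verb = line.split(maxsplit=1)[0].upper()
    if verb in ("HELO", "EHLO"):
        return "250 Hello"
    if verb == "AUTH":
        # Constructed credential check: "good-credentials" stands in for a real login.
        session.authenticated = line.rstrip().endswith("good-credentials")
        return "235 Authentication successful" if session.authenticated else "535 Authentication failed"
    if verb == "MAIL":
        return "250 OK"
    if verb == "RCPT":
        recipient = line.split(":", 1)[1].strip().strip("<>")
        reply = rcpt_decision(session, recipient)
        (session.accepted if reply.startswith("250") else session.rejected).append(recipient)
        return reply
    if verb == "QUIT":
        return "221 Bye"
    return "500 Command not recognised"


def run_session(server, commands):
    """Feed a scripted client transcript to a virtual server; return (replies, session)."""
    session = Session(server)
    return [handle(session, c) for c in commands], session


# The two-server layout from the tip. Port 2525 is an assumed non-standard port.
PUBLIC = VirtualServer("public", port=25)
REMOTE_USERS = VirtualServer("remote-users", port=2525, relay_after_auth=True)

# Constructed client transcripts.
INBOUND_AND_RELAY_ATTEMPT = [
    "EHLO mail.example.net",
    "MAIL FROM:<someone@example.net>",
    "RCPT TO:<alice@example.com>",     # inbound for our domain: delivered
    "RCPT TO:<victim@example.org>",    # relaying: refused on port 25
    "QUIT",
]
ROAMING_USER = [
    "EHLO laptop",
    "AUTH LOGIN good-credentials",
    "MAIL FROM:<bob@example.com>",
    "RCPT TO:<friend@example.org>",    # relaying: allowed after AUTH on the alternate port
    "QUIT",
]

if __name__ == "__main__":
    for server, script in ((PUBLIC, INBOUND_AND_RELAY_ATTEMPT), (REMOTE_USERS, ROAMING_USER)):
        replies, sess = run_session(server, script)
        print(f"{server.name} (port {server.port}): accepted={sess.accepted} rejected={sess.rejected}")
```

Note that authenticating on the port 25 server changes nothing, because that server has relay_after_auth off; only the second listener honours credentials, which is exactly why the tip puts it on a port that relay scanners do not probe.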

This was first published in August 2003
