This tip was submitted to the SearchWin2000.com tip exchange by member Tim Fenner. Please let others know how useful it is by rating it below.
Fully protecting your Exchange server cannot be explained in a simple tip, but I will provide you with some advanced knowledge on some of the issues you will face and where you can go to get help.
By default, an install of Exchange 2000 on a Windows 2000 server has the following ports open to its interfaces:
|25||SMTP||Used for sending and receiving of e-mail|
|80||HTTP||Used for Outlook Web Access to host Web-enabled mailboxes|
|110||POP3||Used by clients to retrieve and store messages locally|
|119||NNTP||Used by clients and servers for managing the notes posted on newsgroups|
|135||EPMAP||Used by Microsoft for RPC locator service|
|139||NetBIOS-SSN||Used by NETBIOS Session Service|
|Used by clients to retrieve and store|
|messages locally, yet leave a copy on server|
These are available to allow clients to use specific types of server access to the Exchange/Windows server. They can and should be disabled/filtered/blocked if they are not in use to avoid exposure to many known exploits.
You can further secure your Exchange environment if you filter or block all nonessential TCP/IP ports on the outside router, firewall and server. Use this site to get an idea what ports are used for what.
To further reduce your exposure to these risks and others, I recommend placing your externally accessible Exchange server, which will be receiving SMTP messages for internal redirection in a demilitarized zone (DMZ), whether it is a front-end server in a multi-server environment or just a single server used for your entire organization.
You should also dual home the server (install two NICs, with one configured for the internal network and the other to the external/public network) and disable the NetBIOS, Server, and Workstation bindings on that external/public network interface card.
Use this Exchange security operations guide to perform the above changes.
Finally, disable services such as Alerter, Computer Browser, FTP publishing service, Messenger, TCP/IP NetBIOS Helper, Scheduler and any other unnecessary services if they are not needed in your environment. Check out this Searchwin2000.com tip on Windows default services and their uses.
Stop e-mail relaying/Avoid being blacklisted
Exchange 2000 has a very flexible set of anti-relaying features built in. You configure them at the SMTP virtual server level, so that you can set different relaying properties on different servers.
One common use for this is in setting up two virtual server: one with relaying disabled on port 25 for standard traffic, and another with authentication-based relaying turned on for a non-standard port number. Your remote clients can configure their mail clients to use the non-standard port; this approach neatly avoids the problem of spammers who scan for open relays.
You can go to this Web site to find out more.
This was first published in August 2003