Originally used in Windows Server 2003 SP1, the Security Configuration Wizard (SCW) can be extended to secure Exchange 2007 servers. This tutorial explains how to extend and install the Security Configuration Wizard and use it to secure an Edge Transport server in Exchange 2007.
SECURE EDGE TRANSPORT SERVERS USING THE SCW
Part 1: Install and extend Windows SCW for Exchange Server 2007
Part 2: Secure an Edge Transport server for Exchange 2007
Part 3: Configure security settings on Exchange 2007 Edge Transport servers
Part 4: Harden Edge Transport servers with the Security Configuration Wizard
Part 1: Install and extend Windows SCW for Exchange Server 2007
Although the Security Configuration Wizard (SCW) is part of Windows Server 2003 SP1 and subsequent service packs, installing the service pack doesn't automatically install the wizard. To install the Security Configuration Wizard:
- Open the server's Control Panel and click on Add or Remove Programs.
- When the Add or Remove Programs window opens, click Add/Remove Windows Components. Windows will display a list of all optional Windows components. Scroll through the list until you locate the Security Configuration Wizard option (Figure 1).
- Select the Security Configuration Wizard checkbox and click Next. Windows will copy the necessary files.
- Click Finish when the process completes.
Figure 1. The Security Configuration Wizard is not installed by default.
Extend the Security Configuration Wizard for Exchange Server
Because the Security Configuration Wizard was originally intended as a Windows security tool, it's completely unaware of Exchange Server's presence. Before we can use the wizard to secure Exchange, we have to extend it so that it's Exchange-aware.
Exchange Server 2007 ships with two files that you can use to extend the Security Configuration Wizard: Exchange2007.xml and Exchange2007Edge.xml. To secure an Edge Transport server with the Security Configuration Wizard, use the Exchange2007Edge.xml file. The Exchange2007.xml file should be used to secure Exchange 2007 servers hosting other roles.
This article uses the Exchange2007Edge.xml file. However, if you want to use the Security Configuration Wizard to secure an Exchange 2007 Server that's hosting another role, use the following procedure but substitute Exchange2007.xml for Exchange2007Edge.xml.
- Open Windows Explorer and navigate through the file system to \Program Files\Microsoft\Exchange Server\Scripts
- Locate the Exchange2007Edge.xml file and copy it to the %windir%\Security\msscw\kbs folder.
- Open a Command Prompt window (Figure 2) and enter the following commands:
cd \Windows\System32
scwcmd register /kbname:MSExchangeEdge /kbfile:%windir%\security\msscw\kbs\Exchange2007Edge.xml
Figure 2. You must register the Exchange2007Edge.xml file before you can use the Security Configuration Wizard to secure an Edge Transport server.
To use the Exchange2007.xml file, enter:
cd \Windows\System32
scwcmd register /kbname:MSExchange /kbfile:%windir%\security\msscw\kbs\Exchange2007.xml
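The copy-and-register procedure above as a single PowerShell script. This is an added example, not part of the original article or of Exchange's own scripts; it assumes the default Exchange installation path and uses the knowledge-base names (MSExchangeEdge, MSExchange) given in the article. Run it from an elevated PowerShell prompt on the server you intend to secure.

```powershell
# Added example (not from the article): copy the Exchange 2007 SCW extension
# file into the SCW knowledge-base folder and register it with scwcmd.
# Assumptions: Exchange 2007 is installed under the default path and the
# knowledge-base names follow the article (MSExchangeEdge / MSExchange).
param(
    [ValidateSet('Edge', 'Other')]
    [string]$Role = 'Edge'        # 'Edge' for an Edge Transport server, 'Other' for any other role
)

$exchangeScripts = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\Scripts'
$kbFolder        = Join-Path $env:windir 'security\msscw\kbs'

# Pick the extension file and registration name for the server role.
switch ($Role) {
    'Edge'  { $kbFile = 'Exchange2007Edge.xml'; $kbName = 'MSExchangeEdge' }
    'Other' { $kbFile = 'Exchange2007.xml';     $kbName = 'MSExchange' }
}

$source = Join-Path $exchangeScripts $kbFile
$target = Join-Path $kbFolder $kbFile

# Fail early with a useful message instead of letting scwcmd report a missing file.
if (-not (Test-Path $source)) {
    throw "Extension file not found: $source (is Exchange 2007 installed at the default path?)"
}
if (-not (Test-Path $kbFolder)) {
    throw "SCW knowledge-base folder missing: $kbFolder (is the SCW Windows component installed?)"
}

Copy-Item -Path $source -Destination $target -Force

# scwcmd lives in System32; register the knowledge base by name and file.
& (Join-Path $env:windir 'System32\scwcmd.exe') register "/kbname:$kbName" "/kbfile:$target"
if ($LASTEXITCODE -ne 0) {
    throw "scwcmd register failed with exit code $LASTEXITCODE"
}
Write-Host "Registered SCW knowledge base '$kbName' from $target"
```

After the script finishes, the wizard's View Configuration Database button (Part 2) should show the Exchange 2007 Edge Transport entry; if it does not, the registration did not take and the scwcmd exit code is the first thing to check.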
Part 2: Secure an Edge Transport server for Exchange 2007
To secure the Edge Transport Server for Exchange 2007:
- Open the Security Configuration Wizard. A shortcut to the wizard can be found at:
Start -> All Programs -> Administrative Tools.
- The wizard's welcome screen displays a warning message noting that it detects the inbound ports used by the server (Figure 3). Any application that requires inbound ports must be running while the wizard runs, or the wizard will not see those ports. Because no other applications should be running on an Edge Transport server, ensure that the Exchange-related services are running and then click Next.
- A screen appears asking you if you want to create a new security policy, edit an existing security policy, apply an existing security policy, or roll back the most recently applied security policy. Choose the Create a New Security Policy option, assuming that no policies exist. Note the roll-back option. This option is not a substitute for a good back up, but can be extremely helpful if you make a mistake.
- Click Next to view a screen similar to that in Figure 4. This screen lets you choose the server that you're going to secure. In this case, secure the local server -- Edge. Keep in mind that you can use the wizard to secure remote servers using the Exchange2007.xml file.
- Click Next and the Security Configuration Wizard will begin configuring the Security Configuration Database. When this process completes, click on the View Configuration Database button to see all of the server roles that the Security Configuration Wizard supports. If you imported the Exchange2007Edge.xml file correctly, you will see an entry for Exchange 2007 Edge Transport (Figure 5).
- After verifying the existence of the Exchange 2007 Edge Transport entry, click Next and the screen will inform you that you'll be securing the server based on its role. This screen warns that answering questions incorrectly could potentially disable desirable functions.
- Click Next to acknowledge the warning, and a screen will prompt you to select the roles that the server must perform (Figure 6). Selections that you make will vary from one organization to another, but normally the server should only host the Exchange 2007 Edge Transport Server role.
- De-select any checkboxes associated with roles that the server isn't performing and then click Next. You will see a screen similar to that in Figure 7. Every Windows Server also acts as a workstation. This screen allows you to select the client features that you want to use on the server. It seems that the wizard chose the correct features, but I recommend looking through the feature list before accepting the defaults.
- Click Next and you'll be asked to select Administration options as well as other options. Figure 8 shows that this list partially mimics the list of installed services. However, the list doesn't represent all of the services that are installed. Instead, it lists services and related features that administer the server.
- Click Next and the screen prompts you to select additional services the server requires. On my lab server, the services related to the .NET Runtime Optimization Service were listed (Figure 9). Leave these services enabled.
Figure 3. Verify that Exchange-related services are running before continuing.
Figure 4. Choose the server that you want to secure.
Figure 5. Verify that the Security Configuration Database contains an entry for Exchange 2007 Edge Transport server.
Figure 6. Select the roles that the server must perform.
Figure 7. Make sure that the appropriate client features are selected.
A few of the administrative features on this list may seem out of place. For example, the Audio option doesn't work with server administration, but it's included on the features list.
Figure 8. Choose which administrative options you want to enable.
The Security Configuration Wizard selects some of these items by default based on server roles that were specified earlier. Administrative options that were selected typically are correct, but check the list to verify that nothing that has been disabled should be enabled.
Figure 9. Leave the .NET Runtime Optimization-related services enabled.
Part 3: Configure security settings on Exchange 2007 Edge Transport servers
An Edge Transport server should act as a server appliance, meaning that you should use dedicated hardware to perform a single task. Running additional services or applications on an Edge Transport server may undermine its security.
Assuming that the server acts solely as an Edge Transport server, the two services shown in Figure 10 should be the only ones listed. If other services are listed, check if Exchange server requires them. You must select any services that the Edge Transport server requires. Failure to do so may cause the Security Configuration Wizard to apply a security change that prevents the service from running. Ultimately, this may cause the Edge Transport server to fail.
Figure 10. Select services on which the server depends.
Once you're satisfied with the selected services, click Next to view a screen similar to that in Figure 11. The wizard must know how to handle unspecified services.
Figure 11. Decide how Windows should handle unspecified services.
This screen displays various services and components that the server is currently running, so you can decide which ones you want to continue using. There is a chance that the wizard might miss a service, or that a service might be installed later. When this happens, the wizard must know how to handle the situation.
As you can see in Figure 11, you can either allow the service to continue running via the Do not change the startup mode of the service option or disable it completely.
After you've made your decision, click Next and you'll be taken to the screen shown in Figure 12. The wizard lists all of the services for which the startup type has been modified. Review the list of services and verify that you agree with the changes to service startup types. The wizard tends to disable several services. If an incorrect service is disabled, the server won't work as planned.
NOTE: This screen is your last chance to ensure that you agree with the proposed security changes to the various services.
Figure 12. Confirm changes to service startup types.
Click Next and you'll be taken to the wizard's Network Security screen, which explains that the wizard will help you configure inbound and outbound port usage. The screen contains a checkbox that allows you to choose to skip the Network Security portion of the wizard. Because you're configuring an Edge Transport server, it's a good idea to work through Network Security screens.
Click Next and the wizard will display a list of ports that are being used (Figure 13). Go through the list and determine which ports should remain open. If you find any ports that should be closed, de-select the checkbox corresponding to that port. When you're satisfied with these selections, click Next.
Figure 13. Deselect checkboxes that correspond to any ports that you want to disable.
The summary screen displays the status of various ports. Verify entries to ensure that changes you've made are reflected. If they're correct, click Next.
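The service-startup and port summaries above are the last view of what the wizard intends to change, and after the reboot there is no built-in diff against the earlier state. The following PowerShell script, added here as an example that is not part of the article, records service start modes and listening TCP ports to a CSV file; run it once before applying the policy and once after the reboot with -CompareWith to see exactly which services and ports changed. The file names are placeholders; netstat and Win32_Service are used because both exist on the Windows Server versions that host Exchange 2007.

```powershell
# Added example (not from the article): snapshot service start modes and
# listening TCP ports, and optionally diff against an earlier snapshot.
# Usage (file names are placeholders):
#   .\Snapshot.ps1 -Path C:\scw\before.csv                              # before applying the policy
#   .\Snapshot.ps1 -Path C:\scw\after.csv -CompareWith C:\scw\before.csv  # after the reboot
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$CompareWith
)

function Get-SecuritySnapshot {
    # One record per service: Kind=Service, Name=<service name>, Value=<Auto|Manual|Disabled>
    Get-WmiObject Win32_Service | ForEach-Object {
        New-Object PSObject -Property @{ Kind = 'Service'; Name = $_.Name; Value = $_.StartMode }
    }
    # One record per listening TCP port, parsed from netstat -ano; Value is the owning process name.
    $pattern = '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$'
    foreach ($line in (netstat -ano)) {
        if ($line -match $pattern) {
            $ownerPid = [int]$matches[2]
            $proc  = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $owner = if ($proc) { $proc.Name } else { "pid $ownerPid" }
            New-Object PSObject -Property @{ Kind = 'Port'; Name = "TCP/$($matches[1])"; Value = $owner }
        }
    }
}

$now = @(Get-SecuritySnapshot | Sort-Object Kind, Name)
$now | Export-Csv -Path $Path -NoTypeInformation
Write-Host ("Recorded {0} services/ports to {1}" -f $now.Count, $Path)

if ($CompareWith) {
    $before = @(Import-Csv $CompareWith)
    # Compare-Object reports every Kind/Name/Value combination present on only one side.
    $diff = Compare-Object -ReferenceObject $before -DifferenceObject $now -Property Kind, Name, Value
    if (-not $diff) {
        Write-Host 'No differences: services and listening ports are unchanged.'
        return
    }
    foreach ($d in $diff) {
        $side = if ($d.SideIndicator -eq '<=') { 'before' } else { 'after ' }
        Write-Host ("{0}  {1,-8} {2,-40} {3}" -f $side, $d.Kind, $d.Name, $d.Value)
    }
}
```

A service that appears as "before ... Auto" and "after ... Disabled" was disabled by the policy; a port that appears only in the "before" lines was closed. Anything in the diff that you did not approve on the summary screens is a candidate for the wizard's roll-back option mentioned in Part 2.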
The wizard displays an introductory screen for the Registry Settings section, which also contains a checkbox that allows you to skip this section. We're going to work through the Registry Settings section.
Click Next to view a screen similar to that in Figure 14 containing two checkboxes. Although it may seem simpler to use the default settings, there are serious consequences to making incorrect choices on the screen.
Figure 14. Verify the operating systems that computers connecting to the server use, and decide if you want to sign file and print traffic.
The first checkbox on this screen asks if all computers that will be connecting to the server satisfy certain minimal operating system requirements. Deciding to select this checkbox requires a thorough analysis of your organization to ensure that various clients and servers meet minimal requirements.
The only machines that should be connecting to the Edge Transport server are other Exchange 2007 servers. Because Exchange 2007 won't run on any older versions of Windows listed, select the first checkbox.
The second checkbox asks you if the server has enough surplus processing capacity to sign file and print traffic. Digitally signing file and print traffic allows the server to prove that the traffic originated from that server, and no one has tampered with it.
Although digitally signing file and print traffic sounds feasible, the signing process is processor-intensive. Edge Transport servers generally handle a heavy workload. If you're considering digitally signing file and print traffic, I recommend doing some performance monitoring first to ensure that your server can handle the load.
After making selections, click Next to view the screen that is shown in Figure 15. This screen asks you to choose authentication methods that the server uses to authenticate with remote computers. This can be tricky when dealing with Edge servers, because an Edge server communicates only with other Exchange servers (internally) and an Edge Subscription file authorizes this communication.
Figure 15. Select the methods that the server uses to authenticate with remote computers.
Edge subscriptions aren't listed in the authentication list. Instead, select the types of user accounts that are used. For an Edge Transport Server, I recommend selecting only the Domain Accounts option.
The next screen you will see depends on the options that were chosen on the previous screen. If you only selected the Domain Accounts option, you will see the screen shown in Figure 16.
Figure 16. Direct the wizard to the types of domain controllers that are in use.
Confirm that all of your domain controllers are running Windows NT 4.0 Service Pack 6A, or a newer Windows operating system. You must also confirm that the server's clock is synchronized with the other servers' clocks. Assuming that all servers are running Windows Server 2003, inform the wizard that the clocks are synchronized.
Earlier Windows versions only required that clocks be within 30 minutes of one another. If you're unsure if your server's clocks are synchronized with one another, do not select the checkbox.
Click Next to see a summary of the changes that the Security Configuration Wizard will make, based on answers to questions in the Registry Settings section. Make sure that the changes are correct, based on your network configuration.
Part 4: Harden Edge Transport servers with the Security Configuration Wizard
The Registry Settings Summary screen allows you to verify the wizard's settings. Study each summary screen. As you can see in Figure 17, this screen shows you how various settings are configured as well as changes that the wizard intends to make to those settings.
Figure 17. The Registry Settings Summary screen gives you one last chance to verify that the wizard's proposed changes are correct.
After reviewing the changes, click Next to view the introductory screen for the Audit Policy settings. This screen features a checkbox that, when selected, enables you to skip this section. Skipping this isn't advised because auditing is an important portion of a server's overall security.
Click Next to see the System Audit Policy screen (Figure 18). There are two things to note on this screen. First, the wizard doesn't allow administrators to configure auditing with any sort of granularity -- you can only choose disabling auditing, enabling success auditing or enabling success and failure auditing. Therefore, you can use the wizard to enable auditing, but you should go back and fine-tune your audit policy.
Figure 18. The Security Audit Policy screen gives you the choice to disable auditing, enable success auditing, or enable success and failure auditing.
Second, the wizard is configured by default to audit successful activities. Auditing only successful events produces a smaller log file than auditing successes and failures produces. Auditing only successful events also has less effect on server performance.
If your server has the resources to spare though, I recommend auditing both successes and failures. Because the Edge Transport server sits at your network perimeter, it's subject to attack. Auditing successes and failures enables you to spot attempted attacks and take steps to protect your server against those types of attacks.
Click Next to see the Audit Policy Summary screen (Figure 19). Although the wizard doesn't allow much control over auditing settings, this screen gives specific information on which auditing settings it will enable. I recommend writing down the proposed policy settings because it's simpler to fine-tune audit policy settings later, if you know what the policy mandates.
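Rather than copying the Audit Policy Summary by hand, you can dump the audit policy that is actually in effect and keep that as the record to fine-tune from. The PowerShell script below is an added example, not part of the article; it uses secedit (present on Windows Server 2003 and 2008) to export the local policy to a temporary INF file and reads its [Event Audit] section, where each category is stored as 0 (no auditing), 1 (success), 2 (failure) or 3 (success and failure). It must run from an elevated prompt. Categories that audit successes only, the wizard's default, are flagged so you can decide per category whether to add failure auditing.

```powershell
# Added example (not from the article): export the effective audit policy with
# secedit and report it per category, flagging success-only categories.
# The temporary file path is constructed here and removed afterwards.
$inf = Join-Path $env:TEMP 'audit-export.inf'

secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $inf)) {
    throw "secedit export failed (exit code $LASTEXITCODE); run from an elevated prompt"
}

# secedit INF encoding for the [Event Audit] section
$labels = @{
    '0' = 'No auditing'
    '1' = 'Success'
    '2' = 'Failure'
    '3' = 'Success and Failure'
}

$policy    = @{}
$inSection = $false
foreach ($line in (Get-Content $inf)) {        # Get-Content honours the UTF-16 BOM secedit writes
    if ($line -match '^\[(.+)\]\s*$') {
        $inSection = ($matches[1] -eq 'Event Audit')
        continue
    }
    if ($inSection -and $line -match '^\s*(Audit\w+)\s*=\s*(\d)\s*$') {
        $policy[$matches[1]] = $matches[2]
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

if ($policy.Count -eq 0) {
    throw 'No [Event Audit] section found in the exported policy'
}

# Report one line per category; success-only categories get a marker for review.
foreach ($category in ($policy.Keys | Sort-Object)) {
    $value = $policy[$category]
    $note  = if ($value -eq '1') { '   <- success only; consider adding failure auditing' } else { '' }
    '{0,-24} {1}{2}' -f $category, $labels[$value], $note
}
```

Running this before and after the wizard applies the policy shows which categories it changed; running it again after you adjust individual categories in Local Security Policy confirms that the fine-tuning took effect.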
Figure 19. The Audit Policy Summary screen shows you how the audit policy will be applied.
Click Next to view the Save Security Policy screen, which informs you that you've completed the wizard and you should save your settings.
Click Next and you will be prompted to enter a name and an optional security policy description. This screen also allows you to view the new policy in its entirety.
Click Next to see a screen asking if you want to apply the policy now or later. You can apply the policy now, but the new policy won't go into effect until the server is rebooted.
Click Next and then Finish to apply the policy and complete the wizard.
ABOUT THE AUTHOR:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.
This was first published in April 2008