Exchange Server is one of the most popular and most common "add-on" services to machines running Windows Server 2003. Perhaps you're new to Exchange or you're setting up several machines at once and security is on your mind. Use the suggestions and tips in this article as a "quick hits" guide to securing your Exchange services via two avenues: policy-based security and service configuration security.
Policy-based security
Policy-based security is one of the easiest ways to establish wholesale hardening guidelines consistently across multiple machines. Microsoft has baseline security guides available in the form of security templates that you can apply as a security policy according to your Exchange Server's various roles. To apply them to your computers, you can simply import them into Group Policy via the Domain Group Policy or through a more granular object.
The Microsoft site with the security templates for Exchange Server machines is called the Security Operations Guide for Exchange 2000 Server.
For the machines that run Exchange Server itself, I recommend these steps. Under User Rights Assignment, do the following:
- Grant the Access This Computer from the Network ability to the Authenticated Users, Backup Operators and Enterprise Domain Controllers groups.
- Grant the Manage Auditing and Security Log ability to the Exchange Domain Servers group of your security domain.
Under Local Policies and Security Options:
Set the value of Number of Previous Logons to Cache to 3.
Disable the Shut Down System Immediately if Unable to Log Security Audits policy.
For plain domain controllers, I recommend the following procedure. Under Local Policies and Security Options, do the following:
- Disable the Digitally Sign Client Communications (Always) policy.
- Disable the Digitally Sign Server Communications (Always) policy.
- Set the value of the LAN Manager Authentication Level policy to Send LM & NTLM -- Use NTLMv2 Session Security if Negotiated.
Service configuration security
The other way to secure Exchange machines is by taking a look at how their services are set. Exchange runs as a set of services that communicates both within the services and with the local computer. Additionally, the local computer and these processes act as a team when communicating with remote computers such as clients themselves, other Exchange servers within an organization and Active Directory domain controllers. There are two classifications of Exchange servers. The front-end servers host Outlook Web Access and are generally the machines that clients hit for data. The back-end servers hold the information store, mailboxes, public folder data and other information and data repositories.
The back-end servers need attention from you, particularly with regard to the state of their services. The following table shows my recommended service configuration for back-end Exchange Server computers to optimize their security:
| Service | Recommended state |
| Iisadmin | Automatic |
| Imap4Svc | Disabled |
| IPsec Policy Agent | Automatic |
| Msexchangees | Disabled |
| Msexchangeis | Automatic |
| Msexchangemgmt | Automatic |
| Msexchangemta | Automatic |
| Msexchangesa | Automatic |
| Msexchangesrs | Disabled |
| Mssearch | Automatic |
| NTLM Security Support Provider | Automatic |
| POP3SVC | Disabled |
| Print Spooler | Disabled |
| Remote Procedure Call (RPC) Locator | Automatic |
| RESVC | Automatic |
| SMTPSVC | Automatic |
| Task Scheduler | Automatic |
| TermService | Automatic |
| W3SVC | Automatic |
| Windows Management Instrumentation | Automatic |
About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell, a systems administrator and IT consultant residing in Raleigh, N.C., has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
