Deployment Security Checklist

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Microsoft Exchange Server 2007 is engineered to be secure-by-default for most customer scenarios. Generally for Exchange 2007, secure-by-default means that the following conditions are true:

  • Accounts that are used by Exchange 2007 have the minimum rights that are required to perform the given task sets.

  • By default, services are started only when they are required.

  • Access control list (ACL) rights for Exchange objects are minimized.

  • Administrative permissions are set according to the scope of change on the object that a given modification requires.

  • All internal, default message paths are encrypted.

  • Many other features have been designed to provide a relatively secure messaging environment upon initial installation.

This topic describes some recommended steps that you can take to better secure the messaging environment before and after you install Microsoft Exchange. We recommend that you refer to this checklist every time that you install a new Exchange server role.

As with all content in the Exchange 2007 Help file, the most up-to-date content can be found at the Exchange Server TechCenter.

Pre-Installation

Before installing Exchange 2007, perform the following procedures.

Procedures Check

Run Microsoft Update.

 

Run the Microsoft Malicious Software Removal Tool. The Malicious Software Removal Tool is included with Microsoft Update. More information about the tool can be found at Malicious Software Removal Tool.

 

Run the Microsoft Baseline Security Analyzer.

 

Post-Installation

We recommend that you run the Security Configuration Wizard (SCW) on all Exchange 2007 server roles. We also recommend that you modify the LAN Manager authentication level on servers that are running Windows Server 2003.

Security Configuration Wizard

The SCW is a tool that was introduced with Microsoft Windows Server 2003 Service Pack 1 (SP1). You can use the SCW to minimize the attack surface for servers by disabling Windows functionality that is not required for the Exchange 2007 server roles. The SCW automates the security best practice of reducing the attack surface for a server. The SCW uses a role-based metaphor to solicit services that are required for the applications on a server. This tool reduces the susceptibility of Windows environments to exploitation of security vulnerabilities. For more information, see Using the Security Configuration Wizard to Secure Windows for Exchange Server Roles.

LAN Manager Authentication Level

For each Exchange server that is running on Windows Server 2003, we recommend that you set the LAN Manager authentication level to the level that the Windows Server 2003 Security Guide recommends for your environment. This setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol that is used by client computers, the level of security that is negotiated, and the level of authentication that is accepted by servers. To modify the LAN Manager authentication level, you must modify the LmCompatibilityLevel entry in the registry.

Warning

Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

Following are the LAN Manager authentication levels that theWindows Server 2003 Security Guide recommends**:**

  • Legacy client environment   The Windows Server 2003 Security Guide defines a legacy client environment as an environment that consists of an Active Directory directory service domain with member servers and domain controllers that run Windows Server 2003 and some client computers that run Microsoft Windows 98 and Windows NT 4.0. Computers that run Windows 98 must have the Active Directory Client Extension (DSCLient) installed. For more information about installing DSClient, see Microsoft Knowledge Base article 288358, How to install the Active Directory client extension. If you have a legacy client environment, the Windows Server 2003 Security Guide recommends that you set the LmCompatibilityLevel entry to 3.

  • Enterprise client environment   The Windows Server 2003 Security Guide defines an enterprise client environment as an environment that consists of an Active Directory domain with member servers and domain controllers that run Windows Server 2003 with SP1 and client computers that run Windows 2000 Server and Windows XP. For an enterprise client environment, the Windows Server 2003 Security Guide recommends that you set the LmCompatibilityLevel entry to 4.

In addition, cluster environments also have requirements related to theLAN Manager authentication level.In a cluster continuous replication (CCR) environment, you must set the LmCompatibilityLevel entry of each domain controller in the organization to the same value as the LmCompatibilityLevel entry on your Exchange servers. If the LmCompatibilityLevel entry on a domain controller is not the same as the LmCompatibilityLevel entry on an Exchange server, you may experience errors with replication. We recommend that you first set the LmCompatibilityLevel entry on all domain controllers in a domain and then set the LmCompatibilityLevel entry for each cluster.

To set the LmCompatibilityLevel entry on a cluster, you must change the value on all nodes of the cluster at the same time, and then restart each node of the cluster. We recommend that you modify the registry entry and restart each computer in a cluster manually instead of by using a Group Policy object (GPO) so that you can ensure that all nodes of the cluster are restarted at the same time.

Note

By default, the LmCompatibilityLevel on computers that are running Windows Server 2008 is 3 or higher.

For more information about LAN Manager authentication levels, see "Chapter 4: The Member Server Baseline Policy" in the Windows Server 2003 Security Guide. For more information about modifying the LmCompatibilityLevel registry entry to set the LAN Manager authentication level, see How to Configure the LAN Manager Authentication Level. You can use a GPO to set the LmCompatibilityLevel registry entry on all computers in your organization. For detailed steps, see How to Configure the LAN Manager Authentication Level.