Securing Your Infrastructure
Topic Last Modified: 2005-05-24
This topic focuses on important infrastructure components that you can implement for greater security. It discusses the following:
Securing your Internet Information Services (IIS) framework to protect Internet services.
The importance of firewalls in protecting servers from direct Internet access.
Using virtual private networks as a secure means of accessing private network resources.
As discussed in "Internet Information Services" in Transport Dependencies for Exchange Server 2003, IIS provides the framework for the Internet protocols that Exchange exposes: HTTP (including Outlook Web Access), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), and Network News Transfer Protocol (NNTP). Therefore, it is essential that you ensure IIS is secure. How you secure IIS depends on which version of Microsoft® Windows® your Exchange server runs. On Windows 2000 Server (IIS 5.0), use the IIS Lockdown Wizard; on Windows Server™ 2003 (IIS 6.0), which installs in a locked-down configuration by default and is not supported by the IIS Lockdown Wizard, use URLScan. Neither tool is included with Windows; both are separate downloads from the Microsoft Download Center.
On Windows 2000 Server, the IIS Lockdown Wizard for IIS 5.0 disables unnecessary IIS services and features, reducing the surface that an attacker can reach through them. The wizard also installs URLScan with templates customized for Exchange servers, so that malformed or unexpected HTTP requests are rejected before they reach Exchange. IIS Lockdown Wizard is designed primarily to secure Microsoft Office Outlook® Web Access servers and front-end servers; however, it is also useful for checking the security configuration on any Exchange server.
For optimal security, run IIS Lockdown Wizard on each Exchange server and domain controller in your organization. You can download IIS Lockdown Wizard from the Microsoft Download Center.
For more information about IIS Lockdown Wizard, see Microsoft Knowledge Base article 309508, "XCCC: IIS Lockdown and URLscan Configurations in an Exchange Environment."
Running IIS Lockdown Wizard a second time on the same server does not harden it further; the wizard detects its earlier run and offers to undo those changes instead. For more information, see Microsoft Knowledge Base article 317052, "HOW TO: Undo Changes Made by the IIS Lockdown Wizard."
IIS Lockdown Wizard is not supported on Windows Server 2003, but URLScan is, and you can use it to secure IIS 6.0. URLScan version 2.5 is an ISAPI filter that screens every HTTP request IIS receives against the rules in its urlscan.ini file (the verbs that are allowed, limits on URL, query string and content length, URL sequences and headers that are denied) and rejects any request that does not comply. By blocking such requests before IIS hands them to an application, URLScan keeps potentially harmful requests from reaching your Exchange server. Because Outlook Web Access depends on WebDAV verbs and on URL characters that the stock URLScan rules reject, apply the Exchange-specific settings described in the following article rather than the defaults.
For more information about the URLScan tool, see Microsoft Knowledge Base article 823175, "Fine-Tuning and Known Issues When You Use the Urlscan Utility in an Exchange 2003 Environment."
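As an added example (not from the original topic and not part of Microsoft's tools), the following Python script audits a urlscan.ini the way an Exchange administrator would before enabling URLScan on an Outlook Web Access front end: it confirms the request-filtering options are switched on, that the verb allow-list covers the WebDAV verbs OWA uses and nothing riskier, and that none of the stock denied URL sequences would reject legitimate OWA URLs. Both ini texts inside it are constructed; the verb list and the "%" and "&" sequence assumptions are taken from memory of the Exchange URLScan template, so verify them against KB 823175 and KB 309508 before relying on them.

```python
"""Audit a URLScan 2.5 urlscan.ini for an Exchange 2003 OWA front end.
Added example, not Microsoft's code. Both ini texts below are constructed; the
verb and sequence lists are assumptions from the Exchange URLScan template and
should be checked against KB 823175 and KB 309508 for your build."""
import configparser
from typing import List, Set

# WebDAV verbs Outlook Web Access issues (assumed list; verify per KB 823175).
OWA_VERBS = {
    "GET", "HEAD", "POST", "OPTIONS", "PROPFIND", "PROPPATCH", "BPROPPATCH",
    "SEARCH", "SUBSCRIBE", "UNSUBSCRIBE", "POLL", "MOVE", "COPY", "DELETE",
    "MKCOL", "BMOVE", "BCOPY", "BDELETE", "LOCK", "UNLOCK",
}
# Verbs no Internet-facing front end needs; allowing them widens the attack surface.
RISKY_VERBS = {"TRACE", "TRACK", "DEBUG"}
# Stock [DenyUrlSequences] entries that legitimate OWA URLs contain (assumption:
# "%" in encoded folder names, "&" in query strings); the Exchange template drops them.
OWA_NEEDED_SEQUENCES = {"%", "&"}
# [Options] values a hardened front end should carry, and why.
REQUIRED_OPTIONS = {
    "UseAllowVerbs": "1",           # default deny: only listed verbs pass
    "NormalizeUrlBeforeScan": "1",  # decode first, so %2e%2e cannot evade ".."
    "VerifyNormalization": "1",     # reject URLs that change under a second decode
    "AllowDotInPath": "1",          # /exchange/first.last mailbox URLs need it
    "RemoveServerHeader": "1",      # stop advertising the IIS version
    "EnableLogging": "1",           # rejected requests are recorded for review
}


def parse_ini(text: str) -> configparser.ConfigParser:
    """urlscan.ini mixes key=value sections with bare-line lists ([AllowVerbs] ...)."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None, strict=False)
    cp.optionxform = str  # keep verb and option names case-sensitive
    cp.read_string(text)
    return cp


def keys_of(cp: configparser.ConfigParser, section: str) -> Set[str]:
    return set(cp.options(section)) if cp.has_section(section) else set()


def audit(ini_text: str) -> List[str]:
    """Return findings; an empty list means the file passes every check."""
    cp = parse_ini(ini_text)
    opts = cp["Options"] if cp.has_section("Options") else {}
    findings: List[str] = []
    for name, wanted in REQUIRED_OPTIONS.items():
        if (opts.get(name) or "0").strip() != wanted:
            findings.append(f"Options.{name} should be {wanted}")
    allowed, denied = keys_of(cp, "AllowVerbs"), keys_of(cp, "DenyVerbs")
    if (opts.get("UseAllowVerbs") or "0").strip() == "1":
        if OWA_VERBS - allowed:
            findings.append("AllowVerbs lacks verbs OWA needs: "
                            + ", ".join(sorted(OWA_VERBS - allowed)))
        if RISKY_VERBS & allowed:
            findings.append("AllowVerbs permits risky verbs: "
                            + ", ".join(sorted(RISKY_VERBS & allowed)))
    elif RISKY_VERBS - denied:
        findings.append("DenyVerbs does not block: " + ", ".join(sorted(RISKY_VERBS - denied)))
    blocked = OWA_NEEDED_SEQUENCES & keys_of(cp, "DenyUrlSequences")
    if blocked:
        findings.append("DenyUrlSequences would reject OWA URLs containing: "
                        + " ".join(sorted(blocked)))
    return findings


# Constructed sample resembling the stock urlscan.ini: fine for a static web site,
# but it breaks OWA (verbs, dots, "%" and "&") and leaves the Server header in place.
STOCK_INI = """
[Options]
UseAllowVerbs=1
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowDotInPath=0
RemoveServerHeader=0
EnableLogging=1
[AllowVerbs]
GET
HEAD
POST
[DenyUrlSequences]
..
./
\\
:
%
&
"""
# Constructed sample with the Exchange-oriented corrections applied to the stock text.
EXCHANGE_INI = (STOCK_INI
                .replace("AllowDotInPath=0", "AllowDotInPath=1")
                .replace("RemoveServerHeader=0", "RemoveServerHeader=1")
                .replace("POST\n", "POST\n" + "\n".join(sorted(OWA_VERBS - {"GET", "HEAD", "POST"})) + "\n")
                .replace("%\n&\n", ""))
```

To audit the live file, pass the contents of %windir%\system32\inetsrv\urlscan\urlscan.ini to audit(); an empty list is the pass condition. NormalizeUrlBeforeScan and VerifyNormalization are checked together because without both an attacker can hide a denied sequence behind one or two layers of percent-encoding so that the rule never fires.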
A firewall prevents unauthorized access to data on servers that reside behind the firewall. Whether your organization has an existing network or is setting up a new one, firewall planning is extremely important.
With software such as Microsoft Internet Security and Acceleration (ISA) Server, you can route all Internet traffic through a single location. Although this requires more setup and planning than a simple direct Internet connection, it provides increased security for the servers in your organization.
You can use a firewall to allow only essential Internet traffic, on only the ports that you specify. For example, if a perimeter server does nothing but relay mail, you can configure the firewall to pass only SMTP (TCP port 25) to it and to drop connections on every other port.
For Exchange to operate properly behind a firewall, especially for remote clients, the firewall must pass the ports that Exchange uses. A firewall can filter or block individual TCP ports, and Exchange's protocols listen on fixed, well-known ports; therefore, for remote clients and servers to communicate through the firewall, you cannot change or block the port assignments for the protocols that Exchange supports. For more information about the ports that Exchange requires, see "Common Ports Used by Exchange" in SMTP Commands and Definitions and Microsoft Knowledge Base article 278339, "XGEN: TCP/UDP Ports Used By Exchange 2000 Server." Although this article was written for Exchange 2000 Server, the same information applies to Exchange 2003.
If you need only a simple SMTP relay in the perimeter network, a Windows 2000 Server or Windows Server 2003 computer running the built-in SMTP service is often all that is necessary. Placing an Exchange 2003 Enterprise Server front-end server, Windows 2000 Server or Windows Server 2003 Network Address Translation (NAT), Microsoft ISA Server, or any other solution that buffers the internal LAN from the Internet in front of your mailbox servers adds a further layer of security.
If you do not implement a firewall between your network and the Internet, you must consider how security will be affected. Every Exchange server that has a direct connection to the Internet is reachable by every host on the Internet, on every port on which it listens.
The Windows 2000 Server and Windows Server 2003 Routing and Remote Access Service (RRAS) is an open, extensible platform for routing and internetworking. RRAS gives remote users access to an organization's LAN and WAN resources over the Internet by using secure virtual private network (VPN) connections. VPNs are encrypted, authenticated links across public or private networks, such as the Internet.
The Windows 2000 Server and Windows Server 2003 Remote Access Service (RAS) and RRAS tools let remote users who already have Internet access, whether dial-up or broadband, connect to the private network. A VPN connection requires the following:
A tunneling protocol. This topic describes Point-to-Point Tunneling Protocol (PPTP); Windows 2000 Server and Windows Server 2003 RRAS also support Layer Two Tunneling Protocol with IPsec (L2TP/IPsec), which provides stronger protection.
An Internet connection at each end, over which the VPN tunnel is created.
PPTP is designed to support VPNs. Because remote users can reach the Internet through inexpensive Digital Subscriber Line (DSL) or cable modem connections, a VPN is less expensive to establish and support than a traditional WAN or dial-up modem pool: it eliminates long-distance telephone charges while providing encrypted connections, authentication, and packet filtering. With PPTP, the strength of that authentication and encryption depends on the authentication protocol negotiated. Configure the RRAS server to require MS-CHAP v2 or EAP-TLS and to refuse PAP, CHAP, and MS-CHAP v1: only MS-CHAP v2 and EAP-TLS authenticate the server to the client as well as the client to the server, and PAP and CHAP cannot supply the keys that MPPE encryption needs.
After the PPTP server authenticates a remote client, the VPN connection opens. The PPTP session acts as a tunnel through which network packets flow: packets are encrypted (with MPPE, using keys derived during authentication) before they enter the tunnel and decrypted when they leave it. Because PPTP uses TCP port 1723 for its control connection and GRE (IP protocol 47) for the tunnel itself, the firewall and any NAT device between client and server must pass both; a policy that opens only port 1723 lets clients authenticate and then fail to pass any traffic. For example, an organization can allow remote clients to connect to a corporate network across the Internet using a VPN. Although a broadband connection is not required for a VPN, a broadband VPN connection benefits remote VPN users: they connect to the corporate network over the Internet and then use it as if they were directly logged on to it.
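As an added example (not from the original topic and not Microsoft's code), the following Python evaluates a default-deny perimeter policy of the kind the firewall discussion above describes, and also covers the PPTP passage: it enumerates the Exchange port list against each perimeter host to confirm that only the intended service is reachable from the Internet, and checks that a VPN server has both TCP 1723 and GRE passed to it rather than the control channel alone. The host names, rules, and flows are constructed; the port table is the subset of the Exchange port list from KB 278339 that matters at the perimeter.

```python
"""Evaluate a default-deny perimeter policy for an Exchange 2003 perimeter network.
Added example, not Microsoft's code. Host names, rules and flows are constructed;
the port table follows KB 278339 / "Common Ports Used by Exchange"."""
from dataclasses import dataclass
from typing import List, Optional, Set

TCP, UDP, GRE = 6, 17, 47  # IP protocol numbers


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: int
    dst: str                     # destination host name, or "*" for any host
    dport: Optional[int] = None  # None: any port, or a protocol with no ports (GRE)


@dataclass(frozen=True)
class Flow:
    proto: int
    dst: str
    dport: Optional[int] = None


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if (r.proto == flow.proto and r.dst in ("*", flow.dst)
                and r.dport in (None, flow.dport)):
            return r.action
    return "deny"


# Well-known ports Exchange 2003 listens on (subset; see KB 278339).
EXCHANGE_PORTS = {
    (TCP, 25): "SMTP", (TCP, 80): "HTTP", (TCP, 443): "HTTPS",
    (TCP, 110): "POP3", (TCP, 995): "POP3/SSL",
    (TCP, 143): "IMAP4", (TCP, 993): "IMAP4/SSL",
    (TCP, 119): "NNTP", (TCP, 563): "NNTP/SSL",
    (TCP, 135): "RPC endpoint mapper", (TCP, 389): "LDAP", (TCP, 3268): "Global catalog",
}


def exposed_services(rules: List[Rule], host: str) -> Set[str]:
    """Which Exchange services the policy lets Internet hosts reach on `host`."""
    return {name for (proto, port), name in EXCHANGE_PORTS.items()
            if evaluate(rules, Flow(proto, host, port)) == "allow"}


# PPTP needs both its TCP control channel and the GRE-encapsulated tunnel;
# a policy that passes only 1723 lets clients authenticate and then hang.
PPTP_NEEDS = [("TCP 1723 control connection", TCP, 1723),
              ("GRE (IP protocol 47) tunnel", GRE, None)]


def pptp_gaps(rules: List[Rule], vpn_host: str) -> List[str]:
    """Labels of the PPTP components the policy does not pass to vpn_host."""
    return [label for label, proto, port in PPTP_NEEDS
            if evaluate(rules, Flow(proto, vpn_host, port)) != "allow"]


# Constructed policy for Internet -> perimeter traffic. Only the relay takes SMTP,
# only the front end takes HTTPS, only the VPN server takes PPTP; everything else,
# including any direct path to the mailbox server, falls through to the default deny.
POLICY = [
    Rule("allow", TCP, "smtp-relay", 25),
    Rule("allow", TCP, "owa-frontend", 443),
    Rule("allow", TCP, "vpn-server", 1723),
    Rule("allow", GRE, "vpn-server"),
    Rule("deny", TCP, "*", 135),  # explicit, so a later broad allow cannot expose RPC
]
POLICY_NO_GRE = [r for r in POLICY if r.proto != GRE]  # the classic PPTP mistake


if __name__ == "__main__":
    for host in ("smtp-relay", "owa-frontend", "vpn-server", "mailbox-server"):
        print(host, "exposes", sorted(exposed_services(POLICY, host)) or "nothing")
    print("PPTP gaps without GRE:", pptp_gaps(POLICY_NO_GRE, "vpn-server"))
```

A real firewall (ISA Server, RRAS packet filters, or an appliance) expresses its rules differently, but the check is the same: walk the Exchange port list against every host that is reachable from the Internet and confirm that only the service you intended answers, then confirm the VPN server is reachable on both TCP 1723 and GRE, since opening only the TCP port is the most common reason a PPTP client authenticates and then passes no traffic.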