Introduction to the Exchange Server 2003 Security Hardening Guide
Topic Last Modified: 2006-01-06
This guide is designed to provide you with essential information about how to harden your Microsoft® Exchange Server 2003 environment. In addition to practical hands-on configuration recommendations, this guide includes strategies for combating spam, viruses, and other external threats to your Exchange Server 2003 messaging system. While most server administrators can benefit from reading this guide, it is designed to produce maximum benefits for administrators responsible for Exchange Server messaging, both at the mailbox and architect levels.
This guide is a companion to the Windows Server 2003 Security Guide. Specifically, many of the procedures in this guide are related directly to security recommendations introduced in the Windows Server 2003 Security Guide. Therefore, before you perform the procedures presented in this guide, it is recommended that you first read the Windows Server 2003 Security Guide.
This guide focuses explicitly on the operations required to help create and maintain a secure Exchange Server 2003 environment.
You should use this guide as part of your overall security strategy for Exchange Server 2003, not as a complete reference for creating and maintaining a secure environment.
Specifically, this guide provides detailed answers to the following questions:
What guidance is available to help prepare for a secure Exchange Server 2003 environment?
What are some effective patch management processes?
What are some anti-virus measures I can deploy?
How can I protect against unsolicited commercial e-mail (spam), denial-of-service attacks, and address spoofing?
What are the recommended steps for hardening my Microsoft Windows Server™ 2003 infrastructure?
What are the recommended steps for hardening my back-end and front-end servers?
How do I organize my Microsoft Active Directory® directory service structure to support deployment of the Exchange Group Policy Security Templates?
Since the previous release of this guide, the following additions and modifications were made:
The following Exchange Group Policy Security Template has been added to the downloadable security templates file: Exchange_2003-RPC-HTTP_V1_2.inf. You can download all the Exchange Group Policy Security Templates from the Microsoft Download Center.
The topic, How to Install Exchange 2003 on a Hardened Server, has been rewritten to simplify the procedure for installing and upgrading Exchange 2003 on servers that have been security-hardened.
Updated the topic, How to Dismount and Delete the Mailbox and Public Folder Stores, to clarify the procedure. If you are not running SMTP on an Exchange front-end server, then you can delete both the mailbox and public folder stores. Otherwise, if you are running SMTP, then the mailbox store must be mounted and circular logging turned on.
Before considering the configuration recommendations and security strategies presented in this guide, you should familiarize yourself with the following resources:
MOF is a collection of best practices, principles, and models that provide you with operations guidance. For specific information, see the MOF Web site.
The goal of STPP is to integrate Microsoft products, services, and support that focus on security. For specific information, see the Security Resources from Microsoft.
This Web site is the central clearinghouse for overall security and privacy information at Microsoft. For specific information, see the Microsoft Security and Privacy Web site.
This Web site lists Exchange-specific resources that can help secure your environment. For specific information, see the Security Resources for Exchange Server 2003 Web site.