Using the Security Configuration Wizard to Secure Windows for Exchange Server Roles

Applies to: Exchange Server 2007 SP1, Exchange Server 2007 Topic Last Modified: 2007-03-23

The Security Configuration Wizard (SCW) is a tool that was introduced with Microsoft Windows Server 2003 Service Pack 1. Use the SCW to minimize the attack surface for servers by disabling Windows functionality that is not required for Microsoft Exchange Server 2007 server roles. The SCW automates the security best practice of reducing attack surface for a server. The SCW uses a role-based metaphor to solicit services that are required for the applications on a server. This tool reduces the susceptibility of Windows environments to exploitation of security vulnerabilities.

Using the Security Configuration Wizard

Exchange 2007 provides an SCW template for each of the Exchange 2007 server roles. By using this template with the SCW, you can configure the Windows operating system to lock down services and ports that are not needed for each Exchange server role. When you run the SCW, you create a custom security policy for your environment. You can apply the custom policy to all Exchange servers in your organization. You can configure the following functionality by using the SCW:

Server role The SCW uses the server role information to enable services and open ports in the local firewall.
Client features Servers also act as clients to other servers. Select only the client features that are required for your environment.
Administration options Select the options that are required for your environment, such as backup and error reporting.
Services Select the services that are required for the server, and set the startup mode for services that are not specified by the policy. Unspecified services are not installed on the selected server and are not listed in the security configuration database. The security policy that you configure might be applied to servers that are running different services than the server where the policy is created. You can select the policy setting that determines the action to perform when an unspecified service is found on a server that this policy is applied to. The action can be set to not change the startup mode of the service or to disable the service.
Network security Select the ports to open for each network interface. Access to ports can be restricted based on the local network interface or based on remote IP addresses and subnets.
Registry settings Use the registry settings to configure protocols that are used to communicate with other computers.
Audit policy The audit policy determines which success and failure events are logged and the file system objects that are audited.

For more information about the SCW, see the SCW Help file or Windows Server 2003 Security Configuration Wizard.

For more information about the services and ports that are enabled by the Exchange 2007 SCW registration files, see Services and Port Executables Enabled by the Exchange 2007 SCW Registration Files.

Using the Exchange Server 2007 SCW Template

After you install an Exchange server role, follow these steps to configure a security policy by using the SCW:

Install the SCW. For detailed steps, see How to Install the Security Configuration Wizard.
Register the SCW extension. For detailed steps, see How to Register Exchange Server Role SCW Extensions.
Create a custom security policy and apply the policy to the local server. For detailed steps, see How to Create a New Exchange Server Role SCW Policy.
If you have more than one Exchange server in your organization running a given role, you can apply your custom security policy to each Exchange server. For detailed steps, see How to Apply an Existing SCW Policy to an Exchange Server Role.