Services for Hardening a Back-End Server
The following table lists the recommended baseline settings you should start with when hardening the services for an Exchange back-end server (the Exchange_2003-Backend_V1_1.inf file configures these settings automatically). All Internet-based mail retrieval protocols are disabled. The reason for this is to implement a hardened start-up configuration that requires you to enable each service as it is required.
Service settings configured by Exchange_2003-Backend_V1_1.inf
| Service Name | Startup Mode | Reason |
|---|---|---|
Microsoft Exchange IMAP4 |
Disabled |
Server not configured for IMAP4 |
Microsoft Exchange Information Store |
Automatic |
Needed to access mailbox and public folder stores |
Microsoft Exchange POP3 |
Disabled |
Server not configured for POP3 |
Microsoft Search |
Disabled |
Not required for core functionality |
Microsoft Exchange Event |
Disabled |
Only needed for backwards compatibility with Exchange 5.5 |
Microsoft Exchange Site Replication Service |
Disabled |
Only needed for backwards compatibility with Exchange 5.5 |
Microsoft Exchange Management |
Automatic |
Required for message tracking to function and Exchange Server Best Practices Analyzer functionality |
Windows Management Instrumentation |
Automatic |
Required for Microsoft Exchange management |
Microsoft Exchange MTA Stacks |
Automatic |
Only needed for backwards compatibility, mailbox moves, or if there are X.400 connectors on the computer |
Microsoft Exchange System Attendant |
Automatic |
Needed for Exchange maintenance and other tasks |
Microsoft Exchange Routing Engine |
Automatic |
Needed to coordinate message transfer between Exchange servers |
IPSEC Policy Agent |
Automatic |
Needed to implement IPSec policy on server |
IIS Admin Service |
Automatic |
Required by HTTP, SMTP and the Exchange routing engine |
NTLM Security Support Provider |
Automatic |
System Attendant depends on this service |
Simple Mail Transfer Protocol (SMTP) |
Automatic |
Required for Exchange transport |
World Wide Web Publishing Service |
Automatic |
Required for communication with servers running Outlook Web Access and Outlook Mobile Access |
HTTP SSL |
Manual |
Starts automatically when required for the World Wide Web Publishing Service |
Network News Transport Protocol (NNTP) |
Disabled |
Only needed for setup and newsgroup functionality |
Remote Registry |
Automatic |
Required for Exchange Setup and remote administration |
Note
For the Exchange System Attendant to start, the following Windows services must be up and running:
Event Log
NTLM Security Support Provider
RPC
Server
Workstation