Updated: February 3, 2004
How to Use This Checklist
This checklist is a companion to the module, "Securing Exchange 2000 Servers Based on Role." Use it to help you to secure your Exchange 2000 servers, or as a quick reference for the corresponding module. This checklist should develop as you discover steps that help you to implement your secure Exchange organization.
Securing Exchange using Group Policy Settings

| Check | Description |
| --- | --- |
|  | Test environment setup and Group Policy settings thoroughly tested. |
|  | Organizational unit (OU) structure modified as recommended in module and servers moved into appropriate OUs. |
|  | Security templates contained in ExSecurityOps.exe included with this guidance downloaded. |
|  | New Group Policy object "Exchange DC Policy" created in domain controller OU and Exchange domain controller incremental.inf imported. |
|  | Replication forced between domain controllers. |
|  | All domain controllers have new policy. |
|  | Domain controllers restarted sequentially. |
|  | New Group Policy object "OWA Policy" created in Outlook Web Access (OWA) front-end server OU. |
|  | OWA front-end Incremental.inf imported. |
|  | New Group Policy object "Exchange Back-End Policy" created in Exchange back-end server OU. |
|  | Exchange back-end Incremental.inf imported. |
|  | Replication forced between domain controllers. |
|  | Policy downloaded on Exchange servers by using secedit /refreshpolicy machine_policy /enforce command. |
|  | All Exchange servers restarted. |
|  | Specified services disabled on OWA front-end and Exchange back-end servers. |
|  | Changes to Exchange back-end server file access control lists (ACLs). |
|  | Network News Transport Protocol (NNTP) service disabled if not in use. |
|  | Necessary services re-enabled for Exchange environment to function. |

Installing and Updating Exchange

| Check | Description |
| --- | --- |
|  | System Attendant service on OWA front-end servers enabled and started. |
|  | Distributed Transaction Coordinator service on all Exchange servers enabled and started. |
|  | NNTP service on all Exchange servers enabled and started. |
|  | Windows Installer service on all Exchange servers enabled and started. |
|  | Windows Management Instrumentation (WMI) service on OWA front-end servers enabled and started. |

Additional Security Measures

| Check | Description |
| --- | --- |
|  | IIS Lockdown Tool (IISLockd.exe) on all Exchange servers installed and started. |
|  | Only Web Service Hypertext Transfer Protocol (HTTP) is enabled. |
|  | Virtual directories removed. |
|  | URLScan installed. |
|  | IIS Lockdown and URLScan settings modified for your organization. |
|  | Change Password feature in OWA removed. |

Stores on OWA Front-End Servers

| Check | Description |
| --- | --- |
|  | System Attendant and NTLM Security Support Provider services started. |
|  | Mailbox Store dismounted and "Do not mount this store at start-up" checked. |
|  | Public Folder Store dismounted and deleted. |

SMTP Banner

| Check | Description |
| --- | --- |
|  | Metabase edited to remove SMTP Banner. |
|  | Simple Mail Transfer Protocol (SMTP) service restarted. |

Exchange Server Group Lockdown

| Check | Description |
| --- | --- |
|  | EDSLock script run. |