Security-Hardening Exchange 2003 Servers


This section explains how to harden Exchange 2003 servers based on their role in your organization. This section is divided into three main sub-sections.

  • Hardening the Windows Infrastructure: This section provides the preliminary steps you must perform before hardening your Exchange servers.

  • Hardening Back-End Servers: This section provides the steps you must perform to harden the Exchange mailbox server, including how to disable non-essential services, restrict access to local directories, and other configurations.

  • Hardening Front-End Servers: This section provides the steps you must perform to harden an Exchange front-end server. This section also discusses front-end server roles and provides more granular configuration recommendations in accordance with these roles. In addition, this section includes information about URLScan—a tool that runs on IIS and allows you to specify exactly which HTTP requests can run against the computer.

This section, and the remainder of this guide, is written with the assumption that you have read the Windows Server 2003 Security Guide and have implemented the recommendations for hardening your domain, domain controllers, and member servers. In some cases, the Exchange 2003 configuration recommendations in this section are dependent on recommendations in the Windows Server 2003 Security Guide. These requirements are specified where appropriate.

Furthermore, all of the recommendations in this section are derived from the configurations in the Exchange Group Policy Security Templates. You can download these security templates from the Microsoft Download Center. (For detailed information about these templates, see "Deploying the Exchange Group Policy Security Templates.") Specifically, this section explains the settings within the security templates, in case you want to configure your servers manually.

Alternatively, you can import the provided templates in one of two ways:

  • You can import any security template to a local computer. To do this, open the Local Security Policy MMC snap-in, right-click Security Settings, and then click Import Policy. Navigate to and then double-click the appropriate Exchange Group Policy Security Template.

  • You can mirror the recommended Active Directory organizational structure (as recommended by both the Windows Server 2003 Security Guide and this guide) and then use the Group Policy Object Editor to import the policies into the appropriate organizational units. For specific information about this method, see "Deploying the Exchange Group Policy Security Templates."

    Important

    Because the "Deploying Exchange Group Policy Security Templates" section is written with the assumption that you understand how to harden Exchange 2003 servers, it is important that you read the topics in the "Security-Hardening Exchange 2003 Servers" section first.
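The first method above, importing a template into the local policy, can also be scripted with secedit and then verified against the same template; this is an added example, not part of the guide, and the template path is an assumed placeholder.

```powershell
# Added example (not from the guide): apply an Exchange Group Policy Security
# Template to the local policy with secedit, then re-analyze to confirm that
# the effective local settings match the template. Run from an elevated shell.
$Template = 'C:\Templates\<Exchange-template-name>.inf'   # assumption: path to the downloaded template
$Db       = "$env:TEMP\exchange-hardening.sdb"
$ApplyLog = "$env:TEMP\exchange-hardening-apply.log"
$CheckLog = "$env:TEMP\exchange-hardening-analyze.log"

if (-not (Test-Path $Template)) { throw "Template not found: $Template" }

# Import the template into a fresh database and apply it (the command-line
# equivalent of Security Settings -> Import Policy in the Local Security
# Policy snap-in). /overwrite discards any existing database content.
secedit /configure /db $Db /cfg $Template /overwrite /log $ApplyLog /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed, see $ApplyLog" }

# Verify: compare the current local settings against the template. Any
# setting that drifted from the template is recorded as a mismatch in the log;
# review these in the test environment before rolling out to production.
secedit /analyze /db $Db /cfg $Template /log $CheckLog
Get-Content $CheckLog | Select-String -Pattern 'Mismatch'
```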

As with all software deployments, be sure to thoroughly test all recommended configurations in a test environment before you deploy in a production environment.

Note

Running custom applications or third-party Exchange or Outlook plug-ins may require further configuration and testing.