Exchange Server 2003 Secure-By-Default: Upgrading from Exchange 2000 Server

When upgrading from Exchange 2000 to Exchange 2003, Exchange 2003 ForestPrep and Exchange 2003 Setup configure most of the "secure-by-default" settings that are implemented with new Exchange 2003 installations. This topic explains which security settings are configured automatically during an upgrade and which should be configured manually.

Message Limits

One of the most effective denial-of-service attacks occurs when a messaging system is inundated with large messages (20+ MB). This type of attack forces the messaging server to move large blocks of data, which could impact a computer's input/output (I/O) to the extent that mail service is delayed or interrupted.

As a response to this type of attack, Exchange 2003 sets all message limits to 10 MB (10240 KB). This includes messages that are sent from and received by the Exchange organization. In addition, a 10 MB message size limit is imposed for all messages posted to public folders.

During an upgrade, Exchange Setup does not change limits that have already been set. Exchange Setup only imposes these settings if the limits are set to No limit.

To configure the settings for sending and receiving messages, in Exchange System Manager, use the Defaults tab in Global Message Delivery properties.

To configure the maximum message size settings for public folders, in Exchange System Manager, use the Limits tab in Public Folder Store properties.

Exchange 2003 also provides message limits for MIME. These limits are also imposed when upgrading to Exchange 2003. The following table describes these settings.

Note

If a MIME limit is reached, a non-delivery report (NDR) is sent back to the sender.

MIME Limits

Limit                    Value            Description
Nesting levels           30               Number of nested MIME parts per message.
Body parts               250              Maximum number of body parts in any given message.
Message ID header size   1877 bytes       Maximum size of the Message-ID header.
Subject header size      2000 bytes       Maximum size of the subject header.
MIME header size         2000 bytes each  Maximum size of any one of the following headers: Content-Type, Content-Description, Content-Disposition, Content-Transfer-Encoding, Content-ID, Content-Base, Content-Location.
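The following checker is an added example and not Exchange code: it applies the thresholds from the MIME Limits table, plus the 10 MB global message limit, to a raw message so that an administrator can see offline which limit a rejected message tripped before the NDR is investigated. The sample messages it builds are constructed here, and three points are assumptions rather than documented Exchange behaviour: the top-level message counts as nesting depth 0 with each multipart or message/rfc822 container adding one level, only leaf parts count as body parts, and header sizes are measured on the header value as received.

```python
"""Added example (not Exchange code): check a raw message against the
Exchange 2003 MIME limits and the 10 MB global message size limit."""

import email
from email import policy
from email.message import Message

# Thresholds as documented for Exchange 2003.
MAX_MESSAGE_BYTES = 10 * 1024 * 1024     # 10 MB (10240 KB) global limit
MAX_NESTING_LEVELS = 30                  # nested MIME parts per message
MAX_BODY_PARTS = 250                     # body parts in any given message
MAX_MESSAGE_ID_BYTES = 1877              # Message-ID header
MAX_SUBJECT_BYTES = 2000                 # Subject header
MAX_MIME_HEADER_BYTES = 2000             # each of the headers below
SIZE_LIMITED_HEADERS = (
    "Content-Type", "Content-Description", "Content-Disposition",
    "Content-Transfer-Encoding", "Content-ID", "Content-Base", "Content-Location",
)


def header_bytes(value: str) -> int:
    """Wire size of a header value (assumption: size is measured on the value).
    compat32 keeps the original folding and surrogate-escapes raw non-ASCII
    bytes, so re-encoding recovers the bytes that arrived on the wire."""
    return len(value.encode("utf-8", "surrogateescape"))


def _walk(part: Message, depth: int, stats: dict, violations: list) -> None:
    """Assumption: top-level message is depth 0, each container (multipart or
    message/rfc822) adds one level, and only leaf parts count as body parts."""
    stats["nesting"] = max(stats["nesting"], depth)
    for name in SIZE_LIMITED_HEADERS:
        for value in part.get_all(name, []):
            size = header_bytes(value)
            if size > MAX_MIME_HEADER_BYTES:
                violations.append(f"{name} header at depth {depth} is {size} bytes "
                                  f"(limit {MAX_MIME_HEADER_BYTES})")
    if part.is_multipart():
        for sub in part.get_payload():
            _walk(sub, depth + 1, stats, violations)
    else:
        stats["body_parts"] += 1


def check_message(raw: bytes) -> dict:
    """Return the measured values and the list of limits the message exceeds."""
    violations = []
    if len(raw) > MAX_MESSAGE_BYTES:
        violations.append(f"message is {len(raw)} bytes (limit {MAX_MESSAGE_BYTES})")
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    for name, limit in (("Message-ID", MAX_MESSAGE_ID_BYTES), ("Subject", MAX_SUBJECT_BYTES)):
        for value in msg.get_all(name, []):
            size = header_bytes(value)
            if size > limit:
                violations.append(f"{name} header is {size} bytes (limit {limit})")
    stats = {"nesting": 0, "body_parts": 0}
    _walk(msg, 0, stats, violations)
    if stats["nesting"] > MAX_NESTING_LEVELS:
        violations.append(f"nesting depth {stats['nesting']} exceeds {MAX_NESTING_LEVELS}")
    if stats["body_parts"] > MAX_BODY_PARTS:
        violations.append(f"{stats['body_parts']} body parts exceeds {MAX_BODY_PARTS}")
    return {"size": len(raw), **stats, "violations": violations, "accepted": not violations}


# --- constructed sample messages (not real traffic) --------------------------

def build_nested(levels: int) -> bytes:
    """Wrap one text part in `levels` multipart/mixed containers."""
    body = b"Content-Type: text/plain\r\n\r\nleaf\r\n"
    for i in range(levels):
        b = b"lvl%03d" % i
        body = (b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n'
                b"--" + b + b"\r\n" + body + b"--" + b + b"--\r\n")
    return b"From: a@example.com\r\nSubject: nested\r\n" + body


def build_flat(parts: int) -> bytes:
    """One multipart/mixed container holding `parts` sibling text parts."""
    body = b"".join(b"--flat\r\nContent-Type: text/plain\r\n\r\npart %d\r\n" % i
                    for i in range(parts))
    return (b"Subject: flat\r\nContent-Type: multipart/mixed; boundary=flat\r\n\r\n"
            + body + b"--flat--\r\n")


if __name__ == "__main__":
    for label, raw in (("30 levels", build_nested(30)), ("31 levels", build_nested(31)),
                       ("250 parts", build_flat(250)), ("251 parts", build_flat(251)),
                       ("long subject", b"Subject: " + b"x" * 2001 + b"\r\n\r\nhi\r\n")):
        result = check_message(raw)
        print(label, "accepted" if result["accepted"] else result["violations"])
```

Run it over a saved .eml file by passing its bytes to check_message; the boundary cases (exactly 30 levels, exactly 250 parts, a 2000-byte subject) are accepted and the first value past each limit is reported, which is the behaviour an NDR for one of these limits corresponds to.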

Services

Exchange 2003 Setup does not make any changes to existing service configuration. It is highly recommended that you either apply the Exchange Security Group Policy Templates or configure the services in accordance with the server's role.

Outlook Mobile Access

The setting to enable Outlook Mobile Access functionality is set when you run Exchange 2003 ForestPrep. By default, Exchange 2003 ForestPrep does not enable Outlook Mobile Access. However, during an upgrade, if Outlook Mobile Access is already enabled, Exchange 2003 ForestPrep does not disable it.

M: Drive

During an upgrade from Exchange 2000, Exchange 2003 Setup removes the M: drive.

Virtual Server Authentication

During an upgrade from Exchange 2000, Exchange 2003 Setup hardens some virtual server instances of POP3, IMAP4, and NNTP.

POP3 and IMAP4 Virtual Servers

When upgrading an Exchange 2000 computer that is configured as a front-end server, Exchange 2003 Setup disables anonymous access and enables Basic authentication on POP3 and IMAP4 virtual servers. If you are upgrading a back-end server, the virtual server instances are not altered.

NNTP Virtual Servers

During an upgrade, Exchange 2003 Setup modifies the default instances of NNTP virtual servers. Specifically, anonymous authentication is disabled and Basic authentication and Integrated Windows authentication are enabled. Non-default virtual servers (virtual server instances that Setup does not create) are not altered during upgrade. If you created new NNTP virtual server instances, be sure that appropriate authentication is required.

Local Access Denied for Domain Users

In Exchange 2003, Domain Users cannot log on locally to the Exchange server. During an upgrade, Exchange 2003 Setup configures the local computer policy to deny local access for Domain Users.
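A way to verify after the upgrade that the local policy still denies local logon to Domain Users, as an added example that is not part of this documentation: export the local user rights with secedit /export /cfg <file> /areas USER_RIGHTS (a real Windows command) and parse the resulting .inf. The "Deny log on locally" right is SeDenyInteractiveLogonRight and Domain Users is the well-known RID 513 under the domain SID. The sample export in the block is constructed with a placeholder domain SID, and the assumption is that the export uses the standard [Privilege Rights] section with comma-separated, *-prefixed SIDs or account names.

```python
"""Added example (not Exchange code): check a secedit user-rights export for
Domain Users in SeDenyInteractiveLogonRight ("Deny log on locally")."""

import re

DENY_LOCAL_LOGON = "SeDenyInteractiveLogonRight"
# Domain Users is RID 513 under a domain SID of the form S-1-5-21-A-B-C.
DOMAIN_USERS_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")


def parse_user_rights(inf_text: str) -> dict:
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section.
    Assumption: the .inf layout is [Section] headers, 'Name = a,b,c' lines,
    and ';' comments, as secedit and security templates write it."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def is_domain_users(principal: str) -> bool:
    """Match the Domain Users group by SID (RID 513) or by its account name."""
    name = principal.lstrip("*")
    if DOMAIN_USERS_SID.match(name):
        return True
    return name.split("\\")[-1].lower() == "domain users"


def domain_users_denied_local_logon(inf_text: str) -> bool:
    """True when Domain Users is listed under the deny-local-logon right."""
    principals = parse_user_rights(inf_text).get(DENY_LOCAL_LOGON, [])
    return any(is_domain_users(p) for p in principals)


def load_export(path: str) -> str:
    """secedit writes its export as UTF-16 (the file starts with [Unicode])."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


# Constructed sample export; the domain SID is a placeholder, not a real one.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-513
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    import sys
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    print("Domain Users denied local logon:", domain_users_denied_local_logon(text))
```

Point the script at the exported file to audit a real server; a False result means the setting this section describes has been removed or overridden (for example by a domain policy) and the local logon restriction should be restored.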

Top Level Public Folder Creation

In Exchange 2003, members of the Everyone group and Anonymous users cannot create a top-level public folder hierarchy. During an upgrade, Exchange 2003 ForestPrep configures this access control setting.

Access Control Configuration

For both upgrades and new installations, Exchange 2003 Setup applies access control lists (ACLs) to the directories that it creates according to the explicit ACLs that are set on the Program Files directory. If you or another administrator modified the default ACLs on the Program Files directory, Exchange 2003 Setup applies that modification to most of the directories created during Setup. Aside from the explicit changes, the directories are otherwise locked down. However, regardless of the explicit ACLs you may have on the Program Files directory, Exchange Setup configures the Mailroot directory (located in \Program Files\Exchsrvr) such that Guest account access and anonymous access are removed.

It is highly recommended that you configure access control on the Exchange directories. For information about how to configure access control on your Exchange directories, see Hardening Back-End Servers.