Exchange Server 2003 Secure-By-Default: Upgrading from Exchange 2000 Server
Topic Last Modified: 2006-10-31
When you upgrade from Exchange 2000 to Exchange 2003, Exchange 2003 ForestPrep and Exchange 2003 Setup configure most of the "secure-by-default" settings that a new Exchange 2003 installation receives. This topic explains which security settings are configured automatically during an upgrade and which you must configure manually.
One of the most effective denial-of-service attacks occurs when a messaging system is inundated with large messages (20+ MB). This type of attack forces the messaging server to move large blocks of data, which could impact a computer's input/output (I/O) to the extent that mail service is delayed or interrupted.
As a response to this type of attack, Exchange 2003 sets all message limits to 10 MB (10240 KB). This includes messages that are sent from and received by the Exchange organization. In addition, a 10 MB message size limit is imposed for all messages posted to public folders.
During an upgrade, Exchange Setup does not change limits that have already been set. Exchange Setup only imposes these settings if the limits are set to No limit.
To configure the settings for sending and receiving messages, in Exchange System Manager, use the Defaults tab in Global Message Delivery properties.
To configure the maximum message size settings for public folders, in Exchange System Manager, use the Limits tab in Public Folder Store properties.
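Because Setup only replaces limits that are still set to No limit, an upgraded organization can keep a pre-existing limit that is larger than 10 MB, or miss the default entirely if the attribute was cleared later. The following script is an added example, not part of the original article, that reads the Global Message Delivery limits from Active Directory and flags anything still unlimited or above 10240 KB. It assumes that the limits are stored on the "Message Delivery" object under Global Settings in the configuration partition, in the attributes delivContLength (receiving) and submissionContLength (sending), in KB, and that an absent attribute means No limit; the function and variable names are the example's own.

```powershell
# Added example (not from the original article): audit the Global Message
# Delivery limits that Exchange 2003 Setup sets to 10240 KB when they were
# "No limit". Assumptions: the values live on the "Message Delivery" object
# under Global Settings in the configuration naming context, in the
# attributes delivContLength (receiving) and submissionContLength (sending),
# expressed in KB; an attribute that is not set means "No limit".
# Run from any domain-joined machine with read access to the configuration NC.

$expectedKB = 10240

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.configurationNamingContext.Value

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNC"
$searcher.Filter     = "(cn=Message Delivery)"
foreach ($attr in "distinguishedName", "delivContLength", "submissionContLength") {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$result = $searcher.FindOne()
if (-not $result) { throw "Message Delivery object not found under $configNC" }

# SearchResult property names come back lower-cased; absent attributes are not present at all
$props = $result.Properties
function Get-Prop([string]$Name) {
    if ($props.Contains($Name)) { $props[$Name][0] } else { $null }
}

function Test-Limit {
    param([string]$Name, $Value)
    if ($null -eq $Value) {
        Write-Warning "$Name is 'No limit' (attribute not set); Setup would have applied $expectedKB KB"
    } elseif ([int]$Value -gt $expectedKB) {
        Write-Warning "$Name is $Value KB, above the $expectedKB KB secure-by-default value"
    } else {
        Write-Host "$Name = $Value KB (OK)"
    }
}

Write-Host "Checked: $(Get-Prop 'distinguishedname')"
Test-Limit -Name "Receiving message size" -Value (Get-Prop 'delivcontlength')
Test-Limit -Name "Sending message size"   -Value (Get-Prop 'submissioncontlength')
```

Run it after the upgrade completes; a warning for either value means the Defaults tab in Global Message Delivery properties still needs attention, because Setup will not revisit a limit that an administrator has already set.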
Exchange 2003 also provides limits for MIME content. These limits are also imposed when you upgrade to Exchange 2003. The following table describes these settings. If any MIME limit is reached, a non-delivery report (NDR) is sent back to the sender.

| Setting | Description |
|---|---|
| Nested MIME parts | Number of nested MIME parts per message. |
| Body parts | Maximum number of body parts in any given message. |
| Message ID header size | Maximum size of the Message-ID header. |
| Subject header size | Maximum size of the subject header. |
| MIME header size | Maximum size (2000 bytes each) of any one of the following headers: Content-Type, Content-Description, Content-Disposition, Content-Transfer-Encoding, Content-ID, Content-Base, Content-Location. |
Exchange 2003 Setup does not make any changes to the existing configuration of Windows services. It is highly recommended that you either apply the Exchange Security Group Policy Templates or configure the services according to the server's role.
The setting to enable Outlook Mobile Access functionality is set when you run Exchange 2003 ForestPrep. By default, Exchange 2003 ForestPrep does not enable Outlook Mobile Access. However, during an upgrade, if Outlook Mobile Access is already enabled, Exchange 2003 ForestPrep does not disable it.
During an upgrade from Exchange 2000, Exchange 2003 Setup removes the M: drive.
During an upgrade from Exchange 2000, Exchange 2003 Setup hardens some virtual server instances of POP3, IMAP4, and NNTP.
When upgrading an Exchange 2000 computer that is configured as a front-end server, Exchange 2003 Setup disables anonymous access and enables Basic authentication on the POP3 and IMAP4 virtual servers. If you are upgrading a back-end server, the virtual server instances are not altered.
During an upgrade, Exchange 2003 Setup modifies the default instances of NNTP virtual servers. Specifically, anonymous authentication is disabled and Basic authentication and Integrated Windows authentication are enabled. Non-default virtual servers (virtual server instances that Setup does not create) are not altered during upgrade. If you created new NNTP virtual server instances, be sure that appropriate authentication is required.
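Because Setup hardens only the default instances (and, for POP3 and IMAP4, only on front-end servers), the practical check after an upgrade is to enumerate every virtual server instance rather than just the first one. The script below is an added example, not from the original article, that lists the authentication settings of all POP3, IMAP4 and NNTP virtual servers through the IIS metabase ADSI provider on the server itself. It assumes the metabase paths IIS://localhost/POP3SVC, IIS://localhost/IMAP4SVC and IIS://localhost/NntpSvc with one numbered child key per virtual server, and the IIS AuthFlags bitmask (1 = Anonymous, 2 = Basic, 4 = Integrated Windows); the function name is the example's own.

```powershell
# Added example (not from the original article): report the authentication
# settings of every POP3, IMAP4 and NNTP virtual server on this Exchange 2003
# server, including non-default instances that Setup leaves untouched.
# Assumptions: metabase paths IIS://localhost/POP3SVC, IMAP4SVC and NntpSvc,
# numbered child keys per virtual server, and the IIS AuthFlags bitmask
# 1 = Anonymous, 2 = Basic, 4 = Integrated Windows. Run locally as an administrator.

$ANON  = 1
$BASIC = 2
$NTLM  = 4

function Decode-AuthFlags {
    param([int]$Flags)
    $names = @()
    if ($Flags -band $ANON)  { $names += "Anonymous" }
    if ($Flags -band $BASIC) { $names += "Basic" }
    if ($Flags -band $NTLM)  { $names += "IntegratedWindows" }
    if ($names.Count -eq 0)  { $names += "(none)" }
    $names -join ","
}

foreach ($svc in "POP3SVC", "IMAP4SVC", "NntpSvc") {
    $root = [ADSI]"IIS://localhost/$svc"
    # Binding is lazy; RefreshCache forces it and fails if the service is not installed
    try { $root.psbase.RefreshCache() } catch { Write-Host "$svc is not present on this server"; continue }

    foreach ($vs in $root.psbase.Children) {
        # Virtual server instances are the numbered keys; skip Info and other children
        if ($vs.psbase.Name -notmatch '^\d+$') { continue }
        $flags = [int]$vs.AuthFlags.Value     # unset property reads as 0 (no methods)
        $label = "$svc/$($vs.psbase.Name)"
        if ($flags -band $ANON) {
            Write-Warning "$label allows anonymous access: $(Decode-AuthFlags $flags)"
        } else {
            Write-Host "$label requires authentication: $(Decode-AuthFlags $flags)"
        }
    }
}
```

Any instance reported with Anonymous set, or with no authentication method at all, is one that Setup did not create or did not touch and should be corrected in Exchange System Manager.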
In Exchange 2003, Domain Users cannot log on locally to the Exchange server. During an upgrade, Exchange 2003 Setup configures the local computer policy to deny local access for Domain Users.
In Exchange 2003, members of the Everyone group and Anonymous users cannot create a top-level public folder hierarchy. During an upgrade, Exchange 2003 ForestPrep configures this access control setting.
For both upgrades and new installations, Exchange 2003 Setup applies access control lists (ACLs) to the directories it creates based on the explicit ACLs set on the Program Files directory. If you or another administrator modified the default ACLs on the Program Files directory, Exchange 2003 Setup carries that modification over to most of the directories created during Setup; apart from those explicit changes, the directories are locked down. However, regardless of the explicit ACLs on the Program Files directory, Exchange Setup configures the Mailroot directory (located in \Program Files\Exchsrvr) so that Guest account access and anonymous access are removed.
It is highly recommended that you configure access control on the Exchange directories. For information about how to configure access control on your Exchange directories, see Hardening Back-End Servers.
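Two of the local lockdowns described above, the "Deny log on locally" right for Domain Users and the removal of Guest and anonymous access from Mailroot, are easy to verify on the upgraded server. The following script is an added example, not from the original article, that exports the local security policy with secedit and inspects SeDenyInteractiveLogonRight, then reads the Mailroot ACL and reports any Allow entry for the Guest account (RID 501) or ANONYMOUS LOGON (S-1-5-7). It assumes the default installation path \Program Files\Exchsrvr named above; the function names are the example's own.

```powershell
# Added example (not from the original article): verify that Domain Users are
# denied local logon and that Mailroot grants nothing to Guest or ANONYMOUS LOGON.
# Assumption: default install path \Program Files\Exchsrvr; adjust $mailroot otherwise.
# Run locally as an administrator (secedit /export requires it).

$mailroot = Join-Path $env:ProgramFiles "Exchsrvr\Mailroot"

function Get-DenyLocalLogon {
    # secedit writes an INI-style file; the right is a comma-separated list
    # of *SID entries or account names under [Privilege Rights]
    $inf = Join-Path $env:TEMP "secpol-audit.inf"
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    @(($line -split '=', 2)[1].Trim() -split ',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }      # unresolvable SID: keep the raw form
        } else { $entry }
    }
}

$denied = @(Get-DenyLocalLogon)
if ($denied | Where-Object { $_ -match '\\Domain Users$' }) {
    Write-Host "OK: Domain Users are denied local logon"
} else {
    Write-Warning "Domain Users are NOT in 'Deny log on locally' (current: $($denied -join ', '))"
}

function Get-UnwantedAces {
    param([string]$Path)
    $guestRid = '-501'       # Guest account (local or domain) ends in RID 501
    $anonSid  = 'S-1-5-7'    # ANONYMOUS LOGON
    (Get-Acl $Path).Access | Where-Object {
        if ($_.AccessControlType -ne 'Allow') { return $false }   # a Deny ACE is not access
        try {
            $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            ($sid -eq $anonSid) -or $sid.EndsWith($guestRid)
        } catch { $false }
    }
}

if (Test-Path $mailroot) {
    $bad = @(Get-UnwantedAces -Path $mailroot)
    if ($bad.Count -eq 0) {
        Write-Host "OK: no Guest or ANONYMOUS LOGON access on $mailroot"
    } else {
        foreach ($ace in $bad) {
            Write-Warning "$mailroot grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
        }
    }
} else {
    Write-Warning "Mailroot not found at $mailroot"
}
```

The logon-right check matches on the resolved name rather than a hard-coded SID because the Domain Users SID is domain-specific; the ACL check does the reverse and compares SIDs so that renamed Guest accounts are still caught.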