Securing Exchange 2000 Servers Resource Guide

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
  1. Before you begin: Verify that your server operating system, systems architecture, and network infrastructure are secure. Refer to the Securing Windows 2000 Server Resource Guide and the Securing IIS 5.0 Resource Guide for more information. The remainder of this document provides only information relating directly to Exchange 2000 Server. However, it is critical to follow the guidelines in those documents to create a secure environment in which Exchange 2000 Server can operate.

  2. Install the latest Exchange 2000 Server service packs.

  3. Use the HotFix & Security Bulletin Service to find updates released since the latest service pack. Search for updates by specifying the current service pack level.

  4. Subscribe to the Microsoft Security Notification Service to receive notifications of future security updates.

  5. Disable all unnecessary services, including unused Exchange services. Refer to Chapter 3 of the Security Operations Guide for Exchange 2000 Server, “Securing Exchange 2000 Servers Based on Role” for more information.

  6. Minimize the number of users with Exchange Administrator or Exchange Full Administrator privileges.

    Organizations with multiple Exchange administrators should delegate Exchange administrative roles to groups using the Exchange Administration Delegation Wizard. Place individual Exchange administrator accounts in those groups instead of assigning rights directly to the user accounts.

  7. Restrict user storage limits to prevent denial-of-service attacks.

  8. Use the Baseline Security Analyzer to scan and evaluate the security of your Exchange Server.

  9. Secure the Active Directory infrastructure, as described in Chapter 5 of the Securing Windows 2000 Server Guide.

  10. If you are using Outlook Web Access, secure Internet Information Services (IIS). Refer to the IIS 5.0 Security Checklist for more information. Read Microsoft Knowledge Base article 309508, “IIS Lockdown and URLscan Configurations in Exchange Environment.”
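
Step 7 above, as an added example that is not part of the original guide: a Python check over a directory export that lists mailboxes with no enforced size cap. It assumes an ldifde-style export carrying the Active Directory attributes homeMDB, mDBUseDefaults and mDBOverHardQuotaLimit; the sample records and the function names are constructed for illustration.

```python
# Constructed sample in ldifde export style (not from a real directory).
SAMPLE_LDIF = """\
dn: CN=Store A,CN=SG1,CN=EX01
mDBOverHardQuotaLimit: 120000

dn: CN=Store B,CN=SG1,CN=EX02
mDBStorageQuota: 90000

dn: CN=Alice,CN=Users,DC=example,DC=com
homeMDB: CN=Store A,CN=SG1,CN=EX01
mDBUseDefaults: TRUE

dn: CN=Bob,CN=Users,DC=example,DC=com
homeMDB: CN=Store A,CN=SG1,CN=EX01
mDBUseDefaults: FALSE

dn: CN=Carol,CN=Users,DC=example,DC=com
homeMDB: CN=Store B,CN=SG1,CN=EX02
"""
HARD_LIMIT = "mdboverhardquotalimit"  # KB; send and receive are refused above it

def parse_ldif(text):
    """Map lowercased DN -> {lowercased attribute: value}; plain single-valued lines only."""
    records = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs[key.lower()] = value.strip()
        if "dn" in attrs:
            records[attrs["dn"].lower()] = attrs
    return records

def unlimited_mailboxes(text):
    """Return (mailbox DN, reason) for every mailbox with no enforced hard limit."""
    records = parse_ldif(text)
    findings = []
    for attrs in records.values():
        if "homemdb" not in attrs:  # not a mailbox-enabled object
            continue
        # Assumption: an absent mDBUseDefaults means the store defaults apply.
        if attrs.get("mdbusedefaults", "TRUE").upper() == "TRUE":
            store = records.get(attrs["homemdb"].lower(), {})
            if not store.get(HARD_LIMIT, "").isdigit():
                findings.append((attrs["dn"], "store default has no hard limit"))
        elif not attrs.get(HARD_LIMIT, "").isdigit():
            findings.append((attrs["dn"], "per-user override has no hard limit"))
    return findings
```

In the sample, Store B sets only a warning threshold (mDBStorageQuota), so mailboxes on it are still reported; a store that is missing from the export is reported the same way.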

Ongoing Security Maintenance

Without ongoing maintenance, your system can become vulnerable to new forms of attack. Further, the security of your system will degrade over time through human error by the administrators who manage it. Follow these recommended steps on a regular basis:

  1. Use the Baseline Security Analyzer regularly to scan and evaluate the security of Exchange Server.

  2. Subscribe to the Microsoft Security Notification Service. This is a free email notification service that Microsoft uses to send information to subscribers about the security of Microsoft products.

  3. Apply new security fixes as they become available. Microsoft has created the Qchain tool to chain hotfixes together so that only one reboot is required when installing several fixes.

Additional Security Resources

You can find additional information about keeping your Exchange servers secure in the following sources: