Checklist - Securing Exchange 2000 Servers Based on Role
Updated : February 3, 2004
On This Page
How to Use This Checklist
Securing Exchange using Group Policy Settings
Installing and Updating Exchange
Additional Security Measures
Stores on OWA Front-End Servers
SMTP Banner
Exchange Server Group Lockdown
How to Use This Checklist
This checklist is a companion to the module, "Securing Exchange 2000 Servers Based on Role." Use it to help you to secure your Exchange 2000 servers, or as a quick reference for the corresponding module. This checklist should develop as you discover steps that help you to implement your secure Exchange organization.
Securing Exchange using Group Policy Settings
Check |
Description |
|---|---|
Test environment setup and Group Policy settings thoroughly tested. |
|
Organizational unit (OU) structure modified as recommended in module and servers moved into appropriate OUs. |
|
Security templates contained in ExSecurityOps.exe included with this guidance downloaded. |
|
New Group Policy object "Exchange DC Policy" created in domain controller OU and Exchange document controller incremental.inf imported. |
|
Replication forced between domain controllers. |
|
All domain controllers have new policy. |
|
Domain controllers restarted sequentially. |
|
New Group Policy object "OWA Policy" created in Outlook Web Access (OWA) front-end server OU. |
|
OWA front-end Incremental.inf imported. |
|
New Group Policy object "Exchange Back-End Policy" created in Exchange back-end server OU. |
|
Exchange back-end Incremental.inf imported. |
|
Replication forced between domain controllers. |
|
Policy downloaded on Exchange servers by using secedit /refreshpolicy machine_policy /enforce command. |
|
All Exchange servers restarted. |
|
Specified services disabled on OWA front-end and Exchange back-end servers. |
|
Changes to Exchange back-end server file access control lists (ACLs). |
|
Network News Transport Protocol (NNTP) service disabled if not in use. |
|
Necessary services re-enabled for Exchange environment to function. |
Installing and Updating Exchange
Check |
Description |
|---|---|
System Attendant service on OWA front-end servers enabled and started. |
|
Distributed Transaction Coordinator service on all Exchange servers enabled and started. |
|
NNTP service on all Exchange servers enabled and started. |
|
Microsoft Windows operating system Installer service on all Exchange servers enabled and started. |
|
Windows Management Instrumentation (WMI) service on OWA front-end servers enabled and started. |
Additional Security Measures
Check |
Description |
|---|---|
IIS Lockdown Tool IISLockd.exe on all Exchange servers installed and started. |
|
Only Web Service Hypertext Transfer Protocol (HTTP) is enabled. |
|
Virtual directories removed. |
|
URLScan installed. |
|
IIS Lockdown and URLScan settings modified for your organization. |
|
Change Password feature in OWA removed. |
Stores on OWA Front-End Servers
Check |
Description |
|---|---|
System Attendant and NTLM Security Support Provider services started. |
|
Mailbox Store dismounted and "Do not mount this store at start-up" checked. |
|
Public Folder Store dismounted and deleted. |
SMTP Banner
Check |
Description |
|---|---|
Metabase edited to remove SMTP Banner. |
|
Simple Mail Transfer Protocol (SMTP) service restarted. |
Exchange Server Group Lockdown
Check |
Description |
|---|---|
EDSLock script run. |