Securing Exchange Server and Outlook

The following considerations are for Microsoft Exchange Server, and some are specific to Exchange Server in a Microsoft Dynamics CRM environment:

• Exchange Server contains a rich series of mechanisms for precise administrative control of its infrastructure. In particular, you can use administrative groups to collect Exchange Server objects, such as servers, connectors, or policies, and then modify the access control lists (ACL) on those administrative groups to make sure that only certain users can access them. You may, for example, want to give Microsoft Dynamics CRM administrators some control over servers that directly affect their applications. When you implement efficient use of administrative groups, you can make sure that you give Microsoft Dynamics CRM administrators only the rights that they require to perform their jobs.
• Frequently, you may find it convenient to create a separate organizational unit (OU) for Microsoft Dynamics CRM users, and give Microsoft Dynamics CRM administrators limited administrative rights over that OU. They can make the change for any user in that OU, but not for any user outside it.
• You should make sure that you adequately protect against unauthorized e-mail relay. E-mail relay is a feature that lets an SMTP client use an SMTP server to forward e-mail messages to a remote domain. By default, Exchange Server 2003, Exchange Server 2007, and Microsoft Exchange Server 2010 are configured to prevent e-mail relay. The settings that you configure will depend on your message flow and configuration of your Internet service provider's (ISP) e-mail server. However, the best way to approach this problem is to lock down your e-mail relay settings and then gradually open them to allow e-mail to flow successfully. For more information, see the Exchange Server Help.
• If you use forward mailbox monitoring, the E-mail Router requires an Exchange Server or POP3-compliant mailbox. We recommend that the ACLs on this mailbox be set to prevent other users from adding server-side rules.
• The Microsoft Dynamics CRM E-mail Router service operates under the Local System account. This enables the E-mail Router to access a specified user's mailbox and process e-mail in that mailbox.

For more information about how to make Exchange Server more secure, see the following:

• Microsoft Exchange Server 2003 Security Hardening Guide.
• Microsoft Exchange Server 2007, see Security and Protection information in the Microsoft TechNet Library.
• Microsoft Exchange Server 2010, see the Deployment Security Checklist on Microsoft TechNet.