How to Configure and Run Exchange Server 2003 Clusters in a Security-Hardened Environment
Topic Last Modified: 2006-08-16
This topic explains how to apply the Exchange 2003 Cluster Node Group Policy Object (GPO) templates to your Microsoft® Exchange Server 2003 cluster nodes. Before you perform the procedures in this topic, it is important that you first read Running Exchange Server 2003 Clusters in a Security-Hardened Environment.
Note: Applying and enabling the GPO policies on your cluster nodes requires a restart of the computers in your cluster. Therefore, it is recommended that you apply the policies during non-peak hours.
The procedures in this topic require the following prerequisites:
All Exchange cluster nodes are running Exchange Server 2003 Service Pack 1 (SP1) on Microsoft Windows Server™ 2003.
You have implemented the Windows Server 2003 Enterprise Client Member Server Security and the Exchange 2003 Backend GPO templates in your organization.
Your organizational unit (OU) hierarchy is configured in accordance with the recommendations in the Windows Server 2003 Security Guide and the Exchange Server 2003 Security Hardening Guide. If your hierarchy does not match the recommended OU hierarchy, the procedures in this topic will still apply, provided that your hierarchy (and the resulting GPO policy inheritance) enforces the same effective GPO policies recommended in the aforementioned guides.
You have downloaded the Exchange 2003 Cluster Node GPO files. The Exchange 2003 Cluster Node GPO files are available when you download the Exchange Server 2003 Security Hardening Guide. The Exchange 2003 Cluster Node GPO files must be available to the computer where you will be creating the Exchange Cluster Node Policy GPO.
Important: Applying the Exchange 2003 Cluster Node GPO templates in isolation does not harden your Exchange environment. The Exchange 2003 Cluster Node GPO templates assume that both the Exchange Backend and the Windows Server 2003 Enterprise Client Member Server Security GPO templates have been applied and are inherited by the OU where you placed your Exchange cluster nodes.
To enable Exchange clustering functionality in environments where the Windows Server Security GPO templates and the Exchange Security GPO templates are deployed, you must perform the following steps sequentially.
Download and then install the NTLM version 2 (NTLMv2) Cluster hotfix on all cluster nodes that will be running Exchange Server. For more information about the NTLMv2 Cluster hotfix, see Microsoft Knowledge Base article 890761, "You receive an 'Error 0x8007042b' error message when you add or join a node to a cluster if you use NTLM version 2 in Windows Server 2003."
Create and configure the Exchange Virtual Servers (EVS) organizational unit (OU). See How to Create and Configure the Exchange Virtual Server Organizational Unit for detailed steps.
In addition, to ensure that no security policies are applied to the computer accounts in this OU, you must turn off GPO policy inheritance on the EVS OU.
Lastly, the Cluster service accounts in your organization must be able to manage the account properties of the EVS computer accounts. For this reason, you must grant the Cluster service accounts full control over the EVS OU.
If you have an existing EVS computer account or multiple EVS accounts, you must move these accounts into the EVS OU. See How to Create and/or Move Exchange Virtual Server Computer Accounts for detailed steps. If you already have EVS computer accounts, then disregard Steps 3 and 4 of that procedure. If you need to create new EVS computer accounts in the future, you can refer to the procedure after you harden your cluster environment.
Create the Exchange Cluster Node OU. Create the Exchange Cluster Node Policy GPO, and then import the Exchange_2003-Cluster_Node_Base_V1_1.inf file into the new GPO. The Exchange Cluster Node GPO configures the Exchange cluster as a back-end mailbox server. For detailed steps, see How to Create the Exchange Cluster Nodes OU and Policy GPO and to Import the GPO Template. For more information about the configurations made by the GPO security template, see Running Exchange Server 2003 Clusters in a Security-Hardened Environment.
Create and import the POP3 or IMAP4 GPO templates as required by your organization. For detailed steps, see How to Enable POP3 or IMAP4 Functionality on the Exchange Cluster Nodes. This step is optional. If clients in your Exchange organization require POP3 or IMAP4 access, you must enable these protocols by creating and importing the appropriate GPOs. This topic assumes you have already created the necessary client protocol cluster resources.
Enable and enforce the new security policies. For detailed steps, see How to Enable a New Security Policy on Exchange Cluster Nodes. After you create the new GPOs, you must force the policy updates on the clusters. Both the Windows® hotfix and enforcing the security policies require that you restart the cluster nodes. Therefore, you should wait until all updates are installed so that you only have to restart the cluster nodes once.
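The following PowerShell script is an added verification aid, not part of this topic or of the Exchange hardening guide; it checks the end state of the six steps above from a management workstation. It assumes the ActiveDirectory and GroupPolicy modules (RSAT, which postdate Windows Server 2003, so run it from a newer host), that the hotfix appears in Win32_QuickFixEngineering as KB890761, and the OU, GPO, account and node names are placeholders to replace with your own.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Placeholders (not from the topic): replace with your own names.
$domainDn       = (Get-ADDomain).DistinguishedName
$evsOu          = "OU=Exchange Virtual Servers,$domainDn"   # EVS OU from step 2
$clusterNodeOu  = "OU=Exchange Cluster Nodes,$domainDn"     # cluster node OU from step 4
$clusterNodeGpo = "Exchange Cluster Node Policy"            # GPO from step 4
$clusterSvcAcct = "CONTOSO\ClusterSvc"                      # Cluster service account
$evsAccounts    = @("EVS1", "EVS2")                         # EVS computer accounts
$clusterNodes   = @("NODE1", "NODE2")                       # physical cluster nodes

$problems = @()

# Step 1: the NTLMv2 cluster hotfix (KB article 890761) must be installed on every node.
# Assumption: the QFE record carries the KB number as its HotFixID.
foreach ($node in $clusterNodes) {
    if (-not (Get-HotFix -Id 'KB890761' -ComputerName $node -ErrorAction SilentlyContinue)) {
        $problems += "$node does not report hotfix KB890761"
    }
}

# Step 2: no policy may reach the EVS computer accounts, so inheritance must be blocked on the EVS OU.
if (-not (Get-GPInheritance -Target $evsOu).GpoInheritanceBlocked) {
    $problems += "GPO inheritance is not blocked on $evsOu"
}

# Step 2: the Cluster service account needs Full Control (GenericAll) on the EVS OU.
$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ace = (Get-Acl -Path "AD:\$evsOu").Access | Where-Object {
    $_.IdentityReference.Value -eq $clusterSvcAcct -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl
}
if (-not $ace) { $problems += "$clusterSvcAcct lacks Full Control on $evsOu" }

# Step 3: every EVS computer account must have been moved into the EVS OU.
foreach ($name in $evsAccounts) {
    $dn = (Get-ADComputer -Identity $name).DistinguishedName
    if ($dn -notlike "*,$evsOu") { $problems += "$name is not in the EVS OU (found at $dn)" }
}

# Steps 4 and 6: the cluster node policy GPO must be linked to the cluster node OU, enabled and enforced.
$link = (Get-GPInheritance -Target $clusterNodeOu).GpoLinks | Where-Object { $_.DisplayName -eq $clusterNodeGpo }
if (-not $link) { $problems += "$clusterNodeGpo is not linked to $clusterNodeOu" }
elseif (-not ($link.Enabled -and $link.Enforced)) { $problems += "$clusterNodeGpo link is not enabled and enforced" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "All cluster hardening checks passed."
```

Run it before the single restart in step 6 so that any missing piece is fixed while the nodes are already scheduled for downtime.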
For more information, see the following resources: