Top 4 Exchange Server Security Best Practices


Topic Last Modified: 2007-12-26

Published: February 17, 2004

Use the recommendations listed on this page to help implement the best possible security practices in your Exchange Server environment.

File-level scanners scan a file when it is used or at a scheduled interval, and they can lock or quarantine an Exchange Server log or database file while Exchange Server is trying to use it. This can cause a severe failure in Exchange Server 2003 and earlier versions and can also generate -1018 errors.

Best practice   Make sure that you exclude the following directories on all the drives:

  • In Exchange Server 2003, exclude:

    • Exchsrvr\MDBData

    • SRS

  • In Exchange 2000 Server, exclude:

    • Exchsrvr\MDBData

    • SRS

    Do not scan the M: drive. File-level scanning of your M: drive can cause calendar items to disappear from users' folders.

  • In Exchange Server 5.5, exclude:

    • Exchsrvr\MDBData

    • DSAData
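The check a practitioner wants after reading this list is whether the scanner on the box actually skips those directories. The script below is an added example, not code from the original article or from Microsoft. It looks for the directory names the article lists under the default Exchsrvr install roots on every fixed drive, compares them with Microsoft Defender's path exclusions, and can add the missing ones. It assumes Windows PowerShell 5.1 on a host running Defender (Get-MpPreference / Add-MpPreference, so it must run elevated to add exclusions), the default install roots `Exchsrvr` and `Program Files\Exchsrvr`, and that SRS may be stored as SRSData; with a third-party scanner, hand the paths it reports as NOT EXCLUDED to that product's console instead.

```powershell
# Added example, not from the original article: audit scanner exclusions for the
# Exchange directories the article names. Assumes Windows PowerShell 5.1 on a host
# running Microsoft Defender; run elevated if you use -Fix.
param([switch]$Fix)   # -Fix adds the missing exclusions instead of only reporting

# Directory names from the article (SRSData spelling added as an assumption).
$dirPattern     = '^(MDBData|SRS|SRSData|DSAData)$'
$rootCandidates = @('Exchsrvr', 'Program Files\Exchsrvr')   # assumption: default roots

# Fixed disks only (DriveType 3); the article says to check every drive, not just C:.
$fixedDrives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
    ForEach-Object { $_.DeviceID + '\' }

$found = foreach ($drive in $fixedDrives) {
    foreach ($rel in $rootCandidates) {
        $root = Join-Path $drive $rel
        if (Test-Path -LiteralPath $root) {
            Get-ChildItem -LiteralPath $root -Directory |
                Where-Object { $_.Name -match $dirPattern } |
                ForEach-Object { $_.FullName.TrimEnd('\') }
        }
    }
}

# Exchange 2000 exposes the store as the ExIFS M: drive; it must be skipped entirely.
if (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID = 'M:'") {
    Write-Warning 'An M: drive is present; if it is the Exchange ExIFS drive, exclude the whole drive.'
}

# Normalise trailing backslashes so "C:\Exchsrvr\MDBData\" and "...\MDBData" compare equal.
$excluded = @((Get-MpPreference).ExclusionPath | ForEach-Object { $_.TrimEnd('\') })
$missing  = @($found | Where-Object { $excluded -notcontains $_ })

foreach ($dir in $found) {
    $state = if ($excluded -contains $dir) { 'excluded' } else { 'NOT EXCLUDED' }
    '{0,-13} {1}' -f $state, $dir
}

if ($Fix -and $missing.Count -gt 0) {
    Add-MpPreference -ExclusionPath $missing
    "Added $($missing.Count) exclusion(s)."
}
```

Run it once without `-Fix` to see the report, then with `-Fix` to add what is missing. If your databases or transaction logs were moved off the default paths, add those directories to `$rootCandidates` or the exclusion list by hand; the script only knows the install-time locations.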

For more information, see the following Microsoft Knowledge Base articles:

When preparing for a disaster recovery situation, answering a few key questions helps direct you to the necessary steps:

  • Do you need to recover data from a backup (private or public store) and have questions about how to set up the recovery environment or about the restore itself?

  • What do you need to set up for Active Directory directory service and DNS?

  • Do you need to have the same organization, administrative group, server, and store names as the production environment?

Best practice   Test your backup files monthly and become familiar with the processes themselves. Should it ever become necessary to restore data to your production environment, your familiarity with the procedure will lessen the downtime of your servers.

For answers to your questions, see the following Knowledge Base articles:

Also, download the following white papers from the Microsoft Download Center:

The top causes for open relays with Exchange Server include:

  • The SMTP service is reachable from the Internet and does not require authentication before it relays.

  • The server has local accounts, or belongs to a domain that has accounts, with weak passwords or no password at all.

Best practice   The following known account names are frequent targets for compromise and should either be disabled or be given a strong password. In past relay cases these were the accounts that showed up in the Event Viewer once diagnostic logging had been turned up. Remember: a password must never match the logon name.

  • Webmaster

  • Admin

  • Root

  • Test

  • Master

  • Web

  • www

  • administrator

  • backup

  • server

  • data

  • abc

  • guest
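To turn that list into a check, the script below (an added example, not code from the original article or from Microsoft) looks each name up in the local SAM of the SMTP server or in its domain, reports whether the account exists and is enabled, and makes exactly one logon attempt per enabled account using the logon name as the password, which is the specific mistake the article warns about. It assumes Windows PowerShell 5.1 and the .NET `System.DirectoryServices.AccountManagement` assembly; `Test-KnownAccounts` and `$riskyNames` are names chosen here. One attempt per account stays well under any reasonable lockout threshold, but run it with the owning team's knowledge, since the attempts land in the security log as failed logons.

```powershell
# Added example, not from the original article: audit the account names the
# article lists for existence, enabled state and password == logon name.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Names from the article.
$riskyNames = 'Webmaster', 'Admin', 'Root', 'Test', 'Master', 'Web', 'www',
              'administrator', 'backup', 'server', 'data', 'abc', 'guest'

function Test-KnownAccounts {
    param(
        [ValidateSet('Machine', 'Domain')][string]$Scope = 'Machine',
        [string[]]$Names = $riskyNames
    )
    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]$Scope
    $ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
                      -ArgumentList $ctxType

    foreach ($name in $Names) {
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $name)
        if (-not $user) { continue }   # name not present in this scope: nothing to report

        $weak = $false
        if ($user.Enabled) {
            # Single bind with the logon name as the password. True means the
            # password breaks the "never match the logon name" rule.
            $weak = $ctx.ValidateCredentials($name, $name)
        }

        $action = if (-not $user.Enabled) { 'ok (disabled)' }
                  elseif ($weak)          { 'CHANGE PASSWORD or disable' }
                  else                    { 'review: ensure a strong password' }

        [pscustomobject]@{
            Scope               = $Scope
            Account             = $user.SamAccountName
            Enabled             = $user.Enabled
            PasswordIsLogonName = $weak
            Action              = $action
        }
    }
}

# Usage: Test-KnownAccounts                 # local SAM of the SMTP server
#        Test-KnownAccounts -Scope Domain   # the domain the server belongs to
```

Accounts the script does not list simply do not exist in that scope. Anything reported as enabled still needs a password review even when `PasswordIsLogonName` is False; the probe only rules out the one trivial password the article calls out, not a dictionary of others.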

To help guide your configuration, prevent your servers running Exchange Server from becoming open relays, and learn the key clues that show whether your SMTP server is relaying, read the following Knowledge Base articles:

Microsoft Outlook 2000 Service Pack 1 (SP1), Outlook 2000 without service packs, Outlook 98, and Outlook 97 do not have mechanisms to block attachments. If you are using one of these versions, virus and worm protection must be provided on the server running Exchange Server.

Best practice   Upgrade to Outlook 2000 Service Pack 2 (SP2) or later to protect the client or install the appropriate e-mail security update:

By default, Microsoft Office Outlook 2003, Outlook 2002 in Microsoft Office XP, and Outlook 2000 SP2 provide an attachment security feature that is designed to increase protection against certain types of e-mail attachments. The feature displays an explicit warning when such attachments are opened and requires that you save the attachment to the file system before opening it. This helps you avoid accidentally releasing viruses that hide in certain file types.

While we do not recommend reducing e-mail client security levels, there might be instances when an organization wants to customize or remove the additional protections provided by Outlook.

Best practice   You can modify default security settings for the Outlook 2003 client by using the Outlook Security template, which you install as a form in Outlook. To install this form, see Knowledge Base article 290499, Administrator information about e-mail security features.

For additional information, see Microsoft Knowledge Base article 829982, Cannot open attachments in Microsoft Outlook.
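Because reducing client security is explicitly not recommended, the useful check is to find out where it has been done. Knowledge Base article 829982 describes the per-user `Level1Remove` registry value (a semicolon-separated list of extensions) that takes file types out of Outlook's blocked Level 1 list, and the matching `Level1Add` value that adds to it. The function below is an added example, not code from the original article or from Microsoft; it reports both values for every Office version present under the user's hive and under the policy hive. It assumes Windows PowerShell 5.1 run as the user being audited, and `Get-OutlookAttachmentOverrides` is a name chosen here.

```powershell
# Added example, not from the original article: list attachment-blocking
# overrides (Level1Remove / Level1Add, see KB 829982) for every Outlook version
# configured in the current user's registry and in the policy hive.
function Get-OutlookAttachmentOverrides {
    $hives = @{
        user   = 'HKCU:\Software\Microsoft\Office'
        policy = 'HKCU:\Software\Policies\Microsoft\Office'
    }

    foreach ($source in $hives.Keys) {
        $hive = $hives[$source]
        if (-not (Test-Path $hive)) { continue }

        # Version keys look like 9.0, 10.0, 11.0 (Outlook 2000, 2002, 2003) and later.
        $versionKeys = Get-ChildItem $hive | Where-Object { $_.PSChildName -match '^\d+\.\d$' }
        foreach ($verKey in $versionKeys) {
            $secKey = Join-Path $verKey.PSPath 'Outlook\Security'
            if (-not (Test-Path $secKey)) { continue }

            $props = Get-ItemProperty -Path $secKey
            # Skip versions with no override values at all.
            if (-not $props.Level1Remove -and -not $props.Level1Add) { continue }

            # Normalise ".exe;bat;" style lists into an array of ".exe", ".bat".
            $toList = {
                param($value)
                @($value -split ';' | Where-Object { $_ } | ForEach-Object { '.' + $_.Trim().TrimStart('.') })
            }

            [pscustomobject]@{
                OfficeVersion = $verKey.PSChildName
                Source        = $source
                Unblocked     = & $toList $props.Level1Remove   # extensions removed from Level 1
                ExtraBlocked  = & $toList $props.Level1Add      # extensions added to Level 1
            }
        }
    }
}

# Usage: Get-OutlookAttachmentOverrides | Format-Table -AutoSize
```

An `Unblocked` entry of `.exe` or `.vbs` on a workstation means a user, or a script run as that user, has undone the protection this section describes; the `policy` rows show what Group Policy enforces, which wins over the `user` rows.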

As part of our commitment to help you improve and maintain security, Microsoft provides proactive information that can help you implement the best possible security practices and improve your security and availability. To learn more about security, see:

  • Exclude Certain Directories from File-level Virus Scanners

  • Prepare for an Exchange Server Disaster Recovery

  • Close an Open Relay

  • Configure Attachment Blocking Using Outlook

  • Get Help