Exchange Server 2003 Security Hardening Guide
Last Reviewed: February 2005
Product Version: Exchange Server 2003
Reviewed By: Exchange Product Development
Latest Content: www.microsoft.com/exchange/library
Authors: Michael Grimm, Michael Nelte
Published: February 2004
Applies To: Exchange Server 2003
Copyright The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
© 2004 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveSync, Microsoft Press, MSDN, Outlook, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Acknowledgments
Project Editor: Brendon Bennett
Contributing Writers: John Speare, Ross Smith IV, Christopher Budd (CISSP), Janine de Nysschen, Joey Masterson
Technical Reviewers: Martin Hergett; Andrew Moss; Alexander MacLeod; Jason Urban; Eric Rosenberg; Giuseppe Di Silvestre
Graphic Design: Kristie Smith, Paul Carew
Production: Joe Orzech, Sean Pohtilla
Table of Contents
Exchange Server 2003 Security Hardening Guide ... 1
Exchange Server 2003 Security Hardening Guide ... 2
Table of Contents ... i
Introduction ... 1
    What Is Updated in This Guide? ... 1
    Scope of This Guide ... 1
    Before You Get Started ... 2
Securing Your E-mail Environment ... 2
    Securing the Client ... 3
    Exchange 2003 Patch Management ... 3
    Anti-Virus Measures ... 3
    Protecting Against Unsolicited Commercial E-Mail (Spam) ... 4
    Protecting Against Denial-of-Service Attacks ... 7
    Protecting Against Address Spoofing ... 7
Hardening Exchange 2003 Servers ... 10
    Hardening the Windows Infrastructure ... 11
    Hardening Back-End Servers ... 13
    Hardening Front-End Servers ... 19
    Deploying the Exchange Group Policy Security Templates ... 26
Appendixes ... 32
    Appendix A: Using Permissions and Administrative Roles to Control Access ... 33
    Appendix B: Upgrading from Exchange 2000 ... 35
        Message Limits ... 35
        Services ... 35
        Outlook Mobile Access ... 36
        M: Drive ... 36
        Virtual Server Authentication ... 36
        Local Access Denied for Domain Users ... 36
        Top Level Public Folder Creation ... 36
        Access Control Configuration ... 36
    Appendix C: Ports Used in Exchange 2003 ... 38
    Appendix D: Resources ... 40
        Exchange Server 2003 Books ... 40
        Technical Articles ... 40
        Websites ... 40
        Resource Kits ... 41
        Microsoft Knowledge Base Articles ... 41
    Accessibility ... 42
Introduction
This guide is designed to provide you with essential information about how to harden your Microsoft® Exchange Server 2003 environment. In addition to practical, hands-on configuration recommendations, this guide includes strategies for combating spam, viruses, and other external threats to your Exchange 2003 messaging system. While most server administrators can benefit from reading this guide, it is designed to produce maximum benefits for administrators responsible for Exchange messaging, both at the mailbox and architect levels. This guide is a companion to the Windows Server 2003 Security Guide (http://go.microsoft.com/fwlink/?LinkId=21638). Specifically, many of the procedures in this guide are related directly to security recommendations introduced in the Windows Server 2003 Security Guide. Therefore, before you perform the procedures presented in this guide, it is recommended that you first read the Windows Server 2003 Security Guide.
What Is Updated in This Guide?
Since the previous version of this guide was released, modifications were made to the following section:
• Hardening Exchange 2003 Servers
  • Removed references to the RPC Locator service. In the previous version of this guide, the RPC Locator service is listed as a required service for hardening your servers. While this is correct for Exchange 2000 Server, it is not necessary for Exchange Server 2003.
  • Updated content to reflect changes in version 1.1 of the Exchange Group Policy Security Templates.
  • Added a description of the service access control lists (ACLs) defined in version 1.1 of the Exchange Group Policy Security Templates.
  • Clarified support for the Windows Server 2003 Member Server Baseline policy (Enterprise Client Member Server Baseline.inf). If you plan to run Exchange 2003 in an environment where the Windows Server 2003 "High Security" GPO templates are deployed, additional testing and configuration may be necessary to provide full functionality.
  • Removed the subsection "Configuring URLScan." It is highly recommended that you configure URLScan in accordance with the instructions in Microsoft Knowledge Base article 823175, "Fine-tuning and known issues when you use the Urlscan utility in an Exchange 2003 environment" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=823175).
In addition to these updates, the following companion topics are available online at http://go.microsoft.com/fwlink/?LinkId=25210:
• Running Exchange Server 2003 Clusters in a Security-Hardened Environment
• How to Run Exchange Server 2003 Clusters in a Security-Hardened Environment
Scope of This Guide
This guide focuses explicitly on the operations required to help create and maintain a secure Exchange 2003 environment. You should use this guide as part of your overall security strategy for Exchange 2003, not as a complete reference for creating and maintaining a secure environment.
Specifically, this guide provides detailed answers to the following questions:
• What guidance is available to help prepare for a secure Exchange 2003 environment?
• What are some effective patch management processes?
• What are some anti-virus measures I can deploy?
• How can I protect against unsolicited commercial e-mail (spam), denial-of-service attacks, and address spoofing?
• What are the recommended steps for hardening my Microsoft Windows Server™ 2003 infrastructure?
• What are the recommended steps for hardening my back-end and front-end servers?
• How do I organize my Microsoft Active Directory® directory service structure to support deployment of the Exchange Group Policy Security Templates?
Before You Get Started
Before considering the configuration recommendations and security strategies presented in this guide, you should familiarize yourself with the following resources:
Microsoft Operations Framework (MOF)
MOF is a collection of best practices, principles, and models that provide you with operations guidance. For specific information, see the MOF website (http://go.microsoft.com/fwlink/?LinkId=21640).
Strategic Technology Protection Program (STPP)
The goal of STPP is to integrate Microsoft products, services, and support that focus on security. For specific information, see the STPP website (http://go.microsoft.com/fwlink/?LinkId=21643).
Microsoft Security and Privacy
This website is the central clearinghouse for overall security and privacy information at Microsoft. For specific information, see the Microsoft Security and Privacy website (http://go.microsoft.com/fwlink/?LinkId=21633).
Security Resources for Exchange Server 2003
This website lists Exchange-specific resources that can help secure your environment. For specific information, see the Security Resources for Exchange Server 2003 website (http://go.microsoft.com/fwlink/?LinkId=21660).
Securing Your E-mail Environment
E-mail is a mission-critical service for nearly all organizations. Therefore, it is crucial that you provide your customers with stable and reliable e-mail services. Malicious attack, in the form of a virus, worm, or denial of service, is one area of risk in daily Exchange 2003 operations. Similarly, unsolicited commercial e-mail (spam) has become intrusive and sophisticated enough to be considered a threat to e-mail operations. To help you guard against these intrusions, this section provides you with the following information:
• Tips for securing the client
• Exchange 2003 patch management processes
• Anti-virus measures
• Protecting against spam, including new features in Microsoft Office Outlook® 2003 and Exchange 2003 that can help in this area
• Protecting against denial-of-service attacks
• Protecting against address spoofing
Securing the Client
Because Exchange 2003 is a distributed, client/server application, it is important to consider the client as you develop a security plan for your e-mail environment. Specifically, consider the following:
• As part of your risk management strategy, you should examine which clients are strictly required and then limit Exchange functionality to those clients. For example, Exchange 2003 does not configure all client services during installation. To run POP3 or IMAP4 clients in your organization, you must first enable these services in your Exchange 2003 environment.
• Ensure that your patch management plan extends beyond the operating system on the client desktop. Use current and patched versions of the client software, regularly checking for client security updates.
• Users are important in helping keep the client secure. Therefore, you should educate your users about e-mail viruses, virus hoaxes, chain letters, and spam, and then establish procedures that your users can follow when they encounter such mail.
Exchange 2003 Patch Management
To keep Exchange as secure as possible, it is important that you remain current with the latest patches. Specifically, you should ensure that both Exchange 2003 and the operating system are up to date. If the operating system is vulnerable, then Exchange is also vulnerable. Microsoft supplies two utilities to help you stay current with Microsoft Windows® service packs, hotfixes, and patches: Microsoft Network Security Hotfix Checker (Hfnetchk) and Microsoft Baseline Security Analyzer (MBSA). Hfnetchk is a tool that lists which patches have been applied to a computer; MBSA identifies common security misconfigurations. Hfnetchk is available through the command-line interface of MBSA. You can download both from the Microsoft Baseline Security Analyzer website (http://go.microsoft.com/fwlink/?linkid=17809). In addition, ensure that you are notified of any new patches applicable to your organization. To receive these notifications automatically, subscribe to the Microsoft Security Bulletins at http://go.microsoft.com/fwlink/?LinkId=21723. For more information about Windows Server 2003 patch management processes, see the Windows Server 2003 Security Guide (http://go.microsoft.com/fwlink/?LinkId=21638).
Anti-Virus Measures
Viruses transmitted through e-mail messages are one of the more significant threats to your organization. E-mail viruses can attack individual computer systems or your entire e-mail environment. Therefore, you must ensure that you have adequate protection against viruses in your Exchange 2003 environment. The most effective mechanisms for combating viruses are installing anti-virus software and keeping the anti-virus signature files up to date. With this in mind, you should consider protecting against viruses at the firewall, at the Simple Mail Transfer Protocol (SMTP) gateway, at each Exchange server, and on every client computer. The reason for installing anti-virus software at each destination in the message delivery chain is to provide as much defensive coverage on each message as possible. For example, the virus-scanning engine at the SMTP gateway uses a different Multipurpose Internet Mail Extensions (MIME) parser than the one that is installed on the Exchange server, which, in turn, is different from the parser used by Outlook or Outlook Express. From a MIME parsing perspective, this means that having a virus scanner (one that uses the native MIME parser) at each destination increases the likelihood of exposing viruses. In addition, you should consider running virus-scanning software from different vendors across your enterprise.
One common method virus writers use to transport viruses is to include the virus in an attachment. In the most obvious cases, a virus can be delivered by attaching an executable program (.exe) to an e-mail message. In some cases, viruses can be delivered by embedding them in a macro, which appears to users as a much more benign document (such as a Word or Excel file). To protect against such viruses, Outlook and Outlook Web Access provide the following attachment-blocking features:
Attachment blocking features in Outlook
Outlook 2002 and later versions include an attachment-blocking feature; this feature (enabled by default) blocks the most obvious file types, such as .exe, .bat, and .vbs files. Previous versions of Outlook require the Outlook E-mail Security Update, available on the Microsoft Office Online website (http://go.microsoft.com/fwlink/?LinkId=24348). For information about how to configure Outlook attachment blocking features by means of a group policy, see The Office 2003 Resource Kit (http://go.microsoft.com/fwlink/?LinkId=24349).
Attachment blocking features in Outlook Web Access
In Exchange 2000 Service Pack 2 (SP2), Outlook Web Access introduced the ability to block attachments by file type and MIME type. In Outlook Web Access for Exchange 2000 and Microsoft Office® Outlook Web Access 2003, attachment blocking is enabled by default. With this default configuration, users can send any attachment type but will not receive dangerous file types, such as .exe, .bat, and .vbs files.
Note In their default configurations, both Outlook 2003 and Outlook Web Access 2003 block the same attachment types.
In Outlook Web Access, there are two levels of attachment blocking that you can configure. These levels correspond to the different risk levels posed by file types and MIME types. Outlook Web Access does not allow Level 1 files or MIME types (specified by the attributes Level1FileTypes and Level1MIMETypes, respectively) to be downloaded in any format. Level 2 file and MIME types are less severe; users are not allowed to open them in Internet Explorer, but they can right-click the file, save it to disk, and then open it. If you want to view or change blocked file types or MIME types in Outlook Web Access, perform the following procedure.
Warning Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
To view or change blocked file types or MIME types in Outlook Web Access
1. Start Registry Editor (regedit).
2. Navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA
3. The Level1FileTypes value shows blocked attachments; the Level1MIMETypes value shows blocked MIME types.
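The two-level policy above can be checked offline against a filename and a MIME type. The following is an added example (not Microsoft's or Outlook Web Access's code): Level1FileTypes and Level1MIMETypes are the registry values named in the procedure, while Level2FileTypes and Level2MIMETypes are assumed to be their Level 2 counterparts; the list contents are constructed, and the semicolon-separated string format is an assumption. It also shows why the last extension must be checked ("invoice.pdf.scr") and why a Level 1 match must win over a Level 2 match.

```python
"""Classify an Outlook Web Access attachment against Level 1 and Level 2 lists."""
# Added example, not Microsoft's code. The list contents are constructed and the
# semicolon-separated registry format is an assumption; verify against your server.

LEVEL1_FILE_TYPES = "exe;bat;vbs;cmd;scr;pif"                 # constructed sample
LEVEL1_MIME_TYPES = "application/x-msdownload;application/hta"  # constructed sample
LEVEL2_FILE_TYPES = "zip;htm;html"                            # constructed sample
LEVEL2_MIME_TYPES = "text/html;application/zip"               # constructed sample

BLOCKED = "blocked"        # Level 1: cannot be downloaded in any form
SAVE_ONLY = "save-only"    # Level 2: not opened in the browser, but can be saved to disk
ALLOWED = "allowed"


def parse_type_list(value):
    """Registry string -> set of lowercase tokens; blanks and leading dots tolerated."""
    return {tok.strip().lower().lstrip(".") for tok in value.split(";") if tok.strip()}


def extension_of(filename):
    """Extension after the LAST dot of the base name: 'report.pdf.exe' -> 'exe'."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base or base.endswith("."):
        return ""
    return base.rsplit(".", 1)[1].lower()


def classify_attachment(filename, mime_type,
                        level1_files=LEVEL1_FILE_TYPES, level1_mimes=LEVEL1_MIME_TYPES,
                        level2_files=LEVEL2_FILE_TYPES, level2_mimes=LEVEL2_MIME_TYPES):
    """Level 1 is tested first, so a Level 1 extension wins over a Level 2 MIME type
    and vice versa; a match on either the extension or the MIME type is enough."""
    ext = extension_of(filename)
    mime = (mime_type or "").split(";", 1)[0].strip().lower()   # drop "; charset=..."
    if ext in parse_type_list(level1_files) or mime in parse_type_list(level1_mimes):
        return BLOCKED
    if ext in parse_type_list(level2_files) or mime in parse_type_list(level2_mimes):
        return SAVE_ONLY
    return ALLOWED


if __name__ == "__main__":
    # Constructed sample attachments as a client might present them
    for name, mime in [("Setup.EXE", "application/octet-stream"),
                       ("invoice.pdf.scr", "application/pdf"),
                       ("page.txt", "text/html; charset=utf-8"),
                       ("notes.txt", "text/plain")]:
        print(f"{name:18} {mime:28} -> {classify_attachment(name, mime)}")
```

The check is deliberately case-insensitive and looks only at the final extension, because both are common ways a blocked type slips past a naive comparison.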
Protecting Against Unsolicited Commercial E-Mail (Spam)
Unsolicited commercial e-mail (spam) is a major problem for many organizations. Spam is costly in a number of ways, from lost user time in sorting and deleting it, to wasted bandwidth and storage space. To minimize spam, you must combat it on a number of fronts. Therefore, to help you protect your Exchange 2003 environment against spam, this section will:
• Discuss methods for educating your users about spam.
• Introduce you to spam-protection features in Outlook 2003 and Outlook Web Access 2003.
• Explain the spam confidence level (SCL) infrastructure.
• Show you how to restrict Exchange 2003 distribution lists.
• Explain the different types of filtering you can apply in Exchange 2003.
Educating Users About Spam
The first step in combating spam is to educate your users about how to handle it. In fact, your users are probably the most important defense against spam. Spam is often a result of social engineering tactics employed against your users, and it is important to educate your users on how to avoid it. For example, your users may receive spam that includes a disclaimer stating something similar to the following: If you wish to be removed from this mailing list, you should respond to the mail with the word "Remove" in the subject line. Although this is a legitimate tool for some reputable companies, it is often a means of verifying that an e-mail address is valid so that the address can then be used again (likely the address will be sold to other spammers). For more information about what users can do to combat spam, see the Microsoft Security and Privacy Basics website (http://go.microsoft.com/fwlink/?LinkId=24701).
Spam Protection Features in Outlook 2003 and Outlook Web Access 2003
Both Outlook 2003 and Outlook Web Access 2003 include features that can help protect your users against spam. These features include:
User-maintained block lists and safe lists
The block lists and safe lists used by both Outlook 2003 and Outlook Web Access are stored in the user's mailbox. Because both client programs use the same list, users do not need to maintain two versions.
External content blocking
Outlook 2003 and Outlook Web Access 2003 make it more difficult for senders of junk e-mail messages to use beacons to retrieve e-mail addresses. An incoming message that contains any content that could be used as a beacon, regardless of whether the message actually contains a beacon, prompts Outlook and Outlook Web Access to display a warning message. If users know that the message is legitimate, they can click the warning message to download the content. If users are unsure about the message, they can delete it without triggering beacons that alert a sender of junk mail. For more information about external content blocking in Outlook 2003 and Outlook Web Access 2003, see "Client Features" in the book What's New in Exchange Server 2003 (http://go.microsoft.com/fwlink/?LinkId=24402).
Improved junk e-mail management
With Outlook 2003, users can create rules that search e-mail messages for specific phrases and automatically move messages containing these phrases from the Inbox to a specified folder (such as the Junk E-mail or Deleted Items folders). Furthermore, users can select to permanently delete suspected junk e-mail instead of moving it to a specified folder.
Junk e-mail filter
Outlook 2003 includes a junk e-mail filter that searches for common spam attributes. (These attributes are updated in conjunction with Office updates.) For each suspicious attribute, Outlook increments a counter; the higher the count for a given piece of mail, the more likely it is to be spam.
To specify the level of junk e-mail protection you want, use the Junk E-Mail Options dialog box (in Outlook 2003, from the Action menu, point to Junk E-mail, and then click Junk E-mail Options). When your users first begin using these junk e-mail features, or if they modify the options at any time, they should periodically check for messages that have been removed from the Inbox to ensure that valid messages have not been moved.
Updates to the junk e-mail features in Outlook 2003 will be listed on the Microsoft Office Online website, under Office Update (http://go.microsoft.com/fwlink/?LinkId=24393).
Spam Confidence Level Infrastructure
Together, Exchange 2003 and Outlook 2003 provide an infrastructure that supports an end-to-end solution to combating spam. Specifically, this infrastructure includes native functionality in Exchange 2003 and Outlook 2003 that allows software vendors to plug spam detection filters in along the message path. Spam filters evaluate messages and determine how likely it is that a given message is spam. A number between 0 and 9 is assigned; this number is the Spam Confidence Level (SCL). Essentially, the SCL is a normalized value assigned to a message that indicates, based on the characteristics of the message (such as the content, message header, and so on), the likelihood that the message is spam. A rating of 0 indicates that the message is highly unlikely to be spam, while a rating of 9 indicates that the message is very likely spam. The SCL rating is stored as an attribute of the message. The administrator configures Exchange to handle messages with SCL ratings in a way that is appropriate to the environment. For example, a gateway server may discard all spam that has an SCL rating greater than or equal to 7 and pass all messages that rate less than 7 to the Exchange mailbox server. The mailbox administrator may then decide that all messages rating greater than or equal to 5 are transferred directly to the user's Junk E-mail folder, while all messages with a rating of 4 or less are transferred to the Inbox. Finally, the user may have a mailbox setting that treats all mail in the Junk E-mail folder as spam and deletes it. Alternatively, the Exchange administrator may set up a mailbox recipient policy that lowers the retention period (by age or size) in the Junk E-mail folder. The SCL infrastructure also takes into account the user's safe, block, and recipient lists, as well as the Exchange filtering lists.
For more information about SCL, see the Spam Filter website on MSDN® (http://go.microsoft.com/fwlink/?LinkId=24395).
Note The forthcoming release of the Exchange Intelligent Message Filter will also be a very important component in combating spam. The Exchange Intelligent Message Filter is an SCL-compatible filter that provides advanced server-side message filtering designed specifically to combat the influx of spam. For specific information, see the Exchange Intelligent Message Filter website (http://go.microsoft.com/fwlink/?linkid=21607).
Restricted Distribution Lists
Another effective deterrent against spam is to use restricted distribution lists within your Exchange organization. A restricted distribution list allows only authenticated users to send messages. This is especially important because, if spammers knew the alias of a distribution list, they could reach many of your employees with one e-mail message. Restricting distribution lists is especially effective for large lists that contain many nested distribution lists.
Note Be aware that many spammers use dictionary attacks (attacks using software that opens a connection to the target mail server and then rapidly submits millions of random e-mail addresses) as a mechanism to reach recipients. Distribution lists are often represented by an alias that is a common dictionary word.
To set a distribution list as restricted
1. In Active Directory Users and Computers, open the property page of the distribution list.
2. Click the Exchange General tab, and then select the From authenticated users only check box.
Exchange 2003 Filtering
Exchange 2003 includes a set of features that allow the administrator to create sender, recipient, and connection filtering lists in an attempt to block spam at the perimeter of the organization, thereby reducing costs by rejecting messages at the earliest opportunity. Exchange 2003 supports the following filters:
• Connection filtering Filters inbound messages by comparing the sending IP address against a block list provided by a real-time block list service. You can also enter your own set of accept/restrict IP addresses at a global level.
• Sender filtering By default, SMTP connections that are created by senders on this list are dropped.
• Recipient filtering Allows you to set global restrictions on mail to specific recipients.
For more information about how filters are applied, see the book What's New in Exchange Server 2003 (http://go.microsoft.com/fwlink/?LinkId=24402).
Protecting Against Denial-of-Service Attacks
Denial-of-service attacks are generally difficult to guard against. However, Exchange 2003 includes settings that can help you protect against such attacks. The message limit parameters configured on the SMTP virtual server allow you to specify a maximum number of recipients per message, a maximum message size, a maximum number of messages per connection, and so on. These limits can help prevent denial-of-service attacks that stem from mail transport. Another type of denial-of-service attack could originate from sending a large number of e-mail messages to a particular server until it runs out of disk space. To minimize this possibility, you can set storage limits on mailboxes and public folders. By default, Exchange 2003 does not accept messages larger than 10 MB. In addition, you should configure the SMTP virtual servers on the Internet-facing gateway server to disallow messages that are larger than 10 MB. The maximum message size set on an SMTP virtual server is enforced earlier in message processing than the Exchange-defined limit.
Note Because replication needs likely require the transfer of large messages, you should not configure internal (non-Internet facing) SMTP virtual servers to disallow messages larger than 10 MB.
In addition, on a Windows Server 2003 installation, Exchange 2003 uses Internet Information Services (IIS) application pools to mitigate denial-of-service attacks. For information about how to administer these various settings, see the book Exchange Server 2003 Administration Guide (http://go.microsoft.com/fwlink/?linkid=21769).
Protecting Against Address Spoofing
A common technique spammers use is to configure the From line in an e-mail message to hide the sender's identity. Although SMTP does not require verification of a sender's identity, Exchange 2003 provides the following functionality to help minimize address spoofing:
Default authentication settings
By default, Exchange 2003 does not resolve a sender's e-mail address unless the sender uses a client program such as Outlook or Outlook Web Access to authenticate against an Exchange server. When Exchange receives a message from an authenticated client, it verifies that the sender is in the global address list (GAL), and if so, resolves the user's display name (in the From line) on the message. If the original message was submitted without authentication, Exchange 2003 marks the message as unauthenticated at its point of origin and transfers that information from server to server. In this case, the sender's address is not resolved to the GAL display name (for example, Ted Bremer); instead, it is displayed to the recipient in its SMTP format (for example, [email protected]). You should educate your users to be suspicious of messages that claim to be from other users in your organization but are not resolved to the GAL display name.
However, Exchange 2000 does resolve messages submitted anonymously. For this reason, if you are upgrading from Exchange 2000, it is recommended that you upgrade gateway servers to Exchange 2003 before upgrading mailbox and other Exchange servers. Alternatively, to prevent your Exchange 2000 servers from resolving anonymous mail, you can perform the following procedure.
To prevent Exchange 2000 from resolving anonymous e-mail messages

Warning Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

1. Start Registry Editor (regedit).
2. Navigate to or create the following key in the registry (where 1 is the SMTP virtual server number):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsExchangeTransport\Parameters\1
Note You may need to create both the Parameters key and the 1 key.
3. On the Edit menu, click Add Value, and then add the following registry value:
Value name: ResolveP2
Data type: REG_DWORD
4. Use the following flags to determine which value to use:
Field | Value
FROM: | 2
TO: and CC: | 16
REPLY TO: | 32
5. To determine the value that you want to use, add the values for all of the elements that you want to be resolved. For example, to resolve all of the fields except the sender, type 48 (16+32=48). To resolve only the recipients, type only 16. By default, Exchange 2000 resolves everything (you can specify this behavior either by removing the key or by setting the value with this formula: 2+16+32=50).
6. Quit Registry Editor.
7. Restart the SMTP virtual server.
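The flag arithmetic in the procedure above, as an added Python helper that is not part of the guide: it builds the ResolveP2 REG_DWORD from named fields, decodes a stored value back to the fields it resolves (rejecting undocumented bits), and renders a .reg import file for a given SMTP virtual server instance. The key path and flag values are the ones the procedure lists; the field names TO_CC and REPLY_TO are this example's own.

```python
"""ResolveP2 helper for the Exchange 2000 anonymous-resolution setting.

Added example; not code from the guide. The flag bits and registry key
path are the ones the procedure lists; the field names are ours.
"""

# Bit per P2 (message header) field, from the guide's table of flags.
RESOLVE_FLAGS = {
    "FROM": 2,       # resolve the sender's display name
    "TO_CC": 16,     # resolve TO: and CC: recipients
    "REPLY_TO": 32,  # resolve the REPLY TO: address
}
RESOLVE_ALL = sum(RESOLVE_FLAGS.values())  # 50: Exchange 2000's default

# Per-virtual-server parameters key; the instance number is appended.
REG_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
           r"\MsExchangeTransport\Parameters")


def resolve_p2_value(fields):
    """REG_DWORD that resolves exactly the named fields (0 resolves none).

    Leaving the sender unresolved while still resolving recipients, as the
    guide suggests, is resolve_p2_value(["TO_CC", "REPLY_TO"]) == 48.
    """
    value = 0
    for field in fields:
        if field not in RESOLVE_FLAGS:
            raise ValueError(
                f"unknown field {field!r}; expected one of {sorted(RESOLVE_FLAGS)}")
        value |= RESOLVE_FLAGS[field]
    return value


def resolved_fields(value):
    """Inverse: the fields a stored ResolveP2 value resolves.

    Rejects values that set bits the guide does not document, so a typo
    such as 49 is caught instead of being written to the registry as-is.
    """
    if value < 0 or value & ~RESOLVE_ALL:
        raise ValueError(f"{value} sets bits outside the documented flags")
    return sorted(name for name, bit in RESOLVE_FLAGS.items() if value & bit)


def reg_file(virtual_server, fields):
    """Render a .reg import file that sets ResolveP2 on one SMTP virtual server.

    The dword:XXXXXXXX form is regedit's own export format.
    """
    if not isinstance(virtual_server, int) or virtual_server < 1:
        raise ValueError("SMTP virtual server instance numbers start at 1")
    value = resolve_p2_value(fields)
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{REG_KEY}\\{virtual_server}]",
        f'"ResolveP2"=dword:{value:08x}',
        "",
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Leave the sender unresolved on the default virtual server (instance 1),
    # which is the configuration the procedure above describes.
    print(reg_file(1, ["TO_CC", "REPLY_TO"]))
```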
Be cautious when you select the servers on which you want to enable this setting. If you change the behavior on the default SMTP virtual server, and there are multiple servers in your organization, all internal mail that originates on other Exchange 2000 servers is also affected. Therefore, because Exchange 2000 uses SMTP to route internal mail between servers, you may want to create a new SMTP virtual server, or perhaps apply this setting only on an incoming SMTP bridgehead server.

Cross-forest authentication settings

If your organization contains multiple forests, you can configure trusts between forests such that SMTP bridgehead servers require authentication.

Note Workflow applications may submit mail anonymously; therefore, before you configure authentication in your organization, be sure to evaluate your workflow application needs.

For information about how to configure cross-forest authentication, see "Transport and Message Flow Features" in the book What's New in Exchange Server 2003 (http://go.microsoft.com/fwlink/?LinkId=24402).

Anonymous access settings

Although Exchange 2003 provides the ability for client-side users to recognize spoofed mail, you should turn off anonymous SMTP access on all internal Exchange servers. Turning off anonymous access helps ensure that only authenticated users can submit messages within your organization. In addition, requiring authentication forces client programs such as Outlook Express and Outlook using RPC over HTTP to authenticate before sending mail.

Reverse Domain Name System lookups

If you receive messages directly from other domains on the Internet, you can configure your SMTP virtual server to perform a reverse Domain Name System (DNS) lookup on incoming e-mail messages. This verifies that the Internet Protocol (IP) address and fully qualified domain name (FQDN) of the sender's mail server correspond to the domain name listed in the message. However, consider the following limitations to reverse DNS lookups:
• The sender's IP address may not be in the reverse DNS lookup record, or the sending server may have multiple names for the same IP, not all of which may be available from the reverse DNS lookup record.
• Reverse DNS lookups place an additional load on the Exchange server.
• Reverse DNS lookups require that the Exchange server is able to contact the reverse lookup zones for the sending domain.
• Performing reverse DNS lookups on each message can result in a substantial decrease in performance due to increased latency.

Note For more information about using reverse DNS lookup, see Microsoft Knowledge Base article 319356, "HOW TO: Prevent Unsolicited Commercial E-Mail in Exchange 2000 Server" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=319356).
Hardening Exchange 2003 Servers

This section explains how to harden Exchange 2003 servers based on their role in your organization. This section is divided into three main sub-sections:
• Hardening the Windows Infrastructure This section provides the preliminary steps you must perform before hardening your Exchange servers.
• Hardening Back-End Servers This section provides the steps you must perform to harden the Exchange mailbox server, including how to disable non-essential services, restrict access to local directories, and other configurations.
• Hardening Front-End Servers This section provides the steps you must perform to harden an Exchange front-end server. This section also discusses front-end server roles and provides more granular configuration recommendations in accordance with these roles. In addition, this section includes information about URLScan—a tool that runs on IIS and allows you to specify exactly which HTTP requests can run against the computer.

This section, and the remainder of this guide, is written with the assumption that you have read the Windows Server 2003 Security Guide and have implemented the recommendations for hardening your domain, domain controllers, and member servers. In some cases, the Exchange 2003 configuration recommendations in this section are dependent on recommendations in the Windows Server 2003 Security Guide. These requirements are specified where appropriate. Furthermore, all of the recommendations in this section are derived from the configurations in the Exchange Group Policy Security Templates, which are included with this guide. (For detailed information about these templates, see "Deploying Exchange Group Policy Security Templates" later in this guide.) Specifically, this section explains the settings within the security templates, in case you want to configure your servers manually. Alternatively, you can import the provided templates in one of two ways:
• You can import any security template to a local computer. To do this, open the Local Security Policy MMC snap-in, right-click Security Settings, and then click Import Policy. Navigate to and then double-click the appropriate Exchange Group Policy Security Template.
• You can mirror the recommended Active Directory organizational structure (as recommended by both the Windows Server 2003 Security Guide and this guide) and then use the Group Policy Object Editor to import the policies into the appropriate organizational units. For specific information about this method, see "Deploying Exchange Group Policy Security Templates" later in this guide.

Important Because the "Deploying Exchange Group Policy Security Templates" section is written with the assumption that you understand how to harden Exchange 2003 servers, it is important that you read "Hardening Exchange 2003 Servers" first.
As with all software deployments, be sure to thoroughly test all recommended configurations in a test environment before you deploy in a production environment.

Note Running custom applications or third-party Exchange or Outlook plug-ins may require further configuration and testing.
Hardening the Windows Infrastructure

As previously mentioned, this guide assumes that you applied the configurations recommended in the Windows Server 2003 Security Guide. Before you harden your Exchange environment, you must complete the following two steps.

Important The recommendations and template settings in this guide were verified using the Windows Server 2003 "Enterprise Client" Group Policy Object (GPO) templates. If you plan to run Exchange 2003 in an environment where the Windows Server 2003 "High Security" GPO templates are deployed, additional testing and configurations may be necessary to provide full functionality. As noted in the Windows Server 2003 Security Guide, the "High Security" templates are very restrictive, and as a result, many applications may not function correctly. For this reason, performance may be impacted, and server management will be more challenging.

1. Deploy the Domain, Domain Controller, and Member Server Baseline policy templates throughout your forest. For information about how to deploy these templates, see Chapters 2, 3, and 4 in the Windows Server 2003 Security Guide (http://go.microsoft.com/fwlink/?LinkId=21638).
Note Exchange servers are considered to be member servers; therefore, be sure to apply the appropriate Member Server Baseline policy (Enterprise Client - Member Server Baseline.inf) to each Exchange server.
2. Deploy the Exchange Domain Controller Baseline Policy template (Exchange_2003-DC_Incremental_V1_1.inf) on all of the domain controllers in your organization. The Exchange_2003-DC_Incremental_V1_1.inf file is a security policy that allows Exchange to operate in a secured environment. The next section explains this policy in detail, including specific deployment steps.

Exchange Domain Controller Baseline Policy

The Exchange Domain Controller Baseline Policy modifies the domain controllers in your forest so they can support Exchange operations. This policy co-exists with the Domain Controller Baseline Policy that is recommended in Chapter 4, "Hardening Domain Controllers," of the Windows Server 2003 Security Guide. The Exchange Domain Controller Baseline Policy template (Exchange_2003-DC_Incremental_V1_1.inf) is included with this guide. You should import this template into a Group Policy object (GPO) at the Domain Controllers organizational unit in Active Directory Users and Computers, and it should precede the Domain Controller Baseline Policy supplied by Windows Server 2003.

Note The sequence of the policies on the Group Policy tab determines the order in which policies are applied; therefore, it is important that you place the Exchange Domain Controller Baseline Policy above the Windows Server 2003 Domain Controller Baseline Policy.
Table 1 lists the differences between the Windows Server 2003 Domain Controller Baseline Policy and the Exchange 2003 Domain Controller Baseline Policy. Each difference is explained following the table.

Table 1 Differences between the Windows Server 2003 and Exchange 2003 Domain Controller Baseline Policies

Option | Windows Server 2003 Domain Controller Baseline | Exchange 2003 Domain Controller Baseline Policy
Additional restrictions for anonymous connections | No access without explicit anonymous connections | None. Rely on default permissions, because Outlook versions previous to Outlook 2003 require anonymous connections
Shut down your system immediately if unable to log security audits | Enabled | Disabled
Account logon event auditing | Success and Failure | Failure
Logon event auditing | Success and Failure | Failure
Additional restrictions for anonymous connections

The anonymous restriction setting in Exchange 2003 differs from that of Windows Server 2003 because Outlook 2000 and Outlook 2002 clients contact the global catalog server anonymously for information. With settings defined in the Windows Server 2003 Security Guide, where anonymous queries to the global catalog server are restricted, Outlook 2000 and Outlook 2002 users are unable to send internal mail and must use external addresses. However, because Outlook 2003 authenticates with the global catalog server, it is not necessary to relax this security setting in a pure Outlook 2003 environment.

Note For more information about this issue, see Microsoft Knowledge Base article 309622, "XADM: Clients Cannot Browse the Global Address List After You Apply the Q299687 Windows 2000 Security Hotfix" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=309622).

Shut down your system immediately if unable to log security events

This setting is disabled because the logs are likely to fill quickly for logon failures, such as mistyped passwords.

Account logon event auditing and Logon event auditing

The Account logon event and Logon event auditing settings are modified because of the large number of success logon events that Exchange 2003 generates during normal operations. If success auditing is enabled for logon events, the security log is rapidly filled; therefore, the Exchange Domain Controller Baseline Policy logs only failure events.

Deploying the Exchange Domain Controller Baseline Policy template is most efficient if you import the Exchange_2003-DC_Incremental_V1_1.inf file into the Domain Controller organizational unit by means of the Group Policy property page.
To create the domain controller GPO and import the Exchange Domain Controller Baseline Policy template

1. In Active Directory Users and Computers, right-click Domain Controllers, and then click Properties.
2. On the Group Policy tab, click New to add a new Group Policy object.
3. Type Exchange DC Policy, and then press ENTER.
4. Click Edit. The Group Policy Object Editor opens.
5. In Group Policy Object Editor, under Computer Configuration, expand Windows Settings, right-click Security Settings, and click Import Policy.
Note If Import Policy does not appear on the menu, close Group Policy Object Editor and repeat Steps 4 and 5.
6. In Import Policy From, navigate to the directory where you saved the Exchange Group Policy Security Templates, and then double-click Exchange_2003-DC_Incremental_V1_1.inf.
7. Close Group Policy Object Editor, and then click OK.
8. In Domain Controllers Properties, select Exchange DC Policy, click Up until Exchange DC Policy is at the top of the list, click Apply, and then click OK.
9. After importing the policy, you must wait for replication to other domain controllers or use the Active Directory Sites and Services MMC snap-in to force replication. Replication ensures that all domain controllers are updated with the policy.
Note Although replication applies the policy, you must reboot the servers for the policies to take effect.
10. In the Event Log, to verify that the policy was downloaded successfully, search for the following Application Information event: SceCli 1704. Then, verify that the server can communicate with the other domain controllers in the domain.
11. Restart each domain controller one at a time to ensure that each reboots successfully and that the policies have taken effect.
Hardening Back-End Servers

After hardening the domain, domain controllers, and all member servers (in accordance with the Windows Server 2003 Security Guide), and after deploying the Exchange Domain Controller Baseline Policy, you are ready to harden your Exchange 2003 servers. There are four general configuration areas for hardening back-end servers:

Hardening services Many services are not used, but are enabled by default and should be disabled.
Hardening file access control lists (ACLs) There are some directories that can be hardened more securely than the default installation provides.
Changing privilege rights To allow Outlook Web Access users to log on, you must make one change in user privileges.
Enabling additional services (optional) Enable any additional services that are required for your organization.

Applying the Exchange_2003-Backend_V1_1.inf security template to your back-end servers is the most efficient mechanism for performing the hardening configurations that are described in this section. For information about how to deploy the Exchange Group Policy Security Templates, see "Deploying Exchange Group Policy Security Templates" later in this guide.

Important Before hardening the Exchange 2003 back-end servers, you should delete any public folder stores from all local Exchange computers that will not be used as public folder access points. Deleting the public folder stores before hardening the Exchange infrastructure allows replication of the deletions to occur. For information about how to delete the public folder store, see "Dismounting the Mailbox Store and Deleting the Public Folder Store" later in this guide.
Services

Table 2 lists the recommended baseline settings you should start with when hardening the services for an Exchange back-end server (the Exchange_2003-Backend_V1_1.inf file configures these settings automatically). All Internet-based mail retrieval protocols are disabled. The reason for this is to implement a hardened start-up configuration that requires you to enable each service as it is required.

Table 2 Service settings configured by Exchange_2003-Backend_V1_1.inf

Service Name | Startup Mode | Reason
Microsoft Exchange IMAP4 | Disabled | Server not configured for IMAP4
Microsoft Exchange Information Store | Automatic | Needed to access mailbox and public folder stores
Microsoft Exchange POP3 | Disabled | Server not configured for POP3
Microsoft Search | Disabled | Not required for core functionality
Microsoft Exchange Event | Disabled | Only needed for backwards compatibility with Exchange 5.5
Microsoft Exchange Site Replication Service | Disabled | Only needed for backwards compatibility with Exchange 5.5
Microsoft Exchange Management | Automatic | Required for message tracking to function and Exchange Server Best Practices Analyzer (ExBPA) functionality
Windows Management Instrumentation | Automatic | Required for Microsoft Exchange management
Microsoft Exchange MTA Stacks | Automatic | Only needed for backwards compatibility, mailbox moves, or if there are X.400 connectors on the computer
Microsoft Exchange System Attendant | Automatic | Needed for Exchange maintenance and other tasks
Microsoft Exchange Routing Engine | Automatic | Needed to coordinate message transfer between Exchange servers
IPSEC Policy Agent | Automatic | Needed to implement IPSec policy on server
IIS Admin Service | Automatic | Required by HTTP, SMTP, and the Exchange routing engine
NTLM Security Support Provider | Automatic | System Attendant depends on this service
Simple Mail Transfer Protocol (SMTP) | Automatic | Required for Exchange transport
World Wide Web Publishing Service | Automatic | Required for communication with servers running Outlook Web Access and Outlook Mobile Access
HTTP SSL | Manual | Starts automatically when required for the World Wide Web Publishing Service
Network News Transport Protocol (NNTP) | Disabled | Only needed for setup and newsgroup functionality
Remote Registry | Automatic | Required for Exchange Setup and remote administration

Note For the Exchange System Attendant to start, the following Windows services must be up and running:
• Event Log
• NTLM Security Support Provider
• RPC
• Server
• Workstation
Service Access Control Lists

The Group Policy Security templates use Security Descriptor Definition Language (SDDL) to apply permissions to services. This section describes which SDDL is used for specific services. For more information about SDDL, see "Security Descriptor Definition Language" (http://go.microsoft.com/fwlink/?LinkId=36849).

• SDDL: "D:AR(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This SDDL applies permissions to the following Exchange services:
• MSExchangeES
• IMAP4Svc
• MSExchangeIS
• MSExchangeMGMT
• MSExchangeMTA
• RESvc
• MSExchangeSRS
• MSExchangeSA
• MSSEARCH

This SDDL sets the following permissions on each of the above services:
• Authenticated Users – Read
• System – Full Control
• Builtin Administrators – Full Control
• Auditing for failures against the Everyone security principal

The SDDL defined for the following Windows services in the "Enterprise Client – Member Server Baseline.inf" template is inherited and is not optimal for Exchange. Therefore, the SDDL defined for the following services in the Exchange templates is the same as the Exchange-specific SDDL defined above:
• POP3Svc
• W3Svc
• IISAdmin
• SMTPSvc
• NNTPSvc
• HTTPFilter
• ClusSvc

The SDDL defined for the MSDTC service in the "Enterprise Client – Member Server Baseline.inf" template is not optimal for Exchange. Therefore, the SDDL defined by the "Enterprise Client – Member Server Baseline" template is modified slightly for the Exchange templates. The MSDTC service is set with the following SDDL:

"D:AR(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This SDDL sets the following permissions on the MSDTC service:
• Authenticated Users – Read
• System – Full Control
• Builtin Administrators – Full Control
• Auditing for failures against the Everyone security principal
• Network Services – Write and Special Permissions

The SDDL for the following Windows services has been copied directly from the "Enterprise Client – Member Server Baseline.inf" template and applied explicitly:
• Winmgmt
• PolicyAgent
• RemoteRegistry
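To check what the two SDDL strings in this section actually grant before importing a template, here is an added Python decoder written for this page (not Microsoft's code or API): it parses the D: and S: sections, maps the two-letter rights to their SERVICE_* meanings and the SID abbreviations to the principals named above, and summarizes each ACE. It handles only the subset of SDDL these templates use and raises on anything else.

```python
"""Decode the service SDDL strings from the Exchange 2003 security templates.

Added example for this page; it is a small parser of our own, not a
Microsoft API. It understands only what the templates above use: D: and S:
sections, ACE types A (allow), D (deny) and AU (audit), the two-letter
service access rights, and the well-known SID abbreviations. Anything else
raises ValueError rather than being silently misread.
"""
import re
from dataclasses import dataclass

# SDDL strings quoted in the guide (line-wrap spaces removed).
EXCHANGE_SERVICE_SDDL = (
    "D:AR(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
MSDTC_SDDL = (
    "D:AR(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPLORC;;;NS)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Two-letter generic rights as they map onto service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
WELL_KNOWN_SIDS = {
    "AU": "Authenticated Users", "BA": "Builtin Administrators",
    "SY": "Local System", "WD": "Everyone", "NS": "Network Service",
}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}
READ_RIGHTS = frozenset({"CC", "LC", "SW", "LO", "CR", "RC"})  # "Read"
FULL_RIGHTS = frozenset(SERVICE_RIGHTS)                        # "Full Control"

# D:<flags>(ace)(ace)...  and  S:<flags>(ace)...
SECTION_RE = re.compile(r"([DS]):([A-Z]*)((?:\([^()]*\))*)")
# (type;flags;rights;object_guid;inherit_guid;sid) with both GUIDs empty
ACE_RE = re.compile(r"\(([A-Z]+);([A-Z]*);([A-Z]*);;;([A-Z0-9-]+)\)")


@dataclass(frozen=True)
class Ace:
    section: str       # "DACL" or "SACL"
    kind: str          # Allow, Deny or Audit
    flags: str         # e.g. "FA" = audit failed access attempts
    rights: frozenset  # two-letter right codes
    trustee: str       # principal, expanded from the SID abbreviation


def split_rights(text):
    """Turn 'CCLCSW...' into a set of two-letter codes, rejecting unknown ones."""
    if len(text) % 2:
        raise ValueError(f"odd-length rights string {text!r}")
    codes = [text[i:i + 2] for i in range(0, len(text), 2)]
    unknown = [c for c in codes if c not in SERVICE_RIGHTS]
    if unknown:
        raise ValueError(f"unsupported right(s) {unknown} in {text!r}")
    return frozenset(codes)


def parse_sddl(sddl):
    """Return the ACEs of an SDDL string in the order they appear."""
    aces, covered = [], 0
    for m in SECTION_RE.finditer(sddl):
        section = "DACL" if m.group(1) == "D" else "SACL"
        for kind, flags, rights, sid in ACE_RE.findall(m.group(3)):
            if kind not in ACE_TYPES:
                raise ValueError(f"unsupported ACE type {kind!r}")
            aces.append(Ace(section, ACE_TYPES[kind], flags,
                            split_rights(rights), WELL_KNOWN_SIDS.get(sid, sid)))
        covered += len(m.group(0))
    if covered != len(sddl):
        raise ValueError("SDDL has parts outside the D:/S: sections handled here")
    return aces


def describe(ace):
    """One-line summary in the wording the guide uses (Read / Full Control)."""
    if ace.rights == FULL_RIGHTS:
        level = "Full Control"
    elif ace.rights == READ_RIGHTS:
        level = "Read"
    else:
        level = "Special (" + ", ".join(sorted(SERVICE_RIGHTS[c] for c in ace.rights)) + ")"
    if ace.kind == "Audit":
        outcome = {"FA": "failures", "SA": "successes", "SAFA": "successes and failures"}
        return f"Audit {outcome.get(ace.flags, ace.flags)}: {ace.trustee} ({level})"
    return f"{ace.trustee}: {ace.kind} {level}"


def summarize(sddl):
    return [describe(ace) for ace in parse_sddl(sddl)]


if __name__ == "__main__":
    for name, sddl in (("Exchange services", EXCHANGE_SERVICE_SDDL), ("MSDTC", MSDTC_SDDL)):
        print(name)
        for line in summarize(sddl):
            print("  " + line)
```

The MSDTC string decodes to the same four ACEs as the Exchange one plus a single Network Service allow ACE, which is the "Write and Special Permissions" entry in the list above.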
Key Services That Are Disabled

As previously mentioned, all non-essential services for a back-end Exchange server are disabled. In some cases, depending on the functionality you require, you may need to re-enable some services. To be consistent among your servers, you should use the security policies included with this guide or create your own policies to apply at the organizational unit level. The following list describes some of the services that are disabled:

Microsoft Exchange Event

Introduced in Exchange Server 5.5, the Microsoft Exchange Event service (MSExchangeES) supports server-side scripts triggered by folder events, either in public folders or individual mailboxes. MSExchangeES is provided in Exchange 2003 for backward compatibility with Exchange 5.5 event scripts. However, new applications written specifically for Exchange 2003 should use native Exchange store events instead of MSExchangeES. For more information about these new applications, see the Exchange 2003 Software Development Kit (SDK) available on MSDN (http://go.microsoft.com/fwlink/?LinkId=21641).

Microsoft Search

To provide increased functionality when searching for documents that reside in a store, the Microsoft Search service (MSSEARCH) creates and manages indexes for common key fields. An index allows Outlook users to search for documents more rapidly. With full-text indexing, the index is built prior to the client search, thereby enabling faster searches. Text attachments can also be included in the full-text indexing. Both the Microsoft Exchange Information Store service and MSSEARCH must be running for the index to be created, updated, or deleted.

Microsoft Exchange Site Replication Service

If an Exchange 2003 server belongs to an existing Exchange 5.5 site, the Microsoft Exchange Site Replication Service (MSExchangeSRS) is responsible for replicating Exchange 5.x site and configuration information to the configuration naming partition of Active Directory.

Microsoft Exchange POP3

The Microsoft Exchange POP3 service (POP3Svc) is responsible for providing POP3 access to mailboxes. By default, this service is disabled on new Exchange Server 2003 installations.

Microsoft Exchange IMAP4

The Microsoft Exchange IMAP4 service (IMAP4Svc) is responsible for providing IMAP4 access to mailboxes and public folders. By default, this service is disabled on new Exchange Server 2003 installations.

Network News Transfer Protocol (NNTP)

The NNTP service (NntpSvc) is responsible for providing NNTP access to newsgroups maintained in public folders. By default, this service is disabled on new Exchange Server 2003 installations.
File Access Control Lists

Table 3 lists the recommended file access control list (ACL) permission settings (the Exchange_2003-Backend_V1_1.inf file configures these settings automatically).

Table 3 File ACL settings configured by Exchange_2003-Backend_V1_1.inf

Directory | Old ACL | New ACL | Applied to Subdirectories?
%systemdrive%\Inetpub\mailroot | Everyone: Full Access | Administrators: Full Access; Local System: Full Access | Yes
%systemdrive%\Inetpub\nntpfile\ | Everyone: Full Access | Administrators: Full Access; Local System: Full Access | Yes
%systemdrive%\Inetpub\nntpfile\root | Everyone: Full Access | Everyone: Full Access | Yes
%ProgramFiles%\exchsrvr\ | Administrators: Full Access; Users: Read, Read & Execute, List Folder Contents; Server Operators: Modify, Read & Execute, List Folder Contents, Read, Write; CREATOR OWNER: Full Access (Sub Folders and Files Only) | Administrators: Full Access; Local System: Full Access; Server Operators: Modify, Read & Execute, List Folder Contents, Read, Write | All, except the ADDRESS, OMA, BIN, EXCHWEB and RES subdirectories
%ProgramFiles%\exchsrvr\OMA, \ADDRESS, \BIN, \EXCHWEB, \RES | Administrators: Full Access; Users: Read, Read & Execute, List Folder Contents; Server Operators: Modify, Read & Execute, List Folder Contents, Read, Write; CREATOR OWNER: Full Control (Sub Folders and Files Only) | Administrators: Full Access; Local System: Full Access; Users: Read, Read & Execute, List Folder Contents; Server Operators: Modify, Read & Execute, List Folder Contents, Read, Write | Yes
Note The settings defined on the nntpfile directory and subdirectories are not strictly required unless NNTP is configured to run on the server. However, the setting is defined in the Exchange_2003-Backend_V1_1.inf security template because it increases restrictions on the file system and is ready to use in case you want to enable NNTP at a later time.
Additionally, if you install Exchange in a directory other than %programfiles%\exchsrvr then you must modify the INF files and change the path accordingly.
Privilege Rights

After applying the Windows Server 2003 security policies, you only need to configure one privilege right to enable Outlook Web Access. Both the Outlook Web Access and public folders administration UI require that the Guests network logon be enabled. The Windows Server 2003 security policy sets the "Deny network logon" value to deny ANONYMOUS LOGON and the Guests group. The most efficient way to configure "Deny network logon" is to apply a group policy that denies only ANONYMOUS LOGON. If you deploy the Exchange 2003 Group Policy Security Templates, the Exchange_2003-Backend_V1_1.inf file sets this value correctly. If you are not deploying the Exchange 2003 Group Policy Security Templates, you can edit the existing Windows Server 2003 security policy.

To enable the Guests group in the Windows Server 2003 Baseline Security Policy

1. In Active Directory Users and Computers, right-click the organizational unit that contains both the Windows Server 2003 Baseline Security Policy and the Exchange servers, and then click Properties.
2. In Properties, on the Group Policy tab, select the Windows Server 2003 Baseline Security Policy, and then click Edit. The Group Policy Object Editor opens.
3. In Group Policy Object Editor, under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
4. In the details pane, double-click the Deny access to this computer from the network policy.
5. In Deny access to this computer from the network Properties, select Guests, and then click Remove.
6. Click Apply, and then click OK.

Note If you prefer to create your own group policy, you must add the following value under the [Privilege Rights] section:
SeDenyNetworkLogonRight = *S-1-5-7
This argument blocks only ANONYMOUS LOGON.
Enabling Additional Exchange Services

If you performed the procedures properly up to this point, you should have successfully hardened your Exchange back-end servers. Although your MAPI client, HTTP (Outlook Web Access) client, and SMTP should now function with your back-end server, your POP3 and IMAP4 clients will not be able to retrieve mail. If you have a front-end and back-end deployment that includes these protocols, you must also enable the appropriate POP3 and IMAP4 services on the Exchange back-end server. If this server is an NNTP server, you must also enable the NNTP service. The easiest way to enable these services is to import the corresponding Exchange 2003 protocol-specific security templates to the back-end servers that require additional client access. For example, if your organization provides POP3 access to mailboxes, after applying the Exchange 2003 security templates (or the recommended configurations) to the front-end POP3 server, you must apply the Exchange 2003 POP3 security template to the back-end server. This section discusses the services that you must enable to support NNTP. All other protocols are discussed in "Hardening Front-End Servers" later in this guide.

Exchange 2003 NNTP Server Policy

Table 4 lists the services that must be enabled to support NNTP (the Exchange 2003 NNTP.inf file configures these settings automatically). This security policy is applied only on an Exchange back-end server because NNTP is not deployed in the same manner as HTTP, POP3, and IMAP4, where a front-end protocol handler proxies requests to the back-end data store. In this context, NNTP is a "back-end" only protocol; therefore, for front-end servers, you should not enable NNTP in accordance with the settings in Table 4.

Table 4 Services configured to enable NNTP

Service Name | Startup Mode | Reason
Network News Transport Protocol (NNTP) | Automatic | Server is used for NNTP
Hardening Front-End Servers Hardening your Exchange front-end servers is similar to hardening the back-end server, with the optional (but recommended) step of configuring and running URLScan on your HTTP front-end servers. There are six general configuration areas for hardening font-end servers: Hardening services Many services are not used, but are enabled by default and should be disabled if the corresponding functionality is not required. Hardening file access control lists (ACLs) The file ACL configuration for the front-end servers is identical to that of the back-end servers.
Exchange Server 2003 Security Hardening Guide
20
Enabling additional services (optional) Enable any additional front-end services that are required for your organization Running URLScan (optional, but recommended) Although running URLScan is not required for the services to run, it is highly recommended as a mechanism for further hardening your front-end HTTP servers. Dismounting the mailbox store and deleting the public folder store (optional, but recommended) For front-end servers that are not SMTP front-end servers, you can dismount and delete these stores. Note If you plan to delete the public folder store, you should delete it before applying the Exchange security policies so the changes can replicate to the other Exchange servers.
Applying the Exchange_2003-Frontend_V1_1.inf security template (included with this guide) to your frontend servers is the most efficient mechanism for performing the hardening configurations that are described in this section. Furthermore, after you apply the Exchange_2003-Frontend_V1_1.inf template, you can use the protocol-specific security templates to enable the appropriate services. For information about how to deploy the Exchange Group Policy Security Templates, see "Deploying Exchange Group Policy Security Templates" later in this guide.
Before You Get Started Before you begin hardening the front-end servers in your organization, consider the following: •
Exchange 2003 includes the following applications: • Outlook Web Access • Outlook Mobile Access • Exchange Server ActiveSync® These applications allow your users to access Exchange information from their personal computers or mobile devices. These applications all use a combination of Hypertext Transfer Protocol (HTTP) and WebDAV. By default, Outlook Web Access and Exchange Server ActiveSync are enabled. Outlook Mobile Access is also installed by default, but the service is disabled on new installations of Exchange 2003.
•
POP3 and IMAP4 clients may also use front-end servers to access mailboxes. In these cases, they also use a front-end server as an SMTP gateway. Using a firewall server such as Internet Security and Acceleration (ISA) Server 2004 to regulate access for HTTP, RPC over HTTP, POP3, and IMAP4 protocol traffic is an essential building block for a more secure messaging system. For information about how to deploy ISA 2000 with Exchange 2003, see the technical article Using ISA Server 2000 with Exchange Server 2003 (http://go.microsoft.com/fwlink/?linkid=23232). For information about how to deploy ISA 2004 with Exchange 2003, see "Using ISA Server 2004 with Exchange Server 2003" (http://go.microsoft.com/fwlink/?linkid=42243). It is recommended that you isolate your ISA server in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet), allowing only the essential ports into your organization. The Exchange front-end server can then communicate freely with all Windows and Exchange services over IPSec. For a list of ports that Exchange 2003 may use, see Appendix C, "Ports Used in Exchange 2003" later in this guide. The IIS Lockdown (IISlockd.exe) tool is needed only for Windows 2000 Server. In Windows Server 2003, IIS Lockdown is a core part of Internet Information Services (IIS). If you are running Exchange 2003 on a server running Windows 2000, see the Microsoft Knowledge Base article 309677, "XADM: Known Issues and Fine Tuning When You Use the IIS Lockdown Wizard in an Exchange 2000 Environment" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=309677).
It is recommended that you use Secure Sockets Layer (SSL) and cookie authentication for Outlook Web Access. SSL helps maintain confidentiality by encrypting message traffic between the client and Exchange 2003. Cookie authentication improves security by timing out inactive, non-domain connections and forcing the user to re-authenticate after a period of inactivity. For more information about cookie authentication, see the book Exchange Server 2003 Administration Guide (http://go.microsoft.com/fwlink/?linkid=21769).
Services
Similar to hardening your back-end servers, it is important that you disable all non-essential front-end services. Afterward, you can enable these services on an "as-needed" basis. This section assumes that you have done one of the following:
• You already used Exchange System Manager to designate the server as an Exchange front-end server.
• You already configured the server as an SMTP gateway or bridgehead server.
Important Designating a computer as a front-end server reconfigures the protocol stacks to enable front-end and back-end deployments. If you deployed the Exchange_2003-Frontend_V1_1.inf security template before designating the server as a front-end server, you must manually start the Microsoft Exchange System Attendant service (and its dependencies), use Exchange System Manager to designate the server as a front-end server, and then restart the computer.
Table 5 lists the recommended baseline settings you should start with when hardening the services for an Exchange front-end server (the Exchange_2003-Frontend_V1_1.inf file configures these settings automatically).
Table 5 Service settings configured by Exchange_2003-Frontend_V1_1.inf
Service Name | Startup Mode | Reason
Microsoft Exchange IMAP4 | Disabled | Server not configured for IMAP4
Microsoft Exchange Information Store | Disabled | Not required as there is no mailbox store or public folder store
Microsoft Exchange POP3 | Disabled | Server not configured for POP3
Microsoft Search | Disabled | No message stores to search
Microsoft Exchange Event | Disabled | Only needed for backwards compatibility with Exchange 5.5
Microsoft Exchange Site Replication Service | Disabled | Only needed for backwards compatibility with Exchange 5.5
Microsoft Exchange Management | Automatic | Required for message tracking and Exchange Server Best Practices Analyzer (ExBPA) tool functionality
Windows Management Instrumentation | Automatic | Required for Microsoft Exchange management
Microsoft Exchange MTA Stacks | Disabled | Only needed for backwards compatibility or if there are X.400 connectors on the machine
Microsoft Exchange System Attendant | Disabled | Only needed if running Exchange maintenance and other tasks on this server
Microsoft Exchange Routing Engine | Disabled | Needed to coordinate message transfer between Exchange servers
IPSEC Policy Agent | Automatic | Needed to implement IPSec policy on server
IIS Admin Service | Disabled | Required if running the World Wide Web Publishing Service, SMTP, POP3, IMAP4, or NNTP services.
NTLM Security Support Provider | Automatic | System Attendant depends on this service
Simple Mail Transfer Protocol (SMTP) | Disabled | Required for Exchange transport
World Wide Web Publishing Service | Disabled | Required for communication with Outlook Web Access and Outlook Mobile Access servers
Network News Transport Protocol (NNTP) | Disabled | Only needed for setup and newsgroup functionality
Remote Registry | Automatic | Required for Exchange Setup and remote administration
Key Services That Are Disabled
As with the back-end configuration, you may need to re-enable some services to provide the functionality you require. The following list describes some of the services that are disabled:
Microsoft Exchange POP3, Microsoft Exchange IMAP4
If you do not have POP3 or IMAP4 clients, you can ensure that these services are disabled by group policy. However, before disabling these services, ensure that there are not any customized programs running in your environment that require these services.
Simple Mail Transfer Protocol (SMTP)
When a front-end server acts as an HTTP, POP3, or IMAP4 server, it does not strictly require SMTP. However, if you configured your front-end server to receive SMTP mail (either as a gateway server or as an SMTP submission server for IMAP4 or POP3 clients), you must enable the SMTP service (SMTPSVC). For virus scanners, the Microsoft Exchange Information Store service (MSExchangeIS) and the Microsoft Exchange System Attendant service (MSExchangeSA) are also required.
Microsoft Exchange System Attendant
On a front-end server, the System Attendant is required only if you want to make configuration changes to the server. Specifically, to make any changes to a server that uses the Exchange 2003 Front-end Security Policy (including designating the server as a front-end server), you must temporarily start the Microsoft Exchange System Attendant service (MSExchangeSA) and associated services first.
Microsoft Exchange Information Store
Because mail is not delivered to this server, the Microsoft Exchange Information Store service (MSExchangeIS) is not required. However, if the server is configured as an SMTP gateway server (without any user mailboxes or public folders), MSExchangeIS is required for virus scanning and to reliably route public folder mail.
Service Access Control Lists
The service access control list (ACL) settings for front-end servers are identical to the service ACL settings for back-end servers. For information about these service ACL settings, see "Service Access Control Lists" earlier in this guide.
Note The Exchange_2003-Frontend_V1_1.inf security template configures these settings automatically.
File Access Control Lists
The file access control list (ACL) settings for front-end servers are identical to the file ACL settings for back-end servers. For information about these file ACL settings, see "File Access Control Lists" in the "Hardening Back-End Servers" section.
Note The Exchange_2003-Frontend_V1_1.inf security template configures these settings automatically.
Enabling Additional Exchange Services
If you performed the procedures properly up to this point, you should have successfully hardened your Exchange front-end servers. However, to take advantage of Exchange 2003 services and features, you must enable protocol support for each type of client. This section explains which services you must enable to support the client protocols.
Important For POP3 and IMAP4 to function, you must configure both protocols on the front-end and the back-end servers.
Each of the following subsections corresponds to a specific security template included in the Exchange Group policy Security Templates. Installing these templates is the most efficient way to enable a protocol.
Exchange 2003 HTTP Server Policy
The Exchange 2003 HTTP security policy enables the HTTP service on the front-end servers.
Note If you followed the recommendations in this section, or if you are deploying the Exchange 2003 Group Policy Security Templates included with this guide, it is not necessary to enable this policy on the back-end server; both the security templates and the recommendations in this section assume HTTP access for the back-end server.
Table 6 lists the services that must be enabled to support HTTP (the Exchange 2003 HTTP.inf file configures these settings automatically).
Table 6 Services configured to enable HTTP
Service Name | Startup Mode | Reason
World Wide Web Publishing Service | Automatic | Server is used for HTTP
HTTP SSL | Manual | Starts automatically when required for the World Wide Web Publishing Service
IIS Admin Service | Automatic | Required if running the World Wide Web Publishing Service, SMTP, POP3, IMAP4, or NNTP services.
Exchange 2003 POP3 Server Policy
The Exchange 2003 POP3 security policy enables the POP3 service. If you are using POP3, you must apply this policy on the back-end server as well. Table 7 lists the services that must be enabled to support POP3 (the Exchange 2003 POP3.inf file configures these settings automatically).
Table 7 Services configured to enable POP3
Service Name | Startup Mode | Reason
Microsoft Exchange POP3 | Automatic | Server is used for POP3
IIS Admin Service | Automatic | Required if running the World Wide Web Publishing Service, SMTP, POP3, IMAP4, or NNTP services.
Exchange 2003 IMAP4 Server Policy
The Exchange 2003 IMAP4 security policy enables the IMAP4 service. If you are using IMAP4, you must apply this policy on the back-end server as well. Table 8 lists the services that must be enabled to support IMAP4 (the Exchange 2003 IMAP4.inf file configures these settings automatically).
Table 8 Services configured to enable IMAP4
Service Name | Startup Mode | Reason
Microsoft Exchange IMAP4 | Automatic | Server is used for IMAP4
IIS Admin Service | Automatic | Required if running the World Wide Web Publishing Service, SMTP, POP3, IMAP4, or NNTP services.
Exchange 2003 SMTP Server Policy
The Exchange 2003 SMTP security policy enables the SMTP service.
Note If you followed the recommendations in this section, or if you are deploying the Exchange 2003 Group Policy Security Templates included with this guide, it is not necessary to enable this policy on the back-end server; both the security templates and the recommendations in this section assume SMTP functionality for the back-end server.
Table 9 lists the services that must be enabled to support SMTP (the Exchange 2003 SMTP.inf file configures these settings automatically). These settings are also the default settings after a typical Exchange 2003 installation.
Table 9 Services configured to enable SMTP
Service Name | Startup Mode | Reason
Simple Mail Transfer Protocol (SMTP) | Automatic | Server is used for SMTP
IIS Admin Service | Automatic | Required if running the World Wide Web Publishing Service, SMTP, POP3, IMAP4, or NNTP services.
Microsoft Exchange Information Store | Automatic | Used by virus scanners, SMTP.
Microsoft Exchange System Attendant | Automatic | Required for Exchange maintenance and other tasks
Microsoft Exchange MTA Stacks | Enabled | Used for error handling of some messages
Microsoft Exchange Routing Engine | Automatic | Used to coordinate message transfer between Exchange servers
URLScan
URLScan.exe screens all incoming HTTP requests to an IIS server and allows only those that comply with a specific rule set to pass. This helps ensure that the server responds only to valid requests, thereby significantly improving security. URLScan allows you to filter requests based on length, character set, content, and other factors. For more information about URLScan, including download and installation instructions, see the URLScan Security Tool website (http://go.microsoft.com/fwlink/?LinkId=24490).
Configuring Exchange 2003 URLScan
URLScan is configured manually by editing a configuration text file called urlscan.ini. After you install URLScan, this file is located in the following folder: <WinDir>\System32\Inetsrv\Urlscan
It is highly recommended that you configure URLScan in accordance with the instructions in Microsoft Knowledge Base article 823175, "Fine-tuning and known issues when you use the Urlscan utility in an Exchange 2003 environment" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=823175).
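As an added illustration of the kind of screening URLScan performs (this is example code written for this page, not the URLScan tool or a Microsoft-supplied configuration): a small Python model that reads a urlscan.ini-style fragment and applies its verb allow list, URL length limit, normalization check, high-bit character and dot-in-path rules, and extension deny list to constructed request lines. The section and option names follow the urlscan.ini layout, but the values, the WebDAV verbs listed, and the sample requests are assumptions chosen for an Outlook Web Access front end; take the real settings from Knowledge Base article 823175.

```python
"""Model of URLScan-style request screening (added example; not URLScan itself)."""
from configparser import ConfigParser
from urllib.parse import unquote, urlsplit

# Constructed urlscan.ini fragment. Section and option names follow the
# urlscan.ini layout; the values are assumptions for an Outlook Web Access
# front end and are not the settings recommended in KB 823175.
URLSCAN_INI = """
[options]
UseAllowVerbs=1
AllowDotInPath=1
AllowHighBitCharacters=1
VerifyNormalization=1

[AllowVerbs]
GET
HEAD
POST
PROPFIND
PROPPATCH
SEARCH

[DenyExtensions]
.exe
.bat
.cmd
.htr

[RequestLimits]
MaxUrl=2048
"""


def load_config(text):
    """Parse urlscan.ini text; bare lines under [AllowVerbs]/[DenyExtensions] become keys."""
    cfg = ConfigParser(allow_no_value=True, delimiters=("=",), interpolation=None)
    cfg.optionxform = str  # keep verb and extension names exactly as written
    cfg.read_string(text)
    return cfg


def screen_request(cfg, method, url):
    """Return (allowed, reason) for one request, applying the configured rules in turn."""
    opts, limits = cfg["options"], cfg["RequestLimits"]
    if opts.getint("UseAllowVerbs", 0) and method.upper() not in cfg["AllowVerbs"]:
        return False, f"verb {method} not in AllowVerbs"
    if len(url) > limits.getint("MaxUrl", 260):
        return False, "URL longer than MaxUrl"
    path = urlsplit(url).path
    decoded = unquote(path)
    # A URL that still changes when decoded a second time carries double-encoded
    # characters, which is what a normalization check is meant to catch.
    if opts.getint("VerifyNormalization", 1) and unquote(decoded) != decoded:
        return False, "URL not normalized (double-encoded characters)"
    if not opts.getint("AllowHighBitCharacters", 0) and any(ord(c) > 127 for c in decoded):
        return False, "high-bit character in URL"
    segments = decoded.split("/")
    # With AllowDotInPath=0 a dot anywhere except the final segment is rejected,
    # which would block mailbox paths such as /exchange/jane.doe/.
    if not opts.getint("AllowDotInPath", 0) and any("." in s for s in segments[:-1]):
        return False, "dot in directory part of path"
    denied = {e.lower() for e in cfg["DenyExtensions"]}
    if "." in segments[-1]:
        ext = "." + segments[-1].rsplit(".", 1)[1].lower()
        if ext in denied:
            return False, f"extension {ext} in DenyExtensions"
    return True, "ok"


# Constructed request lines; /exchange/jane.doe/ is a sample mailbox path.
SAMPLE_REQUESTS = [
    ("GET", "/exchange/jane.doe/Inbox/"),
    ("PROPFIND", "/exchange/jane.doe/Calendar/"),
    ("TRACE", "/exchange/"),
    ("GET", "/scripts/tool.exe"),
    ("GET", "/exchange/%2541bc/Inbox/"),
    ("GET", "/exchange/" + "a" * 3000),
]


def screen_all(cfg, requests=SAMPLE_REQUESTS):
    """Screen every sample request; keys are shortened for display."""
    return {f"{m} {u[:40]}": screen_request(cfg, m, u) for m, u in requests}


if __name__ == "__main__":
    for line, (ok, why) in screen_all(load_config(URLSCAN_INI)).items():
        print("ALLOW" if ok else "DENY ", line, "-", why)
```

The first two requests pass only because the constructed configuration sets AllowDotInPath=1 and lists the WebDAV verb PROPFIND; with the URLScan defaults both would be rejected, which is the kind of Exchange-specific adjustment the Knowledge Base article above covers.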
Dismounting the Mailbox Store and Deleting the Public Folder Store
Because a front-end server's role is to forward requests to the back-end servers, you may not need Exchange mailboxes or public folders on the front-end servers. The back-end Exchange server manages these stores. If the front-end server is not an SMTP front-end server, you can dismount and delete these stores. To replicate the public folder deletions to other Exchange servers, you should delete the public folder stores before you harden the servers.
To dismount and delete the mailbox and public folder databases
1. Start the Services administrative tool.
2. In the details pane, right-click NT LM Security Support Provider, and then click Properties.
3. On the General tab, in the Startup Type list, select Automatic.
4. Click Apply, click Start, and then click OK.
5. Repeat Steps 2 through 4 for the Microsoft Exchange System Attendant service. If SMTP is running on this server, you must also start the Microsoft Exchange Information Store service.
6. Start Exchange System Manager on the front-end server.
7. Expand Servers, expand the front-end server, and then expand First Storage Group.
8. If the mailbox store is mounted, right-click Mailbox Store, click Dismount Store, and then click Yes to dismount the mailbox store.
9. Right-click Mailbox Store, and then click Properties.
10. On the Database tab, select the Do not mount this store at start-up check box, and then click OK.
11. If the public folder store is mounted, right-click Public Folder Store, click Dismount Store, and then click Yes to dismount the public folder store.
12. Right-click Public Folder Store, and then click Delete.
13. Click Yes, click OK, select a back-end server, and then click OK.
14. Click Yes to delete the public folder store, and then click OK.
15. Restart the front-end server.
Note If you installed the Exchange_2003-Frontend_V1_1.inf security template on this computer, you do not need to disable the NTLM Security Support Provider and the Microsoft Exchange System Attendant again; this occurs automatically when the server is rebooted.
Deploying the Exchange Group Policy Security Templates
In Windows Server 2003, you can define many security settings, including auditing, security options, registry settings, file permissions, and service settings using group policy objects. The Windows Server 2003 Security Guide provides recommendations for many of these settings, and many of these settings apply for Exchange 2003. As previously mentioned, the main area where additional settings are applied is for services, although there are some file permission changes and, for domain controllers, registry changes. This section explains how to organize your Active Directory structure to support deployment of the Exchange Group Policy Security Templates at the organizational unit level. The previous sections provided steps for installing the individual security templates on each local machine or manually configuring the recommended settings. In comparison, deploying the Exchange Group Policy Security Templates (in accordance with the recommended organizational unit structure presented in this section) is more predictable and less prone to configuration problems. Using organizational units and Group Policy objects (GPOs) to deploy the security templates helps ensure that all servers within a given organizational unit are configured identically.
Important This section is intended to build directly on the specific organizational unit recommendations of the Windows Server 2003 Security Guide. It is critical, however, that you read "Hardening Exchange 2003 Servers" in its entirety.
Active Directory Structure to Support Exchange 2003 Server Roles
The Windows Server 2003 Security Guide recommends an organizational unit structure that allows you to easily adopt the security templates supplied with that guide. Because Exchange 2003 is a directory-enabled application, the Windows Server 2003 organizational unit structure can be easily extended to incorporate the new server roles defined in this section.
• Within the Member Servers organizational unit, create two new organizational units called Exchange Back-end Servers and Exchange Front-end Servers. If you have numerous NNTP servers, you may want to create an organizational unit for them within the Exchange Back-end Servers organizational unit.
• Within the Exchange Front-end Servers organizational unit, create separate organizational units for the following (as necessary for the client services in your organization):
  • Exchange 2003 SMTP Servers
  • Exchange 2003 HTTP Servers
  • Exchange 2003 POP3 Servers
  • Exchange 2003 IMAP4 Servers
You can also combine server roles into a single organizational unit. For example, if your organization runs IMAP4 and POP3 services on the same computer, you can create a single organizational unit called IMAP4 and POP3 Servers. The security policies included with this guide are additive; therefore, providing that you pay close attention to the sequence of the policies, you can apply multiple policies to a single organizational unit. Figure 1 illustrates the recommended organizational unit structure to accommodate the new server roles, including which security policy and security template (.inf file) corresponds to each organizational unit.
Figure 1 Organizational unit structure with additional Exchange 2003 organizational units
Note Creating the organizational unit structure to support the recommendations in this guide is discussed in much more detail in the Windows Server 2003 Security Guide (http://go.microsoft.com/fwlink/?LinkId=21638).
Because the Exchange 2003 servers reside in organizational units below the Member Servers organizational unit, the servers inherit settings that are defined in the Windows Server 2003 Member Server Baseline Policy. The Exchange policies modify these settings in two ways:
• Some services that are not required for basic Windows Server 2003 functionality are necessary in Exchange 2003.
• Exchange 2003 introduces many additional services, not all of which are required to allow the Exchange servers to function in their particular roles.
Securing Server Roles in Exchange 2003
The Exchange Group Policy Security Templates are included with this guide to help you secure server roles in your Exchange 2003 environment. To apply the templates, you must import them into your Group Policy settings. Table 12 lists how server roles correspond to the security templates.
Important In Table 12, the sequence of the security templates corresponds to the order in which they are applied, not the order in which they should appear in the GPO list. In fact, because the Group Policies are implemented from the top of the list down, the order in which the templates should appear in the GPO list is exactly opposite.
Table 12 Exchange 2003 server roles and corresponding security templates
Server Role | Description | Security Templates (in order of application)
Exchange 2003 back-end server | Server for mailbox and public folder access; when using POP3, IMAP4, or NNTP, include the corresponding incremental template | Windows Server 2003 baseline template (Enterprise Client); Exchange_2003-Backend_V1_1.inf
Exchange 2003 front-end server | Common settings for all front-end servers; disables all protocols; must apply a specific protocol for the server to function. | Windows Server 2003 baseline template (Enterprise Client); Exchange_2003-Frontend_V1_1.inf
Exchange 2003 HTTP server | Dedicated front-end server for HTTP; used by Outlook Web Access, Outlook Mobile Access, Exchange Server ActiveSync, and WebDAV applications | Windows Server 2003 baseline template (Enterprise Client); Exchange_2003-Frontend_V1_1.inf; Exchange_2003-HTTP_V1_1.inf
Exchange 2003 POP3 server | Dedicated front-end server for POP3, or added incrementally to an Exchange 2003 back-end server | Windows Server 2003 baseline template (Enterprise Client); Exchange_2003-Frontend_V1_1.inf; Exchange_2003-POP3_V1_1.inf
Exchange 2003 IMAP4 server | Dedicated front-end server for IMAP4, or added incrementally to an Exchange 2003 back-end server | Windows Server 2003 baseline template (Enterprise Client); Exchange_2003-Frontend_V1_1.inf; Exchange_2003-IMAP4_V1_1.inf
Exchange 2003 NNTP server | Added incrementally to an Exchange 2003 back-end server | Windows Server 2003 baseline template (Enterprise Client); Exchange_2003-Backend_V1_1.inf; Exchange_2003-NNTP_V1_1.inf
Exchange 2003 SMTP server | Dedicated Internet-facing gateway server for SMTP or bridgehead | Windows Server 2003 baseline template (Enterprise Client); Exchange_2003-Frontend_V1_1.inf; Exchange_2003-SMTP_V1_1.inf
For front-end servers, any combination of HTTP, POP3, IMAP4, and SMTP policies can be applied on top of the Exchange_2003-Frontend_V1_1.inf policy. In fact, because the Exchange_2003-Frontend_V1_1.inf security policy turns off all Internet client protocols, you must apply all of those protocol security policies after deploying Exchange_2003-Frontend_V1_1.inf. For back-end servers, any combination of POP3, IMAP4, and NNTP can be applied on top of the Exchange_2003-Backend_V1_1.inf policy.
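The additive ordering described above, and the service startup modes of Tables 5 and 6 that it produces, as an added example (this is code written for this page, not the guide's tooling or Microsoft code): a Python parser for the [Service General Setting] section of a secedit-style .inf template, applied template by template so that a later template overrides an earlier one, plus a check of a host's actual startup modes against the policy-derived result. The template fragments, the service short names other than SMTPSVC, MSExchangeIS and MSExchangeSA (which the guide itself uses), the abbreviated SDDL strings and the host snapshot are constructed assumptions, not the contents of the real Exchange_2003-*.inf files.

```python
"""Apply secedit-style security templates additively and audit a host (added example)."""
import csv

# Startup codes used in the [Service General Setting] section of a secedit template.
START_MODE = {"2": "Automatic", "3": "Manual", "4": "Disabled"}

# Constructed fragments modelled on a secedit .inf: one "service,startup,SDDL"
# line per service. Service short names other than SMTPSVC, MSExchangeIS and
# MSExchangeSA, and the shortened SDDL strings, are assumptions.
FRONTEND_INF = """
[Unicode]
Unicode=yes
[Service General Setting]
MSExchangeIMAP4,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
MSExchangeIS,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
MSExchangePOP3,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
MSExchangeSA,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
IISADMIN,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
SMTPSVC,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
W3SVC,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
PolicyAgent,2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
NtLmSsp,2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
RemoteRegistry,2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""

HTTP_INF = """
[Service General Setting]
W3SVC,2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
HTTPFilter,3,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
IISADMIN,2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""


def parse_service_settings(inf_text):
    """Return {service: (startup mode, SDDL)} from the [Service General Setting] section."""
    settings, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service General Setting":
            name, start, sddl = next(csv.reader([line]))  # SDDL is a quoted field
            settings[name] = (START_MODE[start], sddl)
    return settings


def apply_templates(templates):
    """Effective startup modes after applying templates in order (later wins)."""
    state = {}
    for template in templates:
        state.update(parse_service_settings(template))
    return {svc: mode for svc, (mode, _sddl) in state.items()}


def audit_host(expected, actual):
    """Services whose startup mode on the host differs from the policy-derived one."""
    return sorted((svc, mode, actual.get(svc, "missing"))
                  for svc, mode in expected.items() if actual.get(svc) != mode)


# Constructed snapshot of a front-end server's startup modes, as an administrator
# might record them from the Services tool; MSExchangeIS was left running.
SAMPLE_HOST = {
    "MSExchangeIMAP4": "Disabled", "MSExchangeIS": "Automatic",
    "MSExchangePOP3": "Disabled", "MSExchangeSA": "Disabled",
    "IISADMIN": "Automatic", "SMTPSVC": "Disabled", "W3SVC": "Automatic",
    "PolicyAgent": "Automatic", "NtLmSsp": "Automatic",
    "RemoteRegistry": "Automatic", "HTTPFilter": "Manual",
}

if __name__ == "__main__":
    right = apply_templates([FRONTEND_INF, HTTP_INF])
    wrong = apply_templates([HTTP_INF, FRONTEND_INF])
    print("W3SVC with Frontend then HTTP:", right["W3SVC"])
    print("W3SVC with HTTP then Frontend:", wrong["W3SVC"])
    print("deviations on sample host:", audit_host(right, SAMPLE_HOST))
```

Applying the HTTP template before the front-end template leaves the World Wide Web Publishing Service disabled, which is the ordering mistake the Important note on Table 12 warns about; the audit output is what you would expect to be empty after gpupdate and a restart.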
Importing the Exchange Group Policy Security Templates
The Exchange Group Policy Security Templates are contained in the E2k3SecOps.exe file (included with this guide). You must extract this file prior to importing the security templates. These security templates are designed to increase the security in your Exchange 2003 environment. However, when you import these templates, you may lose functionality in your environment, which could include the failure of mission-critical applications. Therefore, it is essential that you thoroughly test these templates and make any appropriate changes before deploying them in a production environment. Be sure to include custom applications, third-party applications, and other software that interacts with your messaging system in your testing. Also, be sure to back up each domain controller and server prior to applying new security settings. Ensure that the system state is included in the backup, including registry data and Active Directory databases.
Note The Domain Controller Baseline Policy and the Member Server Baseline Policy (included in the Windows Server 2003 Security Guide) set the LAN Manager Authentication level to NTLMv2 only. For Outlook clients to successfully communicate with Exchange servers and domain controllers, they must also be configured to use NTLMv2.
The following procedure imports the Exchange Group Policy Security Templates included with this guide into the organizational unit structure suggested earlier in this chapter.
To create the Exchange GPOs and import the Exchange Group Policy Security Templates
1. In Active Directory Users and Computers, expand Member Servers, right-click Exchange Back-End Servers, and then click Properties.
2. On the Group Policy tab, click New to add a new Group Policy object (GPO).
3. Type Exchange Back-End Policy, and then press ENTER.
4. Click Edit.
5. In Group Policy Object Editor, under Computer Configuration, expand Windows Settings, right-click Security Settings, and then click Import Policy.
Note If Import Policy does not appear on the menu, close Group Policy Object Editor and repeat Steps 4 and 5.
6. In Import Policy From, navigate to the location where you saved the Exchange Group Policy Security Templates, and then double-click Exchange_2003-Backend_V1_1.inf.
7. Close Group Policy Object Editor, and then click OK.
8. Repeat Steps 1 through 7 for the Exchange 2003 Front-end Servers organizational unit (using the Exchange_2003-Frontend_V1_1.inf template) and for each protocol that your organization uses.
9. In the Active Directory site where the Exchange servers reside, verify that all domain controllers are updated with the new Exchange Group Policy Security templates. Depending on your Active Directory environment, it may take several minutes for the new Exchange Group Policy Security templates to be replicated to all domain controllers in the site. To force Active Directory replication within the site, you can use the Active Directory Sites and Services MMC snap-in or the Windows Support tool, Repadmin.exe. For more information about both methods, see Microsoft Knowledge Base article 232072, "Initiating Replication Between Active Directory Direct Replication Partners" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=232072).
10. If you have not yet moved the servers from the root Member Server organizational unit, move a server for each role into the appropriate organizational unit.
11. On the server, download the policy: at the command prompt, type gpupdate /force.
12. Restart each server to ensure that each reboots successfully and that the policies have taken effect.
Working with a Hardened Exchange Server
If you successfully performed the procedure from the previous section, you have moved your existing Exchange servers into the appropriate organizational units, thereby increasing the level of security in your environment. To maximize your security, you must move new servers into the appropriate organizational unit prior to installing Exchange.
Note Any configuration changes that you make on a hardened front-end server require that the Microsoft Exchange System Attendant service is running. The Microsoft Exchange System Attendant service writes configuration changes to the IIS metabase, which is essential for most configuration changes made to a front-end server.
Although your hardened Exchange environment allows core Exchange services to run, it does not, by default, allow you to install or upgrade Exchange. The following procedure shows you how to install or upgrade Exchange on hardened servers. Note When installing Exchange 2003 on a hardened server, you will receive "Digital Signature Not Found" errors. This error results from the increased security on the server and can be bypassed.
To install Exchange 2003 on a hardened server
1. Start the Services administrative tool.
2. In the details pane, right-click Distributed Transaction Coordinator, and then click Properties.
3. On the General tab, in the Startup Type list, select Automatic.
4. Click Apply.
5. Click Start.
6. Click OK.
7. Repeat Steps 2 through 6 for the Network News Transport Protocol (NNTP) and Windows Installer services.
Note If you are performing these steps on a server in the Exchange 2003 Front-End organizational unit, repeat Steps 2 through 6 for the Windows Management Instrumentation service.
8. Install Exchange 2003.
Note When installing Exchange 2003, at the end of Setup, a dialog box may appear indicating a non-fatal setup error occurred because the Microsoft Search service did not start. This is expected when installing a hardened server and can be bypassed.
9. Start the Services administrative tool.
10. In the details pane, right-click Distributed Transaction Coordinator, and then click Properties.
11. On the General tab, in the Startup Type list, select Disabled.
12. Click Apply.
13. Click Stop.
14. Click OK.
15. Repeat Steps 9 through 14 for the Network News Transport Protocol (NNTP) and Windows Installer services.
The incremental policies for Exchange front-end and back-end servers enable NTLMv2. This allows the Exchange servers to communicate with your hardened domain controllers. If you do not place your servers in the appropriate organizational unit prior to installing Exchange, the servers will not be able to contact domain controllers.
Appendixes
Appendix A: Using Permissions and Administrative Roles to Control Access
As with any application in your environment, when you define the permissions for Exchange, you should consider the roles of your Exchange administrators and assign them only the necessary permissions. To simplify the process, Exchange 2003 uses administrative roles. An administrative role is a collection of Exchange 2003 objects for the purpose of managing and delegating permissions. An administrative role may contain policies, routing groups, public folder hierarchies, and servers. For example, if your organization has two sets of administrators who manage two sets of Exchange 2003 servers, you can create two administrative groups that contain both sets of servers. Based on your administrative model, you can develop an administrative plan that fits your needs. To easily assign role permissions to administrative groups (and to the Exchange organization), you can use the Exchange Administration Delegation Wizard. To use the wizard, you must be logged on as a user with Full Control over the Exchange organization. To start the Exchange Administration Delegation Wizard, in Exchange System Manager, right-click the organization or administrative group, and then click Delegate Control. Table A.1 lists the administrative roles in Exchange 2003.
Table A.1 Administrative Roles in Exchange Server 2003
Role | Description
Exchange View Only | Grants permissions to list and read the properties of all objects below that container. Unless the administrator will need to modify object properties, always assign this role.
Exchange Administrator | Grants all permissions except for the ability to take ownership, change permissions, or open user mailboxes. If the administrator will need to add objects or modify object properties, but will not be required to delegate permissions on the objects, assign this role.
Exchange Full Administrator | Grants all permissions to all objects below that container except for the ability to open user mailboxes or impersonate a user's mailbox, including the ability to change permissions. Assign this role only to administrators who are required to delegate permissions to objects.
Installing Exchange 2003 requires Exchange Full Administrator permissions. The first server in any domain (including the very first in the forest) requires Exchange Full Administrative privileges at the organization level. Additional servers in the same domain can be installed with accounts that have Exchange Full Administrative privileges at the Administrative Group level.
In some cases, the Exchange Administration Delegation Wizard does not provide enough granularity for assigning security permissions. Therefore, for individual objects within Exchange, you can modify the settings on the Security tab. However, by default, the Security tab is displayed only on the following objects:
• Address lists
• Global address lists
• Databases (mailbox stores and public folder stores)
• Top level public folder hierarchy
Normally, it is not necessary to modify the security options on other Exchange objects; however, it is possible to display the Security tab on all Exchange objects. The following procedure shows you how to display the Security tab on all Exchange objects.
Note Use caution when changing permissions on Exchange objects. If you incorrectly assign "deny" permissions, you may not be able to view some objects in Exchange System Manager.
Warning Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
To display the Security tab on all Exchange objects
1. Start Registry Editor (regedit).
2. Navigate to the following key: HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin
3. On the Edit menu, click Add Value, and then add the following registry value:
Value Name: ShowSecurityPage
Data Type: REG_DWORD
Value: 1
4. Close Registry Editor. This change takes effect immediately; you do not need to restart Exchange System Manager.
Note Because you are modifying a key within HKEY_CURRENT_USER, the change only affects the user who is logged on to the computer on which you are working.
Appendix B: Upgrading from Exchange 2000
When upgrading from Exchange 2000 to Exchange 2003, Exchange 2003 ForestPrep and Exchange 2003 Setup configure most of the "secure-by-default" settings that are implemented with new Exchange 2003 installations. This section explains which security settings are configured automatically during an upgrade and which should be configured manually.
Message Limits
One of the most effective denial-of-service attacks occurs when a messaging system is inundated with large messages (20+ MB). This type of attack forces the messaging server to move large blocks of data, which could impact a computer's input/output (I/O) to the extent that mail service is delayed or interrupted. As a response to this type of attack, Exchange 2003 sets all message limits to 10 MB (1024 KB). This includes messages that are sent from and received by the Exchange organization. In addition, a 10 MB message size limit is imposed for all messages posted to public folders.
During an upgrade, Exchange Setup does not change limits that have already been set. Exchange Setup only imposes these settings if the limits are set to No limit. To configure the settings for sending and receiving messages, in Exchange System Manager, use the Defaults tab in Global Message Delivery properties. To configure the maximum message size settings for public folders, in Exchange System Manager, use the Limits tab in Public Folder Store properties.
Exchange 2003 also provides message limits for MIME. These limits are also imposed when upgrading to Exchange 2003. Table B.1 describes these settings.
Note  If a MIME limit is reached, a non-delivery report (NDR) is sent back to the sender.

Table B.1 MIME Limits

Limit                    Value             Description
Nesting levels           30                Number of nested MIME parts per message.
Body parts               250               Maximum number of body parts in any given message.
Message ID header size   1877 bytes        Maximum size of the Message-ID header.
Subject header size      2000 bytes        Maximum size of the subject header.
MIME header size         2000 bytes each   Maximum size of any one of the following headers: Content-Type, Content-Description, Content-Disposition, Content-Transfer-Encoding, Content-ID, Content-Base, Content-Location.
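To make the Table B.1 limits concrete, the following added example (not code from the guide or from Exchange) walks a raw message, counts MIME entities and their nesting depth from the multipart boundaries, and measures the listed headers in UTF-8 bytes. The sample message is constructed for this example; its Subject is deliberately longer than 2000 bytes. Two interpretations are assumptions of the example rather than statements of the guide: "nesting level" is taken as the deepest multipart depth reached (the top-level message is depth 0), and "body parts" is taken as the number of MIME entities, including the top-level message; header size is measured on the unfolded header line including its name.

```powershell
# Added example (not from the guide): check a raw MIME message against Table B.1.
$MimeLimits = @{ NestingLevels = 30; BodyParts = 250; MessageIdBytes = 1877; SubjectBytes = 2000; MimeHeaderBytes = 2000 }
$SizedMimeHeaders = 'Content-Type', 'Content-Description', 'Content-Disposition',
                    'Content-Transfer-Encoding', 'Content-ID', 'Content-Base', 'Content-Location'

function Unfold-Headers {
    param([string[]]$Lines)
    # Join folded continuation lines (leading whitespace) back onto the previous header line.
    $out = @()
    foreach ($l in $Lines) {
        if ($l -match '^\s' -and $out.Count -gt 0) { $out[-1] += ' ' + $l.Trim() } else { $out += $l }
    }
    return ,$out
}

function Get-MimeEntityHeaders {
    param([string]$RawMessage)
    # One object per MIME entity (top-level message plus every body part) with its
    # unfolded headers and nesting depth. Depth is the number of multipart boundaries
    # open when the entity starts, tracked with a stack.
    $boundaryStack = New-Object System.Collections.Stack
    $entities = @(); $current = @(); $inHeaders = $true
    foreach ($raw in ($RawMessage -split "`r?`n")) {
        $line = $raw.TrimEnd()
        if ($inHeaders) {
            if ($line -eq '') {
                $headers = Unfold-Headers $current
                $entities += [pscustomobject]@{ Depth = $boundaryStack.Count; Headers = $headers }
                # A multipart entity declares the boundary that introduces its children.
                $ct = $headers | Where-Object { $_ -match '^Content-Type:' } | Select-Object -First 1
                if ($ct -and $ct -match 'boundary="?([^";]+)"?') { $boundaryStack.Push($Matches[1]) }
                $current = @(); $inHeaders = $false
            } else { $current += $line }
            continue
        }
        if ($boundaryStack.Count -gt 0) {
            $top = $boundaryStack.Peek()
            if ($line -eq "--$top--")   { [void]$boundaryStack.Pop() }   # closing delimiter: parent is done
            elseif ($line -eq "--$top") { $inHeaders = $true }           # next child part begins
        }
    }
    return ,$entities
}

function Test-MimeLimits {
    param([string]$RawMessage, [hashtable]$Limits = $MimeLimits)
    # Returns a list of limit violations (empty when the message is within Table B.1).
    $entities = Get-MimeEntityHeaders $RawMessage
    $violations = @()
    $maxDepth = ($entities | Measure-Object -Property Depth -Maximum).Maximum
    if ($maxDepth -gt $Limits.NestingLevels) { $violations += "Nesting levels: $maxDepth > $($Limits.NestingLevels)" }
    if ($entities.Count -gt $Limits.BodyParts) { $violations += "Body parts: $($entities.Count) > $($Limits.BodyParts)" }
    foreach ($e in $entities) {
        foreach ($h in @($e.Headers)) {
            $name  = ($h -split ':', 2)[0]
            $bytes = [System.Text.Encoding]::UTF8.GetByteCount($h)   # size of the unfolded header line
            $limit = switch ($name) {
                'Message-ID' { $Limits.MessageIdBytes }
                'Subject'    { $Limits.SubjectBytes }
                { $SizedMimeHeaders -contains $_ } { $Limits.MimeHeaderBytes }
                default      { $null }
            }
            if ($limit -and $bytes -gt $limit) { $violations += "$name header: $bytes bytes > $limit (depth $($e.Depth))" }
        }
    }
    return ,$violations
}

# Constructed sample: two nesting levels, five entities, and a 2100-character Subject.
$SampleMessage = @"
From: sender@example.com
Subject: $('x' * 2100)
Message-ID: <sample-0001@example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain

hello
--inner
Content-Type: text/html

<p>hello</p>
--inner--
--outer
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.txt"

ZGF0YQ==
--outer--
"@

Test-MimeLimits -RawMessage $SampleMessage
```

Run against the constructed message, the check reports only the oversized Subject header; the nesting depth and part count stay well under the table's values. Feed it the raw text of a real message (for example one saved from a pickup directory) to see which limit an NDR was triggered by.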
Services Exchange 2003 Setup does not make any changes to existing service configuration. It is highly recommended that you either apply the Exchange Security Group Policy Templates or configure the services in accordance with the server's role.
Outlook Mobile Access The setting to enable Outlook Mobile Access functionality is set when you run Exchange 2003 ForestPrep. By default, Exchange 2003 ForestPrep does not enable Outlook Mobile Access. However, during an upgrade, if Outlook Mobile Access is already enabled, Exchange 2003 ForestPrep does not disable it.
M: Drive During an upgrade from Exchange 2000, Exchange 2003 Setup removes the M: drive.
Virtual Server Authentication During an upgrade from Exchange 2000, Exchange 2003 Setup hardens some virtual server instances of POP3, IMAP4, and NNTP.
POP3 and IMAP4 Virtual Servers
When upgrading an Exchange 2000 computer that is configured as a front-end server, Exchange 2003 Setup disables anonymous access and enables Basic authentication on POP3 and IMAP4 virtual servers. If you are upgrading a back-end server, the virtual server instances are not altered.
NNTP Virtual Servers During an upgrade, Exchange 2003 Setup modifies the default instances of NNTP virtual servers. Specifically, anonymous authentication is disabled and Basic authentication and Integrated Windows authentication are enabled. Non-default virtual servers (virtual server instances that Setup does not create) are not altered during upgrade. If you created new NNTP virtual server instances, be sure that appropriate authentication is required.
Local Access Denied for Domain Users In Exchange 2003, Domain Users cannot log on locally to the Exchange server. During an upgrade, Exchange 2003 Setup configures the local computer policy to deny local access for Domain Users.
Top Level Public Folder Creation In Exchange 2003, members of the Everyone group and Anonymous users cannot create a top-level public folder hierarchy. During an upgrade, Exchange 2003 ForestPrep configures this access control setting.
Access Control Configuration
For both upgrades and new installations, Exchange 2003 Setup applies access control lists (ACLs) to directories that it creates according to the explicit ACLs that are set in the Program Files directory. If you or another administrator modified the default ACLs in the Program Files directory, Exchange 2003 Setup applies that modification to most of the directories created during Setup. Aside from the explicit changes, the directories are otherwise locked down. However, regardless of the explicit ACLs you may have in the Program Files directory, Exchange Setup configures the Mailroot directory (located in \Program Files\Exchsrvr) such that Guest account access and anonymous access are removed.
It is highly recommended that you configure access control on the Exchange directories. For information about how to configure access control on your Exchange directories, see "Hardening Back-End Servers" earlier in this guide.
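A way to confirm the Mailroot state described above after an upgrade, as an added example (not a script from the guide or from Microsoft): it lists any Allow ACE on the Mailroot directory held by ANONYMOUS LOGON, the built-in Guests group or the local Guest account. The path is the default location the guide names under \Program Files\Exchsrvr; adjust it for a non-default install. The well-known SIDs used for matching are standard Windows values; the function name is the example's own.

```powershell
# Added example (not from the guide): report Guest/anonymous Allow ACEs on Mailroot.
$MailrootPath = Join-Path ${env:ProgramFiles} 'Exchsrvr\Mailroot'   # default location from the guide

function Get-UnwantedMailrootAces {
    param([string]$Path = $MailrootPath)
    # Well-known SIDs: S-1-5-7 = ANONYMOUS LOGON, S-1-5-32-546 = built-in Guests.
    # The local Guest account is RID 501 under the machine/domain SID, so it is matched by suffix.
    $unwantedSids = @('S-1-5-7', 'S-1-5-32-546')
    $acl = Get-Acl -Path $Path
    $unwanted = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny entries do not grant access
        $identity = $ace.IdentityReference
        $sid = $null
        try { $sid = $identity.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
        $isGuestAccount = ($null -ne $sid -and $sid -like 'S-1-5-21-*-501') -or ($identity.Value -like '*\Guest')
        if (($unwantedSids -contains $sid) -or $isGuestAccount) { $unwanted += $ace }
    }
    return ,$unwanted
}

$findings = Get-UnwantedMailrootAces
if ($findings.Count -eq 0) {
    "No Guest or anonymous Allow entries on $MailrootPath"
} else {
    $findings | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

An inherited entry in the output means the grant comes from a parent directory's ACL rather than from Mailroot itself, which points at where the fix belongs.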
Appendix C: Ports Used in Exchange 2003
Table C.1 lists Exchange 2003 services and their corresponding ports. For more information about how to configure Exchange front-end servers, including the ports that are associated with various scenarios, see the technical article, Using Microsoft Exchange 2000 Front-End Servers (http://go.microsoft.com/fwlink/?linkid=14575). Although that article relates to Exchange 2000, the information applies to Exchange 2003 as well.

Table C.1 Ports used in Exchange 2003
Each entry lists the service (with its dependencies in parentheses), the ports it accepts inbound, the ports it initiates outbound connections to, and notes.

Microsoft Exchange System Attendant
  Ports inbound: 135 & other RPC; other ports required for RPC over HTTP
  Notes: All core Exchange services require the Microsoft Exchange System Attendant. For more information about RPC over HTTP port configuration, see the guide Exchange Server 2003 RPC over HTTP Deployment Scenarios (http://go.microsoft.com/fwlink/?LinkId=24823).

Microsoft Exchange Information Store (Microsoft Exchange System Attendant)
  Ports inbound: 135 & other RPC; other ports required for RPC over HTTP
  Ports outbound (initiate connections to): User Datagram Protocol (UDP) packets to random ports for new mail notification
  Notes: Runs the Exchange databases. For more information about RPC over HTTP port configuration, see the guide Exchange Server 2003 RPC over HTTP Deployment Scenarios (http://go.microsoft.com/fwlink/?LinkId=24823).

Microsoft Exchange MTA Stacks (Microsoft Exchange System Attendant)
  Ports inbound: 135 & other RPC; 102 for X.400 over TCP
  Ports outbound (initiate connections to): 135 & other RPC; 102 for X.400 over TCP
  Notes: Microsoft Exchange MTA Stacks are required for legacy connections to Exchange 5.5 servers. Port 102 is opened only for active X.400 connections.

Simple Mail Transfer Protocol (SMTP) (IIS Admin Service)
  Ports inbound: 25
  Ports outbound (initiate connections to): 25
  Notes: The Exchange store requires SMTP.

Microsoft Exchange Routing Engine (IIS Admin Service)
  Ports inbound: 691
  Ports outbound (initiate connections to): 691
  Notes: Routing Engine service.

World Wide Web Publishing Service (IIS Admin Service)
  Ports inbound: 80 & 443
  Ports outbound (initiate connections to): 80 on the front-end server
  Notes: Required for Outlook Web Access and public folder administration.

Microsoft Exchange POP3 (IIS Admin Service)
  Ports inbound: 110 & 995 (SSL)
  Ports outbound (initiate connections to): 110 on the front-end server
  Notes: Required for POP3 access.

Microsoft Exchange IMAP4 (IIS Admin Service)
  Ports inbound: 143 & 993 (SSL)
  Ports outbound (initiate connections to): 143 on the front-end server
  Notes: Required for IMAP4 access.

Network News Transfer Protocol (NNTP) (IIS Admin Service)
  Ports inbound: 119 & 563 (SSL)
  Ports outbound (initiate connections to): N/A

Microsoft Exchange Site Replication Service
  Ports inbound: 379, 135 & other RPC
  Ports outbound (initiate connections to): 135 & other RPC
  Notes: Depends on whether Exchange 5.5 servers are in the organization.

Active Directory Connector
  Ports inbound: N/A
  Ports outbound (initiate connections to): 379, 389; can be configured
  Notes: Depends on whether Exchange 5.5 servers are in the organization.

Microsoft Exchange Event (Microsoft Exchange Information Store)
  Notes: Not automatic by default.

Exchange Management (Windows Management Instrumentation)
  Notes: This is not a required service; however, Microsoft Operations Manager and other programs do not function without this service.
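Table C.1 is most useful as an allowlist: anything a server listens on that the table does not account for is something to explain or close. The following added example (not a script from the guide or from Microsoft) parses netstat output and labels each listening TCP port as expected (present in Table C.1), review (a high port that may be one of the dynamic "other RPC" endpoints the table refers to), or unexpected. The netstat lines are constructed sample output; the port-to-service labels are this example's reading of the table, and the function names are its own.

```powershell
# Added example (not from the guide): compare listening TCP ports with Table C.1.
# Keys are the fixed inbound ports the table lists; values are the owning services.
$TableC1InboundPorts = @{
    25  = 'SMTP'
    80  = 'World Wide Web Publishing Service (Outlook Web Access)'
    102 = 'MTA Stacks, X.400 over TCP (active X.400 connections only)'
    110 = 'POP3'
    119 = 'NNTP'
    135 = 'RPC endpoint mapper (System Attendant, Information Store, MTA Stacks, Site Replication Service)'
    143 = 'IMAP4'
    379 = 'Site Replication Service (only with Exchange 5.5 servers present)'
    443 = 'World Wide Web Publishing Service (SSL)'
    563 = 'NNTP (SSL)'
    691 = 'Routing Engine'
    993 = 'IMAP4 (SSL)'
    995 = 'POP3 (SSL)'
}

function Get-ListeningTcpPorts {
    param([string[]]$NetstatOutput)
    # Extract the local port from every "TCP <addr>:<port> ... LISTENING" line (IPv4 or IPv6).
    $ports = foreach ($line in $NetstatOutput) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') { [int]$Matches[1] }
    }
    return ,@($ports | Sort-Object -Unique)
}

function Compare-ListeningPorts {
    param([string[]]$NetstatOutput, [hashtable]$Allowed = $TableC1InboundPorts)
    # Assumption of this example: ports >= 1024 are treated as candidates for the
    # dynamic RPC endpoints Table C.1 calls "other RPC" and flagged for review rather
    # than rejected; anything else not in the table is reported as unexpected.
    $results = foreach ($port in (Get-ListeningTcpPorts $NetstatOutput)) {
        if ($Allowed.ContainsKey($port)) { $status = 'expected';   $service = $Allowed[$port] }
        elseif ($port -ge 1024)          { $status = 'review';     $service = 'high port: possibly a dynamic RPC endpoint; confirm which service owns it' }
        else                             { $status = 'unexpected'; $service = 'not listed in Table C.1' }
        [pscustomobject]@{ Port = $port; Status = $status; Service = $service }
    }
    return ,@($results)
}

# Constructed sample netstat -an output (not captured from a real server).
$SampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:691            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:25            192.0.2.7:4432         ESTABLISHED
  UDP    0.0.0.0:123            *:*
'@ -split "`r?`n"

Compare-ListeningPorts -NetstatOutput $SampleNetstat | Format-Table -AutoSize
# Against a live server: Compare-ListeningPorts -NetstatOutput (netstat -an)
```

Established connections and UDP are ignored on purpose: the table's inbound column is about listeners. On a front-end server, compare the result against the role you expect and close or firewall the protocol ports that role does not serve.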
Appendix D: Resources
For information about Microsoft Exchange Server, see the Microsoft Exchange Server website (http://go.microsoft.com/fwlink/?linkid=81). Additionally, the following resources provide valuable information regarding security concepts and processes.
Note  To download a self-extracting executable of all Exchange Product Team technical articles and online books, see http://go.microsoft.com/fwlink/?LinkId=10687

Exchange Server 2003 Books
• What's New in Exchange Server 2003 (http://go.microsoft.com/fwlink/?linkid=21765)
• Exchange Server 2003 Administration Guide (http://go.microsoft.com/fwlink/?linkid=21769)

Technical Articles
• Windows Server 2003 Security Guide (http://go.microsoft.com/fwlink/?LinkId=21638)
• Using Microsoft Exchange 2000 Front-end Servers (http://go.microsoft.com/fwlink/?linkid=4721)
• Microsoft Operations Framework (MOF) Service Management Function Library Overview (http://go.microsoft.com/fwlink/?LinkId=21639)
• Using ISA Server 2000 with Exchange Server 2003 (http://go.microsoft.com/fwlink/?linkid=23232)
• Security Operations Guide for Exchange 2000 Server (http://go.microsoft.com/fwlink/?linkid=11906)
• Customizing Outlook 2003 to Help Prevent Viruses (http://go.microsoft.com/fwlink/?LinkId=24545)
• Exchange Server 2003 RPC over HTTP Deployment Scenarios (http://go.microsoft.com/fwlink/?LinkId=24823)

Websites
• Microsoft Operations Framework (http://go.microsoft.com/fwlink/?LinkId=21640)
• Microsoft Strategic Technology Protection Program (http://go.microsoft.com/fwlink/?LinkId=21643)
• Microsoft Security and Privacy (http://go.microsoft.com/fwlink/?LinkId=21633)
• Microsoft Security and Privacy Basics (http://go.microsoft.com/fwlink/?LinkId=24701)
• Security Resources for Exchange Server 2003 (http://go.microsoft.com/fwlink/?LinkId=21660)
• Microsoft Baseline Security Analyzer (http://go.microsoft.com/fwlink/?linkid=17809)
• Spam Filter on MSDN (http://go.microsoft.com/fwlink/?LinkId=24395)
• Exchange Intelligent Message Filter (http://go.microsoft.com/fwlink/?linkid=21607)
• URLScan Security Tool (http://go.microsoft.com/fwlink/?LinkId=24490)
• Microsoft Office Online (http://go.microsoft.com/fwlink/?LinkId=24348)
• For a detailed discussion about native Web Storage System Events, see the Microsoft Exchange Software Development Kit (SDK) (http://go.microsoft.com/fwlink/?LinkId=21641)
• Exchange Server Technical Documentation Library (http://go.microsoft.com/fwlink/?linkid=21277)

Resource Kits
• Microsoft Exchange 2000 Server Resource Kit (http://go.microsoft.com/fwlink/?LinkId=6543). You can order a copy of Microsoft Exchange 2000 Server Resource Kit from Microsoft Press® at http://go.microsoft.com/fwlink/?LinkId=6544.
• Windows 2000 Resource Kit (http://go.microsoft.com/fwlink/?LinkId=6545). You can order a copy of Microsoft Windows 2000 Server Resource Kit from Microsoft Press at http://go.microsoft.com/fwlink/?LinkId=6546.
• Microsoft Office 2003 Editions Resource Kit (http://go.microsoft.com/fwlink/?LinkId=24546). You can order a copy of Microsoft Office 2003 Editions Resource Kit from Microsoft Press at http://go.microsoft.com/fwlink/?linkid=21757.

Microsoft Knowledge Base Articles
The following Microsoft Knowledge Base articles are available on the Web at http://go.microsoft.com/fwlink/?linkid=14898:
• 319356, "HOW TO: Prevent Unsolicited Commercial E-Mail in Exchange 2000 Server" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=319356)
• 309622, "XADM: Clients Cannot Browse the Global Address List After You Apply the Q299687 Windows 2000 Security Hotfix" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=309622)
• 313807, "XADM: Enhancing the Security of Exchange 2003 for the Exchange Domain Servers Group" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=313807)
• 309677, "XADM: Known Issues and Fine Tuning When You Use the IIS Lockdown Wizard in an Exchange 2000 Environment" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=309677)
• 316685, "Active Directory-Integrated Domain Name Is Not Displayed in DNS Snap-in with Event ID 4000 and 4013 Messages" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=316685). This article provides details about enabling success auditing for logon events in the security log.
• 259373, "XADM: W3SVC Logs Event ID 101 in the System Event Log" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=259373)

Accessibility
For information about accessibility for people with disabilities, see the Microsoft Accessibility website (http://go.microsoft.com/fwlink/?LinkId=21487).

Does this book help you? Give us your feedback. On a scale of 1 (poor) to 5 (excellent), how do you rate this book? Mail feedback to [email protected].
For the latest information about Exchange, see the following websites:
• Exchange Product Team technical articles and books: http://go.microsoft.com/fwlink/?linkid=21277
• Exchange Tools and Updates: http://go.microsoft.com/fwlink/?linkid=21316
• Self-extracting executable containing all Exchange Product Team technical articles and books: http://go.microsoft.com/fwlink/?LinkId=10687
• Exchange Server Community: http://go.microsoft.com/fwlink/?linkid=14927