Exchange Server 2003 Security Hardening Guide
Last Reviewed: February 2005
Product Version: Exchange Server 2003
Reviewed By: Exchange Product Development
Latest Content: www.microsoft.com/exchange/library
Authors: Michael Grimm, Michael Nelte
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE
INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may
be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document.
Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred.
Microsoft, Active Directory, ActiveSync, Microsoft Press, MSDN, Outlook, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Acknowledgments
Appendixes ..... 32
Appendix A: Using Permissions and Administrative Roles to Control Access ..... 33
Appendix B: Upgrading from Exchange 2000 ..... 35
    Message Limits ..... 35
    Services ..... 35
    Outlook Mobile Access ..... 36
    M: Drive ..... 36
    Virtual Server Authentication ..... 36
    Local Access Denied for Domain Users ..... 36
    Top Level Public Folder Creation ..... 36
    Access Control Configuration ..... 36
Appendix C: Ports Used in Exchange 2003 ..... 38
Appendix D: Resources ..... 40
    Exchange Server 2003 Books ..... 40
    Technical Articles ..... 40
    Websites ..... 40
    Resource Kits ..... 41
    Microsoft Knowledge Base Articles ..... 41
    Accessibility ..... 42
Introduction
This guide is designed to provide you with essential information about how to harden your Microsoft®
Exchange Server 2003 environment. In addition to practical, hands-on configuration recommendations, this
guide includes strategies for combating spam, viruses, and other external threats to your Exchange 2003
messaging system. While most server administrators can benefit from reading this guide, it is designed to
produce maximum benefits for administrators responsible for Exchange messaging, both at the mailbox and
architect levels.
This guide is a companion to the Windows Server 2003 Security Guide
(http://go.microsoft.com/fwlink/?LinkId=21638). Specifically, many of the procedures in this guide
are related directly to security recommendations introduced in the Windows Server 2003 Security Guide.
Therefore, before you perform the procedures presented in this guide, it is recommended that you first read the
Windows Server 2003 Security Guide.
• Protecting against spam, including new features in Microsoft Office Outlook® 2003 and Exchange 2003
that can help in this area
• Protecting against denial-of-service attacks
• Protecting against address spoofing
Anti-Virus Measures
Viruses transmitted through e-mail messages are one of the more significant threats to your organization. E-
mail viruses can attack individual computer systems or your entire e-mail environment. Therefore, you must
ensure that you have adequate protection against viruses in your Exchange 2003 environment.
The most effective mechanisms for combating viruses are installing anti-virus software and keeping the anti-
virus signature files up-to-date. With this in mind, you should consider protecting against viruses at the
firewall, at the Simple Mail Transfer Protocol (SMTP) gateway, at each Exchange server, and on every client
computer. The reason for installing anti-virus software at each destination in the message delivery chain is to
provide as much defensive coverage on each message as possible. For example, the virus-scanning engine at
the SMTP gateway uses a different Multipurpose Internet Mail Extensions (MIME) parser than the one that is
installed on the Exchange server, which, in turn, is different from the parser used by Outlook or Outlook
Express. From a MIME parsing perspective, this means that having a virus scanner (one that uses the native
MIME parser) at each destination increases the likelihood of exposing viruses. In addition, you should consider
running virus-scanning software from different vendors across your enterprise.
One common method virus writers use to transport viruses is to include the virus in an attachment. In the most
obvious cases, a virus can be delivered by attaching an executable program (.exe) to an e-mail message. In
some cases, viruses can be delivered by embedding them in a macro, which appears to users as a much more
benign document (such as a Word or Excel file). To protect against such viruses, Outlook and Outlook Web
Access provide the following attachment-blocking features:
Attachment blocking features in Outlook
Outlook 2002 and later versions include an attachment-blocking feature; this feature (enabled by default)
blocks the most obvious file types, such as .exe, .bat, and .vbs files. Previous versions of Outlook require the
Outlook E-mail Security Update, available on the Microsoft Office Online website
(http://go.microsoft.com/fwlink/?LinkId=24348). For information about how to configure Outlook
attachment blocking features by means of a group policy, see The Office 2003 Resource Kit
(http://go.microsoft.com/fwlink/?LinkId=24349).
Attachment blocking features in Outlook Web Access
In Exchange 2000 Service Pack 2 (SP2), Outlook Web Access introduced the ability to block attachments by
file type and MIME type. In Outlook Web Access for Exchange 2000 and Microsoft Office® Outlook Web
Access 2003, attachment blocking is enabled by default. With this default configuration, users can send any
attachment type but will not receive dangerous file types, such as .exe, .bat, and .vbs files.
Note In their default configurations, both Outlook 2003 and Outlook Web Access 2003 block the
same attachment types.
In Outlook Web Access, there are two levels of attachment blocking that you can configure. These levels
correspond to the different risk levels posed by file types and MIME types. Outlook Web Access does not
allow Level 1 files or MIME types (specified by the attributes, Level1FileTypes and Level1MIMETypes
respectively) to be downloaded in any format. Level 2 file and MIME types are less severe; users are not
allowed to open them in Internet Explorer, but they can right-click the file, save it to disk, and then open it.
If you want to view or change blocked file types or MIME types in Outlook Web Access, perform the
following procedure.
Warning Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry incorrectly may not
be able to be resolved. Before editing the registry, back up any valuable data.
To view or change blocked file types or MIME types in Outlook Web Access
1. Start Registry Editor (regedit).
2. Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA
3. The Level1FileTypes value lists the blocked attachment file types; the Level1MIMETypes value lists the
blocked MIME types.
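The following Python script is an added example (it is not part of this guide or of Exchange) that applies the Level 1 and Level 2 rules described above to an attachment's file name and MIME type. The Level1FileTypes and Level1MIMETypes value names come from the procedure above; the Level2FileTypes and Level2MIMETypes names, the comma-separated value format, and the lists themselves are assumptions constructed for the example.

```python
"""Added example: classify an Outlook Web Access attachment against
Level 1 / Level 2 block lists.

Level1FileTypes and Level1MIMETypes are the value names given in the guide;
the Level2* names and the comma-separated value format are assumptions made
here, and the sample lists are constructed (shortened) for the example.
"""
from dataclasses import dataclass
from enum import Enum


class Disposition(Enum):
    BLOCKED = "level1"     # cannot be downloaded in any form
    SAVE_ONLY = "level2"   # cannot be opened in the browser, may be saved to disk
    ALLOWED = "allowed"


def parse_reg_list(value: str) -> frozenset[str]:
    """Normalise a comma-separated registry list: lower case, no surrounding
    spaces, no leading dot, so 'exe', ' .EXE' and 'Exe' all compare equal."""
    return frozenset(
        item.strip().lower().lstrip(".") for item in value.split(",") if item.strip()
    )


@dataclass(frozen=True)
class AttachmentPolicy:
    level1_file_types: frozenset[str]
    level1_mime_types: frozenset[str]
    level2_file_types: frozenset[str]
    level2_mime_types: frozenset[str]

    def classify(self, filename: str, content_type: str) -> Disposition:
        # Only the final extension counts, so "report.pdf.exe" is an .exe.
        _, dot, ext = filename.rpartition(".")
        ext = ext.lower() if dot else ""
        # Strip MIME parameters such as "; charset=utf-8" before matching.
        mime = content_type.split(";", 1)[0].strip().lower()
        # Level 1 wins over Level 2, and either the extension or the declared
        # MIME type is enough to trigger a level.
        if ext in self.level1_file_types or mime in self.level1_mime_types:
            return Disposition.BLOCKED
        if ext in self.level2_file_types or mime in self.level2_mime_types:
            return Disposition.SAVE_ONLY
        return Disposition.ALLOWED


# Constructed sample values; a real server carries much longer lists.
SAMPLE_POLICY = AttachmentPolicy(
    level1_file_types=parse_reg_list("exe, bat, vbs, js, scr, pif"),
    level1_mime_types=parse_reg_list(
        "application/x-msdownload, text/javascript, application/hta"),
    level2_file_types=parse_reg_list("zip, htm, html"),   # assumed Level2FileTypes
    level2_mime_types=parse_reg_list("application/zip"),  # assumed Level2MIMETypes
)


def classify_sample(filename: str, content_type: str) -> str:
    """Classify against the constructed sample policy; returns the level name."""
    return SAMPLE_POLICY.classify(filename, content_type).value


if __name__ == "__main__":
    for name, ctype in [("report.pdf.exe", "application/octet-stream"),
                        ("notes.txt", "text/javascript; charset=utf-8"),
                        ("Archive.ZIP", "application/octet-stream"),
                        ("README", "text/plain")]:
        print(f"{name:16} {ctype:36} -> {classify_sample(name, ctype)}")
```

The two independent checks matter: a double extension is caught by looking only at the final extension, and a renamed executable whose declared MIME type is still application/x-msdownload is caught by the MIME list even though its extension looks harmless.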
• Introduce you to spam-protection features in Outlook 2003 and Outlook Web Access 2003.
• Explain the spam confidence level (SCL) infrastructure.
• Show you how to restrict Exchange 2003 distribution lists.
• Explain the different types of filtering you can apply in Exchange 2003.
Updates to the junk e-mail features in Outlook 2003 will be listed on the Microsoft Office Online website,
under Office Update (http://go.microsoft.com/fwlink/?LinkId=24393).
• Connection filtering Filters inbound messages by comparing their IP address against a block list
provided by a real-time block list service. You can also enter your own set of accept/restrict IP addresses at
a global level.
• Sender filtering By default, SMTP connections that are created by senders on this list are dropped.
• Recipient filtering Allows you to set global restrictions on mail to specific recipients.
For more information about how filters are applied, see the book What's New in Exchange Server 2003
(http://go.microsoft.com/fwlink/?LinkId=24402).
mailbox and other Exchange servers. Alternatively, to prevent your Exchange 2000 servers from resolving
anonymous mail, you can perform the following procedure.
5. To determine the value that you want to use, add the values for all of the elements that you want to be
resolved. For example, to resolve all of the fields except the sender, type 48 (16+32=48). To resolve only
the recipients, type only 16. By default, Exchange 2000 resolves everything (you can specify this behavior
either by removing the key or by setting the value with this formula: 2+16+32=50).
6. Quit Registry Editor.
7. Restart the SMTP virtual server.
Be cautious when you select the servers on which you want to enable this setting. If you change the behavior
on the default SMTP virtual server, and there are multiple servers in your organization, all internal mail that
originates on other Exchange 2000 servers is also affected. Therefore, because Exchange 2000 uses SMTP to
route internal mail between servers, you may want to create a new SMTP virtual server, or perhaps apply this
setting only on an incoming SMTP bridgehead server.
Cross-forest authentication settings
If your organization contains multiple forests, you can configure trusts between forests such that SMTP
bridgehead servers require authentication.
Note Workflow applications may submit mail anonymously; therefore, before you configure
authentication in your organization, be sure to evaluate your workflow application needs.
For information about how to configure cross-forest authentication, see "Transport and Message Flow
Features" in the book What's New in Exchange Server 2003
(http://go.microsoft.com/fwlink/?LinkId=24402).
Anonymous access settings
Although Exchange 2003 provides the ability for client-side users to recognize spoofed mail, you should turn
off anonymous SMTP access on all internal Exchange servers. Turning off anonymous access helps assure that
only authenticated users can submit messages within your organization. In addition, requiring authentication
forces client programs such as Outlook Express and Outlook using RPC over HTTP to authenticate before
sending mail.
Reverse Domain Name System lookups
If you receive messages directly from other domains on the Internet, you can configure your SMTP virtual
server to perform a reverse Domain Name System (DNS) lookup on incoming e-mail messages. This verifies
that the Internet Protocol (IP) address and fully qualified domain name (FQDN) of the sender's mail server
corresponds to the domain name listed in the message. However, consider the following limitations to reverse
DNS lookups:
• The sender's IP address may not be in the reverse DNS lookup record, or the sending server may have
multiple names for the same IP, not all of which may be available from the reverse DNS lookup record.
• Reverse DNS lookups place an additional load on the Exchange server.
• Reverse DNS lookups require that the Exchange server is able to contact the reverse lookup zones for the
sending domain.
• Performing reverse DNS lookups on each message can result in a substantial decrease in performance due
to increased latency.
Note For more information about using reverse DNS lookup, see Microsoft Knowledge Base
article 319356, "HOW TO: Prevent Unsolicited Commercial E-Mail in Exchange 2000 Server"
(http://go.microsoft.com/fwlink/?linkid=3052&kbid=319356).
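As an added example (not part of this guide or of the Exchange SMTP service), the following Python implements the reverse DNS check described above as a forward-confirmed lookup and maps the first two limitations listed above to distinct outcomes: a missing PTR record is reported as "unknown" rather than as a failure, and a host with several names passes as long as one forward-confirmed name matches. The DNS records and IP addresses are constructed, and the resolver functions are injected so the check runs offline; socket-based helpers are included for live use.

```python
"""Added example: forward-confirmed reverse DNS check for a connecting mail
server, written to illustrate the guide's discussion of reverse lookups.

Resolver functions are injected so the check runs offline against the
constructed records below; system_ptr / system_a use the OS resolver instead.
"""
import socket
from typing import Callable, Sequence

PtrLookup = Callable[[str], Sequence[str]]  # ip address -> PTR host names
ALookup = Callable[[str], Sequence[str]]    # host name  -> A record addresses


def base_domain(name: str) -> str:
    """Crude registrable-domain heuristic: the last two labels. Adequate for
    example.com, wrong for ccSLDs such as example.co.uk (known limitation)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def reverse_lookup_check(ip: str, claimed_domain: str,
                         ptr_lookup: PtrLookup, a_lookup: ALookup) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'pass', 'fail' or 'unknown'.

    'unknown' covers the first limitation in the guide: many legitimate
    addresses simply have no PTR record, which is not evidence of spoofing.
    """
    ptr_names = [n.lower().rstrip(".") for n in ptr_lookup(ip)]
    if not ptr_names:
        return "unknown", f"no PTR record for {ip}"

    # Forward-confirm: a PTR name only counts if it resolves back to this IP,
    # otherwise whoever controls the reverse zone can claim any name.
    confirmed = [n for n in ptr_names if ip in a_lookup(n)]
    if not confirmed:
        return "fail", f"PTR name(s) {ptr_names} do not resolve back to {ip}"

    wanted = base_domain(claimed_domain)
    if any(base_domain(n) == wanted for n in confirmed):
        return "pass", f"{ip} -> {confirmed} matches {claimed_domain}"
    # Second limitation: a host may have names that are not published in
    # reverse DNS, so a mismatch is a strong signal rather than proof.
    return "fail", f"{ip} -> {confirmed} does not match claimed {claimed_domain}"


# Constructed sample records (TEST-NET addresses, documentation domains).
SAMPLE_PTR = {
    "203.0.113.10": ["mail.example.com"],
    "203.0.113.20": ["mx2.example.net", "smtp.example.net"],  # two names, one confirmed
    "203.0.113.30": [],                                        # no reverse record at all
    "198.51.100.5": ["mail.example.com"],                      # PTR claims a name it does not own
}
SAMPLE_A = {
    "mail.example.com": ["203.0.113.10"],
    "mx2.example.net": ["203.0.113.20"],
    "smtp.example.net": ["203.0.113.99"],
}


def check_sample(ip: str, claimed_domain: str) -> str:
    """Run the check against the constructed records; returns only the verdict."""
    verdict, _reason = reverse_lookup_check(
        ip, claimed_domain,
        lambda addr: SAMPLE_PTR.get(addr, []),
        lambda name: SAMPLE_A.get(name, []))
    return verdict


def system_ptr(ip: str) -> Sequence[str]:
    """Live PTR lookup through the OS resolver (not used by the offline sample)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host, *aliases]
    except OSError:
        return []


def system_a(name: str) -> Sequence[str]:
    """Live forward lookup through the OS resolver (not used by the offline sample)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


if __name__ == "__main__":
    for ip, domain in [("203.0.113.10", "example.com"), ("203.0.113.20", "example.net"),
                       ("203.0.113.30", "example.com"), ("198.51.100.5", "example.com")]:
        print(ip, domain, reverse_lookup_check(
            ip, domain, lambda a: SAMPLE_PTR.get(a, []), lambda n: SAMPLE_A.get(n, [])))
```

Each check costs at least one PTR query and one A query per connecting host, which is the latency and load the guide warns about; in practice the result is better used as one input to a scoring or filtering decision than as a hard reject.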
Important Because the "Deploying Exchange Group Policy Security Templates" section is
written with the assumption that you understand how to harden Exchange 2003 servers, it is
important that you read "Hardening Exchange 2003 Servers" first.
As with all software deployments, be sure to thoroughly test all recommended configurations in a test
environment before you deploy in a production environment.
Note Running custom applications or third-party Exchange or Outlook plug-ins may require
further configuration and testing.
Table 1 Differences between the Windows Server 2003 and Exchange 2003 Domain Controller Baseline Policies
9. After importing the policy, you must wait for replication to other domain controllers or use the Active
Directory Sites and Services MMC snap-in to force replications. Replication ensures that all domain
controllers are updated with the policy.
Note Although replication applies the policy, you must reboot the servers for the policies to
take effect.
10. In the Event Log, to verify that the policy was downloaded successfully, search for the following
Application Information event: SceCli 1704. Then, verify that the server can communicate with the other
domain controllers in the domain.
11. Restart each domain controller one at a time to ensure that each reboots successfully and that the policies
have taken effect.
Services
Table 2 lists the recommended baseline settings you should start with when hardening the services for an
Exchange back-end server (the Exchange_2003-Backend_V1_1.inf file configures these settings
automatically). All Internet-based mail retrieval protocols are disabled. The reason for this is to implement a
hardened start-up configuration that requires you to enable each service as it is required.
Note For the Exchange System Attendant to start, the following Windows services must be up
and running:
• Event Log
• NTLM Security Support Provider
• RPC
• Server
• Workstation
Note The settings defined on the nntpfile directory and subdirectories are not strictly required
unless NNTP is configured to run on the server. However, the setting is defined in the
Exchange_2003-Backend_V1_1.inf security template because it increases restrictions on the file
system and is ready to use in case you want to enable NNTP at a later time.
Additionally, if you install Exchange in a directory other than %programfiles%\exchsrvr then you must
modify the INF files and change the path accordingly.
Privilege Rights
After applying the Windows Server 2003 security policies, you only need to configure one privilege right to
enable Outlook Web Access. Both the Outlook Web Access and public folders administration UI require that
the Guests network logon be enabled. The Windows Server 2003 security policy sets the "Deny network
logon" value to deny ANONYMOUS LOGON and the Guests group. The most efficient way to configure the
"Deny network logon" is to apply a group policy that denies only ANONYMOUS LOGON.
If you deploy the Exchange 2003 Group Policy Security Templates, then the Exchange_2003-
Backend_V1_1.inf file sets this value correctly.
If you are not deploying the Exchange 2003 Group Policy Security Templates, then you can edit the existing
Windows Server 2003 security policy.
To enable the Guests group in the Windows Server 2003 Baseline Security Policy
1. In Active Directory Users and Computers, right-click the organizational unit that contains both the
Windows Server 2003 Baseline Security Policy and the Exchange servers, and then click Properties.
2. In <Organizational Unit> Properties, on the Group Policy tab, select the Windows Server 2003 Baseline
Security Policy, and then click Edit. The Group Policy Object Editor opens.
3. In Group Policy Object Editor, under Computer Configuration, expand Windows Settings, expand
Security Settings, expand Local Policies, and then click User Rights Assignment.
4. In the details pane, double-click the Deny access to this computer from the network policy.
5. In Deny access to this computer from the network Properties, select Guests, and then click Remove.
6. Click Apply, and then click OK.
Note If you prefer to create your own group policy, you must add the following value under the
[Privilege Rights] section:
SeDenyNetworkLogonRight = *S-1-5-7
S-1-5-7 is the well-known SID for ANONYMOUS LOGON, so this entry denies network logon only to
ANONYMOUS LOGON.
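To verify that a security template sets this right as intended before you import it, the following Python (an added example, not part of this guide or of the Exchange templates) parses the [Privilege Rights] section and reports whether SeDenyNetworkLogonRight denies ANONYMOUS LOGON (S-1-5-7) and whether it also denies Guests (S-1-5-32-546), which the text above says prevents Outlook Web Access and the public folder administration UI from working. The two template fragments are constructed for the example; only the section name, the key name and the *SID syntax follow the guide.

```python
"""Added example: audit SeDenyNetworkLogonRight in a security template (.inf).

The template text below is constructed. Only the [Privilege Rights] section
name, the SeDenyNetworkLogonRight key and the *SID value syntax come from
the guide; S-1-5-7 and S-1-5-32-546 are the well-known SIDs for ANONYMOUS
LOGON and the Guests group.
"""
ANONYMOUS_LOGON = "S-1-5-7"
GUESTS = "S-1-5-32-546"


def parse_inf(text: str) -> dict[str, dict[str, str]]:
    """Minimal INF/INI reader: [sections], 'key = value' lines, ';' comments.
    Lines without '=' (as found in [File Security]) are kept as keys with an
    empty value so they do not break parsing."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None:
            continue  # stray text before the first section
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def deny_network_logon_sids(inf_text: str) -> list[str]:
    """SIDs (or account names) listed for SeDenyNetworkLogonRight, with the
    leading '*' that marks a SID removed."""
    rights = parse_inf(inf_text).get("Privilege Rights", {})
    value = rights.get("SeDenyNetworkLogonRight", "")
    return [s.strip().lstrip("*") for s in value.split(",") if s.strip()]


def audit_deny_network_logon(inf_text: str) -> dict[str, bool]:
    """denies_anonymous should be True on every Exchange server; denies_guests
    should be False where Outlook Web Access is required."""
    sids = deny_network_logon_sids(inf_text)
    return {
        "denies_anonymous": ANONYMOUS_LOGON in sids,
        "denies_guests": GUESTS in sids,
    }


# Constructed: the shape of the Windows Server 2003 baseline setting described
# in the guide, which denies both ANONYMOUS LOGON and Guests.
BASELINE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-7,*S-1-5-32-546
SeDenyInteractiveLogonRight = *S-1-5-32-546
"""

# Constructed: the Exchange variant, which denies ANONYMOUS LOGON only.
EXCHANGE_INF = BASELINE_INF.replace(
    "SeDenyNetworkLogonRight = *S-1-5-7,*S-1-5-32-546",
    "SeDenyNetworkLogonRight = *S-1-5-7")


if __name__ == "__main__":
    for label, text in [("baseline", BASELINE_INF), ("exchange", EXCHANGE_INF)]:
        print(label, audit_deny_network_logon(text))
```

Run it against the template you actually intend to import (templates exported by the Security Configuration tools are often UTF-16; read them with the matching encoding before passing the text in) and stop if denies_anonymous is False or, on a server that hosts Outlook Web Access, if denies_guests is True.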
• It is recommended that you use Secure Sockets Layer (SSL) and cookie authentication for Outlook Web
Access. SSL helps maintain confidentiality by encrypting message traffic between the client and
Exchange 2003. Cookie authentication improves security by timing out inactive, non-domain connections
and forcing the user to re-authenticate after a period of inactivity. For more information about cookie
authentication, see the book Exchange Server 2003 Administration Guide
(http://go.microsoft.com/fwlink/?linkid=21769).
Services
Similar to hardening your back-end servers, it is important that you disable all non-essential front-end services.
Afterward, you can enable these services on an "as-needed" basis.
This section assumes that you have done one of the following:
• You already used Exchange System Manager to designate the server as an Exchange front-end server.
• You already configured the server as an SMTP gateway or bridgehead server.
Important Designating a computer as a front-end server reconfigures the protocol stacks to
enable front-end and back-end deployments. If you deployed the Exchange_2003-
Frontend_V1_1.inf security template before designating the server as a front-end server, you must
manually start the Microsoft System Attendant service (and its dependencies), use Exchange
System Manager to designate the server as a front-end server, and then restart the computer.
Table 5 lists the recommended baseline settings you should start with when hardening the services for an
Exchange front-end server (the Exchange_2003-Frontend_V1_1.inf file configures these settings
automatically).
URLScan
URLScan.exe screens all incoming HTTP requests to an IIS server and allows only those that comply with a
specific rule set to pass. This helps ensure that the server responds only to valid requests, thereby significantly
improving security. URLScan allows you to filter requests based on length, character set, content, and other
factors. For more information about URLScan, including download and installation instructions, see the
URLScan Security Tool website (http://go.microsoft.com/fwlink/?LinkId=24490).
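The following Python is an added illustration (it is neither URLScan nor part of this guide) of the rule classes the paragraph above describes: allowed verbs, length limits, high-bit characters, and denied URL sequences checked after the URL has been normalized. The rule names mirror option names found in urlscan.ini (AllowVerbs, DenyUrlSequences, MaxUrl, MaxQueryString, AllowHighBitCharacters, NormalizeUrlBeforeScan, VerifyNormalization); the limits, the behaviour and the sample request lines are constructed and simplified for the example.

```python
"""Added example: a request screen modelled on URLScan's rule classes.

This is illustrative Python, not URLScan. Field names mirror urlscan.ini
option names; the limits, the simplified behaviour and the sample request
lines are constructed for the example.
"""
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class ScreenRules:
    allow_verbs: frozenset[str] = frozenset({"GET", "HEAD", "POST"})
    # Sequences that are never allowed in the (normalized) path.
    deny_url_sequences: tuple[str, ...] = ("..", "./", "\\", ":", "%")
    max_url: int = 260
    max_query_string: int = 2048
    allow_high_bit_characters: bool = False
    normalize_before_scan: bool = True   # decode %xx once before scanning
    verify_normalization: bool = True    # reject if a second decode changes the URL


def screen_request(request_line: str, rules: ScreenRules) -> tuple[bool, str]:
    """Screen one HTTP request line such as 'GET /exchange/alice/Inbox HTTP/1.1'.
    Returns (allowed, reason)."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    verb, target, _version = parts

    if verb not in rules.allow_verbs:
        return False, f"verb {verb} not in AllowVerbs"

    path, _, query = target.partition("?")
    if len(path) > rules.max_url:
        return False, f"URL longer than MaxUrl={rules.max_url}"
    if len(query) > rules.max_query_string:
        return False, f"query string longer than MaxQueryString={rules.max_query_string}"
    if not rules.allow_high_bit_characters and any(ord(c) > 127 for c in target):
        return False, "high-bit character in URL"

    # Scan the decoded form, so that %2e%2e cannot hide a '..' from the filter.
    scanned = unquote(path) if rules.normalize_before_scan else path
    # If decoding again still changes the URL, it was double-encoded.
    if rules.verify_normalization and unquote(scanned) != scanned:
        return False, "URL changes when decoded a second time (double encoding)"
    for seq in rules.deny_url_sequences:
        if seq in scanned:
            return False, f"denied sequence {seq!r} in URL"
    return True, "ok"


DEFAULT_RULES = ScreenRules()


def request_allowed(request_line: str) -> bool:
    """Convenience wrapper returning only the allow/deny decision."""
    return screen_request(request_line, DEFAULT_RULES)[0]


if __name__ == "__main__":
    # Constructed sample request lines.
    for line in ["GET /exchange/alice/Inbox?Cmd=contents HTTP/1.1",
                 "TRACE /exchange/ HTTP/1.1",
                 "GET /exchange/%2e%2e/secret HTTP/1.1",
                 "GET /exchange/%252e%252e/x HTTP/1.1",
                 "GET /exchange/caf\u00e9 HTTP/1.1"]:
        print(screen_request(line, DEFAULT_RULES), "<-", line)
```

Two details carry the security value: scanning after normalization (otherwise an encoded '..' passes a literal-string check) and verifying that normalization is idempotent (otherwise a double-encoded sequence decodes into something dangerous one layer later, inside the application). When deploying the real tool in front of Outlook Web Access, take the rule set from the URLScan documentation linked above rather than from this illustration, because Outlook Web Access URLs use characters a generic rule set may deny.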
Because the Exchange 2003 servers reside in organizational units below the Member Servers organizational
unit, the servers inherit settings that are defined in the Windows Server 2003 Member Server Baseline Policy.
The Exchange policies modify these settings in two ways:
• Some services that are not required for basic Windows Server 2003 functionality are necessary in
Exchange 2003.
• Exchange 2003 introduces many additional services, not all of which are required to allow the Exchange
servers to function in their particular roles.
For front-end servers, any combination of HTTP, POP3, IMAP4, and SMTP policies can be applied on top of
the Exchange_2003-Frontend_V1_1.inf policy. In fact, because the Exchange_2003-Frontend_V1_1.inf
security policy turns off all Internet client protocols, you must apply all of those protocol security policies after
deploying Exchange_2003-Frontend_V1_1.inf. For back-end servers, any combination of POP3, IMAP4, and
NNTP can be applied on top of the Exchange_2003-Backend_V1_1.inf policy.
In some cases, the Exchange Administration Delegation Wizard does not provide enough granularity for
assigning security permissions. Therefore, for individual objects within Exchange, you can modify the settings
on the Security tab. However, by default, the Security tab is displayed only on the following objects:
• Address lists
• Global address lists
Message Limits
One of the most effective denial-of-service attacks occurs when a messaging system is inundated with large
messages (20+ MB). This type of attack forces the messaging server to move large blocks of data, which could
impact a computer's input/output (I/O) to the extent that mail service is delayed or interrupted.
As a response to this type of attack, Exchange 2003 sets all message limits to 10 MB (1024 KB). This includes
messages that are sent from and received by the Exchange organization. In addition, a 10 MB message size
limit is imposed for all messages posted to public folders.
During an upgrade, Exchange Setup does not change limits that have already been set. Exchange Setup only
imposes these settings if the limits are set to No limit.
To configure the settings for sending and receiving messages, in Exchange System Manager, use the Defaults
tab in Global Message Delivery properties.
To configure the maximum message size settings for public folders, in Exchange System Manager, use the
Limits tab in Public Folder Store properties.
Exchange 2003 also provides message limits for MIME. These limits are also imposed when upgrading to
Exchange 2003. Table B.1 describes these settings.
Note If a MIME limit is reached, a non-delivery report (NDR) is sent back to the sender.
Services
Exchange 2003 Setup does not make any changes to existing service configuration. It is highly recommended
that you either apply the Exchange Security Group Policy Templates or configure the services in accordance
with the server's role.
M: Drive
During an upgrade from Exchange 2000, Exchange 2003 Setup removes the M: drive.
It is highly recommended that you configure access control on the Exchange directories. For information about
how to configure access control on your Exchange directories, see "Hardening Back-End Servers" earlier in
this guide.
Appendix C: Ports Used in Exchange 2003
Table C.1 lists Exchange 2003 services and their corresponding ports. For more information about how to
configure Exchange front-end servers, including the ports that are associated with various scenarios,
see the technical article, Using Microsoft Exchange 2000 Front-End Servers
(http://go.microsoft.com/fwlink/?linkid=14575). Although that article relates to Exchange 2000, the
information applies to Exchange 2003 as well.
Service                                      | Ports                 | Port on front-end server    | Notes
Microsoft Exchange POP3 (IIS Admin Service)  | 110 & 995 (SSL)       | 110 on the front-end server | Required for POP3 access
Microsoft Exchange IMAP4 (IIS Admin Service) | 143 & 993 (SSL)       | 143 on the front-end server | Required for IMAP4 access
Microsoft Exchange Site Replication Service  | 379, 135 & other RPC  | 135 & other RPC             | Depends whether Exchange 5.5 servers are in the organization
Active Directory Connector                   | NA                    | 379, 389, can be configured | Depends whether Exchange 5.5 servers are in the organization
Technical Articles
Windows Server 2003 Security Guide
(http://go.microsoft.com/fwlink/?LinkId=21638)
Using Microsoft Exchange 2000 Front-end Servers
(http://go.microsoft.com/fwlink/?linkid=4721)
Microsoft Operations Framework (MOF) Service Management Function Library Overview
(http://go.microsoft.com/fwlink/?LinkId=21639)
Using ISA Server 2000 with Exchange Server 2003
(http://go.microsoft.com/fwlink/?linkid=23232)
Security Operations Guide for Exchange 2000 Server
(http://go.microsoft.com/fwlink/?linkid=11906)
Customizing Outlook 2003 to Help Prevent Viruses
(http://go.microsoft.com/fwlink/?LinkId=24545)
Exchange Server 2003 RPC over HTTP Deployment Scenarios
(http://go.microsoft.com/fwlink/?LinkId=24823)
Websites
Microsoft Operations Framework
(http://go.microsoft.com/fwlink/?LinkId=21640)
Microsoft Strategic Technology Protection Program
(http://go.microsoft.com/fwlink/?LinkId=21643)
Microsoft Security and Privacy
(http://go.microsoft.com/fwlink/?LinkId=21633)
Microsoft Security and Privacy Basics
(http://go.microsoft.com/fwlink/?LinkId=24701)
Security Resources for Exchange Server 2003
(http://go.microsoft.com/fwlink/?LinkId=21660)
Resource Kits
Microsoft Exchange 2000 Server Resource Kit
(http://go.microsoft.com/fwlink/?LinkId=6543)
You can order a copy of Microsoft Exchange 2000 Server Resource Kit from Microsoft Press® at
http://go.microsoft.com/fwlink/?LinkId=6544.
Windows 2000 Resource Kit
(http://go.microsoft.com/fwlink/?LinkId=6545)
You can order a copy of Microsoft Windows 2000 Server Resource Kit from Microsoft Press at
http://go.microsoft.com/fwlink/?LinkId=6546.
Microsoft Office 2003 Editions Resource Kit
(http://go.microsoft.com/fwlink/?LinkId=24546)
You can order a copy of Microsoft Office 2003 Editions Resource Kit from Microsoft Press at
http://go.microsoft.com/fwlink/?linkid=21757.
316685, "Active Directory-Integrated Domain Name Is Not Displayed in DNS Snap-in with Event ID 4000
and 4013 Messages". (This article provides details about enabling success auditing for logon events in the
security log.)
(http://go.microsoft.com/fwlink/?linkid=3052&kbid=316685)
259373, "XADM: W3SVC Logs Event ID 101 in the System Event Log"
(http://go.microsoft.com/fwlink/?linkid=3052&kbid=259373)
Accessibility
For information about accessibility for people with disabilities, see the Microsoft Accessibility website
(http://go.microsoft.com/fwlink/?LinkId=21487).
Does this book help you? Give us your feedback. On a scale of 1 (poor) to 5 (excellent), how do you rate
this book?
Mail feedback to exchdocs@microsoft.com.
For the latest information about Exchange, see the following websites:
• Exchange Product Team technical articles and books
http://go.microsoft.com/fwlink/?linkid=21277
• Exchange Tools and Updates
http://go.microsoft.com/fwlink/?linkid=21316
• Self-extracting executable containing all Exchange Product Team technical articles and books
http://go.microsoft.com/fwlink/?LinkId=10687
• Exchange Server Community
http://go.microsoft.com/fwlink/?linkid=14927