
Securing Microsoft Exchange Server 2000

Securing Exchange Service
  • Do (at least) Microsoft's baseline security checklist for Windows, which can be found here: Windows Security. This includes
    • disabling the guest account
    • using strong passwords
    • renaming the administrator account
    • setting account lockout
    • enabling logging of failed and successful logon attempts
    ... and so on. Apply all of this to the Exchange server and to your domain policy.

  • Installing Exchange on a domain controller / member server: logging in with a domain account on an Exchange server that is installed on a member server requires the domain name; this is not the case when Exchange is installed on a domain controller (authentication defaults to the domain rather than the local machine). That is why a lot of security checklists recommend not installing Exchange on a domain controller. This is only partially true. If your internal domain name is the same as your default SMTP domain, then even when the SMTP banner does not expose your domain name, a cracker can still find out your domain name with these telnet commands:
    HELO test
    MAIL FROM: givemeyourdomain
    The SMTP Service will reply with a message:
    250 2.1.0 givemeyourdomain@yoursmtpdomain.com....Sender OK
    My recommendation: do not install Exchange on a domain controller if your internal domain name differs from your Internet domain name (note that this is the default recommendation in any book about Windows 2000 or Active Directory). If you do install Exchange on a domain controller, use strong passwords and enable account lockout. Force your users to use passwords of at least 9 characters and enforce password complexity.

  • Do not use basic authentication in your SMTP service. If you do, the username and password are sent in plain text. To avoid this, go to the Access tab in the properties of your SMTP service and click Authentication. Deselect basic authentication or, if you really need basic authentication, select "Requires TLS encryption". This encrypts the username and password. Almost all mail clients can use TLS. Note: leave Anonymous Access enabled, otherwise you will not be able to receive mail from the Internet.

  • Check mail relaying. Click Relay in the Access tab of the properties of your SMTP service. Do not enable mail relaying except for authenticated computers (the default setting in Exchange 2000).

  • Set limits on the size of messages, SMTP sessions and connections in the Messages tab of the properties of the SMTP service. Do the same for outbound connections in the Delivery tab, under Outbound connections.

  • Check the Fully-Qualified Domain Name. Go to the Delivery tab in your SMTP service properties and click Advanced. Check the name of the server in the box below Fully-qualified Domain Name. Make sure it is the name of your mail server as it is known on the Internet (DNS MX/A record) and not the fully-qualified domain name of the server in your private network (this name is sent as part of the SMTP banner). To verify, run:
    telnet localhost 25
    (you can exit this with "quit")
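The two telnet checks above (the MAIL FROM reply that qualifies a bare sender with the default SMTP domain, and the FQDN in the 220 banner) can be scripted against your own server. The following is an added example, not part of the original checklist and not an AQTRONIX tool; the host names and reply strings used as samples are constructed, and the banner layout "220 <fqdn> Microsoft ESMTP MAIL Service ..." is an assumption about what Exchange 2000 announces.

```python
"""Check what an Exchange 2000 SMTP virtual server gives away about its host and domain.

Added example (not from the original page). assess() works offline on captured
reply strings; probe() runs the same HELO / MAIL FROM exchange live against a
server you administer. All sample values below are constructed.
"""
import re
import smtplib
from typing import Optional

# A bare sender such as "givemeyourdomain" comes back qualified with the default
# SMTP domain, e.g. "250 2.1.0 givemeyourdomain@yoursmtpdomain.com....Sender OK".
_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)")


def domain_from_sender_reply(reply: str) -> Optional[str]:
    """Return the domain the server appended to the sender, or None if the reply holds no address."""
    m = _ADDR_RE.search(reply)
    return m.group(1).lower() if m else None


def fqdn_from_banner(banner: str) -> Optional[str]:
    """Return the host name announced in a '220 <fqdn> ...' greeting (assumed banner layout)."""
    parts = banner.split()
    if len(parts) >= 2 and parts[0] == "220":
        return parts[1].lower()
    return None


def _within(name: Optional[str], domain: str) -> bool:
    """True if name is the domain itself or a host inside it."""
    if name is None:
        return False
    domain = domain.lower()
    return name == domain or name.endswith("." + domain)


def assess(banner: str, sender_reply: str, public_host: str, internal_domain: str) -> dict:
    """Compare what the server said with the public mail host and the private AD domain name."""
    fqdn = fqdn_from_banner(banner)
    appended = domain_from_sender_reply(sender_reply)
    return {
        "banner_fqdn": fqdn,
        "banner_matches_public": fqdn == public_host.lower(),
        "banner_leaks_internal": _within(fqdn, internal_domain),
        "mail_from_domain": appended,
        "mail_from_leaks_internal": _within(appended, internal_domain),
    }


def probe(host: str, public_host: str, internal_domain: str,
          port: int = 25, timeout: float = 10.0) -> dict:
    """Run the checks live against your own server (needs network access; not exercised offline)."""
    with smtplib.SMTP(timeout=timeout) as smtp:
        code, msg = smtp.connect(host, port)
        banner = f"{code} {msg.decode(errors='replace')}"
        smtp.helo("test")
        # smtplib sends this as "MAIL FROM:<givemeyourdomain>"; the server qualifies it the same way.
        code, msg = smtp.mail("givemeyourdomain")
        sender_reply = f"{code} {msg.decode(errors='replace')}"
    return assess(banner, sender_reply, public_host, internal_domain)


# Constructed sample replies: a server that still announces its private AD name.
SAMPLE_BANNER = ("220 exch01.corp.local Microsoft ESMTP MAIL Service, "
                 "Version: 5.0.2195.6713 ready at Thu, 13 Jun 2002 10:00:00 +0200")
SAMPLE_SENDER_OK = "250 2.1.0 givemeyourdomain@corp.local....Sender OK"

if __name__ == "__main__":
    result = assess(SAMPLE_BANNER, SAMPLE_SENDER_OK, "mail.example.com", "corp.local")
    for key, value in result.items():
        print(f"{key:25} {value}")
```

A server that is configured as the checklist asks should report banner_matches_public as True and both leak flags as False; if mail_from_leaks_internal stays True after you fix the banner, the default SMTP domain is still the private name and the banner fix alone did not help.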

  • Local/Domain Security policy: change the RestrictAnonymous setting to at least 1 (preferably 2) to prevent enumeration of the account list.

  • Enable Exchange extended logging. In System Manager go to the properties of your Exchange server, then to the Diagnostic Logging tab, select MSExchangeTransport, select SMTP Protocol and set logging to Maximum. Then go to IMAP4Svc and set Connections and Authentication to Maximum logging. Do the same for POP3Svc. To view the log entries, open Event Viewer and go to the Application Log.

  • SMTP Service logging. In System Manager, go to your server and click the SMTP protocol. For each virtual SMTP server, click Properties and enable logging (the default). In the logging properties, go to Extended Properties and select all of these items:
    • Time ( time )
    • Client IP Address ( c-ip )
    • User Name ( cs-username )
    • Method ( cs-method )
    • URI-Stem ( cs-uri-stem )
    • URI-Query ( cs-uri-query )
    • Protocol Status ( sc-status )
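With those fields selected, the virtual server writes a W3C extended log whose "#Fields:" line names the columns. The following parser and per-client summary is an added example, not part of the original page; the log excerpt it carries is constructed to illustrate the format (the exact cs-method and cs-uri-query values Exchange 2000 writes are an assumption), and the thresholds in noisy_clients() are arbitrary starting points.

```python
"""Parse the W3C extended SMTP log enabled above and summarise it per client IP.

Added example (not from the original page). Reads the "#Fields:" directive so
the column order configured in the logging properties is honoured, then counts
per client the rejected RCPT commands (relay or unknown-recipient refusals) and
failed AUTH attempts. SAMPLE_LOG is constructed.
"""
from typing import Dict, List

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-06-13 10:00:00
#Fields: time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
10:00:01 192.0.2.10 - HELO - +test 250
10:00:02 192.0.2.10 - MAIL - +FROM:<someone@example.net> 250
10:00:03 192.0.2.10 - RCPT - +TO:<victim@elsewhere.example> 550
10:00:04 192.0.2.10 - RCPT - +TO:<bob@example.com> 250
10:00:05 192.0.2.10 - QUIT - - 221
10:01:00 198.51.100.7 - EHLO - +client 250
10:01:01 198.51.100.7 - AUTH - +LOGIN 334
10:01:02 198.51.100.7 - AUTH - - 535
10:01:03 198.51.100.7 - AUTH - +LOGIN 334
10:01:04 198.51.100.7 jsmith AUTH - - 235
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per data line, keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive lines; only #Fields: matters here (it can repeat when a new file starts).
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # no header yet, or a truncated line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def summarize(records: List[Dict[str, str]]) -> Dict[str, dict]:
    """Per client IP: command count, rejected RCPTs, failed AUTHs and accounts that authenticated."""
    per_ip: Dict[str, dict] = {}
    for rec in records:
        ip = rec.get("c-ip", "-")
        stats = per_ip.setdefault(ip, {"commands": 0, "rcpt_rejected": 0,
                                       "auth_failed": 0, "auth_users": set()})
        stats["commands"] += 1
        method = rec.get("cs-method", "").upper()
        status = rec.get("sc-status", "")
        if method == "RCPT" and status.startswith("5"):
            stats["rcpt_rejected"] += 1
        elif method == "AUTH" and status.startswith("5"):
            stats["auth_failed"] += 1
        elif method == "AUTH" and status == "235" and rec.get("cs-username", "-") != "-":
            stats["auth_users"].add(rec["cs-username"])
    return per_ip


def noisy_clients(per_ip: Dict[str, dict], rcpt_limit: int = 1, auth_limit: int = 1) -> List[str]:
    """IPs whose rejected RCPT or failed AUTH counts reach the (arbitrary) thresholds."""
    return sorted(ip for ip, s in per_ip.items()
                  if s["rcpt_rejected"] >= rcpt_limit or s["auth_failed"] >= auth_limit)


if __name__ == "__main__":
    stats = summarize(parse_w3c(SAMPLE_LOG))
    for ip, s in stats.items():
        print(ip, s["commands"], "cmds,", s["rcpt_rejected"], "rcpt rejected,",
              s["auth_failed"], "auth failed, users:", sorted(s["auth_users"]))
    print("worth a look:", noisy_clients(stats))
```

Point parse_w3c at the contents of a real log file from the virtual server's log directory; because cs-username is only filled in after a successful AUTH, the auth_users set tells you which accounts are being used to relay through the server, which is the list to review if relaying is restricted to authenticated computers.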

  • Run an application firewall like AQTRONIX MailKnight at the SMTP service.
Securing Outlook Web Access
Advanced Exchange Security Tips & Tools
Other Security Checklists
Service Packs and Hotfixes
Exchange Server Web Sites
Various

Published: 13/06/2002
Last modified: 15/01/2004
Document Type: General
Target: General
Visibility: Public
Language: English


