Subscribe to Windows IT Pro
June 26, 2008 12:00 AM

Secure Your Exchange Server

Take advantage of the Security Configuration Wizard
Brien Posey
Windows IT Pro
InstantDoc ID #99059
Rating: (0)

One thing that the wizard does detect automatically is which inbound ports are in use. Therefore, it’s important that any applications or services that listen for inbound traffic are running before you run the wizard.

To get started configuring the wizard, Click the Next button on the Welcome screen. You’ll see a screen that asks if you want to create a new security policy, edit an existing security policy, apply an existing security policy, or roll back to the last security policy that was applied.

The option of rolling back to the last applied security policy can be a real lifesaver. If you happen to make a mistake and apply a security policy that is too restrictive, you can rerun the wizard and use the rollback option to return your server to normal. Although rolling back the security policy is no substitute for having a good backup, it’s a nice option if you need it.

To configure the SCW initially, select the option to create a new security policy. After you click Next, you’ll see a screen asking you which server you want to use as a baseline. The wizard will create a security policy based on the server’s current settings, as well as on how you answer the wizard’s various questions. After you create a baseline policy, you can apply the policy to the server that you used to create it, or you can apply the policy to any other server.

A minor issue that I noticed while writing this article is that if the server you’re running the SCW on is running Windows 2003 SP1, then the wizard will insist that your target server also be running SP1—even if the target server is running SP2. Upgrading the server that the wizard is running on to SP2 seems to fix the problem.

Regardless of which server you choose to apply the policy to, you must have administrative permissions on the server. If the account that you’re using doesn’t have administrative privileges, you can click Specify User Account to provide an alternative set of credentials.

After you click Next, the SCW will process the security configuration database. When this process completes, click View Configuration Database to see all the server roles that the SCW is aware of. Although you can’t make any selections on this screen, you should at least verify that the SCW is Exchange 2007– aware. If the various Exchange 2007 roles appear in the list, then you registered the two XML files correctly.

Close the list of supported server roles and click Next. The following screen will inform you that you’re about to begin configuring the security policy based on the server’s roles, and that specifying incorrect roles can cause the server to stop functioning. In light of this warning, I highly recommend that you create a full system backup of the server before you continue.

Click Next to see a list of the roles that are currently installed on the server. The wizard does its best to try to identify the Windows server roles that are currently installed. Still, you must work through the list and ensure that all the roles that are important for the server are selected. Take your time going through the list, because making a mistake might cause the server to not work correctly.

Click Next, and you’ll see a list of the installed features. The basic concept behind this screen is that every Windows server also acts as a workstation in some capacity. The items in this list are the workstation components (called client features) that are currently installed. Again, go through the list carefully and make sure that the features you intend to use are selected before clicking Next.

At this point, the wizard will display the Administration and Other Options screen. This screen lists services and components that are related to performing administrative tasks on the server. Again, the wizard does a fairly good job of anticipating which of these services and components you’ll need, but you need to go through the list yourself and make sure that all the necessary components and services are selected.

The next screen lists the additional services that were detected while processing the security configuration database. Typically all the additional services that were detected will be selected, as Figure 2 shows.

In some cases you might not want to select all the services that were detected. In such a case, you should quit the SCW, uninstall the unwanted software, and then work through the wizard again.

Because the SCW might occasionally not detect a service that’s on the server, the wizard asks you to decide what you want to do if an unspecified service is detected. The wizard gives you two choices: You can disable the service, or you can allow the service to run as originally intended (by using the Do not change the startup mode of the service option).

Click Next to see a summary of all the services that have been detected. The summary displays the service’s current startup mode and what the startup mode will be after the new policy takes effect. I recommend that you take some time to meticulously look through this list, to make sure there are no mistakes.

When you’re satisfied with the changes that will be made, click Next to go to the wizard’s Network Security screen. This screen informs you that the wizard is about to configure the Windows firewall based on the roles your server is hosting. The screen contains a check box that you can use to completely skip the network security configuration. Assuming that you want to secure the network, click Next.

You’ll see a screen similar to the one in Figure 3. As you can see in the figure, the screen lists various ports and asks you which of the ports you want to open. Initially, all the ports appear to be selected. However, if you scroll through the list you’ll see that some ports are not selected by default— especially ports related to Exchange Server. You’ll need to examine each port individually and decide whether you need to enable the port.

Click Next to see a summary of the ports that were detected, as well as what the port status will be after the new security policy is in place. Ensure that everything in the list is correct, and click Next again.

You’ve now reached the wizard’s Registry Settings section. This section lets you specify which protocols can be used to communicate with other computers.

Click Next to go to the SMB Security Signatures screen, which Figure 4 shows. As you can see in the figure, the registry is configured based on which check boxes you select. You must indicate whether the other computers on the network meet minimum OS requirements, as well as whether the server has sufficient processing power to digitally sign all file and print traffic. The first check box asks whether the other computers that the server communicates with meet certain OS requirements, which are listed below the check box. The second check box asks whether the machine has the necessary power to digitally sign file and print traffic. Selecting both check boxes enables Server Message Block (SMB) security signatures.

The next screen asks which methods the server uses to authenticate with remote computers. Typically, domain accounts are the sole authentication mechanism. However, you can specify that local accounts or file sharing passwords be used.

The screen that you see next will vary depending on the options you chose on the previous screen. Assuming that you selected the Domain Accounts option, you’ll be asked to verify that all the domain controllers (DCs) are running Windows NT 4.0 with SP6A or a more recent OS. The screen also asks you to confirm that clocks are synchronized with the selected server’s clock.

Click Next to go to the screen that displays a summary of the options you’ve chosen within the Registry Settings section. If all the settings seem to be correct, click Next to continue.

The wizard will now take you to the Audit Policy section. Clicking Next will display a screen that asks you to determine your audit policy. You have the option of not auditing anything, auditing successful activities, or auditing successful and unsuccessful activities. Make your selection and click Next to go to a summary screen that shows which events will be audited when the new policy takes place.

The wizard then takes you to the Save Security Policy section. Click Next again, and you’ll be asked to provide a name and an optional description for the policy you’re creating. The screen also contains a View Security Policy button that you can use to generate a report of all the security options you’ve selected. You can use this report to verify one last time that all the security settings are correct.

Click Next, and you’ll see a screen asking if you’d like to apply the policy now or later. If you choose to apply the policy now, you’ll need to reboot the server. After you make your selection, click Next followed by Finish to complete the wizard.

Harden Your Environment
Windows 2003 SP1’s SCW was originally designed to help secure the Windows OS. But two Exchange 2007 files, Exchange2007 .xml and Exchange2007Edge.xml, let you extend the SCW to secure Exchange in addition to Windows. Installing and configuring the SCW and registering these XML files make the SCW Exchange 2007–aware and thus make your entire environment more robust.

Related Content:

ARTICLE TOOLS

Comments
Add A Comment
    There are no comments to display. Be the first one!
You must log on before posting a comment.

Are you a new visitor? Register Here

advertisement

advertisement

Dev Pro Left-Brain SharePoint Pro SQL Server Pro SuperSite for Windows Windows IT Pro

© 2012 Penton Media, Inc.

Home About Us Advertise Customer Service Privacy Statement Subscribe/Renew Terms Of Use

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.