Configuring IIS Lockdown

The IIS Lockdown Wizard should be run against any front-end server. The IIS Lockdown Wizard helps to identify any potential security holes and locks down optional components that may not be required for application. Care should be taken when running this utility because an incorrect configuration may stop other services from running properly.

For proper configuration of IIS Lockdown in an Exchange environment, see these Microsoft knowledge base articles:

• How to install and use the IIS Lockdown Wizard (http://www.support.microsoft.com/?kbid=325864)

• IIS lockdown and URLscan configurations in an Exchange environment (http://www.support.microsoft.com/?kbid=309508)

Configuring SSL Security

Without SSL enabled, the client to front-end server communication is not secure. For this reason, we highly recommend that you require SSL. To take this one step further, the ability to access the front-end server without SSL should be disabled.

Not to mention, the authentication method to front-end servers is through basic authentication. If you're not securing your front-end servers with SSL, user names and passwords are being sent clear-text. Additional information on configuring SSL can be located in the Front-End and Back-End Topology document at http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/febetop.mspx.

Verify Message Tracking Logs

If message tracking is enabled, any message handled by SMTP is automatically stored in a shared folder. This allows any Exchange administrator to view the information through Exchange System Manager (or by navigating to the share directly). If the Everyone group has permissions to this share, it should be removed. The Exchange Server MP will verify and alert if the Everyone group has permission to this share.

Verifying SMTP Directories

The Exchange Server MP will verify whether the SMTP directories are located on NTFS partitions. Because SMTP messages are not always secure, utilizing NTFS security can help secure the files. Other file systems aren't capable of being secured adequately. For that reason, move the SMTP directories to an NTFS partition.

Verifying Anonymous Relay

Exchange, by default, does not relay messages unless it's submitted by an authenticated user. The Exchange Server MP will verify this setting and alert if Relay Restrictions allows anonymous relay.

Prerequisites

Before running the Configuration Wizard, make sure that the following conditions are true:

• The administrator running the Configuration Wizard has at least Exchange full administrator privileges for the Administrative Group they're going to configure.

• Any Exchange servers that will be configured have the MOM agent installed.

• Any Exchange servers that will be configured have the Remote Registry service enabled.

Using the Wizard

The configuration runs in two modes: default and custom. The default mode enables the following:

• Messaging tracking

• Exchange Information Store service monitoring

• Exchange Management service monitoring

• Exchange MTA Stacks service monitoring

• Exchange System Attendant service monitoring

• SMTP service monitoring

• WWW Publishing service monitoring

• Creation of MAPI logon test mailboxes

• Server availability monitoring

The custom mode can be used to select all the features mentioned in the preceding list as well as to allow additional monitoring requirements to be defined. For example, the custom mode can be used to monitor availability per store instead of per server or add additional services that should be monitored as a part of the health of the Exchange service. Custom mode can also be used to disable monitored features such as mailbox availability or Front-End monitoring.

Both modes allow the customization of mail flow monitoring. This monitoring verifies that e-mail can flow from a designated sending server(s) to a designated receiving server(s).

Command-Line Features

If multiple Exchange servers require configuration, working through a wizard may make configuration a little time-consuming. To get around this, use ExchangeMPConfig.exe to import or export configurations from server to server. This utility is located in the %programfiles%\Exchange Management Pack\ Configuration Utility directory.

ExchangeMPConfig.exe supports the following switches:

• Export configuration

  • /e <configfile.xml>: Exports a configuration to the file name specified.

  • /s <filter>: Specifies the name of servers to pull configuration from (supports wild-cards such as ∗ or ?).

  • /a <filter>: Specifies the name of an administrative group to pull configuration from (supports wildcards such as ∗ or ?).

• Import configuration

  • /i <configfile.xml>: Imports and applies the specified configuration file.

  • /u <domain\username>: Specifies the Mailbox Access account name.

  • /p <password>: Specifies the password for the Mailbox Access account.

Exchange Topology Discovery

This script is used by the computers that are members of the Microsoft Exchange Topology Discovery Computers to gather topology information that is displayed in the Exchange topology view.

Exchange 2000 — Check local disks free space

This script checks the free space on all drives (as well as Log and Queue drives separately) by percentage and megabytes available and generates alerts based on warning or error level thresholds.

Exchange 2000 — Check mailbox store status

The Check mailbox store status script checks to see if a mailbox store is online.

Exchange 2000 — Check service(s) state

The Check services state script checks to see if specified services are running. The list of services is specified by the Configuration Wizard.

Exchange 2000 — Check service(s) state front-end

This performs the same action as the Check services state script.

Exchange 2000 — Collect Mailbox Statistics

This script collects mailbox statistics up to the specified number in MaxEntries.

Exchange 2000 — Collect Message Tracking Log Statistics

The script collects message tracking log statistics up to the specified number in MaxEntries.

Exchange 2000 — Collect Public Folder Statistics

This script collects mailbox statistics up to the specified number in MaxEntries.

Exchange 2000 — Install Exchange Helper Objects

The script installs the Exchange Help Object on Exchange servers.

Exchange 2000 — Mail flow receiver

This script verifies mail flow from a specified server. The servers are specified by the Configuration Wizard.

Exchange 2000 — MAPI logon verification

MAPI logon verification checks the mailbox and server availability by logging on through MAPI.

Exchange 2000 — Verify Circular Logging settings

This script verifies the circular logging settings are either enabled or disabled based on the VerifyThisCircularLoggingState parameter.

Exchange 2000 — Verify Log Files Are Being Truncated (By Age Modified)

If logs aren't truncating, then most likely, backups aren't completing. This script checks the date of the log files against the date of Max_Days_Old value to determine if an alert should be generated.

Exchange 2000 — Verify Message Tracking Is Enabled

This script checks whether Message Tracking is enabled. CheckOnlyBackEndServers can be used to limit the scope for which this script checks.

Exchange 2000 — Verify Remote Simple Mail Transfer Protocol Queues

This script checks the count of messages in the remote SMTP queue.

Exchange 2000 — Verify Required Windows hotfixes

This script checks Exchange servers for the presence of the hotfixes in the HotfixIDs parameters.

Exchange 2003 — EAS logon verification

Verifies EAS availability.

Exchange 2003 — OMA logon verification

Verifies OMA availability.

Exchange 2003 — OWA logon verification

Verifies OWA availability.

Exchange 2003 — Verify if SSL should be required

As the description states, this script verifies if SSL should be required. The parameter ListOfServersExcludedFromSSLRequiredAlert (take a breath) can be used to specify a list of servers to be excluded from this check. This list should be comma delimited. Override criteria can be used to achieve the same effect.