In Exchange Server 2007, your Edge Transport server roles are installed as standalone servers in your perimeter network (also referred to as the boundary network or screened subnet).
Because these servers exist in your perimeter network, they are more vulnerable to potential attacks than servers located on your internal network. To prepare a server for the Edge Transport server role, you should first use the Security Configuration Wizard (SCW) to minimize the attack surface of the server by disabling services and features that are not needed to perform the functions of an Edge Transport server.
Although it is possible to secure the server manually, the SCW automates the process and applies Microsoft recommended best practices to lock the server down, using a role-based model to determine which services are needed on a particular server. By using the SCW, you can minimize your exposure to exploitation of security vulnerabilities.
One of the challenges of locking down ports and services on a particular server is ensuring that you do not remove functionality the server needs in order to perform its functions. Mistakes are often made that are not immediately visible and that can cause problems in your environment requiring troubleshooting at a later date. However, Exchange Server 2007 ships with an SCW template that can be applied to a computer with the Edge Transport server role installed and that automatically locks down the services and ports that are not needed for Edge Transport functionality.
When you run the SCW, you can create a custom policy based on this template that can be applied to all Edge Transport servers in your environment.
Implementing Network Security
Edge Transport servers in a perimeter network are generally configured with two network adapters—one to communicate strictly with the Internet, and the other strictly for internal communications.
Each adapter must have a different level of security applied to it. It is recommended that the Internet-facing (or external) adapter be configured to allow only SMTP traffic on port 25.
The internal adapter, on the other hand, needs the following ports open to communicate properly with the servers within your organization:
- Port 25/TCP for SMTP traffic
- Ports 50389/TCP and 50636/UDP for Lightweight Directory Access Protocol (LDAP) communication
- Port 3389/TCP for Remote Desktop Protocol (RDP)
The LDAP ports are used during the EdgeSync process, and the RDP port is used to allow remote administration of the server.
Using the SCW Template
After the Edge Transport server role has been installed, you can follow this procedure to configure a security policy with the Security Configuration Wizard:
1. Install the Security Configuration Wizard.
2. Register the Security Configuration Wizard extension by locating the file named Exchange2007.xml in the C:\Program Files\Microsoft\Exchange Server directory. If you installed Exchange in a different directory, look for the file there instead.
3. Copy the file to the C:\Windows\Security\Msscw\Kbs directory. If you installed Windows in a different directory, copy the file to the corresponding path under that installation directory instead.
4. Open a command prompt window and register the Exchange 2007 extension with the local security configuration database by typing the following command:
   scwcmd register /kbname:msexchangeedge /kbfile:%windir%\security\msscw\kbs\exchange2007.xml
5. Verify that the command completed successfully by viewing the SCWRegistrar_log.xml file located in the C:\Windows\Security\Msscw\Logs directory.
6. Create the Edge Transport server SCW policy for your specific environment.
7. If you have more than one Edge Transport server in your environment, you can apply this custom policy to each of them by performing the following steps:
   a. Log on to a server with the Edge Transport server role installed. You must be logged on as a user that is a member of the local Administrators group on that computer.
   b. Select Start, All Programs, Administrative Tools, Security Configuration Wizard to start the tool. Click Next on the welcome screen.
   c. On the Configuration Action page, select Apply an Existing Security Policy. Click Browse, select the XML file for your policy, and then click Open. Click Next.
   d. On the Select Server page, verify that the correct server name appears in the Server (use DNS name, NetBIOS name, or IP address) field. Click Next.
   e. On the Apply Security Policy page, click View Security Policy if you want to view the policy details, and then click Next.
   f. On the Applying Security Policy page, wait until the progress bar indicates Application Complete, and then click Next.
8. On the Completing the Security Configuration Wizard page, click Finish.
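Steps 2 through 5 of this procedure, plus applying the finished policy from step 7 without clicking through the wizard, scripted in PowerShell as an added example that is not part of the original text. It assumes scwcmd.exe is on the PATH (it ships with SCW) and that the -PolicyPath parameter, a name chosen here, points at the policy XML you created in step 6; scwcmd configure /p: is the command-line counterpart of the wizard's Apply an Existing Security Policy action.

```powershell
# Added example: register the Exchange 2007 SCW extension and optionally apply a policy.
param(
    [string]$ExchangeRoot = "C:\Program Files\Microsoft\Exchange Server",  # step 2 default
    [string]$PolicyPath   = ""   # hypothetical parameter: policy from step 6; empty = register only
)

$kbSource = Join-Path $ExchangeRoot "Exchange2007.xml"
$kbDir    = Join-Path $env:windir "Security\Msscw\Kbs"
$logFile  = Join-Path $env:windir "Security\Msscw\Logs\SCWRegistrar_log.xml"

if (-not (Test-Path $kbSource)) {
    throw "Exchange2007.xml not found under $ExchangeRoot; adjust -ExchangeRoot (step 2)."
}

# Step 3: copy the knowledge base file into the SCW KB directory.
Copy-Item -Path $kbSource -Destination $kbDir -Force
$kbTarget = Join-Path $kbDir "exchange2007.xml"

# Step 4: register the extension with the local security configuration database.
& scwcmd register "/kbname:msexchangeedge" "/kbfile:$kbTarget"
if ($LASTEXITCODE -ne 0) {
    throw "scwcmd register failed with exit code $LASTEXITCODE"
}

# Step 5: the log is the record of success; surface any line mentioning an error
# (a plain text match, so review the file itself before trusting a clean result).
if (Test-Path $logFile) {
    Write-Host "Registration log written to $logFile"
    Get-Content $logFile | Select-String -Pattern "error" -SimpleMatch |
        ForEach-Object { Write-Warning $_.Line }
} else {
    Write-Warning "Registrar log $logFile not found; confirm scwcmd ran with administrative rights."
}

# Step 7, unattended: apply an existing policy on this server with scwcmd instead of the UI.
if ($PolicyPath) {
    if (-not (Test-Path $PolicyPath)) { throw "Policy file $PolicyPath not found" }
    & scwcmd configure "/p:$PolicyPath"
    if ($LASTEXITCODE -ne 0) {
        throw "scwcmd configure failed with exit code $LASTEXITCODE"
    }
}
```

Run it once per Edge Transport server from an elevated PowerShell session; pass -PolicyPath only after the policy from step 6 has been reviewed, since scwcmd configure applies it immediately.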