Secure configuration document

Academic year: 2021


MS Exchange 2003

Draft 0.1

DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY

Ministry of Communication and Information Technology, Government of India.

Submitted by

Document Classification: Internal Page 1 of 46

Document Control

S. No.  Type of Information   Document Data
1.      Document Title        Secure Configuration Document – Wi-Fi
2.      Document Code         PR_SCD_Wi-Fi
3.      Date of Release
4.      Next Review Date      12th September 2014
5.      Document Owner        DietY
6.      Document Author(s)    Wipro Consulting Services
7.      Document Reviewer     Negd
8.      Document Reference    PR_Harden

6th Sep 2013 Draft Version

Document Approval

S. No.  Document Approver   Approver Designation   Approver E-mail ID
1.      Archana Dureja      Director, DietY        [email protected]

Document Change History

Version No.   Revision Date   Nature of Change   Date of Approval


Purpose

This document is intended to guide MS Exchange system administrators in securing Microsoft Exchange Server 2003. It should be used to harden the MS Exchange 2003 server(s) deployed in an e-Gov service delivery environment. Security compliance of Exchange 2003 servers can be measured and reported using the control points mentioned below as the benchmark or criteria.

How to use this Document

The document covers the mandatory security configurations for MS Exchange Server 2003. Please test the prescribed settings in a staging setup before deploying them to the production environment.

The document also includes a "How to check" section for each control point; its output can be captured in hardening reports. These reports can serve as audit artifacts for demonstrating hardening compliance on a specific server.

The Solution sections of the control points below provide solutions and configurations as per industry best practices. They also give recommended values for a production environment, determined from practical experience in production. The recommended values and parameters can be redefined for a specific environment if they are found unsuitable or as desired.


General Exchange Security Guidance:

The following recommendations are provided to facilitate a more secure platform.

• Review all recommendations to ensure they comply with local policy.

• Do not install Exchange Server 2003 on a domain controller.

• Load the operating system and secure it before loading Exchange onto the platform.

• It is important to realize that the system cannot be considered secured until the operating system has first been secured. If the operating system is not secured, Exchange functionality might be secure but the platform as a whole will be vulnerable.

• Ensure the following services have been started before attempting to install Exchange:

  o NNTP
  o HTTP
  o SMTP
  o World Wide Web
  o .NET Framework

• Ensure that all relevant operating system security patches have been applied.

• Ensure that all relevant Exchange security patches have been applied.

• The Exchange administrator should require a user's network/domain username to be different from their email alias. The threat in not following this recommendation: once a malicious user has your email address, they also hold a valid network/domain username with which to conduct malicious activity.

The recommended settings only increase security. It is essential to continually monitor the latest best security practices.

Exchange Server 2003 can operate in two modes: Native mode and Mixed mode. In Native mode we can

• Rename and consolidate administrative groups,

• Define routing groups and administrative groups,

• Move mailboxes between servers in different administrative groups,

• Create an administrative group that spans multiple routing groups, and

• Use query-based distribution groups.

Native mode does not allow Exchange 2003 to interoperate with Exchange 5.5 systems.


running Exchange 2003 or Exchange 2000. Once the Exchange servers have been updated, the switch to Native mode can take place. Once the switch occurs, the change cannot be reversed, and the organization is no longer able to interoperate with Exchange 5.5 systems. Exchange 2003 servers can be configured to function as role-based servers, that is, as an HTTP server, IMAP server, POP3 server, NNTP server or SMTP server. The SMTP service must be running on every Exchange 2003 server; without it, Exchange will not function. With OWA 2003, your organization's users can access their mailboxes using a Web browser. OWA 2003 has come a long way

By default, the authentication methods for accessing OWA are Basic and/or Integrated Windows authentication, but there are actually five different authentication methods that can be used to validate OWA users:

Anonymous access: Enabling anonymous connections allows HTTP clients to access resources without specifying a Microsoft Windows 200x user account. Passwords for anonymous accounts are not verified; the password is only logged in the Windows 200x Event Log. By default, anonymous access is not enabled. The server creates and uses the account IUSR_computername.

Integrated Windows authentication: The Integrated Windows authentication method is enabled by default (except on front-end servers). This authentication method also requires HTTP users to have a valid Windows 200x user account and password to access information. Users are not prompted for their account names and passwords; instead, the server negotiates with the Windows 2000 security packages installed on the client computer. This method allows the server to authenticate users without prompting them for information and without transmitting unencrypted information across the network.

Digest authentication: Digest authentication works only with Active Directory accounts. It is quite secure because it sends a hash value over the network rather than a plaintext password, as is the case with Basic authentication. Digest authentication works across proxy servers and other firewalls and is available on Web Distributed Authoring and Versioning (WebDAV) directories. To use this form of authentication, clients must use Internet Explorer 5.0 or later.

Basic authentication: Basic authentication transmits user passwords across the network as unencrypted information. Although this method allows users to access all Exchange resources, it is not very secure. To enhance security, it is strongly advised that you use SSL with Basic authentication to encrypt all information. We will show you how to enable Secure Socket Layer (SSL) on your OWA virtual directories in the next section.

.NET Passport authentication: .NET Passport authentication allows your site's users


maintaining their own proprietary authentication systems. However, the .NET Passport central server does not authorize or deny a specific user's access to individual .NET Passport-enabled sites; it is the Web site's responsibility to control user permissions. Using .NET Passport authentication requires that a default domain be defined. You probably know the .NET Passport authentication method from services such as Microsoft's MSN Hotmail and Messenger. Note that this authentication method can be set only through the IIS Manager, not the Exchange System Manager. As you can see in Figures 5.7 and 5.8, you can set all types of authentication methods either on the HTTP virtual folders in the Exchange System Manager and/or on the OWA virtual directories under the Default Web Site in the IIS Manager. As a general rule, you should set the authentication methods through the Exchange System Manager whenever possible, and through the IIS Manager only as a last resort.


Table of Contents

1. SPECIFY BLOCK LIST SERVICE PROVIDER ... 4
2. BLOCK LIST EXCEPTIONS ... 5
3. SIZE OF SENDING/RECEIVING MESSAGES ... 6
4. RECIPIENT LIMITS ... 7
5. FILTER RECIPIENTS WHO ARE NOT IN DIRECTORY ... 8
6. BLOCKING SPECIFIC RECIPIENT AND SENDER EMAIL IDS (OPTIONAL) ... 9
7. ARCHIVE FILTERED MESSAGES ... 10
8. FILTER MESSAGES WITH BLANK SENDER ... 11
9. DROP CONNECTION IF ADDRESS MATCHES FILTER ... 12
10. ACCEPT MESSAGES WITHOUT NOTIFYING SENDER OF FILTERING (OPTIONAL) ... 13
11. AUTHENTICATING AND USING OUTLOOK MOBILE ACCESS OVER SECURED CONNECTION ... 14
12. AUTHENTICATING AND USING USER INITIATED SYNCHRONIZATION OVER SECURED CONNECTION ... 16
13. CERTIFICATE WIZARD ... 18
14. ENABLE ANONYMOUS ACCESS ... 19
15. AUTHENTICATION METHOD ... 21
16. USING FORM BASED AUTHENTICATION METHOD TO ACCESS EXCHANGE VIRTUAL DIRECTORY OVER SECURED CONNECTION ... 22
17. AUTHENTICATION METHOD TO ACCESS EXADMIN VIRTUAL DIRECTORY OVER SECURED CONNECTION ... 24
18. AUTHENTICATION METHOD TO ACCESS PUBLIC VIRTUAL DIRECTORY OVER SECURED CONNECTION ... 26
19. TCP PORT/SSL PORT ... 28
20. LOG FILES TO MONITOR THE ACTIVITY ON THE SERVER ... 29
21. AUTHENTICATION METHOD TO BE USED FOR ACCESS IMAP VIRTUAL DIRECTORY OVER SECURED CONNECTION ... 30
22. CONNECTION TIME-OUT (MINUTES) ... 31
23. EXCLUDE OR LIMIT CONNECTIONS ... 32
24. BACKUP/RESTORE ... 33
25. RETENTION DURATION FOR DELETED ITEMS ... 35
26. RETENTION DURATION FOR DELETED MAILBOX ... 36
27. ARCHIVE ALL MESSAGES SENT OR RECEIVED BY MAILBOXES ... 37
28. STORAGE LIMITS OF MAILBOX STORES ... 38


1. Specify Block List Service Provider

Description: Block list services collect the IP addresses of known spammers and other hostile parties. One can subscribe to such a service and configure Exchange to use it to filter out or block messages from these IP addresses.

Impact: If IP filtering on the Exchange server is not working, the server is exposed to the threats and vulnerabilities caused by email spammers.

Solution: A block list service provider is configured by clicking the "Add" button under the Block List Service Configuration list.

Exchange System Manager → Global Settings → Message Delivery → Properties → Connection Filtering Tab → Block List Service Configuration → Add Button

Enter the DNS suffix of the subscribed provider in the field that specifies the block list provider; the block list service provider supplies the value for this field.

Please note that the block list provider settings will not take effect unless the "Apply connection filter" checkbox is selected on the SMTP Virtual Server.

How to check:

Ensure that the correct block list service provider DNS suffix and other details are present at the following path.

Exchange System Manager → Global Settings → Message Delivery → Properties → Connection Filtering Tab → Block List Service Configuration → Add Button

Applicable to:


2. Block List Exceptions

Description: Known email servers on the Internet that have been found spamming, sending viruses or carrying out other malicious activities can be marked in the exception list of SMTP servers. Any emails from these IPs (email SMTP servers) can be blocked.

Impact: Leaving blacklisted SMTP servers unblocked on our Exchange server exposes the server to malicious intent of all kinds, which can lead to security breaches.

Solution: Add the SMTP addresses that should not be blocked despite being on a block list.

Exchange System Manager → Global Settings → Message Delivery → Properties → Connection Filtering Tab → Block List Service Configuration → Exception Button

How to check:

Exchange System Manager → Global Settings → Message Delivery → Properties → Connection Filtering Tab → Block List Service Configuration → Exception Button

Applicable to:


3. Size of Sending/Receiving Messages

Description: These fields control the maximum size of acceptable outbound and inbound messages respectively, i.e. the size of sent and received messages. Limiting them reduces network congestion and minimizes the chance of internal users sending large messages to external parties.

Impact: Absence of a limit on email message size can cause congestion in mail and network traffic.

Solution: The precise limits can vary depending on need; the message size should at most be set to <= 10 MB (best practice).

A value of 10 MB or greater can be configured as per the applicable email policy.

Selecting the "No limit" radio button on either field can be done only if specific users have a legitimate need to send large email messages.

How to check:

Exchange System Manager → Global Settings → Message Delivery → Properties → Defaults Tab → Sending message size and Receiving message size

Applicable to:


4. Recipient Limits

Description: This field controls the maximum number of recipients that can be specified in a single message sent from the server.

Impact: Absence of any limit on the number of recipients of an email can lead to the risk of mail traffic congestion caused by bulk mails.

Solution: While the precise value of this control may vary between organizations, the maximum number of recipients per message should be <= 100.

How to check:

Ensure that recipient limits are configured on the email server as per the applicable email policy.

Exchange System Manager → Global Settings → Message Delivery → Properties → Defaults Tab → Recipient limits

Applicable To:
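A scripted form of the "How to check" steps for control points 3 and 4, added here as an example; it is not part of the DeitY/Wipro document. It reads the organization-wide Message Delivery defaults from the Active Directory configuration partition on a domain-joined host. The attribute names delivContLength and submissionContLength (both in KB) and msExchRecipLimit are assumed to be the ones Exchange 2003 stores on its "Message Delivery" object, and the 10 MB / 100 recipient thresholds are the values recommended above; confirm the attributes with ADSI Edit in your forest before relying on the report.

```powershell
# Added compliance check; not part of the DeitY/Wipro hardening document.
# Reads the Exchange 2003 organization defaults (Global Settings -> Message
# Delivery) straight from Active Directory and compares them with control
# points 3 and 4. Assumptions: the account running it can read the
# Configuration partition; the attribute names below are those of the
# Exchange 2003 "Message Delivery" object (verify with ADSI Edit).

$MaxMessageKB  = 10 * 1024   # control point 3: sending/receiving size <= 10 MB
$MaxRecipients = 100         # control point 4: <= 100 recipients per message

function Get-MessageDeliveryObject {
    # Locate CN=Message Delivery below CN=Services in the configuration partition.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Get('configurationNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=Services,$configNc"
    $searcher.SearchScope = 'Subtree'
    $searcher.Filter      = '(cn=Message Delivery)'
    foreach ($attr in 'delivContLength', 'submissionContLength', 'msExchRecipLimit') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw 'Message Delivery object not found in the configuration partition.' }
    return $hit
}

function Get-AttributeValue($SearchResult, [string]$Attr) {
    # ESM removes the attribute when the "No limit" radio button is selected,
    # so an absent attribute is reported as $null and treated as "no limit".
    $values = $SearchResult.Properties[$Attr.ToLower()]
    if ($values -eq $null -or $values.Count -eq 0) { return $null }
    return [int]$values[0]
}

function Test-LimitSetting([string]$Setting, $Value, [int]$Maximum, [string]$Unit) {
    # One report row per setting: the configured value and its compliance status.
    $row = New-Object PSObject
    $row | Add-Member NoteProperty Setting $Setting
    if ($Value -eq $null) {
        $row | Add-Member NoteProperty Value  'No limit'
        $row | Add-Member NoteProperty Status 'NON-COMPLIANT (no limit configured)'
    } elseif ($Value -gt $Maximum) {
        $row | Add-Member NoteProperty Value  "$Value $Unit"
        $row | Add-Member NoteProperty Status "NON-COMPLIANT (exceeds $Maximum $Unit)"
    } else {
        $row | Add-Member NoteProperty Value  "$Value $Unit"
        $row | Add-Member NoteProperty Status 'COMPLIANT'
    }
    return $row
}

$md = Get-MessageDeliveryObject
$report = @(
    (Test-LimitSetting 'Sending message size'   (Get-AttributeValue $md 'submissionContLength') $MaxMessageKB  'KB'),
    (Test-LimitSetting 'Receiving message size' (Get-AttributeValue $md 'delivContLength')      $MaxMessageKB  'KB'),
    (Test-LimitSetting 'Recipient limit'        (Get-AttributeValue $md 'msExchRecipLimit')     $MaxRecipients 'recipients')
)
$report | Format-Table -AutoSize
```

The table it prints can be pasted into the hardening report as the audit artifact for these two control points; per-user overrides set on individual mailboxes are not covered by the organization defaults it reads.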


5. Filter Recipients who are not in Directory

Description: By blocking recipients who are not listed in the domain's Active Directory, we are potentially revealing whether such a user exists in the domain.

Impact: In the absence of filters on recipients not listed in the domain's Active Directory, a sender can get a clue about the user accounts in the system and can perform malicious activities.

Solution: Clear this checkbox; the filter should not be applied. It might seem reasonable to filter messages to recipients who are not in Active Directory immediately, since mail accounts are in fact stored in Active Directory. However, this feature can be used by external entities to determine whether a particular user exists in the Active Directory domain: by observing whether or not messages are filtered, an external entity could build a list of known accounts on the system.

If this feature is enabled nonetheless, make sure that email addresses are different from Windows account usernames.

How to check:

Exchange System Manager → Global Settings → Message Delivery → Properties → Recipient Filtering Tab → Filter recipients who are not in the Directory


6. Blocking Specific Recipient and Sender Email IDs (Optional)

Description: The email administrator may need to block messages that are sent to or received from specific email IDs/mailboxes.

Impact: Absence of such a feature leaves open a threat from specific internal or external email IDs.

Solution: Specify and block recipients at the following path:

Exchange System Manager → Global Settings → Message Delivery → Properties → Recipient Filtering

Specify and block senders at the following path:

Exchange System Manager → Global Settings → Message Delivery → Properties → Sender Filtering Tab → Senders

How to check: Check and ensure that sender and recipient email IDs are configured at the following paths if/as desired.

Exchange System Manager → Global Settings → Message Delivery → Properties → Recipient Filtering

Exchange System Manager → Global Settings → Message Delivery → Properties → Sender Filtering Tab → Senders


7. Archive Filtered Messages

Description: Archiving the messages that were blocked by the sender filter helps to recover messages that might have been inappropriately filtered.

Impact: Without a backup of filtered messages, an important email that was filtered may not be deliverable to the intended mailbox once it is traced.

It can also lead to issues and inefficient incident tracking in the event of a security breach.

Solution: This feature has to be enabled, as it provides a backup copy of filtered messages.

Exchange System Manager → Global Settings → Message Delivery → Properties → Sender Filtering Tab → Archive filtered messages

How to check:

Check that the feature is enabled at the following path.

Exchange System Manager → Global Settings → Message Delivery → Properties → Sender Filtering Tab → Archive filtered messages

Also check that filtered messages are actually being archived.

Applicable to:


8. Filter Messages with Blank Sender

Description: All messages with a blank sender have to be blocked.

Impact: Unauthorized and malicious activity can go undetected and unnoticed.

Solution: This feature has to be enabled by selecting the following option:

Exchange System Manager → Global Settings → Message Delivery → Properties → Sender Filtering Tab → Filter messages with blank sender

How to check: Check that the following feature is enabled.

Exchange System Manager → Global Settings → Message Delivery → Properties → Sender Filtering Tab → Filter messages with blank sender


9. Drop Connection if Address Matches Filter

Description: This control specifies that any inbound connection from an address that has been filtered should be dropped immediately.

Impact: Absence of a feature to drop connections from suspected IPs can lead to security breaches and malicious activity on the email server.

Solution: Enable this feature; dropping the connection is the most effective way to handle the message, as it minimizes the use of the server's resources.

Exchange System Manager → Global Settings → Message Delivery → Properties → Sender Filtering Tab → Drop connection if address matches filter

If enabled, a malicious user who has managed to relay mail through the server is disconnected immediately, and the mail is filtered out.

How to check:

Check that connections from filtered addresses are dropped at the following path.

Exchange System Manager → Global Settings → Message Delivery → Properties → Sender Filtering Tab → Drop connection if address matches filter

Applicable to:


10. Accept Messages without Notifying Sender of Filtering (Optional)

Description: This feature allows filtering silently, to avoid giving the sender any indication that messages were filtered.

Impact: Indicating to a sender that filtering took place can tell a malicious sender something about the server's security and the internal environment, which can help them in performing further malicious activities.

Solution: This feature can be enabled only when "Drop connection if address matches filter" is disabled. (Note that "Drop connection if address matches filter" is the more efficient and more secure configuration.)

Exchange System Manager → Global Settings → Message Delivery → Properties → Sender Filtering Tab → Accept messages without notifying sender of filtering

How to check:

Exchange System Manager → Global Settings → Message Delivery → Properties → Sender Filtering Tab → Accept messages without notifying sender of filtering

Applicable to:


11. Authenticating and Using Outlook Mobile Access over secured connection

Description: OMA provides an Outlook-like interface for mobile devices that offers many of the features of Outlook itself. If Outlook Mobile Access is enabled, the "Enable unsupported devices" option also becomes available, potentially causing Exchange to serve OMA pages to any requesting device.

Impact: Offering OMA over an insecure connection exposes the server to malicious activities and security breaches.

Solution: Disable this feature and delete the OMA virtual directory from IIS. If OMA is enabled, it should:

• Use the default value of Basic authentication; enabling Integrated Windows Authentication or Digest authentication is unlikely to have much effect, since OMA cannot use these protocols.

• Be enabled with Read permission.

• Have the Execute permission control configured as well; it specifies whether scripts and/or executables may be run on this virtual server.

• Be used over a secure connection, with a policy regarding secure practices with mobile devices.

• If a particular client application does not support secure communication, this feature will need to be disabled or such client applications upgraded to 128-bit encryption.

How to check:

Configure OMA as per the following steps:

Exchange System Manager → Global Settings → Mobile Services → Properties → General Tab → Outlook Mobile Access → Enable Outlook Mobile Access and Enable unsupported devices

Authentication: IIS Manager → [server] → Web Sites → Default Web Site → OMA → Properties → Directory Security Tab → Authentication and access control → Edit Button → Authenticated access (Multiple Items)

With Read enabled: IIS Manager → [server] → Web Sites → Default Web Site → OMA → Properties → Virtual Directory Tab → Access Control (Multiple Items)

With Execute Permission: IIS Manager → [server] → Web Sites → Default Web Site → OMA → Properties → Virtual Directory Tab → Execute permissions (Multiple Items)

Over Secured Connection: IIS Manager → [server] → Web Sites → Default Web Site → OMA → Properties → Directory Security Tab → Secure communications → Edit Button → Require secure channel (SSL) (Multiple Items)

Applicable to:


12. Authenticating and Using User Initiated Synchronization over secured connection

Description: Using ActiveSync, one can synchronize e-mail, calendaring and contact information between the Exchange server and supported Windows mobile devices. Connections to the ActiveSync virtual directory should be made with proper authentication.

Impact: Unauthenticated and insecure synchronization between a mobile user and the Exchange server can lead to security breaches.

Solution: Disable ActiveSync and delete the Microsoft-Server-ActiveSync virtual directory from IIS. If ActiveSync is enabled, it should:

• Use the default value of Basic authentication; enabling Integrated Windows Authentication or Digest authentication is unlikely to have much effect, since OMA cannot use these protocols.

• Be enabled with Read permission.

• Have the Execute permission control configured as well; it specifies whether scripts and/or executables may be run on this virtual server.

• Be used over a secure connection, with a policy regarding secure practices with mobile devices.

• If a particular client application does not support secure communication, this feature will need to be disabled or such client applications upgraded to 128-bit encryption.

To enable ActiveSync, "Enable user initiated synchronization" must be selected.

• This in turn enables the "Enable up-to-date notifications" checkbox, which sends alerts to the user's mobile device when new mail has arrived.

Refer to the detailed steps in the How to check section.

How to check:

Exchange System Manager → Global Settings → Mobile Services → Properties → General Tab → Exchange ActiveSync → Enable user initiated synchronization / Enable up-to-date notifications / Enable notifications to user specified SMTP addresses

Authenticating: IIS Manager → [server] → Web Sites → Default Web Site → Microsoft-Server-ActiveSync → Properties → Directory Security Tab → Authentication and access control → Edit Button → Authenticated access (Multiple Items)

With Read enabled: IIS Manager → [server] → Web Sites → Default Web Site → Microsoft-Server-ActiveSync → Properties → Virtual Directory Tab → Access Control (Multiple Items)

With Execute Permission: IIS Manager → [server] → Web Sites → Default Web Site → Microsoft-Server-ActiveSync → Properties → Virtual Directory Tab → Execute permissions (Multiple Items)

Over Secured Connection: IIS Manager → [server] → Web Sites → Default Web Site → Microsoft-Server-ActiveSync → Properties → Directory Security Tab → Secure communications → Edit Button → Require secure channel (SSL) (Multiple Items)

Applicable to:


13. Certificate Wizard

Description: Server certificates are required for many security features in Exchange, and without them the server cannot engage in many forms of secure communication. The Certificate Wizard guides you through the process of requesting a new certificate or importing an existing certificate. Certificates must be manually installed on each virtual server.

Impact: Use of any virtual server that has not been given a certificate should be considered highly insecure.

Solution: Run the Wizard to install a certificate. Once a certificate is installed on one virtual server, any other virtual server (regardless of the protocol used) may easily be configured to use the same certificate by selecting "Assign an existing certificate" on the first page of the Wizard.

How to check:

For HTTP: IIS Manager → [server] → Web Sites → Default Web Site → Properties → Directory Security Tab → Server Certificate Button → Wizard Button

For IMAP: Exchange System Manager → Administrative Groups → [administrative group] → Servers → [server] → Protocols → IMAP4 → [Specific IMAP4 Virtual Server] → Properties → Access Tab → Certificate Button → Wizard Button

Applicable to: HTTP Server, POP3 Server, IMAP4 Server, NNTP Server, and SMTP


14. Enable Anonymous Access

Description: Exchange 2003 supports three types of authentication methods:

• Anonymous access

• Basic Authentication

• Integrated Windows Authentication

Typically, you select anonymous access for servers that are directly connected to the Internet. If you select this check box, other servers on the Internet will not authenticate to this server before sending mail. For increased security, disable anonymous access on internal SMTP virtual servers that do not accept incoming Internet mail. For similar security reasons, you can also disable anonymous access on dedicated SMTP virtual servers that are used for remote IMAP and POP users.

If the Anonymous access check box is not selected on your Internet gateway servers, you may not receive incoming mail from the Internet. Hence anonymous access should be enabled for an Internet-facing server that accepts HTTP requests.

Impact: If anonymous access is not enabled, the email server may not receive incoming mail from the Internet.

Solution: Use the IUSR_<computer-name> account. This account is created for the processes started by anonymous Internet users and therefore has reduced access to the computer as a whole. A different user identity can be specified in this field, but it should not have greater access to the computer than the IUSR_<computer-name> account.

How to check:

Applicable to:


15. Authentication Method

Description: This feature controls the authentication method used to connect to the virtual server and its virtual directories (refer to the General Exchange Security Guidance section of this document).

The Integrated Windows authentication method is enabled by default. This authentication method also requires HTTP users to have a valid Windows 200x user account and password to access information. Users are not prompted for their account names and passwords; instead, the server negotiates with the Windows 2000 security packages installed on the client computer. This method allows the server to authenticate users without prompting them for information and without transmitting unencrypted information across the network.

Impact: Absence of an appropriate authentication method and encryption can cause security breaches.

Solution: Out of the options available, select the Integrated Windows authentication checkbox.

For any changes made to this panel, IIS Manager will give the administrator the option of applying these changes to all virtual directories residing on this virtual server. In general this option should not be exercised.

Note that Integrated Windows Authentication cannot be used through front-end servers.

How to check: IIS Manager → [server] → Web Sites → Default Web Site → Properties → Directory Security Tab → Authentication and access control → Edit Button → Authenticated access (Multiple Items)


16. Using Form based Authentication Method to Access Exchange Virtual Directory over secured connection

Description: The Exchange Virtual Directory, known as Outlook Web Access (OWA), is used to allow web access to user mail accounts with an Outlook-like client in a web browser. Forms-based authentication stores the user name and password information in browser cookies. These cookies persist throughout the OWA session, after which they are destroyed.

Impact: If forms-based authentication is not used, credentials remain for a much longer period of time, giving an unauthorized user a greater window of opportunity.

Solution: Disable and delete the Exchange Virtual Directory from IIS. But if OWA is to be used:

• Enable forms-based authentication.

• Use the default authentication methods of Integrated Windows Authentication and Basic authentication over a secure connection, with a policy regarding secure practices with mobile devices.

• Enable with Read permission.

• The Execute permission control can also be configured; it specifies whether scripts and/or executables may be run on this virtual server.

How to check:

For Exchange Virtual Directory (Forms Based Authentication): Exchange System Manager → Administrative Groups → [administrative group] → Servers → [server] → Protocols → HTTP → Exchange Virtual Server → Exchange → Properties → Access Tab → Authentication Settings → Authentication Button → Form Based Authentication

With Read enabled: Exchange System Manager → Administrative Groups → [administrative group] → Servers → [server] → Protocols → HTTP → Exchange Virtual Server → Exchange → Properties → Access Tab → Access Control

With Execute Permission: Exchange System Manager → Administrative Groups → [administrative group] → Servers → [server] → Protocols → HTTP → Exchange Virtual Server → Exchange → Properties → Access Tab → Execute permissions

Over Secured Connection: IIS Manager → [server] → Web Sites → Default Web Site → Exchange → Properties → Directory Security Tab → Secure communications → Edit Button → Require secure channel (SSL) (Multiple Items)

Over Secured Connection (IMAP4): Exchange System Manager → Administrative Groups → [administrative group] → Servers → [server] → Protocols → IMAP4 → [Specific IMAP4 Virtual Server] → Properties → Calendaring Tab → Use SSL connections

Applicable to:


17. Authentication Method to Access Exadmin Virtual Directory over secured connection..

Description The Exadmin Virtual Directory, a required part of the Exchange application is

used by the Exchange System Manager to access mailboxes and public folders. This feature controls the authentication method used to connect to this virtual directory.

Impact

Solution Integrated Windows Authentication is to be used to access Exadmin Virtual

Directory. Clients can use secured connection to communicate with the virtual directory.

( Refer How to check section for exact details)

 Enabled with Read permission

 Execute permission control can also be enabled to allows to specify whether scripts and/or executables may be run on this virtual server.

How to check

Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → Protocols → HTTP →Exchange Virtual Server → Exadmin→ Properties → Access Tab →Authentication Settings →Authentication Button

With Read enabled

Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → Protocols → HTTP →Exchange Virtual Server → Exadmin→ Properties → Access Tab →Access Control (Multiple Items)

With Execute Permission

Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → Protocols → HTTP →Exchange Virtual Server → Exadmin→ Properties → Access Tab →Execute Permissions (Multiple Items)

IIS Manager→ [server] →Web Sites →Default Web Site →Exadmin → Properties → Directory Security Tab → Secure communications → Edit Button →Require secure channel (SSL) (Multiple Items)

Applicable to

18. Authentication Method to Access Public Virtual Directory over secured connection

Description The Public Virtual Directory is used to provide access to public folders.

Impact Without an appropriate authentication method and encryption, public folder content and user credentials are exposed on the network, which can cause security breaches.

Solution  If public folders are not used on this Exchange server, delete the Public virtual directory using IIS Manager.

 If public folders are used, leave this control at its default of Integrated Windows Authentication and Basic authentication, require a secure (SSL) connection, and back it with a policy on secure practices for mobile devices.

 Enabled with Read permission

 The Execute permissions control specifies whether scripts and/or executables may be run from this virtual directory; grant only the level the directory actually requires.

How to check

For Public Virtual Directory

Exchange System Manager →Administrative Groups →[Administrative group] → Servers →[server] → Protocols → HTTP →Exchange Virtual Server → Public→ Properties → Access Tab →Authentication Settings →Authentication Button

With Read enabled

Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → Protocols → HTTP →Exchange Virtual Server → Public→ Properties → Access Tab →Access Control

With Execute Permission

Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → Protocols → HTTP →Exchange Virtual Server → Public→ Properties → Access Tab →Execute Permissions

Over Secured Connection

Security Tab → Secure communications →Edit Button → Require secure channel (SSL) (Multiple Items)

Applicable to

19. TCP Port/SSL Port

Description This controls the ports to which the standard and secured servers bind. If different ports are used, clients will need to be explicitly configured to use the non-standard ports.

Impact Changing the ports introduces a large amount of complexity for a relatively small gain. The standard ports should be used.

Solution  80 for HTTP and 443 for HTTPS

 143 for regular IMAP And 993 for secured IMAP

How to check

For HTTP

IIS Manager → [server] → Web Sites → Default Web Site →Properties → Web Site Tab → Web site identification → TCP port and SSL port

For IMAP

Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → Protocols → IMAP4 →[Specific IMAP4 Virtual Server] →Properties → General Tab →Advanced Button → Edit Button →TCP port and SSL port

Applicable to
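The settings checked under controls 16 to 19 all live in the IIS 6 metabase, so they can be audited offline from a copy of MetaBase.xml instead of clicking through each properties dialog, and the output can be kept as the hardening-report artifact. The script below is an added example, not part of this document or of Microsoft's tooling. It assumes the IIS 6 MetaBase.xml format, in which the flag properties AccessFlags, AuthFlags and AccessSSLFlags hold symbolic names joined by " | ", and it runs against a constructed sample metabase embedded in the script, with a deliberately weak Exadmin directory. It also reads the site's LogType switch covered by control 20. Form-based authentication for the Exchange directory is an Exchange setting rather than a metabase flag, so it is not checked here.

```python
"""Offline audit of the IIS 6 metabase against the HTTP controls above.

Added example, not part of the original hardening document or of Microsoft
tooling. It assumes the IIS 6 MetaBase.xml export format, in which flag-valued
properties (AccessFlags, AuthFlags, AccessSSLFlags) are stored as symbolic
names joined by " | ".
"""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed MetaBase.xml. The Exadmin directory is
# deliberately weak (anonymous access allowed, SSL not required).
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"
    ServerBindings=":80:" SecureBindings=":443:" LogType="1"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Exchange"
    AccessFlags="AccessRead | AccessScript" AuthFlags="AuthBasic"
    AccessSSLFlags="AccessSSL | AccessSSL128"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Exadmin"
    AccessFlags="AccessRead | AccessScript" AuthFlags="AuthAnonymous | AuthNTLM"
    AccessSSLFlags=""/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Public"
    AccessFlags="AccessRead | AccessScript" AuthFlags="AuthBasic | AuthNTLM"
    AccessSSLFlags="AccessSSL | AccessSSL128"/>
</MBProperty>
</configuration>
"""

# Authentication each directory must offer. Control 17 requires Integrated
# Windows Authentication on Exadmin, which the metabase calls AuthNTLM.
REQUIRED_AUTH = {"Exchange": set(), "Exadmin": {"AuthNTLM"}, "Public": set()}


def flags(value):
    """'AccessRead | AccessScript' -> {'AccessRead', 'AccessScript'}."""
    return {f.strip() for f in value.split("|") if f.strip()}


def load_metabase(xml_text):
    """Index IIsWebServer and IIsWebVirtualDir nodes by their Location path."""
    sites, vdirs = {}, {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        loc = el.get("Location", "")
        if tag == "IIsWebServer":
            sites[loc] = dict(el.attrib)
        elif tag == "IIsWebVirtualDir":
            vdirs[loc] = dict(el.attrib)
    return sites, vdirs


def audit_vdir(name, attrs):
    """Controls 16-18: Read enabled, no anonymous access, SSL required, Basic
    only over SSL, required methods present; Execute is reported for review."""
    findings = []
    access = flags(attrs.get("AccessFlags", ""))
    auth = flags(attrs.get("AuthFlags", ""))
    ssl = flags(attrs.get("AccessSSLFlags", ""))
    if "AccessRead" not in access:
        findings.append(f"{name}: Read permission not enabled")
    if "AccessExecute" in access:
        findings.append(f"{name}: Execute permission (executables) enabled; confirm it is needed")
    if "AuthAnonymous" in auth:
        findings.append(f"{name}: anonymous access enabled")
    if "AccessSSL" not in ssl:
        findings.append(f"{name}: SSL not required")
    if "AuthBasic" in auth and "AccessSSL" not in ssl:
        findings.append(f"{name}: Basic authentication without SSL exposes passwords")
    for method in sorted(REQUIRED_AUTH.get(name, set()) - auth):
        findings.append(f"{name}: required method {method} not enabled")
    return findings


def audit_site(attrs):
    """Control 19 (standard ports) and control 20 (site logging switch)."""
    findings = []
    if ":80:" not in attrs.get("ServerBindings", ""):
        findings.append("site: HTTP not bound to the standard port 80")
    if ":443:" not in attrs.get("SecureBindings", ""):
        findings.append("site: HTTPS not bound to the standard port 443")
    if attrs.get("LogType") != "1":
        findings.append("site: logging not enabled")
    return findings


def audit_metabase(xml_text, site="/LM/W3SVC/1"):
    """Findings for the Default Web Site and its Exchange virtual directories."""
    sites, vdirs = load_metabase(xml_text)
    findings = audit_site(sites.get(site, {}))
    for name in ("Exchange", "Exadmin", "Public"):
        attrs = vdirs.get(f"{site}/ROOT/{name}")
        if attrs is None:
            # Control 18 allows Public to be removed when public folders are unused.
            if name != "Public":
                findings.append(f"{name}: virtual directory not found")
            continue
        findings.extend(audit_vdir(name, attrs))
    return findings


if __name__ == "__main__":
    for line in audit_metabase(SAMPLE_METABASE) or ["no findings"]:
        print(line)
```

On a live Exchange 2003 server, copy %windir%\system32\inetsrv\MetaBase.xml (or an iiscnfg.vbs export) off the box and pass its contents to audit_metabase(); the returned list is empty when every checked control passes, and each entry otherwise names the directory and the setting to correct.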

20. Log files to monitor the activity on the server

Description Log files keep a record of the attempts made to connect to the virtual server.

Impact Without logging there is no record of who connected to the server, when, or what they requested, so an attack cannot be detected, reconstructed or reported.

Solution  Enable logging. In the case of an attack on the HTTP server, these logs could contain useful details regarding the time and nature of the attack.

 Because log files grow large, they should be regularly copied to external storage and then deleted from the server to conserve disk space. Take the copy before deleting, and keep it where an intruder on the server cannot alter it, since the logs are the evidence an investigation will rely on.

How to check

IIS Manager → [server] → Web Sites → Default Web Site →Properties → Web Site Tab →Enable Logging

Applicable to
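Control 20 says the logs can reveal the time and nature of an attack. The following added example (not part of this document) shows how to turn an IIS 6 W3C extended log into that evidence: it parses the #Fields header, flags client addresses that produce a burst of 401 responses against the Exchange, Exadmin or Public directories (password guessing), and lists requests to those directories that did not arrive on the SSL port or that IIS refused with 403.4 (SSL required), which contradict the secure-channel setting in controls 16 to 18. The log lines are constructed; the field set is the IIS 6 default, and the burst threshold is an assumed value that must stay above the two 401 responses a normal NTLM logon produces.

```python
"""Failed-logon and cleartext-access detection over IIS 6 W3C extended logs.

Added example, not part of the original hardening document. It assumes the
IIS 6 default W3C field set and that the Exchange virtual directories are
served only on the SSL port (443), as controls 16-19 require.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (IIS replaces spaces inside a field with '+').
# 192.0.2.10 fails five times in 11 seconds; 192.0.2.20 and 192.0.2.40 are
# ordinary logons (at most two 401s followed by a 200); 192.0.2.30 tries
# Exadmin over plain HTTP and is refused with 403.4 (SSL required).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2013-09-06 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2013-09-06 08:00:01 10.0.0.5 GET /exchange/ - 443 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
2013-09-06 08:00:04 10.0.0.5 GET /exchange/ - 443 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0
2013-09-06 08:00:07 10.0.0.5 GET /exchange/ - 443 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0
2013-09-06 08:00:09 10.0.0.5 GET /exchange/ - 443 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0
2013-09-06 08:00:12 10.0.0.5 GET /exchange/ - 443 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 0
2013-09-06 08:01:30 10.0.0.5 GET /exchange/ - 443 CORP\\jdoe 192.0.2.20 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2013-09-06 08:02:10 10.0.0.5 GET /exadmin/ - 80 - 192.0.2.30 Mozilla/4.0+(compatible;+MSIE+6.0) 403 4 0
2013-09-06 08:03:00 10.0.0.5 GET /exchange/ - 443 - 192.0.2.40 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
2013-09-06 08:03:05 10.0.0.5 GET /exchange/ - 443 CORP\\asmith 192.0.2.40 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""

# Virtual directories that controls 16-18 require to be authenticated and SSL-only.
PROTECTED = ("/exchange", "/exadmin", "/public")


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields is None:
            raise ValueError("log data before #Fields header")
        else:
            values = line.split()
            if len(values) != len(fields):
                continue  # truncated line: skip rather than mis-assign columns
            rec = dict(zip(fields, values))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            records.append(rec)
    return records


def failed_logon_bursts(records, threshold=5, window=timedelta(seconds=60)):
    """Client IPs with at least `threshold` 401 responses on protected paths
    inside any `window`, mapped to the first failure of the burst. A normal
    NTLM logon yields a 401.2 then a 401.1 before the 200, so the threshold
    (an assumed value) must stay above two per logon."""
    by_ip = defaultdict(list)
    for r in records:
        if r["sc-status"] == "401" and r["cs-uri-stem"].lower().startswith(PROTECTED):
            by_ip[r["c-ip"]].append(r["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[ip] = times[i]
                break
    return hits


def cleartext_attempts(records):
    """Requests for protected paths that did not arrive on the SSL port, or
    that IIS refused with 403.4 (SSL required): clients or probes trying to
    bypass the 'require secure channel' setting."""
    return [
        (r["c-ip"], r["cs-uri-stem"], r["s-port"])
        for r in records
        if r["cs-uri-stem"].lower().startswith(PROTECTED)
        and (r["s-port"] != "443" or (r["sc-status"], r["sc-substatus"]) == ("403", "4"))
    ]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for ip, first in failed_logon_bursts(recs).items():
        print(f"logon burst from {ip} starting {first}")
    for ip, stem, port in cleartext_attempts(recs):
        print(f"non-SSL request from {ip} to {stem} on port {port}")
```

IIS 6 writes these logs to %windir%\system32\LogFiles\W3SVC1\exYYMMDD.log by default; read the file and pass its text to parse_w3c(). The two detection functions return plain Python values, so their output can be dropped straight into the hardening or incident report.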

21. Authentication Method to be used for Access IMAP Virtual Directory over secured connection

Description This controls the form of authentication used by clients attempting to connect to this virtual server.

Impact Without an appropriate authentication method and encryption, credentials and mail content can be captured on the network, which can cause security breaches.

Solution  Select Basic authentication and Require SSL/TLS. The use of SSL/TLS not only protects the username and password during authentication, but also encrypts the mail messages as they are transmitted, preventing eavesdroppers from reading them.

 NTLM (the Simple Authentication and Security Layer checkbox) can protect the username and password during authentication, but it does not encrypt message bodies, so it is not a substitute for SSL/TLS.

How to check

Exchange System Manager →Administrative Groups → [administrative group] → Servers →[server] → Protocols → IMAP4 →[Specific IMAP4 Virtual Server] →Properties → Access Tab → Access control → Authentication Button

Over Secured Connection

Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → Protocols → IMAP4 →[Specific IMAP4 Virtual Server] →Properties → Access Tab → Secure communication → Communication Button → Require Secure Channel and Require 128-bit encryption

Applicable to

22. Connection Time-out (Minutes)

Description This controls the number of minutes that an idle connection to the IMAP server will be maintained before being dropped by the server. Dropping idle connections in this way limits the number of idle connections that the server maintains.

Impact Every open connection holds server resources. An excessively long time-out lets idle or abandoned connections accumulate and can exhaust the connections available to legitimate clients.

Solution The default value, minimum value and recommended value for this control is 30 minutes. The value can be increased if required, using the path in the How to check section.

How to check Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → Protocols → IMAP4 →[Specific IMAP4 Virtual Server] →Properties → General Tab →Connection time-out (minutes)

Applicable to

23. Exclude or Limit Connections

Description This controls which IP addresses are allowed to connect to this virtual server to send or download messages. The control can be set either to allow all computers to connect except for a specified few, or to deny all computers except for a specified few.

Impact Without connection restrictions, any host that can reach the server may attempt to connect and authenticate to the virtual server, increasing exposure to unauthorized access and password guessing.

Solution The recommended approach is to configure “Only the list below”; however, if required, “All except the list below” can be selected with appropriate monitoring.

Refer How to Check section to find detailed path to configure this option.

 Select “Only the list below” so that the administrator must explicitly specify which clients can connect to the IMAP Virtual Server. This significantly reduces the chance of unauthorized connections to the server

 If “All except the list below” must be selected, administrators should monitor connectivity to the IMAP server to ensure that no suspicious connections are being made.

How to check Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → Protocols → IMAP4 →[Specific IMAP4 Virtual Server] →Properties → Access Tab →Connection control → Connection Button (Multiple Items)

Applicable to HTTP Server, POP3 Server, IMAP4 Server, NNTP Server, and SMTP

24. Backup/Restore

Description Mailbox store backups should take place with, or in addition to, backups of the full server.

Impact Without regular, verified backups, mailbox data cannot be recovered after corruption, accidental deletion or a security incident.

Solution Configure the following options to ensure mailbox backups are managed appropriately. Refer to the How to Check section for the complete path.

 Full backups of the mailbox store should occur at least on a weekly basis.

 Incremental backups of the mailbox store should occur at least on a daily basis.

 The maintenance interval should be scheduled daily for at least 4 hours, during periods when the load on the server is low. Ideally, the maintenance interval should run after the backups have completed.

 Mailboxes should not be deleted permanently until backup is taken.

How to check

Time of Last Full Backup

Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → [storage group] →Mailbox Store [server] → Properties→ Database Tab → Time of last full backup.

Time of Last Incremental Backup

Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → [storage group] →Mailbox Store [server] → Properties→ Database Tab → Time of last incremental backup.

Do Not Permanently Delete Mailboxes Until Backed Up

Maintenance Interval

Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → [storage group] →Mailbox Store [server] → Properties→ Database Tab → Maintenance interval

Database can be Overwritten by a Restore

Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → [storage group] →Mailbox Store [server] → Properties→ Database Tab → This database can be overwritten by a restore

Applicable to

25. Retention Duration for deleted Items

Description This controls the minimum number of days that a deleted item (such as an email message) will be retained before it is purged from the system.

Impact If deleted items are purged without a retention period, an accidentally deleted item can only be recovered from backup, if at all, which can lead to data loss.

Solution It is recommended that deleted messages be retained for 7 days before being purged. This strikes a balance between being able to recover deleted messages within a reasonable amount of time without resorting to backups, and reducing the amount of storage consumed by deleted messages.

How to check Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → [storage group] →Mailbox Store [server] → Properties→ Limits Tab → Deletion settings→ Keep deleted items for (days)

Applicable to

26. Retention Duration for deleted Mailbox

Description This controls the minimum number of days that a deleted mailbox will be retained before it is purged from the system.

Impact

Solution It is recommended that deleted mailboxes be retained for 30 days before being purged. This gives a large amount of flexibility to easily restore a user’s mailbox.

How to check Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → [storage group] →Mailbox Store [server] → Properties → Limits Tab → Deletion settings→ Keep deleted mailboxes for (days)

27. Archive All Messages Sent or Received by Mailboxes

Description This controls whether messages that are received by or sent from a mailbox

store should be archived. This feature is also called “Journaling” and is used to provide a “paper trail” of all correspondence that passes through the server.

Impact

Solution When the checkbox is selected, choose a user, distribution list, contact or public folder to which a copy of every message sent or received by mailboxes on the store will be delivered. Protect that journal recipient as carefully as the store itself, since it holds a copy of all correspondence.

Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → [storage group] →Mailbox Store [server] → Properties→ General Tab → Archive all messages sent or received by mailboxes on this store

How to check Ensure the journaling (archive) destination is configured on the mailbox store:

Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → [storage group] →Mailbox Store [server] → Properties→ General Tab → Archive all messages sent or received by mailboxes on this store

28. Storage limits of Mailbox Stores

Description This controls the maximum size of a user’s mailbox and the system’s response if these limits are exceeded.

Impact If no limits are applied to a user’s mailbox, the mailbox size is effectively unlimited.

Solution Ensure storage limits are defined for the mailbox store at the following path:

Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → [storage group] →Mailbox Store [server] → Properties→ Limits Tab → Storage limits (Multiple Items)

Set the storage limit for mailboxes to 2 MB (max) (recommended best practice).

Select all three controls in the Storage limits section of the Limits tab:

 Issue warning at: sends the user an e-mail warning that they have exceeded their mailbox quota.

 Prohibit send at: prevents the user from sending e-mail, although they will still be able to receive messages.

 Prohibit send and receive at: no further messages may be sent or received by the user, and a warning message is sent.

How to check Ensure storage limits are defined for the mailbox store:

Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → [storage group] →Mailbox Store [server] → Properties→ Limits Tab → Storage limits (Multiple Items)

29. Mounting of Mailbox Store when exchange starts

Description This controls whether a Mailbox Store should be mounted when Exchange starts. Stores are usually only unmounted when manual maintenance is being performed on them. When a store is unmounted, its contents are inaccessible to users.

Impact A store that stays unmounted after a reboot is inaccessible, so mail services for every mailbox on it fail until it is mounted manually.

Solution Go to the following path:

Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → [storage group] →Mailbox Store [server] → Properties→ Database Tab → Do not mount this store at start-up.

Uncheck/clear it. Doing this ensures that the store is mounted when Exchange starts and thus is accessible to users.

If, however, conditions require that the store be unmounted (for example, for maintenance), then this checkbox should be selected so that, should Exchange restart before maintenance is completed, the store will not be inadvertently mounted in a bad state. Once the store is ready to mount again, the checkbox should be cleared so that the store is remounted on boot as well.

How to check Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → [storage group] →Mailbox Store [server] → Properties→ Database Tab → Do not mount this store at start-up.

30. Allow Control Messages

Description Determines whether control messages can be used to perform simple administrative functions without direct oversight.

Impact In the absence of administrative control over privileged activities, there can be impacts on email services and data in production.

Solution Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → Protocols → NNTP →[specific NNTP Virtual Server] →Properties → Settings Tab → Allow control messages

Disable this feature at the above path. This way, the ability to create and delete newsgroups remains the exclusive ability of administrators, instead of being granted to anyone who can post to the special control newsgroups.

However, if this feature (per-user control of NNTP directories) has to be enabled for specific users and computers, security must be applied on the NTFS security tab of the virtual directory folder within the Windows file system.

How to check Exchange System Manager →Administrative Groups →[administrative group] → Servers →[server] → Protocols → NNTP →[specific NNTP Virtual Server] → Properties → Settings Tab → Allow control messages
