Hardening Back-End Servers

 

After hardening the domain, domain controllers, and all member servers (in accordance with the Windows Server 2003 Security Guide), and after deploying the Exchange Domain Controller Baseline Policy, you are ready to harden your Exchange 2003 servers.

There are four general configuration areas for hardening back-end servers:

• Hardening services

  Many services are not used, but are enabled by default and should be disabled

• Hardening file access control lists

  (ACLs)There are some directories that can be hardened more securely than the default installation provides.

• Changing privilege rights

  To allow Outlook Web Access users to log on, you must make one change in user privileges.

• Enabling additional services (optional)

  Enable any additional services that are required for your organization.

Applying the Exchange_2003-Backend_V1_1.inf security template to your back-end servers is the most efficient mechanism for performing the hardening configurations that are described in this section.

For information about how to deploy the Exchange Group Policy Security Templates, see "Deploying the Exchange Group Policy Security Templates."

Important

Before hardening the Exchange 2003 back-end servers, you should delete any public folder stores from all local Exchange computers that will not be used as public folder access points. Deleting the public folder stores before hardening the Exchange infrastructure allows replication of the deletions to occur. For information about how to delete the public folder store, see "Deleting the Mailbox Store and the Public Folder Store."