Services for Hardening a Front-End Server
Similar to hardening your back-end servers, it is important that you disable all non-essential front-end services. Afterward, you can enable these services on an "as-needed" basis.
This section assumes that you have done one of the following:

- You already used Exchange System Manager to designate the server as an Exchange front-end server.
- You already configured the server as an SMTP gateway or bridgehead server.
Important
Designating a computer as a front-end server reconfigures the protocol stacks to enable front-end and back-end deployments. If you deployed the Exchange_2003-Frontend_V1_1.inf security template before designating the server as a front-end server, you must manually start the Microsoft System Attendant service (and its dependencies), use Exchange System Manager to designate the server as a front-end server, and then restart the computer.
The following table lists the recommended baseline settings you should start with when hardening the services for an Exchange front-end server (the Exchange_2003-Frontend_V1_1.inf file configures these settings automatically).
Service settings configured by Exchange_2003-Frontend_V1_1.inf
| Service Name | Startup Mode | Reason |
|---|---|---|
| Microsoft Exchange IMAP4 | Disabled | Server not configured for IMAP4 |
| Microsoft Exchange Information Store | Disabled | Not required as there is no mailbox store or public folder store |
| Microsoft Exchange POP3 | Disabled | Server not configured for POP3 |
| Microsoft Search | Disabled | No message stores to search |
| Microsoft Exchange Event | Disabled | Only needed for backwards compatibility with Exchange 5.5 |
| Microsoft Exchange Site Replication Service | Disabled | Only needed for backwards compatibility with Exchange 5.5 |
| Microsoft Exchange Management | Automatic | Required for message tracking and Exchange Server Best Practices Analyzer Tool functionality |
| Windows Management Instrumentation | Automatic | Required for Microsoft Exchange management |
| Microsoft Exchange MTA Stacks | Disabled | Only needed for backwards compatibility or if there are X.400 connectors on the machine |
| Microsoft Exchange System Attendant | Disabled | Only needed if running Exchange maintenance or if you are using a front-end server as an RPC over HTTP front-end proxy. If you are using the server as an RPC over HTTP front-end proxy, to enable the Microsoft Exchange System Attendant service you must deploy the Exchange_2003-RPC-HTTP_V1_2 group policy security template. |
| Microsoft Exchange Routing Engine | Disabled | Needed to coordinate message transfer between Exchange servers |
| IPSEC Policy Agent | Automatic | Needed to implement IPSec policy on server |
| IIS Admin Service | Disabled | Required if running the World Wide Web Publishing Service, SMTP, POP3, IMAP4, or NNTP services |
| NTLM Security Support Provider | Automatic | System Attendant depends on this service |
| Simple Mail Transfer Protocol (SMTP) | Disabled | Required for Exchange transport |
| World Wide Web Publishing Service | Disabled | Required for communication with Outlook Web Access and Outlook Mobile Access servers |
| Network News Transport Protocol (NNTP) | Disabled | Only needed for setup and newsgroup functionality |
| Remote Registry | Automatic | Required for Exchange Setup and remote administration |
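Once the template has been applied, it is worth verifying that the server actually matches the baseline above and that nobody has re-enabled a service on an "as-needed" basis and forgotten to disable it again. The following script is an added example, not part of the Microsoft guide or the security template: it reads each service's start mode through WMI and reports any service whose startup mode differs from the table. It assumes Windows PowerShell 2.0 or later with local WMI access, matches services by the display names used in the table (a name that is not found is reported as MISSING rather than treated as compliant), and maps the table's "Automatic" to the value "Auto" that the Win32_Service StartMode property returns.

```powershell
# Added example (not from the Microsoft hardening guide): audit a front-end
# server's service startup modes against the baseline table and report drift.
# Assumes Windows PowerShell 2.0+ and WMI access to the local machine.

# Baseline keyed by service display name, as listed in the table.
# WMI reports "Automatic" as "Auto", so the Automatic rows use that value.
$Baseline = @{
    'Microsoft Exchange IMAP4'                    = 'Disabled'
    'Microsoft Exchange Information Store'        = 'Disabled'
    'Microsoft Exchange POP3'                     = 'Disabled'
    'Microsoft Search'                            = 'Disabled'
    'Microsoft Exchange Event'                    = 'Disabled'
    'Microsoft Exchange Site Replication Service' = 'Disabled'
    'Microsoft Exchange Management'               = 'Auto'
    'Windows Management Instrumentation'          = 'Auto'
    'Microsoft Exchange MTA Stacks'               = 'Disabled'
    'Microsoft Exchange System Attendant'         = 'Disabled'
    'Microsoft Exchange Routing Engine'           = 'Disabled'
    'IPSEC Policy Agent'                          = 'Auto'
    'IIS Admin Service'                           = 'Disabled'
    'NTLM Security Support Provider'              = 'Auto'
    'Simple Mail Transfer Protocol (SMTP)'        = 'Disabled'
    'World Wide Web Publishing Service'           = 'Disabled'
    'Network News Transport Protocol (NNTP)'      = 'Disabled'
    'Remote Registry'                             = 'Auto'
}

function Get-ServiceBaselineDrift {
    # Compare every baseline entry with the live service configuration.
    # Returns one object per service with Status OK, DRIFT or MISSING.
    param([hashtable]$Expected = $Baseline)

    foreach ($displayName in ($Expected.Keys | Sort-Object)) {
        # Query by display name; the names contain no quotes, so a simple
        # WQL filter is safe here.
        $svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$displayName'"

        if ($null -eq $svc) {
            $status = 'MISSING'; $actual = ''; $state = ''
        } elseif ($svc.StartMode -eq $Expected[$displayName]) {
            $status = 'OK'; $actual = $svc.StartMode; $state = $svc.State
        } else {
            $status = 'DRIFT'; $actual = $svc.StartMode; $state = $svc.State
        }

        New-Object -TypeName PSObject -Property @{
            Status   = $status
            Service  = $displayName
            Expected = $Expected[$displayName]
            Actual   = $actual
            State    = $state   # Running/Stopped: a Disabled service that is still running was changed at runtime
        }
    }
}

# Report drift first so it stands out; OK rows follow.
Get-ServiceBaselineDrift |
    Sort-Object Status, Service |
    Format-Table Status, Service, Expected, Actual, State -AutoSize
```

Two things to keep in mind when reading the report. A DRIFT row for Microsoft Exchange System Attendant is expected on a server that is deliberately acting as an RPC over HTTP front-end proxy with the Exchange_2003-RPC-HTTP_V1_2 template applied, so compare the report against the role the server is meant to have rather than treating every DRIFT as a fault. The State column is reported alongside the start mode because a service whose start mode is Disabled can still be running until the next restart; a Disabled/Running pair is the sign of a service that was started by hand after the template was applied.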