Securing Your Exchange Deployment
Applies to: Exchange Server, Operations Manager 2007
Before you import the Exchange Server 2003 Management Pack, it is recommended that you first secure your Exchange Server 2003 environment. Securing your Exchange Server 2003 environment includes performing the following tasks:
Configuring Secure Sockets Layer (SSL) on the Exchange front-end servers
Verifying that Message Tracking Log shares are locked down
Verifying that SMTP directories are on an NTFS file system partition
Verifying that SMTP cannot anonymously relay messages
If you do not secure your environment before the Exchange Server 2003 Management Pack is installed, you will receive alerts indicating that the Exchange environment is not secure.
Before adding a server running Exchange Server 2003 to a managed Exchange environment, it is recommended that you first secure the new server running Exchange. For more information about managed computers, see the "Configuring Exchange Server 2003 servers to be Managed by Operations Manager 2007" section in this guide.
To use the front-end server availability monitoring features for Exchange Server 2003, your front-end server must have SSL configured for all Microsoft Outlook Web Access (OWA), Outlook Mobile Access (OMA), and Exchange ActiveSync (EAS) virtual directories. Use the following high-level procedure to configure SSL on Exchange Server 2003 front-end servers.
To configure SSL on Exchange Server 2003 front-end servers
Obtain a server certificate and install it on the front-end server's Web site.
Add the root certificate of the issuing certification authority (for Certificate Services, obtainable from its certsrv Web enrollment pages) to the Trusted Root Certification Authorities store on the server and on the clients that will connect.
Enable Require secure channel (SSL) on the Outlook Web Access, Outlook Mobile Access, and Exchange ActiveSync virtual directories (Directory Security tab, Secure communications, Edit).
Enable forms-based authentication.
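As an added example that is not part of this guide, the following PowerShell script checks the result of the certificate and SSL steps above on the front-end server itself by reading the IIS 6.0 metabase through the ADSI IIS provider: it confirms that the Default Web Site has an SSL binding (SecureBindings) and that each OWA, OMA and EAS virtual directory has Require secure channel (SSL) set (the AccessSSL property). The site instance (W3SVC/1), the default virtual directory names, and the function name are assumptions; forms-based authentication is configured in Exchange System Manager and is not represented here.

```powershell
# Added example, not from the Management Pack guide. Verifies the SSL part of the
# front-end configuration by reading the IIS 6.0 metabase via the ADSI IIS provider.
# Assumes the Exchange virtual directories live under the Default Web Site (W3SVC/1).
function Test-FrontEndSsl {
    param(
        [int]$SiteInstance = 1,
        # Default Exchange Server 2003 virtual directory names (assumed unchanged)
        [string[]]$VirtualDirectories = @('Exchange', 'Exchweb', 'Public', 'OMA', 'Microsoft-Server-ActiveSync')
    )

    $results = @()

    # SecureBindings stays empty until a server certificate has been assigned to the site,
    # so an empty value means step 1 (install the certificate) has not been completed.
    $site = [ADSI]"IIS://localhost/W3SVC/$SiteInstance"
    $secureBindings = @($site.Properties['SecureBindings'].Value)
    $hasSslBinding = @($secureBindings | Where-Object { $_ }).Count -gt 0
    $results += New-Object PSObject -Property @{
        Item   = "W3SVC/$SiteInstance SecureBindings"
        Value  = ($secureBindings -join ' ')
        Passed = $hasSslBinding
    }

    foreach ($name in $VirtualDirectories) {
        try {
            $vdir = [ADSI]"IIS://localhost/W3SVC/$SiteInstance/Root/$name"
            # AccessSSL is the metabase property behind "Require secure channel (SSL)"
            $requireSsl = [bool]$vdir.Properties['AccessSSL'].Value
            $results += New-Object PSObject -Property @{
                Item   = "/$name AccessSSL"
                Value  = $requireSsl
                Passed = $requireSsl
            }
        } catch {
            # The virtual directory is missing or unreadable; report it rather than skip it
            $results += New-Object PSObject -Property @{
                Item   = "/$name AccessSSL"
                Value  = "not found: $($_.Exception.Message)"
                Passed = $false
            }
        }
    }
    return $results
}

Test-FrontEndSsl | Format-Table Item, Value, Passed -AutoSize
```

Every row must show Passed = True before the front-end availability monitoring will work; a False on SecureBindings means no certificate is bound to the site, and a False on a virtual directory means clients can still reach it over plain HTTP.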
Verify That Message Tracking Log Shares Are Locked Down
When message tracking is enabled, all messages that are handled by Simple Mail Transfer Protocol (SMTP) are logged to message-tracking log files located on each server running Exchange. By default, the message-tracking log files are located at c:\Program Files\exchsrvr\<servername>.log. This folder is shared so that the information can be viewed from any Exchange System Manager console. You should configure permissions on this share so that the “Everyone” security group is not explicitly granted any permissions. If the “Everyone” group has been granted permissions to the message-tracking log share, you should remove the group. The Exchange Server 2003 Management Pack will detect this configuration and send you an alert if the “Everyone” group is identified on the share.
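As an added example that is not part of this guide, the following PowerShell script enumerates the permissions on the message tracking log share and flags any entry for Everyone. It matches on the well-known SID S-1-1-0 rather than on the group name, so it works on localized Windows installations, and it checks both the share-level permissions (which the Management Pack alerts on) and the NTFS permissions on the shared folder, since both are evaluated when someone reads the logs. The share name <servername>.log and the function name are assumptions; run it locally on the Exchange server.

```powershell
# Added example, not from the Management Pack guide. Lists the share-level and NTFS ACEs on
# the message tracking log share and flags any that name Everyone (well-known SID S-1-1-0).
function Test-TrackingLogShare {
    param(
        # Default share name is <servername>.log (assumed; change it if the share was renamed)
        [string]$ShareName = "$env:COMPUTERNAME.log"
    )
    $everyoneSid = 'S-1-1-0'

    $share = Get-WmiObject -Class Win32_Share -Filter "Name='$ShareName'"
    if (-not $share) { throw "Share '$ShareName' does not exist on this server." }

    # Share-level DACL: what Computer Management shows under Share Permissions
    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    $sdResult = $setting.GetSecurityDescriptor()
    if ($sdResult.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with code $($sdResult.ReturnValue)" }

    $entries = @()
    foreach ($ace in $sdResult.Descriptor.DACL) {
        $type = 'Allow'
        if ($ace.AceType -ne 0) { $type = 'Deny' }
        $entries += New-Object PSObject -Property @{
            Level      = 'Share'
            Trustee    = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            Sid        = $ace.Trustee.SIDString
            Type       = $type
            Rights     = ('0x{0:X}' -f $ace.AccessMask)
        }
    }

    # NTFS DACL on the shared folder itself; an Everyone entry here is just as bad
    foreach ($rule in (Get-Acl -Path $share.Path).Access) {
        $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $entries += New-Object PSObject -Property @{
            Level      = 'NTFS'
            Trustee    = $rule.IdentityReference.Value
            Sid        = $sid
            Type       = $rule.AccessControlType.ToString()
            Rights     = $rule.FileSystemRights.ToString()
        }
    }

    $everyone = @($entries | Where-Object { $_.Sid -eq $everyoneSid })
    return New-Object PSObject -Property @{
        Share           = "\\$env:COMPUTERNAME\$ShareName"
        Path            = $share.Path
        Entries         = $entries
        EveryoneEntries = $everyone
        Secure          = ($everyone.Count -eq 0)
    }
}

$check = Test-TrackingLogShare
$check.Entries | Format-Table Level, Trustee, Type, Rights -AutoSize
"Secure: $($check.Secure)"
```

If Secure is False, remove the Everyone entry in Computer Management (Shared Folders, Shares, the share's Properties, Share Permissions tab, and the folder's Security tab) and grant access to the administrative group that actually uses Exchange System Manager instead.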
Verify That SMTP Directories Are on an NTFS Partition
SMTP writes message content to disk in cleartext: the Queue, Pickup, and BadMail directories under the SMTP mailroot hold complete messages while they are in transit. Storing those directories on an NTFS partition lets you restrict who can read them with file-system permissions; FAT and FAT32 volumes have no file-level permissions, so any user who can log on locally can read queued mail. You can verify that a directory is on an NTFS partition by locating it in Microsoft Windows Explorer and opening the properties of its drive. The General tab indicates what file system is being used.
If the SMTP directories are not on an NTFS partition, you should either move them or configure the partition to use NTFS.
For more information about the SMTP directories, see Microsoft Knowledge Base article 822933, "How to Change the Exchange 2003 SMTP Mailroot Folder Location" (http://go.microsoft.com/fwlink/?LinkId=82031).
The Exchange Server 2003 Management Pack will detect this configuration and send you an alert if the SMTP directory is not located on an NTFS partition.
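As an added example that is not part of this guide, the following PowerShell script performs the check above without the Explorer click-through: it reads the Queue, Pickup, and BadMail directory paths of an SMTP virtual server from the IIS metabase through the ADSI IIS provider and reports the file system of the drive that hosts each one. The instance number (SMTPSVC/1 is the default SMTP virtual server) and the function name are assumptions; run it locally on the Exchange server.

```powershell
# Added example, not from the Management Pack guide. Reads the SMTP virtual server's Queue,
# Pickup and BadMail directory paths from the IIS metabase (ADSI IIS provider) and reports
# the file system of the volume that hosts each directory.
function Test-SmtpDirectoryFileSystem {
    param(
        # SMTPSVC/1 is the default SMTP virtual server (assumed); use the instance of each
        # virtual server if you have created more than one
        [int]$VirtualServerInstance = 1
    )
    $vsi = [ADSI]"IIS://localhost/SMTPSVC/$VirtualServerInstance"
    $results = @()

    foreach ($prop in 'QueueDirectory', 'PickupDirectory', 'BadMailDirectory') {
        $path = [string]$vsi.Properties[$prop].Value
        if (-not $path) { continue }

        # Win32_LogicalDisk reports the file system per drive letter ("C:"). A directory placed
        # under a volume mount point lives on a different volume; check such paths with
        # Win32_Volume (Windows Server 2003 and later) instead of the drive letter.
        $drive = [System.IO.Path]::GetPathRoot($path).TrimEnd('\')
        $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$drive'"

        $results += New-Object PSObject -Property @{
            Directory  = $prop
            Path       = $path
            FileSystem = $disk.FileSystem
            IsNtfs     = ($disk.FileSystem -eq 'NTFS')
        }
    }
    return $results
}

Test-SmtpDirectoryFileSystem | Format-Table Directory, Path, FileSystem, IsNtfs -AutoSize
```

Any row with IsNtfs = False is what the Management Pack will alert on; move the directory as described in Knowledge Base article 822933 or convert the volume (convert X: /fs:ntfs) before importing the Management Pack.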
Verify that SMTP Cannot Anonymously Relay Messages
By default, your SMTP virtual servers are configured to relay only messages submitted by authenticated users. A virtual server that relays for anonymous senders is an open relay: spammers locate such servers quickly, and the resulting abuse gets your server listed on blocklists. The Exchange Server 2003 Management Pack will detect this configuration and send you an alert if your SMTP server is configured to allow anonymous relay.
To verify that your SMTP virtual servers are configured to relay only messages submitted by authenticated users
Start Exchange System Manager, and locate the server object on which you want to prevent mail relay.
In the left pane, under the server object, expand Protocols, and then expand SMTP.
In the left pane, right-click the SMTP virtual server on which you want to prevent mail relay, and then click Properties.
In the Properties dialog box, click the Access tab, and then click Relay.
In the Relay Restrictions dialog box, verify that:
Only the list below is selected, and the Computers list box is empty.
Allow all computers which successfully authenticate to relay, regardless of the list above is selected.
Click Cancel if you do not want to make any changes.
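As an added example that is not part of this guide, the following PowerShell script confirms the relay restrictions from the outside, the way an abuser would test them: it connects to the SMTP virtual server without authenticating, sends EHLO, MAIL FROM with an external address, and RCPT TO an external domain. A correctly restricted server rejects the RCPT with a 550 reply (Exchange answers 550 5.7.1 Unable to relay); a 250 means anonymous relay is allowed. The session ends before DATA, so no message is ever queued. The server name, the sender and recipient addresses, and the function names are placeholders; run it from a host that is not listed in the Relay Restrictions computer list, otherwise the list itself, not authentication, explains the result.

```powershell
# Added example, not from the Management Pack guide. Probes an SMTP virtual server for
# anonymous relay with a plain SMTP conversation over TCP. Stops before DATA.

function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # Multi-line replies ("250-...") continue until a line has a space after the 3-digit code
    do {
        $line = $Reader.ReadLine()
    } while ($line -ne $null -and $line.Length -gt 3 -and $line[3] -eq '-')
    if ($line -eq $null) { throw 'Connection closed by server.' }
    return $line
}

function Test-SmtpAnonymousRelay {
    param(
        [string]$Server    = 'mail.example.com',       # placeholder: your Internet-facing SMTP virtual server
        [int]$Port         = 25,
        [string]$Sender    = 'probe@example.net',      # external sender, not one of your accepted domains
        [string]$Recipient = 'relay-test@example.org'  # external recipient, not one of your accepted domains
    )

    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 15000
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader

        $writer.WriteLine('EHLO probe.example.net')
        $ehlo = Read-SmtpReply $reader
        if (-not $ehlo.StartsWith('250')) { throw "EHLO rejected: $ehlo" }

        $writer.WriteLine("MAIL FROM:<$Sender>")
        $mailFrom = Read-SmtpReply $reader
        if (-not $mailFrom.StartsWith('250')) { throw "MAIL FROM rejected, probe inconclusive: $mailFrom" }

        # The decisive step: an external recipient from an unauthenticated session
        $writer.WriteLine("RCPT TO:<$Recipient>")
        $rcptTo = Read-SmtpReply $reader
        $writer.WriteLine('QUIT')

        return New-Object PSObject -Property @{
            Server         = "${Server}:${Port}"
            Banner         = $banner
            RcptReply      = $rcptTo
            AnonymousRelay = $rcptTo.StartsWith('250')   # $true = open relay, $false = relay denied
        }
    } finally {
        $client.Close()
    }
}

Test-SmtpAnonymousRelay -Server 'mail.example.com' | Format-List Server, Banner, RcptReply, AnonymousRelay
```

AnonymousRelay = False with a 550 5.7.1 reply is the expected result for a virtual server configured as described in the procedure above. To confirm that authenticated relay still works, repeat the conversation after a successful AUTH exchange from a client in your organization; that path is what the Allow all computers which successfully authenticate to relay option controls.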