Anonymous access is allowed on internal SMTP virtual servers and dedicated SMTP virtual servers for IMAP and POP clients
[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at http://go.microsoft.com/fwlink/?linkid=34707.]
Topic Last Modified: 2005-11-18
The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service to determine the value for the msExchAuthenticationFlags attribute in the protocolCfgSMTPServer class for the Exchange Server object. The protocolCfgSMTPServer class contains the settings for an SMTP virtual server. The msExchAuthenticationFlags attribute represents the type of authentication that is allowed on the SMTP server. The Exchange Server Analyzer displays a warning message if the following conditions exist:
Authentication on the msExchAuthenticationFlags attribute has been configured to allow anonymous access to the SMTP server.
The server is not running Microsoft Small Business Server 2000 or Microsoft Windows® Small Business Server 2003.
The Exchange Server hosts more than 20 mailboxes.
For increased security, disable anonymous access on internal SMTP virtual servers that do not accept incoming Internet mail. You can also disable anonymous access on dedicated SMTP virtual servers that serve remote IMAP and POP users.
Do not disable anonymous access on your Internet bridgehead SMTP virtual servers. SMTP virtual servers that accept mail from the Internet must allow anonymous access.
Exchange servers in your organization authenticate with each other when they send internal mail, so anonymous access is not required on your internal SMTP virtual servers. Disabling anonymous access on these servers does not disrupt mail flow and adds a layer of security to the internal SMTP virtual server.
Similarly, IMAP and POP clients authenticate with an SMTP virtual server before they send mail through it. If you use dedicated SMTP virtual servers for your IMAP and POP clients, you can therefore configure those servers to allow only authenticated access. Disabling anonymous access on these servers helps prevent unauthorized users from using them.
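The following Python script is an added example that re-implements the Analyzer rule described above (anonymous bit set, not a Small Business Server, more than 20 mailboxes) over constructed server records, and flags Internet bridgehead virtual servers as expected rather than as something to change; it is not the Analyzer's own code. It assumes msExchAuthenticationFlags uses the same bit layout as the IIS SMTP service's AuthFlags property (1 = Anonymous, 2 = Basic, 4 = Integrated Windows), and the server records, role labels and mailbox counts are invented sample data.

```python
# Added example: evaluates the "anonymous access allowed" rule over constructed
# records. Bit layout is an assumption (matches the IIS SMTP AuthFlags values).
ANONYMOUS, BASIC, INTEGRATED = 0x1, 0x2, 0x4
FLAG_NAMES = {ANONYMOUS: "Anonymous", BASIC: "Basic", INTEGRATED: "Integrated"}
SBS_PRODUCTS = ("Small Business Server 2000", "Windows Small Business Server 2003")
MAILBOX_THRESHOLD = 20  # the rule only fires above this many mailboxes


def allows_anonymous(auth_flags: int) -> bool:
    """True when the Anonymous bit is set in msExchAuthenticationFlags."""
    return bool(auth_flags & ANONYMOUS)


def describe_flags(auth_flags: int) -> str:
    names = [name for bit, name in FLAG_NAMES.items() if auth_flags & bit]
    return "+".join(names) if names else "none"


def check_server(server: dict) -> list[dict]:
    """Apply the three Analyzer conditions to one Exchange server record."""
    if server["product"] in SBS_PRODUCTS or server["mailboxes"] <= MAILBOX_THRESHOLD:
        return []  # rule is suppressed for SBS and small deployments
    findings = []
    for vs in server["smtp_virtual_servers"]:
        flags = vs["msExchAuthenticationFlags"]
        if not allows_anonymous(flags):
            continue
        # Internet bridgeheads must keep anonymous access; everything else should clear it.
        action = ("keep (Internet bridgehead must accept anonymous mail)"
                  if vs["role"] == "bridgehead"
                  else "clear Anonymous Access under Access > Authentication")
        findings.append({"server": server["name"], "virtual_server": vs["name"],
                         "auth": describe_flags(flags), "action": action})
    return findings


def run_analyzer(servers: list[dict]) -> list[dict]:
    return [finding for s in servers for finding in check_server(s)]


SAMPLE_SERVERS = [  # constructed sample data, not read from a real directory
    {"name": "EXCH01", "product": "Exchange Server 2003", "mailboxes": 250, "smtp_virtual_servers": [
        {"name": "Default SMTP Virtual Server", "role": "internal", "msExchAuthenticationFlags": 7},
        {"name": "POP-IMAP SMTP", "role": "client", "msExchAuthenticationFlags": 6}]},
    {"name": "GATEWAY01", "product": "Exchange Server 2003", "mailboxes": 30, "smtp_virtual_servers": [
        {"name": "Internet SMTP", "role": "bridgehead", "msExchAuthenticationFlags": 1}]},
    {"name": "SBS01", "product": "Windows Small Business Server 2003", "mailboxes": 40,
     "smtp_virtual_servers": [
        {"name": "Default SMTP Virtual Server", "role": "internal", "msExchAuthenticationFlags": 7}]},
    {"name": "EXCH02", "product": "Exchange Server 2003", "mailboxes": 12, "smtp_virtual_servers": [
        {"name": "Default SMTP Virtual Server", "role": "internal", "msExchAuthenticationFlags": 7}]},
]

if __name__ == "__main__":
    for f in run_analyzer(SAMPLE_SERVERS):
        print(f"{f['server']}/{f['virtual_server']}: auth={f['auth']} -> {f['action']}")
```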
If you cannot disable authenticated access on your SMTP virtual server for business reasons, such as authentication by a partner company, follow these steps to help enhance security on your gateway server:
Enforce a strong password policy for all user accounts, particularly the administrator account.
Disable the guest account. For more information about disabling the guest account, see the Microsoft Knowledge Base article 320053, "How to rename the administrator and guest account in Windows 2000" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=320053). Although this article applies to Windows 2000 Server, similar principles apply to Windows Server 2003.
To disable anonymous access authentication for an SMTP Virtual Server
In Exchange System Manager, expand Servers, expand <your inbound Exchange server>, expand Protocols, and then expand SMTP.
Right-click your inbound SMTP virtual server, and then click Properties.
Click the Access tab, and then click Authentication.
In Authentication, clear the Anonymous Access check box.
For more information about configuring your Exchange Server 2003 organization to send and receive Internet mail more securely, see the Exchange Server 2003 Transport and Routing Guide (http://go.microsoft.com/fwlink/?LinkId=47579).