programming4us
programming4us
SECURITY

Microsoft Exchange Server 2007 : Securing Windows for the Edge Transport Server Role (part 1) - Using the SCW Template

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire

In Exchange Server 2007, your Edge Transport server roles are installed as standalone servers in your perimeter network (also referred to as the boundary network or screened subnet).

Because these servers exist in your perimeter network, they are more vulnerable to potential attacks than servers located on your internal network. To prepare a server for the Edge Transport server role, you should first utilize the Security Configuration Wizard (SCW) to minimize the attack service of the server by disabling functions that are not needed to perform the functions of an Edge Transport server.

Although it is possible to manually secure the server, the SCW automates the process and applies Microsoft recommended best practices to lock the server down by utilizing a role-based metaphor to determine what services are needed on a particular server. By utilizing the SCW, you can minimize your exposure to exploitation of security vulnerabilities.

One of the challenges to locking down ports and services on a particular server is ensuring you do not remove functionality that is necessary for the server to perform its functions. Often, mistakes can be made that are not immediately visible and that can cause problems in your environment that will require troubleshooting at a later date. However, within Exchange Server 2007, there is an SCW template that can be applied to a computer that has the Edge Transport server role installed that can automatically lock down services and ports that are not needed to perform Edge Transport functionality.

When you run the SCW, you can create a custom policy based on this template that can be applied to all Edge Transport servers in your environment.

Implementing Network Security

Edge Transport servers in a perimeter network are generally configured with two network adapters—one to communicate strictly with the Internet, and the other strictly for internal communications.

Each adapter must have a different level of security applied to it. It is recommended that the Internet-facing (or external) adapter be configured to only allow SMTP traffic on port 25.

The internal adapter, on the other hand, needs the following ports open to properly communicate with the server within your organization:

  • Port 25/SMTP for SMTP traffic

  • Ports 50389/TCP and 50636/UDP for Lightweight Directory Access Protocol (LDAP) communication

  • Port 3389/TCP Remote Desktop Protocol

The LDAP ports are used during the EdgeSync process, and the RDP port is used to allow remote administration of the server.

Using the SCW Template

After the Edge Transport server role has been installed, you can follow this procedure to configure a security policy with the Security Configuration Wizard:

1.
Install the Security Configuration Wizard.

2.
Register the Security Configuration Wizard extension by locating the file named Exchange2007.xml in the C:\Program Files\Microsoft\Exchange Server directory. If you installed Exchange in a different directory, you will have to go there to locate the file.

3.
Copy the file to the C:\Windows\Security\Msscw\Kbs directory. If you installed Windows in a different directory, you will have to copy the file to that installation directory instead.

4.
Open a command prompt window and register the Exchange 2007 extension with the local security configuration database by typing the following command:

scwcmd register /kbname:msexchangeedge /kbfile:%winddir%\security\msscw\kbs\exchange2007.xml


5.
Verify that the command has completed successfully by viewing the SCWRegistrar_log.xml file located in the C:\Windows\Security\Msscw\Logs directory.

6.
Create the Edge Transport server SCW policy for your specific environment.

7.
If you have more than one Edge Transport server in your environment, you can apply this custom policy to each of them by performing the following steps:

a. Log on to a server with the Edge Transport server role installed. You must be logged on as a user that is a member of the local Administrators group on that computer.

b. Select Start, All Programs, Administrative Tools, Security Configuration Wizard to start the tool. Click Next on the welcome screen.

c. On the Configuration Action page, select Apply an Existing Security Policy. Click Browse, select the XML file for your policy, and then click Open. Click Next.

d. On the Select Server page, verify that the correct server name appears in the Server (use DNS name, NetBIOS name, or IP address) field. Click Next.

e. On the Apply Security Policy page, click View Security Policy if you want to view the policy details, and then click Next.

f. On the Applying Security Policy page, wait until the progress bar indicates Application Complete, and then click Next.

8.
On the Completing the Security Configuration Wizard page, click Finish.
Other  
  •  Microsoft Exchange Server 2007 : Edge Transport Server Connectors (part 2) - Setting Message Delivery Limits, Configuring Authoritative Domains
  •  Microsoft Exchange Server 2007 : Edge Transport Server Connectors (part 1) - Configuring Send Connectors on the Edge Transport Server
  •  Microsoft Exchange Server 2007 : Server and Transport-Level Security - Exchange Server 2007 SMTP Connectors (part 2) - Hub Transport Server Connectors
  •  Microsoft Exchange Server 2007 : Server and Transport-Level Security - Exchange Server 2007 SMTP Connectors (part 1) - Connector Topology
  •  Microsoft Exchange Server 2007 : Server and Transport-Level Security - Transport-Level Security Defined
  •  Microsoft Exchange Server 2007 : Exchange Server-Level Security Features (part 2) - Protecting Exchange Server 2007 from Viruses
  •  Microsoft Exchange Server 2007 : Exchange Server-Level Security Features (part 1) - Exchange Server 2007 Antispam Measures
  •  Microsoft Exchange Server 2007 : Components of a Secure Messaging Environment (part 5) - Using Email Disclaimers
  •  Microsoft Exchange Server 2007 : Components of a Secure Messaging Environment (part 4) - Establishing a Corporate Email Policy, Securing Groups
  •  Microsoft Exchange Server 2007 : Components of a Secure Messaging Environment (part 3) - Hardening Windows Server 2003 - Running SCW
  •  
    Top 10
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
    - Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
    - Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
    REVIEW
    - First look: Apple Watch

    - 3 Tips for Maintaining Your Cell Phone Battery (part 1)

    - 3 Tips for Maintaining Your Cell Phone Battery (part 2)
    programming4us programming4us
    Celebrity Style, Fashion Trends, Beauty and Makeup Tips.
    programming4us
     
     
    programming4us