
Module 3: Securing Exchange Server 2003

Contents

Overview 1
Lesson: Preparing for and Protecting Against Computer Viruses 2
Lesson: Securing Mailboxes 15
Lesson: Implementing Digital Signature and Encryption Capabilities 28
Lesson: Configuring Firewalls 38
Lesson: Configuring Administrative Permissions 48
Lesson: Allowing Only the Required Services to Run on Exchange 2003 61
Discussion: Securing Exchange Server 2003 70
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or
for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2003 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Windows Server, ActiveSync, ActiveX, Active
Directory, Hotmail, MSDN, MSN, Outlook, PowerPoint, Visual Basic, and Windows Media are
either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.

The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Module 3: Securing Exchange Server 2003 iii

Instructor Notes
Presentation: 70 minutes
Practices: 50 minutes

This module provides students with knowledge and skills that are necessary to
implement security on the server running Microsoft® Exchange 2003.
Implementing security on the Exchange server is the final step of getting a new
Exchange server functioning in the actual environment. Securing Exchange
Server 2003 involves implementing antivirus strategies, implementing digital
signatures and encryption features, configuring firewalls, and setting
administrative permissions.
After completing this module, students will be able to:
! Prepare for and protect against computer viruses.
! Secure mailboxes.
! Implement digital signatures and encryption capabilities.
! Configure firewalls.
! Configure administrative permissions.
! Allow only the required services to run on Exchange 2003.

Required materials
To teach this module, you need the following materials:
! Microsoft PowerPoint® file 2400B_03.ppt
! Video file 2400B_03_v05.wmv
! Module 3 animation, Connecting MAPI Clients to Exchange Server 2003
Through a Firewall, 2400B_03A_05.swf
! The job aid Creating Virus-Clean Policies and Procedures on the Student
Materials compact disc

Important It is recommended that you use PowerPoint 2002 or later to display
the slides for this course. If you use PowerPoint Viewer or an earlier version of
PowerPoint, all the features of the slides may not be displayed correctly.

Preparation tasks
To prepare for this module:
! Read all of the materials for this module.
! Complete the practices and review the discussions and assessment
questions. Where possible, anticipate alternative answers that students may
suggest and prepare responses to those answers.
! Complete the demonstration regarding how to use Connectix Virtual PC,
which is in the Introduction module of this course. All students must watch
you perform this demonstration. It is crucial that students become familiar
with the virtual environment that is used in the practices before they attempt
to complete the first practice in this module on their own.
! Review the links and suggested additional readings for this module.
Document your own suggested additional readings to share with the class.

Classroom setup
The classroom should be set up to use Connectix Virtual PC software, as
discussed in the Manual Classroom Setup Guide. No additional classroom setup
is needed.

How to Teach This Module


This section contains information that will help you to teach this module.
How to start
Discuss the tasks on the module overview slide and then click the projector
button to show the brief video from a Northwind Trader’s employee before you
continue with the module. In this video, students will be given overall
instructions for tasks from their team lead or co-worker at Northwind Traders.
You can play this video again at the beginning of the first practice in the
module if you think it will help motivate students.
Time to teach this module
We anticipate that your total presentation time will be about 70 minutes. The
majority of the time spent on this module should be time that students get to
complete hands-on practice activities, view the multimedia presentation, and
participate in class discussions. In addition to your presentation time, we
anticipate that hands-on time for students will be about 50 minutes.

Tip When this icon appears on the lower-right corner of a slide, it indicates
that students must complete an inline practice before you move on to the next
slide:

Practices
Some practices in this module require initial startup time. Consider having
students perform the initial step in these practices before you begin the lecture
on the related content. If a practice begins with a procedure titled “To prepare
for this practice,” then it requires initial startup time.

Lesson: Preparing for and Protecting Against Computer Viruses


The first two topics of this lesson involve antivirus tasks. Because Microsoft
does not own any antivirus software, legal constraints prevent the installation of
an antivirus product through instruction in the student workbook. As an added
value for your students, consider demonstrating the following steps:
1. Connect to http://www.microsoft.com/exchange/antivirus.asp and show the
partner antivirus companies.
2. Connect to any antivirus company that you are familiar with and show the
students how to locate and download an evaluation antivirus product.
Download the product to your host computer, use Virtual PC to share that
host folder with your London virtual computer, and copy the evaluation
software to London.
3. Install evaluation antivirus software on London (do not install on Miami
unless you have that virtual computer up and running while you are
performing the installation).
4. Connect back to the vendor site to search for, download, and apply any virus
signature file updates that are available.

What Are Computer Viruses?
Ask students what they know about viruses. Discuss differences between
viruses, worms, and Trojan horses. Emphasize that worms and Trojan horses
are not technically viruses. However, to provide consistency between the
technical documentation and Course 2400, Implementing and Managing
Microsoft Exchange Server 2003, the topics of worms and Trojan horses are
included as part of the virus topics.
How Are Viruses Spread?
Use this animated slide to explain the process through which viruses spread in
an Exchange organization. Use the associated text box that appears with each
click to guide you through your explanation of how viruses spread. Emphasize
to the students that they must always install and configure new computers while
they are disconnected from the network because a virus can also infect secure
resources, such as files, applications, and operating system source files.
Guidelines for Preparing an Antivirus Strategy
Discuss the three guidelines that must be followed while preparing an antivirus
strategy for an Exchange organization. Because of the prevalent virus attacks in
many companies, emphasize that students should consider configuring their
messaging systems to block attachments of known exploitable file types, such
as .bat, .com, .scr, .vbs, and embedded Hypertext Markup Language (HTML)
scripts.
Emphasize that students need to understand the capabilities and be aware of the
impacts that their antivirus solution may have on Exchange as well as other
Microsoft Windows® services. Point out that file-level scans should exclude
Exchange database files and that if students are running Windows 2000,
antivirus scanning of the Microsoft Internet Information Services (IIS)
metabase may cause corruption and failure of IIS.
Considerations When Choosing Antivirus Software
Use the table in this slide to discuss the antivirus software features that students
should take into consideration when protecting their company’s components
from virus threats.
Explain to students the features that are supported by Exchange Virus Scanning
Application Programming Interface (VSAPI) 2.5 and that for information on
third-party vendors that develop antivirus software for Exchange, refer students
to http://www.microsoft.com/exchange/partners/antivirus.asp.
What Are Virus-Clean Policies and Procedures?
Use this slide to explain why virus-clean policies and procedures should be in
place before a virus attack occurs. Emphasize that if students have the
virus-clean policies and procedures in place they can avoid making decisions in haste.
Guidelines for Creating Virus-Clean Policies and Procedures
Discuss the guidelines for creating virus-clean policies and procedures. Show
students where the job aid Creating Virus-Clean Policies and Procedures
resides on the Student Materials compact disc. It is also printed at the back of
the student workbooks. This job aid will help the students in answering some
key questions about their Exchange organization that need to be answered when
developing virus-clean policies and procedures.
The goal of this practice is to have students consider their own policies and
procedures for removing viruses in their environment. You should consider
leading this discussion in such a way that students realize the important
components that must be documented for their company that will allow them to
respond to a virus incident in a fast and efficient manner. You want your
students returning to their companies with an idea of the importance of creating
these procedures before they are needed and to be able to use the job aid to help
them identify the items that they need to be able to create policies and
procedures for responding to a virus incident.

What Are Security Updates?
Use this slide to explain the concept of security updates and how they help to
eliminate known security vulnerabilities, such as those that are caused by or
exploited by viruses. Emphasize that students should quickly evaluate their
system to determine if the update is relevant to their current situation.
Where to Locate and Download Security Updates
Use this slide to discuss the bulletins and utilities that can help a student’s
company to remain current on the latest security issues and fixes. Tell
students that they can download security updates from various Web sites,
including http://www.microsoft.com/exchange/downloads and
http://support.microsoft.com.
Refer students to Course 2596, Deploying and Managing Microsoft Systems
Management Server 2003 for more information about Microsoft Systems
Management Server (SMS).

Lesson: Securing Mailboxes


The practices in this lesson have the student set up and configure Simple Mail
Transfer Protocol (SMTP) connectivity. Because of space limitations on the
Trainer Materials DVD, there is no way to test the configuration of SMTP
connectivity in the classroom with the current setup. As an added value for your
students, consider creating a virtual computer that can be run alongside London
for these practices. The additional virtual computer must be an Exchange server
in a separate organization with an IP address on the same subnet as London
(131.192.1.x). The students can use this additional virtual computer to verify
that their configuration works.
Message Filtering to Reduce Unsolicited Commercial E-Mail
Discuss the concepts about message filtering, block lists, and connection
filtering. Refer students to http://www.mail-abuse.org for information about
Mail Abuse Prevention System (MAPS). Discuss the filtering features provided
by Microsoft Outlook® 2003, Exchange 2003, and Microsoft Outlook Web
Access that students can use to reduce unsolicited commercial e-mail.
How Outlook 2003 and Exchange 2003 Evaluate Unsolicited Commercial E-Mail
Use this animated slide to explain the process by which Outlook 2003 and
Exchange 2003 evaluate an e-mail message to determine if it is unsolicited
commercial e-mail.

How to Configure the Junk E-Mail Feature
Use this slide to discuss the high-level steps for configuring the Junk E-mail
feature in Outlook 2003 and enabling connection filtering. Then have the
students complete the inline practice on configuring Exchange to enable
connection filtering and answer any questions that they have.
Guidelines for Securing Mailboxes
Use this slide to discuss the guidelines that students should follow for securing
mailboxes. Emphasize that this is a critical task because user mailboxes,
mailbox features, and mailbox content are often one of the greatest security
risks within any company.
What Is Recipient and Sender Filtering?
Discuss the concepts of recipient filtering and sender filtering. Remember to tell
the students that recipient filtering rules only apply to anonymous connections.
Authenticated users and other Exchange servers bypass these rules.
How to Create and Apply Recipient and Sender Filtering
Use this slide to discuss the high-level steps for creating and applying recipient
filtering, and creating and applying sender filtering. Then have the students
complete the inline practice on configuring Exchange to block e-mail addresses
and domains, and answer any questions that they have.

Guidelines for Cleaning E-Mail of Viruses
Use this slide to discuss the steps for developing specific procedures for
creating a virus-clean network environment after a virus has attacked the
students’ messaging system. Explain that these procedures can be customized
for their particular situation.

Lesson: Implementing Digital Signature and Encryption Capabilities


What Are Digital Signature and Encryption Capabilities?
Use this slide to explain the digital signature and encryption capabilities that
help to secure a messaging system.

What Is a PKI?
Use this slide to discuss a public key infrastructure (PKI) policy that is used for
establishing a secure method for exchanging information.
What Are the PKI Components That Enable Digital Signature and Encryption Capabilities?
Use this slide to briefly discuss the components that enable digital signature and
encryption capabilities. Refer students to Module 5, “Using a PKI to Secure
Information,” in Course 2810, Fundamentals of Network Security, and Course
2821, Designing and Managing a Public Key Infrastructure, for more
information about PKI.
How the Enrollment Process Enables Digital Signature and Encryption Capabilities
Use this slide to discuss the enrollment process. Emphasize that although the
enrollment process varies with the certification authority (CA) that is used, and
its policies, the steps in the student workbook outline the general process.

The Process of Creating and Deploying Digital Signature and Encryption Certificates
Use this slide to discuss the process to digitally sign and encrypt e-mail
messages.

How to Configure Digital Signature and Encryption Capabilities
Use this slide to discuss the steps for configuring Outlook to use the certificates
to enable digital signature and encryption capabilities. Then have the students
complete the inline practice on configuring Exchange to allow users to digitally
sign and encrypt messages, and answer any questions that they have.

Lesson: Configuring Firewalls


What Is a Firewall?
Use this slide to explain that a firewall is a system that is used to prevent
unauthorized Internet users from accessing private networks (intranets) that are
connected to the Internet.
What Is a TCP Port?
Discuss the concept of Transmission Control Protocol (TCP) and how it enables
two hosts to establish a connection and exchange streams of data. Also discuss
how students can reduce TCP port exposure and the Exchange 2003 ports and
their associated services.
IIS Ports Used by Exchange
Use this slide to discuss how IIS with Exchange provides the protocols that
enable Internet clients to gain access to mailbox data in Exchange and to
configure virtual servers for added functionality and scalability. Refer students
to the Request for Comment (RFC) Web site for more information on Hypertext
Transfer Protocol (HTTP), SMTP, Network News Transfer Protocol (NNTP),
Post Office Protocol 3 (POP3), and Internet Message Access Protocol 4
(IMAP4).

Options for Connecting a MAPI Client to an Exchange Server When Separated by a Firewall
Discuss the options that are required if students have a firewall separating the
MAPI client and the Exchange server. Be prepared to explain to your students
that there are other options, such as Outlook Web Access, for accessing
Exchange and that this topic is intended to explain the configuration
requirements that a MAPI client, such as Outlook, places on their Exchange
network.
Recommended Options for Connecting a MAPI Client to an Exchange Server When Separated by a Firewall
Use this slide to discuss the two options for the location of an RPC proxy server
when students deploy RPC over HTTP in their network.

Multimedia: Connecting MAPI Clients to Exchange Server Through a Firewall
Use the animation to show the ports that MAPI uses and the client request
process, how the firewall is configured to allow messages to travel across the
firewall, and how a MAPI client can use RPC over HTTP to access the
Exchange Server 2003. Use the animation and the discussion questions to help
your students understand the security requirements when a MAPI client is used
to access Exchange through a firewall.

Lesson: Configuring Administrative Permissions


What Are Administrative Groups?
Discuss that an administrative group is a collection of Exchange 2000 or
Exchange 2003 objects that are grouped together for the purpose of managing
and delegating permissions. Also, discuss the different types of administrative
group objects.
Where Is a New Computer Running Exchange Server Added?
Discuss the locations where a new computer running Exchange 2000 or
Exchange 2003 is added in the Exchange organization.
How to Create an Administrative Group
Use this slide to discuss the high-level steps for displaying the Administrative
Groups container and creating a new administrative group. For more
information about creating administrative groups, refer students to Module 3,
“Designing an Administrative Plan,” in Course 1573, Designing Microsoft
Exchange 2000 for the Enterprise. Then have the students complete the inline
practice on creating an administrative group, and answer any questions that they
have.
How to Grant Exchange Administrative Permissions
Begin with a discussion on Exchange administrative permissions. Also discuss
the Exchange Administration Delegation Wizard, how the object from which
you start the wizard determines which object the user or group has permissions
for, and the roles supported by the Exchange Administration Delegation
Wizard. Have the students complete the inline practice on delegating control of
an administrative group, and answer any questions that they have.
How to Modify and Prevent Inherited Permissions
Use this slide to discuss the high-level steps for modifying inherited
permissions and for preventing permissions from propagating to child objects.
For this topic and the next, emphasize that students need to understand the
impact of any changes they make to object permissions.
Be prepared to explain to your students that the Security page is not displayed
for all objects unless settings are modified in the registry. You may want to
demonstrate that by default they can see the Security page for some objects,
such as the server object, but not for objects such as an Administrative Group object.

How to Configure Advanced Security Permissions by Using Adsiedit.exe
Use this slide to discuss the high-level steps for applying advanced security
settings by using Adsiedit.exe. Then have the students complete the inline
practice on configuring custom security permissions, and answer any questions
that they have.

Lesson: Allowing Only the Required Services to Run on Exchange 2003


Services Used by Exchange 2003
Use this slide to discuss the different Exchange 2003 services. The requirement
for Exchange services depends on the role that your Exchange server provides
in your environment.
Why Allow Only Required Services to Run on Exchange 2003?
Discuss the need for allowing only the required services to run on
Exchange 2003.

What Are the Required Services on an Exchange Front-End Server?
Use the table on this slide to discuss the services that must be configured for an
Outlook Web Access front-end server. Also discuss the additional service
considerations. Tell the students that the information in the topic assumes that
they plan to use front-end servers to establish HTTP connections. If they plan to
configure POP3 or IMAP4, they must enable either the POP3 or IMAP4
service, but they must not use the World Wide Web Publishing Service.
What Are the Required Services on an Exchange Back-End or Mailbox Server?
Use the table on this slide to discuss how Exchange services can be configured
for a back-end server. Also discuss the additional service considerations. Refer
students to the white papers Microsoft Exchange Server Front-End and
Back-End Topology and Security Operations for Microsoft Exchange 2000 Server in
the Additional Reading section of the Student Materials compact disc for more
information about front-end and back-end servers, and securing the Exchange
server.

Discussion: Securing Microsoft Exchange Server 2003


The scenarios in this discussion were designed to allow students to reflect on
what they did in the module and to give them an opportunity to ask any
remaining questions that they have. Use the discussion scenarios to provide a
summary of the module content. You can also return to the Module overview
slide and use it to help summarize the lessons covered in this module.
You can do this activity with the entire class. Or, if you have time, have
students work in small groups to come up with solutions to the problems in the
scenarios and then present and discuss their ideas with the class.
Before taking part in the discussion, students should have completed all of the
practices. Students who have not completed the practices may have difficulty
taking part in the discussion.

Assessment
Assessment questions for this module are located on the Student Materials
compact disc. You can use the assessment questions in whatever way you think
is best for your students. For example, you can use them as pre-assessments to
help students identify areas of difficulty. Or you can use them as post-
assessments to validate learning. Consider using the questions to reinforce
learning at the end of the day or at the beginning of the next day. If you choose
not to use the assessment questions during class, show students where they are
so that they can use them to assess their own learning outside of class.

Overview



Introduction
After you install and configure Microsoft® Exchange Server 2003, you must
implement security on the server running Exchange 2003. To secure
Exchange 2003, you must prepare for and protect against the possibility of a
virus attack, and you must secure mailboxes, implement digital signatures and
encryption, configure firewalls, and set appropriate administrative permissions.
You can also reduce the number of services that are running on the server,
thereby allowing only the services that are necessary to run Exchange.
Objectives
After completing this module, you will be able to:
! Prepare for and protect against computer viruses.
! Secure mailboxes.
! Implement digital signatures and encryption capabilities.
! Configure firewalls.
! Configure administrative permissions.
! Allow only the required services to run on Exchange 2003.

Lesson: Preparing for and Protecting Against Computer Viruses


Introduction
This lesson presents an overview of computer viruses and explains how they
spread through a network. This lesson then provides guidelines for preparing an
antivirus strategy, choosing antivirus software, and creating virus-clean policies
and procedures. Finally, this lesson describes security updates and explains
where to locate and download these updates.
Lesson objectives
After completing this lesson, you will be able to:
! Explain the purpose of computer viruses.
! Describe how viruses are spread.
! Prepare an antivirus strategy.
! Choose antivirus software.
! Explain the purpose of virus-clean policies and procedures.
! Create virus-clean policies and procedures.
! Explain the purpose of security updates.
! Locate and download security updates.

What Are Computer Viruses?



A computer virus is a program—a piece of executable code—that has the
ability to attach itself to files or programs. The virus then replicates and spreads
its infected files over the network, from one computer to another. A virus
requires a host program to work—that is, the virus must be run before it can
replicate and infect other computers.
Virus side effects
Viruses often deliver a virus payload, which is an action that a virus carries out
separately from replication. While many viruses simply replicate and then
display messages or images, some viruses can cause extensive damage to
hardware, software, or data. Even if a virus does not deliver a payload,
replication can cause problems by consuming massive storage space, memory,
and bandwidth, thereby degrading the overall performance of the computer and
the network that computer is attached to.
Virus variations
Similar to a virus, a worm is a program that can replicate itself. However,
unlike a virus, a worm does not require a host program, which means that a
worm can replicate itself automatically by taking advantage of automatic file
sending and receiving.
A Trojan horse is a program that claims to be one thing (for example, it may
claim to be a computer game) but instead, a Trojan horse does damage when it
is run (for example, it may erase a hard disk or compromise a security system).
A Trojan horse cannot replicate itself; instead, it relies on users to spread the
program by way of e-mail.

Important Worms and Trojan horses are not technically viruses. However,
these two programs are typically categorized as viruses in technical
documentation. Therefore, to provide consistency with current documentation,
throughout Course 2400, Implementing and Managing Microsoft Exchange
Server 2003, the topics of worms and Trojan horses are included as part of the
virus topics.

How Are Viruses Spread?



Viruses are commonly found in e-mail attachments or in programs that are
downloaded from the Internet. When a user activates a virus by opening an
e-mail message or launching a program, it loads itself into a legitimate
program’s memory and then searches for other programs. If the virus finds
other programs, it modifies the unsuspecting program by adding the virus’s
code to it. The next time that the legitimate program is run, it infects other
programs, and this way the virus keeps spreading. After a virus infects a
messaging system, it spreads quickly because e-mail clients provide both
sending capabilities and programmatic access to information (such as an e-mail
client’s address book) that enables viruses to replicate quickly.

Important A virus can also infect secure resources, such as files, applications,
and operating system source files. Therefore, always install and configure new
computers while they are disconnected from the network. Before you reconnect
to the network, you should apply software upgrades, and then install antivirus
software and run a manual scan of the software by using the latest signature
files.

Guidelines for Preparing an Antivirus Strategy



An essential aspect of protecting your messaging system against viruses is
preparing an antivirus strategy. Your antivirus strategy should include
educating users about viruses, installing antivirus software in the appropriate
locations, and ensuring that the antivirus software is current.
Determine how to educate users about viruses
Your antivirus strategy should outline the processes for educating users about
viruses. Educating users necessitates making them aware of current virus threats
and the importance of keeping their computer systems up to date with the latest
signature files and security updates. If users are aware of viruses, they may be
able to help stop a virus from spreading if it infects the system. Typically, users
should know not to open attachments that they receive from any application
(including e-mail clients and instant messaging applications) unless they know
the sender and they are expecting the attachment.
You can use a variety of methods to alert users of an e-mail virus threat,
including voice mail messages and e-mail messages explaining what
attachments not to open, or by posting documents in prominent places
throughout your company about e-mail virus threats, known viruses, and
information regarding how to combat viruses.
Determine where to install antivirus software
Your antivirus strategy should also include plans for installing antivirus
software on client computers, servers, and firewalls:
! Client-side antivirus software. Because viruses are activated when users
open infected attachments, you should install client-side antivirus software
on all of the clients that connect to your network, including remote clients.
Client-side antivirus software installs file system filters that check files on
their computer for the signatures of known viruses as the files are written to
disk. Some antivirus software connects to e-mail clients and searches
attachments on incoming e-mail. If a virus is detected, the software deletes
the attachment from the message or copies the attachment to the local hard
disk and then disinfects the file.

Note You should configure Microsoft Outlook® to block attachments of
known exploitable file types, such as .bat, .com, .scr, .vbs, and embedded
Hypertext Markup Language (HTML) scripts. If your client computers use
Outlook 2000 and 2003, this blocking is done by default. A security update
is available for earlier versions of Outlook to implement this.

! Server-side antivirus software. To prevent viruses from spreading to users
who are not using the current client-side antivirus software, you should
install server-side antivirus software on every Exchange server that is in
your company. Server-side antivirus software scans mailbox and public
folder stores (some server-side antivirus software can also scan transports)
and eliminates any viruses it finds before they enter your network. Any
antivirus software that you install on the server running Exchange must be
developed specifically for Exchange, because Exchange has a large database
and the antivirus software must differentiate between the signature of a
known virus and a random string of bytes that coincidentally matches a
virus signature.

Note Any file level scan of your Exchange server must exclude Exchange
database files (*.edb, *.stm, and *.log files) from being scanned to prevent
antivirus software from corrupting the database when it attempts to clean a
virus from one of these files.

! Firewall antivirus software. In addition to using a firewall to protect your
network from unauthorized access, you should also implement virus
protection on the firewall. Antivirus software that is installed on a firewall
scans files as they enter the firewall, thereby stopping the viruses before
they make it into or out of a network. Most firewall antivirus software
enables you to specify how viruses are processed. For example, you can
configure firewall antivirus software to remove an attachment, to send a
notification e-mail to an administrator, or to hold the suspect message in a
queue for later review.

Ensure that the antivirus software is current
Because new computer viruses (or strains of old viruses) are constantly being
created, one of the most important tasks when implementing an antivirus
strategy is to ensure that your antivirus software is up-to-date. You should also
provide automatic updates for every component that you want to protect, such as
client computers, Exchange servers, and firewalls. Automatic updates do
not require administrator or user intervention, and they are particularly
important on client computers because users often do not update their software
regularly. Remember, however, that these updates can introduce new code. By
configuring systems for automatic updates, you will not have a chance to test
the code in your environment, so you will not be able to tell in advance whether
the new code conflicts with existing software or causes problems such as a
program that stops responding.
Considerations When Choosing Antivirus Software

After you have created an antivirus strategy, you are ready to choose the
appropriate antivirus software for your company. Choosing antivirus software
involves evaluating your network environment to determine where your virus
threats exist. Because viruses typically enter a network by way of servers, client
computers, and firewalls, you must protect all of these components.
Considerations
The following table describes the antivirus software features that you should
take into consideration when protecting your company’s components.
Component to protect, antivirus software feature, and antivirus software
considerations:
! Exchange server. Exchange 2003 support:
• Does the software integrate with Exchange 2003 and the other servers in
your environment?
• Does the software significantly interfere with Exchange performance?
• Is the software supported by the software vendor for use with Exchange?
! Client. Distribution functionality:
• Does the software provide automated deployment of client-based software?
Administrative tools:
• Are there mechanisms for reporting and monitoring client desktops from a
single, central location?
• Are remote systems protected with the same level of security as locally
connected computers?
! Server and firewall. E-mail scan:
• Does the software scan inbound and outbound e-mail?
! All components. Software updates:
• Does the software allow for quick and automated updates?
• How often does the vendor release product updates, especially in the event
of a virus attack?
Varied virus detection:
• Does the software guard against viruses, worms, Trojan horses, and other
malicious code such as macro viruses and malicious scripts?
• Does the vendor provide assurance that their product will be frequently
updated to detect new viruses as needed?
• Is the vendor certified (for example, by TruSecure ICSA Lab or CheckMark)?
Multiple scan locations:
• Does the software provide virus scanning at the Exchange client, Exchange
information store, Exchange transport, and firewall level?

Note The Exchange Server 2003 Virus Scanning Application Programming
Interface (VSAPI) 2.5 allows antivirus vendor products to run on Exchange
servers that do not have resident Exchange mailboxes (for example, gateway
servers or bridgehead servers) and allows antivirus vendor products to delete
messages and provide additional virus status messages to allow clients to better
indicate the infection status of a given message.
For information on third-party vendors that develop antivirus software for
Exchange, see http://www.microsoft.com/exchange/partners/antivirus.asp.
What Are Virus-Clean Policies and Procedures?

After implementing antivirus software, virus attacks can still occur. Because of
the possibility of attacks, a vital aspect of your security strategy should be to
include policies and procedures on how to prevent viruses, as well as what to do
when a virus does attack your system. These policies and procedures are called
virus-clean policies and procedures.
Why create virus-clean policies and procedures?
These policies and procedures should be in place before a virus attack
occurs, thereby avoiding making decisions in haste that could reduce your
company’s ability to:
! Understand the extent and source of an attack.
! Protect sensitive data that is contained on systems.
! Protect systems and networks, and their ability to continue operating as
intended.
! Recover infected systems.
! Collect information that assists in understanding what has happened so that
further damage does not occur.
! Support legal investigations.
Guidelines for Creating Virus-Clean Policies and Procedures

Although the actual procedures you will create to remove a virus from an
infected system will depend on the antivirus software that you use, you should
also consider the impact of the virus on your network environment when
creating virus-clean policies and procedures.
Guidelines
The policies and procedures you create should define the following:
! When to isolate the affected systems. After a virus attack occurs, depending
on the severity of the virus and your company’s security policy, you should
isolate the affected systems by taking them offline. Because viruses can
quickly cause extensive damage, you should have procedures in place that
enable you to immediately take the e-mail servers offline.
! When to restore the system to its original state. If your antivirus software
does not completely remove the virus from the affected system, you must
restore the system to its original state by performing a restore operation by
using backup data that has not been compromised. You may also need to
reinstall the operating system and all of the applications by using source
disks.

Note If a virus-infected e-mail message spreads to your users’ mailboxes,
you may be able to remove viruses from your mailboxes by using the
ExMerge.exe tool. For more information about using ExMerge.exe to
remove viruses, see the article “HOW TO: Remove a Virus-Infected
Message from Mailboxes by Using the ExMerge.exe Tool” on the Product
Support Services page of the Microsoft Web site at
http://support.microsoft.com/.
! How to validate system functionality and performance. After you restore
your system, you must ensure that the system is functioning normally by
using historical baselines. Historical baselines allow you to compare the
current performance for items such as message delivery rates to those of
your system before the system was restored. You must also monitor your
system for repeat virus outbreaks.

Note For additional information on creating policies and procedures for
maintaining a virus-clean network environment, you can use the job aid
Creating Virus-Clean Policies and Procedures in the Job Aid folder on the
Student Materials compact disc.

Practice: Creating Virus-Clean Policies and Procedures
In this practice, you will use the job aid titled Creating Virus-Clean Policies
and Procedures at the end of the workbook to help you plan what actions
should be taken to recover from a virus attack in your company. A copy of this
job aid is also included on the Student Materials compact disc.
Review the checklist, and then prepare to answer the following questions. There
are no correct or incorrect answers in this discussion.
Discussion questions
Answer the following questions during the classroom discussion.
1. If a virus were to infect your messaging system, are there specific
individuals that are responsible for responding to the virus attack?
• What are the advantages of having this information documented?
2. To be able to communicate the impact of the attack, do you have a
communication plan in place?
• Would the best mechanism for communicating information about a virus
be by notifying your users through e-mail?
• Why or why not?
3. Would the actions that you take to get rid of a virus change if more than one
person were impacted by the virus?
• What if your whole company was impacted?
4. Do you know the Web site and support numbers for your virus vendor in
case of a virus attack?
5. Does your backup routine give you the ability to recover from a severe virus
attack where the virus cannot be removed from a server?
What Are Security Updates?

Security updates are product updates that eliminate known security
vulnerabilities, such as those that are caused by or exploited by viruses. When a
security update becomes available, you should quickly evaluate your system to
determine if the update is relevant to your current situation.
Most security updates are released for client software such as Web browsers;
however, occasionally updates are also released to protect server software. To
keep Exchange secure, you must ensure that the security updates for both
Exchange and the operating system are current by installing the latest security
fixes. If the operating system is vulnerable, Exchange is also vulnerable;
therefore, you should regard the security of the operating system as seriously as
you regard the security of the Exchange server.
Where to Locate and Download Security Updates

You can download security updates from various Web sites, including
Microsoft.com. You can find Exchange updates at
http://www.microsoft.com/exchange/downloads and http://support.microsoft.com.
Bulletins and utilities for downloading security updates
The following bulletins and utilities can also help your company remain current
on the latest security issues and fixes:
! Security bulletins. Microsoft and many third-party antivirus vendors include
services that periodically release security bulletins that enable you to stay
current on security issues and fixes. By visiting the following Web sites and
subscribing to security bulletins, you receive automatic e-mail notification
of security issues:
• Microsoft Security Notification Service, which is located at
http://www.microsoft.com/technet/security/bulletin/notify.asp.
• Microsoft Security Web site, which is located at
http://www.microsoft.com/security.
• Microsoft Windows® Update, which is located at
http://v4.windowsupdate.microsoft.com/en/default.asp.
! Utilities. You can use the following utilities to keep current on Windows
service packs (SPs), hotfixes, and patches:
• Microsoft Baseline Security Analyzer (MBSA). This utility checks for
missing patches, blank or weak passwords, and vulnerabilities on each
server that is running Windows 2000 or later, Microsoft Internet
Information Services (IIS), Microsoft SQL Server™, and Microsoft
Internet Explorer 5.01 or later. MBSA uses the Microsoft Network
Security Hotfix Checker (Hfnetchk.exe) tool to scan for missing security
updates and SPs for Windows, Internet Explorer, IIS, SQL Server,
Exchange, and Microsoft Windows Media® Player. You can download
the latest MBSA from http://www.microsoft.com/technet.
• Microsoft Software Update Services (SUS). This utility simplifies the
process of keeping Windows-based computers and servers up-to-date
with the latest critical updates. SUS is recommended for medium
enterprises with one or more locations and up to 500 users. For smaller
companies with fewer client computers, use Microsoft Windows Update.
You can download SUS from
http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp.
• Microsoft Systems Management Server (SMS). This utility automates the
distribution and installation of the recommended security fixes for large
companies with multiple locations and more than 500 Windows-based
client and server computers. SMS enables you to determine which
computers need security fixes, and then enables you to deploy the fixes
to the appropriate resources. You can download SMS from
http://www.microsoft.com/catalog.

Note For more information about SMS, see Course 2596, Deploying and
Managing Microsoft Systems Management Server 2003.
Lesson: Securing Mailboxes

Introduction
This lesson presents the guidelines that administrators should consider when
securing Exchange 2003 user mailboxes.
Lesson objectives
After completing this lesson, you will be able to:
! Explain how message filtering can be used to reduce unsolicited commercial
e-mail.
! Describe how Outlook 2003 and Exchange 2003 evaluate unsolicited
commercial e-mail.
! Configure the Junk E-Mail feature.
! Explain the guidelines for securing mailboxes.
! Explain what recipient and sender filtering is.
! Create and apply recipient and sender filtering.
! Clean e-mail of viruses.
Message Filtering to Reduce Unsolicited Commercial E-Mail

What is unsolicited commercial e-mail?
Unsolicited commercial e-mail, or junk e-mail, can be a major problem for
companies because, in addition to wasting your users’ time in reading such
e-mail, it uses a computer’s memory resources and consumes network
bandwidth. Although unsolicited commercial e-mail can be difficult to guard
against, you can use message filtering to reduce the amount of unsolicited
e-mail your users receive.
What is message filtering?
Message filtering is the process that is used to identify unsolicited commercial
e-mail by examining e-mail headers and message bodies and then matching
those against established junk e-mail rules. The challenge of message filtering
is eliminating junk e-mail without eliminating legitimate e-mail.
Message filtering features for reducing unsolicited e-mail
Outlook 2003, Exchange 2003, and Microsoft Outlook Web Access include the
following message filtering features that you can use to reduce unsolicited
commercial e-mail:
! Outlook Junk E-Mail features. Outlook 2003 and Exchange 2003 Outlook
Web Access include a set of built-in message filters, collectively referred to
as the Junk E-Mail feature, to identify unsolicited commercial e-mail. The
Junk E-Mail feature enables users to configure Trusted Sender, Trusted
Recipients, and Junk Senders lists. For example, Outlook 2003 can search
e-mail messages by sender, and if the sender is listed on the Junk Senders
list, the message is moved into the Junk E-Mail folder or deleted. In
Outlook 2003, the Junk E-Mail feature is enabled by default. Microsoft
provides updates for these built-in message filters.
! Outlook content-blocking features. Outlook 2003 and Exchange 2003
Outlook Web Access enable you to block external content, such as Web
beacons, referrals, and malicious code, in HTML messages.
! Exchange filtering features. Exchange 2003 filtering features examine
e-mail headers and match them to established filter rules. For example, a
filtering feature could be used to prevent users from receiving e-mail from a
particular domain or from an unspecified sender. To use the Exchange
filtering features, you must first create global filters by configuring the
properties of the global Message Delivery object. After you have created
the global filters, you must configure specific Simple Mail Transfer Protocol
(SMTP) virtual servers to use these global filters. (A virtual server is a
server that allows you to host different protocols or protocol settings on the
same physical server.)

What is a block list?
A block list is a list of domain names and Internet Protocol (IP) addresses that
are known to send unsolicited commercial e-mail. You can develop a block list
for your company by routinely adding IP addresses to your Global Accept and
Deny List Configuration, which defines the IP addresses from which you will
accept or deny e-mail. Or, you can subscribe to a block list that is maintained by
a third-party company, such as Mail Abuse Prevention System (MAPS). Block
lists that are maintained by third-party companies are typically called Realtime
Blackhole Lists or Relay Blocking Lists. To use block lists, you must configure
your server to use these third-party services.

Note For more information about MAPS, see http://www.mail-abuse.org.

While block lists can reduce the amount of unsolicited e-mail that you receive,
they have some limitations, which are as follows:
! Block lists cannot completely prevent unsolicited e-mail because people
who send this type of e-mail use a variety of tactics, such as spoofing (or
forging) subject headers or using third-party servers to send the mail to
evade block lists.
! Block lists can also block legitimate e-mail because some domains may be
incorrectly listed in the block list.

What is connection filtering?
Connection filtering is an Exchange 2003 junk e-mail protection feature that
enables you to check the IP address of the connecting SMTP server against
those that are listed on a block list. If a match is found between IP addresses,
Exchange rejects every intended message recipient unless it is a recipient who
is defined as an exception. Exchange 2003 connection filtering also enables you
to:
! Configure multiple connection filter rules. You can configure multiple
connection filter rules and then prioritize the order in which the rules are
applied to the IP address of the connecting SMTP server. When you
configure multiple connection filter rules, the rules are checked in the order
that they appear. Creating multiple rules enables you to use the same IP
address with a different set of rules—for example, when you subscribe to
two different block list providers.
! Configure exceptions to connection filter rules. You can choose to allow
e-mail messages to be delivered to specific recipients or delivered from a
specific sender regardless of whether the recipients appear on a block list.
(For example, a legitimate company may be blocked from sending e-mail to
your company because they have inadvertently configured open relaying.
Open relaying or mail relaying is when an unauthorized user sends e-mail
messages from another system’s e-mail server to make it appear that the
messages originated from the other system.) If an exception is configured
for an e-mail recipient and a match is found, Exchange will accept e-mail
from the SMTP address.

The connection filtering process
When you configure connection filtering, you establish a rule that SMTP uses
to perform a Domain Name System (DNS) lookup on a block list. The
connection filter examines each incoming IP address and matches it against the
block list. When an e-mail message is sent to your organization, Exchange
contacts the block list provider. The provider then checks for the existence of a
host record in DNS. Exchange queries for this information are in a specific
format—for example, if the connecting IP address is 192.168.5.1 and the block
list provider is contoso.blocklist.msft, Exchange queries for the existence of the
following record:
1.5.168.192.contoso.blocklist.msft IN A 127.0.0.x

If this IP address is found on the block list, the block list provider issues one of
two responses:
! 127.0.0.x status code. This response indicates that the IP address was found
on the block list, and it also lists the type of offense, such as known source
of unsolicited e-mail or known relay server.
! Host not found. This response indicates that the IP address was not found on
the block list.
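The query format and the two possible answers described above, worked through as an added Python example; this is not code from the course or from Exchange, which performs the lookup itself. It also covers the two features from the previous page, several rules checked in priority order and recipients configured as exceptions. The DNS answers, the second provider fabrikam.blocklist.msft, the address 10.0.0.20 and the meaning attached to each 127.0.0.x code are constructed for the example; every real provider publishes its own code table.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for DNS: query name -> A-record answer. A real
# deployment resolves these names in the block list provider's DNS zone.
CONSTRUCTED_DNS: Dict[str, str] = {
    "1.5.168.192.contoso.blocklist.msft": "127.0.0.2",  # the module's own example
    "20.0.0.10.contoso.blocklist.msft": "127.0.0.4",
    "20.0.0.10.fabrikam.blocklist.msft": "127.0.0.2",
}

# What the low-order octet of a 127.0.0.x answer means. These two codes are
# assumed for illustration; every provider publishes its own table.
STATUS_MEANINGS: Dict[int, str] = {
    2: "known source of unsolicited e-mail",
    4: "known relay server",
}


def blocklist_query_name(ip: str, provider_suffix: str) -> str:
    """Build the name Exchange queries: the octets reversed, then the provider suffix.

    192.168.5.1 checked against contoso.blocklist.msft becomes
    1.5.168.192.contoso.blocklist.msft
    """
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not an IPv4 address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{provider_suffix}"


def lookup_status(ip: str, provider_suffix: str, resolver: Dict[str, str]) -> Optional[int]:
    """Return x from a 127.0.0.x answer, or None when the answer is 'host not found'."""
    answer = resolver.get(blocklist_query_name(ip, provider_suffix))
    if answer is None:
        return None
    result = ipaddress.IPv4Address(answer)
    if result not in ipaddress.IPv4Network("127.0.0.0/24"):
        return None  # not a block list status code; treat as not listed
    return int(str(result).split(".")[-1])


def filter_recipients(ip: str, rules: List[str], recipients: List[str],
                      exceptions: Set[str], resolver: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Apply the connection filter rules, highest priority first, to each intended recipient.

    Returns {recipient: (accepted, reason)}. Recipients on the exception list
    are accepted even when the connecting IP address is on a block list.
    """
    listed_reason: Optional[str] = None
    for suffix in rules:  # rules are checked in the order they appear
        code = lookup_status(ip, suffix, resolver)
        if code is not None:
            offense = STATUS_MEANINGS.get(code, "unknown offense")
            listed_reason = f"{suffix} answered 127.0.0.{code} ({offense})"
            break  # the first matching rule decides
    exception_set = {e.lower() for e in exceptions}
    decisions: Dict[str, Tuple[bool, str]] = {}
    for rcpt in recipients:
        key = rcpt.lower()
        if listed_reason is None:
            decisions[key] = (True, "connecting IP address not on any block list")
        elif key in exception_set:
            decisions[key] = (True, f"listed ({listed_reason}) but recipient is an exception")
        else:
            decisions[key] = (False, listed_reason)
    return decisions
```

Two details matter in practice: the lookup must fail closed on malformed input rather than silently building a bogus name (hence the ipaddress validation), and any answer outside 127.0.0.0/24 is treated as "not listed", which protects you from a provider zone that starts returning unrelated records.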
How Outlook 2003 and Exchange 2003 Evaluate Unsolicited Commercial E-Mail

The process to determine if an e-mail message is unsolicited
The following steps describe the process by which Outlook 2003 and
Exchange 2003 evaluate an e-mail message to determine if it is unsolicited
commercial e-mail. This process is for unauthenticated e-mail messages only—
it does not apply to internal e-mail messages:
1. When an e-mail message is received by the transport, the IP address is
evaluated against the Accept or Deny lists. If a match is found on the Deny
list, the message is stopped at the protocol level.
2. If the IP address is not on the Accept or Deny list, the e-mail message is
evaluated against a block list. If a match is found on the block list, the
message is stopped at the protocol level.
3. The e-mail message is evaluated against any third-party anti-junk e-mail
products or plug-ins that are configured at the transport layer. The third-
party product analyzes the message and assigns it a Spam Confidence Level
value that indicates the degree to which the message can be considered
unsolicited commercial e-mail.
4. The e-mail message is moved into the information store and, based on its
Spam Confidence Level value and how user settings are configured in
Outlook, it is either delivered to a folder or deleted. Outlook evaluates the
e-mail message based on the following considerations:
• The message is delivered if it is from a sender in the user’s Contacts
folder, in the Global Address List (GAL), or on the Trusted Senders or
Trusted Recipients list.
• If the sender is not listed in the user’s Contacts folder, in the GAL, or on
the Trusted Senders or Trusted Recipients list, the message is checked
against the Junk Senders list. If a match is found, the message is sent to
the Junk E-mail folder.
• If the message has not been stopped, it is then passed through the junk
e-mail filter. The filter ranks the message on a scale from 1 to 10 (1
indicates that the message is junk e-mail and 10 indicates that it is not
junk e-mail). When the filter is set to Low, any message ranked below 4
is sent to the Junk E-mail folder. When the filter is set to High, any
message ranked below 7 is sent to the Junk E-mail folder.
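The mailbox-side part of this process (step 4), written out as an added Python example; it is not code from the course or from Outlook, and the class and function names are ours. The sample addresses are constructed. The Trusted List Only level, which the module names but does not describe, is handled on an assumption: a message that does not come from a trusted source goes to Junk E-mail.

```python
from dataclasses import dataclass, field
from typing import Iterable, Set

# Thresholds stated in the module: with the filter set to Low, any message
# ranked below 4 goes to Junk E-mail; with High, anything below 7 does.
JUNK_RANK_THRESHOLDS = {"Low": 4, "High": 7}


@dataclass
class MailboxJunkSettings:
    """Per-user Junk E-mail configuration (constructed names, not Outlook's API)."""
    protection_level: str = "Low"  # "Low", "High" or "Trusted List Only"
    contacts: Set[str] = field(default_factory=set)
    trusted_senders: Set[str] = field(default_factory=set)
    trusted_recipients: Set[str] = field(default_factory=set)
    junk_senders: Set[str] = field(default_factory=set)


def _norm(address: str) -> str:
    return address.strip().lower()


def sender_is_trusted(sender: str, recipients: Iterable[str],
                      settings: MailboxJunkSettings, gal: Set[str]) -> bool:
    """Delivered outright: sender in Contacts, the GAL or Trusted Senders,
    or the message addressed to someone on Trusted Recipients."""
    trusted = {_norm(a) for a in settings.contacts | settings.trusted_senders | gal}
    if _norm(sender) in trusted:
        return True
    trusted_rcpts = {_norm(t) for t in settings.trusted_recipients}
    return any(_norm(r) in trusted_rcpts for r in recipients)


def classify_message(sender: str, recipients: Iterable[str], filter_rank: int,
                     settings: MailboxJunkSettings, gal: Set[str]) -> str:
    """Return the folder the message lands in: 'Inbox' or 'Junk E-mail'.

    filter_rank is the junk e-mail filter's score, 1 (junk) to 10 (not junk).
    """
    if not 1 <= filter_rank <= 10:
        raise ValueError("filter rank must be between 1 (junk) and 10 (not junk)")
    # Step 4a: trusted sources are delivered without further checks
    if sender_is_trusted(sender, recipients, settings, gal):
        return "Inbox"
    # Step 4b: anyone on the Junk Senders list goes straight to Junk E-mail
    if _norm(sender) in {_norm(j) for j in settings.junk_senders}:
        return "Junk E-mail"
    # Assumption: at Trusted List Only, nothing else reaches the Inbox
    if settings.protection_level == "Trusted List Only":
        return "Junk E-mail"
    # Step 4c: compare the filter's rank against the configured level
    if settings.protection_level not in JUNK_RANK_THRESHOLDS:
        raise ValueError(f"unknown protection level: {settings.protection_level}")
    return "Junk E-mail" if filter_rank < JUNK_RANK_THRESHOLDS[settings.protection_level] else "Inbox"
```

The ordering is the point: a sender on Trusted Senders is delivered even with a rank of 1, and a sender on Junk Senders is junked even with a rank of 10, so the lists override the statistical filter in both directions.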
How to Configure the Junk E-Mail Feature

To configure the Junk E-mail feature
The high-level steps to configure the Junk E-mail feature in Outlook 2003 are
as follows:
1. On the Tools menu, click Options.
2. On the Preferences tab, click Junk E-mail.
3. Configure the level of protection (such as Low, High, or Trusted List Only),
and then configure Trusted Senders, Trusted Recipients, and Junk Senders.

To enable connection filtering
The high-level steps to enable connection filtering in Exchange 2003 are as
follows:
1. In Exchange System Manager, configure the Connection Filtering tab on
the global Message Delivery object.
2. Apply the filter at the SMTP virtual server level by selecting Advanced on
the General tab of the SMTP virtual server object.

Detailed steps for enabling connection filtering in Exchange are included in the
practice that follows.
Practice: Configuring Exchange to enable connection filtering
In this practice, you will configure Exchange to enable connection filtering.
! To prepare for this practice
1. Start up 2400_London-Virtual PC, if not already started.

Note This procedure may take 5 minutes to complete before you can
continue.

2. Log on as NWTraders\LondonAdmin with a password of P@ssw0rd.
3. Run the script entitled “2400B_03_Setup.vbs” located in the
C:\MOC\2400\practices\Mod03 folder.
4. If not already open, open Outlook Web Access by using Microsoft Internet
Explorer to open the URL http://london/exchange/londonadmin. When
prompted for credentials, use nwtraders\londonadmin with a password of
P@ssw0rd.
5. Read the message with the subject “Configuring Security” from your team
lead, Samantha Smith.

! To enable connection filtering
1. In Exchange System Manager, click Global Settings.
2. In the details pane, right-click Message Delivery, and then click
Properties.
3. In the Message Delivery Properties dialog box, click Connection
Filtering.
4. On the Connection Filtering tab, click Add.
5. In the Connection Filtering Rule dialog box, in the Display Name box,
type Blocklist Provider and in the DNS Suffix of Provider box, type
msftblocklist99999.msft and then click OK.
6. In the Message Delivery Properties dialog box, click OK.
7. In the Exchange System Manager informational dialog box, read the
message referring to enabling the connection filter, and then click OK.
8. In Exchange System Manager, in the console tree, browse to
Administrative Groups\First Administrative Group\Servers\London\
Protocols\SMTP, and then click SMTP.
9. In the details pane, right-click Default SMTP Virtual Server, and then
click Properties.
10. In the Default SMTP Virtual Server Properties dialog box, on the
General tab, click Advanced.
11. In the Advanced dialog box, click Edit.
12. In the Identification dialog box, select the Apply Connection Filter check
box, and then click OK.
13. In the Advanced dialog box, verify that Filter Enabled is set to Yes, and
then click OK.
14. In the Default SMTP Virtual Server Properties dialog box, click OK.

What would you do differently if you wanted to make an exception for
recipients that send e-mail to your users from blocked domains?
On the Message Delivery Properties dialog box, you would
configure an exception list to the block list service rules. This
allows you to add the SMTP address for users that you want to
continue to receive messages from, even if they are on the block list.
Guidelines for Securing Mailboxes

Guidelines
Because user mailboxes, mailbox features, and mailbox content are often one of
the greatest security risks within any company, when developing a security
strategy for Exchange 2003, you should consider the following guidelines:
! Prevent users outside your Exchange organization from receiving out-of-
office e-mail messages. You can configure the default SMTP policy or
create SMTP policies on a domain-by-domain basis to not reply to or
forward out-of-office messages to the Internet.
! Prevent users from receiving unsolicited e-mail. You can create a message
filter and then apply that filter to each applicable virtual server. You can
filter a message by:
• E-mail sender.
• E-mail recipient.
• E-mail domain.
! Prevent users from receiving e-mail from unidentified or predetermined
domains. You can configure virtual servers to deny messages from
unidentified domains or from any domain that you choose.
! Prevent distribution lists from being used by unauthorized users. You can
configure distribution lists to accept e-mail only from authenticated users.
! Limit access to e-mail content by digitally signing and encrypting e-mail
messages. You can digitally sign and encrypt e-mail messages to ensure that
only the intended recipient views the message content.
! Prevent junk e-mail by searching incoming and outgoing e-mail for specific
words, phrases, and senders. You can configure Outlook Web Access and
Outlook 2003 to determine how junk e-mail is managed.
What Is Recipient and Sender Filtering?

You can block unwanted e-mail based on IP addresses, sender and recipient
e-mail addresses, or e-mail domains. You can also block e-mail by configuring
Accept and Deny lists. These lists can be configured through the global
Message Delivery object and then applied to individual virtual servers.
What is recipient filtering?
Recipient filtering is a method that can be used for reducing unsolicited
commercial e-mail by filtering inbound e-mail based on the recipient. You can
filter e-mail that is addressed to users who are not found in the Microsoft Active
Directory® directory service, or to whom the sender does not have permission
to send e-mail. Any incoming e-mail that matches this criterion is then
rejected at the protocol level by Exchange, which returns a 550 error during the
SMTP session. You can also use recipient filtering to filter messages that are
sent to a number of well-defined recipients, such as root@domain and
inet@domain, a practice that is indicative of unsolicited commercial e-mail.

Note Recipient filtering rules only apply to anonymous connections.
Authenticated users and other Exchange servers bypass these rules.

What is sender filtering?
Sender filtering reduces unsolicited commercial e-mail by filtering inbound
e-mail based on the sender of the e-mail. Sender filtering enables you to create
filters that specify how e-mail messages are managed, based on the sender of
the message. For example, you can filter messages that are sent by specific
users or messages that are sent without sender addresses. You can archive
filtered messages or drop the connection if the sender’s address matches the
filter.
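Recipient and sender filtering as seen on the wire, as an added Python example that is not part of the course materials and calls no Exchange API. It simulates the MAIL FROM and RCPT TO exchange of one inbound session against a constructed directory and a filter configuration modelled on the two tabs. The 550 reply for a filtered recipient is the one the module names; the 554 reply for a filtered sender and the exact reply wording are illustrative, and the authenticated-connection bypass, which the module states for recipient filtering, is assumed here to apply to sender filtering as well.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed directory: the SMTP addresses that exist in Active Directory.
CONSTRUCTED_DIRECTORY: Set[str] = {
    "londonadmin@nwtraders.msft",
    "samantha.smith@nwtraders.msft",
}


@dataclass
class FilterConfig:
    """Settings modelled on the Sender Filtering and Recipient Filtering tabs (field names are ours)."""
    blocked_senders: Set[str] = field(default_factory=set)
    filter_blank_sender: bool = True
    drop_connection_on_sender_match: bool = False
    archive_filtered: bool = False  # accept the message and keep a copy for review instead of refusing it
    filter_unknown_recipients: bool = True  # recipients not found in Active Directory
    blocked_recipients: Set[str] = field(default_factory=set)  # e.g. root@domain, inet@domain


@dataclass
class SessionResult:
    transcript: List[Tuple[str, str]] = field(default_factory=list)  # (client command, server reply)
    accepted_recipients: List[str] = field(default_factory=list)
    archived: bool = False  # message accepted only to be archived, not delivered
    connection_dropped: bool = False


def _norm(addr: str) -> str:
    return addr.strip().lower()


def sender_filter_reason(mail_from: str, cfg: FilterConfig) -> Optional[str]:
    """Sender filtering: a blank sender or a sender on the filter list."""
    s = _norm(mail_from)
    if s == "" and cfg.filter_blank_sender:
        return "blank sender"
    if s in {_norm(b) for b in cfg.blocked_senders}:
        return "sender on filter list"
    return None


def recipient_filter_reason(rcpt: str, cfg: FilterConfig, directory: Set[str]) -> Optional[str]:
    """Recipient filtering: well-known junk recipients or addresses that do not exist."""
    r = _norm(rcpt)
    if r in {_norm(b) for b in cfg.blocked_recipients}:
        return "recipient on filter list"
    if cfg.filter_unknown_recipients and r not in {_norm(d) for d in directory}:
        return "recipient not found in Active Directory"
    return None


def run_session(authenticated: bool, mail_from: str, rcpt_tos: List[str],
                cfg: FilterConfig, directory: Set[str]) -> SessionResult:
    """Simulate the MAIL FROM / RCPT TO part of one inbound SMTP session.

    Authenticated users and other Exchange servers bypass the filters, as the
    module states for recipient filtering (assumed here for sender filtering too).
    """
    res = SessionResult()
    mail_cmd = f"MAIL FROM:<{mail_from}>"
    reason = None if authenticated else sender_filter_reason(mail_from, cfg)
    if reason is not None:
        if cfg.drop_connection_on_sender_match:
            res.transcript.append((mail_cmd, "(connection dropped)"))
            res.connection_dropped = True
            return res
        if not cfg.archive_filtered:
            # Reply text is illustrative; the module does not quote Exchange's own wording.
            res.transcript.append((mail_cmd, f"554 Sender denied ({reason})"))
            return res
        res.archived = True  # accepted so that a copy can be archived; it will not be delivered
    res.transcript.append((mail_cmd, "250 OK"))

    for rcpt in rcpt_tos:
        rcpt_cmd = f"RCPT TO:<{rcpt}>"
        reason = None if authenticated else recipient_filter_reason(rcpt, cfg, directory)
        if reason is None:
            res.transcript.append((rcpt_cmd, "250 OK"))
            res.accepted_recipients.append(_norm(rcpt))
        else:
            # The module: matching recipients are rejected at the protocol level with a 550
            res.transcript.append((rcpt_cmd, f"550 Recipient rejected ({reason})"))
    return res
```

Rejecting at RCPT TO rather than after DATA is what saves the bandwidth and store resources the lesson opened with, since the message body is never transferred; it also means the sending system sees the 550 immediately, which is why the module notes the performance cost of enabling these checks on every anonymous connection.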
How to Create and Apply Recipient and Sender Filtering

To create and apply recipient filtering
The high-level steps for creating and applying recipient filtering are as follows:
1. In Exchange System Manager, configure the Recipient Filtering tab on the
global Message Delivery object.
2. Apply the filter at the SMTP virtual server level by selecting Advanced on
the General tab of the SMTP Virtual Server object.

Detailed steps for creating and applying recipient filtering are included in the
practice “Blocking E-Mail Addresses and Domains,” later in this lesson.
To create and apply The high-level steps for creating and applying sender filtering are as follows:
sender filtering
1. In Exchange System Manager, configure the Sender Filtering tab on the
global Message Delivery object.
2. Apply the filter at the SMTP virtual server level by selecting Advanced on
the General tab of the SMTP Virtual Server object.

Note Configuring recipient or sender filtering will impact the performance of your Exchange server. You should consider this impact when determining whether it is appropriate to enable filtering.

Detailed steps for creating and applying sender filtering are included in the practice that follows.

Practice: Blocking e-mail addresses and domains
In this practice, you will configure Exchange to block e-mail addresses and domains.
1. In Exchange System Manager, in the console tree, click Global Settings.
2. In the details pane, right-click Message Delivery, and then click
Properties.
3. In the Message Delivery Properties dialog box, click Sender Filtering.

4. On the Sender Filtering tab, click Add.
5. In the Add Sender dialog box, type nodebt4u@contoso.msft and then click OK.
6. In the Message Delivery Properties dialog box, click OK.
7. In the Exchange System Manager dialog box, click OK to acknowledge
that this filter must be enabled on the virtual server.
8. In Exchange System Manager, in the console tree, browse to
Administrative Groups\First Administrative Group\Servers\London\
Protocols\SMTP, and then click SMTP.
9. In the details pane, right-click Default SMTP Virtual Server, and then
click Properties.
10. In the Default SMTP Virtual Server Properties dialog box, click Access.
11. On the Access tab, click Connection.
12. In the Connection dialog box, click Add.
13. In the Computer dialog box, click Domain, type
evildomainspamsender99999.msft and then click OK.
14. In the Connection dialog box, click OK.
15. In the Default SMTP Virtual Server Properties dialog box, click
General.
16. On the General tab, click Advanced.
17. In the Advanced dialog box, click Edit.
18. In the Identification dialog box, select the Apply Sender Filter check box
and then click OK.
19. In the Advanced dialog box, click OK.
20. In the Default SMTP Virtual Server Properties dialog box, click OK.

You would like to retain a copy of messages that are filtered by your sender filter. How can you enable Exchange to keep these messages?
In the Message Delivery Properties dialog box, on the Sender Filtering tab, select the Archive filtered messages check box.

Guidelines for Cleaning E-Mail of Viruses



Guidelines
If your company has detailed procedures for creating a virus-clean network environment after a virus has attacked your messaging system, you should use those procedures. However, if your company has not developed specific procedures, you can use the following steps to create procedures, customized for your particular situation, to remove viruses from your network:
1. Shut down all of the Internet gateways to stop the influx of the virus into
your organization.
2. Instruct your Exchange users to install the latest fixes and security patches
on their client computers.
3. Clean all the Exchange components that were infected by the virus. Because
different viruses affect different Exchange components, you should check
the Microsoft Security Web site for patches or fixes, and the corresponding
instructions, about how to clean the components, such as the information
store, the message transfer agent (MTA), and the transport.
4. Install the latest signature files on your servers that are running Exchange
and your client workstations. Run a manual scan of your Exchange servers
and your client workstations.
5. If your client or server software is configured to quarantine (or hold)
messages, evaluate the quarantine folder and remove any files that are
infected.
6. To avoid re-infection, complete all of the preceding steps before you turn on
your Internet gateways.

Tip Even if you follow the preceding steps, your messaging system can be
re-infected with a virus. For example, after you clean your messaging system,
an employee returning from time off could inadvertently infect the system again
when opening a piece of e-mail that contains the virus.

Lesson: Implementing Digital Signature and Encryption Capabilities



Introduction
This lesson describes what digital signature and encryption are, and then explains how these capabilities enhance Exchange 2003 security. The lesson then explains how a public key infrastructure (PKI) is used to send digitally signed and encrypted e-mail messages, and describes the components of a PKI. Finally, this lesson describes how the enrollment process enables digital signature and encryption capabilities.

Lesson objectives
After completing this lesson, you will be able to:
• Explain the purpose of digital signature and encryption capabilities.
• Explain the purpose of a PKI.
• Describe the PKI components that enable digital signature and encryption capabilities.
• Describe how the enrollment process enables digital signature and encryption capabilities.
• Describe the process of creating and deploying digital signature and encryption certificates.
• Configure digital signature and encryption capabilities.

What Are Digital Signature and Encryption Capabilities?



Users depend on their messaging systems to provide secure communication and business transactions. Digital signature and encryption capabilities enable you to secure your messaging system by protecting e-mail messages from modification and inspection as the messages travel from the sender to the receiver.

What is a digital signature?
You can protect e-mail messages against undetected modification by using a digital signature. A digital signature is a value computed over the message with the sender's private key and attached to the message; anyone who holds the sender's certificate can verify it with the corresponding public key. A valid signature establishes two things: that the message was signed by the holder of that private key, so the sender is really who he or she claims to be, and that the signed content has not changed by a single bit since it was signed. Digital signatures are therefore a key component of most authentication methods.

What is encryption?
You can protect e-mail messages against inspection by using encryption. Encryption is a cryptographic technique that translates the contents of an e-mail message into a form that is unreadable without the right key. There are many different types of encryption. Exchange uses public key encryption, which uses two keys: a public key, which can be known to everyone, and a private key, which is known only to the recipient of the message.

Example of encryption
For example, when User A wants to send a secure message to User B, User A uses the public key of User B to encrypt the message. User B then uses his or her private key to decrypt User A's message. A message that is encrypted with a public key can be decrypted only with the corresponding private key, and it is computationally infeasible to derive the private key from the public key. In practice, S/MIME does not encrypt the whole message with the public key: it encrypts the message with a randomly generated symmetric content-encryption key, and then encrypts only that key with the public key of each recipient, which is why one message can be addressed to several recipients without being encrypted several times.

Benefits of digital signature and encryption capabilities
Exchange 2003, Outlook, and Outlook Web Access implement digital signature and encryption capabilities by using Secure/Multipurpose Internet Mail Extensions (S/MIME), the standard for signing and encrypting MIME message content. Digital signature and encryption capabilities enable you to strengthen the security of your Exchange 2003 organization by:
• Protecting e-mail from being read by anyone other than the intended recipients while the message is in transit, and while the message is stored either on the client in a .pst file or on the Exchange server in the mailbox store. Because the content is encrypted end to end, it is also unreadable to server-side processes: virus scanning and content filtering on the server cannot inspect an encrypted message, so the client-side scanner becomes the only line of defense for its attachments.
• Making any alteration of the signed content by anyone other than the sender detectable, while the message is in transit and while it is stored on the client or on the server. A signature does not stop a message from being changed; it guarantees that a changed message will fail verification.
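The sign-then-encrypt flow described in the encryption example and the benefits above, as an added example that is not Exchange, Outlook or S/MIME library code. The primitives are deliberately toys (textbook RSA without padding, and a hash-derived keystream standing in for the symmetric content cipher), so the block shows the structure S/MIME uses, not a cipher suite to deploy: User A signs with A's private key, the message and signature are encrypted under a random content key, and only that key is encrypted to B's public key. The key sizes, message text and framing separator are constructed for the example.

```python
"""Sign-then-encrypt with toy RSA and a hash-based stream cipher (added example)."""
import hashlib
import secrets

SEPARATOR = b"\n--signature--\n"   # constructed framing between content and signature


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with the top bit set, so that p*q has the intended size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=1024):
    """Enrollment step 1: the applicant generates (public, private). Only the public
    half ever goes into a certificate request. Returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def sign(private_key, message):
    """Digital signature: hash the message, then apply the sender's private key."""
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)


def verify(public_key, message, signature):
    """Check with the sender's public key; any change to the message changes the hash."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")


def keystream_xor(key, data):
    """Toy symmetric cipher: XOR with SHA-256(key || block counter). Stands in for the
    content-encryption algorithm S/MIME negotiates (3DES or AES in practice)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_for(recipient_public, plaintext):
    """Hybrid encryption: a random content key protects the data; only that key is
    encrypted with the recipient's public key (one wrapped key per recipient)."""
    n, e = recipient_public
    content_key = secrets.token_bytes(16)
    return pow(int.from_bytes(content_key, "big"), e, n), keystream_xor(content_key, plaintext)


def decrypt_with(recipient_private, wrapped_key, ciphertext):
    """Only the matching private key unwraps the content key."""
    n, d = recipient_private
    key_int = pow(wrapped_key, d, n)
    if key_int >= 1 << 128:
        raise ValueError("content key did not unwrap: wrong private key")
    return keystream_xor(key_int.to_bytes(16, "big"), ciphertext)


def send(sender_private, recipient_public, message):
    """User A signs with A's private key, then encrypts message + signature to B."""
    signature = sign(sender_private, message).to_bytes(256, "big")
    return encrypt_for(recipient_public, message + SEPARATOR + signature)


def receive(recipient_private, sender_public, wrapped_key, ciphertext):
    """User B decrypts with B's private key, then verifies with A's public key."""
    payload = decrypt_with(recipient_private, wrapped_key, ciphertext)
    message, _, signature = payload.rpartition(SEPARATOR)
    return message, verify(sender_public, message, int.from_bytes(signature, "big"))


if __name__ == "__main__":
    pub_a, priv_a = generate_keypair()
    pub_b, priv_b = generate_keypair()
    wrapped, body = send(priv_a, pub_b, b"Wire the funds to account 12345.")
    print(receive(priv_b, pub_a, wrapped, body))                     # (..., True)
    print(receive(priv_b, pub_a, wrapped, bytes([body[0] ^ 1]) + body[1:]))  # (..., False)
```

The tampered case is the point of the second benefit above: flipping one ciphertext bit still decrypts, but the recovered text no longer matches the signed hash, so the recipient learns that the content was altered rather than silently trusting it.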

What Is a PKI?



A PKI is a set of policies, services, and administrative tools that establishes a secure method for exchanging information and that is used for creating, deploying, and managing public key-based applications. A PKI combines cryptographic methods with a management system that binds identities to public keys, so that you can identify users and securely exchange data, for example by sending digitally signed and encrypted e-mail messages.

What Are the PKI Components That Enable Digital Signature and
Encryption Capabilities?



PKI components
A PKI includes the components that enable digital signature and encryption capabilities, as shown in the following table.

PKI component                       Description
Digital certificate                 Binds the identity of a user, computer, or service to a public key, signed
                                    by a CA, so that the public key can be trusted for authentication, signing,
                                    and encryption.
Certification Authority (CA)        Issues certificates to users, computers, and services, and then manages
                                    them (renews and revokes them).
Certificate templates               Define the content and purpose of a certificate. Usually one certificate
                                    template is created for digital signature capabilities and one is created
                                    for encryption capabilities; however, one certificate template can be
                                    created for both capabilities.
Certificate revocation list (CRL)   Lists the certificates that are revoked by a CA before the certificates
                                    reach their scheduled expiration date.
Certificate publication points      Provide locations where certificates and CRLs are made publicly available.
and CRL distribution points         Certificates and CRLs can be made available through a directory service,
                                    such as X.500 or Lightweight Directory Access Protocol (LDAP), or through
                                    directories that are specific to the operating system and Web servers.
                                    Every client that validates a certificate must be able to reach the CRL
                                    distribution point named in it, including clients on the Internet, or
                                    revocation checking fails.
Certificate and CA                  Manage issued certificates, publish CA certificates and CRLs, configure
management tools                    CAs, import and export certificates and keys, and recover archived private
                                    keys.
Applications and services           Use certificates for e-commerce and secure network access by means of
that are enabled by public keys     digital signature and encryption capabilities.
Certificate servers                 Enable you to create, issue, and manage certificates by using Microsoft
                                    Certificate Services. Using Certificate Services on Microsoft Windows
                                    Server™ 2003 with Exchange 2003 integrates all of the certificate
                                    functionality into a single service, rather than relying on multiple
                                    services, such as Microsoft Key Management Service, which was required in
                                    previous versions of Exchange. The benefits of certificate servers include:
                                    • Issuing certificates from a single, archived location.
                                    • Maintaining an archived copy of users' encryption private keys on the
                                      server (key archival), so that a user who loses the local copy can
                                      recover it and still read previously encrypted mail. Signing private
                                      keys should never be archived: a recovered signing key would let someone
                                      other than the user produce valid signatures.
                                    • Enabling automatic certificate deployment to users with valid
                                      credentials.
                                    • Importing archived private keys and certificates into a CA.

Note For more information about PKI, read Module 5, "Using a PKI to Secure Information," in Course 2810, Fundamentals of Network Security, and Course 2821, Designing and Managing a Public Key Infrastructure, or see Security Services on the Windows Server 2003 Technology Centers Web site at http://www.microsoft.com/windowsserver2003/technologies/.

How the Enrollment Process Enables Digital Signature and Encryption Capabilities



The enrollment process
The enrollment process is the process of requesting and issuing a certificate. Although the enrollment process varies with the CA that is used, and its policies, the following steps outline the general process:
1. Applicant generates a key pair. The applicant generates a public and private key pair, or is assigned a key pair by some authority in the company. The applicant stores the key pair locally, either on the disk subsystem or on a hardware device, such as a smart card. A smart card keeps the private key from ever being exported, which is the strongest protection for a signing key.
2. Applicant sends the certificate request to the CA. The applicant provides the information that is required by the certificate template and sends the certificate request to the CA. The certificate request includes the public key that was generated at the requesting computer; the private key never leaves the applicant's key store.
3. Certificate administrator reviews the request. A certificate administrator reviews the certificate request to verify the applicant's information. Based on the information presented, the certificate administrator either issues or denies the certificate request. With auto-enrollment, the template's permissions and the CA's policy module make this decision automatically, so the Enroll permission on the template is what decides who can obtain a certificate.
4. Upon approval, the CA issues the certificate. The CA creates the certificate and issues it to the applicant that requested it. The certificate is signed by the CA to prevent modification, and it includes the applicant's identifying information and the submitted public key as attributes of the issued certificate.

The Process of Creating and Deploying Digital Signature and Encryption Certificates



Process
You use the following process to enable users to digitally sign and encrypt e-mail messages:
1. Create the certificate templates.
2. Configure an enterprise CA to enable key recovery.
3. Deploy the certificates by using auto-enrollment settings.
4. Verify the Outlook configuration.

How to Configure Digital Signature and Encryption Capabilities



To configure Outlook
After deploying the digital signing and encryption certificates, you can configure Outlook to use the certificates to enable digital signature and encryption capabilities. The steps to configure Outlook are as follows:
1. Open Outlook.
2. On the Tools menu, click Options.
3. In the Options dialog box, click the Security tab, and then in the Encrypted box, click Settings.
4. In the Change Security Settings dialog box, in the Security Settings Name box, type a logical name for the e-mail digital certificate.
5. In the Certificates and Algorithms box, in the Signing Certificate box, select a signing certificate, and then in the Hash Algorithm box, select an algorithm.
6. In the Certificates and Algorithms box, in the Encryption Certificate box, select an encryption certificate, and then in the Encryption Algorithm box, select an algorithm.
7. Click OK to close the Change Security Settings dialog box.
8. On the Security tab, in the Encrypted box, select or clear the following check boxes:
   • Encrypt contents and attachments for outgoing messages
   • Add digital signature to outgoing messages
   • Send clear text signed message when sending signed messages
   • Request S/MIME receipt for all S/MIME signed messages
9. Click OK to close the Options dialog box.

Caution If you receive a single multipurpose certificate, you can designate the same certificate in both the Signing Certificate box and the Encryption Certificate box. Prefer separate certificates where key archival is used: the encryption private key is archived by the CA so that mail can be recovered, whereas the signing private key must exist only with the user, and one certificate cannot satisfy both requirements.

Practice: Implementing digital signature and encryption capabilities on Exchange
In this practice, you will configure Exchange to allow users to digitally sign and encrypt messages:
1. From the desktop, click Start, point to Administrative Tools, and then click Certification Authority.
2. In Certification Authority, expand Northwind Traders CA.
3. In the console tree, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
4. In the Enable Certificate Templates dialog box, click Exchange User and then click OK.
5. In Certification Authority, right-click Certificate Templates and then click Manage.
6. In the certtmpl - [Certificate Templates] console, in the details pane, right-click Exchange User and then click Properties.
7. In the Exchange User Properties dialog box, click Security.
8. On the Security tab, in the Group or user names box, click Authenticated Users, in the Permissions for Authenticated Users box, for the Enroll permission, select the Allow check box, and then click OK.
9. Close the Certificate Templates console and close Certification Authority.

Why did you grant authenticated users the enroll permission?
For users to be able to sign and encrypt e-mail messages, they must be enrolled for a certificate. If you do not grant authenticated users permission to enroll themselves, an administrator with permission will need to enroll the users.

Lesson: Configuring Firewalls



Introduction
This lesson provides an overview of firewalls and explains the options for reducing Transmission Control Protocol (TCP) and IIS port exposure. The lesson then explains the recommended options for connecting to an Exchange server when a firewall separates the server and a MAPI client.

Lesson objectives
After completing this lesson, you will be able to:
• Explain the purpose of a firewall.
• Explain what a TCP port is and which ports can be shut down.
• Describe the IIS ports that are used by Exchange.
• Describe the options for connecting a MAPI client to an Exchange server when separated by a firewall.
• Describe the recommended options for connecting a MAPI client to an Exchange server when separated by a firewall.
• Explain how a MAPI e-mail client uses remote procedure call (RPC) through a firewall to connect to servers running Exchange Server 2003.

What Is a Firewall?



A firewall is a system that prevents unauthorized users from gaining access to private networks (intranets) that are connected to other networks. Normally, firewalls are used to keep external users on the Internet from accessing an internal corporate network. All traffic entering or leaving the intranet, including the SMTP connections that carry e-mail, passes through the firewall, which examines each connection or packet and blocks those that do not meet the specified security criteria. Placing a firewall between the Internet and your servers reduces your chances of experiencing an external attack that could compromise your servers running Exchange. A packet-filtering firewall decides by address, port, and protocol and does not look at message content, so it complements rather than replaces the virus scanning and the sender and recipient filtering described earlier in this module.

Techniques for protecting a network
Firewalls use several techniques, often simultaneously, to protect your network. Two of these techniques are:
• Packet filtering. This technique reviews each packet (or piece of data) entering or leaving the network against rules on source and destination address, protocol, and port.
• Proxy servers. A proxy terminates the client's connection and opens a separate connection to the internal server on the client's behalf, which hides the true network addresses and exposes only the protocol the proxy understands.

What Is a TCP Port?



TCP is a protocol that enables two hosts to establish a connection and exchange streams of data by grouping data into segments and then passing those segments to IP for delivery. A TCP port is an abstract endpoint, identified by a 16-bit number, that provides a specific location for the delivery of TCP segments. Well-known ports are assigned to the specific applications or services that use TCP. For example, Hypertext Transfer Protocol (HTTP) services use TCP port 80, whereas SMTP uses TCP port 25.
Because listening TCP ports are the entry points through which network services are attacked, the general method for securing network applications and services is to restrict which hosts can connect to the ports that are associated with those applications and services. Restricting connections to a port is referred to as TCP port filtering, and it enables you to control the type of network traffic that reaches your Exchange servers and network devices. Applying TCP port filters to intranet and Internet servers insulates those servers from many TCP/IP-based attacks, although it does nothing against an attack carried inside the traffic that you do allow, such as a malicious attachment arriving over port 25.
Options for reducing TCP port exposure
You can use the following options to reduce TCP port exposure:
• Use perimeter networks. You can place a front-end server, or a server that receives SMTP messages, in a perimeter network. (A perimeter network is a network that sits between the Internet and the intranet.) A front-end server is a server running Exchange that does not host a mailbox or public folder information store. You can then configure the outside firewall to filter or block nonessential TCP ports. Keep in mind that a front-end server is still a domain member that must reach domain controllers and global catalog servers through the inside firewall, so those ports must be opened between the perimeter network and the internal network.
• Use a smart host. You can place a dedicated SMTP server running Windows 2000 Server or Windows Server 2003 in a perimeter network to function as a smart host. (A smart host is an SMTP relay that provides a store-and-forward service.) A smart host reduces the possibility of compromising Exchange or exploiting Active Directory, because there is no Exchange data or Active Directory information on that server to be compromised.

• Use a firewall to filter Internet traffic. You can use a firewall to allow only essential Internet traffic to pass through each TCP port that you specify. For example, you can configure your network to allow only SMTP (port 25) traffic to pass through your firewall, thereby preventing connections on all of the other ports. You can also connect a server running Exchange 2000 or Exchange 2003 to the Internet by using an SMTP virtual server. In this configuration, the server running Exchange accepts connections only on port 25, because the firewall blocks all of the other ports.
• Use a firewall to maintain Internet connectivity. Although you can use firewalls in an Exchange environment, for remote clients and servers to communicate with your network through a firewall, you must open the ports that Exchange supports, and only those.

Note Microsoft recommends deploying Microsoft Internet Security and Acceleration (ISA) Server in your perimeter network to route all Internet traffic through a single server to protect servers that are inside your Exchange organization. Although the use of ISA Server requires more setup time and planning than a direct Internet connection, it increases security.

Exchange 2003 ports and services
An effective security strategy identifies the ports that are associated with each service that your Exchange 2003 organization uses. To reduce your system's exposure to intruders, shut down access to ports that you are not using and filter any remaining ports. The following table lists the Exchange 2003 ports and their associated services.

Port            Service
25              SMTP
80              HTTP
88              Kerberos authentication protocol
102             MTA: X.400 connector over TCP/IP
110             Post Office Protocol 3 (POP3)
119             Network News Transfer Protocol (NNTP)
135             RPC endpoint mapper: client/server communication, RPC, Exchange administration
143             Internet Message Access Protocol (IMAP)
389             LDAP
443             HTTP over Secure Sockets Layer (SSL)
563             NNTP over SSL
636             LDAP over SSL
993             IMAP4 over SSL
995             POP3 over SSL
3268 and 3269   Global catalog lookups (3269 over SSL)

Port 135 is only the RPC endpoint mapper. The information store and directory services that a MAPI client is then referred to listen on dynamically assigned ports above 1024 unless you configure static ports, as described later in this lesson, so a firewall rule that opens port 135 alone does not make MAPI work.
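A check to go with the table above, added here and not a Microsoft tool: from a host on the other side of the firewall, probe the Exchange-related ports and report any that answer but are not on the allow list for that server's role. The port list is a copy of the table; the allow list for a perimeter front-end server that should accept only SMTP and HTTPS from the Internet is a constructed assumption, as is running it from the command line with a host name argument.

```python
"""Which Exchange-related TCP ports answer on a host, seen from the network (added example)."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# The ports from the table above.
EXCHANGE_PORTS = {
    25: "SMTP", 80: "HTTP", 88: "Kerberos", 102: "X.400 MTA", 110: "POP3",
    119: "NNTP", 135: "RPC endpoint mapper", 143: "IMAP4", 389: "LDAP",
    443: "HTTP/SSL", 563: "NNTP/SSL", 636: "LDAP/SSL", 993: "IMAP4/SSL",
    995: "POP3/SSL", 3268: "Global catalog", 3269: "Global catalog/SSL",
}

# Constructed allow list: a front-end server in the perimeter network that should
# accept only SMTP and HTTPS from the Internet.
FRONT_END_ALLOWED = {25, 443}


def port_open(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes; refused, unreachable,
    or silently dropped by a firewall (timeout) all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host, ports, timeout=1.0):
    """Probe ports in parallel; return {port: is_open}."""
    with ThreadPoolExecutor(max_workers=16) as pool:
        results = pool.map(lambda p: (p, port_open(host, p, timeout)), ports)
    return dict(results)


def unexpected_listeners(scan_result, allowed):
    """Ports that answered although the host's role does not require them."""
    return sorted(p for p, is_open in scan_result.items() if is_open and p not in allowed)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = scan(target, EXCHANGE_PORTS)
    for port in sorted(result):
        state = "open" if result[port] else "closed/filtered"
        print(f"{port:>5}  {EXCHANGE_PORTS[port]:<22} {state}")
    print("unexpected listeners:", unexpected_listeners(result, FRONT_END_ALLOWED))
```

Run it from outside the firewall against the public address of the front-end server; anything reported as an unexpected listener is a port the firewall should be filtering. A probe from inside the perimeter network will, correctly, show more open ports, because the inside firewall rules are different.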

IIS Ports Used by Exchange



In Exchange 2000 and Exchange 2003, the Internet access protocols are removed from the information store and are integrated with IIS. This integration of IIS with Exchange provides the protocols that enable Internet clients to gain access to mailbox data in Exchange, and lets you configure virtual servers for added functionality and scalability. It also means that the IIS security configuration and patch level of an Exchange server are part of the mail system's attack surface.
Protocols supported by Exchange 2000 and Exchange 2003
IIS is automatically installed when you install Windows 2000 Server, but it must be selected when installing Windows Server 2003. Exchange Setup requires that HTTP, SMTP, and NNTP be installed before Exchange is installed. After Exchange is installed, Exchange incorporates IIS capabilities into the Exchange messaging architecture and adds POP3 and IMAP4 to IIS. Internet messaging clients that use these Internet access protocols can communicate with a server running Exchange. These protocols include:
• HTTP. HTTP, the underlying protocol that is used by the Web, defines how messages are formatted and transmitted, and what actions Web servers and browsers take in response to various commands. Exchange supports HTTP to provide Outlook Web Access and Outlook Mobile Access clients with access to Exchange data, such as public folders, mailbox information, and directory searches.
• SMTP. SMTP sends messages between hosts, and it is the default protocol that is used by Exchange 2000 and Exchange 2003 to transfer messages within an organization and to the Internet.
• NNTP. NNTP replicates a large number of messages to host computers. Exchange uses NNTP to gain access to private or public newsgroups. In addition, Exchange uses NNTP to send and receive newsgroup messages between any Request for Comments (RFC)-compliant NNTP client and server.

• POP3. POP3 retrieves messages from a server. For example, Internet messaging clients, such as Outlook Express, use POP3 to retrieve messages from a server, such as Exchange. With POP3, messages are stored on the server until a client requests them. POP3 is a retrieve-only protocol; POP3 clients use SMTP to send messages.
• IMAP4. IMAP4, an advanced protocol, enables users to access public and private folders, search through a mailbox, and store flags on a message to indicate that the message was read. As with POP3, IMAP4 is a retrieve-only protocol; clients use SMTP to send messages.

Note For more information about:
• HTTP, see Request for Comments (RFC) 1945 and RFC 2068.
• SMTP, see RFC 2821 and RFC 2822.
• NNTP, see RFC 977.
• POP3, see RFC 1939 and RFC 1734.
• IMAP4, see RFC 2060.
To read RFCs, see the RFC Web site at http://www.rfc-editor.org/rfc.html.

Options for Connecting a MAPI Client to an Exchange Server When Separated by a Firewall



Options
MAPI clients, such as Outlook, can usually connect to an Exchange 2000 or Exchange 2003 server across a wide area network (WAN). However, if a firewall separates the MAPI client from the server running Exchange, you need to open ports on the firewall so that the client can reach its mailbox and Active Directory. A MAPI client first contacts the RPC endpoint mapper on TCP port 135 and is then referred to whatever dynamically assigned port the information store and the directory service are listening on, so a firewall would otherwise have to pass the whole dynamic RPC port range. To reduce your port exposure, use one of the following configurations to enable users with a MAPI client to connect securely to the server running Exchange:
• Configure static ports. You can configure static port assignments for the information store and the Directory Proxy Service (which provides Exchange clients with access to information that is in Active Directory) by adding entries to the Windows registry. Configuring static ports gives you control over which ports to open on the firewall and lets you block the rest of the dynamic range.

Note For more information on configuring static ports to enable a MAPI client to access Exchange through a firewall, see the articles "Exchange 2000 Static Port Mappings" and "How to Configure a Global Catalog Server to Use a Specific Port When Servicing MAPI Clients" on the Product Support Services page of the Microsoft Web site at http://support.microsoft.com/.

• Configure RPC over HTTP. You can configure RPC over HTTP to enable Outlook 2003 users to connect to an Exchange 2003 server running on Windows Server 2003 by using HTTP or Secure HTTP (HTTPS), so that only the Web port needs to cross the firewall.
• Configure a virtual private network (VPN) connection. You can configure a VPN connection to allow your users to connect to the Exchange server; the MAPI RPC traffic then travels inside the encrypted tunnel, and the firewall needs to pass only the VPN protocol.
• Configure ISA Server. You can configure ISA Server to route all of the Internet traffic through a single ISA server to protect the servers that are inside your Exchange organization.

Recommended Options for Connecting a MAPI Client to an Exchange Server When Separated by a Firewall



Outlook 2003 with Exchange 2003 running on Windows Server 2003 supports RPC over HTTP, which eliminates the need for a VPN connection when a user accesses Exchange information. Users running Outlook 2003 can connect directly to an Exchange server over the Internet by using HTTP or HTTPS, even if both the Exchange server and Outlook are behind firewalls and located on different networks. The RPC traffic is tunnelled inside the HTTP connection, so the firewall sees only a Web connection to the RPC proxy server; use HTTPS so that credentials and mailbox data are not exposed on the way.
When you deploy RPC over HTTP, you configure your Exchange front-end server as an RPC proxy server. The RPC proxy server specifies which ports to use to communicate with the domain controllers, global catalog servers, and all the Exchange servers that the RPC client must reach.

RPC over HTTP deployment options
When you deploy RPC over HTTP in your network, you have the following two options for where to locate your RPC proxy server:
• Locate the RPC proxy server inside the firewall on your network. You can deploy ISA Server in the perimeter network and locate the Exchange front-end server inside the firewall on your network. This option eliminates the need to open the ports for the RPC proxy server to communicate with other computers, because ISA Server is responsible for routing RPC over HTTP requests to the Exchange front-end server, which acts as the RPC proxy server. When using this option, you can configure the RPC proxy server to use all of the ports it needs within the specified range. This is the recommended deployment option.
• Locate the RPC proxy server in the perimeter network. You can locate the RPC proxy server on your Exchange 2003 front-end server in the perimeter network. When using this option, limit the number of ports that the RPC proxy server needs to a specific set of ports, because each of them must be opened on the inside firewall between the perimeter network and the internal network.

Multimedia: Connecting MAPI Clients to Exchange Server Through a Firewall



This presentation shows how MAPI mail clients use RPC to connect through a firewall to servers running Exchange Server 2003.

Instructions
Your instructor will step through the animation to show how MAPI mail clients use RPC. When you have finished viewing the animation, answer the discussion questions that follow and be prepared to discuss your answers with the rest of the class.

Tip To view the presentation Connecting MAPI Clients to Exchange Server Through a Firewall later on your own, open the Web page on the Student Materials compact disc, click Multimedia, and then click the title of the presentation.

Discussion question 1
You are the messaging administrator for Northwind Traders. Northwind Traders is in the process of planning to deploy Exchange Server 2003 on Windows Server 2003. Your current e-mail client is Outlook 2000, but eventually you will be upgrading your users to Outlook 2003. During the initial planning stage of the project, a decision was made that all the users, including remote users, will use Outlook to access their Exchange mailboxes.

You have scheduled a meeting with the network infrastructure group to discuss the impact that this deployment will have on firewall configurations and what changes will need to be made. The network infrastructure group has made it clear that they are only willing to open a limited number of ports on the firewall to support your Outlook clients. What will you need to configure on your servers to allow this?

You can use the Registry Editor to assign static port numbers to be returned to MAPI clients accessing the Exchange store on the server running Exchange and the Name Service Provider Interface (NSPI) on domain controllers and servers running Exchange. After you have configured your domain controllers and your servers running Exchange to respond with static port numbers, enable those ports and the endpoint mapper port on your firewall. This reduces the number of ports that you will need to open in the firewall.
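As an added example that is not part of the course materials, the following PowerShell script audits the static port values that the answer above refers to and prints the inbound TCP ports the firewall team would need to open (the endpoint mapper plus each configured static port). The course text names neither the registry keys nor the value names; the ones used here are the locations Microsoft documents for Exchange 2000/2003 static port mapping (MSExchangeIS\ParametersSystem "TCP/IP Port", MSExchangeSA\Parameters "TCP/IP NSPI Port", and NTDS\Parameters "TCP/IP Port" on domain controllers) and should be treated as an assumption to verify against Microsoft's current documentation. The function names are the example's own.

```powershell
# Added example (not part of the course text): audit the static RPC port
# values that MAPI clients receive from the endpoint mapper, and list the
# inbound TCP ports the firewall must allow. The registry locations are the
# ones Microsoft documents for Exchange 2000/2003 static port mapping; the
# course text does not list them, so treat them as an assumption to verify
# before use on a production server.

$EndpointMapperPort = 135   # clients always contact the endpoint mapper first

# Role, registry key and value name for each static port.
$StaticPortValues = @(
    @{ Role = 'Information store (MAPI)'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'
       Name = 'TCP/IP Port' },
    @{ Role = 'System Attendant NSPI proxy'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters'
       Name = 'TCP/IP NSPI Port' },
    @{ Role = 'Domain controller NSPI'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'TCP/IP Port' }
)

function Get-ExchangeStaticPorts {
    # One object per role. Status is 'not installed' when the service key is
    # absent on this host, 'dynamic' when the key exists but no static port
    # has been set (RPC then picks a port at start-up), otherwise 'static'.
    foreach ($entry in $StaticPortValues) {
        $status = 'not installed'
        $port   = $null
        if (Test-Path -Path $entry.Key) {
            $status = 'dynamic'
            $item = Get-ItemProperty -Path $entry.Key -ErrorAction SilentlyContinue
            if ($item -and $item.PSObject.Properties[$entry.Name]) {
                $port   = [int]$item.($entry.Name)
                $status = 'static'
            }
        }
        New-Object PSObject -Property @{
            Role = $entry.Role; Key = $entry.Key; Name = $entry.Name
            Status = $status; Port = $port
        }
    }
}

function Test-StaticPortChoice {
    param([int]$Port)
    # Windows 2000 and Windows Server 2003 hand out dynamic RPC ports from
    # 1025 to 5000, so a static port in that range can collide with a port
    # that is already in use.
    return ($Port -gt 5000 -and $Port -le 65535)
}

function Get-FirewallPortList {
    # Endpoint mapper plus every static port actually configured on this host.
    $ports = @($EndpointMapperPort)
    foreach ($p in Get-ExchangeStaticPorts) {
        if ($p.Status -eq 'static') { $ports += $p.Port }
    }
    return ($ports | Sort-Object -Unique)
}

# Run on each Exchange server and on each domain controller that MAPI clients
# reach through the firewall; a host reports only the roles installed on it.
foreach ($p in Get-ExchangeStaticPorts) {
    switch ($p.Status) {
        'not installed' { }   # role not present on this host; nothing to report
        'dynamic' {
            Write-Warning ("{0}: no static port under {1}\{2}; RPC will choose a dynamic port" -f $p.Role, $p.Key, $p.Name)
        }
        'static' {
            if (Test-StaticPortChoice -Port $p.Port) {
                Write-Output ("{0}: TCP {1}" -f $p.Role, $p.Port)
            } else {
                Write-Warning ("{0}: port {1} is inside the dynamic range; use a port above 5000" -f $p.Role, $p.Port)
            }
        }
    }
}
Write-Output ("Inbound TCP ports to allow on the firewall: " + ((Get-FirewallPortList) -join ', '))
```

The script only reads the values. Setting one means creating a DWORD under the listed key and restarting the affected service (or the domain controller for the NTDS value), and the port choice check exists because a value inside the dynamic range defeats the purpose: the firewall rule would be correct, but the service could fail to bind at start-up.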
Discussion question 2
After your meeting, one member of the network infrastructure group did a little more research, realized that other options were available for configuring MAPI client access to Exchange, and scheduled another meeting. The network infrastructure group feels that a more secure solution for allowing MAPI client access to Exchange through the corporate firewall would be to use RPC over HTTP and deploy ISA Server in the perimeter network.

What ports will need to be enabled on the external firewall? What will you, as the Exchange administrator, need to do to enable using RPC over HTTP?

Only HTTP ports (port 80 or port 443) will need to be enabled on the external firewall.

To allow RPC over HTTP to be used, you will need to:
• Ensure your external MAPI clients are configured to use Outlook 2003.
• Enable your front-end server running Exchange as an RPC proxy server and place it on your internal network.

This option eliminates the need to open the ports for the RPC proxy server to communicate with other computers. The ISA server is responsible for routing RPC over HTTP requests to the Exchange front-end server, which acts as an RPC proxy server.

Lesson: Configuring Administrative Permissions

Introduction
This lesson presents an overview of administrative groups and how to create them. The lesson then explains how to configure administrative permissions by using the Exchange Administration Delegation Wizard.

Lesson objectives
After completing this lesson, you will be able to:
• Explain the function and purpose of administrative groups.
• Explain where a new computer running Exchange is added.
• Create an administrative group.
• Grant Exchange administrative permissions by using the Exchange Administration Delegation Wizard.
• Modify and prevent inherited permissions.
• Configure advanced security permissions by using Adsiedit.exe.

What Are Administrative Groups?

An administrative group is a collection of Exchange 2000 or Exchange 2003
objects that are grouped together for the purpose of managing and delegating
permissions. An administrative group can contain servers, routing groups,
policies, and public folder hierarchies.
Why use administrative groups?
If your company has two sets of administrators who manage two sets of servers running Exchange 2003, you can create two administrative groups, each containing one of these two sets of servers, and then delegate permissions to each administrator. Delegating separate permissions to each administrator means that only the authorized administrator can make changes to the configuration of these servers. Regardless of the administrative model that your Information Technology environment uses (centralized, distributed, or hybrid), you can create administrative groups to support it.

What objects can be added to a new administrative group?
You can add the following objects to an administrative group:
• System policy objects
• Routing group objects
• Public folder tree objects
• Server objects

Where Is a New Computer Running Exchange Server Added?

When you add a new computer running Exchange 2000 or Exchange 2003 to
your Exchange organization, the computer is added to an administrative group
as follows:
• By default, Exchange Setup automatically creates the First Administrative Group container, and the server is added to this administrative group.
• If only one administrative group exists, the server is automatically added to this administrative group.
• If multiple administrative groups exist, Setup prompts you to select the administrative group to which the server should be added.

Caution: You cannot move computers running Exchange between administrative groups. Therefore, it is important to install each Exchange server in the administrative group specified in your Exchange implementation plan.

How to Create an Administrative Group

You use the Administrative Groups container to create an administrative group.
However, because the Administrative Groups container is not displayed by
default, before you can create a new administrative group, you must first
display this container.
To display the Administrative Groups container
The high-level steps for displaying the Administrative Groups container are as follows:
1. In Exchange System Manager, right-click the Organization object.
2. In the Properties dialog box of the Organization object, click Display administrative groups.

Detailed steps for displaying the Administrative Groups container are included in the practice “Practice: Creating an Administrative Group” later in this lesson.

To create a new administrative group
The high-level step for creating a new administrative group is as follows:
• In Exchange System Manager, right-click the Administrative Groups container, point to New, and then click Administrative Group.

Detailed steps for creating a new administrative group are included in the practice that follows.

Important: For more information about creating administrative groups, see Module 3, “Designing an Administrative Plan,” in Course 1573, Designing Microsoft Exchange 2000 for the Enterprise.

Practice: Creating an administrative group
In this practice, you will create an administrative group.

Important: This practice is required to complete subsequent practices in this module.

Complete the following steps:
1. In Exchange System Manager, right-click Administrative Groups, point to
New, and then click Administrative Group. If you do not see the
Administrative Groups container, you should configure Exchange System
Manager to display administrative groups by using the Properties page of
the Organization object.
2. In the Properties dialog box, type Policy AG and then click OK.
3. In the console tree, right-click Policy AG, point to New, and then click
System Policy Container.
4. In the console tree, in the First Administrative Group, click System
Policies.
5. In the details pane, click Mailbox Store Storage Limits Policy, and then
drag it to the System Policies container that you just created in Policy AG.
6. Repeat the previous step for all remaining system policies in
First Administrative Group\System Policies.

What is the purpose of creating a separate administrative group for system policies?
Policy management can be controlled if you move the policies into a separate administrative group.

How to Grant Exchange Administrative Permissions

What are Exchange administrative permissions?
Exchange administrative permissions are a group of permissions that enable administrators to perform their administrative tasks in Exchange 2000 or Exchange 2003. You grant administrative permissions in Exchange by giving groups or users permissions to Exchange objects.

What is the Exchange Administration Delegation Wizard?
The Exchange Administration Delegation Wizard is a utility that enables you to select a group or user and grant them an administrative permission to your Exchange organization. Granting permissions to groups or users makes administration more secure because you can specify who can gain access to which Exchange objects.

Scope of permissions
You can start the Exchange Administration Delegation Wizard from the Organization object or from administrative group objects. The object that you start the wizard from determines which object the group or user has permissions for. For example:
• Starting the wizard from the Organization object. The permissions assigned are propagated down the hierarchy to all the objects in the organization.
• Starting the wizard from an Administrative Group object. The permissions propagate to all the objects in that administrative group; however, read-only permissions are also granted from the Administrative Group object, up the hierarchy, so that the administrator can view the hierarchy. Although the read-only permission does not appear in Exchange System Manager, you can view it by using the Adsiedit.exe utility.

Important: To use the Exchange Administration Delegation Wizard, you must have Exchange Full Administrator permissions at the organization level.

Roles and associated permissions supported by the wizard
The Exchange Administration Delegation Wizard supports the following three roles:
• Exchange Full Administrator. With this permission, users can fully administer Exchange system information (for example: add, delete, and rename objects) and modify permissions. You should delegate this role to administrators who need to configure and control access to your e-mail system.
• Exchange Administrator. With this permission, users can fully administer Exchange system information; however, they cannot modify permissions. You should delegate this role to groups or users who are responsible for the day-to-day administration of Exchange (for example, those groups or users who are responsible for adding, deleting, and renaming objects).
• Exchange View Only Administrator. With this permission, users can view Exchange configuration information. You should delegate this role to administrators who do not need to modify Exchange objects.

Other required administrative permissions
In addition to the roles that are supported by the Exchange Administration Delegation Wizard, there are other Windows 2000 Server or Windows Server 2003 group memberships that are required to manage Exchange. For example, if you assign Write permission to an administrator for objects in an organization or administrative group, the administrator must be a local computer administrator for each computer running Exchange that he or she needs to manage.

Exchange built-in groups
When Exchange 2000 or Exchange 2003 is installed, two groups are automatically created: Exchange Domain Servers and Exchange Enterprise Servers. These two groups have permissions that allow Exchange servers to gain access to Exchange configuration and recipient information in Active Directory. These groups are intended for use by Exchange only, and neither of the groups should be used to give other groups or users administrative privileges to Exchange.

Note: For more information about the permissions that are required to perform Exchange administrative tasks, see the Microsoft Exchange 2000 Permissions Guide v4.0 under Additional Reading on the Student Materials compact disc.

Practice: Delegating control of an administrative group
In this practice, you will delegate control of an administrative group.

Important: To complete this practice, you must have at least two administrative groups in your Exchange organization. If you only have one administrative group in your organization, you must create another group by completing the practice “Creating an Administrative Group” located earlier in this module.

Complete the following steps:
1. In Exchange System Manager, in the console tree, right-click Policy AG,
and then click Delegate control.
2. In the Exchange Administration Delegation Wizard, on the Welcome page,
click Next.
3. On the Users or Groups page, click Add.
4. In the Delegate Control dialog box, click Browse.
5. In the Select Users, Computers or Groups dialog box, type Greg Weber
and then click OK.
6. In the Delegate Control dialog box, in the Role box, click Exchange
Administrator and then click OK.
7. On the Users or Groups page, click Next.
8. On the Exchange Administration Delegation Wizard page, click Finish.
9. In the Exchange System Manager dialog box, read the warning that
indicates an Exchange administrator must also be a member of the local
machine administrator group, and then click OK.
10. In Active Directory Users and Computers, browse to nwtraders.msft\Managed Objects\IT Admin\IT Users, in the details pane, right-click Greg Weber, and then click Properties.
11. In the Greg Weber Properties dialog box, click Member Of.
12. On the Member Of tab, click Add.
13. In the Select Groups dialog box, type Administrators and then click OK.
14. In the Greg Weber Properties dialog box, click OK.

Why did you not grant Greg Weber Full Administrator permissions on
the Policy AG?
Although Full Administrator permissions would allow Greg Weber
to manage policies, this permission would also allow him to
configure permissions on the Policy AG and the policies it contains.
Because Greg Weber only needs to be able to manage policies, you
should grant him Administrator permissions.

How to Modify and Prevent Inherited Permissions

Advanced security permissions are Exchange 2000 or Exchange 2003 permissions that enable you to provide additional administrative control by overriding inherited permissions on objects in Exchange. Although a child object inherits permissions from its parent object by default, you can modify or prevent inherited permissions.

Why modify inherited permissions?
In some situations, you may not want to have permissions inherited from a parent object. For example, when you create a new routing group, that group inherits the permissions from the administrative group in which it was created. If you want different permissions applied to the new routing group, you can modify the routing group’s permissions so that the permissions from the parent administrative group are not propagated down to the new routing group.

Caution: Before making any changes to inherited permissions, be sure you fully understand the impact that the change will have on parent and child objects.

To modify inherited permissions
The steps to modify permissions so that they are not propagated to child objects are as follows:
1. On the Security tab of the child object, click Advanced.
2. In the Advanced Security Settings dialog box, clear the Allow inheritable permissions from the parent to propagate to this object and all child objects check box.

To prevent inherited permissions
You can prevent inherited permissions from propagating to child objects by modifying the access control settings. For each access control setting, you can specify whether the permissions should apply only to the parent object, or to the parent object as well as to its child objects.

The steps to prevent individual permissions from propagating to child objects are as follows:
1. On the Security tab, click Advanced.
2. In the Advanced Security Settings dialog box, modify the access control settings.

Note: If you remove inherited permissions and specify that permissions must be applied to the parent object only, the child objects are left with no permissions (an implicit Deny permission). Removing permissions prevents access to Exchange objects in Exchange System Manager. However, you can restore the permissions by using the Adsiedit.exe utility.

How to Configure Advanced Security Permissions by Using Adsiedit.exe

Whether you grant permissions to administrators manually or by using the
Exchange Administration Delegation Wizard at the organization level,
permissions are automatically propagated to all child objects. However, by
using ADSI Edit (Adsiedit.exe), you can grant advanced security permissions
that cannot be granted by using Exchange System Manager or Active Directory
Users and Computers. For example, Adsiedit.exe enables you to grant
permissions on the Administrative Groups container, and these permissions are
propagated to the new child administrative groups. To accomplish this
propagation, you use Adsiedit.exe to configure the Administrative Groups
container, under the Exchange Organization object, in the configuration
partition of Active Directory.
To configure advanced security permissions by using Adsiedit.exe
The high-level steps for configuring advanced security settings by using Adsiedit.exe are as follows:
1. Browse to the following location in the ADSI Edit snap-in: Configuration Container, CN=Configuration…, CN=Services, CN=Microsoft Exchange
2. In the Properties dialog box of the object you want to modify, on the Security tab, click Advanced.

Practice: Configuring custom security permissions
In this practice, you will enable the Security tab for all Exchange objects, and then configure custom security permissions.
1. From the desktop, click Start, click Run, type regedit and then click OK.
2. In the Registry Editor dialog box, browse to HKEY_CURRENT_USER\Software\Microsoft\Exchange.
3. Right-click EXAdmin, point to New, and then click DWORD Value.
4. In the New Value #1 box, type ShowSecurityPage and press ENTER.

5. Double-click ShowSecurityPage, and in the Edit DWORD Value dialog box, in the Value data box, type 1 and then click OK.
6. Close Registry Editor.
7. From the desktop, click Start, click Run, type mmc and then click OK.
8. In Console1, click File and then click Add/Remove Snap-in.
9. In the Add/Remove Snap-in dialog box, click Add.
10. In the Add Standalone Snap-in dialog box, click ADSI Edit, click Add,
and then click Close.
11. In the Add/Remove Snap-in dialog box, click OK.
12. In Console1, in the console tree, right-click ADSI Edit and then click
Connect to.
13. In the Connection Settings dialog box, in the Select a well known Naming
Context box, click Configuration, and then click OK.
14. In the console tree, expand ADSI Edit, expand Configuration, expand
CN=Configuration,DC=nwtraders,DC=msft, expand CN=Services,
expand CN=Microsoft Exchange, expand CN=Northwind Traders, right-
click CN=Administrative Groups, and then click Properties.
15. In the CN=Administrative Groups Properties dialog box, click Security.
16. On the Security tab, click Add.
17. In the Select Users, Computers, or Groups dialog box, type Jim Kim and
then click OK.
18. In the CN=Administrative Groups Properties dialog box, click
Advanced.
19. In the Advanced Security Settings for Administrative Groups dialog
box, in the Permission entries box, click Jim Kim, and then click Edit.
20. In the Permission Entry for Administrative Groups dialog box, in the
Apply onto box, click This object and all child objects, and then click
OK.
21. In the Advanced Security Settings for Administrative Groups dialog
box, click OK.
22. In the CN=Administrative Groups Properties dialog box, click OK.
23. To verify that permissions are configured correctly, in Exchange System
Manager, right-click an administrative group and verify that Jim Kim has
permissions on the administrative group.

Why did you not use the delegation wizard to accomplish this task?
The delegation wizard does not allow you to grant permissions at
this level.
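The Note in the previous topic points out that removing inheritance can leave child objects with no permissions, and the practice above grants an entry on the Administrative Groups container that Exchange System Manager cannot show. The following PowerShell script, an added example that is not part of the course, reads the same security descriptor programmatically through System.DirectoryServices and lists the explicit and inherited entries with their inheritance scope, so that what the delegation wizard or ADSI Edit produced can be checked after the fact. It flags blocked inheritance, entries scoped to this object only, Deny entries, and grants that include the right to change permissions (the difference between the Exchange Full Administrator and Exchange Administrator roles). The distinguished name uses the course's nwtraders.msft forest and Northwind Traders organization; the function names are the example's own.

```powershell
# Added example (not from the course): audit the permission entries on the
# Administrative Groups container in the configuration partition. Reading the
# security descriptor needs only Read permission on the object; the script
# changes nothing.
Add-Type -AssemblyName System.DirectoryServices

# Course forest and organization name; replace both for your own forest.
$AdminGroupsDN = 'CN=Administrative Groups,CN=Northwind Traders,CN=Microsoft Exchange,' +
                 'CN=Services,CN=Configuration,DC=nwtraders,DC=msft'

function Get-ExchangeObjectAcl {
    param([string]$DistinguishedName)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    try {
        $sd = $entry.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity
    } catch {
        throw "Cannot read the security descriptor of $DistinguishedName : $_"
    }
    # Explicit and inherited rules, with identities resolved to DOMAIN\name.
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    New-Object PSObject -Property @{
        Object             = $DistinguishedName
        InheritanceBlocked = $sd.AreAccessRulesProtected
        Rules              = @($rules)
    }
}

function Get-AclFindings {
    param($Acl)
    # Rights that let the holder rewrite the ACL itself. GenericAll is not in
    # the mask because its value overlaps ordinary read bits; an ACE granting
    # GenericAll still contains WriteDacl and WriteOwner and is caught.
    $aclRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
    $findings = @()
    if ($Acl.InheritanceBlocked) {
        $findings += 'Inheritance from the parent object is blocked on this object.'
    }
    foreach ($rule in $Acl.Rules) {
        $who = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Deny') {
            $findings += "Deny entry for $who ($($rule.ActiveDirectoryRights)); confirm it is intended."
        }
        if (-not $rule.IsInherited -and $rule.InheritanceType -eq 'None') {
            # Apply onto: this object only. New child administrative groups
            # will not receive this entry.
            $findings += "Explicit entry for $who applies to this object only; child objects do not receive it."
        }
        if ($rule.AccessControlType -eq 'Allow' -and
            ([int]($rule.ActiveDirectoryRights -band $aclRights)) -ne 0) {
            $findings += "$who can change permissions here ($($rule.ActiveDirectoryRights))."
        }
    }
    return $findings
}

$acl = Get-ExchangeObjectAcl -DistinguishedName $AdminGroupsDN
$acl.Rules |
    Select-Object @{n = 'Identity'; e = { $_.IdentityReference.Value }},
                  AccessControlType, ActiveDirectoryRights, IsInherited, InheritanceType |
    Sort-Object IsInherited, Identity |
    Format-Table -AutoSize

"Findings for $($acl.Object):"
Get-AclFindings -Acl $acl | ForEach-Object { " - $_" }
```

Pointing the same functions at an individual administrative group or routing group shows whether an entry arrived by inheritance (IsInherited is True) or was placed there directly, which is the distinction the Security tab's Advanced dialog expresses with the inheritance check box and the Apply onto setting.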

To prepare for the next module
1. In 2400_London-Virtual PC, on the menu, click PC, and then click Shut
Down.
2. In the Shut Down dialog box, click Save PC state and keep changes,
verify that the Commit hard drive changes now check box is selected, and
then click OK.
3. Restart 2400_London-Virtual PC.

Lesson: Allowing Only the Required Services to Run on Exchange 2003

Introduction
This lesson discusses the services that are used by Exchange 2003, and explains service dependencies and which services can be disabled to provide enhanced Exchange security.

Lesson objectives
After completing this lesson, you will be able to:
• Describe the services that are used by Exchange 2003.
• Explain why to allow only required services to run on Exchange 2003.
• Explain why to run only required services on an Exchange front-end server.
• Explain why to run only required services on an Exchange back-end server.

Services Used by Exchange 2003

When considering how to increase the security of Exchange 2003, it is
important to remember that Exchange is actually a number of processes,
components, and services that communicate with each other on local and
remote computers. Specifically, Exchange servers must communicate with
other Exchange servers, domain controllers, and several different clients. These
complicated interactions mean that when you attempt to secure your Exchange
servers, you must consider all these processes, components, and services when
evaluating whether to disable a particular service.
Exchange 2003 services
The Exchange 2003 services that you require depend on the role that your Exchange server provides in your environment. There are dependencies on Exchange services for Setup to run, for administration to be performed, and for routing and indexing to function, as well as interoperability issues with previous versions of the product. The following table lists, for each process, the Exchange services that are required in any environment.

Setup
For Exchange 2003 Setup to run, you must install and enable, but not necessarily start:
• NNTP
• SMTP
• World Wide Web Publishing Service
• IIS Admin Service
Exchange 2003 Setup disables the following services by default; however, the current state is preserved during reinstalls or upgrades:
• NNTP
• Microsoft Exchange IMAP4
• Microsoft Exchange POP3

Administration
To administer Exchange 2003, the following services are required:
• Microsoft Exchange System Attendant
• Microsoft Exchange Management
• Windows Management Instrumentation

Routing
To enable Exchange 2003 to route messages, the following services are required:
• Microsoft Exchange Routing Engine
• IIS Admin Service
• SMTP

Previous version compatibility
To provide compatibility with earlier versions of Exchange, the following services are required:
• Microsoft Exchange Event Service
• Microsoft Exchange Site Replication Service
• Exchange MTA Stacks (for Exchange 5.5 compatibility only)

Additional features
The following services provide additional features for Exchange 2003:
• Microsoft Search
• World Wide Web Publishing Service

Why Allow Only Required Services to Run on Exchange 2003?

The goal in securing your Exchange 2003 environment is to limit all possible
vulnerabilities without affecting the core functionality of Exchange. One main
area to examine is Exchange services. Because Exchange 2003 runs on
Windows 2000 Server or Windows Server 2003, an Exchange server requires
some Windows services for it to install and function properly. Also, some
Exchange services are dependent on other Exchange services. Depending on the
role your Exchange server performs in your environment, many of these
services can be disabled. When you disable a service, the port associated with
that service is no longer available for port-related attacks.

What Are the Required Services on an Exchange Front-End Server?

Because the role of an Exchange front-end server is to accept requests from
clients and then forward those requests to the appropriate back-end server for
processing, you can disable many of the Exchange services that are installed by
default.
Services to configure on an Outlook Web Access front-end server
The following table describes how these services should be configured for an Outlook Web Access front-end server.

Service name (Startup mode): Reason
• Microsoft Exchange Routing Engine (Automatic): This service is required to enable Exchange routing functionality.
• IPSec Services (Automatic): This service provides end-to-end security between clients and servers on TCP/IP networks, and it should be enabled to provide an Internet Protocol security (IPSec) filter on Outlook Web Access servers.
• IIS Admin Service (Automatic): This service is dependent on the MSExchange routing engine, and it must be enabled to allow Exchange routing functionality.
• World Wide Web Publishing Service (Automatic): This service must be enabled for client computers to communicate with Outlook Web Access or Outlook Mobile Access front-end servers.
• Microsoft Exchange IMAP4 (Disabled): This service is not required because the server is configured for Outlook Web Access and not for IMAP4 clients.
• Microsoft Exchange Information Store (Disabled): This service is only required if there are user mailboxes or public folders, and it is disabled because front-end servers do not contain user data.
• Microsoft Exchange POP3 (Disabled): This service is not required because the server is configured for Outlook Web Access and not for POP3 clients.
• Microsoft Search (Disabled): This service is only used for full-text indexing of information stores and is disabled because front-end servers do not contain user data.
• Microsoft Exchange Event Service (Disabled): This service is only required for compatibility with previous versions of Exchange.
• Microsoft Exchange Site Replication Service (Disabled): This service is only required for compatibility with previous versions of Exchange.
• Microsoft Exchange Management (Disabled): This service can be disabled if you do not require message tracking to audit message flow through Exchange.
• Microsoft Exchange MTA Stacks (Disabled): This service is only required for compatibility with previous versions of Exchange or if there are X.400 connectors.
• RPC Locator (Disabled): This service is no longer required for communication with a domain controller or for the system attendant to start.
• SMTP (Disabled): Outlook Web Access does not require SMTP to be configured on the front-end server, and it can be disabled.
• NNTP (Disabled): This service is only required for installation and if newsgroup functionality is required.

Additional service considerations
Additional service considerations are as follows:
• Microsoft Exchange System Attendant. System Attendant can be disabled, and it is only required on a front-end server if you plan to make configuration changes to Exchange. However, the following dependent services must be running before System Attendant will start:
  - Event Log
  - NTLM Security Support Provider
  - RPC
  - Server
  - Workstation
• Microsoft Exchange Management. The service allows you to specify, through the user interface (UI), which domain controller or global catalog server Exchange 2003 will use when accessing the directory. This service is also required for message tracking. You can disable this service without affecting the core functionality of Exchange. However, you may need Message Tracking to audit Exchange functionality.
• SMTP. The Outlook Web Access front-end server does not require SMTP because it is functioning as an Outlook Web Access server. However, you should enable the SMTP service if you have configured your front-end server to receive SMTP mail, either to act as a gateway, or as a front-end server for IMAP4 or POP3. If the server will also be an SMTP gateway, the information store and System Attendant services are also required.
• Outlook Mobile Access. Outlook Mobile Access provides mobile access to users. When you are not using Outlook Mobile Access, you can set it globally to off, which makes the application inaccessible so that no requests can be made to the back-end server (ForestPrep does this by default). Outlook Mobile Access also creates virtual directories that can be deleted or set to localhost access only to provide additional security.

Using front-end servers to establish POP3, IMAP4, or SMTP connections
The information in this topic assumes that you plan to use front-end servers to establish HTTP connections. If you plan on configuring POP3, IMAP4, or SMTP, do not enable the World Wide Web Publishing Service, and use the following table to enable the required services.

Front-end server: Required services
• POP3: Exchange POP3 (POP3Svc), Exchange Information Store service (MSExchangeIS), and Microsoft Exchange System Attendant Service (MSExchangeSA)
• IMAP4: Exchange IMAP (IMAP4Svc), MSExchangeIS, and MSExchangeSA
• SMTP: SMTP, MSExchangeIS, and MSExchangeSA

What Are the Required Services on an Exchange Back-End or Mailbox Server?

Because the role of an Exchange back-end server is to store user mailboxes, you
can disable many of the Exchange services that are installed by default.
Services to configure on an Outlook Web Access back-end server
The following table describes how Exchange services can be configured for a back-end server.

Service name (Startup mode): Reason
• Microsoft Exchange Information Store (Automatic): Back-end servers or mailbox servers contain user mailboxes and public folders, and they require the information store services to be enabled.
• Microsoft Exchange Management (Automatic): This service is enabled to provide message tracking and to audit message flow.
• Windows Management Instrumentation (Automatic): This service is enabled, and it is dependent on Microsoft Exchange Management.
• Microsoft Exchange MTA Stacks (Automatic): This service is required for compatibility with previous versions of Exchange or if there are X.400 connectors.
• Microsoft Exchange System Attendant (Automatic): This service is enabled to perform Exchange administration and for Exchange maintenance to run.
• Microsoft Exchange Routing Engine (Automatic): This service is enabled to coordinate message transfer between Exchange servers.
• IPSEC Services (Automatic): This service is required to implement an IPSec policy on the back-end server.
• IIS Admin Service (Automatic): This service is required by the MSExchange routing engine.
• NTLM Security Support Provider (Automatic): This service is enabled, and it is dependent on System Attendant.
• Simple Mail Transfer Protocol (SMTP) (Automatic): This service is required for Exchange to transfer messages.
• World Wide Web Publishing Service (Automatic): This service is enabled to provide communication with Outlook Web Access and Outlook Mobile Access front-end servers.
• Microsoft Exchange IMAP4 (Disabled): This service is not required because the back-end server is not configured for IMAP4. This service must be enabled if the front-end server is configured for IMAP4 access.
• Microsoft Exchange POP3 (Disabled): This service is not required because the back-end server is not configured for POP3. This service must be enabled if the front-end server is configured for POP3 access.
• Microsoft Search (Disabled): This service is only required for full-text indexing of mailbox or public folder stores.
• Microsoft Exchange Event Service (Disabled): This service is only required for compatibility with previous versions of Exchange.
• Microsoft Exchange Site Replication Service (Disabled): This service is only required for compatibility with previous versions of Exchange.
• Remote Procedure Call (RPC) Locator (Disabled): This service is now not required for communication with domain controllers and clients.
• Network News Transfer Protocol (NNTP) (Disabled): This service is only required for installation and if newsgroup functionality is required.
Additional service considerations
Additional service considerations are as follows:

• Microsoft Exchange System Attendant. System Attendant depends on other
  services (such as NTLM Security Support Provider), and the information store
  and MTA Stacks services in turn depend on System Attendant. All of these
  services must also be enabled, so check a service's dependencies before you
  disable it.
• Microsoft Search. The information store process creates and manages
  indexes for common key fields for faster lookups and searches of documents
  that reside in a store. Indexing is provided by the Microsoft Search service.
  Both the information store service and the Search service must be running
  for an index to be created, updated, or deleted; if you do not use full-text
  indexing, leave Microsoft Search disabled.

Note For more information about front-end and back-end servers, see the
white paper Microsoft Exchange Server Front-End and Back-End Topology
under Additional Reading on the Student Materials compact disc. For more
information about securing your Exchange server, see the white paper
Security Operations for Microsoft Exchange 2000 Server under Additional
Reading on the Student Materials compact disc.

Discussion: Securing Exchange Server 2003

Instructions
Read the following six scenarios and then discuss possible solutions with the
rest of the class.
Scenario 1
You have just installed Exchange Server 2003 in your organization. You have
never had a messaging environment before. To provide protection from virus
attacks, you need to choose an antivirus product. What are some of the
considerations that you must keep in mind?

Some of the considerations to evaluate when choosing an antivirus product are:
• Verifying that the specific product is supported for Exchange Server 2003
• Verifying that deployment of the client-based protection can be automated
• Determining whether quick and automated signature updates are provided
• Verifying that the signature files will protect your organization from
  viruses, worms, macro viruses, malicious scripts, and Trojan horses
• Verifying that the vendor is appropriately certified
Scenario 2
Although you have a block-list service provider configured, you find that you
continue to receive unsolicited commercial e-mail from several senders. You
would like to block the messages coming from these troublesome domains.
How can you accomplish this?

Block lists cannot completely prevent unsolicited commercial e-mail.
Because there will always be sending domains that are not yet on the block
lists, you must be vigilant about monitoring your incoming e-mail. When you
do identify a troublesome domain, add it to the connection control list
(the Connection button on the Access tab) of the default SMTP virtual server
that receives incoming messages from the Internet, and deny connections from
it. Connection control is evaluated against the connecting host's IP address
or its reverse-resolved domain name, so it blocks every message that host
sends, not only messages whose From address shows that domain.
Scenario 3
You have just been directed to configure your forest to support e-mail digital
signatures and encryption. What are some reasons why your manager decided
to enable this feature?

Digital signatures enable your users to verify that a message was sent by
the person identified in the From box and to assure the message recipient
that the message was not altered in any way during transmission.
Encryption enables users to protect messages so that even if a message is
intercepted, its content cannot be interpreted by the attacker. Only a
recipient who holds the private key matching the certificate the message
was encrypted to can read an encrypted message.
Scenario 4
Your company has a firewall between your company's intranet and the Internet.
What purpose is this firewall serving?

Firewalls are used to prevent unauthorized traffic from entering or leaving
your private network. Firewalls block attackers from accessing internal
data; they provide packet filtering so that you can prevent both internal
and external users from transmitting particular types of traffic; and they
can provide proxy services that mask internal IP addresses from external
resources.
Scenario 5
Your company has a central Information Technology (IT) office that manages
all the messaging administration. You also have several branch offices that have
local IT groups that manage their own servers. You are installing Exchange in
your company and need to be sure that the correct administrators can manage
the servers in their location. What should you do?

To delegate this administrative model, you need an administrative group for
each branch office. Because moving servers between administrative groups is
not supported, you must create the administrative groups before you install
the servers running Exchange in the branch offices. When you install each
server, choose the correct administrative group for that server. You should
then delegate permissions on each administrative group to the local IT
group, and delegate permissions at the organization level to the central IT
group. Configuring your permissions this way prevents the local IT groups
from managing servers outside their own administrative group and allows
the central group to manage all the servers in all the administrative
groups.
Scenario 6
You have Exchange installed as a mailbox server. To reduce the probability of a
security breach, you want to disable unused and unnecessary services on this
Exchange server. Currently the Exchange server is running Microsoft Exchange
Information Store, Microsoft Search, IPSEC Services (the IPSec Policy Agent),
and RPC Locator. Which of these services must be running on this server?

A mailbox server requires the IPSEC Services service (the IPSec Policy Agent)
to implement IPSec filters on the server. The mailbox server also needs the
Microsoft Exchange Information Store service to access the mailbox and
public folder stores. Microsoft Search is required only if full-text indexing
is enabled on a store, and RPC Locator is no longer required, so both can be
disabled.
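The following PowerShell script is an added example, not part of the course materials or of any Microsoft tool. It applies the startup modes from the back-end server table in the previous lesson (and mechanically answers the question in Scenario 6) while enforcing the System Attendant caveat: before any change is made, it walks each Automatic service's dependency chain and refuses to proceed if that chain reaches a service the table sets to Disabled. The service short names (MSExchangeIS, MSExchangeMGMT, RESvc, PolicyAgent for IPSEC Services, MSSearch, and so on) are assumptions for the display names in the table; confirm them with Get-Service on your own server and run the script without -Apply first, which only previews the changes.

```powershell
# Added example (not from the course): apply the back-end server startup modes
# from the services table, after checking that no Automatic service depends on
# a service that is about to be Disabled. Service short names are assumptions;
# confirm them with Get-Service before running with -Apply.
param([switch]$Apply)

# Desired startup mode per service short name (assumed short names for the
# display names used in the table).
$desired = @{
    'MSExchangeIS'   = 'Automatic'   # Microsoft Exchange Information Store
    'MSExchangeMGMT' = 'Automatic'   # Microsoft Exchange Management
    'winmgmt'        = 'Automatic'   # Windows Management Instrumentation
    'MSExchangeMTA'  = 'Automatic'   # Microsoft Exchange MTA Stacks
    'MSExchangeSA'   = 'Automatic'   # Microsoft Exchange System Attendant
    'RESvc'          = 'Automatic'   # Microsoft Exchange Routing Engine
    'PolicyAgent'    = 'Automatic'   # IPSEC Services
    'IISADMIN'       = 'Automatic'   # IIS Admin Service
    'NtLmSsp'        = 'Automatic'   # NTLM Security Support Provider
    'SMTPSVC'        = 'Automatic'   # Simple Mail Transfer Protocol (SMTP)
    'W3SVC'          = 'Automatic'   # World Wide Web Publishing Service
    'IMAP4Svc'       = 'Disabled'    # Microsoft Exchange IMAP4
    'POP3Svc'        = 'Disabled'    # Microsoft Exchange POP3
    'MSSearch'       = 'Disabled'    # Microsoft Search
    'MSExchangeES'   = 'Disabled'    # Microsoft Exchange Event Service
    'MSExchangeSRS'  = 'Disabled'    # Microsoft Exchange Site Replication Service
    'RpcLocator'     = 'Disabled'    # Remote Procedure Call (RPC) Locator
    'NntpSvc'        = 'Disabled'    # Network News Transfer Protocol (NNTP)
}

# Return every service the given service depends on, directly or transitively,
# by walking ServicesDependedOn with an explicit stack.
function Get-AllDependencies {
    param([System.ServiceProcess.ServiceController]$Service)
    $seen  = @{}
    $stack = New-Object System.Collections.Stack
    $stack.Push($Service)
    while ($stack.Count -gt 0) {
        $current = $stack.Pop()
        foreach ($dep in $current.ServicesDependedOn) {
            if (-not $seen.ContainsKey($dep.Name)) {
                $seen[$dep.Name] = $dep
                $stack.Push($dep)
            }
        }
    }
    return $seen.Values
}

# Dependency check: an Automatic service must not depend on a Disabled one.
$conflicts = @()
foreach ($name in $desired.Keys) {
    if ($desired[$name] -ne 'Automatic') { continue }
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service '$name' not found; check the short name."; continue }
    foreach ($dep in (Get-AllDependencies -Service $svc)) {
        if ($desired[$dep.Name] -eq 'Disabled') {
            $conflicts += "$name depends on $($dep.Name), which is set to Disabled"
        }
    }
}
if ($conflicts) {
    $conflicts | ForEach-Object { Write-Error $_ }
    throw 'Dependency conflicts found; correct the table before applying it.'
}

# Preview (default) or apply the startup modes. Disabled services that are
# still running are also stopped so the change takes effect immediately.
foreach ($name in $desired.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }
    $mode = $desired[$name]
    if ($Apply) {
        Set-Service -Name $name -StartupType $mode
        if ($mode -eq 'Disabled' -and $svc.Status -eq 'Running') {
            Stop-Service -Name $name -Force
        }
    } else {
        "{0,-16} {1,-10} -> {2}" -f $name, $svc.StartType, $mode
    }
}
```

Run the script as an administrator on the back-end server, review the preview, and only then re-run it with -Apply. The dependency walk is the part worth keeping even if you edit the table: disabling a service that an Automatic service depends on does not fail loudly at configuration time, it fails at the next restart when the dependent service cannot start.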