This checklist is a companion to the module "Securing Exchange 2000 Servers Based on Role." Use it to help you secure your Exchange 2000 servers, or as a quick reference for the corresponding module. This checklist should grow as you discover steps that help you implement your secure Exchange organization.

| Check | Description |
| --- | --- |
| | Test environment setup and Group Policy settings thoroughly tested. |
| | Organizational unit (OU) structure modified as recommended in module and servers moved into appropriate OUs. |
| | Security templates contained in ExSecurityOps.exe included with this guidance downloaded. |
| | New Group Policy object "Exchange DC Policy" created in domain controller OU and Exchange domain controller Incremental.inf imported. |
| | Replication forced between domain controllers. |
| | All domain controllers have new policy. |
| | Domain controllers restarted sequentially. |
| | New Group Policy object "OWA Policy" created in Outlook Web Access (OWA) front-end server OU. |
| | OWA front-end Incremental.inf imported. |
| | New Group Policy object "Exchange Back-End Policy" created in Exchange back-end server OU. |
| | Exchange back-end Incremental.inf imported. |
| | Replication forced between domain controllers. |
| | Policy downloaded on Exchange servers by using secedit /refreshpolicy machine_policy /enforce command. |
| | All Exchange servers restarted. |
| | Specified services disabled on OWA front-end and Exchange back-end servers. |
| | Changes to Exchange back-end server file access control lists (ACLs). |
| | Network News Transport Protocol (NNTP) service disabled if not in use. |
| | Necessary services re-enabled for Exchange environment to function. |

| Check | Description |
| --- | --- |
| | System Attendant service on OWA front-end servers enabled and started. |
| | Distributed Transaction Coordinator service on all Exchange servers enabled and started. |
| | NNTP service on all Exchange servers enabled and started. |
| | Windows Installer service on all Exchange servers enabled and started. |
| | Windows Management Instrumentation (WMI) service on OWA front-end servers enabled and started. |

| Check | Description |
| --- | --- |
| | IIS Lockdown Tool IISLockd.exe on all Exchange servers installed and started. |
| | Only Web Service Hypertext Transfer Protocol (HTTP) is enabled. |
| | Virtual directories removed. |
| | URLScan installed. |
| | IIS Lockdown and URLScan settings modified for your organization. |
| | Change Password feature in OWA removed. |

| Check | Description |
| --- | --- |
| | System Attendant and NTLM Security Support Provider services started. |
| | Mailbox Store dismounted and "Do not mount this store at start-up" checked. |
| | Public Folder Store dismounted and deleted. |

| Check | Description |
| --- | --- |
| | Metabase edited to remove SMTP Banner. |
| | Simple Mail Transfer Protocol (SMTP) service restarted. |

| Check | Description |
| --- | --- |
| | EDSLock script run. |