Recipe 10.9. Disabling Unnecessary Exchange Services

Problem

You want to minimize the attack surface of your Exchange servers by disabling unnecessary services.

Solution

Using a graphical user interface

1. Log in to the target Exchange server using an account with administrative privileges.
2. Open the Services snap-in (services.msc).
3. Check Table 10-2 for the services that you need for your server type (Exchange 2000 or Exchange Server 2003) and role (front-end or back-end server).
4. For each service in the table, verify that its startup type is set appropriately.

Table 10-2. Service settings for Exchange front- and back-end servers

| Service name | Short name | Enabled on FE? | Enabled on BE? | Notes |
|---|---|---|---|---|
| Microsoft Exchange Information Store | MSExchangeIS | Maybe | Yes | The IS is required for servers that serve mailboxes, but it's also required for SMTP bridgeheads so they can generate and process NDRs. |
| Microsoft Exchange System Attendant | MSExchangeSA | Maybe | Yes | The SA is required to do any sort of Exchange management. You can disable it on the FE, but you'll need to re-enable it before you can make changes to the server's settings via ESM. |
| IIS Admin Service | IISAdmin | Maybe | Yes | Required if you're using IMAP, POP, Web, SMTP, or NNTP, as well as the routing service; can be disabled otherwise. |
| FTP Publishing Service | FTPSvc | No | No | Not installed by default on Windows 2003. Don't ever enable this unless you're running an FTP server. |
| World Wide Web Publishing Service | W3SVC | Maybe | Yes | The W3SVC is required for web access via OWA, OMA, or EAS. |
| HTTP SSL | HTTPFilter | Yes | Yes | This service provides SSL filtering for the W3SVC; its start state should be set to "manual." |
| Microsoft Exchange Event | MSExchangeES | No | No | This service is only required if you want to run Exchange 5.5 event scripts on your server. |
| Microsoft Exchange IMAP4 | IMAP4SVC | Maybe | No | Only required for servers that allow IMAP access to mailboxes. |
| Microsoft Exchange Management | MSExchangeMGMT | No | Yes | Required for message tracking and other management functions. Depends on the WMI service. |
| Microsoft Exchange MTA Stacks | MSExchangeMTA | No | Maybe | The equivalent of the 5.5 MTA; required for X.400 communication with 5.5 servers or X.400 connectors. Must be running to move mailboxes with ESM on Exchange 2000 but not Exchange Server 2003. |
| Microsoft Exchange POP3 | POP3SVC | Maybe | No | Required for servers that offer POP3 mailbox access; off elsewhere. |
| Microsoft Exchange Routing Engine | RESvc | Maybe | Yes | Handles interserver message routing (in conjunction with SMTP). Required on back-end servers and bridgeheads; unnecessary on nonbridgehead FEs. |
| Microsoft Exchange Site Replication Service | MSExchangeSRS | No | Maybe | Required for backward compatibility with Exchange 5.5; should be disabled on all servers when running in native Exchange mode. |
| IPsec Services | PolicyAgent | Yes | Yes | Required for machines that are using IPsec. |
| RPC Locator | RpcLocator | Yes | Yes | Required for RPC communications with DCs (for logons) and clients. |
| NTLM Security Support Provider | NTLMSSP | Yes | Yes | Don't disable this or RPC communications will break. |
| Simple Mail Transport Protocol (SMTP) | SMTPSvc | Maybe | Yes | SMTP is required on back-end servers to enable interserver message transport. It's required on FEs that act as SMTP bridgeheads. |
| Network News Transport Protocol (NNTP) | NNTPSvc | No | No | NNTP is required in three instances: when you're setting up Exchange, when you're using NNTP, or when you're managing public folders with ESM. Unless you're doing these things, you can turn it off. |
| Microsoft Search | MSSearch | No | Maybe | Required in order to use full-text mailbox indexing; turn off on nonmailbox servers or if FTI isn't in use. |
| Terminal Services | TermService | Maybe | Maybe | Set to manual on servers that you want to be reachable via Terminal Services; disable to prevent remote logon via TS. |
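The check a practitioner would run against Table 10-2, as an added example that is not from the book: it compares each listed service's WMI StartMode with the expected value for the chosen role and prints (or, with -Fix, applies) the sc config command that corrects any drift. The $Baselines values are assumptions taken from the table and from this recipe's front-end OWA-proxy script; sc.exe is spelled out because sc is a PowerShell alias for Set-Content.

```powershell
# Added example: audit local service start modes against a Table 10-2 baseline.
# Assumes Windows PowerShell with WMI access to the local machine and admin rights.
param(
    [ValidateSet('FrontEndOwaProxy','BackEnd')]
    [string]$Role = 'FrontEndOwaProxy',
    [switch]$Fix     # when set, apply sc config instead of only reporting
)

# Expected WMI StartMode per service: 'Auto', 'Manual' or 'Disabled' (assumed baselines)
$Baselines = @{
    # Front-end Exchange 2003 server used only as an OWA proxy (from the recipe's sc script)
    FrontEndOwaProxy = @{
        POP3Svc='Disabled'; IMAP4Svc='Disabled'; MSExchangeIS='Disabled'
        MSSearch='Disabled'; MSExchangeSRS='Disabled'; MSExchangeES='Disabled'
        MSExchangeMGMT='Disabled'; MSExchangeMTA='Disabled'; MSExchangeSA='Disabled'
        RESvc='Auto'; IISAdmin='Auto'; SMTPSvc='Disabled'; NNTPSvc='Disabled'
        HTTPFilter='Manual'; W3SVC='Auto'
    }
    # Back-end mailbox server: the "Yes"/"No" rows of Table 10-2 ("Maybe" rows are left alone)
    BackEnd = @{
        MSExchangeIS='Auto'; MSExchangeSA='Auto'; IISAdmin='Auto'; W3SVC='Auto'
        HTTPFilter='Manual'; MSExchangeMGMT='Auto'; RESvc='Auto'; SMTPSvc='Auto'
        RpcLocator='Auto'; NTLMSSP='Auto'; PolicyAgent='Auto'
        POP3Svc='Disabled'; IMAP4Svc='Disabled'; MSExchangeES='Disabled'
        NNTPSvc='Disabled'; FTPSvc='Disabled'
    }
}

# sc config uses auto / demand / disabled rather than the WMI StartMode names
$scMode = @{ Auto='auto'; Manual='demand'; Disabled='disabled' }
$drift = 0
foreach ($entry in $Baselines[$Role].GetEnumerator()) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$($entry.Key)'"
    if (-not $svc) { Write-Host "$($entry.Key): not installed (skipped)"; continue }
    if ($svc.StartMode -eq $entry.Value) { continue }
    $drift++
    $cmd = "sc config $($entry.Key) start= $($scMode[$entry.Value])"
    Write-Host "$($entry.Key): is $($svc.StartMode), expected $($entry.Value) -> $cmd"
    if ($Fix) {
        & sc.exe config $entry.Key start= $scMode[$entry.Value] | Out-Null
        # A service that must be off should be stopped now, not just at the next boot
        if ($entry.Value -eq 'Disabled' -and $svc.State -eq 'Running') {
            Stop-Service -Name $entry.Key -Force
        }
    }
}
Write-Host "$drift service(s) differ from the $Role baseline"
```

Run it without -Fix first so the report can be reviewed against any add-on dependencies the server has before anything is changed.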
Using a command-line interface

1. Log in to the target Exchange server using an account with administrative privileges.
2. Check Table 10-2 for the services that you need for your server type (Exchange 2000 or Exchange Server 2003) and role (front-end or back-end server).
3. For each service in the table, set its startup type with the `sc config` command's `start=` parameter (note the space after the equals sign). You can set the start type to `disabled`, `demand` (manual), or `auto` (automatic). For example, this script will apply the appropriate baseline settings for a front-end Exchange Server 2003 server that's being used only as an OWA proxy:

```
sc config POP3Svc start= disabled
sc config IMAP4Svc start= disabled
sc config MSExchangeIS start= disabled
sc config MSSearch start= disabled
sc config MSExchangeSRS start= disabled
sc config MSExchangeES start= disabled
sc config MSExchangeMGMT start= disabled
sc config MSExchangeMTA start= disabled
sc config MSExchangeSA start= disabled
sc config RESvc start= auto
sc config IISAdmin start= auto
sc config SMTPSvc start= disabled
sc config NNTPSvc start= disabled
sc config HTTPFilter start= demand
sc config W3SVC start= auto
```

4. For each service in the table, ensure that you've started or stopped the service as appropriate. You can do this with the `net stop` or `sc stop` commands:

```
net stop msexchangesa /y
sc stop IMAP4SVC
```

Discussion

Code that isn't running can't be attacked. For that reason, it's important to turn off unnecessary services on your Exchange servers, particularly those that face the Internet. This can be tricky, since some services are required in nonobvious circumstances. For example, if the Microsoft Exchange Management service isn't running on a given server, message tracking won't work on that server. Table 10-2 lists the key Windows and Exchange services whose state you need to control on your front- and back-end servers. This list isn't complete, of course, since there are many other Windows services that implement various features.
However, Windows 2003 does a good job of disabling unneeded services, so in the table I've included two types of services: those provided by Exchange and those on which Exchange depends. For specific guidance on what a given Windows service does, you should consult the Threats and Countermeasures Guide for Windows 2003 or the Windows 2000 documentation. You should also consult the documentation for any Exchange add-ons; they may introduce additional dependencies.

In general, Exchange back-ends require most of the Exchange services to be set to start automatically. In particular, the system attendant, information store, and routing engine services are required, although none of these is necessarily required on a front-end server.

You can make these settings changes in three ways: manually via the GUI, automatically via a script that uses the sc command to set the service start state, or via a security template applied as part of a GPO. Of these three, the last route is the best, because the GPO can be configured so that an administrator cannot easily override the start state defined in the policy. Of course, this makes it harder to turn on services when you have a legitimate reason to do so, and it also requires that you create group policy objects and apply them to your Exchange servers. This process is described in great detail in the "Hardening Exchange 2003 Servers" section of the Exchange Server 2003 Security Hardening Guide.

See Also

- Chapter 6 of Secure Messaging with Microsoft Exchange Server 2003 (Microsoft Press)
- "Hardening Exchange 2003 Servers" in Security Operations Guide for Exchange 2000: http://www.microsoft.com/technet/security/prodtech/mailexch/opsguide/default.mspx
- Security Hardening Guide for Exchange 2003: http://go.microsoft.com/fwlink/?LinkId=34667
- Chapter 7 of the Threats and Countermeasures Guide: http://go.microsoft.com/fwlink/?linkid=14845