We've discussed a number of ways to make your Outlook Web Access installation more secure; as with most other Exchange security tasks, there are a few final steps you should take to best protect your servers.
In an FE/BE topology, there's often no need to have any mailbox or public folder stores on the FE. This happy fact has some positive consequences: if you don't have to have any mounted stores, the Information Store doesn't have to run. That improves server performance while removing a potential attack point. In addition, it makes backing up the server both easier and faster, and it reduces the amount of disk space the server needs (although admittedly an empty .edb file doesn't take up much space).
Let's begin with public folder stores. It's always safe to remove all of the public folder databases from an FE. Bear in mind that when you do, requests for public folder data have to be proxied using IMAP4 or NNTP to the BE. However, when you remove the public folder stores on the FE (instead of just dismounting them), you're guaranteed not to have any public folder-related replication traffic going to the FE, so on balance this is a pretty good deal.
Mailbox stores are a slightly different matter. Of course, an FE shouldn't have any user mailboxes on it, so you might think that it would be fine to dismount and remove the mailbox stores. However, this is only partially true. You can safely remove all mailbox stores from an FE server, as long as it isn't running SMTP. The SMTP service needs to have the Information Store running, and at least one mailbox store mounted, so that the Information Store can convert nondelivery reports (NDRs) to Internet format. If you ignore this restriction, NDRs will stack up in the local delivery queue on the FE until the store starts and the queue backlog is cleared.
There are two additional caveats. First, if the Information Store isn't running on a server, then you cannot use Internet Services Manager to make changes to its IIS configuration without first starting the service. That means that you cannot turn SSL on or off, change certificate mappings, or make any other changes to the underlying IIS configuration. If you need to make these changes after removing the stores, you'll have to start the Information Store, create the stores, and make the necessary changes.
Speaking of stores, don't remove the First Storage Group object from the FE, even if you're stopping the Information Store and keeping the databases offline. The Information Store depends on the presence of that object to start properly. It's perfectly acceptable for that storage group to have no mounted databases, but it must remain in place.
To make your Outlook Web Access servers as secure as possible, you should turn off all unnecessary services. Minimizing the attack surface of servers is an important part of your defense in depth. Outlook Web Access itself doesn't require any Exchange services: you can turn off the system attendant, the Information Store, and all other Exchange services if you like, with the exception of the Microsoft Exchange Routing Engine service (resvc), which must be running on all Exchange servers. Of course, when you do this, you give up a ton of management functionality, like the ability to use ESM from another machine to configure the OWA server.
Apart from that, you have a great deal of flexibility in turning off services. Microsoft Baseline Security Analyzer can scan servers looking for unnecessary services, provided you feed it a list of services to check for in a text file. (See Chapter 6, Windows Server Security Basics, for more details on how to perform such scans.) If you want to create a Services.txt file for scanning your FE servers, you can do so by adding the appropriate services to the file. The trick is in getting the right set of services. Appendix D of the Security Operations Guide for Microsoft Exchange 2000 Server contains a list of Windows 2000 services that are affected by the baseline Windows security templates included with that guide. Table 14-2 shows which services you should include in your Services.txt file for all Exchange servers. Note that I haven't included every service from Appendix D; I've only included the most important services that aren't already disabled by default.
| Service Name | What It Does | Notes | 
|---|---|---|
| Alerter | Sends alerts to remote machines | |
| Cisvc | Content indexing service | Disabled by default with Security Operations Guide (SOG) templates; should be running only on mailbox servers. | 
| Dfs | Distributed File System server | This is normally enabled on domain controllers, but you shouldn't have a domain controller facing the Internet anyway. |
| Fax | Fax service | |
| IISADMIN | IIS Administrator service | Turning this off makes OWA quit working because it hosts the worker processes and ISAPIs on which OWA depends. |
| IMAP4Svc | Exchange IMAP4 protocol server | Enable this service only on servers that will be offering IMAP service. | 
| LicenseService | License Logging Service | Should only be on for FEs that need to handle more than 10 simultaneous SSL connections; turn it off everywhere else. | 
| MSDTC | Distributed Transaction Coordinator (part of COM+) | Must be present on clusters; shouldn't be on FEs, especially because it would be wasteful to cluster FEs. |
| MSExchangeIS | Exchange Information Store | Enable this service on any machine acting as a mailbox, public folder, or SMTP server; turn it off for machines running only Outlook Web Access, POP, or IMAP. | 
| MSExchangeSA | Exchange system attendant | Only disable this service on Outlook Web Access-only servers that have no mailbox stores mounted; note that disabling it will block your ability to manage the server with ESM. |
| MSIServer | Windows Installer service | This is normally started manually, but should be explicitly disabled on any machine that faces the Internet. | 
| NtFrs | File Replication Service | Often found on file and print servers; harmless in itself, but disable it to reduce the attack surface. | 
| NtmsSvc | Removable storage management service | |
| POP3Svc | Exchange POP3 protocol server | Enable this service only on FEs that should be offering POP service. | 
| RemoteAccess | Routing and Remote Access Service process | FEs shouldn't be running Routing and Remote Access Service; use a separate firewall appliance or Routing and Remote Access Service server. |
| Rpclocator | Remote procedure call locator service | Should only run on domain controllers, not FEs. | 
| Schedule | Allows scheduled tasks to run | Turn off if you're not using scheduled jobs on the FE. |
| SecLogon | Service that implements RunAs command | Keeping this off makes it somewhat harder for an attacker to elevate privileges. | 
| SMTPSvc | SMTP service | Only turn this off if you're not using SMTP on your FE. |
| Spooler | Print spooler | Turn this off unless you really need to share printers on this server (strongly discouraged). Note that turning this service off also disables printing from the server to any other network printers. | 
| TermService | Terminal Services process | The SOG templates turn this off by default. However, it's very useful, so most administrators will want it on. If you enable it, mitigate your risk by using an IP filter to restrict it to traffic from the internal LAN. |
| TlntSvr | Telnet server | Don't allow Telnet access to any server directly from the Internet. |
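
The rules above can be turned into a small check for a front-end server. The following is an added example, not code from the book or from Microsoft: it derives the Services.txt entries for an FE from Table 14-2 and audits a list of running services, including the SMTP/Information Store dependency and the two services that must stay up. The role flag names, the one-name-per-line Services.txt layout, and the sample inventory are assumptions made for illustration.

```python
# Added example: the role flags and sample data below are constructed.

# Table 14-2 services an FE has no reason to run, whatever its protocol roles.
ALWAYS_OFF = ["Alerter", "Cisvc", "Dfs", "Fax", "MSDTC", "MSIServer", "NtFrs",
              "NtmsSvc", "RemoteAccess", "Rpclocator", "SecLogon", "Spooler",
              "TlntSvr"]
# Service -> hypothetical role flags that justify leaving it enabled.
CONDITIONAL = {
    "IMAP4Svc": {"imap"},
    "POP3Svc": {"pop"},
    "SMTPSvc": {"smtp"},
    "MSExchangeIS": {"smtp"},            # SMTP needs the store for NDR conversion
    "MSExchangeSA": {"smtp", "remote_esm"},
    "Schedule": {"scheduled_jobs"},
    "TermService": {"terminal_services"},
    "LicenseService": {"many_ssl"},      # more than 10 simultaneous SSL connections
}
# OWA stops without IISADMIN; resvc must run on every Exchange server.
ALWAYS_ON = ["IISADMIN", "resvc"]

def services_txt(roles):
    """Service names to list in Services.txt (assumed: one per line)."""
    flagged = list(ALWAYS_OFF)
    flagged += [svc for svc, why in CONDITIONAL.items() if not (why & roles)]
    return sorted(flagged, key=str.lower)

def audit(running, roles):
    """Compare running service names (case-insensitive) with the policy."""
    up = {name.lower() for name in running}
    findings = [f"{svc}: running but not needed for roles {sorted(roles)}"
                for svc in services_txt(roles) if svc.lower() in up]
    findings += [f"{svc}: must be running"
                 for svc in ALWAYS_ON if svc.lower() not in up]
    if "smtpsvc" in up and "msexchangeis" not in up:
        findings.append("SMTPSvc without MSExchangeIS: NDRs will stack up "
                        "in the local delivery queue")
    return findings

# Constructed inventory of an OWA-only FE that still has SMTP and the spooler on.
SAMPLE_RUNNING = ["IISADMIN", "resvc", "SMTPSvc", "Spooler", "TermService", "W3SVC"]

def demo():
    return audit(SAMPLE_RUNNING, roles={"terminal_services"})

if __name__ == "__main__":
    print("\n".join(services_txt({"terminal_services"})))
    print("\n".join(demo()))
```

Services that Table 14-2 does not mention, such as W3SVC in the sample, are neither flagged nor required by this check.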
