Applying the Finishing Touches


We've discussed a number of ways to make your Outlook Web Access installation more secure; as with most other Exchange security tasks, there are a few final steps you should take to best protect your servers.

Shutting Down the Information Store

In an FE/BE topology, there's often no need to have any mailbox or public folder stores on the FE. This happy fact has some positive consequences: if you don't have to have any mounted stores, the Information Store doesn't have to run. That improves server performance while removing a potential attack point. In addition, it makes backing up the server both easier and faster, and it reduces the amount of disk space the server needs (although admittedly an empty .edb file doesn't take up much space).

Let's begin with public folder stores. It's always safe to remove all of the public folder databases from an FE. Bear in mind that when you do, requests for public folder data have to be proxied using IMAP4 or NNTP to the BE. However, when you remove the public folder stores on the FE (instead of just dismounting them), you're guaranteed not to have any public folder-related replication traffic going to the FE, so on balance this is a pretty good deal.

Mailbox stores are a slightly different matter. Of course, an FE shouldn't have any user mailboxes on it, so you might think that it would be fine to dismount and remove the mailbox stores. However, this is only partially true. You can safely remove all mailbox stores from an FE server, as long as it isn't running SMTP. The SMTP service needs to have the Information Store running, and at least one mailbox store mounted, so that the Information Store can convert nondelivery reports (NDRs) to Internet format. If you ignore this restriction, NDRs will stack up in the local delivery queue on the FE until the store starts and the queue backlog is cleared.

There are two additional caveats. First, if the Information Store isn't running on a server, then you cannot use Internet Services Manager to make changes to its IIS configuration without first starting the service. That means that you cannot turn SSL on or off, change certificate mappings, or make any other changes to the underlying IIS configuration. If you need to make these changes after removing the stores, you'll have to start the Information Store, create the stores, and make the necessary changes.

Second, speaking of stores, don't remove the First Storage Group object from the FE, even if you're stopping the Information Store and keeping the databases offline. The Information Store depends on the presence of that object to start properly. It's perfectly acceptable for that storage group to have no mounted databases, but it must remain in place.

Minimizing Running Services

To make your Outlook Web Access servers as secure as possible, you should turn off all unnecessary services. Minimizing the attack surface of servers is an important part of your defense in depth. Outlook Web Access itself doesn't require any Exchange services: you can turn off the system attendant, the Information Store, and all other Exchange services if you like, with the exception of the Microsoft Exchange Routing Engine service (resvc), which must be running on all Exchange servers. Of course, when you do this, you give up a ton of management functionality, like the ability to use ESM from another machine to configure the OWA server.

Apart from that, you have a great deal of flexibility in turning off services. Microsoft Baseline Security Analyzer can scan servers looking for unnecessary services, provided you feed it a list of services to check for in a text file. (See Chapter 6, Windows Server Security Basics, for more details on how to perform such scans.) If you want to create a Services.txt file for scanning your FE servers, you can do so by adding the appropriate services to the file. The trick is in getting the right set of services. Appendix D of the Security Operations Guide for Microsoft Exchange 2000 Server contains a list of Windows 2000 services that are affected by the baseline Windows security templates included with that guide. Table 14-2 shows which services you should include in your Services.txt file for all Exchange servers. Note that I haven't included every service from Appendix D; I've only included the most important services that aren't already disabled by default.

Table 14-2: Services to Turn Off on Outlook Web Access Servers

Service Name | What It Does | Notes
Alerter | Sends alerts to remote machines |
Cisvc | Content indexing service | Disabled by default with Security Operations Guide (SOG) templates; should be running only on mailbox servers.
Dfs | Distributed File System server | This is normally enabled on domain controllers, but you shouldn't have a domain controller facing the Internet anyway.
Fax | Fax service |
IISADMIN | IIS Administrator service | Turning this off makes OWA quit working, because IIS Admin hosts the worker processes and ISAPIs on which OWA depends.
IMAP4Svc | Exchange IMAP4 protocol server | Enable this service only on servers that will be offering IMAP service.
LicenseService | License Logging Service | Should only be on for FEs that need to handle more than 10 simultaneous SSL connections; turn it off everywhere else.
MSDTC | Distributed Transaction Coordinator (part of COM+) | Must be present on clusters; shouldn't be on FEs, especially because it would be wasteful to cluster FEs.
MSExchangeIS | Exchange Information Store | Enable this service on any machine acting as a mailbox, public folder, or SMTP server; turn it off for machines running only Outlook Web Access, POP, or IMAP.
MSExchangeSA | Exchange system attendant | Only disable this service on Outlook Web Access-only servers that have no mailbox stores mounted; note that disabling it will block your ability to manage the server with ESM.
MSIServer | Windows Installer service | This is normally started manually, but should be explicitly disabled on any machine that faces the Internet.
NtFrs | File Replication Service | Often found on file and print servers; harmless in itself, but disable it to reduce the attack surface.
NtmsSvc | Removable storage management service |
POP3Svc | Exchange POP3 protocol server | Enable this service only on FEs that should be offering POP service.
RemoteAccess | Routing and Remote Access Service process | FEs shouldn't be running Routing and Remote Access Service; use a separate firewall appliance or Routing and Remote Access Service server.
Rpclocator | Remote procedure call locator service | Should only run on domain controllers, not FEs.
Schedule | Allows scheduled tasks to run | Turn off if you're not using scheduled jobs on the FE.
SecLogon | Service that implements the RunAs command | Keeping this off makes it somewhat harder for an attacker to elevate privileges.
SMTPSvc | SMTP service | Only turn this off if you're not using SMTP on your FE.
Spooler | Print spooler | Turn this off unless you really need to share printers on this server (strongly discouraged). Note that turning this service off also disables printing from the server to any other network printers.
TermService | Terminal Services process | The SOG templates turn this off by default. However, it's very useful, so most administrators will want it on. If you enable it, mitigate your risk by using an IP filter to restrict it to traffic from the internal LAN.
TlntSvr | Telnet server | Don't allow Telnet access to any server directly from the Internet.
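As an added example (this is not code from the book or from Microsoft), the following PowerShell script audits a front-end server against Table 14-2 and against the rule from "Shutting Down the Information Store" that SMTP on the FE needs the Information Store running. It assumes PowerShell with WMI access (Win32_Service) on the FE and administrator rights; the helper name Get-Svc, the -Apply switch, the split of the table into "always off" and "review" lists, and the one-service-name-per-line layout of the Services.txt file it writes for MBSA are all assumptions of this example.

```powershell
# Added example (not from the book): audit an OWA front-end server against
# Table 14-2 and the SMTP/Information Store rule. Assumes PowerShell with WMI
# access, run as an administrator on the FE. Without -Apply it only reports
# and writes a Services.txt for MBSA; with -Apply it also stops and disables
# the services in the unconditional list.
param(
    [switch]$Apply,
    [string]$ServicesFile = ".\Services.txt"
)

# Table 14-2 entries that the notes say should be off on an FE (assumed split).
$alwaysOff = @(
    'Alerter', 'Cisvc', 'Dfs', 'Fax', 'MSDTC', 'MSIServer', 'NtFrs', 'NtmsSvc',
    'RemoteAccess', 'Rpclocator', 'Schedule', 'SecLogon', 'Spooler', 'TlntSvr'
)

# Entries whose decision depends on the server's role: report, never change.
$conditional = @{
    'IMAP4Svc'       = 'keep only if this FE offers IMAP4'
    'POP3Svc'        = 'keep only if this FE offers POP3'
    'LicenseService' = 'needed only for more than 10 simultaneous SSL connections'
    'SMTPSvc'        = 'keep only if this FE handles SMTP'
    'MSExchangeIS'   = 'may be off only if SMTPSvc is not in use'
    'MSExchangeSA'   = 'disabling it blocks ESM management of this server'
    'TermService'    = 'if kept on, restrict it to the internal LAN with an IP filter'
}

# One WMI query; Win32_Service carries both State and StartMode.
$services = Get-WmiObject Win32_Service

# Hypothetical helper: look a service up by name (case-insensitive).
function Get-Svc([string]$name) {
    $services | Where-Object { $_.Name -eq $name }
}

# SMTP on the FE needs the Information Store running (with a mailbox store
# mounted) to convert NDRs, so flag SMTPSvc running while MSExchangeIS is not.
$smtp = Get-Svc 'SMTPSvc'
$is   = Get-Svc 'MSExchangeIS'
if ($smtp -and $smtp.State -eq 'Running' -and $is -and $is.State -ne 'Running') {
    Write-Warning "SMTPSvc is running but MSExchangeIS is not: NDRs will queue on this FE until the store starts."
}

# Report (and optionally fix) the unconditional list.
foreach ($name in $alwaysOff) {
    $svc = Get-Svc $name
    if (-not $svc) { continue }   # service not installed on this server
    if ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled') {
        Write-Host ("{0,-16} state={1,-8} start={2,-8} -> should be disabled" -f `
            $svc.Name, $svc.State, $svc.StartMode)
        if ($Apply) {
            if ($svc.State -eq 'Running') { Stop-Service -Name $name -Force }
            Set-Service -Name $name -StartupType Disabled
        }
    }
}

# Report the role-dependent list with the note from Table 14-2.
foreach ($name in $conditional.Keys) {
    $svc = Get-Svc $name
    if ($svc) {
        Write-Host ("{0,-16} state={1,-8} start={2,-8} -> review: {3}" -f `
            $svc.Name, $svc.State, $svc.StartMode, $conditional[$name])
    }
}

# Services.txt for MBSA: one service name per line (assumed format),
# unconditional list only, so the scan does not flag role-dependent services.
$alwaysOff | Set-Content -Path $ServicesFile
Write-Host "Wrote $ServicesFile with $($alwaysOff.Count) service names for MBSA."
```

Run it without -Apply first and read the report; the role-dependent services are deliberately left alone because only you know whether this FE offers POP3, IMAP4 or SMTP. The script checks service state only, so before relying on a stopped Information Store, also confirm in ESM that the First Storage Group object is still present, as the section above requires.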

Secure Messaging with Microsoft Exchange Server 2003
ISBN: 0735619905
Year: 2004
Pages: 189