Exchange Server-side Security Improvements


Exchange Server 2003 has numerous product enhancements and new features, including several that are security related. The following are some of the most notable server-level security features:

  • Distribution Lists Restricted to Authenticated Users: You can allow sending only from authenticated users, or specify which users can or cannot send mail to specified distribution lists.

  • Support of Real-Time Safe and Block Lists: Reduce the amount of unsolicited mail delivered to your organization with connection filtering.

  • Inbound Recipient Filtering: Reduce unsolicited email messages by filtering inbound messages based on the recipient. Messages that are addressed to users that are not found, or to whom the sender does not have permission to send, are rejected. This applies only to messages sent by anonymous (unauthenticated) senders.

  • Kerberos Authentication Between a Front-end and Back-end Server: To help ensure that credentials are securely passed from front-end to back-end servers, Exchange Server 2003 uses Kerberos delegation when sending user credentials.

  • Virus Scanning API 2.5: Third-party antivirus products can run on servers running Exchange Server 2003 that do not have resident Exchange mailboxes. These products can be configured to send messages to the sender and to delete messages.

  • Antispam Integration with Outlook 2003 and Outlook Web Access: You can upload the Safe and Block Senders List to Exchange Server 2003 for filtering.

  • Clustering Security: Exchange Server 2003 clustering supports Kerberos authentication against an Exchange virtual server. Exchange Server 2003 also supports Internet Protocol Security (IPSec) between front-end servers and clustered back-end servers running Exchange.

  • Public Folder Permissions for Unknown Users: When a public folder ACL contains distinguished names that cannot be resolved to security identifiers, the unresolvable distinguished names are dropped from the ACL.

  • Domain Users Denied Local Logon to Exchange Server 2003 Servers by Default: When Exchange Server 2003 is installed on a member server, the Domain Users group is denied local logon rights in the local security configuration. This prevents non-administrators from logging on to the server even if they gain physical or Remote Desktop access to the Exchange server.

  • Removal of Top-Level Public Folder Creation Permissions for Everyone and Anonymous Logon: Exchange Server 2003 curbs uncontrolled public folder creation by removing the ability of these groups to create top-level public folders.

  • Maximum Message Size Limitations: By default, Exchange Server 2003 limits public folder message sizes to 10MB. In addition, inbound and outbound messages have the same cap on message size.

  • Selected Services Disabled by Default: With the exception of in-place upgrades, services such as POP3, IMAP4, and Outlook Mobile Access (OMA) are installed but disabled by default. Administrators must manually enable these services.
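
The "Domain Users denied local logon" default above is worth verifying after installation rather than assuming. The following added example (not from the book or from Microsoft) parses a security template in the format produced by "secedit /export /cfg" (an assumption; the book does not show such an export) and checks whether the Domain Users group, identified by its well-known RID 513, appears in the SeDenyInteractiveLogonRight assignment. The template text and the domain SID in it are constructed sample data.

```python
# Constructed sample of a security template as exported by
# "secedit /export /cfg <file>" (assumed format, not shown on the page).
SAMPLE_TEMPLATE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-21-1004336348-1177238915-682003330-513
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1004336348-1177238915-682003330-513
[Version]
signature="$CHICAGO$"
Revision=1
"""

DOMAIN_USERS_RID = "513"  # well-known relative ID of the Domain Users group


def parse_privilege_rights(template_text):
    """Return {right_name: [sid_or_account, ...]} from [Privilege Rights]."""
    rights = {}
    in_section = False
    for raw in template_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        # secedit prefixes SIDs with '*'; entries without '*' are account names
        rights[name] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return rights


def is_domain_users_sid(sid):
    """True for a domain SID (S-1-5-21-...) whose last component is RID 513."""
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] == DOMAIN_USERS_RID


def domain_users_denied_logon(template_text, right="SeDenyInteractiveLogonRight"):
    """True if Domain Users is listed in the given deny-logon right."""
    sids = parse_privilege_rights(template_text).get(right, [])
    return any(is_domain_users_sid(s) for s in sids)


if __name__ == "__main__":
    print(domain_users_denied_logon(SAMPLE_TEMPLATE))  # prints True
```

On a real server, export the local policy with secedit, read the file, and pass its contents to domain_users_denied_logon; a False result means the hardening the book describes is not in effect.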

Security Roles in Exchange Server 2003

Exchange Server 2003 administration is determined through permissions and Exchange roles. Roles determine the level to which IT personnel can administer Exchange objects within the Exchange organization.

The Exchange Server 2003 roles work in conjunction with standard Windows Server 2003 groups and permissions structures. However, they are different and can be a bit confusing at first. For instance, the Exchange Full Administrator role is not found in Active Directory Users and Computers the way a standard user or group would be. Rather, the Exchange Server 2003 roles should be viewed as templates that define how administrators manage and maintain Exchange.

In previous versions, permissions were set through applying rights to Active Directory users' and groups' Exchange objects property pages. Now, role-based administration is assigned using the Exchange Server 2003 Delegation Wizard.

NOTE

For more information on Exchange Server 2003 administration, refer to Chapter 18, "Exchange Server 2003 Mailbox, Distribution List, and Site Administration."


Depending on where and which roles are assigned, different levels of permissions can be applied to different Exchange server objects. The three Exchange server administrative roles are

  • Exchange Full Administrator: The Exchange Full Administrator role is the least restrictive of the three Exchange Server 2003 roles. Similar to Full Control, this role allows administrators to manage Exchange objects (that is, add, delete, and change permissions and objects). Assign this role only to Exchange administrators who require complete access to the Exchange Server 2003 organization. An administrator holding this role must also be manually added to the Exchange Server 2003 server's local Administrators group.

  • Exchange Administrator: This role is ideal for daily Exchange administration, giving Exchange Server 2003 administrators the ability to add, change, or modify objects. This role cannot modify the permissions of other Exchange administrative roles. It is recommended that an administrator holding this role also be placed in the server's local Administrators group.

  • Exchange View Only Administrator: The Exchange View Only Administrator role is the most restrictive of all Exchange roles because it allows administrators only to view Exchange objects. Use this role to restrict administrative permissions between Exchange administrative groups.

Required Roles to Install Additional Exchange Server 2003 Servers

In previous versions of Exchange, the Exchange Full Administrator role was required to install additional Exchange servers in the organization. This is no longer required in Exchange Server 2003. Exchange Full Administrator rights at the administrative group level can now be delegated to allow other Exchange administrators to add new Exchange Server 2003 servers within their location. This reduces the amount of administrative overhead.

To delegate control to other Exchange administrators to install additional Exchange Server 2003 servers, do the following:

  1. Open the Exchange System Manager (ESM) from the Start, All Programs, Microsoft Exchange menu by selecting System Manager.

  2. Expand Administrative Groups and then right-click on the administrative group that requires delegated control and select Delegate Control.

  3. In the Exchange Administration Delegation Wizard, click Next.

  4. In the next window, shown in Figure 12.1, click Add to add the user or group who will add an Exchange Server 2003 server in the site.

     [Figure 12.1. Using the Exchange Administration Delegation Wizard.]

  5. Select the role of Exchange Full Administrator and click OK.

  6. Click Next and then Finish.

TIP

The user or group should also be a member of the local administrators group on the server. Run the Exchange Administration Delegation Wizard again on either the Organization or administrative group to view who has been delegated Exchange roles.



Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
Year: 2003
Pages: 393
Authors: Rand Morimoto