It is always advisable to limit direct interaction with the server to avoid exposing it to unwanted practices. Minimize interactive logon sessions as an Administrator on the server itself by using Remote Desktop, Terminal Server, or a dedicated management station.
A split permission configuration model is most appropriate where Exchange is administered by separate groups in a decentralized delegation topology, for example when you want helpdesk-level administrators to create user accounts and the technicians at the sites to administer the mailboxes. The default configuration of Exchange and Active Directory requires that mailbox administrators belong to the "Account Operators" security group and that the members of the "Account Operators" group have read access to Exchange objects; that is the split permission model within Exchange 2003 and Active Directory. Remember also that patch management plans must extend beyond the operating system to the client desktop, because security issues are extremely demanding for Exchange 2003 and patching should be kept granular. Email has become a knowledge vault of information.
Exchange 2003 has a flexible infrastructure that allows the Administrator to integrate the latest third-party antispam technology, securing the data centre and freeing it from the difficulties of monitoring spam.
Intelligent Message Filter (IMF) uses SmartScreen technology, an algorithm used to distinguish unsolicited commercial email (UCE), including mirror spam. From the global settings in ESM it is possible to set the gateway blocking and junk email settings. IMF uses a Spam Confidence Level (SCL) number between 1 and 9 to rate messages passing through the SMTP connector.
Spammers and other attackers continuously innovate and develop new methods to defeat a company's internal server defenses. The perimeter of defence for the prevention of spam, viruses, phishing, and spyware must begin at the gateway tier of the network and then layer inward, providing multiple lines of defence. At the gateway tier we find the layer of routers, bridges, and switches that handles all of the network's packet traffic, including email traffic. It is extremely important to update the system automatically with the latest antispam and antivirus policies and rules using current virus definitions. Virus definitions are released rapidly and are certified; in addition they are updated multiple times a day (often hourly) and provide the fastest response to emerging threats. Scanning should take place at the Edge, Hub Transport, and Mailbox server roles. As with a DNS topology, the highest level of threat is at the Front-End server perimeter; for that perimeter the updates are best retrieved manually and configured through scripting. Email protection should span the gateway, mail server, and desktop tiers. The most important thing is to protect the Exchange mail stores. Make use of Microsoft Baseline Security Analyzer (MBSA) to streamline the security settings of Exchange.
To display the Security tab in ESM on all Exchange objects, open Regedit at
HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin
and add a value: Value Name: ShowSecurityPage, Data Type: REG_DWORD, Value: 1
Make use of the Network Security Hotfix Checker (HFNetChk) functionality integrated into the Microsoft Baseline Security Analyzer. The product must be downloaded from the Microsoft website. UrlScan is another security tool, used to restrict the types of HTTP requests that Internet Information Services (IIS) will process.
Download the Bad Mail Script to manage the BadMail folder, located under the root folder of the SMTP server: "C:\Program Files\Exchsrvr\Mailroot\Vsi 1\BadMail".
Then go and view
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SMTPSVC\Queuing\
The first key is "MaxBadMailFolderSize", a DWORD value containing the maximum size of the folder in kilobytes if you want the folder to remain operational. Set the value to 0 for no Bad Mail in the folder, because an ever-growing BadMail folder will eat up the CPU.
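As an added example, not the Microsoft Bad Mail script the notes refer to, here is a Python helper that measures a BadMail folder against the MaxBadMailFolderSize cap (in kilobytes) and lists stale files for review; the folder and its files are constructed by the helper itself for the demo.

```python
import os
import tempfile
import time

def badmail_report(folder, max_kb, stale_days=7):
    """Summarise a BadMail folder against the MaxBadMailFolderSize cap (KB).

    A cap of 0 follows the notes above: no bad mail should be kept at all.
    Returns the total size in whole KB (rounded up), whether the cap is
    exceeded, and the files older than stale_days, listed for review;
    nothing is deleted here."""
    total_bytes, stale = 0, []
    cutoff = time.time() - stale_days * 86400
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        total_bytes += st.st_size
        if st.st_mtime < cutoff:
            stale.append(name)
    total_kb = (total_bytes + 1023) // 1024
    over = total_kb > max_kb if max_kb > 0 else total_kb > 0
    return {"total_kb": total_kb, "over_limit": over, "stale": sorted(stale)}

def make_sample_folder():
    """Build a constructed BadMail folder for the demo: one 2 KB file dated
    30 days ago and one 100-byte file written just now. Returns the path."""
    folder = tempfile.mkdtemp(prefix="badmail_demo_")
    old = os.path.join(folder, "old.BAD")
    with open(old, "wb") as fh:
        fh.write(b"x" * 2048)
    thirty_days_ago = time.time() - 30 * 86400
    os.utime(old, (thirty_days_ago, thirty_days_ago))
    with open(os.path.join(folder, "new.BAD"), "wb") as fh:
        fh.write(b"y" * 100)
    return folder
```

Point badmail_report at the real "Vsi 1\BadMail" path and the registry cap to see whether the folder has outgrown the value you set.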
Download ExMon for use within your environment to view, evaluate and gather real-time data about your users; this is quite handy, as it helps you as an Exchange Administrator to better understand current client usage.
Auditing is configured by modifying the security descriptor on the object containing the attributes: SACLs identify the users and groups that you want to audit when they successfully access or fail to access an object, while an access control entry (ACE) is an entry in an object's DACL that grants permissions to a user or group.
Spammers can be blocked with RBLs or an administrative list of host names or IP addresses, configuring the SMTP connectors to return a 550 response to block the sender. Inbound recipient filtering will also reduce unsolicited commercial email from anonymously authenticated users. Do not make use of an open DNS relay server within the Active Directory design topology, for it leaves the Exchange 2003 server infrastructure open: anyone in the world can query it for domains for which it is non-authoritative. Understand that this breaches no RFC compliance, but it is considered to be a failed DNS test.
DSAccess is the centerpiece of the components that work with Active Directory, stressing the interoperability between Exchange 2003, DNS, WINS and AD. The DSAccess.dll file must not be corrupted. It makes use of dynamic updates from Active Directory, generating and controlling a suitable directory server list for the Exchange 2003 servers. It provides the ability to discover valid DCs and GCs using LDAP queries, with Kerberos for connectivity. It is a performance measure within Exchange 2003 that allows the network infrastructure to become less chatty. The Exchange components make use of the DCs as configuration servers. LDAP queries are cached and re-used by other Exchange components. Certain components, like Mailbox Manager, get the list of Exchange components directly from the GCs without interaction with DSAccess. The metabase categorizer of DSAccess uses the replication configuration update at an interval of 15 minutes. The DNS and AD design and implementation can hinder performance and infrastructure reliability. Only the GC servers can support name service provider interface (NSPI) requests in Native Mode.
The IIS SMTP Default Virtual Server (BadMail, Pickup and Queue folders) lives under Inetpub\Mailroot. From the command line the IIS metabase can be listed with adsutil.vbs (adsutil.vbs enum smtpsvc/1 | more); alternatively install MetaEdit, for which information can be found under article KB 232068. The SMTP Virtual Server resolves the MX record to find the recipient's domain, either internally or externally. Therefore the DNS records must be set up correctly, or the BadMail folder will fill up and mail will not be moved to the delivery queue.
It is possible to configure many security settings, including auditing, security options, registry settings, file permissions, and service settings, by using Group Policy Objects.
If you have several issues creating repetitive problems that cannot be fixed within your electronic messaging environment, it is a good idea to audit these problems. This is called Exchange Diagnostics Logging. It can be done with various third-party tools, but you may also use an Audit Policy located in the Local Policy or Domain Policy; turn it on from the Local Security Policy templates to account for successes and failures. Exchange 2003 configuration is stored in the Active Directory configuration partition and as such it constantly passes through the replication topology within the infrastructure; it is therefore considered to be dynamic data.
There are three types of system policies:
· Public folder store policies allow you to configure settings across public folder stores.
· Mailbox store policies allow you to configure settings across mailbox stores.
· Server policies allow you to enable message-tracking options on servers.
The routing topology:
· All of the Exchange 2003 servers within a routing group communicate with each other directly. To allow servers in different routing groups to talk to each other, Exchange 2003 requires a routing group connector. Bridgehead servers send mail over a routing group connector. The first designated bridgehead server is the routing group master. Link state information is communicated via SMTP port 691.
Enable auditing from the Default Domain Controller Policy: enable the Audit Policy setting for auditing directory access on the domain controllers, not on the Exchange servers, in order to get information from the configuration partition that holds the Exchange 2003 servers' configuration. Once auditing is enabled in this manner, the domain controllers' Event Logs make it possible to find the diagnostic logging for each ESM in use within the present infrastructure. The difficulty with Exchange is identifying which part of the underlying infrastructure is cumbersome and needs resolving.
Control object visibility, including servers, routing groups and admin groups, by using the Delegate Control Wizard to assign the Exchange View Only Administrator or Exchange Administrator roles; also learn to set detailed permissions with the registry key
HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin\ShowSecurityPage
(if this key is not present or is set to 0, the Security tab is only visible on the Address Lists, Global Address Lists, and the Databases, public folder and mailbox stores). By using ADSIedit you can hide the Global Settings tab from users or groups, or hide Routing Groups and the Public Folder container.
Boot.ini
Set the /3GB switch in the Boot.ini file to increase the virtual address space. Set the SystemPages value to zero, and set /Userva=3030.
SMTP settings:
Used to control the percentage of threads:
Location: HKLM\System\CurrentControlSet\Services\SMTPSVC\Queuing
Value: MaxPercentPoolThreads
In Exchange 2003 three registry entries are often adjusted simultaneously to increase the maximum number of files that can be opened by the SMTP service:
Location: HKLM\System\CurrentControlSet\Services\SMTPSVC\Queuing
Value: MsgHandleThreshold
Type: REG_DWORD
Location: HKLM\System\CurrentControlSet\Services\SMTPSVC\Queuing
Value: MsgHandleAsyncThreshold
Type: REG_DWORD
Location: HKLM\System\CurrentControlSet\Services\Inetinfo\Parameters
Value: FileCacheMaxHandles
Type: REG_DWORD
The MsgHandleThreshold and MsgHandleAsyncThreshold entries can be set to the same value; generally these settings are modified automatically under Exchange 2003.
CPU settings:
Enable control of the number of additional threads that can be spawned on a per-processor basis:
Location: HKLM\System\CurrentControlSet\Services\SMTPSVC\Queuing
Value: AdditionalPoolThreadsPerProc
DSAccess settings:
DSAccess directory lookup cache configuration:
Location: HKLM\System\CurrentControlSet\Services\MSExchangeDSAccess\Instance0
- The MTA routes LDAP queries through the DSAccess layer to AD.
- To connect to databases, the store process uses DSAccess to obtain configuration information from AD.
- To route messages, the transport process uses DSAccess to obtain information about the connector arrangement.
Memory configurations:
Configuration cache:
Location: HKLM\System\CurrentControlSet\Services\MSExchangeDSAccess\Instance0
Value: MaxMemoryConfig
Recipient cache:
Location: HKLM\System\CurrentControlSet\Services\MSExchangeDSAccess\Instance0
Value: MaxMemoryUser
Extensible Storage Engine heaps (virtual memory consumption):
Location: HKLM\Software\Microsoft\ESE98\Global\OS\Memory
Value: MPHeap parallelism
Type: REG_SZ
The value data setting must depend on the number of CPUs present in the system. In Exchange 2003 this calculation is now known to be automatic, but it is good to verify that it is set up properly.
Virtual memory fragmentation:
Location: HKLM\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
Value: Initial Memory Percentage
Type: REG_DWORD
Value Data: 0xa (hex)
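As an added example (not from the original notes), a small Python helper that parses a .reg export of the keys listed above and flags deviations from the settings the notes recommend (ShowSecurityPage, MaxBadMailFolderSize, the SMTPSVC handle thresholds, Initial Memory Percentage); the key paths and value names are those given above, while the sample export and its data are constructed for the demo.

```python
import re
# Constructed sample of a "Windows Registry Editor Version 5.00" export;
# every value below is made up for this demo, not taken from a real server.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin]
"ShowSecurityPage"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SMTPSVC\Queuing]
"MaxBadMailFolderSize"=dword:00000000
"MsgHandleThreshold"=dword:00001000
"MsgHandleAsyncThreshold"=dword:00000800

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem]
"Initial Memory Percentage"=dword:0000000a
"""

EXADMIN = r"HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin"
QUEUING = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SMTPSVC\Queuing"
IS_SYSTEM = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem"

def parse_reg(text):
    """Return {key_path: {value_name: value}}; dword values become ints."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16) if m.group(2) else m.group(3)
    return keys

def audit(keys):
    """Compare parsed values with the settings in the notes above; returns findings."""
    findings = []
    if keys.get(EXADMIN, {}).get("ShowSecurityPage") != 1:
        findings.append("ShowSecurityPage is not 1: Security tab hidden on most ESM objects")
    q = keys.get(QUEUING, {})
    if "MaxBadMailFolderSize" not in q:
        findings.append("MaxBadMailFolderSize not set: the notes expect an explicit cap or 0")
    if q.get("MsgHandleThreshold") != q.get("MsgHandleAsyncThreshold"):
        findings.append("MsgHandleThreshold and MsgHandleAsyncThreshold differ")
    if keys.get(IS_SYSTEM, {}).get("Initial Memory Percentage") != 0xA:
        findings.append("Initial Memory Percentage is not 0xa")
    return findings
```

Export the keys with regedit on the server and run audit(parse_reg(open(path).read())) on a management station to review them without an interactive logon.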
Log Buffers:
The log buffers are the area where information is held in memory before being written to the transaction logs. The out-of-the-box value of the msExchESEParamLogBuffers attribute is 500 by default. Make use of the ADSI tool for Exchange 2003 to set it to NOT SET.
Folder caching:
Exchange Server caches data about folders that are not currently being accessed. To reduce the maximum number of database tables, modify the value of the msExchESEParamMaxOpenTables attribute; after checking the Service Pack version it will be possible to set this value, which also depends on the number of processors per unit.
Fine-tuning of Microsoft Search directory settings:
HKEY_LOCAL_MACHINE\Software\Microsoft\Search\1.0\Indexer\<application name>\<index name>\ProjectPath
HKEY_LOCAL_MACHINE\Software\Microsoft\Search\1.0\gather\ExchangeServer_<instance>\<index name>\StreamLogsDirectory
HKEY_LOCAL_MACHINE\Software\Microsoft\Search\1.0\Gathering Manager\MaxDownloadSize
The Exchange security tasks are based upon an object-oriented security model, built on the concept of discretionary access control. In the same way it is possible to cache data about folders that are not currently accessed to reduce the cache's impact on virtual memory fragmentation. For these settings to be applied within the Exchange 2003 environment, the msExchESEParamMaxOpenTables attribute in Active Directory must be lowered. For reference, msExchESEParamMaxOpenTables is an attribute of the storage groups. Once again these values should be returned to NOT SET in Exchange 2003.
Outlook Web Access is comprised mainly of static files. On Exchange 2003 servers, the Exchweb virtual directory should always have its content expiration set to 1 day.
IMF - SMTP Connector
The Archive action causes the SMTP Connector to route the filtered messages to be stored as .eml files in the <drive letter>:\Program Files\exchsrvr\mailroot\vsi 1\UceArchive folder.