Executive Summary:
Use the Microsoft Exchange Server 2007 XML files Exchange2007.xml and Exchange2007Edge.xml with Windows Server 2003 SP1’s Security Configuration Wizard to secure your Exchange environment.

When Microsoft originally created the Security Configuration Wizard (SCW) as part of Windows Server 2003 SP1, it was intended primarily as a utility for helping network administrators to secure Windows. Even so, the wizard benefited Exchange Server administrators, because Exchange depends on Windows. After all, if Windows isn’t secure, then Exchange won’t be secure either.

When Microsoft created Exchange Server 2007, the company included a couple of XML files that can be used to extend the SCW. These files let Exchange administrators use the SCW to secure Exchange, not just Windows. In this article, I’ll show you how to install and configure the SCW, as well as how to use it to secure an Exchange server.

Installing the Security Configuration Wizard

Because the SCW was initially introduced in Windows 2003 SP1, you must install SP1 or a subsequent service pack in order to install the wizard. However, simply applying a service pack doesn’t install the SCW.

After the service pack is installed, start the Control Panel Add/Remove Programs applet. In the Add/Remove Programs dialog box, click Add/Remove Windows Components. You’ll see a list of various Windows components. Scroll through the list until you find the Security Configuration Wizard option. Select the corresponding check box, and click Next. Windows will then begin copying the necessary files. Depending on how your server is set up, you might be prompted to insert your Windows installation CD-ROM. When the file copy process is done, click Finish to complete the installation.

Adapting the Security Configuration Wizard for Exchange

After you install the SCW, you must adapt it for use with Exchange Server. To do so, insert your Exchange 2007 installation media and navigate to the Scripts folder.

Next, you need to locate the following two files: Exchange2007.xml and Exchange2007Edge.xml. You can use these two XML files to extend the SCW to support Exchange 2007. You must copy these files to the server’s %windir%\security\msscw\kbs folder.

The two XML files are security template files that are designed to make the SCW Exchange 2007–aware. The Exchange2007.xml file can be used for securing any Exchange 2007 server so long as it isn’t hosting the Edge Transport server role. Microsoft created a completely separate XML file, Exchange2007Edge.xml, to assist you in securing Edge Transport servers. As you probably know, an Edge Transport server operates at the network perimeter and therefore has very different security needs from those of Exchange 2007 servers hosting other roles—which is why Microsoft created two different XML files.

A benefit of the SCW is that it can be used to secure remote servers. I therefore suggest that you register both XML files with the SCW, so that you can use the wizard to secure any Exchange 2007 server. To use the SCW, you must be a member of the Exchange Server Administrators group and the local Administrators group for the target server.

You need to register the XML files before the SCW can use them. Registering the files is simple. To do so, open a command prompt window, and enter the following commands:

CD\Windows\SYSTEM32
SCWCMD Register /kbname:MSExchange /kbfile:%windir%\security\msscw\kbs\Exchange2007.xml
SCWCMD Register /kbname:MSExchangeEdge /kbfile:%windir%\security\msscw\kbs\Exchange2007Edge.xml

Figure 1 shows the result of running these commands.
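
The copy and registration steps above can also be scripted with pre-checks. The following PowerShell script is an added example, not part of the original article: the media path `D:\Scripts` is an assumed drive letter, PowerShell 2.0 or later is assumed, and the script assumes scwcmd follows the usual convention of returning a non-zero exit code on failure.

```powershell
# Added example: stage and register the Exchange 2007 SCW extension files.
# $MediaScripts is an assumed location for the Scripts folder on the media.
param([string]$MediaScripts = 'D:\Scripts')

$kbDir = Join-Path $env:windir 'security\msscw\kbs'

# KB names and file names as used in the article's SCWCMD commands.
$extensions = @{
    'MSExchange'     = 'Exchange2007.xml'
    'MSExchangeEdge' = 'Exchange2007Edge.xml'
}

if (-not (Test-Path $kbDir)) {
    throw "SCW folder $kbDir not found; install the Security Configuration Wizard first."
}

foreach ($kbName in $extensions.Keys) {
    $file   = $extensions[$kbName]
    $source = Join-Path $MediaScripts $file
    $target = Join-Path $kbDir $file

    if (-not (Test-Path $source)) { throw "Missing on media: $source" }

    # Refuse to stage a truncated or damaged copy: the file must parse as XML.
    try { $null = [xml](Get-Content $source) }
    catch { throw "$source is not well-formed XML: $_" }

    Copy-Item $source $target -Force

    # Passing the path as one argument keeps it intact even if it contains spaces.
    & "$env:windir\system32\scwcmd.exe" register "/kbname:$kbName" "/kbfile:$target"

    # Assumption: a non-zero exit code means the registration did not succeed.
    if ($LASTEXITCODE -ne 0) {
        throw "scwcmd register failed for $kbName (exit code $LASTEXITCODE)"
    }
    Write-Host "Registered $kbName from $target"
}
```

Run it from an elevated session on the server where the SCW is installed, passing `-MediaScripts` if the installation media is mounted elsewhere.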

Securing Exchange Server 2007

Now that you’ve installed the SCW and registered the necessary XML files, it’s time to use the wizard to secure an Exchange server. For the purposes of this article, I’ll show you how to use the SCW to secure a regular Exchange server (not an Edge Transport server). If you need to secure an Edge Transport server, the procedure for doing so is very similar, aside from some obvious differences (e.g., not belonging to the Active Directory—AD—that the rest of Exchange belongs to).

To launch the SCW, select it from the server’s Administrative Tools menu. The wizard’s Welcome screen will open and will present you with several warnings.

The first warning explains that you can use the SCW to create a security policy that can be applied to any server on the network, and that the various servers and security settings that are applied will be based on your server’s roles. However, you must keep in mind that the wizard doesn’t actually configure a server to perform a certain role. Configuring a server’s role is up to you. The SCW’s job is to create a security policy that is appropriate for the server based on its roles.

Another issue that you need to be aware of is that the SCW doesn’t automatically detect the server’s roles. Instead, the wizard will ask you which roles the server is performing. If you answer the wizard’s questions incorrectly, then the security policy might not be stringent enough, or it might be so strict that it prevents some necessary services or applications from running.