Configuring Security

General Security

The security features of Microsoft Exchange 2000 Server give you control over who can access Exchange objects in your organization and administrative groups, who can connect to your mail system, and what users can do. For example, you can limit message size through connectors, prevent mail from certain IP addresses from being relayed on virtual servers, audit user activity on public folders, and grant or revoke administrative permissions by user, group, or domain with Exchange Administration Delegation Wizard.

Exchange security builds upon Windows 2000 security. Windows 2000 Server offers security features, such as user accounts, group policies, security and authentication protocols, and security logs.

For help with specific tasks, see How To.

For general background information, see Concepts.

Answers to frequently asked questions

What is the simplest way to control access to Exchange objects such as servers, connectors, and folders?

Use Exchange Administration Delegation Wizard to assign different administrative permissions to different groups. First, create a security group in the Windows Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, give the group a descriptive name (for example, Finance Group or Mailbox Administrators), and add the appropriate users to the group. Then, using Exchange Administration Delegation Wizard, assign permissions to the group rather than to specific users.

You can also manage access to some Exchange objects individually, such as public folder trees, address lists, MDBs, protocols, and servers. First use Exchange Administration Delegation Wizard to set your overall permissions, and then configure special permissions on the public folder tree, address list, MDB, protocols, or servers.

How do I audit security breaches?

By auditing Exchange store objects, you can track configuration changes to your system in the Windows 2000 event logs. First, enable the type of auditing you want in the Windows 2000 Group Policy MMC snap-in, and then set auditing on the Exchange store object through its Security properties.

You can also use logging to track the commands that a virtual server receives from clients by enabling logging and setting the logging properties of the virtual server associated with each messaging transport protocol. For example, for each message, you can view the client's IP address, client's domain name, date and time of the message, number of bytes sent, and the protocol command sent. When used with Windows 2000 event logs, the protocol log enables you to audit the use of the virtual server and detect or trace problems.
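The following Python script is an added example, not part of the original documentation: it summarizes a virtual server protocol log per client IP address (commands seen, bytes sent) and lists clients with repeated rejected recipients. It assumes the log was written in W3C Extended Log File Format with the fields shown; the sample lines, the threshold, and the function names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample log (assumption: W3C Extended format with these fields enabled).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method sc-status sc-bytes
2001-03-14 09:12:01 192.0.2.10 HELO 250 41
2001-03-14 09:12:02 192.0.2.10 MAIL 250 44
2001-03-14 09:12:02 192.0.2.10 RCPT 250 32
2001-03-14 09:12:03 192.0.2.10 QUIT 221 60
2001-03-14 09:15:40 198.51.100.7 HELO 250 41
2001-03-14 09:15:41 198.51.100.7 MAIL 250 44
2001-03-14 09:15:41 198.51.100.7 RCPT 550 46
2001-03-14 09:15:42 198.51.100.7 RCPT 550 46
2001-03-14 09:15:42 198.51.100.7 RCPT 550 46
this line is truncated
"""

def parse_w3c(text):
    """Yield one dict per log entry, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed entries
                yield dict(zip(fields, values))

def summarize(entries):
    """Per client IP: commands seen, bytes sent, and rejected RCPT commands."""
    stats = defaultdict(lambda: {"commands": Counter(), "bytes": 0, "rejected_rcpt": 0})
    for e in entries:
        s = stats[e["c-ip"]]
        s["commands"][e["cs-method"]] += 1
        # W3C logs write "-" for an empty field; count it as zero bytes.
        s["bytes"] += int(e["sc-bytes"]) if e["sc-bytes"].isdigit() else 0
        if e["cs-method"] == "RCPT" and e["sc-status"].startswith("5"):
            s["rejected_rcpt"] += 1
    return dict(stats)

def flag_clients(stats, threshold=3):
    """Return clients with at least `threshold` rejected recipients, for review."""
    return sorted(ip for ip, s in stats.items() if s["rejected_rcpt"] >= threshold)

if __name__ == "__main__":
    stats = summarize(parse_w3c(SAMPLE_LOG))
    for ip, s in stats.items():
        print(ip, dict(s["commands"]), s["bytes"], s["rejected_rcpt"])
    print("review:", flag_clients(stats))
```

Correlate any flagged client with the Windows 2000 event logs for the same time window before acting on it.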

Should I use a firewall for security?

A firewall is one of the best ways to protect your system from external intruders. A firewall connects an internal network to another network while securely controlling access in both directions. A firewall can also be used to monitor traffic between your internal network and an external network, and can provide virus-scanning protection.

Do I need a proxy server in my firewall?

Exchange is inherently an application-specific proxy server that understands mail protocol and data, and can determine if data is corrupted or from an unacceptable source (for example, spam mail). If Exchange is configured correctly, you do not need a proxy server.

What tools does Windows 2000 provide to help set up security?

Windows 2000 provides an extensive set of tools to help administrators configure and manage group policies, local policies, file and folder access, system registry access, and auditing. Delegation of Control Wizard enables you to delegate administrative control for Active Directory organizational units to specified users and groups. Other tools are available through MMC snap-ins. For more information, see the Windows 2000 documentation.