Topic Last Modified: 2005-11-18
The Microsoft® Exchange Server Analyzer Tool reads the following registry value to determine which version of the Microsoft Windows® operating system is running on the Exchange server:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentVersion
If the CurrentVersion value equals 5.0, the Exchange server is running on Microsoft Windows 2000 Server. If the CurrentVersion value is 5.2, the Exchange server is running on Microsoft Windows Server™ 2003.
Additionally, the Exchange Server Analyzer reads the following registry value to determine the path for the Windows Program Files directory:
HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir
The Exchange Server Analyzer then examines the Windows Program Files directory to determine whether the Windows Program Files directory contains the \Exchsrvr folder for Exchange Server.
Finally, the Exchange Server Analyzer queries the Win32_OperatingSystem Windows Management Instrumentation (WMI) class to determine the value for the ServicePackMajorVersion key. The value for the ServicePackMajorVersion key indicates which Windows service pack is installed on the computer.
The Exchange Server Analyzer displays a warning if the following conditions are true:
- The Exchange Server Analyzer determines that the Exchange
Server computer is running on Windows Server 2003 Service
Pack 1.
- The Exchange Server Analyzer determines that Exchange
Server 2003 is not installed in the default path of \Program
Files\Exchsrvr.
This warning indicates that Exchange Server 2003 is not installed in the default Program Files folder on the server and that the Security Configuration Wizard is installed on the Exchange server. The Security Configuration Wizard is a tool that is included as an optional component of Windows Server 2003 Service Pack 1. If the Security Configuration Wizard is installed on an Exchange server, manual configuration of the Network Security section is needed.
 Note: |
|---|
| To install the Security Configuration Wizard, you must first install Windows Server 2003 Service Pack 1. After Service Pack 1 is installed, open Add/Remove Programs in Control Panel to install the Security Configuration Wizard. |
The Security Configuration Wizard helps reduce the attack surface of Windows servers by asking the user a series of questions that are designed to determine the functional requirements of a server. Specifically, the Security Configuration Wizard helps you perform the following tasks:
- It automatically disables unnecessary services.
- It automatically blocks unused ports.
- It helps you apply additional address restrictions or security
restrictions for ports that are left open.
- It prevents unnecessary Internet Information Services (IIS) Web
extensions, if applicable.
- It reduces protocol exposure to server message block (SMB),
LanMan, and Lightweight Directory Access Protocol (LDAP).
- It defines a high signal-to-noise audit policy.
The Security Configuration Wizard guides you through the process of creating, editing, applying, or rolling back a security policy that is based on the selected roles of the server. The security policies that are created by using the Security Configuration Wizard are XML files that configure services, network security, specific registry values, and audit policy when they are applied. If applicable, Internet Information Services (IIS) can also be configured.
The Security Configuration Wizard includes a Network Security feature that configures and adds exceptions to Windows Firewall, in addition to performing other functions. Windows Firewall is the new version of the stateful packet filter in Windows Server 2003 Service Pack 1. Windows Firewall was first introduced in Windows XP Service Pack 2. It was called Internet Connection Firewall in Windows XP Service Pack 2.
There is a known issue that occurs when the Network Security feature in the Security Configuration Wizard runs on an Exchange server on which Exchange Server is not installed in the default path. In this configuration, the application of the resultant policy may cause Exchange Server to be inaccessible by clients. When the Network Security feature is used on an Exchange server on which Exchange Server is not installed to the default path, the Security Configuration Wizard can configure Windows Firewall to block TCP/IP port access by Exchange Server processes, such as the System Attendant (Mad.exe), the Microsoft Exchange Information Store (Store.exe), or the message transfer agent (Emsmta.exe). In this configuration, the Security Configuration Wizard displays Not Found! next to each process. If the Security Configuration Wizard is run until it is completed with a process that has Not Found! next to it, the Security Configuration Wizard applies security policy to the Windows Firewall that blocks network access by that process.
If the blocked processes include one or more Exchange Server processes, Exchange Server may become inaccessible by clients and other servers. If this condition exists, you should perform one of the following procedures to correct the problem.
To correct the problem-
Perform one of the following procedures to correct the problem:
- Use the rollback feature of the Security Configuration Wizard
to roll back a security policy after it has been applied. For more
information about how to do this, see the Security Configuration
Wizard Help file that is included with Windows Server 2003
Service Pack 1. For more information about Windows
Server 2003 Service Pack 1 and Security Configuration
Wizard, see the Windows Server 2003 TechCenter
(http://go.microsoft.com/fwlink/?LinkId=45315).
- In the Security Configuration Wizard, manually fill in the
Application path field to specify the location of the Exchange
Server executable process files. To do this, select the process
that has Not Found! next to it, and click Edit. It is
recommended that you run the Security Configuration Wizard on the
Exchange server to make sure that the path of each Exchange Server
process executable is correct. After each process executable has
been approved, the Security Configuration Wizard security policy
can be applied, and Exchange Server should have the network access
that it requires to function.
- Use the rollback feature of the Security Configuration Wizard
to roll back a security policy after it has been applied. For more
information about how to do this, see the Security Configuration
Wizard Help file that is included with Windows Server 2003
Service Pack 1. For more information about Windows
Server 2003 Service Pack 1 and Security Configuration
Wizard, see the Windows Server 2003 TechCenter
(http://go.microsoft.com/fwlink/?LinkId=45315).
For more information about Windows Server 2003 Service Pack 1 and the Security Configuration Wizard, see the Windows Server 2003 TechCenter (http://go.microsoft.com/fwlink/?LinkId=45315).