Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-12-11

Microsoft Exchange Server 2007 is engineered to be secure-by-default for most customer scenarios. Generally for Exchange 2007, secure-by-default means that the following conditions are true:

This topic describes some recommended steps that you can take to better secure the messaging environment before and after you install Microsoft Exchange. We recommend that you refer to this checklist every time that you install a new Exchange server role.

As with all content in the Exchange 2007 Help file, the most up-to-date content can be found at the Exchange Server TechCenter.


Before installing Exchange 2007, perform the following procedures.

Procedures Check

Run Microsoft Update.


Run the Microsoft Malicious Software Removal Tool. The Malicious Software Removal Tool is included with Microsoft Update. More information about the tool can be found at Malicious Software Removal Tool.


Run the Microsoft Baseline Security Analyzer (



We recommend that you run the Security Configuration Wizard (SCW) on all Exchange 2007 server roles.

The SCW is a tool that was introduced with Microsoft Windows Server 2003 Service Pack 1. You can use the SCW to minimize the attack surface for servers by disabling Windows functionality that is not required for the Exchange 2007 server roles. The SCW automates the security best practice of reducing the attack surface for a server. The SCW uses a role-based metaphor to solicit services that are required for the applications on a server. This tool reduces the susceptibility of Windows environments to exploitation of security vulnerabilities.

For more information, see Using the Security Configuration Wizard to Secure Windows for Exchange Server Roles.

This is an optional task.