Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-03-23
The Security Configuration Wizard (SCW) is a tool that was introduced with Microsoft Windows Server 2003 Service Pack 1. Use the SCW to minimize the attack surface for servers by disabling Windows functionality that is not required for Microsoft Exchange Server 2007 server roles. The SCW automates the security best practice of reducing attack surface for a server. The SCW uses a role-based metaphor to solicit services that are required for the applications on a server. This tool reduces the susceptibility of Windows environments to exploitation of security vulnerabilities.
Using the Security Configuration Wizard
Exchange 2007 provides an SCW template for each of the Exchange 2007 server roles. By using this template with the SCW, you can configure the Windows operating system to lock down services and ports that are not needed for each Exchange server role. When you run the SCW, you create a custom security policy for your environment. You can apply the custom policy to all Exchange servers in your organization. You can configure the following functionality by using the SCW:
- Server role: The SCW uses the server role information to enable services and open ports in the local
- Client features: Servers also act as clients to other servers. Select only the client features that are required for your environment.
- Administration options: Select the options that are required for your environment, such as backup and
- Services: Select the services that are required for the server, and set the startup mode for services that are not specified by the policy. Unspecified services are not installed on the selected server and are not listed in the security configuration database. The security policy that you configure might be applied to servers that are running different services than the server where the policy is created. You can select the policy setting that determines the action to perform when an unspecified service is found on a server that this policy is applied to. The action can be set to not change the startup mode of the service or to disable the service.
- Network security: Select the ports to open for each network interface. Access to ports can be restricted based on the local network interface or based on remote IP addresses and subnets.
- Registry settings: Use the registry settings to configure protocols that are used to communicate with
- Audit policy: The audit policy determines which success and failure events are logged and the file system objects that are audited.
For more information about the SCW, see the SCW Help file or Windows Server 2003 Security Configuration Wizard.
For more information about the services and ports that are enabled by the Exchange 2007 SCW registration files, see Services and Port Executables Enabled by the Exchange 2007 SCW Registration Files.
Using the Exchange Server 2007 SCW Template
After you install an Exchange server role, follow these steps to configure a security policy by using the SCW:
- Install the SCW. For detailed steps, see How to Install the Security Configuration Wizard.
- Register the SCW extension. For detailed steps, see How to Register Exchange Server Role SCW Extensions.
- Create a custom security policy and apply the policy to the local server. For detailed steps, see How to Create a New Exchange Server Role SCW Policy.
- If you have more than one Exchange server in your organization running a given role, you can apply your custom security policy to each Exchange server. For detailed steps, see How to Apply an Existing SCW Policy to an Exchange Server Role.
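
The registration and roll-out steps above can be scripted with scwcmd.exe, the command-line tool that is installed with the SCW. The following PowerShell script is an added example, not part of the original topic or a Microsoft-supplied script: the server names, folders and the values in angle brackets are assumptions or placeholders that must be replaced with the values given in the how-to topics, and it compares each server against the policy before changing anything.

```powershell
# Added example. Values in <angle brackets> are placeholders, not real names or paths;
# take them from the how-to topics for registering the Exchange SCW extensions.
$KbName     = '<KB name from the registration how-to>'
$KbFile     = '<path to the Exchange 2007 SCW registration file>'
$PolicyFile = 'C:\SCW\ExchangeRolePolicy.xml'   # hypothetical: policy saved by the wizard
$ResultDir  = 'C:\SCW\Analysis'                 # hypothetical: folder for analysis results
$Servers    = @('EXCH-HUB01', 'EXCH-HUB02')     # hypothetical servers running the same role
$Apply      = $false                            # set to $true only after reviewing the analysis

function Invoke-Scw {
    # Run scwcmd.exe with the given arguments and stop on a nonzero exit code
    # (assumption: scwcmd reports failure through its exit code).
    param([string[]]$ScwArgs)
    Write-Host "scwcmd $($ScwArgs -join ' ')"
    & scwcmd.exe $ScwArgs
    if ($LASTEXITCODE -ne 0) { throw "scwcmd failed: $($ScwArgs -join ' ')" }
}

# Register the Exchange extension on this server so that the wizard
# offers the Exchange 2007 server roles.
Invoke-Scw @('register', "/kbname:$KbName", "/kbfile:$KbFile")

# Creating the policy is interactive: run the wizard (scw.exe), select the
# Exchange role, and save the policy to $PolicyFile before continuing.
if (-not (Test-Path $PolicyFile)) {
    throw "Policy file not found: $PolicyFile. Create it with the wizard first."
}
if (-not (Test-Path $ResultDir)) { New-Item -ItemType Directory -Path $ResultDir | Out-Null }

# Compare each server with the policy first. The result files show which
# services, ports and settings the policy would change on that server.
foreach ($server in $Servers) {
    Invoke-Scw @('analyze', "/m:$server", "/p:$PolicyFile", "/o:$ResultDir")
}
Write-Host "Review the result files in $ResultDir (scwcmd view /x:<result file>)."

# Apply the same policy to every server that runs this role.
if ($Apply) {
    foreach ($server in $Servers) {
        Invoke-Scw @('configure', "/m:$server", "/p:$PolicyFile")
        # The last applied policy can be undone with: scwcmd rollback /m:<server>
    }
}
```

Run the script from an account that has administrative rights on every listed server. Keep `$Apply` set to `$false` for the first pass so that unexpected service or port changes show up in the analysis rather than in production.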