Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-01-02

This topic explains how to create a new security policy for a computer running an Exchange Server role installed by using the Security Configuration Wizard (SCW) in Microsoft Exchange Server 2007. The SCW is a tool that was introduced with Microsoft Windows Server 2003 Service Pack 1. The SCW automates security best practices to reduce the attack surface for a server.

Use this procedure to create a custom security policy for your specific environment. After you create a custom policy, you use the policy to apply the same level of security to each Exchange 2007 server running the same server role or roles in your organization.

Before You Begin

Before you begin, you must follow these steps:

To perform the following procedure, the account you use must be delegated the following:

  • Exchange Server Administrator role and local Administrators group for the target server

To perform the following procedure on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.

For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations.

Note:
Some of the steps in the following procedure don't provide specific configuration details for all of the pages in the Security Configuration Wizard. In these cases, Microsoft recommends leaving the default selections if you are not certain which services or features to enable. As with all content in the Exchange 2007 Help file, the most up-to-date information about how to use the SCW with Exchange 2007 can be found at the Exchange Server TechCenter.

Procedure

To use the Security Configuration Wizard to create a custom security policy

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Security Configuration Wizard to start the tool. Click Next on the welcome screen.

  2. On the Configuration Action page, select Create a new security policy, and then click Next.

  3. On the Select Server page, verify that the correct server name appears in the Server (use DNS name, NetBIOS name, or IP address): field. Click Next.

  4. On the Processing Security Configuration Database page, wait for the progress bar to complete, and then click Next.

  5. On the Role-Based Service Configuration page, click Next.

  6. On the Select Server Roles page, select the Exchange 2007 roles that you have installed on the computer, then click Next.

  7. On the Select Client Features page, select each client feature that is required on your Exchange server, and then click Next.

  8. On the Select Administration and Other Options page, select each administration feature that is required on your Exchange server, and then click Next.

  9. On the Select Additional Services page, select each service that is required to be enabled on the Exchange server, and then click Next.

  10. On the Handling Unspecified Services page, select the action to perform when a service that is not currently installed on the local server is found. You can select to take no action by selecting Do not change the startup mode of the service, or you can select to automatically disable the service by selecting Disable the service. Click Next.

  11. On the Confirm Service Changes page, review the changes that this policy will make to the current service configuration. Click Next.

  12. On the Network Security page, verify that Skip this section is not selected, and then click Next.

  13. On the Open Ports and Approve Applications page, if you are running the SCW on an Edge Transport server, then you must add two ports for LDAP communication to Active Directory Application Mode (ADAM).

    1. Click Add. On the Add Port or Application page, in the Port number: field, enter 50389. Select the TCP check box, and then click OK.

    2. Click Add. On the Add Port or Application page, in the Port number: field, enter 50636. Select the TCP check box, and then click OK.

  14. (Edge Transport Server only) On the Open Ports and Approve Applications page, you must configure the ports for each network adapter.

    1. Select Port 25, and then click Advanced. On the Port Restrictions page, click the Local Interface Restrictions tab. Select Over the following local interfaces:, select both the internal network adapter and external network adapter check boxes, and then click OK.

    2. Select Port 50389, and then click Advanced. On the Port Restrictions page, click the Local Interface Restrictions tab. Select Over the following local interfaces:, select only the internal network adapter check box, and then click OK.

    3. Select Port 50636, and then click Advanced. On the Port Restrictions page, click the Local Interface Restrictions tab. Select Over the following local interfaces:, select only the internal network adapter check box, and then click OK.

    Note:
    You can also configure remote address restrictions for each port.
  15. On the Open Ports and Approve Applications page, click Next.

  16. On the Confirm Port Configuration page, verify that the incoming port configuration is correct, and then click Next.

  17. On the Registry Settings page, select the Skip this section check box, and then click Next.

  18. On the Audit Policy page, select the Skip this section check box, and then click Next.

  19. On the Internet Information Services (IIS) page, select the Skip this section check box, and then click Next.

  20. On the Save Security Policy page, click Next.

  21. On the Security Policy File Name page, enter a file name for the security policy and an optional description. Click Next. If a restart of the server is required after the policy is applied, a dialog box will appear. Click OK to close the dialog box.

  22. On the Apply Security Policy page, select Apply later or Apply now, and then click Next.

  23. On the Completing the Security Configuration Wizard page, click Finish.

For More Information