Center for Internet Security Benchmark for
Exchange 2007 for Windows Server 2003
Version 1.0

December 2007

Copyright 2001-2007, The Center for Internet Security (CIS)
Editor: Adam Cecchetti
Leviathan Security Group

http://www.cisecurity.org
cis-feedback@cisecurity.org







Table of Contents

Table of Contents
Terms of Use Agreement
Introduction
Explanation of This Document
Intended Audience
Security Levels
Precursor Technical Information
1. General Exchange Guidance
1.1. General Guidance
1.2. Exchange Edge vs. Hub Transport
1.3. Edge Server Management
1.4. Roles
1.5. Features
2. Recommended Security Settings for Exchange Controls
3. Pre-Installation and Installation Recommendations
3.1. Installation Host is Not a Domain Controller
3.2. Patches and Updates
3.3. Security Configuration Wizard
3.4. Disable Unnecessary Exchange Services and Roles
4. All Roles
4.1. Audit Administrative Access to Exchange
4.2. Ensure Fatal Error Reporting is Disabled
5. Edge Transport Role
5.1. Restrict Accepted Domains
5.2. Mail Routing Options
5.3. Audit Send Connector Address Space
5.4. Enable TLS for Smart Host Basic Authentication
5.5. Specify Block List Service Provider
5.6. Specify Allow List Service Provider
5.7. Filter Recipients Who Are Not in Directory
5.8. Filter Recipients
5.9. Filter Senders
5.10. Filter Blank Senders
5.11. Filter Custom Words
5.12. Filter Attachment Extensions
5.13. Configure Allowed IPs
5.14. Enable TLS for Basic Authentication
5.15. Restrict Mail Send Size
5.16. Restrict Mail Receive Size
5.17. Restrict Max Recipients
5.18. Restrict IP Range For Receive Connectors
5.19. Ensure Sender Reputation is Enabled
6. Mailbox Role
6.1. Restrict Email Deletion Retention
6.2. Restrict Mailbox Deletion Retention
6.3. Restrict Deletion of Mail or Mailboxes Until Archival
6.4. Mounting of Mailbox Database at Startup
6.5. Ensure Proper Permissions on Mail Database
6.6. Ensure Mailbox Database Cannot Be Overwritten
6.7. Verify Default Mailbox Storage Limits
6.8. Ensure Public Folder Database Cannot Be Overwritten
6.9. Verify Default Public Folder Storage Limits
6.10. Audit Public Folder Client Access
6.11. Audit Public Folder Administrative Access
6.12. Verify Proper Permissions on Public Folder Database
6.13. Mounting of Public Folder Database at Startup
6.14. Restrict Deletion of Mail or Mailboxes Until Archival
6.15. Restrict Mail Send Size
6.16. Restrict Mail Receive Size
6.17. Restrict Max Recipients
6.18. Audit Mailbox Spam Bypass Settings
6.19. AntiSpam Updates
6.20. Zero Out Deleted Database Pages
7. Hub Transport Role
7.1. Restrict Accepted Domains
7.2. Mail Routing Options
7.3. Audit DNS Lookup Servers
7.4. Enable TLS for Basic Authentication
7.5. Restrict Out of Office Responses
7.6. Restrict Mail Send Size
7.7. Restrict Mail Receive Size
7.8. Restrict Max Recipients
7.9. Restrict IP Range For Receive Connectors
8. Client Access Server Role
8.1. Require SSL for POP3
8.2. Limit Number of POP3 Connections
8.3. Enforce POP3 Connection Timeouts
8.4. Require SSL for IMAP
8.5. Enable IMAP Connection Timeout
8.6. Restrict Number of IMAP Connections
8.7. Remove Legacy Web Applications
8.8. Restrict Web Authentication Methods
8.9. Require SSL for Web Applications
8.10. Disable Web Anonymous Access
8.11. Enable Logging for Default Website
8.12. Enable Policy for ActiveSync
8.13. Forbid ActiveSync NonProvisionable Devices
8.14. Forbid ActiveSync Simple Device Password
8.15. Disable ActiveSync WSS/UNC Access
8.16. Require ActiveSync Password
8.17. Require ActiveSync Alphanumeric Password
8.18. Require ActiveSync Minimum Password Length
8.19. Require ActiveSync Password Expiration
8.20. Require ActiveSync Password History
8.21. Require ActiveSync Encryption
8.22. Restrict ActiveSync Attachment Size
8.23. Require ActiveSync Policy Refresh
8.24. Restrict ActiveSync Maximum Password Attempts
8.25. Require ActiveSync Certificate Based Authentication
8.26. Require ActiveSync Inactivity Lockout Time
8.27. Disable Outlook Anywhere
9. Unified Messaging Role
9.1. Disable Faxing
9.2. Require PIN Length
9.3. Require PIN Complexity
9.4. Restrict Allowed In-Country/Region Groups
9.5. Restrict Allowed International Groups
9.6. VoIP IPSec
10. Post Installation
10.1. Configure Monitoring
10.2. Install Anti-Virus Software
10.3. Security Configuration Wizard

Terms of Use Agreement

Background.
The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software, data,
information, suggestions, ideas, and other services and materials from the CIS website or
elsewhere ("Products") as a public service to Internet users worldwide. Recommendations
contained in the Products ("Recommendations") result from a consensus-building process that
involves many security experts and are generally generic in nature. The Recommendations are
intended to provide helpful information to organizations attempting to evaluate or improve the
security of their networks, systems, and devices. Proper use of the Recommendations requires
careful analysis and adaptation to specific user requirements. The Recommendations are not in
any way intended to be a "quick fix" for anyone's information security needs.
No Representations, Warranties, or Covenants.
CIS makes no representations, warranties, or covenants whatsoever as to (i) the positive or
negative effect of the Products or the Recommendations on the operation or the security of any
particular network, computer system, network device, software, hardware, or any component of
any of the foregoing or (ii) the accuracy, reliability, timeliness, or completeness of the Products
or the Recommendations. CIS is providing the Products and the Recommendations "as is" and
"as available" without representations, warranties, or covenants of any kind.
User Agreements.
By using the Products and/or the Recommendations, I and/or my organization ("We") agree and
acknowledge that:
1. No network, system, device, hardware, software, or component can be made fully
secure;
2. We are using the Products and the Recommendations solely at our own risk;
3. We are not compensating CIS to assume any liabilities associated with our use of the
Products or the Recommendations, even risks that result from CIS's negligence or
failure to perform;
4. We have the sole responsibility to evaluate the risks and benefits of the Products and
Recommendations to us and to adapt the Products and the Recommendations to our
particular circumstances and requirements;
5. Neither CIS, nor any CIS Party (defined below) has any responsibility to make any
corrections, updates, upgrades, or bug fixes; or to notify us of the need for any such
corrections, updates, upgrades, or bug fixes; and
6. Neither CIS nor any CIS Party has or will have any liability to us whatsoever (whether
based in contract, tort, strict liability or otherwise) for any direct, indirect, incidental,
consequential, or special damages (including without limitation loss of profits, loss of
sales, loss of or damage to reputation, loss of customers, loss of software, data,
information or emails, loss of privacy, loss of use of any computer
or other equipment, business interruption, wasted management or other staff resources or claims
of any kind against us from third parties) arising out of or in any way connected with our use of
or our inability to use any of the Products or Recommendations (even if CIS has been advised of
the possibility of such damages), including without limitation any liability associated with
infringement of intellectual property, defects, bugs, errors, omissions, viruses, worms,
backdoors, Trojan horses or other harmful items.

Grant of Limited Rights.
CIS hereby grants each user the following rights, but only so long as the user complies with all
of the terms of these Agreed Terms of Use:
1. Except to the extent that we may have received additional authorization pursuant to a
written agreement with CIS, each user may download, install and use each of the
Products on a single computer;
2. Each user may print one or more copies of any Product or any component of a Product
that is in a .txt, .pdf, .doc, .mcw, or .rtf format, provided that all such copies are printed
in full and are kept intact, including without limitation the text of this Agreed Terms of
Use in its entirety.

Retention of Intellectual Property Rights; Limitations on Distribution.
The Products are protected by copyright and other intellectual property laws and by international
treaties. We acknowledge and agree that we are not acquiring title to any intellectual property
rights in the Products and that full title and all ownership rights to the Products will remain the
exclusive property of CIS or CIS Parties. CIS reserves all rights not expressly granted to users in
the preceding section entitled "Grant of limited rights."
Subject to the paragraph entitled "Special Rules" (which includes a waiver, granted to some
classes of CIS Members, of certain limitations in this paragraph), and except as we may have
otherwise agreed in a written agreement with CIS, we agree that we will not (i) decompile,
disassemble, reverse engineer, or otherwise attempt to derive the source code for any software
Product that is not already in the form of source code; (ii) distribute, redistribute, encumber, sell,
rent, lease, lend, sublicense, or otherwise transfer or exploit rights to any Product or any
component of a Product; (iii) post any Product or any component of a Product on any website,
bulletin board, ftp server, newsgroup, or other similar mechanism or device, without regard to
whether such mechanism or device is internal or external, (iv) remove or alter trademark, logo,
copyright or other proprietary notices, legends, symbols or labels in any Product or any
component of a Product; (v) remove these Agreed Terms of Use from, or alter these Agreed
Terms of Use as they appear in, any Product or any component of a Product; (vi) use any Product
or any component of a Product with any derivative works based directly on a Product or any
component of a Product; (vii) use any Product or any component of a Product with other
products or applications that are directly and specifically dependent on such Product or any
component for any part of their functionality, or (viii) represent or claim a particular level of
compliance with a CIS Benchmark, scoring tool or other Product. We will not facilitate or
otherwise aid other individuals or entities in any of the activities listed in this
paragraph.
We hereby agree to indemnify, defend, and hold CIS and all of its officers, directors,
members, contributors, employees, authors, developers, agents, affiliates, licensors,
information and service providers, software suppliers, hardware suppliers, and all other
persons who aided CIS in the creation, development, or maintenance of the Products or
Recommendations ("CIS Parties") harmless from and against any and all liability,
losses, costs, and expenses (including attorneys' fees and court costs) incurred by CIS or
any CIS Party in connection with any claim arising out of any violation by us of the
preceding paragraph, including without limitation CIS's right, at our expense, to assume
the exclusive defense and control of any matter subject to this indemnification, and in
such case, we agree to cooperate with CIS in its defense of such claim. We further agree
that all CIS Parties are third-party beneficiaries of our undertakings in these Agreed
Terms of Use.
Special Rules.
The distribution of the NSA Security Recommendations is subject to the terms of the
NSA Legal Notice and the terms contained in the NSA Security Recommendations
themselves (http://nsa2.www.conxion.com/cisco/notice.htm).
CIS has created and will from time to time create, special rules for its members and for
other persons and organizations with which CIS has a written contractual relationship.
Those special rules will override and supersede these Agreed Terms of Use with respect
to the users who are covered by the special rules.
CIS hereby grants each CIS Security Consulting or Software Vendor Member and each
CIS Organizational User Member, but only so long as such Member remains in good
standing with CIS and complies with all of the terms of these Agreed Terms of Use, the
right to distribute the Products and Recommendations within such Member's own
organization, whether by manual or electronic means. Each such Member acknowledges
and agrees that the foregoing grant is subject to the terms of such Member's membership
arrangement with CIS and may, therefore, be modified or terminated by CIS at any time.
Choice of Law; Jurisdiction; Venue
We acknowledge and agree that these Agreed Terms of Use will be governed by and
construed in accordance with the laws of the State of Maryland, that any action at law or
in equity arising out of or relating to these Agreed Terms of Use shall be filed only in the
courts located in the State of Maryland, that we hereby consent and submit to the
personal jurisdiction of such courts for the purposes of litigating any such action. If any
of these Agreed Terms of Use shall be determined to be unlawful, void, or for any reason
unenforceable, then such terms shall be deemed severable and shall not affect the validity
and enforceability of any remaining provisions.
Terms of Use Agreement Version 2.1 – 02/20/04

Introduction

Explanation of This Document
This document is a general guide for securing Microsoft Exchange Server 2007
(Exchange) hosted on the Windows Server 2003 platform. The first section, Pre-Installation
and Installation, prescribes general advice for installing Exchange. The document then
breaks down the five (5) roles Exchange 2007 can perform and makes security
recommendations for each. These sets of rules constitute a benchmark. This benchmark
represents an industry consensus of "best practices", listing the steps to be taken as well as
the rationale for each recommendation.
Intended Audience
This document is intended for system administrators, but can be read by anyone involved
with or interested in installing and/or configuring Exchange. We assume that the reader is
a knowledgeable “system administrator.” In the context of this document, a
knowledgeable system administrator is defined as someone who can create and manage
accounts and groups, understands how operating systems perform access control,
understands how to set account policies and user rights, is familiar with how to set up
auditing and read audit logs, and can configure other similar system-related functionality.
Additionally, it is assumed that the reader is a competent Exchange administrator.
Consequently, no tutorial-type information is provided regarding Exchange or electronic
messaging in general. Many documents and books exist which provide this information,
including Microsoft’s web presence at http://www.microsoft.com. That site leads to an
extensive array of Exchange-related material.

Practical Application
The best use of this document is to review an organization's internal security policy and
then make adjustments as necessary. The benchmark can then be used to gauge the
security state of an Exchange server against that policy.
Security Levels

Legacy - Settings in this level are designed for Exchange Servers that need to operate
with older systems such as Exchange 2003, or in environments where older third party
applications are required. The settings will not affect the function or performance of the
operating system or of applications that are running on the system.

Enterprise - Settings in this level are designed for Exchange 2007 where legacy systems
are not required. This level assumes that all Exchange servers are 2007 or later and are
therefore able to use all possible security features available within those systems. In such
environments, these Enterprise-level settings are not likely to affect the function or
performance of the OS. However, one should carefully consider the possible impact to
software applications when applying these recommended technical controls.

Specialized Security – Limited Functionality – Formerly “High Security,” settings in
this level are designed for Exchange servers in which security and integrity are the
highest priorities, even at the expense of functionality, performance, and interoperability.
Therefore, each setting should be considered carefully and only applied by an
experienced administrator who has a thorough understanding of the potential impact of
each setting or action in a particular environment.
Precursor Technical Information

Exchange 2007 Shell
To open the Exchange 2007 Shell:

Go to Start -> All Programs -> Microsoft Exchange Server 2007 -> Exchange
Management Shell

This will be referred to throughout this document as EMShell; all commands required to
be run in the shell will be prefixed with EMShell >

Exchange 2007 Management Console
To open the Exchange Management Console:

Start -> All Programs -> Microsoft Exchange Server 2007 -> Exchange Management
Console

This will be referred to throughout this document as EMC; all actions first requiring the
console will be prefixed with EMC->


IIS 6.0 Management Console
To open the Internet Information Server Management Console:

Start -> All Programs -> Administrative Tools -> Internet Information Server (IIS)
Manager

This will be referred to throughout this document as IIS; all actions first requiring the
console will be prefixed with IIS>

Command Shell
To open the command shell:

Start -> Run
Enter cmd
Click OK

This will be referred to throughout this document as CMD; all actions first requiring the
command shell will be prefixed with CMD>