Blog Post

Exchange Team Blog
1 MIN READ

The first rule for secure deployment

The_Exchange_Team's avatar
Mar 18, 2004

Disable services, features and components that you are not using.
 
Exchange is a complex product that provides many features.  Many of the features are not used by every Exchange customer.  In Exchange 2003 we changed the install to only enable by default features used by the majority of our customers.  The reason for this is that it presents a smaller surface area for the product.  If all of the users of an Exchange server are using Outlook or OWA to read their email, then why should the Exchange server be listening on POP3, IMAP4, or NNTP interfaces.  Disabling unused components and services increases the security of the server by reducing the surface area Exchange is listening on. Having an unused feature enabled and running could also place extra load on the server and reduce the performance and throughput of that server. 
 
After disabling a component always ensure that the system still provides the required functionality.  There may be internal dependancies between components that are not imediately obvious.  Microsoft has just released the Exchange Server 2003 Security Hardening Guide at http://www.microsoft.com/downloads/details.aspx?FamilyId=6A80711F-E5C9-4AEF-9A44-504DB09B9065&displaylang=en. If you are an Exchange administator I recommend that you read though this guide and implement the policies that apply to your Exchange deployment.  Even if you have not deployed Exchange 2003 you will be able to put into practice many of the ideas this guide presents.

Michael Nelte

Published Mar 18, 2004
Version 1.0
  • You have been Taken Out! Comments about your posting in this link. Thanks!