Now that Windows 2003 SP1 is out,
I wanted to mention a tool that has shipped as part of Windows
2003 SP1. While the tool itself is not installed by SP1, the
shortcut to the Help file is placed on the server desktop when
SP1 is installed. What
does that have to do with Exchange?

About the tool:

Security Configuration Wizard
(SCW) is an attack surface reduction tool that is part of
Windows Server 2003 SP1. SCW uses a roles-based metaphor (e.g.
"File Server", "Web Server", "Domain Controller", etc.) to
determine the desired functionality of a particular type of
server, then disables functionality that is not required for the
role(s) the server needs to perform. Specifically, SCW:

- Disables unneeded services
- Blocks unused ports
- Allows further (address or security) restrictions for ports
that are left open
- Prohibits unnecessary web extensions (if running IIS)
- Reduces Protocol Exposure (SMB, LanMan, LDAP)
- Defines an Audit Policy

SCW guides you through the
process of creating, editing, applying, or rolling back a
security policy based on the selected roles of the server. The
security policies that are created with SCW are XML files that,
when applied, configure services, network security, specific
registry values, audit policy, and if applicable, Internet
Information Services (IIS).

So - really, what does all this
have to do with Exchange, you ask?

There is a known issue with
Exchange server installed into a non-default path (something
other than %ProgramFiles%\Exchsrvr): if SCW is run and the
resulting policy is applied, Exchange Server might no longer be
accessible to clients. The possible gotcha is in
the "Network Security" portion of SCW, which configures the
Windows Firewall. This portion of SCW is used to turn on the
Windows Firewall and add exceptions to it. Exceptions are added by
pointing the Windows Firewall to the EXE file of the application
that is exempt from firewall blocking. SCW, however, expects those
applications (in our case, services) to be in their default
installation paths.
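The mismatch described above can be checked before a policy is applied by comparing each service's real executable path with the paths the firewall exceptions point to. The following is an added example, not part of the original post or of SCW: the function names are hypothetical, and the service names, drive letters and paths are constructed sample data.

```python
import ntpath
import re

# Constructed inventory (assumption): not real SCW or server output.
ENV = {"programfiles": r"C:\Program Files"}
SERVICES = {  # service name -> ImagePath, Exchange installed on D:
    "MSExchangeIS": r'"D:\Exchsrvr\bin\store.exe"',
    "MSExchangeSA": r"D:\Exchsrvr\bin\mad.exe",
    "IISADMIN": r"C:\WINDOWS\system32\inetsrv\inetinfo.exe",
}
EXCEPTIONS = [  # firewall exceptions written for default install paths
    r"%ProgramFiles%\Exchsrvr\bin\store.exe",
    r"%ProgramFiles%\Exchsrvr\bin\mad.exe",
    r"C:\WINDOWS\system32\inetsrv\inetinfo.exe",
]

def expand(path, env):
    """Expand %VAR% tokens case-insensitively; unknown tokens are kept."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)

def image_exe(image_path):
    """Strip surrounding quotes and trailing arguments from an ImagePath."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.*?\.exe)(?=\s|$)", s)
    return m.group(1) if m else s

def norm(path, env):
    """Windows-style comparison form: expanded, normalised, lower-cased."""
    return ntpath.normcase(ntpath.normpath(expand(path, env)))

def find_uncovered(services, exceptions, env):
    """Return (service, real exe, same-named exception paths) for every
    service whose executable is not covered by any exception path."""
    allowed = {norm(p, env) for p in exceptions}
    by_name = {}
    for p in allowed:
        by_name.setdefault(ntpath.basename(p), []).append(p)
    findings = []
    for svc, image in sorted(services.items()):
        exe = norm(image_exe(image), env)
        if exe not in allowed:
            stale = sorted(by_name.get(ntpath.basename(exe), []))
            findings.append((svc, exe, stale))
    return findings

if __name__ == "__main__":
    for svc, exe, stale in find_uncovered(SERVICES, EXCEPTIONS, ENV):
        print(f"{svc}: runs from {exe}, exception points to {stale or 'nothing'}")
```

A finding with a non-empty third element means an exception exists for the right file name but the wrong directory, which is the non-default-path case described above.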