Exchange 2010 Edge Server Security - Using SCW to Secure Edge Servers

The Security Configuration Wizard (SCW) is a tool that was introduced with Microsoft Windows Server 2003 Service Pack 1. Use the SCW to minimise the attack surface for servers by disabling Windows functionality that is not required for Microsoft Exchange Server 2010 server roles. The SCW automates the security best practice of reducing attack surface for a server.

The SCW uses a role-based model to determine which services the applications on a server actually require, and leaves the rest disabled. This reduces the exposure of Windows servers to exploitation of security vulnerabilities in components that are installed but never used.

Exchange 2010 provides an SCW template for each of the Exchange 2010 server roles. By using this template with the SCW, the Windows operating system can be configured to lock down services and ports that are not needed for each Exchange server role. When the SCW is run, a custom security policy is created for the environment. The custom policy can be applied to all Exchange servers in the organisation. The following functionality can be configured by using the SCW:

  • Server role: The SCW uses the server role information to enable the required services and open the matching ports in the local firewall.
  • Client features: Servers also act as clients to other servers. Select only the client features that are required for the environment.
  • Administration options: Select the options that are required for the environment, such as backup and error reporting.
  • Services: Select the services that are required for the server, and set the startup mode for services that are not specified by the policy. Unspecified services are services that are not installed on the server where the policy is created and therefore are not listed in the security configuration database. Because the policy may later be applied to servers that run a different set of services, the policy includes a setting that determines what happens when an unspecified service is found on a target server: either leave the service's startup mode unchanged, or disable the service.
  • Network security: Select the ports to open for each network interface. Access to ports can be restricted based on the local network interface or based on remote IP addresses and subnets.
  • Registry settings: Use the registry settings to configure the protocols that are used to communicate with other computers (for example, SMB signing and LDAP signing requirements).
  • Audit policy: The audit policy determines which success and failure events are logged and which file system objects are audited.

As part of the deployment process for the Edge servers, the SCW is run with the Exchange 2010 Edge Transport role template registered, the resulting policy is saved, and the policy is then applied to each Edge server. See https://technet.microsoft.com/en-us/library/aa998208.aspx for more information on securing Exchange 2010 Edge servers with SCW.
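The steps above (register the Edge role template, author and save a policy in the SCW, apply it to the Edge server) can be driven from the command line with scwcmd.exe rather than the wizard, which is useful when the same policy must be rolled out to several Edge servers consistently. The following PowerShell script is an added example and is not part of the original page or of Microsoft's own tooling. It assumes the Edge template is the Exchange2010Edge.xml file under the Exchange installation's scripts folder and uses the knowledge-base name Ex2010EdgeKB; both the template path and the policy file path are labelled assumptions or placeholders in the code, so adjust them to your environment. It analyses the server against the policy first (no changes made), applies the policy only if the analysis ran cleanly, and then lists the services that ended up disabled so the result can be reviewed against the Edge role's own dependencies.

```powershell
# Added example (not from the original page): register the Exchange 2010 Edge
# SCW template, analyse the server against a saved policy, apply the policy,
# and report the services that SCW has disabled.
# Run in an elevated PowerShell session on the Edge Transport server.

$ExchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V14'
$KbFile       = Join-Path $ExchangeRoot 'scripts\Exchange2010Edge.xml'  # assumed location of the Edge template
$KbName       = 'Ex2010EdgeKB'                                          # assumed knowledge-base name
$PolicyPath   = 'C:\SCW\Exchange2010EdgePolicy.xml'                     # placeholder: policy saved from scw.exe
$ReportDir    = 'C:\SCW\Reports'                                        # placeholder: where analysis XML goes

function Invoke-Scwcmd {
    # Runs scwcmd.exe synchronously with the given arguments and returns its exit code.
    param([string[]]$Arguments)
    $proc = Start-Process -FilePath 'scwcmd.exe' -ArgumentList $Arguments `
                          -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

# 1. Register the Exchange-supplied template so SCW knows about the Edge role.
#    Without this step, SCW has no knowledge of the Edge Transport services and
#    ports and would treat them as candidates for disabling.
if (-not (Test-Path $KbFile)) { throw "Edge SCW template not found at $KbFile" }
$rc = Invoke-Scwcmd @('register', "/kbname:$KbName", "/kbfile:`"$KbFile`"")
if ($rc -ne 0) { throw "scwcmd register failed with exit code $rc" }

# 2. Analyse the local server against the saved policy. This is read-only: it
#    writes one XML result file into $ReportDir describing every setting that
#    differs from the policy, which is the drift report to keep for audit.
if (-not (Test-Path $PolicyPath)) { throw "Policy file not found at $PolicyPath" }
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$rc = Invoke-Scwcmd @('analyze', "/p:`"$PolicyPath`"", "/o:`"$ReportDir`"")
if ($rc -ne 0) { throw "scwcmd analyze failed with exit code $rc" }
Write-Host "Analysis results written to $ReportDir (review before applying)."

# 3. Apply the policy. SCW records a rollback point when it configures a
#    server; 'scwcmd rollback' reverts to the pre-policy state if the Edge
#    role stops working (for example, because EdgeSync or SMTP was blocked).
$rc = Invoke-Scwcmd @('configure', "/p:`"$PolicyPath`"")
if ($rc -ne 0) { throw "scwcmd configure failed with exit code $rc" }

# 4. Post-check: list services whose start mode is now Disabled. Compare this
#    list with the services the Edge role needs; anything required that shows
#    up here means the 'unspecified services' setting in the policy was too
#    aggressive for this server and the policy should be corrected.
# Win32_Service is used rather than Get-Service so the script also works on
# the PowerShell 2.0 shipped with Windows Server 2008 R2.
Get-WmiObject Win32_Service |
    Where-Object { $_.StartMode -eq 'Disabled' } |
    Select-Object Name, DisplayName, StartMode |
    Sort-Object Name |
    Format-Table -AutoSize
```

Step 2 is the one worth keeping even if the rest is done through the wizard: running `scwcmd analyze` periodically against the saved policy turns the SCW policy into a drift check, so a service re-enabled or a firewall port opened after deployment shows up in the result file instead of going unnoticed.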