| Name |
CIS Exchange Server 2003 Benchmark |
| Version |
Version 1.0 |
| Status |
Final |
| Creation Date |
2005 |
| Revision Date |
2005-08-18 |
| Product Category |
Mail Server |
| Vendor |
Microsoft Corporation |
| Product |
Microsoft Exchange Server 2003 |
| Product Version |
Microsoft Exchange Server 2003 |
| Product Role |
Enterprise Email Server |
| Checklist Summary |
The purpose of this guide is to provide the reader with security configuration guidance for Microsoft’s Exchange Server 2003. Furthermore, it is assumed that the underlying operating system is Microsoft’s Windows Server 2003. The recommendations contained herein have been tested on a Windows Server 2003-based platform. Although most of the recommendations will apply even if Exchange is loaded over a different Windows OS, no statements regarding security or operability can be made for other platform configurations. |
| Known Issues |
This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. The security changes described in this document only apply to Microsoft Windows NT 4.0 Service Pack 6a systems and should not be applied to any other Windows NT versions or operating systems. You can severely impair or disable a Windows NT system with incorrect changes or accidental deletions when using programs (examples: Security Configuration Manager, Regedt32.exe, and Regedit.exe) to change the system configuration. Therefore, it is extremely important to test all settings recommended in this guide before installing them on an operational network. |
| Target Audience |
This document is intended for system administrators, but should be read by anyone involved with or interested in installing and/or configuring Exchange. We assume that the reader is a knowledgeable system administrator. In the context of this document, a knowledgeable system administrator is defined as someone who can create and manage accounts and groups, understands how operating systems perform access control, understands how to set account policies and user rights, is familiar with how to set up auditing and read audit logs, and can configure other similar system-related functionality. Additionally, it is assumed that the reader is a competent Exchange administrator. |
| Target Operational Environment |
Specialized-Security - Limited Functionality |
| Checklist Installation Tools |
Not Available. |
| Rollback Capability |
Not Available. |
| Testing Information |
Not Available. |
| NIAP/CMVP Status |
Not Available. |
| Regulatory Compliance |
Not Available. |
| Comments, Warnings, Disclaimer, Miscellaneous |
Refer to Known Issues. |
| Disclaimer |
Differs for Public and Private consumers; please read the disclaimer information on the CIS web site, located at: http://www.cisecurity.org/sub_form.html |
| Product Support |
|
| Submitting Organization/Authors |
The Center for Internet Security (CIS) |
| Point of Contact |
http://www.cisecurity.org/ |
| Sponsor |
Not Available |
| Licensing |
Differs for Public and Private consumers; please read the licensing information on the CIS web site, located at: http://www.cisecurity.org/sub_form.html |
| Checklist Homepage |
http://www.cisecurity.org/ |
| Download Package |
http://www.cisecurity.org/sub_form.html |
| Integrity |
sha1 (CIS_Exchange2003_Benchmark_v1.0.pdf) = 00915e0f58566d7ab20ecebf1f92423440e68d15
sha256 (CIS_Exchange2003_Benchmark_v1.0.pdf) = 4a57bfcec8552637440148f310dfa6e771c07cfe396388cd6aad1d5db500fc0f
|
| Change History |
Version 1.0: 2004-09-18 |
| Dependency/Requirement |
Exchange Server 2003 and Exchange Server Front-End and Back-End Topology, Windows Server 2003 Security Guide, Windows Server 2000 Operating System Level 2 Benchmark Consensus Baseline Security Settings, Exchange Server 2003 Security Hardening Guide, http://www.microsoft.com/security/guidance/prodtech/IIS.mspx, as appropriate. |
| References |
Exchange Server 2003 Deployment Guide, The Microsoft Corporation: http://www.microsoft.com/technet/prodtechnol/exchange/guides/Ex2k3DepGuide/f9918adf-057a-4235-8f7e-f7f27f3a8789.mspx
Joey Masterson and Andrew Moss, Exchange Server 2003 and Exchange Server Front-End and Back-End Topology, The Microsoft Corporation, July 2004.
Barry Gerber, Mastering Microsoft Exchange Server 2003, SYBEX Inc., 2003.
Kurt Dillard, Jose Maldonado, and Brad Warrender, Windows Server 2003 Security Guide, The Microsoft Corporation, 2003.
CIS, Windows Server 2000 Operating System Level 2 Benchmark Consensus Baseline Security Settings Version 1.02, 2 September 2003.
|
| NIST Identifier |
1091 |