CIS Exchange Server 2007 Benchmark Version 1.1.0 Checklist Details

Supporting Resources:

Target:

Target: Exchange 2007 for Windows Server 2003
CPE Name: cpe:/a:microsoft:exchange_server:2007

Checklist Highlights

Checklist Name:
CIS Exchange Server 2007 Benchmark
Checklist ID:
186
Version:
Version 1.1.0
Type:
Compliance
Review Status:
Under Review
Authority:
Third Party: Center for Internet Security (CIS)
Original Publication Date:
11/30/2007

Checklist Summary:

This document is a general guide for securing Microsoft Exchange Server 2007 (Exchange) hosted on the Windows Server 2003 platform. The first section, pre-installation and installation, prescribes general advice for installing Exchange. The document then breaks down the five roles Exchange 2007 can perform and makes security recommendations for each. These sets of rules constitute a benchmark. The benchmark represents an industry consensus of "best practices", listing the steps to be taken as well as the rationale for each recommendation.

Checklist Role:

  • Enterprise Mail Server

Known Issues:

Not provided.

Target Audience:

This document is intended for system administrators, but can be read by anyone involved with or interested in installing and/or configuring Exchange. We assume that the reader is a knowledgeable "system administrator." In the context of this document, a knowledgeable system administrator is defined as someone who can create and manage accounts and groups, understands how operating systems perform access control, understands how to set account policies and user rights, is familiar with how to set up auditing and read audit logs, and can configure other similar system-related functionality. Additionally, it is assumed that the reader is a competent Exchange administrator. Consequently, no tutorial-type information is provided regarding Exchange or electronic messaging in general. Many documents and books exist which provide this information, including Microsoft's web presence at http://www.microsoft.com. That site leads to an extensive array of Exchange-related material.

Target Operational Environment:

Testing Information:

This document is a general guide for securing Microsoft Exchange Server 2007 (Exchange) hosted on the Windows Server 2003 platform.

Security Levels

  • Legacy - Settings in this level are designed for Exchange Servers that need to operate with older systems such as Exchange 2003, or in environments where older third party applications are required. The settings will not affect the function or performance of the operating system or of applications that are running on the system.
  • Enterprise - Settings in this level are designed for Exchange 2007 where legacy systems are not required. It assumes that all Exchange servers are 2007 or later, and therefore able to use all possible security features available within those systems. In such environments, these Enterprise-level settings are not likely to affect the function or performance of the OS. However, one should carefully consider the possible impact to software applications when applying these recommended technical controls.
  • Specialized Security - Limited Functionality (formerly "High Security") - Settings in this level are designed for Exchange servers in which security and integrity are the highest priorities, even at the expense of functionality, performance, and interoperability. Therefore, each setting should be considered carefully and only applied by an experienced administrator who has a thorough understanding of the potential impact of each setting or action in a particular environment.

Regulatory Compliance:

Not provided.

Comments/Warnings/Miscellaneous:

Not provided.

Disclaimer:

The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other services and materials from the CIS website or elsewhere ("Products") as a public service to Internet users worldwide. Recommendations contained in the Products ("Recommendations") result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems, and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. CIS makes no representations, warranties, or covenants whatsoever as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness, or completeness of the Products or the Recommendations. CIS is providing the Products and the Recommendations "as is" and "as available" without representations, warranties, or covenants of any kind.

Product Support:

Exchange Server 2007 Solution Center: http://support.microsoft.com/default.aspx?scid=ph;en-us;10926&sd=gn

Point of Contact:

http://www.cisecurity.org/

Sponsor:

cis-feedback@cisecurity.org

Licensing:

http://www.microsoft.com/exchange/howtobuy/default.mspx

Exchange Server 2007 Licensing

Licensing Modes

Exchange Server is licensed in the Server / Client Access License (CAL) model. Under this model, an Exchange Server license is required for each operating system environment running Exchange Server. A CAL is required for each user or device accessing Exchange Server.

Server and Client Access License Editions

Exchange Server 2007 is offered in two server editions:

  • Standard Edition
  • Enterprise Edition

Exchange Server 2007 is also offered in two CAL editions:

  • Standard CAL
  • Enterprise CAL

Either version of the CAL may be run against either version of the server. To learn more about the server and CAL editions, see Exchange Server 2007 Editions and Client Access Licenses. The Exchange Server Standard and Exchange Server Enterprise CAL licenses are also included in the Enterprise CAL Suite.

Note: The External Connector license (EC) is an optional additional server license for external users that enables access to your servers running Exchange Server 2007. With this license, you do not need to buy individual Exchange Server CALs. The EC license is purchased for every copy of Exchange Server 2007 that can be accessed by the external user. An example of an external user is a person who is not an employee or similar personnel of the company or its affiliates. This license allows access to the Exchange server by an unlimited number of external users that can include, but is not limited to, business partners, suppliers, customers, retirees, and alumni. It is licensed per server.

Upgrading Exchange Server 2007 Evaluation Software to Exchange Server 2007 Standard Edition or Enterprise Edition

You can upgrade your server running Exchange Server 2007 evaluation software to Exchange Server 2007 Standard Edition or Enterprise Edition at the end of the 120 day evaluation period with your product key. For more information about obtaining a product key, see Volume License and Online Services Keys. For more information about upgrading Exchange Server 2007 evaluation software, see Enter Product Key Wizard > Enter Product Key Page.

Change History:

Not provided.

Dependency/Requirements:


References:


NIST checklist record last modified on 11/17/2009


* This checklist is still undergoing review for inclusion into the NCP.