Microsoft Press 70-284 Training Kit, Exchange Server 2003, part 8

11-24 Chapter 11 Microsoft Exchange Server 2003 Security
Evaluating E-Mail
If Outlook receives an unauthenticated e-mail message from an external source, it evaluates the source IP address against the Accept and Deny lists and rejects the message if a match is found on the Deny list. If the IP address is not on the Accept or Deny list, Outlook evaluates the message against an RBL. If a match is found on the RBL, then Outlook stops the message at the protocol level.
Otherwise, Outlook evaluates messages against any third-party, anti-junk e-mail products or plug-ins configured at the transport layer. The third-party product analyzes the message and assigns it a Spam Confidence Level (SCL) value that indicates the degree to which the message can be considered unsolicited commercial e-mail. The SCL value is from 1 through 10—the lower the value, the higher the probability that the message is junk mail.
Outlook moves the e-mail message into the information store and, based on the SCL value and Outlook’s user settings, it either delivers the message to a folder or deletes it. If you set Outlook’s filter to Low, it sends any message ranked below 4 to the Junk E-Mail folder. If you set the filter to High, Outlook sends any message ranked below 7 to the Junk E-Mail folder.
Guidelines for Securing Mailboxes
When developing a strategy for securing Exchange Server 2003 mailboxes, you should consider the following guidelines:
■ Prevent users outside your Exchange organization from receiving out-of-office e-mail messages. You can configure the default SMTP policy, or create SMTP policies on a domain-by-domain basis, that do not reply to out-of-office messages or forward such messages to the Internet.
■ Prevent users from receiving e-mail from unidentified domains or from predetermined domains. You can configure virtual servers to deny messages from unidentified domains or from any domain that you select.
■ Limit access to e-mail content by digitally signing and encrypting e-mail messages. You can ensure that only the intended recipient views the message content by using digital signatures and encryption.
■ Prohibit unauthorized users from using distribution lists. You can configure distribution lists to accept e-mail from authenticated users only.
■ Filter unsolicited e-mail. You can create a message filter and then apply that filter to each applicable virtual server. You can filter a message by sender, recipient, or domain.
■ Prevent junk e-mail. You can search incoming and outgoing e-mail for specific words, phrases, and senders. You can configure OWA and Outlook 2003 to determine how junk e-mail should be handled.
Recipient and Sender Filtering
You can block unwanted e-mail based on IP addresses, sender e-mail address, recipient e-mail addresses, or e-mail domain. You block e-mail by configuring Accept and Deny lists, which can be configured through the global Message Delivery object and then applied to individual virtual servers.
Recipient Filtering
You can use recipient filtering to reduce junk e-mail. You can filter e-mail that is addressed to users who are not found in Active Directory or to whom the sender does not have permissions to send e-mail. Exchange Server 2003 rejects any incoming e-mail that matches the defined criteria at the protocol level and returns a 550 error. You can also use recipient filtering to filter messages that are sent to well-defined recipients, such as root@domain and inet@domain. Mail addressed to such recipients is indicative of unsolicited commercial e-mail.
Note Recipient filtering rules apply only to anonymous connections. Authenticated users and other Exchange servers bypass these rules.
Sender Filtering
Sender filtering reduces junk e-mail by enabling you to create filters based on the sender of the message. You can, for example, filter messages that are sent by specific users or messages that are sent without sender addresses. You can archive filtered messages, or you can drop the connection if the sender’s address matches the filter criterion.
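The following is an added example, not code from the training kit or from Exchange itself. It simulates, in one place, the evaluation order described in the Evaluating E-Mail section above (Accept and Deny lists, then an RBL, then SCL-based folder placement in Outlook 2003) together with the recipient and sender filtering just described, including the note that recipient filtering applies only to anonymous connections. All IP ranges, addresses, list entries and block-list answers are constructed sample data, and the RBL lookup is a dictionary standing in for the DNS query a real provider would answer. The SCL scale and the Low and High thresholds are used exactly as this lesson states them.

```python
"""Added worked example (not from the training kit): a simulation of the
filtering order this lesson describes, from connection filtering (Accept and
Deny lists, then an RBL) through sender and recipient filtering at the SMTP
protocol level, to SCL-based folder placement in Outlook 2003. Every address,
list entry and block-list answer below is constructed sample data."""
import ipaddress

# Constructed policy data standing in for the global Message Delivery object.
ACCEPT_LIST = [ipaddress.ip_network("192.0.2.0/24")]        # trusted partner range
DENY_LIST = [ipaddress.ip_network("198.51.100.7/32")]       # known bad host
# Stand-in for the DNS lookup at a block list provider (the practice uses the
# fictitious contosoblocklists.com). 192.0.2.10 is listed here on purpose: it
# is also on the Accept list, which must win and skip the RBL check.
RBL_LISTED = {"203.0.113.9", "192.0.2.10"}
BLOCKED_SENDERS = {"spammer@treyresearch.com"}              # Sender Filtering entries
DIRECTORY_RECIPIENTS = {"kim@tailspintoys.com", "don@tailspintoys.com"}
SPAM_TRAP_NAMES = {"root", "inet"}                          # well-defined recipients from the lesson


def evaluate_connection(source_ip):
    """Connection filtering. Returns 'deny', 'accept' (on the Accept list, so the
    RBL is not consulted) or 'continue' (on neither list and not RBL-listed)."""
    ip = ipaddress.ip_address(source_ip)
    if any(ip in net for net in DENY_LIST):
        return "deny"
    if any(ip in net for net in ACCEPT_LIST):
        return "accept"
    if source_ip in RBL_LISTED:
        return "deny"            # stopped at the protocol level
    return "continue"


def smtp_decision(source_ip, sender, recipients, authenticated=False):
    """Protocol-level decision for one session: (reply code, reason). A 550 means
    the message is rejected before it reaches the information store. The lesson
    states that recipient filtering applies only to anonymous connections, so an
    authenticated session skips that check here."""
    if evaluate_connection(source_ip) == "deny":
        return 550, "source address filtered"
    if sender == "" or sender.lower() in BLOCKED_SENDERS:
        return 550, "sender filtered"        # blank or blocked sender: connection dropped
    if not authenticated:
        for rcpt in recipients:
            local_part = rcpt.split("@", 1)[0].lower()
            if rcpt.lower() not in DIRECTORY_RECIPIENTS or local_part in SPAM_TRAP_NAMES:
                return 550, f"recipient {rcpt} filtered"
    return 250, "accepted"


def outlook_folder(scl, filter_level):
    """Client-side placement using the SCL scale exactly as this lesson states it:
    values run from 1 through 10, a lower value means a higher probability of junk,
    Low moves messages ranked below 4 to Junk E-Mail and High moves those below 7."""
    if not 1 <= scl <= 10:
        raise ValueError("SCL must be from 1 through 10")
    threshold = {"No Protection": 1, "Low": 4, "High": 7}[filter_level]
    return "Junk E-Mail" if scl < threshold else "Inbox"


def run_sample_sessions():
    """Constructed SMTP sessions, one per rule, returned as (label, reply code)."""
    sessions = [
        ("deny list", "198.51.100.7", "a@example.net", ["kim@tailspintoys.com"], False),
        ("RBL hit", "203.0.113.9", "a@example.net", ["kim@tailspintoys.com"], False),
        ("accept list skips RBL", "192.0.2.10", "a@example.net", ["kim@tailspintoys.com"], False),
        ("blank sender", "203.0.113.10", "", ["kim@tailspintoys.com"], False),
        ("spam-trap recipient", "203.0.113.10", "a@example.net", ["root@tailspintoys.com"], False),
        ("unknown recipient", "203.0.113.10", "a@example.net", ["nobody@tailspintoys.com"], False),
        ("authenticated skips recipient filter", "203.0.113.10", "a@example.net", ["nobody@tailspintoys.com"], True),
        ("clean", "203.0.113.10", "a@example.net", ["don@tailspintoys.com"], False),
    ]
    return [(label, smtp_decision(ip, s, r, auth)[0]) for label, ip, s, r, auth in sessions]


if __name__ == "__main__":
    for label, code in run_sample_sessions():
        print(f"{label:38s} -> {code}")
    print("SCL 3 with the Low filter ->", outlook_folder(3, "Low"))
```

The order of the checks is the point: a Deny-list or RBL hit is settled at the connection, before any sender or recipient is examined, while the Accept list short-circuits the RBL lookup entirely. Tracing the "authenticated skips recipient filter" session shows why the Note above matters when you test a filter with a mailbox-enabled account instead of an anonymous relay.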
Practice: Configuring the Junk E-Mail Feature in Outlook 2003 and Enabling Connection Filtering
In this practice, you configure the level of junk e-mail protection that you require in Outlook 2003 and enable and configure connection filtering on your front-end server.
Exercise 1: Configure the Junk E-Mail Feature in Outlook 2003
To configure the Junk E-Mail feature in Outlook 2003, perform the following steps:
1. Start Outlook.
2. On the Tools menu, click Options.
3. On the Preferences tab, click Junk E-Mail.
4. Configure the required level of protection (No Protection, Low, High, or Safe Lists Only).
5. If you want to delete junk e-mail instead of moving it to a folder, you can select the relevant check box.
6. Add entries to the Trusted Senders, Trusted Recipients, and Junk Senders lists by selecting the relevant tabs. You can also import lists from, and export them to, a text file.
7. Click OK.
Exercise 2: Enable Connection Filtering
In this exercise, you configure Exchange Server 2003 to enable connection filtering on Server02 and then block mail from a malicious user and a junk mail sender. Note that fictitious names are used for the block list provider, the malicious user, and the junk mail sender.
To enable connection filtering, perform the following steps:
1. Open Exchange System Manager and click Global Settings.
2. In the details pane, right-click Message Delivery, and then click Properties.
3. Select the Connection Filtering tab.
4. Click Add.
5. In the Connection Filtering Rule dialog box, in the Display Name box, type Blocklist Provider. In the DNS Suffix Of Provider box, type contosoblocklists.com, and then click OK.
6. Click OK to close the Message Delivery Properties dialog box.
7. Read the message in the Exchange System Manager dialog box, and then click OK.
8. In Exchange System Manager, navigate to Administrative Groups\First Administrative Group\Servers\Server02\Protocols\SMTP.
9. Right-click Default SMTP Virtual Server, and then click Properties.
10. Click Advanced on the General tab of the Default SMTP Virtual Server Properties dialog box.
11. In the Advanced dialog box, click Edit.
12. In the Identification dialog box, select the Apply Connection Filter check box as shown in Figure 11-4, and then click OK.
Figure 11-4 Setting connection filtering
13. In the Advanced dialog box, verify that Filter Enabled is set to Yes, and then click OK.
14. Click OK to close the Default SMTP Virtual Server Properties dialog box.
Exercise 3: Block an E-Mail Address and a Domain
To block a specific e-mail address and the domain of a known junk mail sender, perform the following steps:
1. Open Exchange System Manager.
2. In the console tree, click Global Settings.
3. In the details pane, right-click Message Delivery, and then click Properties.
4. Access the Sender Filtering tab in the Message Delivery Properties dialog box.
5. Click Add.
6. In the Add Sender dialog box, type , as shown in Figure 11-5, and then click OK.
Figure 11-5 Blocking e-mail from a specific user
7. In the Message Delivery Properties dialog box, ensure that the Drop Connection If Address Matches Filter check box is selected, and then click OK.
8. In the Warning dialog box, click OK to acknowledge that this filter must be enabled on the virtual server.
9. In Exchange System Manager, navigate to Administrative Groups\First Administrative Group\Servers\Server02\Protocols\SMTP.
10. Right-click Default SMTP Virtual Server, and then click Properties.
11. Select the Access tab in the Default SMTP Virtual Server Properties dialog box.
12. Click Connection.
13. In the Connection dialog box, ensure that All Except The List Below is selected, and then click Add.
14. In the Computer dialog box, click Domain, click OK when warned that this is a resource intensive configuration, type treyresearch.com, as shown in Figure 11-6, and then click OK.
Figure 11-6 Blocking e-mail from a domain
15. In the Connection dialog box, click OK.
16. Select the General tab in the Default SMTP Virtual Server Properties dialog box, and then click Advanced.
17. Click Edit.
18. In the Identification dialog box, select the Apply Sender Filter check box, and then click OK.
19. Click OK to close the Advanced dialog box.
20. Click OK to close the Default SMTP Virtual Server Properties dialog box.
Lesson Review
The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and then try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.
1. How does Exchange Server 2003 filtering work, and what do you need to configure in order to use it?
2. An e-mail message has an SCL value of 3. Which of the following statements is true?
a. The sender was found on the Deny list.
b. The sender was found on the Accept list.
c. The message probably is not junk e-mail.
d. The message probably is junk e-mail.
Lesson Summary
■ Outlook 2003, OWA, and Exchange Server 2003 can filter junk e-mail.
■ E-mail can be accepted or rejected based on the address of a single sender or on a domain name.
■ E-mail from an external source can be rejected based on the recipient address.
■ A Realtime Blackhole List or Relay Blocking List (RBL) provides a third-party solution to the junk e-mail problem.
Lesson 4: Implementing Digital Signature and Encryption Capabilities
This lesson describes digital signatures and encryption and then explains how these capabilities enhance Exchange Server 2003 security. The lesson explains how public key infrastructure (PKI) is used to send digitally signed and encrypted e-mail messages. It also describes PKI components. Finally, the lesson describes how the enrollment process enables digital signature and encryption capabilities.
After this lesson, you will be able to
■ Explain what digital signature and encryption capabilities are
■ Explain what a PKI is
■ Describe the PKI components that enable digital signature and encryption capabilities
■ Describe how the enrollment process enables digital signature and encryption capabilities
■ Describe the process of creating and deploying digital signature and encryption certificates
■ Configure Outlook digital signature and encryption capabilities
Estimated lesson time: 30 minutes
Digital Signature and Encryption
Digital signature and encryption enable you to secure your messaging system by protecting e-mail messages from modification and inspection by malicious third parties as they are transmitted from the sender to the receiver.
A digital signature is a code attached to an e-mail message that ensures that the individual who is sending the message is really who he or she claims to be. The code is linked to the message content so that any modification of the content of the message during transit will result in an invalid signature.
You can protect e-mail messages against inspection by using encryption. Encryption is a cryptographic technique that translates the contents of an e-mail message into an unreadable format. There are many different types of encryption. Exchange implements public key encryption, which uses a public key that is known to everyone and a private key that is known only to the recipient of the message.
For example, when Don Hall wants to send a secure message to Kim Akers, Don uses Kim’s public key to encrypt the message. Kim then uses her private key, known only by her, to decrypt Don’s message. If a public key is used to encrypt messages, only the corresponding private key can be used to decrypt those messages. It is almost impossible to deduce a private key, even if you know the public key.
Real World Private Keys
The function of real-world security is to make it very difficult for an attacker to breach the system. Remember that there is no known limit to human ingenuity and no system is perfect. Remember also that a private key is effective only if no third party knows it. The longer a private key exists, the more likely it is to be cracked.
Exchange Server 2003 and Outlook 2003 implement digital signature and encryption capabilities by using Secure Multi-Purpose Internet Mail Extensions (S/MIME), which is the version of the MIME protocol that supports encryption.
Public Key Infrastructure
A PKI is a policy that is used to establish a secure method for exchanging information. It is also an integrated set of services and administrative tools for creating, deploying, and managing public key–based applications. It includes cryptographic methods and a system for managing the process that enables you to identify users and securely exchange data.
PKI signature and encryption capabilities enable you to strengthen the security of your Exchange Server 2003 organization by protecting e-mail from being read by anyone other than the intended recipient or from being altered by anyone other than the sender while the message is in transit, or while the message is stored either on the client in a .pst file or on the Exchange server in the mailbox store.
A PKI includes components that enable digital signature and encryption capabilities. A PKI contains the components listed in Table 11-4.
Table 11-4 PKI Components
Digital certificate: Authenticates users and computers.
Certificate template: Defines the content and purpose of a certificate. Typically one certificate template is created for digital signatures and another is created for encryption. However, a single certificate template can be created for both purposes.
Certificate revocation list (CRL): Lists the certificates that are revoked by a CA before the certificates reach their scheduled expiration date.
Certificate authority (CA): Issues certificates to users, computers, and services, and then manages these certificates.
Certificate publication points and CRL distribution points: Provide locations where certificates and CRLs are made publicly available. Certificates and CRLs can be made available through a directory service, such as X.500, LDAP, or through directories that are specific to the operating system and Web servers.
Certificate and CA management tools: Manage issued certificates, publish CA certificates and CRLs, configure CAs, import and export certificates and keys, and recover archived private keys.
Applications and services that are enabled by public keys: Use certificates for e-commerce and secure network access by using digital signature and encryption capabilities.
Certificate servers: Enable you to create, issue, and manage certificates by using Microsoft Certificate Services. Using Certificate Services on Windows Server 2003 with Exchange Server 2003 integrates all of the certificate functionality into a single service, rather than relying on multiple services, such as Microsoft Key Management Service (KMS), which was required in previous versions of Exchange. The benefits of certificate servers include the following:
■ Issuing certificates from a single, archived location.
■ Maintaining a copy of all the private keys on the server, thus allowing users to retrieve their private key information if they are unable to access the information locally.
■ Enabling automatic certificate deployment to users with valid credentials.
■ Importing archived private keys and certificates into a CA.
Tip When a PKI is checking the validity of a certificate, one of the first things it does is to check it against a CRL. If no CRL exists, an error may be returned. Therefore, you may need to issue a certificate and then revoke it to create a CRL before a PKI will operate correctly.
Practice: Deploying Digital Signature and Encryption Certificates
Using a certificate for digital signatures or encryption requires that you deploy the certificate in Exchange Server 2003 by using auto-enrollment settings and that you verify the Outlook configuration. Before starting this practice, you need to obtain a certificate, if you have not already done so. To do this, open Internet Explorer, access http://Server01/Certsrv and complete the wizard. If Server01 is not a CA, you need to obtain a certificate over the Internet from an external CA, such as VeriSign.
Exercise 1: Implement Digital Signature and Encryption Capabilities on Exchange Server 2003
To configure Exchange Server 2003 to allow users to digitally sign and encrypt messages, perform the following steps:
1. Open the Certification Authority console on Server01.
2. Expand Tailspintoys.
3. Right-click Certificate Templates, point to New, and then click Certificate Template To Issue.
4. In the Enable Certificate Templates dialog box, click Exchange User, and then click OK.
5. In the Certification Authority console, right-click Certificate Templates, and then click Manage.
6. Right-click Exchange User in the details pane of the Certificate Templates console, and then click Properties.
7. Select the Security tab in the Exchange User Properties dialog box.
8. Click Authenticated Users in the Group Or User Names box.
9. In the Permissions For Authenticated Users box, select the Allow check box for the Enroll permission, as shown in Figure 11-7, and then click OK.
Figure 11-7 Allowing Authenticated Users Enroll permission so they can digitally sign and encrypt e-mail
10. Close the Certificate Templates management list and the Certification Authority console.
Exercise 2: Configure Digital Signature and Encryption Capabilities on Outlook 2003
After you deploy the digital signing and encryption certificates, you can then configure Outlook to use the certificates to enable digital signature and encryption capabilities. This would normally be done on a client workstation. On your test network, you can do it on Server01.
To configure digital signature and encryption capabilities on Outlook, perform the following steps:
1. Open Outlook on Server01.
2. On the Tools menu, click Options.
3. On the Security tab of the Options dialog box, click Settings.
4. Type a name for the e-mail digital certificate (for example, mail-certificate) in the Security Settings Name box, or accept the default.
5. In Certificates and Algorithms in the Signing Certificate pane, click Choose beside Signing Certificate, select a signing certificate, and then in the Hash Algorithm box, select an algorithm.
6. In Certificates and Algorithms in the Signing Certificate pane, click Choose beside Encryption Certificate, select an encryption certificate, and then in the Hash Algorithm box, select an algorithm.
7. Click OK to close the Change Security Settings dialog box.
8. On the Security tab, in the Encrypted box, select or clear the check boxes as required. Figure 11-8 shows the available options.
Figure 11-8 Encryption and signature options
9. Click OK to close the Options dialog box.
Tip If the CA issues you a multipurpose certificate, you can designate the same certificate in both the Signing Certificate box and the Encryption Certificate box.
Lesson Review
The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and then try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.
1. Which PKI component defines the content and purpose of a certificate?
a. Certificate template
b. CA
c. CRL
d. Certificate publication point
2. Don Hall sends an encrypted message to Kim Akers. How does Don encrypt it, and how does Kim read it?
3. Kim Akers wants to send a message to Don Hall, but Don needs to be certain that the message really is from Kim. How can he verify this?
Lesson Summary
■ Encryption ensures that only the person for whom a message is intended can read it.
■ A digital signature proves the sender’s identity and gives an assurance that the message has not been altered in transit.
■ Encryption and digital signatures are implemented using private and public key pairs, which are issued as certificates. Exchange Server 2003 supports this process by using a PKI.
Lesson 5: Configuring Administrative Permissions
This lesson presents an overview of administrative groups and how to create them. The lesson then explains how to configure administrative permissions by using the Exchange Administration Delegation Wizard.
After this lesson, you will be able to
■ Explain the function and purpose of administrative groups
■ Explain where a new computer running Exchange Server is added
■ Create an administrative group
■ Grant Exchange Server administrative permissions by using the Exchange Administration Delegation Wizard
■ Configure advanced security permissions
Estimated lesson time: 45 minutes
Administrative Groups
An administrative group is a collection of Exchange Server 2003 objects that are grouped together for the purpose of managing and delegating permissions. An administrative group can contain servers, routing groups, policies, and public folder hierarchies. If, for example, your organization has two administrators, and each one manages a group of Exchange Server 2003 servers, then you can create two administrative groups. You can then delegate permissions to each administrator.
You can create administrative groups to support the various administrative models (centralized, decentralized, or mixed). Note that an administrative group is not a group of administrators. Rather, it is a group of objects to administer. These objects include the following:
■ System policy objects
■ Routing group objects
■ Public folder tree objects
■ Server objects
Adding an Exchange Administrative Group
When you set up an Exchange Server 2003 organization, you automatically create the First Administrative Group container, and the Exchange Server 2003 server is added to this group. If you then add a new computer running Exchange Server 2003 to your Exchange organization, the computer is added to this administrative group.
If, however, you create additional administrative groups before adding further servers, then Setup prompts you to select the administrative group to which any additional server should be added. You use the Administrative Groups container to create an administrative group in a practice later in this lesson.
Note The Administrative Groups container is not displayed by default in Exchange Server 2003. To display this container, you need to open Exchange System Manager and enable Display Administrative Groups in the Organization object’s Properties box. This was done in a practice in an earlier chapter and is usually one of the first tasks an Exchange Server 2003 administrator performs. It is therefore easy to forget that before you can create a new administrative group, you must first display this container.
The Exchange Administration Delegation Wizard
Exchange administrative permissions enable administrators to perform tasks in Exchange Server 2003. You use the Exchange Administration Delegation Wizard to select users or groups and grant them administrative permission to objects in your Exchange organization. This makes administration more secure because you can specify who can gain access to which Exchange objects.
You can start the Exchange Administration Delegation Wizard from the Organization object or from an administrative group object. If you start the wizard from the Organization object, then the permissions you assign propagate down the hierarchy to all the objects in the organization. If, on the other hand, you start the wizard from an administrative group object, then the permissions you assign propagate to all the objects in that administrative group. However, in the latter case, read-only permissions are also granted from the administrative group object, up the hierarchy. This enables an administrator to view the hierarchy. To use the Exchange Administration Delegation Wizard, you must have Exchange Full Administrator permissions at the organization level.
Tip The read-only permission does not appear in Exchange System Manager. You can view it by using the Adsiedit.exe utility.
Roles and Associated Permissions
The Exchange Administration Delegation Wizard supports the following roles:
■ Exchange Full Administrator. Exchange Full Administrators can administer Exchange system information. They can add, delete, and rename objects, and modify permissions. You should delegate this role to administrators who need to configure and control access to your Exchange e-mail system.
■ Exchange Administrator. Exchange Administrators can fully administer Exchange system information but cannot modify permissions. You should delegate this role to users or groups who are responsible for day-to-day administration tasks such as adding, deleting, and renaming objects.
■ Exchange View Only Administrator. An Exchange View Only Administrator can view Exchange configuration information. You should delegate this role to administrators who do not need to modify Exchange objects.
Exam Tip It is common (if somewhat sloppy) usage to refer to Exchange Full Administrators as Exchange administrators. If an exam question states that someone is an Exchange administrator, it will mean just that. The person will not have an Exchange Full Administrator role.
In addition to the roles supported by the Exchange Administration Delegation Wizard, other Windows Server 2003 group memberships are required to manage Exchange. If, for example, you want to assign write permission to an administrator for objects in an organization or administrative group, then that administrator must be a local administrator on each Exchange Server 2003 server that he or she needs to manage.
When you create an Exchange Server 2003 organization, the Exchange Domain Servers group and the Exchange Enterprise Servers group are created automatically. These two groups are assigned permissions that allow Exchange servers to gain access to Exchange configuration and recipient information in Active Directory. These are system groups for use by Exchange only, and you should not use them to give administrative privileges to users or groups.
Advanced Security Permissions
A child object in Exchange Server 2003 inherits permissions from its parent object by default. Advanced security permissions enable you to provide additional administrative control by enabling you to modify or prevent inherited permissions. When, for example, you create a new routing group, that group inherits the permissions from the administrative group in which it was created. If you want different permissions applied to the new routing group object, then you can access the object’s Properties box and use the Advanced option on the Security tab to block permission inheritance.
You can also prevent inherited permissions from propagating to child objects by modifying the access control settings. You can specify, for each access control setting, whether the permissions should apply only to the object, or to the object and to its child objects.
If you remove inherited permissions and specify that permissions must be applied to the parent object only, the child objects are left with no permissions (an implicit Deny permission). Removing permissions prevents access to Exchange objects in Exchange System Manager. However, you can restore the permissions by using the Adsiedit.exe utility.
The Adsiedit.exe Utility
You can use the Active Directory Services Interface (ADSI) Edit Microsoft Management Console (MMC) snap-in, otherwise known as the Adsiedit.exe utility, to grant advanced security permissions that cannot be granted by using Exchange System Manager or Active Directory Users And Computers. For example, the utility enables you to grant permissions on the Administrative Groups container that are propagated to the new child administrative groups.
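The following is an added example, not code from the training kit or from Exchange. It models, in plain Python, how the rules in this lesson combine: a role delegated at the Organization object flows down to everything, a role delegated at an administrative group flows down within that group and also grants read-only access up the hierarchy, and blocking inheritance on a child object leaves it with no permissions at all (the implicit Deny described above). The object tree mirrors the practice that follows (First Administrative Group with Server01, and a NewAdmin group), the role-to-right mapping is a simplification of the three wizard roles, and the assumption that the upward read-only entries apply to the ancestor object only, not to its other children, is the model's own; real Exchange permissions are Active Directory access control entries and are richer than this.

```python
"""Added worked example (not from the training kit): a small model of how the
delegation and inheritance rules in this lesson combine. The object tree, the
user names and the role-to-right mapping are constructed for illustration; the
real permissions are Active Directory access control entries on the Exchange
configuration objects and are richer than this."""

ROLE_RIGHTS = {
    "Exchange Full Administrator": {"read", "write", "modify permissions"},
    "Exchange Administrator": {"read", "write"},
    "Exchange View Only Administrator": {"read"},
}


class ExchangeObject:
    """One node of the Exchange System Manager hierarchy."""

    def __init__(self, name, kind, parent=None):
        self.name, self.kind, self.parent = name, kind, parent
        self.children = []
        self.entries = []                 # (principal, rights, applies_to_children)
        self.inherits_from_parent = True  # Security tab > Advanced clears this
        if parent is not None:
            parent.children.append(self)

    def find(self, name):
        """Depth-first lookup by object name."""
        if self.name == name:
            return self
        for child in self.children:
            hit = child.find(name)
            if hit is not None:
                return hit
        return None


def delegate(obj, principal, role):
    """Exchange Administration Delegation Wizard as the lesson describes it: the
    role's rights flow down from obj to everything beneath it. When obj is an
    administrative group, read-only rights are also granted up the hierarchy so
    the administrator can view the tree. Assumption of this model: those upward
    entries apply to the ancestor object only and do not flow into sibling groups."""
    obj.entries.append((principal, set(ROLE_RIGHTS[role]), True))
    if obj.kind == "administrative group":
        ancestor = obj.parent
        while ancestor is not None:
            ancestor.entries.append((principal, {"read"}, False))
            ancestor = ancestor.parent


def effective_rights(obj, principal):
    """Walk from obj to the root. Own entries always apply; an ancestor's entries
    apply only if marked for child objects and no object between obj and that
    ancestor blocks inheritance. An empty result is the implicit Deny."""
    rights = set()
    node, inheriting = obj, True
    while node is not None:
        for who, granted, to_children in node.entries:
            if who == principal and (node is obj or (inheriting and to_children)):
                rights |= granted
        inheriting = inheriting and node.inherits_from_parent
        node = node.parent
    return rights


def build_sample_org():
    """Constructed tree mirroring the practice in this lesson."""
    org = ExchangeObject("Tailspintoys", "organization")
    container = ExchangeObject("Administrative Groups", "container", org)
    first = ExchangeObject("First Administrative Group", "administrative group", container)
    ExchangeObject("Server01", "server", first)
    new_admin = ExchangeObject("NewAdmin", "administrative group", container)
    ExchangeObject("NewRoutingGroup", "routing group", new_admin)
    return org


def scenario():
    """Kim Akers is Full Administrator at the organization; Don Hall gets the
    Exchange Administrator role on NewAdmin only, as in Exercise 2 below. The
    last two results show what blocking inheritance on the routing group does."""
    org = build_sample_org()
    delegate(org, "Kim Akers", "Exchange Full Administrator")
    delegate(org.find("NewAdmin"), "Don Hall", "Exchange Administrator")
    rg = org.find("NewRoutingGroup")
    results = {
        "don_on_routing_group": effective_rights(rg, "Don Hall"),
        "don_on_server01": effective_rights(org.find("Server01"), "Don Hall"),
        "don_on_organization": effective_rights(org, "Don Hall"),
        "don_on_first_group": effective_rights(org.find("First Administrative Group"), "Don Hall"),
        "kim_on_routing_group": effective_rights(rg, "Kim Akers"),
    }
    rg.inherits_from_parent = False       # block inheritance on the routing group
    results["don_after_block"] = effective_rights(rg, "Don Hall")
    results["kim_after_block"] = effective_rights(rg, "Kim Akers")
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:24s} {sorted(value) or 'no rights (implicit Deny)'}")
```

The two "after_block" results are the ones to notice: once inheritance is blocked, even the organization-level Full Administrator loses access to the routing group in Exchange System Manager, which is the situation the lesson says you recover from with Adsiedit.exe.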
Practice: Creating and Using an Administrative Group
In this practice, you create an additional administrative group and delegate control of that group to a user named Don Hall. An account for Don Hall should have been created in Chapter 9, “Virtual Servers.” If this account does not exist, create it before you start.
Exercise 1: Create an Administrative Group
In this exercise, you create an administrative group. This group is required to complete subsequent exercises in this practice.
To create an administrative group, perform the following steps:
1. Open Exchange System Manager.
2. Right-click Administrative Groups, click New, and then click Administrative Group.
3. In the Properties dialog box, type NewAdmin, and then click OK.
4. In the console tree, expand Administrative Groups, right-click NewAdmin, click New, and then click System Policy Container.
5. Expand NewAdmin and verify that a System Policies container exists.
6. Right-click the System Policies container under NewAdmin, click New, and then select Mailbox Store Policy.
7. Enable all four Property pages in the New Policy dialog box, and then click OK.
8. Enter a name for the policy, for example, NewMail.
9. Configure the Properties box tabs as required. Figure 11-9 shows a possible, if rather strict, configuration of the Limits (Policy) tab.
Figure 11-9 Configuring a limits policy
10. Click OK when you have configured the Mailbox policy.
11. Use the same technique to create a Public Store policy and a Server policy.
Tip This procedure created new policies from scratch. If policies already exist, for example in the First Administrative Group’s System Policies container, you can paste them into the new System Policies container and edit them as required.
Exercise 2: Delegate Control of an Administrative Group
In this exercise, you delegate control of the NewAdmin administrative group to Don Hall. You grant Don the Exchange Administrator role, but not the Exchange Full Administrator role, for that administrative group. If the NewAdmin administrative group does not exist, then you need to create it by completing the previous exercise. You cannot delegate control if you have only one administrative group.
To delegate control of an administrative group, perform the following steps:
1. Open Exchange System Manager and expand Administrative Groups.
2. In the console tree, right-click NewAdmin, and then click Delegate Control.
3. The Exchange Administration Delegation Wizard opens. On the Welcome page, click Next.
4. On the Users Or Groups page, click Add.
5. In the Delegate Control dialog box, click Browse.
6. In the Select Users, Computers Or Groups dialog box, type Don Hall. Click Check Names to verify that Don Hall’s account exists, as shown in Figure 11-10, and then click OK.
Figure 11-10 Delegating control to Don Hall
7. In the Delegate Control dialog box, in the Role box, click Exchange Administrator, and then click OK.
8. On the Users Or Groups page, click Next.
9. Click Finish.
10. In the Exchange System Manager dialog box, read the warning, and then click OK.
Exam Tip Remember this warning. An Exchange administrator must also be a member of the local machine administrator group on any Exchange Server 2003 server that he or she administers. Watch out for the omission of this step in procedures described in exam scenarios.
11. Open Active Directory Users And Computers on Server01.
12. Expand the domain name and click Users. In the details pane, right-click Don Hall, and then click Properties.
13. In the Don Hall Properties dialog box, click Member Of.
14. On the Member Of tab, click Add.
15. In the Select Groups dialog box, type Administrators. Click Check Names to confirm the group exists, and then click OK.
16. In the Don Hall Properties dialog box, click OK.
Note Because of the restrictions of your two-computer test network, Don Hall has been
added to the Administrators group on a domain controller. You would not do this on a
production network. Exchange administrators should instead be added to the Administrators
groups on the Exchange servers that are in the administration group that they administer.
In a production network, you would not normally install Exchange on a domain controller.
Exercise 3: Configure Advanced Security Permissions
In this exercise, you enable the Security tab for all Exchange objects and then configure
advanced security permissions for the user Kim Akers. If a user account does not
already exist for Kim Akers, then you need to create one before starting this practice.
Note The ADSI support tool is not installed by default. To complete this practice, you need
to install the Windows Server 2003 support tools. The installation file is in Support/Tools on
the Windows Server 2003 installation CD.
To configure advanced security permissions, perform the following steps:
1. On Server01, from the Start menu, click Run, type regedit, and then click OK.
2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Exchange.
3. Expand Exchange, right-click EXAdmin, click New, and then click DWORD Value.
4. Change New Value #1 to ShowSecurityPage, and then press Enter.
5. Double-click ShowSecurityPage. In the Edit DWORD Value dialog box, in the
Value Data box, type 1, as shown in Figure 11-11, and then click OK.
Figure 11-11 Creating the ShowSecurityPage registry entry
6. Close the Registry Editor.
7. From the Start menu, click Run, type mmc, and then click OK.
8. In the MMC console, click File, and then click Add/Remove Snap-In.
9. In the Add/Remove Snap-In dialog box, click Add.
10. In the Add Standalone Snap-In dialog box, click ADSI Edit, click Add, and then
click Close.
11. In the Add/Remove Snap-In dialog box, click OK.
12. Right-click ADSI Edit, and then click Connect To.
13. In the Connection Settings dialog box, in the Select A Well Known Naming Con-
text box, select Configuration, and then click OK.
14. Navigate to ADSI Edit\Configuration\CN=Configuration,DC=Tailspintoys,DC=com\
CN=Services\CN=Microsoft Exchange\CN=Tailspintoys. Right-click CN=Administrative
Groups, and then click Properties.
15. On the Security tab, click Add.
16. In the Select Users, Computers, Or Groups dialog box, type Kim Akers and then
click OK.
17. In the CN=Administrative Groups Properties dialog box, click Advanced.
18. In the Advanced Security Settings For Administrative Groups dialog box, in the
Permission Entries list, click the entry for Kim Akers, and then click Edit.
19. In the Permission Entry For Administrative Groups dialog box, in the Apply Onto
drop-down list, click This Object And All Child Objects. The dialog box is shown
in Figure 11-12. Click OK.
Figure 11-12 Granting Kim Akers permissions on all administrative groups
20. In the Advanced Security Settings For Administrative Groups dialog box, clear the
Allow Inheritable Permissions From The Parent To Propagate To This Object And
All Child Objects. Include These With All Entries Explicitly Defined Here check
box, and then click OK.
21. In the CN=Administrative Groups Properties dialog box, click OK.
22. To verify that permissions are configured correctly, right-click any administrative
group in Exchange System Manager, select Properties, and access the Security tab.
Verify that Kim Akers has permissions on the administrative group.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and then try
the question again. You can find answers to the questions in the “Questions and
Answers” section at the end of this chapter.
1. You use Exchange System Manager to delegate control of an administration group
to Don Hall. The administration group contains three Exchange Server 2003 servers
called Server A, Server B, and Server C. You give Don the Exchange Administrator
role. Don reports that he is unable to carry out any administration on the servers.
What do you need to do?
2. You want to grant advanced permissions on an administration group. You make
the necessary registry changes, then try to add the ADSI Edit snap-in to the
Microsoft Management Console. ADSI Edit is not on the list of snap-ins. What have
you forgotten to do?
3. You create a new routing group and find that the group inherits permissions from
the administrative group in which it was created. You want different permissions
applied to the new routing group object. What do you do?
Lesson Summary
■ An administrative group is a group of Exchange objects that can be administered.
You can delegate various levels of administrative control over an administrative
group to users and security groups.
■ If you delegate administrator roles to users and groups to enable them to manage
the servers in an administration group, you also need to grant local administrator
rights on the servers to these users and groups.
■ Objects in an administrative group inherit their property settings from objects
higher up in the hierarchy. You can block properties inheritance.
■ You can use the Adsiedit.exe support tool to configure advanced administrative
settings.
Lesson 6: Disabling Services and Protocol Logging
This lesson discusses the services that are used by Exchange Server 2003, explains ser-
vice dependencies, and explains which services can be disabled to provide enhanced
Exchange security. The lesson also discusses protocol logging and how this can be
used to audit access on the various Exchange Server 2003 protocol virtual servers.
After this lesson, you will be able to
■ Describe the services that Exchange Server 2003 uses
■ Explain why you should allow only required services to run on Exchange Server 2003
■ Identify the required services on an Exchange front-end server
■ Identify the required services on an Exchange back-end server
■ Manage protocol logging on HTTP virtual servers including the Exchange virtual server
■ Manage protocol logging on NNTP and SMTP virtual servers
Estimated lesson time: 30 minutes
Services Used by Exchange Server 2003
Exchange Server 2003 comprises a number of processes, components, and services that
communicate with each other on local and remote computers. Exchange servers must
communicate with other Exchange servers, domain controllers, and several different
types of client. Depending on the role an Exchange server plays and the clients it sup-
ports, some of these services are not necessary and may be disabled. Disabling a ser-
vice increases security because the port that the service uses is no longer available for
port-based attacks.
Security Alert Disabling unused services increases security. If, however, any port is not
used, you should preferably block it at the firewall as well as stop any service that uses it.
Your firewall is your main method of protection. Where a server is in a DMZ, it may not always
be possible to block a port, and in this case, it is particularly important to disable unused
services.
When evaluating whether to disable a particular service, you need to consider what
other services, processes, and components depend on it. Sometimes a service may not
be essential to the core operation of an Exchange server, but disabling the service may
reduce the functionality by disabling some useful peripheral services.
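The dependency check described above, as an added PowerShell example that is not part of the training kit: before disabling a candidate service, it lists the services that depend on it and flags any that this lesson names as required for administration or routing. The service display names are assumptions about how they appear on a particular server and should be confirmed locally.

```powershell
# Added example (not from the training kit). Run on the Exchange server being
# hardened; it reports only and changes nothing.

# Services this lesson names as required for administration and routing.
# Display names are assumptions; verify them with Get-Service on your server.
$Required = @(
    'Microsoft Exchange System Attendant',
    'Microsoft Exchange Management',
    'Windows Management Instrumentation',
    'Microsoft Exchange Routing Engine',
    'IIS Admin Service',
    'Simple Mail Transfer Protocol (SMTP)'
)

# Services the lesson names as disabled by Setup or as compatibility-only,
# which are the usual candidates for disabling (assumed display names).
$Candidates = @(
    'Network News Transfer Protocol (NNTP)',
    'Microsoft Exchange IMAP4',
    'Microsoft Exchange POP3',
    'Microsoft Exchange Event',
    'Microsoft Exchange Site Replication Service',
    'Microsoft Exchange MTA Stacks'
)

foreach ($name in $Candidates) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output "$name : not installed"
        continue
    }

    # Anything in DependentServices stops working if this service is disabled.
    $dependents = @($svc.DependentServices | Select-Object -ExpandProperty DisplayName)
    $breaksRequired = @($dependents | Where-Object { $Required -contains $_ })

    if ($breaksRequired.Count -gt 0) {
        Write-Output "$name : KEEP - required services depend on it: $($breaksRequired -join ', ')"
    } elseif ($dependents.Count -gt 0) {
        Write-Output "$name : REVIEW - dependents: $($dependents -join ', ')"
    } else {
        Write-Output "$name : no dependents (status $($svc.Status), startup $($svc.StartType))"
    }
}
```

A service reported with no dependents is a candidate to stop and set to Disabled; one marked KEEP would take a required service down with it.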
Role-Independent Services
The Exchange Server 2003 services that you require mainly depend on the role that
your Exchange server provides in your environment. However, some Exchange ser-
vices are required for Setup to run, for administration to be performed, and for routing
and indexing to function, as well as interoperability with previous versions of the
product.
Setup Reinstall and Upgrade For Exchange Server 2003 Setup to run, you must install
and enable, but not necessarily start, the following services:
■ NNTP
■ SMTP
■ World Wide Web Publishing Service
■ IIS Admin Service
Note Exchange Server 2003 installs (but does not enable) its own IMAP4 and POP3 ser-
vices during setup. It will not install on a Windows 2003 server unless the Windows POP3
service (if present) is uninstalled.
Exchange Server 2003 Setup disables a number of services by default. However, if
these services are subsequently enabled, their current state is preserved during rein-
stalls or upgrades. These services are as follows:
■ NNTP
■ Microsoft Exchange IMAP4
■ Microsoft Exchange POP3
Administration The following services are required to administer Exchange Server 2003:
■ Microsoft Exchange System Attendant
■ Microsoft Exchange Management
■ Windows Management Instrumentation
Routing The following services are required to enable Exchange Server 2003 to route
messages:
■ Microsoft Exchange Routing Engine
■ IIS Admin Service
■ SMTP
Compatibility The following services are required to provide compatibility with ear-
lier versions of Exchange:
■ Microsoft Exchange Event Service
■ Microsoft Exchange Site Replication Service
■ Exchange MTA Stacks (Exchange Server 5.5 compatibility only)
Additional Features The following services provide additional features for Exchange
Server 2003:
■ Microsoft Search
■ World Wide Web Publishing Service
Services on an Exchange Front-End Server
An Exchange front-end server accepts requests from clients and then forwards those
requests to the appropriate back-end server for processing. Therefore, you can disable
many of the Exchange services that are installed by default.
Exam Tip Do not try to memorize which services can or cannot be disabled on a back-end
or a front-end Exchange server. Instead, read and understand the reasons why a service is or
is not essential. Questions on this topic can often be answered by applying reasoning and
common sense.
The following are required services on a front-end server:
■ Microsoft Exchange Routing Engine You require this service to enable
Exchange routing functionality.
■ IPSEC Services This service provides end-to-end security between clients and
servers on Transmission Control Protocol/Internet Protocol (TCP/IP) networks.
You require this service if you want to configure an Internet Protocol security
(IPSec) filter on OWA servers.
■ IIS Admin Service This service is dependent on the MSExchange routing
engine. You require this service to allow Exchange routing functionality.
■ World Wide Web Publishing Service You require this service if you want cli-
ent computers to communicate with OWA or Outlook Mobile Access front-end
servers.