Edge Transport Server Security, Part 2

In the first article in this series, I talked about the edge transport server’s role within an Exchange server organization, and I talked about the firewall port requirements associated with an edge transport server. In this article, I want to conclude the discussion by talking about some more techniques that you can use to ensure that security of your edge transport server.

The Security Configuration Wizard

One of the absolute best things that you can do to secure an edge transport server is to run the Security Configuration Wizard. The Security Configuration Wizard is actually a Windows component. As such, it is completely unaware of Exchange Server, and if not initially contain any Exchange specific settings. Even so, Exchange server 2007 ships with a couple of XML files that can be used to extend the Security Configuration Wizard to make it Exchange Server aware.

Installing the Security Configuration Wizard

Although the Security Configuration Wizard is an excellent tool for helping you to secure just about any Windows server, it is not installed by default in Windows Server 2003. To install the Security Configuration Wizard, open the server’s Control Panel, and double-click on the Add or Remove Programs icon. When you do, Windows will open the Add or Remove Programs window. Click the Add/Remove Windows Components button, and Windows will display a list of the various optional Windows components that you can install. Scroll through the list of components and tell you locate the Security Configuration Wizard option, as shown in Figure A.

Edge Transport Server Security Part 2 1 small

Figure A The Security Configuration Wizard is a Windows component.

Choose the check box next to the Security Configuration Wizard option, and click Next. Windows will now copy the necessary files. When the process completes, click Finish.

Extending the Security Configuration Wizard

As I mentioned earlier, the Security Configuration Wizard is a part of Windows, not part of Exchange Server. Therefore, it is not initially contain any knowledge of Exchange Server or of Exchange Server’s security needs. To make the Security Configuration Wizard Exchange Server aware, we are going to have to associate an XML file with it.

Exchange Server 2007 comes with two separate XML files that you can use to extend the Security Configuration Wizard. One of these file is named Exchange2007.xml, and is used to provide the Security Configuration Wizard with general Exchange Server 2007 awareness. The other XML file is named Exchange2007Edge.xml, and this file is designed specifically to make the Security Configuration Wizard aware of the unique security requirements of an edge transport server.

To associate the XML file with the Security Configuration Wizard, open Windows Explorer, and make your way through the file system to \Program Files\ Microsoft\Exchange Server\Scripts. Entering the DIR *.XML command should reveal the presence of the two XML files that I mentioned earlier. Since we are securing an edge transport server, copy the Exchange2007Edge.xml file to the server’s %windir%\Security\msscw\kbs folder. In case you’re not familiar with it, %windir% is an environment variable that takes the place of the folder that Windows is installed in (typically c:\windows).

When you have finished copying the necessary files, open a Command Prompt window, and enter the following commands:

​
C:

CD\%windir%\System32\

SCWCMD Register \kbname:MSExchangeEdge kbfile:%windir%\security\msscw\kbs\Exchange2007Edge.xml

Upon the successful completion of these commands, the Security Configuration Wizard should now be prepared to help you to secure the edge transport server. You can access the Security Configuration Wizard directly from the server’s Administrative Tools menu.

Unfortunately, space requirements prohibit me from walking you through the entire process of securing your edge transport server. What I can tell you though is that the Security Configuration Wizard asks you a long series of questions regarding your needs in the server’s current configuration. As you answer these questions, the Security Configuration Wizard will use your answers to create a brand-new security policy that can be applied to the server.

When you finish entering all of these questions, the Security Configuration Wizard will prompt you to enter a name for the new security policy. At this point, you are given the option of either of applying the new security policy immediately, or applying it later on. One thing that you do need to know though, is that if you apply the policy immediately then the new policy will not take effect until you reboot the server.

Conclusion

In this article, I have explained that the Security Configuration Wizard can help you to spot potential security vulnerabilities on your edge transport server that you might otherwise have not noticed. I then went on to show you how to install the Security Configuration Wizard, and how to adapt it to an edge transport server’s unique needs.

Got a question? Post it on our Exchange Server Forums!