New Security Features in Exchange 2003

What are the new security features found in Exchange Server 2003 in comparison to Exchange 2000?
Exchange Server 2003 is much more secure “out of the box” than Exchange 2000 was. Here is a list of some of the new features found in Exchange Server 2003:

OMA Browse disabled by default (global)

Exchange 2003 includes the new OMA (Outlook Mobile Access) feature. However, although installed by default, OMA is in fact disabled by default. The setting to enable/disable OMA Browse is actually set during ForestPrep. Exchange 2003 ForestPrep will not enable OMA Browse by default. Exchange 2003 ForestPrep/Reinstall will keep it enabled if it was already enabled. This means that OMA Browse WON’T be enabled when running ForestPrep to upgrade from Exchange 2000, but WILL remain enabled when running ForestPrep to upgrade from an earlier Exchange 2003 build. You can find OMA Browse settings in Exchange System Manager (ESM), under Global Settings -> Mobile Services -> Properties.
oma settings small oma settings1 small

POP3, IMAP4 and NNTP services default to disabled (per server)

On a new Exchange 2003 server install, POP3, IMAP4, and NNTP will be set to disabled. On upgrades and reinstalls, the current state of the service is preserved.
protocols small
To enable these protocols go to Services in Administrative Tools and set the protocols startup type to Automatic, then start the services.

Basic Authentication for POP3 and IMAP4 is enabled by default (per virtual server instance)

Basic Authentication is enabled on POP3 and IMAP4 virtual server instances (VSIs).
There is a special case for upgrading Exchange 2000 servers to Exchange 2003:

  • BackEnd servers’ VSIs will not get touched
  • FrontEnd servers will get Anonymous Authentication disabled, Basic Authentication enabled and NT Authentication disabled

This will apply to default VSIs, and VSIs created through Exchange 2003 ESM. Pre-existing VSIs will not be touched (i.e, reinstall will preserve settings) except on FrontEnd server upgrades, as noted above

Basic Authentication for NNTP is enabled by default (per virtual server instance)

Anonymous Authentication is disabled, Basic Authentication and NT Authentication are enabled on the default NNTP VSI.
The default NNTP VSI will ALWAYS be touched (including upgrades/reinstalls). Non-default VSIs will not be modified on upgrade/reinstall. Additionally, NT Authentication will be disabled on UNINSTALL of Exchange 2003 (because NNTP is shipped with Windows 200x and not as part of Exchange). 

POP3, IMAP4, and NNTP cluster resources will not be created by default during the creation of a new Exchange Virtual Server

Creation of an Exchange Virtual Server (EVS) used to also create these resources by default. Now that the services are disabled on install, this will no longer happen. In order to create these resources, the services will have to be enabled/started on the cluster nodes, then the resources will be created through Cluster Administrator.

Domain Users are denied local logon by default on Exchange 2003 install (per server)

Domain Users will no longer be able to log on locally to the Exchange Server. Domain Users already can’t log on locally to Domain Controllers. Exchange 2003 on member servers will behave the same way. This will happen on clean installs of Exchange 2003 AND all upgrades and reinstalls. Server Operators, Local Administrators, and higher can still log on. This behavioral change has been implemented by telling Setup to remove “BUILTIN\Users” from the “Log on locally” policy.

Global maximum message size limit set to 10 megabytes (global)

When the very first Exchange 2003 server is installed into an organization, the Sending Message Size and Receiving Message Size will be set to 10240KB (10MB) if the value is not currently set. This also means that on upgrades from E2K or reinstalls of Exchange 2003 (including build to build) the global message size restriction will be set to 10MB if it isn’t already set. If the message size restriction is already set to a particular value, then that value will be preserved. You can find these limits in ESM, under Global -> Message Delivery -> Defaults
mess del prop small mess del prop1 small

Public Folder maximum message size set to 10 megabytes (per Public Folder store)

On every Exchange 2003 server installation, reinstall or upgrade, the maximum item size for Public Folder postings will be set to 10240KB (10MB) if the value is not already set, and preserved if it is. This setting also affects new Public Folder stores (MAPI and Application) created through ESM. This actual setting is held on the messageSizeLimit attribute on each Public Folder Store object in the Active Directory.
pf limits small

Removal of top level Public Folder creation permissions for Everyone and Anonymous (global)

The Exchange 2003 ForestPrep will remove the “Allow create top level public folder” ACE for ‘Everyone’ and ‘Anonymous Logon’ from the Exchange organization container. Other ACEs will be left untouched.