#1 W2k w/ svc pack 3 on my domain controller. IIS 6.0 no FTP, certs required for all access with basic password. Symantec Antivirus w/ latest updates and Outlook protection. W2k latest updates (all but svc pack 4).
#2 Exchange 2000 svc pack 3 OWA and Public Folders SSL access only.
#3 Symantec Gateway 320 Firewall only allowing port 80, 443, pop3, SMTP to the server BUT IIS only accepting 443 (certs).
#4 I ran MS Baseline Security Analyzer 1.2 and am trying to weed out any bad stuff there without blowing up my server.
#5 Regular users are allowed to log on locally as it is required for OWA, but that is locked down tight and they can't do anything on the console. But feel free to comment as I could be missing something.
Can I just allow 443 without allowing port 80? Also, please add suggestions or comments. Any holes? I may have to split the points, I understand. Thanks!!