Exchange Server 2003 Hardening Guide

Posted on 2004-10-19
Last Modified: 2013-12-04
Am using the Exchange Server 2003 Hardening Guide to tighten down security on my Exchange servers. Under "Exchange Domain Controller Baseline Policy" in the guide, the second paragraph states:

"The Exchange Domain Controller Baseline Policy template (Exchange 2003 DC Incremental.inf) is included with this guide. You should import this template into a Group Policy object (GPO) at the Domain Controllers organizational unit in Active Directory Users and Computers and should precede the Domain Controller Baseline Policy supplied by Windows Server 2003."

Now, if the Incremental policy is applied first and then the DC Baseline policy, the Domain Baseline policy will win out when it comes to conflicts in the policies, yes?

Looking at the Audit Policy for both policies I see that the DC Baseline policy calls for:

   Account logon event auditing: Success/Failure
   Logon event auditing: Success/Failure

The Audit policy for the Exchange Incremental is set to:

   Account Logon event auditing: Failure
   Logon event auditing: Failure

Should not the Exchange 2003 DC Incremental policy come after the DC Baseline policy so that the Exchange 2003 DCI changes take and are not displaced?

Thank you
Question by:keatscon
LVL 7

Expert Comment

by:msice
ID: 12352421
You can click options on the GPO and check the No Override box to prevent the Domain Controller Baseline Policy from taking over.
 

Author Comment

by:keatscon
ID: 12352499
Thought someone would say this.

See "Windows Server 2003 Security Guide" p. 22:

"Do not enable this option (referring to "No Override") in any other group policies specified in this guide."

I know, we are talking about the Exchange Hardening Guide, right?
See "Exchange Server 2003 Security Hardening Guide" under "Hardening the Windows Infrastructure"

"As previously mentioned, this guide assumes that you applied the configurations recommended in the Windows Server 2003 Security Guide. Before you harden your Exchange environment, you must complete the following two steps:

1. Deploy the Domain, Domain Controller and Member Server Baseline policy templates throughout your forest.
2. Deploy the Exchange Domain Controller Baseline Policy template in all of the domain controllers in your organization."

The two guides contradict each other!
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 12352866
You can alter the precedence of Policies at OU level - although this isn't clear at first glance.

To make life easier it would be a good idea to pick up the Group Policy Management Console if you haven't already installed it (although it requires Windows XP or Windows 2003 Server):

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx#EEAA

There are some differences in the policies, and with the Exchange Policy set to a higher precedence in the OU it will override the other (and I'm sure you've seen this in the documentation, but just for completion):

Option:-   Additional restrictions for anonymous connections
Windows Server 2003 Domain Controller Baseline:-  No access without explicit anonymous connections
Exchange 2003 Domain Controller Baseline:-  None. Rely on default permissions, because Outlook versions previous to Outlook 2003 require anonymous connections.

Option:-   Shut down your system immediately if unable to log security audits
Windows Server 2003 Domain Controller Baseline:-  Enabled
Exchange 2003 Domain Controller Baseline:-  Disabled

Option:-   Account logon event auditing
Windows Server 2003 Domain Controller Baseline:-  Success and Failure
Exchange 2003 Domain Controller Baseline:-  Failure

Option:-   Logon event auditing
Windows Server 2003 Domain Controller Baseline:-  Success and Failure
Exchange 2003 Domain Controller Baseline:-  Failure

The reasons for these changes are included in the documentation; for those auditing options it's to prevent your logs being completely overwhelmed with information.

Hope that all makes sense.
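A way to check the precedence Chris describes, added here as an example and not part of the thread: it reads the link order on the Domain Controllers OU, warns if the Windows baseline GPO would be processed after (and therefore override) the Exchange incremental GPO, and flags an Enforced (No Override) link on the baseline. It assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 or later, not the 2003-era GPMC scripts) and assumes the two GPOs carry the display names set below.

```powershell
# Added example: verify GPO link order on the Domain Controllers OU.
# Link order 1 has the highest precedence (it is applied last and wins conflicts).
Import-Module GroupPolicy

# Resolve the domain's Domain Controllers OU without needing the AD module
$rootDse  = [ADSI]"LDAP://RootDSE"
$dcOu     = "OU=Domain Controllers,$($rootDse.defaultNamingContext)"

# Assumed display names; adjust to match how the templates were imported
$baseline = "Domain Controller Baseline Policy"
$exchange = "Exchange 2003 DC Incremental"

$links = (Get-GPInheritance -Target $dcOu).GpoLinks

# Show the full link order for the OU
$links | Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

$baseLink = $links | Where-Object { $_.DisplayName -eq $baseline }
$exchLink = $links | Where-Object { $_.DisplayName -eq $exchange }

if (-not $baseLink -or -not $exchLink) {
    Write-Warning "One or both GPOs are not linked to $dcOu"
}
elseif ($exchLink.Order -gt $baseLink.Order) {
    # Higher order number = lower precedence, so the baseline would win here
    Write-Warning ("'{0}' (order {1}) has lower precedence than '{2}' (order {3}); " +
                   "the baseline will override its audit settings." -f
                   $exchange, $exchLink.Order, $baseline, $baseLink.Order)
    Write-Host "To fix, move the Exchange GPO to the top of the link order:"
    Write-Host "  Set-GPLink -Name '$exchange' -Target '$dcOu' -Order 1"
}
else {
    Write-Host "OK: '$exchange' takes precedence over '$baseline' on $dcOu"
}

# An Enforced link (the old 'No Override') wins regardless of link order,
# which is why the Windows Server 2003 Security Guide says not to enable it here.
if ($baseLink -and $baseLink.Enforced) {
    Write-Warning "'$baseline' is Enforced; it will win regardless of link order."
}
```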
 

Author Comment

by:keatscon
ID: 12359236
Chris,

    Thank you. This does make sense and I thought that this was the case.
    Just wanted to make sure that I did not miss something.

