Our system includes a 2008 R2 Enterprise server (64-bit) that hosts our web server, FTP server, Exchange server and file server. (Our server includes 2 Xeon processors and 32 GB RAM.)
I know that we are not supposed to have all of these services on a single server, but we do. We are a small business, and everything has worked very well in the past, with minimal load on the server. System backups to tape are fairly easy to manage with a high level of dependability.
We recently needed to renew our Exchange SSL certificate. Apparently, the renew function on Exchange servers encrypts the .req file so the third-party certificate provider could not use that file, and we were required to request a new certificate. (This may not be critical to the discussion, but this is a major certificate provider who says the renew .req files from an Exchange server never work. You would think Microsoft would fix that.)
We did request a new certificate and installed it successfully. In the process, our web page security was changed to require a secure connection for access. We changed that in IIS to no longer require SSL. Users can now access our website.
This whole process made me question the optimum security and authentication settings for my server. I need to allow Anonymous Authentication for my website, yet I would like good security for remote access to our Exchange Server that is connected to our website.
It seems to me that should be fairly easy using the correct SSL and authentication settings. Because we have a range of smartphones that access our Exchange server, from Android to iOS to Windows phones, I want to make sure authentication is set up properly. We also access our site using VPN and Remote Desktop.
I found the default settings on the attachment on the web, but I don't believe they will work for our configuration:
Any help for recommended settings would be appreciated.
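As an added example (not part of the question above, and not the poster's code): a read-only PowerShell audit of the split the question asks for, anonymous access on the public site root versus SSL-only access on the Exchange virtual directories. It assumes Exchange 2010 on this 2008 R2 server with everything under 'Default Web Site' and is run from an elevated Exchange Management Shell; the virtual directory names and the 403.4 substatus are standard IIS/Exchange values, the checks themselves are my choice.

```powershell
# Added example, not from the original post. Assumes Exchange 2010 on the
# 2008 R2 server, all applications under 'Default Web Site', and an elevated
# Exchange Management Shell (the WebAdministration module is present there).
# Read-only audit: the public site root must allow anonymous access without
# forcing SSL, every Exchange virtual directory must require SSL, and Basic
# authentication may only be enabled where SSL is required.
Import-Module WebAdministration

$site = 'Default Web Site'
# Client-facing virtual directories created by Exchange setup
$exchangeVdirs = 'owa','ecp','EWS','Microsoft-Server-ActiveSync','Autodiscover','OAB','Rpc'

function Read-IisAttribute([string]$Location, [string]$Filter, [string]$Name) {
    $a = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter $Filter -Name $Name
    # Boolean attributes come back as ConfigurationAttribute objects; flags come back as strings
    if ($null -ne $a -and $a.PSObject.Properties['Value']) { $a.Value } else { $a }
}

function Get-AuthState([string]$Location) {
    $auth = 'system.webServer/security/authentication'
    [pscustomobject]@{
        Location   = $Location
        Anonymous  = [bool](Read-IisAttribute $Location "$auth/anonymousAuthentication" 'enabled')
        Basic      = [bool](Read-IisAttribute $Location "$auth/basicAuthentication" 'enabled')
        Windows    = [bool](Read-IisAttribute $Location "$auth/windowsAuthentication" 'enabled')
        # sslFlags is a flags value such as 'None', 'Ssl' or 'Ssl,SslRequireCert'
        RequireSSL = ("$(Read-IisAttribute $Location 'system.webServer/security/access' 'sslFlags')" -match 'Ssl')
    }
}

function Test-SiteLayout {
    $findings = @()
    $root = Get-AuthState $site
    if (-not $root.Anonymous) { $findings += "$site root: anonymous authentication is off, public visitors will be prompted" }
    if ($root.RequireSSL)     { $findings += "$site root: SSL is still required, plain HTTP visitors get 403.4" }
    $states = @($root)
    foreach ($v in $exchangeVdirs) {
        $s = Get-AuthState "$site/$v"
        $states += $s
        if (-not $s.RequireSSL) { $findings += "$($s.Location): Exchange vdir does not require SSL" }
        if ($s.Basic -and -not $s.RequireSSL) { $findings += "$($s.Location): Basic auth without SSL sends passwords in the clear" }
    }
    $states | Format-Table -AutoSize | Out-Host
    # Exchange vdir authentication is changed with the Exchange cmdlets, not in IIS directly, e.g.:
    #   Set-ActiveSyncVirtualDirectory -Identity "$env:COMPUTERNAME\Microsoft-Server-ActiveSync (Default Web Site)" -BasicAuthEnabled $true
    return $findings
}

Test-SiteLayout
```

An empty result means the root is anonymous over plain HTTP while every Exchange path is SSL-only; each finding names the location that breaks that split.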