CIS Exchange Server 2007 Benchmark Version 1.1.0 Checklist Details (Checklist Revisions)
NOTE: This is not the current revision of this checklist.
Supporting Resources:
- Download Prose: CIS Exchange Server 2007 Benchmark v1.1.0 (Center for Internet Security (CIS))
Target:
Target | CPE Name
---|---
Exchange 2007 for Windows Server 2003 | cpe:/a:microsoft:exchange_server:2007
Checklist Highlights
- Checklist Name: CIS Exchange Server 2007 Benchmark
- Checklist ID: 186
- Version: Version 1.1.0
- Type: Compliance
- Review Status: Under Review
- Authority: Third Party: Center for Internet Security (CIS)
- Original Publication Date: 07/02/2010
Checklist Summary:
This document is a general guide for securing Microsoft Exchange Server 2007 (Exchange) hosted on the Windows Server 2003 platform. The first section, pre-installation and installation, prescribes general advice for installing Exchange. The document then breaks down the five roles Exchange 2007 can perform and makes security recommendations for each. These sets of rules constitute a benchmark. This benchmark represents an industry consensus of "best practices", listing the steps to be taken as well as the rationale for each recommendation.
Checklist Role:
- Enterprise Mail Server
Known Issues:
Not provided.
Target Audience:
This document is intended for system administrators, but can be read by anyone involved with or interested in installing and/or configuring Exchange. We assume that the reader is a knowledgeable "system administrator." In the context of this document, a knowledgeable system administrator is defined as someone who can create and manage accounts and groups, understands how operating systems perform access control, understands how to set account policies and user rights, is familiar with how to set up auditing and read audit logs, and can configure other similar system-related functionality. Additionally, it is assumed that the reader is a competent Exchange administrator. Consequently, no tutorial-type information is provided regarding Exchange or electronic messaging in general. Many documents and books provide this information, including Microsoft's web presence at http://www.microsoft.com, which leads to an extensive array of Exchange-related material.
Target Operational Environment:
- Managed
Testing Information:
This document is a general guide for securing Microsoft Exchange Server 2007 (Exchange) hosted on the Windows Server 2003 platform. Its recommendations are grouped into three security levels:
- Legacy: Settings in this level are designed for Exchange servers that need to operate with older systems such as Exchange 2003, or in environments where older third-party applications are required. The settings will not affect the function or performance of the operating system or of applications that are running on the system.
- Enterprise: Settings in this level are designed for Exchange 2007 where legacy systems are not required. It assumes that all Exchange servers are 2007 or later and are therefore able to use all security features available within those systems. In such environments, these Enterprise-level settings are not likely to affect the function or performance of the OS. However, one should carefully consider the possible impact on software applications when applying these recommended technical controls.
- Specialized Security - Limited Functionality: Formerly "High Security," settings in this level are designed for Exchange servers in which security and integrity are the highest priorities, even at the expense of functionality, performance, and interoperability. Therefore, each setting should be considered carefully and only applied by an experienced administrator who has a thorough understanding of the potential impact of each setting or action in a particular environment.
Regulatory Compliance:
Not provided.
Comments/Warnings/Miscellaneous:
Not provided.
Disclaimer:
The Center for Internet Security ("CIS") provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other services and materials from the CIS website or elsewhere ("Products") as a public service to Internet users worldwide. Recommendations contained in the Products ("Recommendations") result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems, and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. CIS makes no representations, warranties, or covenants whatsoever as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness, or completeness of the Products or the Recommendations. CIS is providing the Products and the Recommendations "as is" and "as available" without representations, warranties, or covenants of any kind.
Product Support:
Exchange Server 2007 Solution Center: http://support.microsoft.com/default.aspx?scid=ph;en-us;10926&sd=gn
Point of Contact:
http://www.cisecurity.org/
Sponsor:
cis-feedback@cisecurity.org
Licensing:
Not provided.
Change History:
- 12-01-2007: Public Release
- 07-02-2010: Version 1.1.0
Dependency/Requirements:
URL | Description
---|---
References:
Reference URL | Description
---|---
NIST checklist record last modified on 03/23/2011
* This checklist is still undergoing review for inclusion in the NCP.