In Exchange Server 2010, the Edge Transport server role is installed on standalone servers in your perimeter network (also referred to as the boundary network or screened subnet).
Because these servers sit in the perimeter network, they are more exposed to attack than servers on your internal network. To prepare a server for the Edge Transport server role, first run the Security Configuration Wizard (SCW) to minimize the server's attack surface by disabling the services and ports that an Edge Transport server does not need.
Although it is possible to secure the server manually, the SCW automates the process and applies Microsoft-recommended practices to lock the server down, using a role-based model to determine which services a particular server needs. Running the SCW therefore reduces your exposure to vulnerabilities in services that would otherwise be left running but unused.
One of the challenges in locking down ports and services on a server is making sure you do not remove functionality the server needs in order to do its job. Such mistakes are often not immediately visible and can cause problems in your environment that require troubleshooting later. Exchange Server 2010 addresses this with an SCW template for the Edge Transport server role: applied to a computer that has the role installed, it locks down the services and ports that Edge Transport does not need while leaving the ones it does.
When you run the SCW, you can create a custom policy based on this template and apply it to all Edge Transport servers in your environment.
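The following PowerShell session is an added illustration of that workflow, not a script from the Exchange documentation. It assumes the SCW extension ships as Exchange2010Edge.xml under the Exchange Scripts folder (located through the $env:ExchangeInstallPath variable that Exchange setup creates) and that it must be registered with scwcmd before the wizard offers the Edge role; the policy path C:\Policies\EdgePolicy.xml and the service names are placeholders to adjust for your server.

```powershell
# Added example: register the Exchange 2010 Edge SCW extension, check a policy
# built from it against the server, apply it, and confirm the Edge services
# survived. Run from an elevated prompt on the Edge Transport server.
# Assumptions: extension file name and location, policy path, service names.

$kbFile = Join-Path $env:ExchangeInstallPath 'Scripts\Exchange2010Edge.xml'
if (-not (Test-Path $kbFile)) { throw "SCW extension file not found: $kbFile" }

# 1. Register the Edge role definition so SCW knows which services and ports
#    the Edge Transport role requires (assumed to be needed; harmless if setup
#    already registered it under another name).
scwcmd register /kbname:Ex2010Edge /kbfile:"$kbFile"

# 2. Build the policy interactively: run scw.exe, choose "Create a new security
#    policy", keep only the Exchange 2010 Edge Transport role selected, and save
#    the policy as the file below (placeholder path).
$policy = 'C:\Policies\EdgePolicy.xml'
if (-not (Test-Path $policy)) { throw "Create the policy with scw.exe first: $policy" }

# 3. Dry run: compare the policy with the server's current state and review the
#    XML report in the output folder before anything is changed.
scwcmd analyze /p:"$policy" /m:$env:COMPUTERNAME /o:C:\Policies\Analysis

# 4. Apply the policy (disables unneeded services, adds firewall rules, sets
#    audit policy). The same file can be applied to every Edge server.
scwcmd configure /p:"$policy"

# 5. Check that the lockdown did not take out what Edge Transport depends on:
#    the transport service and the AD LDS instance must still be running.
Get-Service MSExchangeTransport, ADAM_MSExchange | Format-Table Name, Status

# If mail flow or EdgeSync breaks after this, 'scwcmd rollback' restores the
# configuration that was in place before the policy was applied.
```

The analyze step is the one that catches the "not immediately visible" mistakes: read its report for every service the policy would stop and every port it would close, and only then run configure.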
Implementing Network Security
Edge Transport servers in a perimeter network are generally configured with two network adapters: one that communicates only with the Internet, and one that is used only for internal communication.
Each adapter needs a different level of security applied to it. The Internet-facing (external) adapter should be configured to accept only SMTP traffic on TCP port 25.
The internal adapter, on the other hand, needs the following ports open to communicate properly with the servers inside your organization:
Port 25/TCP for SMTP traffic to and from the Hub Transport servers
Ports 50389/TCP and 50636/TCP for LDAP and secure LDAP (Lightweight Directory Access Protocol) connections to the AD LDS instance
Port 3389/TCP for Remote Desktop Protocol (RDP)
The LDAP ports are used during the EdgeSync process, and the RDP port allows remote administration of the server. Restrict the RDP rule to the addresses your administrators connect from rather than to the whole internal network.
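As an added example of putting those per-adapter rules in place (this is illustration code, not from the Exchange documentation), the script below uses netsh advfirewall, which is what Windows Server 2008 and 2008 R2 provide; the NetSecurity cmdlets came later. Because netsh cannot bind a rule to an adapter by name, each rule is tied to the address assigned to that adapter. All addresses and subnets are placeholders you must replace.

```powershell
# Added example: Windows Firewall rules for an Edge Transport server with a
# separate external and internal adapter. Run from an elevated prompt.
# Assumptions (placeholders): the adapter addresses, the Hub Transport subnet,
# and the admin jump-host subnet below.
$externalIP = '203.0.113.10'   # address on the Internet-facing adapter
$internalIP = '10.0.5.10'      # address on the internal adapter
$hubServers = '10.0.1.0/24'    # subnet holding the Hub Transport servers
$adminHosts = '10.0.9.0/24'    # subnet your administrators RDP from

# Default-deny inbound on every profile so anything not listed below is dropped
# on both adapters. The server is not domain-joined, so expect Private/Public.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# External adapter: SMTP from anywhere, and nothing else.
netsh advfirewall firewall add rule name="Edge-Ext-SMTP" dir=in action=allow protocol=TCP localport=25 localip=$externalIP

# Internal adapter: SMTP and EdgeSync (LDAP and secure LDAP into AD LDS) only
# from the Hub Transport subnet, RDP only from the admin subnet.
netsh advfirewall firewall add rule name="Edge-Int-SMTP" dir=in action=allow protocol=TCP localport=25 localip=$internalIP remoteip=$hubServers
netsh advfirewall firewall add rule name="Edge-Int-EdgeSync" dir=in action=allow protocol=TCP localport=50389,50636 localip=$internalIP remoteip=$hubServers
netsh advfirewall firewall add rule name="Edge-Int-RDP" dir=in action=allow protocol=TCP localport=3389 localip=$internalIP remoteip=$adminHosts

# Check: every inbound allow rule should carry a LocalIP; any rule whose
# LocalIP is "Any" applies to the external adapter too and needs a second look.
netsh advfirewall firewall show rule name=all dir=in |
    Select-String 'Rule Name|LocalIP|LocalPort|RemoteIP'
```

The remoteip scoping is the part the port list alone does not give you: 3389 open to the whole internal network turns any compromised workstation into a path to the perimeter, so the rule admits only the hosts administrators actually use.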
Administrator Permissions on an Edge Transport Server
By default, an Edge Transport server is administered using local user accounts, because it is configured as a standalone server in the perimeter network with no domain membership.
The local Administrators group is granted full control over the Edge Transport server, including administrative permissions over the AD LDS instance on the server. Logging on with an account that is a member of the local Administrators group lets you modify the server configuration, the security configuration, the AD LDS data, and the status of queues and messages currently in transit on the server.
Generally, you administer an Edge Transport server over Remote Desktop (Terminal Services), and the local Administrators group is granted remote logon permission by default. Rather than having all of your administrators share the built-in Administrator account, create a separate local account for each administrator who will manage your Edge servers and add those accounts to the local Administrators group on the server, so that logged actions can be traced to an individual.
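The script below is an added illustration of that recommendation (not from the Exchange documentation): it creates one named local account per administrator on the workgroup server through the WinNT ADSI provider, places each in the local Administrators group, and then lists the group so you can audit who holds that access. The user names are placeholders.

```powershell
# Added example: per-person local administrator accounts on an Edge Transport
# server, plus a membership check. Run from an elevated prompt on the server.
# Assumption: the names below stand for your actual administrators.

$adminNames  = 'jsmith', 'mjones'
$computer    = [ADSI]"WinNT://$env:COMPUTERNAME"
$adminsGroup = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

foreach ($name in $adminNames) {
    # Prompt for each initial password instead of embedding one in the script;
    # the plain-text copy exists only long enough to hand to SetPassword.
    $secure = Read-Host -AsSecureString "Initial password for $name"
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    $user = $computer.Create('User', $name)
    $user.SetPassword($plain)
    $user.SetInfo()
    $user.Put('Description', 'Edge Transport administrator')
    $user.Put('PasswordExpired', 1)     # force a change at first logon
    $user.SetInfo()

    # Members of the local Administrators group already have remote logon
    # rights on the Edge server, so no Remote Desktop Users membership is needed.
    $adminsGroup.Add($user.Path)
}

# Audit: every member should be a named person's account; the built-in
# Administrator account stays for emergencies but should not be used day to day.
$adminsGroup.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
```

Because the server is not domain-joined, these accounts must be created, rotated and removed on each Edge server individually; keep the member list from the final command in your change records so a leaver's account is not forgotten on one box.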
Table 1
identifies administrative tasks that are commonly performed on an Edge
Transport server, and the required group membership needed for each
task.
Table 1. Edge Transport Server Administrative Tasks
| Administrative Task | Membership Needed |
|---|---|
| Backup and restore | Backup Operators |
| Enable and disable agents | Administrators |
| Configure connectors | Administrators |
| Configure antispam policies | Administrators |
| Configure IP Block lists and IP Allow lists | Administrators |
| View queues and messages | Users |
| Manage queues and messages | Administrators |
| Create an EdgeSync subscription file | Administrators |