Exchange Server 2010 : Securing Windows for the Edge Transport Server Role

3/26/2011 3:19:00 PM
In Exchange Server 2010, your Edge Transport server roles are installed as standalone servers in your perimeter network (also referred to as the boundary network or screened subnet).

Because these servers exist in your perimeter network, they are more vulnerable to potential attacks than servers located on your internal network. To prepare a server for the Edge Transport server role, you should first use the Security Configuration Wizard (SCW) to minimize the attack surface of the server by disabling functions that are not needed for the Edge Transport role.

Although it is possible to manually secure the server, the SCW automates the process and applies Microsoft recommended best practices to lock the server down by utilizing a role-based metaphor to determine what services are needed on a particular server. By utilizing the SCW, you can minimize your exposure to exploitation of security vulnerabilities.

One of the challenges to locking down ports and services on a particular server is ensuring you do not remove functionality that is necessary for the server to perform its functions. Often, mistakes can be made that are not immediately visible and that can cause problems in your environment that will require troubleshooting at a later date. However, within Exchange Server 2010, there is an SCW template that can be applied to a computer that has the Edge Transport server role installed that can automatically lock down services and ports that are not needed to perform Edge Transport functionality.

When you run the SCW, you can create a custom policy based on this template that can be applied to all Edge Transport servers in your environment.
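The command-line side of that workflow, as an added example that is not part of the original article or of the Exchange product documentation. The knowledge-base name, the template path, the policy path and the report directory below are placeholders, since the article does not give them; the template is registered once, the custom policy you saved from the SCW is applied, and the same policy is later used to re-check the server for drift.

```powershell
# Added example (not from the original article): registering the Edge Transport
# SCW template, applying a policy built from it, and re-checking the server later.
# All names and paths below are placeholders to replace with your own values.
$KbName     = 'EdgeTransportKB'                              # placeholder knowledge-base name
$KbFile     = 'C:\path\to\EdgeTransport-SCW-template.xml'    # placeholder: Exchange-supplied template
$PolicyFile = 'C:\SCW\EdgeTransportPolicy.xml'               # placeholder: custom policy saved from the SCW
$ReportDir  = 'C:\SCW\Reports'                               # placeholder: where analysis results go

function Invoke-Scw {
    # Runs scwcmd.exe with the given arguments and stops on a non-zero exit code,
    # so a failed step is never silently skipped.
    param([string[]]$Arguments)
    & scwcmd.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "scwcmd $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Make the role template known to the SCW so the wizard can build a policy
#    from it. This is done once per server; re-running it reports the name as
#    already registered.
if (-not (Test-Path $KbFile)) { throw "Template not found: $KbFile" }
Invoke-Scw @('register', "/kbname:$KbName", "/kbfile:$KbFile")

# 2. Apply the custom policy that was created from that template in the SCW
#    user interface (scw.exe). This is the step that disables unneeded services
#    and closes unneeded ports.
if (-not (Test-Path $PolicyFile)) { throw "Policy not found: $PolicyFile" }
Invoke-Scw @('configure', "/p:$PolicyFile")

# 3. Later, compare the running server against the same policy. Any deviation
#    (a service re-enabled, a port opened) shows up in the XML results here
#    instead of surfacing as an unexplained problem months later.
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
Invoke-Scw @('analyze', "/p:$PolicyFile", "/o:$ReportDir")
Get-ChildItem -Path $ReportDir -Filter '*.xml' | Select-Object Name, LastWriteTime
```

Run it from an elevated PowerShell session on the Edge Transport server itself. Step 3 is the part worth scheduling: applying the policy once does not keep the server locked down, and the analyze output is the cheapest way to see what has changed since.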

Implementing Network Security

Edge Transport servers in a perimeter network are generally configured with two network adapters—one to communicate strictly with the Internet, and the other strictly for internal communications.

Each adapter must have a different level of security applied to it. It is recommended that the Internet-facing (or external) adapter be configured to only allow SMTP traffic on port 25.

The internal adapter, on the other hand, needs the following ports open to properly communicate with the servers within your organization:

  • Port 25/SMTP for SMTP traffic

  • Ports 50389/TCP and 50636/UDP for Lightweight Directory Access Protocol (LDAP) communication

  • Port 3389/TCP Remote Desktop Protocol

The LDAP ports are used during the EdgeSync process, and the RDP port is used to allow remote administration of the server.
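The two-adapter rule set above, expressed as Windows Firewall rules, as an added example that is not part of the original article. It assumes a server with the NetSecurity PowerShell module (Windows Server 2012 or later; on the Windows Server 2008 R2 hosts typical of Exchange 2010, the same rules are created with netsh advfirewall), and it assumes the two adapters are named External and Internal. The port and protocol list is taken exactly as the article gives it.

```powershell
# Added example (not from the original article): per-adapter inbound firewall
# rules for a dual-homed Edge Transport server. Assumes the NetSecurity module
# (Windows Server 2012+) and assumed interface aliases "External" and "Internal".
$ExternalNic = 'External'   # Internet-facing adapter (assumed alias)
$InternalNic = 'Internal'   # adapter towards the internal network (assumed alias)

# Internal adapter: the ports listed in the article, as listed there.
$InternalRules = @(
    @{ Name = 'Edge-Internal-SMTP';       Protocol = 'TCP'; Port = 25    },
    @{ Name = 'Edge-Internal-LDAP-50389'; Protocol = 'TCP'; Port = 50389 },
    @{ Name = 'Edge-Internal-LDAP-50636'; Protocol = 'UDP'; Port = 50636 },
    @{ Name = 'Edge-Internal-RDP';        Protocol = 'TCP'; Port = 3389  }
)

# External adapter: SMTP only. No RDP and no LDAP are reachable from the Internet.
New-NetFirewallRule -DisplayName 'Edge-External-SMTP' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 25 -InterfaceAlias $ExternalNic | Out-Null

foreach ($r in $InternalRules) {
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
        -Protocol $r.Protocol -LocalPort $r.Port -InterfaceAlias $InternalNic | Out-Null
}

# The allow rules only mean something if everything else is dropped: keep the
# default inbound action at Block on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Review what is actually open, per rule, with its protocol, port and adapter.
function Get-EdgeFirewallSummary {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.DisplayName -like 'Edge-*' } |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $nic  = $_ | Get-NetFirewallInterfaceFilter
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Protocol  = $port.Protocol
                LocalPort = $port.LocalPort
                Interface = $nic.InterfaceAlias
            }
        }
}

Get-EdgeFirewallSummary | Format-Table -AutoSize
```

Exchange Setup creates its own firewall rules for the transport service as well; the summary function deliberately filters on the Edge-* names so you can see the per-adapter scoping this example adds without those rules mixed in. Drop the Where-Object filter to review every inbound allow rule on the server.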

Administrator Permissions on an Edge Transport Server

By default, when you install an Edge Transport server role, the server is administered using local user accounts. This is because the server is configured as a standalone server in the perimeter network and has no domain membership.

The local Administrators group is granted full control over the Edge Transport server, including administration permissions over the instance of AD LDS on the server. Logging on as an account with membership in the local Administrators group gives you permission to modify the server configuration, security configurations, AD LDS data, and the status of queues and messages currently in transit on the server.

Generally, you would use Windows Terminal Services (Remote Desktop) to administer an Edge Transport server, and the local Administrators group is granted remote logon permissions by default. Rather than allowing all of your administrators to use the default Administrator account, it is recommended that you create a separate local account for each administrator who will be administering your Edge servers, and add these accounts to the local Administrators group on the server.

Table 1 identifies administrative tasks that are commonly performed on an Edge Transport server, and the required group membership needed for each task.

Table 1. Edge Transport Server Administrative Tasks

  Administrative Task                          Membership Needed
  -------------------------------------------  -----------------
  Backup and restore                           Backup Operators
  Enable and disable agents                    Administrators
  Configure connectors                         Administrators
  Configure antispam policies                  Administrators
  Configure IP Block lists and IP Allow lists  Administrators
  View queues and messages                     Users
  Manage queues and messages                   Administrators
  Create an EdgeSync subscription file         Administrators
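One way to put the per-administrator account recommendation and Table 1 together, as an added example that is not part of the original article. Each person gets their own local account, and the account is placed only in the group that their tasks require, so a backup operator or someone who only needs to view queues never ends up in local Administrators. It assumes PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 or later); on Windows Server 2008 R2 the same steps are net user and net localgroup. The account names and task assignments are constructed sample data.

```powershell
# Added example (not from the original article): per-administrator local accounts
# on a standalone Edge Transport server, with group membership derived from Table 1.
# Assumes the Microsoft.PowerShell.LocalAccounts module (PowerShell 5.1, Windows
# Server 2016+). Account names and task assignments below are constructed samples.

# Local group each administrative task needs, exactly as in Table 1.
$TaskGroup = @{
    'Backup and restore'                           = 'Backup Operators'
    'Enable and disable agents'                    = 'Administrators'
    'Configure connectors'                         = 'Administrators'
    'Configure antispam policies'                  = 'Administrators'
    'Configure IP Block lists and IP Allow lists'  = 'Administrators'
    'View queues and messages'                     = 'Users'
    'Manage queues and messages'                   = 'Administrators'
    'Create an EdgeSync subscription file'         = 'Administrators'
}

# One account per person (constructed data): the tasks decide the groups.
$Admins = @(
    @{ Name = 'edge-jsmith';  Tasks = @('Configure connectors', 'Manage queues and messages') },
    @{ Name = 'edge-bkp01';   Tasks = @('Backup and restore') },
    @{ Name = 'edge-helpdsk'; Tasks = @('View queues and messages') }
)

function New-EdgeAdminAccount {
    param([string]$Name, [string[]]$Tasks)

    # Every local account is already a member of Users, so only the other
    # groups from Table 1 need to be granted explicitly.
    $Groups = $Tasks | ForEach-Object { $TaskGroup[$_] } | Sort-Object -Unique |
              Where-Object { $_ -ne 'Users' }

    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        $Password = Read-Host -Prompt "Initial password for $Name" -AsSecureString
        New-LocalUser -Name $Name -Password $Password `
            -Description 'Edge Transport administrator (individual account)' | Out-Null
    }
    foreach ($g in $Groups) {
        if (-not (Get-LocalGroupMember -Group $g -Member $Name -ErrorAction SilentlyContinue)) {
            Add-LocalGroupMember -Group $g -Member $Name
        }
    }
    [pscustomobject]@{ Account = $Name; Groups = (@($Groups) -join ', ') }
}

$Admins | ForEach-Object { New-EdgeAdminAccount -Name $_.Name -Tasks $_.Tasks }

# Review: who holds full control of this Edge server right now. Anything here
# that is not an individual, named account is worth a second look.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass
```

The function is idempotent: re-running it for an existing account only adds missing group memberships, so the same script can be kept with the server build documentation and re-applied when an administrator's tasks change. The closing query is the check to run periodically, since the built-in Administrator account and any shared accounts that accumulate in that group are exactly what the per-person recommendation is meant to avoid.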