Services Used by Exchange Server 2003
Exchange Server 2003
comprises a number of processes, components, and services that
communicate with each other on local and remote computers. Exchange
servers must communicate with other Exchange servers, domain
controllers, and several different types of client. Depending on the
role an Exchange server plays and the clients it supports, some of these
services are not necessary and may be disabled. Disabling a service
increases security because the port that the service uses is no longer
available for port-based attacks.
Security Alert
Disabling
unused services increases security. If, however, any port is not used,
you should preferably block it at the firewall as well as stop any
service that uses it. Your firewall is your main method of protection.
Where a server is in a DMZ, it may not always be possible to block a
port, and in this case, it is particularly important to disable unused
services.
When evaluating whether to
disable a particular service, you need to consider what other services,
processes, and components depend on it. Sometimes a service may not be
essential to the core operation of an Exchange server, but disabling the
service may reduce the functionality by disabling some useful
peripheral services.
Role-Independent Services
The Exchange Server
2003 services that you require mainly depend on the role that your
Exchange server provides in your environment. However, some Exchange
services are required for Setup to run, for administration to be
performed, and for routing and indexing to function, as well as
interoperability with previous versions of the product.
Setup Reinstall and Upgrade
For Exchange Server 2003 Setup to run, you must install and enable, but not necessarily start, the following services:
Note
Exchange
Server 2003 installs (but does not enable) its own IMAP4 and POP3
services during setup. It will not install on a Windows 2003 server
unless the Windows POP3 service (if present) is uninstalled.
Exchange Server 2003
Setup disables a number of services by default. However, if these
services are subsequently enabled, their current state is preserved
during reinstalls or upgrades. These services are as follows:
NNTP
Microsoft Exchange IMAP4
Microsoft Exchange POP3
Administration
The following services are required to administer Exchange Server 2003:
Microsoft Exchange System Attendant
Microsoft Exchange Management
Windows Management Instrumentation
Routing
The following services are required to enable Exchange Server 2003 to route messages:
Compatibility
The following services are required to provide compatibility with earlier versions of Exchange:
Microsoft Exchange Event Service
Microsoft Exchange Site Replication Service
Exchange MTA Stacks (Exchange Server 5.5 compatibility only)
Additional Features
The following services provide additional features for Exchange Server 2003:
Services on an Exchange Front-End Server
An Exchange
front-end server accepts requests from clients and then forwards those
requests to the appropriate back-end server for processing. Therefore,
you can disable many of the Exchange services that are installed by
default.
Tip
Do
not try to memorize which services can or cannot be disabled on a
back-end or a front-end Exchange server. Instead, read and understand
the reasons why a service is or is not essential. Questions on this
topic can often be answered by applying reasoning and common sense.
The following are required services on a front-end server:
Microsoft Exchange Routing Engine You require this service to enable Exchange routing functionality.
IPSEC Services
This service provides end-to-end security between clients and servers
on Transmission Control Protocol/Internet Protocol (TCP/IP) networks.
You require this service if you want to configure an Internet Protocol
security (IPSec) filter on OWA servers.
IIS Admin Service This service is dependent on the MSExchange routing engine. You require this service to allow Exchange routing functionality.
World Wide Web Publishing Service You require this service if you want client computers to communicate with OWA or Outlook Mobile Access front-end servers.
The following services can be disabled on a front-end server:
Microsoft Exchange IMAP4 You require this service only if the server is configured for IMAP4 clients.
Microsoft Exchange Information Store
You require this service only if there are user mailboxes or public
folders. It can therefore be disabled because front-end servers do not
contain user data.
Microsoft Exchange POP3 You require this service only if the server is configured for POP3 clients.
NNTP You require this service only for installation and if newsgroup functionality is specified.
The following services could optionally be disabled on a front-end server:
Microsoft Exchange System Attendant
System Attendant can be disabled because it is required on a front-end
server only if you plan to make configuration changes to Exchange
Server. However, the justification for disabling this service is, at
best, debatable. If you do decide to disable it, make sure that it is
definitely not needed.
Microsoft Exchange Management
This service allows you to specify, through the user interface (UI),
which domain controller or global catalog server Exchange Server 2003
will use when accessing the directory. The service is also required for
message tracking. You can disable this service without affecting the
core functionality of Exchange. However, you may need Message Tracking to
audit Exchange functionality.
SMTP
You need to enable the SMTP service only if you have configured your
front-end server to receive SMTP mail, either as a gateway or as a
front-end server for IMAP4 or POP3. If the server is an SMTP gateway,
the Information Store and System Attendant services are also required.
As with System Attendant, the advantages of disabling this service are
debatable. In practice, it is unusual for the SMTP service to be
disabled on any Exchange Server 2003 server.
Outlook Mobile Access
This service provides mobile access to users. If you are not using
Outlook Mobile Access, you can disable it globally. This makes the
application inaccessible, and no requests can be made to the back-end
server.
Note
ForestPrep disables Outlook Mobile Access by default.
If
your front-end server is used to establish POP3, IMAP4, or SMTP
connections, do not enable the World Wide Web Publishing Service, and
enable the Microsoft Exchange POP3 or IMAP4 service, as appropriate. If
you enable POP3, IMAP4, or SMTP, then you also need to enable the
Exchange Information Store service (MSExchangeIS) and the Microsoft
Exchange System Attendant service (MSExchangeSA).
Services on an Exchange Back-End Server
The function of an
Exchange back-end server is to store user mailboxes. In a front-end and
back-end configuration, you can disable several of the Exchange services
that are installed by default.
The following are required services on a back-end server:
Microsoft Exchange Information Store Back-end servers contain user mailboxes and public folders. You require this service to enable the information store services.
Microsoft Exchange Management You require this service if you want to provide message tracking and to audit message flow.
Windows Management Instrumentation (WMI) You need to ensure this service is enabled. It is dependent on Microsoft Exchange Management.
Microsoft Exchange MTA Stacks You require this service if you need compatibility with previous versions of Exchange or if there are X.400 connectors.
Microsoft Exchange System Attendant You require this service if you want to perform Exchange administration and for Exchange maintenance to run.
Microsoft Exchange Routing Engine You require this service if you want to coordinate message transfer between Exchange servers.
IPSEC Services You require this service if you want to implement an IPSec policy on the back-end server.
IIS Admin Service The MSExchange routing engine requires this service.
NTLM Security Support Provider You need to ensure that this service is enabled. It is dependent on System Attendant.
Microsoft Exchange SMTP Exchange requires this service to transfer messages.
World Wide Web Publishing Service You require this service if you want to provide communication with OWA and Outlook Mobile Access front-end servers.
The following services can be disabled on a back-end server:
Microsoft Exchange IMAP4 You can disable this service unless you have configured a corresponding front-end server for IMAP4 access.
Microsoft Exchange POP3 You can disable this service unless you have configured a corresponding front-end server for POP3 access.
Microsoft Search You can disable this service unless you need to implement full-text indexing of mailbox or public folder stores.
Microsoft Exchange Event Service You can disable this service unless you require compatibility with previous versions of Exchange.
Microsoft Exchange Site Replication You can disable this service unless you require compatibility with previous versions of Exchange.
NNTP
You can disable this service unless you require newsgroup
functionality. The service is required for installation but does not
need to be enabled.
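The advice in the role sections above (consider what else depends on a service before disabling it; on a front-end server, POP3, IMAP4, or SMTP pulls the Information Store and System Attendant back in) can be applied mechanically rather than memorized. The following Python example is added here to illustrate that reasoning and is not part of the original text. It computes the transitive set of services a server still needs from the features it provides and checks a disable plan against that set. MSExchangeIS and MSExchangeSA are the short names the text gives; the other short service names are the usual Windows names for the services discussed and, together with the dependency map, are assumptions built from the statements above rather than read from a live server.

```python
"""Compute which Exchange Server 2003 services a server still needs, following
dependencies transitively, and check a disable plan against that set.
Example code; service names other than MSExchangeIS and MSExchangeSA, and the
dependency map itself, are assumptions constructed from the role sections."""

# service -> services it needs (constructed from the text, not from 'sc qc')
DEPENDS_ON = {
    "MSExchangeIS": {"MSExchangeSA"},            # store needs System Attendant
    "MSExchangeSA": {"NtLmSsp"},                 # NTLM Security Support Provider
    "MSExchangeMGMT": {"WinMgmt"},               # Windows Management Instrumentation
    "RESvc": {"IISADMIN"},                       # routing engine needs IIS Admin
    "W3SVC": {"IISADMIN"},                       # World Wide Web Publishing
    "NntpSvc": {"IISADMIN"},
    # POP3/IMAP4 on a front-end, and SMTP as a gateway, also need the store
    # and System Attendant (a functional need stated in the text).
    "POP3Svc": {"MSExchangeIS", "MSExchangeSA"},
    "IMAP4Svc": {"MSExchangeIS", "MSExchangeSA"},
    "SMTPSVC": {"IISADMIN", "MSExchangeIS", "MSExchangeSA"},
}

# Every service the role sections discuss, so "can be disabled" is computed.
ALL_SERVICES = set(DEPENDS_ON) | {
    "IISADMIN", "NtLmSsp", "WinMgmt", "PolicyAgent",
    "MSExchangeMTA", "MSExchangeES", "MSExchangeSRS", "MSSEARCH",
}

# feature a server provides -> services that feature needs directly
FEATURE_NEEDS = {
    "routing": {"RESvc"},
    "owa": {"W3SVC"},                  # OWA / Outlook Mobile Access front-end
    "ipsec": {"PolicyAgent"},          # IPSEC Services
    "pop3": {"POP3Svc"},
    "imap4": {"IMAP4Svc"},
    "smtp": {"SMTPSVC"},
    "mailboxes": {"MSExchangeIS"},     # user mailboxes or public folders
    "admin": {"MSExchangeSA", "MSExchangeMGMT"},   # administration, tracking
    "legacy": {"MSExchangeMTA", "MSExchangeES", "MSExchangeSRS"},
    "fulltext": {"MSSEARCH"},
    "nntp": {"NntpSvc"},
}


def required_services(features):
    """Transitive closure: the features' services plus everything they depend on."""
    needed = set()
    stack = [svc for feature in features for svc in FEATURE_NEEDS[feature]]
    while stack:
        svc = stack.pop()
        if svc not in needed:
            needed.add(svc)
            stack.extend(DEPENDS_ON.get(svc, ()))
    return needed


def disable_candidates(features):
    """Services no enabled feature needs, directly or indirectly."""
    return sorted(ALL_SERVICES - required_services(features))


def check_plan(features, to_disable):
    """Map each service in to_disable that is still needed to the features
    that need it, so the conflict is caught before the service is stopped."""
    conflicts = {}
    for feature in features:
        for svc in required_services([feature]):
            if svc in to_disable:
                conflicts.setdefault(svc, set()).add(feature)
    return conflicts


if __name__ == "__main__":
    # An OWA front-end that also serves POP3 clients: the store and System
    # Attendant come back in through POP3 even though it holds no mailboxes.
    front_end = ["routing", "owa", "pop3"]
    print("required:", sorted(required_services(front_end)))
    print("can disable:", disable_candidates(front_end))
    print("conflicts:", check_plan(front_end, ["MSExchangeSA", "NntpSvc"]))
```

The dependency map is the part to keep honest: on a real server, verify each entry against the DEPENDENCIES field of `sc qc <service>` and the functional requirements in the role sections before acting on the plan.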
Protocol Logging
Protocol logs track
the commands that an Internet protocol virtual server receives from
clients over a network, and you can also use them to track outgoing
commands. By setting the configuration properties of the virtual server
associated with each messaging transport protocol, you can audit client
operations and protocol traffic. You can then take steps to protect your
mail system if suspicious traffic is detected.
The Internet protocols
(SMTP, HTTP, and NNTP) enable you to use logging to track the commands
the virtual server receives from clients. For example, for each message,
you can view the client IP address, client domain name, date and time
of the message, and number of bytes sent.
When protocol logging is
used with Windows 2000 event logs, the protocol log enables you to audit
the use of the virtual server and identify problems.
Logging Formats
You can specify the
logging format that Exchange uses for recording information. You can
either use an ASCII-based format or you can create an Open Database
Connectivity (ODBC) database. The ASCII logs can be read in a text
editor but are generally loaded into a report-generating software tool.
ODBC logging format is a record of a fixed set of data fields that can
be read by ODBC-compliant database software, such as Microsoft Access or
SQL Server.
Protocol logs are, by
default, saved in the C:\WINNT\System32\LogFiles directory tree. For
example, log files for the Default SMTP virtual server are stored in
C:\WINNT\System32\LogFiles\SmtpSvc1.
The ASCII format options are as follows:
W3C Extended and NCSA
formats will record data in a four-digit year format, while the
Microsoft IIS format uses a two-digit year format and is provided for
backward compatibility with earlier systems.
If you want to enable
logging in an ODBC format, then you must specify the database you want
to be logged to and set up the database to receive the logging data. You
do not, however, need to be a database programmer to administer Exchange:
setting up an ODBC database is a relatively straightforward operation.
You create an
ODBC-compliant database by using a database program such as Access or
SQL Server. You need to create a table in the database that contains the
fields listed in Table 1. In Access, varchar(255) is equivalent to a Text data type with a Field Size setting of 255.
Table 1. ODBC-Compliant Database Fields
| Field name     | Data type    |
|----------------|--------------|
| ClientHost     | varchar(255) |
| Username       | varchar(255) |
| LogTime        | datetime     |
| Service        | varchar(255) |
| Machine        | varchar(255) |
| ServerIP       | varchar(50)  |
| ProcessingTime | integer      |
| BytesRecvd     | integer      |
| BytesSent      | integer      |
| ServiceStatus  | integer      |
| Win32Status    | integer      |
| Operation      | varchar(255) |
| Target         | varchar(255) |
| Parameters     | varchar(255) |
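The two logging formats described above record the same events, so it helps to see how a W3C Extended log and the Table 1 schema relate, and how the resulting table supports the audit the Protocol Logging section calls for. The following Python example is added for that purpose and is not part of the original text. It parses W3C Extended records (a #Fields: directive followed by one record per line), loads them into a table with exactly the Table 1 columns, and queries that table for a client with a run of refused recipients. SQLite stands in for Access or SQL Server so that it runs offline; the log lines are constructed for the example (documentation IP ranges, made-up names) and the mapping from W3C field names to Table 1 columns is this example's own assumption.

```python
"""W3C Extended protocol log -> Table 1 schema -> audit queries.
Example code. The sample log is constructed; the W3C-to-Table-1 column
mapping is assumed; SQLite stands in for an ODBC database."""
import sqlite3

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-03-15 09:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken
2004-03-15 09:00:01 192.0.2.10 mail.example.test SMTPSVC1 SERVER01 198.51.100.5 25 EHLO +mail.example.test - 250 0 227 21 0
2004-03-15 09:00:01 192.0.2.10 mail.example.test SMTPSVC1 SERVER01 198.51.100.5 25 MAIL +FROM:<alice@example.test> - 250 0 44 31 0
2004-03-15 09:00:02 192.0.2.10 mail.example.test SMTPSVC1 SERVER01 198.51.100.5 25 RCPT +TO:<bob@contoso.test> - 250 0 37 27 0
2004-03-15 09:00:02 192.0.2.10 mail.example.test SMTPSVC1 SERVER01 198.51.100.5 25 DATA - - 354 0 31 6 0
2004-03-15 09:00:03 192.0.2.10 mail.example.test SMTPSVC1 SERVER01 198.51.100.5 25 QUIT - - 240 0 71 6 16
2004-03-15 09:05:10 203.0.113.77 - SMTPSVC1 SERVER01 198.51.100.5 25 HELO +x - 250 0 40 8 0
2004-03-15 09:05:10 203.0.113.77 - SMTPSVC1 SERVER01 198.51.100.5 25 MAIL +FROM:<someone@unknown.test> - 250 0 44 34 0
2004-03-15 09:05:11 203.0.113.77 - SMTPSVC1 SERVER01 198.51.100.5 25 RCPT +TO:<user1@other.test> - 550 0 60 28 0
2004-03-15 09:05:11 203.0.113.77 - SMTPSVC1 SERVER01 198.51.100.5 25 RCPT +TO:<user2@other.test> - 550 0 60 28 0
2004-03-15 09:05:12 203.0.113.77 - SMTPSVC1 SERVER01 198.51.100.5 25 RCPT +TO:<user3@other.test> - 550 0 60 28 0
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]   # the directive may repeat mid-file
            continue                        # #Software/#Version/#Date: no record
        if fields is None:
            raise ValueError("record appears before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("expected %d fields, got %d: %r" % (len(fields), len(values), line))
        yield dict(zip(fields, values))


# Table 1 column -> W3C field it is filled from (assumed mapping). LogTime
# combines date and time; "-" in a W3C field means the value is absent.
ODBC_COLUMNS = [
    ("ClientHost", "c-ip"), ("Username", "cs-username"), ("LogTime", None),
    ("Service", "s-sitename"), ("Machine", "s-computername"),
    ("ServerIP", "s-ip"), ("ProcessingTime", "time-taken"),
    ("BytesRecvd", "cs-bytes"), ("BytesSent", "sc-bytes"),
    ("ServiceStatus", "sc-status"), ("Win32Status", "sc-win32-status"),
    ("Operation", "cs-method"), ("Target", "cs-uri-stem"),
    ("Parameters", "cs-uri-query"),
]
INTEGER_COLUMNS = {"ProcessingTime", "BytesRecvd", "BytesSent",
                   "ServiceStatus", "Win32Status"}

# The Table 1 schema; SQLite accepts these type names as written.
CREATE_TABLE = """CREATE TABLE ProtocolLog (
    ClientHost varchar(255), Username varchar(255), LogTime datetime,
    Service varchar(255), Machine varchar(255), ServerIP varchar(50),
    ProcessingTime integer, BytesRecvd integer, BytesSent integer,
    ServiceStatus integer, Win32Status integer, Operation varchar(255),
    Target varchar(255), Parameters varchar(255))"""


def to_odbc_row(record):
    """Turn one parsed W3C record into a row in Table 1 column order."""
    row = []
    for column, field in ODBC_COLUMNS:
        if field is None:
            row.append(record["date"] + " " + record["time"])
            continue
        value = None if record[field] == "-" else record[field]
        if column in INTEGER_COLUMNS and value is not None:
            value = int(value)
        row.append(value)
    return row


def load_log(text):
    """Create the Table 1 table in an in-memory database and fill it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_TABLE)
    conn.executemany("INSERT INTO ProtocolLog VALUES (%s)" % ",".join("?" * 14),
                     (to_odbc_row(r) for r in parse_w3c(text)))
    conn.commit()
    return conn


def rejected_recipients_by_client(conn, threshold=3):
    """Clients with at least `threshold` RCPT commands refused (5xx status).
    A run of refused recipients from one address is the kind of traffic the
    text says to watch for; it is a prompt to look, not proof of abuse."""
    rows = conn.execute(
        "SELECT ClientHost, COUNT(*) FROM ProtocolLog "
        "WHERE Operation = 'RCPT' AND ServiceStatus >= 500 "
        "GROUP BY ClientHost HAVING COUNT(*) >= ?", (threshold,)).fetchall()
    return dict(rows)


def bytes_by_client(conn):
    """(bytes received, bytes sent) per client, the per-client totals of the
    byte counts the text lists among the logged values."""
    rows = conn.execute("SELECT ClientHost, SUM(BytesRecvd), SUM(BytesSent) "
                        "FROM ProtocolLog GROUP BY ClientHost").fetchall()
    return {host: (recvd, sent) for host, recvd, sent in rows}


if __name__ == "__main__":
    db = load_log(SAMPLE_LOG)
    print("refused recipients:", rejected_recipients_by_client(db))
    print("bytes per client:", bytes_by_client(db))
```

Because the parser reads the column names from the #Fields: directive, it follows whatever extended properties were selected on the Advanced tab; only the fields named in ODBC_COLUMNS have to be present for the Table 1 load to succeed.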
Practice: Enabling and Configuring Protocol Logging
The
method you use to enable and configure protocol logging varies
depending upon the virtual server you are configuring. HTTP servers,
including the Exchange virtual server (that is, the Default HTTP virtual
server), are configured using IIS Manager. SMTP and NNTP virtual
servers are configured using Exchange System Manager.
Exercise 1: Enable Logging for SMTP and NNTP Virtual Servers
This procedure is
performed on the Default SMTP virtual server on Server01. The same
procedure can be used for any SMTP or NNTP virtual server.
To enable and configure protocol logging on the selected server, perform the following steps:
1. Open Exchange System Manager.
2. Navigate to Administrative Groups\First Administrative Group\Servers\Server01\Protocols\SMTP, right-click Default SMTP Virtual Server, and then click Properties.
3. On the General tab, select the Enable Logging check box.
4. In the Active Log Format drop-down list, select the log file format, and then click Properties. The default log file format for SMTP is W3C Extended Log File Format (for NNTP, it is Microsoft IIS Log File Format).
5. On the General tab of the Logging Properties dialog box, shown in Figure 1, under New Log Schedule, select one of the following options:
   Hourly
   Daily (this is the default)
   Weekly
   Monthly
   Unlimited File Size (this appends data to the same log file)
   When File Size Reaches (this creates a new log file when the size reaches the amount you specify in MB)
6. Under Log File Directory, specify the log file location.
7. If you have selected the W3C Extended logging format, then you can select the Advanced tab and select the items you want to track. Although the names of these settings are based on W3C conventions, they apply to specific SMTP values. For a full description of these extended properties, click Help in the Logging Properties dialog box.
8. Click OK.
9. Click OK again to close the Default SMTP Virtual Server Properties box.
Exercise 2: Enable and Configure Logging for the Exchange Virtual Server
The Exchange virtual
server, or Default HTTP virtual server, implements the default Web site
provided by IIS. You cannot manage this virtual server using Exchange
System Manager. It must be administered from the IIS Manager console. In
this console, the Exchange virtual server appears as Default Web Site. A
similar procedure can be used to configure additional HTTP virtual
servers.
To enable and configure protocol logging for the Exchange virtual server, perform the following steps:
1. Start IIS Manager on Server01.
2. Expand Server01\Web Sites, right-click Default Web Site, and then click Properties.
3. On the Web Site tab, select the Enable Logging check box.
4. In the Active Log Format drop-down list, select the log file format, and then click Properties. The default log format is W3C Extended Log File Format.
5. In the Logging Properties dialog box, on the General tab, select the time interval to write to the log file, the log file size, the directory where the log file exists, and other parameters, depending on the type of format you selected.
6. If you selected W3C Extended Log File Format in the Logging Properties dialog box, then you can access the Advanced tab and specify Extended Logging Options. For example, you can log the client's IP address (c-ip) and the protocol command or method sent by the client (cs-method).
7. Click OK. Click OK again to close the Default Web Site Properties box.
8. Verify that you can also right-click HTTP_server1 on the IIS console and configure logging for that virtual server using the same procedure.