Module 3: Securing Exchange Server 2003 57

Lab: Securing Exchange Server 2003

*****************************ILLEGAL FOR NON-TRAINER USE******************************

Objectives After completing this lab, you will be able to:
„ Use the Security Configuration Wizard to apply a Security Policy and verify
the modifications performed by the Security Policy.
„ Delegate minimal administrative rights by using the Exchange Delegation
Wizard.
„ Install and configure Intelligent Message Filtering.

Instructions Ensure that the MTL-DC1, MTL-CL1, and MTL-NT1 virtual machines are
running.

Note This lab focuses on the concepts in this module and as a result might not
comply with Microsoft security recommendations.

Scenario You are the administrator for the Tailspin Toys messaging environment. A
new company policy states that security settings must be tightened for your
Exchange servers. Recently, another administrator has installed Windows
Server 2003 Service Pack 1 on all company servers. You need to secure your
messaging environment and limit the number of incoming malicious e-mails.
Estimated time to
complete this lab:
40 minutes
58 Module 3: Securing Exchange Server 2003

Exercise 1:
Applying a Security Configuration Wizard Security Policy
In this exercise, you will apply the security policy that was created in an earlier practice. To apply
the security practice, you will use the Security Configuration Wizard. You will then verify the
configuration of the Windows Firewall that was applied by the Security Policy.

Scenario
Another administrator has informed you that the Security Configuration Wizard has been run on all
servers and policies have been created for each Exchange Server. You must apply the security
policies and verify the settings modified through the policy. Additionally, you plan to enable the
POP3 service over SSL in the near future. Therefore, you must ensure that your Windows Firewall
will allow inbound communication for this service.

Tasks Detailed steps

1. On MTL-DC1, import the
MTL-DC1.xml Security
Policy by using the Security
and Configuration Wizard.
a. On MTL-DC1, start the Security Configuration Wizard from the
Administrative Tools folder.
b. On the Configuration Action page, select Apply an existing security
policy and click Browse.
c. In the Open dialog box, click mtl-dc1.xml and click Open.
d. On the Select Server page, ensure that MTL-DC1 is selected and click
Next.
e. On the Apply Security Policy page, click Next.
f. On the Applying Security Policy page, click Next.
g. On the Completing the Security Configuration Wizard page, click
Finish to close the wizard.

2. Open the Windows Firewall a. In the Control Panel, double-click Windows Firewall.
and verify all port b. Verify that Windows Firewall is enabled and verify that the ports and
configurations. applications required for this server are listed on the Exceptions tab.
c. Close all open windows.
 Module 3: Securing Exchange Server 2003 59

Exercise 2:
Delegating Administrative Rights Using the Exchange Delegation
Wizard
In this exercise, you will delegate the View-Only administrative role by using the Exchange System
Manager. You will also assign additional necessary rights to perform recipient management tasks
only. You will then verify that the permission has been assigned properly.

Scenario
A new junior administrator named Jae Pak has been recently hired to perform various recipient-
related tasks in the Exchange environment. You must ensure that Jae Pak has limited permissions
within the Exchange environment while still being able to create and manage Exchange recipients
from Active Directory Users and Computers.

Tasks Detailed steps

1. Delegate the Exchange a. On MTL-DC1, open the Exchange System Manager.

View-Only Administrator
role at the organization level
to Jae Pak.
b. Right-click TailspinToys Organization and click the Delegate
Control.
c. Configure Jae Pak with Exchange View Only Administrator
permissions for the Exchange organization.

2. Assign Jae Pak minimal
permissions in Active
Directory to allow him to
create and manage
Exchange recipients.
a. Open Active Directory Users and Computers.
b. Open the Builtin container and double-click the Account Operators
security group.
c. On the Members tab, click Add. When prompted to add the object
name, type Jae and click Check Names.
d. Click OK twice, and close Active Directory Users and Computers.

3. Verify Jae Pak’s
permissions and ability to
create mailbox-enabled
users in Active Directory.
a. Click Start, point to the Administrative Tools folder, right-click
Active Directory Users and Computers, and click Run as.
b. In the Run As dialog box, enter the following information:
x Username: Tailspintoys\jae
x Password: Pa$$w0rd
c. Browse to the Users container. Right-click Users, point to New, and
then click User.
d. Create a new user named Greg Weber with a logon name of Greg and
a password of Pa$$w0rd. When prompted to create a user mailbox,
verify that Create an Exchange mailbox is selected, and click Next.
Click Finish.
e. Close Active Directory Users and Computers.
60 Module 3: Securing Exchange Server 2003

Exercise 3:
Applying and Testing Intelligent Message Filtering
In this exercise, you will configure Intelligent Message Filtering for your Exchange environment.
You will also activate the filter on your inbound SMTP gateway. You will then verify the IMF
filters and ensure that messages are being blocked by the gateway.

Scenario
Employees of Tailspin Toys are complaining that they are receiving large amounts of unsolicited
commercial e-mail. You decide to enable Intelligent Message Filtering for the Exchange
organization and activate the filter for MTL-DC1. After the filter is installed, you want to ensure
that legitimate e-mails originating from Tailspin Toys clients and suppliers are not being blocked
by the filter while UCE is blocked.

Tasks Detailed steps

1. On MTL-DC1, from the a. On MTL-DC1, open Exchange System Manager.

Exchange System Manager, b. Expand Global Settings and open the Message Delivery properties.
configure the Intelligent
Message Filter with the c. On the Intelligent Message Filtering tab, under Gateway Blocking
following settings: Configuration, select 5 and select Archive.

x Gateway configuration: d. Under the Store Junk e-mail Configuration, select 3.

5+ e. Click OK.
x Action:
Archive messages
x Junk e-mail
configuration: 3+
2. Apply Intelligent Message a. Expand the following containers:
Filter for the MTL-DC1 x Administrative Groups
Default SMTP Virtual
Server. x First Administrative Group
x Servers
x MTL-DC1
x Protocols
x SMTP
b. Right-click Default SMTP Virtual Server, and click Properties.
c. On the General tab, click Advanced, and then click Edit.
d. On the Identification tab, clear the check box for Apply Sender ID
Filter and select the check box for Apply Intelligent Message Filter.
e. Click OK and close all open windows.

3. On MTL-CL1, use Outlook a. On MTL-CL1, open Outlook Express.

Express to send an e-mail b. Create a message to [email protected]; in the Subject field type:
message to Low mortgage rates ***; in the text box, type Cheap rates on your
[email protected]. mortgage $$.
c. Send the message and confirm that it has been sent from the Outbox.
 Module 3: Securing Exchange Server 2003 61

(continued)

Tasks Detailed steps

4. Verify that the message was
filtered and that the filtered
message is stored in the
UCEArchive folder on
MTL-DC1.
a. Open Internet Explorer. In the Address box, type http://MTL-
DC1.tailspintoys.com/exchange/ben, and then press ENTER.
b. In the logon dialog box page, log on as Tailspintoys\Ben with a
password of Pa$$w0rd. Click OK.
c. Confirm that the message from the Fabrikam administrator was not
delivered to the Inbox.
d. On MTL-DC1, browse to C:\Program Files\Exchsrvr\mailroot\vsi 1\
UceArchive.
e. Verify that the message was archived in the UceArchive folder. Open
the message by using Notepad.

5. Prepare for the next module. a. Shut down the MTL-CL1 virtual machine, and do not save changes.
b. Shut down the MTL-DC1 virtual machine, and do not save changes.
c. Shut down the MTL-NT1 virtual machine, and do not save changes
d. Start the MTL-DC1 and the MTL-CL1 virtual machines.