Before you expose servers to the Internet, we recommend that you protect IIS by turning off all features and services except those that are required.
In Windows Server 2003, IIS features are already disabled by default to ensure the most secure defaults are in place for your server.
In Microsoft Windows Server 2000, you can protect IIS by downloading and running the IIS Lockdown Wizard and the UrlScan tool.
Windows Server 2003 SP2 and IIS 6.0
Microsoft Windows Server 2003 has many built-in features that help secure IIS 6.0 servers. To help protect against malicious users and attackers, the default configuration for members of the Windows Server 2003 family does not include IIS. When IIS is installed, it is configured in a highly secure, "locked down" mode that serves only static content. The Web Service Extensions feature then lets you enable or disable individual pieces of IIS functionality, so that you can reduce the attack surface further to match the needs of your organization.
For more information, see "Reducing the Attack Surface of the Web Server" (IIS 6.0) in the IIS Deployment Guide at http://go.microsoft.com/fwlink/?LinkId=67608.
UrlScan version 2.5 is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will accept. By blocking specific HTTP requests, the UrlScan security tool helps prevent potentially harmful requests from ever reaching the server. UrlScan 2.5 now installs as a stand-alone package on servers running Microsoft IIS 4.0 and later.
UrlScan 2.5 is not included with IIS 6.0 because IIS 6.0 has built-in features that provide security functionality that is equal to or better than most of the features of UrlScan 2.5. UrlScan provides some additional functionality, such as verb control, beyond what IIS 6.0 provides. Also, if you have incorporated the use of UrlScan security tool into your server management practices for IIS and for other Microsoft servers, you may want to utilize the additional functionality and features of UrlScan 2.5.
To download the UrlScan security tool, visit the UrlScan Security Tool Web site: http://go.microsoft.com/fwlink/?LinkId=62665.
For more information about UrlScan and the functionality it provides beyond what IIS 6.0 includes, see "Determining Whether to Use UrlScan 2.5 with IIS 6.0" on the UrlScan Security Tool Web site.
UrlScan must be correctly configured for use with Exchange Server 2003 SP2. For full details about how to configure UrlScan for use with Exchange Server 2003 SP2, see "Fine-tuning and known issues when you use the UrlScan tool in an Exchange Server 2003 SP2 environment" at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=62666.
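The following UrlScan.ini fragment is an illustrative example added here, not the configuration from the KB article referenced above (which remains the authority for Exchange Server 2003 SP2). It shows the verb control that IIS 6.0 lacks on its own: with UseAllowVerbs=1, only the verbs listed under [AllowVerbs] reach IIS; the verb list, the Exchange-specific options and the request limits are assumptions for this example.

```ini
; UrlScan.ini fragment (illustrative example added here; not the settings from the
; KB article referenced above, which stays authoritative for Exchange Server 2003 SP2).
[options]
; Only verbs listed under [AllowVerbs] are accepted; this is the verb control
; that IIS 6.0 does not provide on its own.
UseAllowVerbs=1
; Reject the extensions listed under [DenyExtensions] instead of allow-listing.
UseAllowExtensions=0
; Decode the URL once before scanning, and reject URLs that change when decoded
; again (double-encoding attempts).
NormalizeUrlBeforeScan=1
VerifyNormalization=1
; OWA folder names can contain dots and non-ASCII characters (assumption for
; this example; confirm against the KB article).
AllowDotInPath=1
AllowHighBitCharacters=1
; Do not advertise the IIS version in the Server header.
RemoveServerHeader=1
EnableLogging=1
PerDayLogging=1

[AllowVerbs]
; Assumed list: OWA and WebDAV clients use more than GET and POST.
GET
HEAD
POST
OPTIONS
PROPFIND
PROPPATCH
SEARCH
MKCOL
MOVE
COPY
DELETE
PUT
SUBSCRIBE
POLL

[DenyExtensions]
.exe
.bat
.cmd

[RequestLimits]
; Byte limits are assumptions; OWA requests can be long, so set them with care.
MaxUrl=16384
MaxQueryString=4096
```

Rejected requests are written to the UrlScan log, which is worth watching after deployment: a burst of blocked verbs from legitimate clients means the allow list is too narrow, while blocked verbs from unknown sources are a useful early signal.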
Windows Server 2000
If you are using Windows Server 2000, you should download the IIS Lockdown Wizard to help you disable the IIS features and services that are unnecessary for your environment. To provide multiple layers of protection against attackers, the IIS Lockdown Wizard also contains an earlier version of the UrlScan security tool, which functions in much the same way as UrlScan 2.5, discussed earlier.
The IIS Lockdown Wizard contains a configuration template for Exchange that turns off unwanted features and services. To use this configuration template, run the IIS Lockdown Wizard, select the Exchange template and then change or accept the default configuration options. Additional templates are provided as part of the lockdown tool as well.
To download the IIS Lockdown Tool (version 2.1), visit "IIS Lockdown Tool (version 2.1)" at the Windows 2000 Web site.
To help maximize the security of your Exchange servers, apply all the required updates both before and after you apply the IIS Lockdown Wizard. The updates help the servers remain protected against known security vulnerabilities.
Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices
After you enable the security features to help secure the communications between your client Windows Mobile-based devices and the Exchange front-end server, you also must protect the communications between the Exchange front-end server and the back-end servers. We recommend that you use Internet Protocol Security (IPSec) to encrypt IP traffic.
HTTP, IMAP, and POP communications between the front-end server and any server with which the front-end server communicates (such as back-end servers, domain controllers, and global catalog servers) are not encrypted. When the front-end and back-end servers are in a trusted physical or switched network, the absence of encryption is not a concern. However, if front-end and back-end servers are kept in separate subnets, network traffic may pass over unsecured areas of the network. The security risk increases when there is greater physical distance between the front-end servers and the back-end servers. In such cases, we recommend that this traffic be encrypted to protect passwords and data.
Using IPSec to Encrypt IP Traffic
Windows 2000 and Windows Server 2003 both support IPSec, which is an Internet standard that allows a server to encrypt all IP traffic except IP traffic that uses broadcast or multicast IP addresses. Generally, IPSec is used to encrypt HTTP traffic; however, you can also use IPSec to encrypt IMAP, Lightweight Directory Access Protocol (LDAP), POP, and RPC traffic. With IPSec, you can:
Configure two servers that are running Windows 2000 or Windows Server 2003 to require trusted network access.
Use a cryptographic checksum on every packet to transfer data that is protected from modification.
Encrypt, at the IP layer, any traffic between the two servers.
In a front-end and back-end topology, you can use IPSec to encrypt traffic between the front-end and back-end servers that otherwise would not be encrypted.
For more information about configuring IPSec through a firewall, see How to Enable IPSec Traffic.
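The script below is an example added here, not part of the deployment guide, of the front-end/back-end policy described above built with the netsh ipsec static context of Windows Server 2003 (Windows 2000 uses ipsecpol.exe instead). It requires ESP for the HTTP, IMAP and POP traffic between one front-end and one back-end server; the addresses, names and the 3DES/SHA1 choice are assumptions, and the same policy must be assigned on both servers.

```batch
@echo off
rem Example added here (not from the deployment guide): require ESP encryption
rem for HTTP, IMAP and POP between one front-end and one back-end server.
rem Addresses are placeholders; assign the same policy on both servers.
set FE=192.0.2.10
set BE=198.51.100.20

netsh ipsec static add policy name="FE-BE Encrypt" description="Encrypt front-end to back-end traffic"

rem One filter list covering the unencrypted protocols; mirrored=yes also matches replies.
netsh ipsec static add filterlist name="FE-BE Traffic"
netsh ipsec static add filter filterlist="FE-BE Traffic" srcaddr=%FE% dstaddr=%BE% protocol=TCP srcport=0 dstport=80 mirrored=yes description="HTTP"
netsh ipsec static add filter filterlist="FE-BE Traffic" srcaddr=%FE% dstaddr=%BE% protocol=TCP srcport=0 dstport=143 mirrored=yes description="IMAP"
netsh ipsec static add filter filterlist="FE-BE Traffic" srcaddr=%FE% dstaddr=%BE% protocol=TCP srcport=0 dstport=110 mirrored=yes description="POP3"

rem action=negotiate with inpass=no and soft=no: never accept or fall back to cleartext.
rem ESP gives both encryption and the per-packet integrity check mentioned above.
netsh ipsec static add filteraction name="Require ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem Both servers are domain members, so authenticate the peers with Kerberos.
netsh ipsec static add rule name="Encrypt FE-BE" policy="FE-BE Encrypt" filterlist="FE-BE Traffic" filteraction="Require ESP" kerberos=yes

rem Assign the policy; "ipseccmd show sas" or the IP Security Monitor snap-in confirms the SAs.
netsh ipsec static set policy name="FE-BE Encrypt" assign=y
```

Traffic to domain controllers and global catalog servers (LDAP, RPC) follows the same pattern with a second filter list, but test it separately: IPSec peers authenticating with Kerberos must still be able to reach a domain controller to obtain their tickets.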