Microsoft KB Archive/824111

= Security Setting Changes and Updates That Are Introduced in Exchange Server 2003 =

Article ID: 824111

Article Last Modified on 10/25/2007

-

APPLIES TO


 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition

-



SUMMARY
This article discusses some of the changes to security settings that are introduced in Microsoft Exchange Server 2003. Exchange 2003 includes many security-related updates and changes that are designed to help make it more secure than previous versions of Microsoft Exchange Server.



Organization-Level Settings
==== Microsoft Outlook Mobile Access Browse Functionality Is Disabled ====

The setting that enables or disables the Outlook Mobile Access browse functionality is set throughout the Exchange Server organization during the Exchange 2003 forest preparation operation (when you run the setup /forestprep command). By default, during the ForestPrep portion of Setup, Outlook Mobile Access browse functionality is disabled. However, if the browse functionality was already enabled, running setup /forestprep again (for example, during a reinstallation) leaves it enabled.

This means that Outlook Mobile Access browse functionality is not enabled when you run setup /forestprep to upgrade from Microsoft Exchange 2000 Server. However, if the browse functionality was already enabled, it remains enabled when you run setup /forestprep to upgrade from a previous version or a beta version of Exchange 2003.

To determine if the Outlook Mobile Access browse functionality is enabled:

1. Start Exchange System Manager.
2. Under your organization, expand Global Settings, right-click Mobile Services, and then click Properties.
3. Under Outlook Mobile Access, look at the Enable Outlook Mobile Access check box. If the check box is selected, Outlook Mobile Access browse functionality is enabled. If this check box is not selected, Outlook Mobile Access browse functionality is not enabled.

Note By default, Exchange ActiveSync and Always-up-to-date Notifications settings are not disabled during Setup.

==== Maximum Message Size Limit Is Set to 10 Megabytes Throughout the Exchange Organization ====

When you install the first Exchange 2003 computer in an organization, the Sending message size and Receiving message size options are set to a maximum of 10,240 kilobytes (10 megabytes) if these values were not previously configured. This means that when you upgrade to Exchange 2003 from Microsoft Exchange 2000 Server, or when you reinstall Exchange 2003, the global message size restriction is set to 10 megabytes if another setting is not already configured. If a message size restriction is already configured, that value is preserved. To view the message size restrictions:

1. Start Exchange System Manager.
2. Under your organization, expand Global Settings, right-click Message Delivery, and then click Properties.
3. Click the Defaults tab.

For additional information about an issue you may experience when you configure message size limits, click the following article number to view the article in the Microsoft Knowledge Base:

298572 XADM: An E-Mail Message That Is Larger Than the Outgoing or the Incoming Message Size Limit Is Not Delivered

If you configure too large a message size limit, you may experience a problem where a very large e-mail message causes Exchange 2003 to temporarily stop responding. For example, if you send an e-mail message that is 81 megabytes, Exchange 2003 may temporarily stop responding.

==== Permissions to Create Top-Level Public Folders Are Removed for the Everyone and the Anonymous Logon Security Groups ====

The Exchange 2003 forest preparation operation (when you run the setup /forestprep command) removes the Create top level public folder Allow permission for the Everyone and the Anonymous Logon groups from the Exchange organization container. Other access control entries (ACEs) are not changed. For additional information about a problem that may occur when you install Exchange 2000 Server in an organization, click the following article number to view the article in the Microsoft Knowledge Base:

822576 "Allow Create Top Level Public Folder" Access Control Entry for the Exchange Organization Container Unexpectedly Includes the Everyone and the Anonymous Logon Groups


Server-Level Settings
==== The POP3, IMAP4, and NNTP Cluster Resources Are Not Automatically Created When You Create a New Exchange Virtual Server ====

In previous versions of Microsoft Exchange, when you created an Exchange virtual server, the Post Office Protocol 3 (POP3) and the Internet Message Access Protocol 4 (IMAP4) cluster resources were also created. Because these services are not enabled in the default Exchange 2003 installation, the resources are not automatically created. To create these resources, you must manually enable the services and then start the corresponding service on the cluster node. You can then create the resource by using the Cluster Administrator utility.

Note Upgrades of existing Exchange virtual servers do not change these cluster resources. Additionally, Network News Transfer Protocol (NNTP) is not supported on a server cluster. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

259197 Status of Exchange 2000 Server and Exchange Server 2003 Components on a Server Cluster

==== Members of the Domain Users Security Group Are Denied the Allow Log on Locally Right on an Exchange 2003 Computer ====

By default, when you install Exchange 2003, members of the Domain Users group are denied the Allow log on locally right on that computer. Members of the Domain Users group already cannot log on locally to a domain controller; this restriction is extended to include member servers where Exchange 2003 is installed. This change applies to new installations, to upgrades, and to reinstallations of Exchange 2003. Members of the Backup Operators group, the Administrators group, and other security groups that have greater privileges can still log on locally. This change is made during Exchange 2003 Setup by removing the local (built-in) Users security group from the Allow log on locally policy. To view this policy:

1. Click Start, click Run, type gpedit.msc in the Open box, and then click OK.
2. Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
3. In the right pane, double-click Allow log on locally.
4. View the users and the groups that appear in the Allow log on locally box.

==== Access Control Entries Are Copied from the Program Files Folder When You Install Exchange Server 2003 ====

When you install Exchange 2003 as a stand-alone server or on a cluster node, the permissions on the Exchange installation folder (by default, C:\Program Files\Exchsrvr) are copied from the parent Program Files folder. If you install Exchange 2003 to a location other than the Program Files folder, the permissions are still copied from the Program Files folder to the Exchange installation folder. Because of this, if you grant the Allow log on locally right to users who are not administrators, such as members of the Domain Users security group, these users are permitted access to sensitive information in the Exchsrvr installation folder(s). For example, they may be able to view sensitive information in the Mailroot\ \BadMail, PickUp, or Queue folders.
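The two settings just described interact: Setup removes the built-in Users group from Allow log on locally precisely because the ACL copied from Program Files would otherwise let non-administrators read the Mailroot folders. The following PowerShell script is an added example (not part of this article or of Exchange Setup) that audits both sides on a server: it exports the local security policy with secedit.exe to list who holds SeInteractiveLogonRight, then scans the Exchsrvr folder and each BadMail, PickUp and Queue folder under Mailroot for Allow entries granted to broad groups. It assumes an elevated prompt on the Exchange server, the default installation path C:\Program Files\Exchsrvr named in the article, and that the per-virtual-server folder name under Mailroot (elided in the article) is discovered rather than hard-coded.

```powershell
# Added example; not from KB 824111 or from Exchange Setup.
# Part 1: who holds "Allow log on locally" (SeInteractiveLogonRight) on this server.
function Get-LocalUserRightHolders {
    param([string]$RightName = 'SeInteractiveLogonRight')

    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [Guid]::NewGuid())
    try {
        # Export only the User Rights area of the local security database.
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        if (-not (Test-Path $inf)) { throw 'secedit export failed (run as administrator)' }

        # The [Privilege Rights] section holds lines such as
        #   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
        $line = Get-Content $inf |
            Where-Object { $_ -match ('^' + [regex]::Escape($RightName) + '\s*=') } |
            Select-Object -First 1
        if (-not $line) { return @() }          # right not assigned to anyone

        $value = ($line -split '=', 2)[1]
        @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
    finally {
        if (Test-Path $inf) { Remove-Item $inf -Force }
    }
}

function Convert-SidToName {
    param([string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }                            # orphaned or non-SID entry: show it raw
}

# Groups whose members are not administrators; Setup removes BUILTIN\Users (S-1-5-32-545).
$broadSids = 'S-1-5-32-545', 'S-1-5-11', 'S-1-1-0'    # Users, Authenticated Users, Everyone
$holders = Get-LocalUserRightHolders 'SeInteractiveLogonRight'
$flagged = @($holders | Where-Object { $broadSids -contains $_ -or $_ -like 'S-1-5-21-*-513' })  # -513 = Domain Users

'Allow log on locally is held by:'
$holders | ForEach-Object { '  {0} ({1})' -f (Convert-SidToName $_), $_ }
if ($flagged.Count -gt 0) {
    'WARNING: non-administrator groups can log on locally: ' + (($flagged | ForEach-Object { Convert-SidToName $_ }) -join ', ')
} else {
    'OK: only privileged groups hold the right (the Exchange 2003 Setup default).'
}

# Part 2: Allow entries on Exchsrvr and on the Mailroot message folders that grant
# broad groups the right to read file data (ReadData bit = 1; FullControl includes it).
# Inherit-only entries expressed as generic rights are not expanded here.
function Get-BroadReadEntries {
    param([string]$Path)
    $broadNames = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($broadNames -contains $_.IdentityReference.Value -or $_.IdentityReference.Value -like '*\Domain Users') -and
        (([int]$_.FileSystemRights) -band 1) -ne 0
    }
}

$exchsrvr = Join-Path $env:ProgramFiles 'Exchsrvr'   # default path from the article; adjust if installed elsewhere
$mailroot = Join-Path $exchsrvr 'Mailroot'
if (-not (Test-Path $exchsrvr)) { throw "Exchsrvr not found at $exchsrvr" }

"Broad read entries on $exchsrvr (copied from $env:ProgramFiles by Setup):"
Get-BroadReadEntries $exchsrvr | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Each SMTP virtual server has its own folder under Mailroot containing BadMail, PickUp and Queue.
Get-ChildItem $mailroot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    foreach ($sub in 'BadMail', 'PickUp', 'Queue') {
        $folder = Join-Path $_.FullName $sub
        if (Test-Path $folder) {
            $hits = @(Get-BroadReadEntries $folder | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
            if ($hits.Count -gt 0) { "EXPOSED: $folder is readable by $($hits -join ', ')" }
            else { "OK:      $folder" }
        }
    }
}
```

A folder is only exposed when both findings coincide: a broad group with read access on the folder and that same group holding the logon right. If a domain Group Policy object defines Allow log on locally, it overrides the local setting that secedit reports, so confirm the effective value with gpresult or the Resultant Set of Policy snap-in before relying on the first part of the output.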

Note This issue also applies when you install Microsoft Mobile Information Server (MIS). Authenticated users who are permitted to log on locally to the server can view information in the PickUp folder.

==== A Global Event Object Has a Null Discretionary Access Control List ====

A security descriptor is created with a null discretionary access control list (DACL), and a security attributes structure is configured to point to it. An event object is then created by using these security attributes. A null DACL places no access restrictions on the object, so any user who can log on to the computer can open it with full access. Therefore, if you grant the Allow log on locally right to users who are not administrators (such as members of the Domain Users security group), the potential exists for a malicious user to change the DACL of the object and interfere with its use.

==== The POP3, IMAP4, and NNTP Services Are Disabled on the Server ====

By default, in a new Exchange 2003 installation, the Exchange POP3 service, the IMAP4 service, and the Network News Transfer Protocol (NNTP) service are set to Disabled. When you upgrade to Exchange 2003 or reinstall Exchange 2003, the previous state of these services is preserved.

Storage Group-Level Settings
==== Maximum Public Folder Item Size Limit Is Set to 10 Megabytes for Each Public Folder Store ====

When you install Exchange 2003, the Maximum item size (KB) option is set to 10,240 kilobytes (10 megabytes). If you upgrade to Exchange 2003, or if you reinstall Exchange 2003, this option is set to 10,240 only if it was not already assigned another value. If this option was configured before you upgraded to, or reinstalled, Exchange 2003, the previous value is not changed. This setting also affects new MAPI and Application public folder stores that you create by using Exchange System Manager. The Maximum item size (KB) value is stored in the messageSizeLimit attribute on each public folder store object in the Microsoft Active Directory directory service.
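Both the public folder item size limit described here and the top-level public folder permission change described under the organization-level settings live in the configuration partition of Active Directory, so they can be verified without opening Exchange System Manager. The following PowerShell script is an added example (not part of this article): it looks up the "Create top level public folder" extended right, reports any Allow ACE on the Exchange organization container that still grants it to Everyone or Anonymous Logon (the entries that ForestPrep removes), and then reads messageSizeLimit from every public folder store object and compares it with the 10,240 KB default. Assumptions: the script runs on a domain member with read access to the configuration naming context; the organization container is the object of class msExchOrganizationContainer under CN=Services, and public folder stores are objects of class msExchPublicMDB; the extended right is located by its displayName, which is assumed to be exactly the string shown.

```powershell
# Added example; not from KB 824111. Reads Exchange organization settings from AD.
function Find-AdObjects {
    param([string]$SearchBase, [string]$Filter, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter = $Filter
    $searcher.PageSize = 200                          # page results so large orgs are not truncated
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    $searcher.FindAll()
}

$configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext

# 1. GUID of the extended right (displayName is an assumption; see lead-in).
$right = Find-AdObjects "CN=Extended-Rights,$configNc" `
    '(&(objectClass=controlAccessRight)(displayName=Create top level public folder))' @('rightsGuid') |
    Select-Object -First 1
if (-not $right) { throw 'Extended right not found; check the displayName filter' }
$rightGuid = [Guid]$right.Properties['rightsguid'][0]   # SearchResult property names are lower-case

# 2. Organization container and its ACL.
$org = Find-AdObjects "CN=Services,$configNc" '(objectClass=msExchOrganizationContainer)' @('distinguishedName') |
    Select-Object -First 1
if (-not $org) { throw 'No Exchange organization container found' }
$orgDn = [string]$org.Properties['distinguishedname'][0]
$orgEntry = [ADSI]"LDAP://$orgDn"

$extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$rules = $orgEntry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$leftover = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.IdentityReference.Value -eq 'S-1-1-0' -or $_.IdentityReference.Value -eq 'S-1-5-7') -and  # Everyone, Anonymous Logon
    (([int]$_.ActiveDirectoryRights) -band $extendedRight) -ne 0 -and
    ($_.ObjectType -eq $rightGuid -or $_.ObjectType -eq [Guid]::Empty)   # this right, or all extended rights
})
"Organization container: $orgDn"
if ($leftover.Count -gt 0) {
    'WARNING: Create top level public folder is still allowed for: ' +
        (($leftover | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
} else {
    'OK: neither Everyone nor Anonymous Logon can create top-level public folders.'
}

# 3. messageSizeLimit on every public folder store (value in KB; absent means no limit).
foreach ($store in (Find-AdObjects $orgDn '(objectClass=msExchPublicMDB)' @('cn', 'messageSizeLimit'))) {
    $name = [string]$store.Properties['cn'][0]
    if ($store.Properties.Contains('messagesizelimit')) {
        $limit = [int]$store.Properties['messagesizelimit'][0]
        $verdict = if ($limit -eq 10240) { 'default (10 MB)' } elseif ($limit -lt 10240) { 'stricter than default' } else { 'larger than default' }
        '{0}: Maximum item size = {1} KB [{2}]' -f $name, $limit, $verdict
    } else {
        '{0}: no maximum item size configured' -f $name
    }
}
```

The ACE check deliberately also matches an Allow entry whose ObjectType is the empty GUID, because such an entry grants every extended right, including this one, and would not be caught by matching the specific right alone.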

Protocol-Level Settings
==== Basic Authentication for the POP3 and IMAP4 Exchange Virtual Servers Is Enabled ====

By default, basic authentication (Basic_Auth) is enabled for the POP3 and IMAP4 Exchange virtual server instances in a new installation. However, when you upgrade to Exchange 2003, you experience the following:

 * On an Exchange back-end server, the available authentication methods in the Exchange POP3 and IMAP4 virtual server instances do not change.
 * On an Exchange front-end server, the authentication methods in the Exchange POP3 and IMAP4 virtual server instances are configured as follows:
   * Anonymous authentication (Anon_Auth): Disabled
   * Basic authentication (Basic_Auth): Enabled
   * Integrated Windows authentication (NT_Auth): Disabled

This applies to the default Exchange virtual server instances and to virtual server instances that you create by using the Exchange System Manager utility. However, Exchange virtual server instances that you created before you upgrade to Exchange 2003, or virtual server instances that you create before you reinstall Exchange 2003, are not modified. An exception is an Exchange front-end server, as noted previously.

==== Basic Authentication for the Exchange NNTP Virtual Server Is Enabled ====

By default, basic authentication (Basic_Auth) is enabled for an Exchange NNTP virtual server instance in a new installation. Authentication methods for the default Exchange NNTP virtual server are as follows:

 * Anonymous authentication (Anon_Auth): Disabled
 * Basic authentication (Basic_Auth): Enabled
 * Integrated Windows authentication (NT_Auth): Enabled

When you upgrade to Exchange 2003 or reinstall Exchange 2003, the default NNTP virtual server instance is always modified. Other Exchange NNTP virtual server instances that you create are not modified during an upgrade or a reinstallation of Exchange 2003. Additionally, if you remove Exchange 2003, integrated Windows authentication (NT_Auth) is disabled. This occurs because Network News Transfer Protocol (NNTP) is a Windows component and not part of Exchange 2003.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

818474 Overview of Security-Enhanced Settings in the Default Configuration of Exchange Server 2003

Additional query words: XCCC autd EVS VSI ACE

Keywords: kbinfo KB824111

-


© Microsoft Corporation. All rights reserved.