Protecting Exchange 2003 Using the Windows Firewall
Windows XP SP2 introduced a security overhaul for the Microsoft client operating system. It actually became a new operating system with almost all of the code changed. A lot of the coding and testing effort went into creating the Windows Firewall, Microsoft's version of a personal firewall. A personal firewall is a piece of software that filters incoming and/or outgoing TCP/IP activity for a single workstation by using a special network driver.
Granted, there were and still are a lot of personal firewalls around. These firewalls had always been a big headache for support centers since more often than not they would break a crucial application or prevent access to important resources. Also, sometimes when Microsoft released patches and service packs the personal firewall would break.
Microsoft initially provided for Windows XP a very limited port filtering option called Internet Connection Filtering which blocked access from the Internet unless it had been initiated by the user. Windows 2000/3 had a more advanced port filtering option which was hardly used due to severe limitations.
The new Windows Firewall was meant to be easy to use and yet flexible enough to not disturb productivity. It was specifically designed with the enterprise in mind allowing computers and users to log in to the domain before restricting ports. It also had an option for central configuration using Group Policy.
The outbreak of viruses and the misuse of corporate networks by using P2P applications that use typically open ports (such as port 80) meant that implementing the Windows Firewall throughout an organization became a valid option, especially for companies where security is a high priority.
Windows 2003 SP1 is the first Microsoft server operating system that has its own personal firewall, which essentially is very much like the Windows XP SP2 version.
This article aims to provide an overview of protecting Exchange server using the personal firewall. This can become a valid choice for servers hosted at an ISP, remote branch offices that have no corporate firewall and for companies willing to take the time to increase security internally.
Windows Firewall Interface
The Windows Firewall, when activated, blocks all TCP/IP ports. You can open ports by specifying the port number or you can allow access to an application on all ports.
You can also decide the "Scope" when unblocking a port or an application to limit connectivity using a network and a subnet mask.
You also have some common services already defined and ready for use. For an Exchange server, for example, you would typically open the SMTP port if it is meant to receive e-mail from the Internet.
In the above configuration I opened HTTPS (port 443) to allow Outlook Web Access connectivity to the server.
Logging is naturally the second most important thing for a firewall after blocking connections.
The Security Configuration Wizard (SCW)
Windows 2003 SP1 provides a handy wizard which simplifies allowing access to server applications. It also does some basic operating system hardening and allows you to disable unnecessary services.
SCW is not installed by default when you install Windows 2003 SP1 so in order to run it you need to add it from the Control Panel "Add or Remove Programs" applet.
You can run it from the Administrative Tools folder or by typing SCW in the Run dialog box or the command prompt.
The following step is crucial because it determines open ports.
As you can see Windows uses quite a lot of ports. In this case all of these ports were selected because my test server is also a Domain Controller.
If Exchange is not installed in the default location ("%program files%\exchsrvr") you will have to help SCW find the location of the Exchange executables by adding it manually.
This issue is covered by the following Microsoft KB Article:
SCW adds inbound access to all the ports for which Exchange listens. So basically, after running SCW, you might find that your server is not that much protected even though a few ports are closed. In order to make your server more secure you can limit inbound connectivity to certain IP addresses by selecting the "Advanced" option and entering the allowed subnets.
Limiting Outlook Used Ports
So, after running SCW in the manner described in the previous section you will have opened Exchange to the internal network. But what about opening it to the Internet or another external network for Outlook use?
To do this you can implement RPC over HTTP (which uses a single port, 443) or limit regular RPC connectivity to the server.
RPC uses multiple ports. Since the Windows Firewall doesn't allow you to define a range of ports you need to restrict port access to Exchange on the server side using the registry.
You can use Microsoft KB article 270836 to do this:
Then you can open the required ports to the Internet using either SCW or the Windows Firewall applet.
Configuring Multiple Servers
The SCW settings are saved in an XML file. You can use this file to apply settings to multiple servers.
Alternatively, you can group all your Exchange servers in to a single OU and define a group policy for them.
The Windows 2003 SP1 Firewall, SCW and Group Policy options provide you with various ways for securing your Exchange 2003 server using a mixture of rules distinguishing between internal and external connections.
It is not meant to replace the corporate firewall but as shown in the article can be a handy, flexible and accurate second layer defense and might thwart some internal TCP/IP based attacks.