Relatively Concise Notes on Securing Exchange 2000 Servers and Active Directory Domain Controllers using Templates

These notes refer to the situation of installing a new Windows 2000 Active Directory (AD) domain controller (DC2) and Exchange 2000 server (EX4) into an existing AD/Exchange environment. The environment includes a strong commercial departmental firewall. Firewall rulesets will not be addressed.

The primary methodology is culled from the NSA's Guide to Securing Microsoft Windows 2000 Group Policy: Security Configuration Tool Set (http://nsa2.www.conxion.com/win2k/guides/w2k-3.pdf) and the NSA's Guide to the Secure Configuration and Administration of Microsoft Exchange 2000 (http://nsa2.www.conxion.com/win2k/guides/w2k-21.pdf), used in combination with Microsoft's Security Operations Guide for Windows 2000 Server (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/windows2000/staysecure/Default.asp) and Security Operations for Microsoft Exchange 2000 Server (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/mailexch/opsguide/default.asp).

Also used and blended were portions from the following Group Policy templates:

- Microsoft BaselineDC.inf (downloaded with the Security Operations Guides referenced above).
- Microsoft Exchange BackEnd Incremental.inf (also from the Operations Guides)
- NSA: w2k_server.inf (http://nsa2.www.conxion.com/win2k/guides/inf/w2k_server.inf) along with NSA supplied instructions for Exchange 2000 (see instructions: http://nsa2.www.conxion.com/win2k/download.htm)

The results of this effort are these (slightly) customized templates:

- For Exchange: SEWP_NSA_w2k_server_conf_for_exchange.inf
- For DCs: SEWP_BaselineDC.inf

The templates are applied via Group Policy at the OU level.

Further Background:

- The Outlook Web Access (OWA) architecture is two tier, front-end/back-end. The front-end server had previously been configured and is not in the scope of this document. Briefly though, the Security Operations for Microsoft Exchange 2000 Server guide was followed. The baseline.inf and OWA FrontEnd Incremental.inf templates were applied. IIS Lockdown was run using the OWA template with URLScan also being applied. An IPSEC policy was configured to allow only local domain activity (for NT Logons), 443 (SSL only), and a required ESP connection to each of the Exchange servers for port 80, providing full transport mode protection of the connection between the front-end and back-end servers.
- There are no downlevel clients in the environment (no 98 or NT). All clients are XP or 2000. Office software is predominately at XP level.

Exchange Server

Disk/Partition Security ACLs:

- Exchange was installed in its own Program Files directory on its own disk partition (E:).
- Exchange Log Files were placed on their own partition (F:, which is RAID 1).
- The Exchange DB files were placed on their own partition (G:, which is RAID 5).
- The following partition ACLs were set for E:, F:, and G:
    - System (Full Control)
    - LOCAL_EXCHANGE_MACHINE_NAME (Full Control)
    - Domain Admins (Full Control)
    - Authenticated Users (Read & Execute)

IPSEC Policy:

- Created the initial IPSEC ruleset by exporting, importing, and modifying a previously configured Exchange server IPSEC ruleset.
- Allows all local net connections for users, other Exchange servers, and domain controllers.
- Only accepts port 80 connections from OWA servers and requires this connection to be protected via ESP.
- Also updated a local Blackberry Enterprise server to have connectivity to this Exchange machine.
- Blocked all other access.

Exchange Configuration:

- Exchange installed on its own partition (E:).
- Installed SP3.
- Moved logs to their own partition (F:).
- Private and Public message stores moved to a separate partition (G:).
- SMTP server: renamed our sending domain to EX4.sewp.nasa.gov, defined a SMARTHOST to internet-facing-server.sewp.nasa.gov, and checked "Attempt direct delivery" so that mail to other local sewp_domain servers is direct.
- OWA: set up the sewpmail virtual directory, enabled Exchange Path, Mailboxes for sewp_domain.sewp.nasa.gov (access the whole domain, not just one server; required for OWA).
- Deletion Setting (Mailbox store property). Set/confirmed: Keep deleted items/15 days, Keep deleted mailboxes/30 days, checked "Do not permanently delete items/mailboxes until the store has been backed up".
- Message tracking enabled via server properties. Checked "Enable subject logging and display" and "Enable message tracking".
- Enabled SMTP extended logging: Date, Time, Client IP, User Name, Method, URI Query.
- Enabled Full Text indexing; configured the index to be at G:\ExchangeServer_EX4\Projects. Enabled to run updates at 20:00 daily. Used information on pp. 268-269 of the Exchange 2000 Server 24seven book.

Security Other:

- Virus Scanning: Version 6.2 of TrendMicro ScanMail for Exchange 2000. Configured for real time scan, and full stores scan nightly at 0400. Configured for virus definition update hourly.
- Backups: Until a 3rd party backup client is installed, NTBACKUP will be used. The Scheduler service was enabled to support backups. Note: since the Removable Storage service is disabled, NTBACKUP will generate a warning at startup. Make sure to check "Do not display message again" at least once to allow the scheduled backups to run. The initial target of system backups is a share in .
    - There is a 100GB partition available (RAID 5) for backups.
    - System backups will write to share Sysbackups$
    - Exchange backups will write to share Exbackups$
    - Only administrators have any access to these shares.
    - Whenever there is a significant system configuration change, a full system backup, titled fullsystemmmddyy.bkf, will be written to the Sysbackups$ share. Also, an Emergency Repair Disk (floppy) will be created.
    - Daily Exchange backups will be done Monday through Saturday. They are titled Ex4Storesxxx.bkf where xxx is Mon-Sat.
    - Daily System State backups are done Monday through Saturday. They are titled Ex4SSxxx.bkf where xxx is Mon-Sat.

Domain Controller

DC Configuration Steps:

- DCPromo
- Configured as a Global Catalog.
- Configured time services (in anticipation of being FSMO PDC Emulator master). Used the net time /setsntp: command. Also followed Q articles 216734 and 307937 to enable additional time logging (the default is minimal time logging of failures; these articles provide for extended logging including successful attempts).
- An internal DNS was configured with forwarding set up to external DNS.

IPSEC Policy:

- Created the initial IPSEC ruleset by exporting, importing, and modifying a previously configured domain controller IPSEC ruleset.
- Allows all local net connections for users, other Exchange servers, and domain controllers.
- Blocked all other access.

Templates

Changes to supplied templates are documented but are not guaranteed to be complete.

For Exchange: SEWP_nsa_w2k_server_conf_for_exchange.inf
SEWP modifications:

User Rights Assignment
    Access this computer from the network
        Add: Authenticated Users, Backup Operators, ENTERPRISE DOMAIN CONTROLLERS
    Manage auditing and security log
        Add: \Exchange Domain Servers

Local Policies/Security Options
    Number of previous logons to cache (in case domain controller is not available)
        3
    Shut down system immediately if unable to log security audits
        Disabled

System Services
    Iisadmin                               Automatic
    Imap4svc                               Disabled
    IPSEC Policy Agent                     Automatic
    msexchangees                           Disabled
    msexchangeIS                           Automatic
    msexchangemgmt                         Automatic
    msexchangemta                          Automatic
    msexchangesa                           Automatic
    msexchangesrs                          Disabled
    mssearch                               Automatic
    NT LM Security Support Provider        Automatic
    Pop3svc                                Disabled
    Remote Procedure Call (RPC) Locator    Automatic
    Resvc                                  Automatic
    SMTPSVC                                Automatic
    Task Scheduler                         Automatic
    TermService                            Automatic
    W3SVC                                  Automatic
    Windows Management Instrumentation     Automatic

For DCs: SEWP_BaselineDC.inf
SEWP modifications:

Local Policies/Security Options
    Digitally sign client communication (always)
        Disabled
    Digitally sign server communication (always)
        Disabled
    LAN Manager Authentication Level
        Send LM & NTLM - use NTLMv2 session security if negotiated

System Services
    IPSEC Policy Agent                     Automatic
    Print Spooler                          Automatic
    Task Scheduler                         Automatic
    TermService                            Automatic
    Windows Management Instrumentation     Automatic
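
The System Services table for the Exchange template can be checked mechanically against a template file. The following is an added example, not part of the original notes or of the SEWP templates: it parses the [Service General Setting] section of a security template (startup codes 2/3/4 for Automatic/Manual/Disabled) and reports every service that deviates from the table. Assumptions: services listed above by display name are keyed by their short names (PolicyAgent, NtLmSsp, RpcLocator, Schedule, WinMgmt), and the sample template text and its security descriptors are constructed.

```python
import csv

# Startup-mode codes used in a security template's [Service General Setting]
# section: 2 = Automatic, 3 = Manual, 4 = Disabled.
STARTUP = {"2": "Automatic", "3": "Manual", "4": "Disabled"}

# Exchange baseline from the System Services table, keyed by lower-cased name.
# Assumption: display names in the notes are mapped to service short names
# (PolicyAgent, NtLmSsp, RpcLocator, Schedule, WinMgmt).
A, D = "Automatic", "Disabled"
EXCHANGE_BASELINE = {
    "iisadmin": A, "imap4svc": D, "policyagent": A, "msexchangees": D,
    "msexchangeis": A, "msexchangemgmt": A, "msexchangemta": A,
    "msexchangesa": A, "msexchangesrs": D, "mssearch": A, "ntlmssp": A,
    "pop3svc": D, "rpclocator": A, "resvc": A, "smtpsvc": A,
    "schedule": A, "termservice": A, "w3svc": A, "winmgmt": A,
}

def parse_services(inf_text):
    """Return {service: startup mode} from [Service General Setting]."""
    services, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("["):                  # a new section begins
            in_section = line.lower() == "[service general setting]"
            continue
        if in_section:
            fields = next(csv.reader([line]))     # copes with the quoted SDDL
            if len(fields) >= 2:
                name, code = fields[0].strip().lower(), fields[1].strip()
                services[name] = STARTUP.get(code, "Unknown(%s)" % code)
    return services

def audit(inf_text, baseline=EXCHANGE_BASELINE):
    """List (service, expected, found) for every deviation from the baseline."""
    found = parse_services(inf_text)
    return sorted((svc, want, found.get(svc, "Not defined"))
                  for svc, want in baseline.items()
                  if found.get(svc, "Not defined") != want)

# Constructed sample template fragment (not the real SEWP template).
SAMPLE_INF = """\
[Service General Setting]
; name, startup mode, security descriptor
IISADMIN,2,"D:(A;;GA;;;BA)(A;;GA;;;SY)"
"Pop3svc",2,"D:(A;;GA;;;BA)(A;;GA;;;SY)"
Imap4svc,4,"D:(A;;GA;;;BA)(A;;GA;;;SY)"
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for svc, want, got in audit(SAMPLE_INF):
        print("%-16s expected %-10s found %s" % (svc, want, got))
```

Security templates are normally saved as Unicode, so when reading a real .inf from disk, decode it as UTF-16 before passing the text to audit().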