10.9. Disabling Unnecessary Exchange Services
Problem
You want to minimize the attack surface of your Exchange servers by disabling unnecessary services.
Solution
Using a graphical user interface
Log in to the target Exchange server using an account with administrative privileges.
Open the Services snap-in (services.msc).
Check Table 10-2 for services that you need for your server type (Exchange 2000 or Exchange Server 2003) and role (front- or back-end server).
For each service in the table, verify that its startup type is set appropriately.
Table 10-2. Service settings for Exchange front- and back-end servers
Service name | Short name | Enabled on FE? | Enabled on BE? | Notes |
|---|---|---|---|---|
Microsoft Exchange Information Store | MSExchangeIS | Maybe | Yes | The IS is required for servers that serve mailboxes, but it's also required for SMTP bridgeheads so they can generate and process NDRs. |
Microsoft Exchange System Attendant | MSExchangeSA | Maybe | Yes | The SA is required to do any sort of Exchange management. You can disable it on the FE, but you'll need to reenable it before you can make changes to the server's ettings via ESM. |
IIS Admin Service | IISAdmin | Maybe | Yes | Required if you're using IMAP, POP, Web, SMTP, NNTP, or well as the routing service; can be disabled otherwise. |
FTP Publishing Service | FTPSvc | No | No | Not installed by default on Windows 2003. Don't ever enable this unless you're running an FTP server. |
World Wide Web Publishing Service | W3SVC | Maybe | Yes | The W3SVC is required for web access via OWA, OMA, or EAS. |
HTTP SSL | HTTPFilter | Yes | Yes | This service ... |
Get Exchange Server Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
