Locking down Exchange 2007
Hello,
We are being asked to make sure that our Exchange 2007 mailbox servers are locked down. We noticed that there are some shares called address and are open as read to everyone. Are they needed for Exchange 2007? What is their purpose? If yes, can they be hidden shares and locked down even more without affecting anything else?
September 19th, 2010 6:42pm
Please don't mess with default shares; you'll just break things. You are welcome to run the Exchange Security Configuration Wizard (SCW) as described here:
http://technet.microsoft.com/en-us/library/aa998208(EXCHG.80).aspx
You can learn more about securing Exchange 2007 by reading the Exchange 2007 Security Guide, here:
http://technet.microsoft.com/en-us/library/bb691338(EXCHG.80).aspx
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
September 19th, 2010 8:12pm
Those are created during the install. Old article:
http://support.microsoft.com/kb/147376
I don't see any reason to mess with them.
September 19th, 2010 8:24pm
I’ve taken a bit of time researching this and also only found the links above.
From what I can tell the shares aren’t used under normal conditions, but since I’m not sure I’d leave them alone too.
But it does make you wonder what they are for.
RUS is gone (one of the references to the share) and another reference was for a notes connector, which is also not likely used.
Anyone know what this share does in Exchange 2010?
Mike Crowley
September 19th, 2010 8:36pm
I understand we are not supposed to mess with things but that's not an answer people (management in this case) would like to hear. I need to let them know exactly why we should leave that share alone even though it's not being used in exchange 2007.
Or is it? If it's there in a pure Exchange 2007 environment then it must be shared for a reason? The question is what? Is the proxy address generator using it in Exchange 2007? If yes, can someone elaborate?
September 19th, 2010 11:06pm
Agreed. This essentially is my question as well. Ed and Andy, perhaps you could use your MVP powers to look at some internal stuff and figure out what these do? :)
I can't find anything online with a current justification in the 2007+ world.
Mike Crowley
September 20th, 2010 11:55am
Those dlls are shared so that 3rd party apps can generate addresses. Anything that isn't SMTP based is considered Custom and will need the appropriate dll to generate the address. Those need to match up with what is set for the Addressing types in AD
( Under the Config container Exchange Objects
So, that is why they still exist in 2007/2010. Sharing those directories allows for remote apps to generate the address by using the shared dlls. Note that they are localized versions of those files if you install the 2010 Complete Language. Hence the warning about letting them be. :)
Described here in more detail:
http://technet.microsoft.com/en-us/library/bb232171.aspx
In Exchange, all non-SMTP e-mail addresses are considered custom addresses. Exchange doesn't provide unique dialog boxes or property pages for X.400, GroupWise, or Lotus Notes e-mail address types. If you add a non-SMTP custom e-mail address, you must have the appropriate dynamic-link library (DLL) files. If you don't provide the appropriate DLL files, you won't be able to create a customized e-mail address policy. The following error will be logged in Event Viewer: "The e-mail address description object in the Microsoft Exchange directory for the 'SADF' address type on 'i386' machines are missing
September 20th, 2010 12:22pm
Thank you for the explanation. I would have loved to see an option during the setup which asks if you will be using any third party apps. If yes then you know that you will be sharing those directories (at your own risk :) ), if not then they will not be shared and everybody is happy...Maybe something for SP2???
September 20th, 2010 1:31pm
The permissions are read-only for authenticated users, so I don't think there are any security issues.
September 20th, 2010 1:42pm
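The share-level permissions mentioned above can be checked rather than assumed. The following is an added example, not code from any participant in this thread: it reads the share ACL over WMI and flags any Allow entry that grants more than Read. It assumes Windows PowerShell 2.0 or later, administrative rights on the server, and the share name `address` from the original question; the function name `Get-ShareAclReport` is made up for illustration.

```powershell
# Added example: report the share-level ACL of a share and flag
# Allow entries that grant more than Read.
function Get-ShareAclReport {
    param(
        [string]$ComputerName = 'localhost',  # placeholder; pass your mailbox server
        [string]$ShareName    = 'address'     # share name taken from the question
    )

    # Share-level "Read" as it appears in Win32_ACE.AccessMask (1179817)
    $ReadMask = 0x1200A9

    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
        -ComputerName $ComputerName -Filter "Name='$ShareName'"
    if (-not $setting) {
        throw "No share security setting found for '$ShareName' on $ComputerName"
    }

    $descriptor = $setting.GetSecurityDescriptor().Descriptor

    foreach ($ace in $descriptor.DACL) {
        $trustee = $ace.Trustee.Name
        if ($ace.Trustee.Domain) {
            $trustee = "$($ace.Trustee.Domain)\$trustee"
        }

        # AceType: 0 = Allow, 1 = Deny
        $type = 'Deny'
        if ($ace.AceType -eq 0) { $type = 'Allow' }

        # Any bit outside the Read mask means Change or Full Control rights
        $beyondRead = ($type -eq 'Allow') -and
                      (($ace.AccessMask -bor $ReadMask) -ne $ReadMask)

        New-Object PSObject -Property @{
            Share        = $ShareName
            Trustee      = $trustee
            AceType      = $type
            AccessMask   = ('0x{0:X}' -f $ace.AccessMask)
            MoreThanRead = $beyondRead
        }
    }
}

# Entries that should be reviewed before reporting the share as read-only
Get-ShareAclReport | Where-Object { $_.MoreThanRead }
```

Effective access is the more restrictive of the share ACL and the NTFS ACL on the underlying folder, so the folder's file-system permissions should be reviewed alongside this output.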
Thanks Andy! I was looking for articles with the shared path in them, but that note was a good find.
An article discussing all data shares and their purposes (not just presence) would be a good idea!
Mike Crowley
September 20th, 2010 9:15pm
On Mon, 20 Sep 2010 17:40:08 +0000, AndyD_ wrote:
>The permissions are read-only for authenticated users, so I don't think there is any security issues.
IIRC, the contents of the "address" directory/share are replicated
between the servers. Adding a new address type, or updating an
existing one, is only necessary on one server -- the others will
receive the addition/update too.
---
Rich Matheisen
MCSE+I, Exchange MVP
September 20th, 2010 10:04pm