442 Chapter 7 • Managing the Edge Transport Server

NOTE
The SCW can also be used to lock down the other Exchange 2007 server roles as well as Exchange 2003 front-end and back-end servers. Whether you want to do so depends on how aggressive the security policies are in your organization.

Outlook Junk E-Mail Filtering

When a message has been through all the filtering agents, it is finally delivered to the recipient's mailbox, where the Outlook Junk E-Mail Filter takes the appropriate action depending on the message's SCL rating. If the SCL rating is equal to or greater than the SCL Junk E-Mail folder threshold, which is specified on the Content Filtering Properties page, the message is moved to the Junk E-Mail folder in the recipient's mailbox.

Securing the Edge Server Using the Windows 2003 Security Configuration Wizard (SCW)

Because the Edge Transport server is located in the perimeter network (the DMZ or screened subnet), it is much more exposed to attack than the other Exchange 2007 server roles on the internal network. It is therefore highly recommended, and a best practice, to lock the Edge Transport server role down into as tight a state as possible.

You can lock down the Edge Transport server with the Security Configuration Wizard (SCW), a tool for reducing the attack surface of computers running Windows Server 2003 R2 or Windows Server 2003 with Service Pack 1 (SP1) or later applied. The SCW makes locking down the Edge Transport server a relatively easy and simple process, since you can do it entirely from the SCW GUI wizard.

you can reduce the amount of spam using different filters, mechanisms, and the like. Comparing the content of the document with the features included in the Edge Transport server role, you will notice that most of them have been implemented in Exchange Server 2007.

To lock down the Edge Transport server with the SCW, you first need to install the component.
On the Edge Transport server, click Start | Control Panel | Add or Remove Programs, then click Add/Remove Windows Components. Tick the Security Configuration Wizard component and click Next (see Figure 7.50). When the component has been installed successfully, click Finish.

You now need to register the Exchange 2007 SCW extension file, which is located in the Scripts directory under C:\Program Files\Microsoft\Exchange Server (or whatever the path to your Exchange installation is). This is done with the scwcmd register command, so open a command prompt window, type the following, and press Enter (see Figure 7.51):

scwcmd register /kbname:MSExchangeEdge /kbfile:"C:\Program Files\Microsoft\Exchange Server\scripts\Exchange2007.xml"

Figure 7.50 Adding the Security Configuration Wizard Component

Figure 7.51 Registering the Exchange 2007 SCW Extension File

Now that the Exchange 2007 SCW extension file has been registered, you can launch the SCW. This is done by clicking Start | Administrative Tools | Security Configuration Wizard. Then follow these steps:

1. On the Welcome to Security Configuration Wizard page, click Next.
2. Since you're going to create a new security policy, select Create a new security policy and click Next (see Figure 7.52).

Figure 7.52 Creating a New Security Policy

3. The NetBIOS name of the Edge Transport server will be pre-entered on the next page. Since you're going to apply the security policy to this server, leave it as it is and click Next.
4. When the security configuration database has been processed, click the View Configuration Database button.
If the Exchange Server 2007 SCW extension file has been registered properly, you should see an entry for the Edge Transport server role as well as for the other Exchange 2007 server roles in the SCW Viewer, as shown in Figure 7.53.

Figure 7.53 SCW Viewer

NOTE
If you don't see any entries for the Exchange 2007 server roles in the SCW Viewer, try running the scwcmd register command again. If they still don't show up, check the SCWRegistrar_log.xml file (located in the %windir%\security\msscw\logs directory) for any issues.

5. If you do see entries for the Exchange 2007 server roles in the SCW Viewer, close the viewer and click Next.
6. On the Role-Based Service Configuration page, click Next.
7. Now choose Selected roles in the drop-down box, uncheck all roles except Exchange 2007 Edge Transport, as shown in Figure 7.54, and click Next.

Figure 7.54 Selecting the Edge Transport Server Role

8. On the Select Client Features page, leave the default settings untouched; under normal circumstances you don't need to change them, since they are selected based on the roles you chose earlier in the SCW. Click Next.
9. On the Select Administration and Other Options page, leave the default settings untouched. (As in step 8, these are selected based on the role chosen earlier in the SCW.) Click Next.
10. Now you'll get a list of additional services the SCW found on the server while it processed the security configuration database. When installing the Edge Transport server in a production environment, take your time and examine every service listed on this page, then decide whether each one is required or not. If a service is not required, or you're unsure, I suggest that you uncheck it (you can always enable it again, should it turn out to be required) and click Next.
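The registration and service-review steps above are done by hand in the GUI. The following PowerShell script is an added example, not code from the book or from Microsoft, that scripts the parts worth making repeatable: it runs the same scwcmd register command, checks the SCWRegistrar_log.xml file the NOTE points you to, records every service and its start mode before the wizard runs so the step 10 choices can be diffed afterwards, and verifies that the locked-down server still answers on SMTP. It assumes Exchange 2007 is installed under %ProgramFiles%\Microsoft\Exchange Server, that the SCW component is already installed, and that it is run from an elevated PowerShell 1.0 prompt on the Edge Transport server; the baseline file names, the policy file name EdgePolicy.xml and the text-match check on the registrar log (whose schema is not documented here) are assumptions.

```powershell
# Added example, not from the book or from Microsoft. Assumes: Windows Server
# 2003 SP1+ with the SCW component installed (scwcmd.exe present), Exchange
# 2007 installed under %ProgramFiles%\Microsoft\Exchange Server, and an
# elevated PowerShell 1.0 prompt on the Edge Transport server itself.

$KbName = "MSExchangeEdge"
$KbFile = Join-Path $env:ProgramFiles "Microsoft\Exchange Server\scripts\Exchange2007.xml"
$ScwLog = Join-Path $env:windir "security\msscw\logs\SCWRegistrar_log.xml"
$ScwCmd = Join-Path $env:windir "system32\scwcmd.exe"

# Step 1: register the Exchange SCW extension (the same command as in the text),
# failing loudly if a prerequisite is missing or scwcmd returns an error.
function Register-ExchangeScwExtension {
    if (-not (Test-Path $ScwCmd)) {
        throw "scwcmd.exe not found: add the Security Configuration Wizard Windows component first"
    }
    if (-not (Test-Path $KbFile)) {
        throw "Extension file not found: $KbFile"
    }
    & $ScwCmd register /kbname:$KbName /kbfile:"$KbFile"
    if ($LASTEXITCODE -ne 0) {
        throw "scwcmd register returned exit code $LASTEXITCODE; see $ScwLog"
    }
}

# Step 2: sanity-check the registrar log. Its schema is not documented here, so
# this is a text heuristic (assumption): the registered kbname should appear and
# no line should mention an error. Select-String is case-insensitive by default.
function Test-ScwExtensionRegistered {
    if (-not (Test-Path $ScwLog)) { return $false }
    $lines = Get-Content $ScwLog
    $named = @($lines | Select-String -SimpleMatch $KbName)
    $bad   = @($lines | Select-String -Pattern "error")
    return ($named.Count -gt 0 -and $bad.Count -eq 0)
}

# Step 3: record every service with its start mode before running the wizard,
# so the "additional services" choices in step 10 can be diffed afterwards.
# Win32_Service exposes StartMode (Auto/Manual/Disabled); Get-Service does not.
function Get-ServiceBaseline {
    Get-WmiObject Win32_Service |
        Sort-Object Name |
        ForEach-Object { "{0}`t{1}`t{2}" -f $_.Name, $_.StartMode, $_.State }
}

function Save-ServiceBaseline([string]$Path) {
    Get-ServiceBaseline | Set-Content -Path $Path
}

# Lines prefixed "=>" exist only in the after-file, "<=" only in the before-file,
# so a service that the SCW disabled shows up as one "<=" and one "=>" line.
function Compare-ServiceBaseline([string]$Before, [string]$After) {
    Compare-Object (Get-Content $Before) (Get-Content $After) |
        ForEach-Object { "{0} {1}" -f $_.SideIndicator, $_.InputObject }
}

# Step 4: after the policy is applied, prove the server still accepts SMTP.
# A locked-down Edge server that no longer listens on TCP 25 is not hardened,
# it is down. Uses a raw TcpClient because PowerShell 1.0 has no Test-NetConnection.
function Test-TcpPort([string]$ComputerName, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    $connected = $false
    trap { continue }   # connection refused / timed out: fall through with $false
    $client.Connect($ComputerName, $Port)
    $connected = $client.Connected
    $client.Close()
    return $connected
}

# Usage, in order (file names are assumptions):
Register-ExchangeScwExtension
if (-not (Test-ScwExtensionRegistered)) { Write-Warning "Registration not confirmed; inspect $ScwLog" }
Save-ServiceBaseline "C:\scw-services-before.txt"
# Now run the SCW GUI as described above and apply the policy (or apply a saved
# policy with: & $ScwCmd configure /p:C:\EdgePolicy.xml), reboot, then run:
# Save-ServiceBaseline "C:\scw-services-after.txt"
# Compare-ServiceBaseline "C:\scw-services-before.txt" "C:\scw-services-after.txt"
# Test-TcpPort "localhost" 25    # SMTP must still answer; if not, undo with: scwcmd rollback /m:<server>
```

Keep the before/after baseline files with the change record for the server: the diff is the evidence of exactly which services the SCW disabled, and scwcmd rollback reverts the most recently applied policy if the SMTP check fails.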