Showing posts with label Forefront Protection Management Console for Exchange 2010. Show all posts

26 November 2013

Tightening Exchange Server 2010 security

Here's a quick checklist to tighten the security of Exchange Server 2010.
The full article can be found here:

Don’t overlook these Exchange security vulnerabilities

Gaps in the patching process
Weak passwords
Leaving private data in public folders
Outlook Web Access and Outlook Web App
SMTP and POP3 access
Shared Exchange administrator accounts

Defending Exchange Server 2010 with native security tools

Transport security in Exchange 2010
Protecting Exchange 2010 users from spoofing
Exchange Server 2010 and Active Directory integration
Role Based Access Control (RBAC) in Exchange 2010
Client access server vulnerabilities
Protecting Exchange Server 2010 with ForeFront

Exchange Server 2010 post-deployment security checklist


All about Forefront Protection 2010 for Exchange


Custom email filtering with Forefront Protection 2010 for Exchange


Exchange wildcard certificates: Do the benefits outweigh the risks?


Responding to Outlook Web App 2010 security concerns

Addressing Outlook Web App 2010 security concerns
Public access security in OWA 2010

Information Rights Management protection in Exchange 2010 SP1
Outlook Web App and IRM aggravations

Discussing Exchange Server security risks and vulnerabilities

Authenticating to Exchange 2010 via NTLM: Smart move or security risk?





04 November 2013

This attachment was removed

After applying a file extension filter in Forefront Protection for Exchange 2010, we got complaints about .PDF, .LNK, and .ZIP files not getting through.

The attachment would be removed and replaced by a text file with the line "This attachment was removed" in it.

The first thing that attracts attention is the line "This attachment was removed".
This is not the standard text we configured in Forefront, so it comes from another source.

It turns out that after a standard install of an Exchange 2010 (Edge) server, there is also a file filter active under the hood: the "Attachment Filtering agent".

You can see this after running:

Get-AttachmentFilterEntry |fl

Type     : ContentType
Name     : application/x-msdownload
Identity : ContentType:application/x-msdownload

Type     : ContentType
Name     : message/partial
Identity : ContentType:message/partial

Type     : ContentType
Name     : text/scriptlet
Identity : ContentType:text/scriptlet

Type     : ContentType
Name     : application/prg
Identity : ContentType:application/prg

Type     : ContentType
Name     : application/msaccess
Identity : ContentType:application/msaccess

Type     : ContentType
Name     : text/javascript
Identity : ContentType:text/javascript

Type     : ContentType
Name     : application/x-javascript
Identity : ContentType:application/x-javascript

Type     : ContentType
Name     : application/javascript
Identity : ContentType:application/javascript

Type     : ContentType
Name     : x-internet-signup
Identity : ContentType:x-internet-signup

Type     : ContentType
Name     : application/hta
Identity : ContentType:application/hta

Type     : FileName
Name     : *.xnk
Identity : FileName:*.xnk

Type     : FileName
Name     : *.wsh
Identity : FileName:*.wsh

Type     : FileName
Name     : *.wsf
Identity : FileName:*.wsf

Type     : FileName
Name     : *.wsc
Identity : FileName:*.wsc

Type     : FileName
Name     : *.vbs
Identity : FileName:*.vbs

Type     : FileName
Name     : *.vbe
Identity : FileName:*.vbe

Type     : FileName
Name     : *.vb
Identity : FileName:*.vb

Type     : FileName
Name     : *.url
Identity : FileName:*.url

Type     : FileName
Name     : *.shs
Identity : FileName:*.shs

Type     : FileName
Name     : *.shb
Identity : FileName:*.shb

Type     : FileName
Name     : *.sct
Identity : FileName:*.sct

Type     : FileName
Name     : *.scr
Identity : FileName:*.scr

Type     : FileName
Name     : *.scf
Identity : FileName:*.scf

Type     : FileName
Name     : *.reg
Identity : FileName:*.reg

Type     : FileName
Name     : *.prg
Identity : FileName:*.prg

Type     : FileName
Name     : *.prf
Identity : FileName:*.prf

Type     : FileName
Name     : *.pif
Identity : FileName:*.pif

Type     : FileName
Name     : *.pcd
Identity : FileName:*.pcd

Type     : FileName
Name     : *.ops
Identity : FileName:*.ops

Type     : FileName
Name     : *.mst
Identity : FileName:*.mst

Type     : FileName
Name     : *.msp
Identity : FileName:*.msp

Type     : FileName
Name     : *.msi
Identity : FileName:*.msi

Type     : FileName
Name     : *.psc2
Identity : FileName:*.psc2

Type     : FileName
Name     : *.psc1
Identity : FileName:*.psc1

Type     : FileName
Name     : *.ps2xml
Identity : FileName:*.ps2xml

Type     : FileName
Name     : *.ps2
Identity : FileName:*.ps2

Type     : FileName
Name     : *.ps11xml
Identity : FileName:*.ps11xml

Type     : FileName
Name     : *.ps11
Identity : FileName:*.ps11

Type     : FileName
Name     : *.ps1xml
Identity : FileName:*.ps1xml

Type     : FileName
Name     : *.ps1
Identity : FileName:*.ps1

Type     : FileName
Name     : *.msc
Identity : FileName:*.msc

Type     : FileName
Name     : *.mdz
Identity : FileName:*.mdz

Type     : FileName
Name     : *.mdw
Identity : FileName:*.mdw

Type     : FileName
Name     : *.mdt
Identity : FileName:*.mdt

Type     : FileName
Name     : *.mde
Identity : FileName:*.mde

Type     : FileName
Name     : *.mdb
Identity : FileName:*.mdb

Type     : FileName
Name     : *.mda
Identity : FileName:*.mda

Type     : FileName
Name     : *.lnk
Identity : FileName:*.lnk

Type     : FileName
Name     : *.ksh
Identity : FileName:*.ksh

Type     : FileName
Name     : *.jse
Identity : FileName:*.jse

Type     : FileName
Name     : *.js
Identity : FileName:*.js

Type     : FileName
Name     : *.isp
Identity : FileName:*.isp

Type     : FileName
Name     : *.ins
Identity : FileName:*.ins

Type     : FileName
Name     : *.inf
Identity : FileName:*.inf

Type     : FileName
Name     : *.hta
Identity : FileName:*.hta

Type     : FileName
Name     : *.hlp
Identity : FileName:*.hlp

Type     : FileName
Name     : *.fxp
Identity : FileName:*.fxp

Type     : FileName
Name     : *.exe
Identity : FileName:*.exe

Type     : FileName
Name     : *.csh
Identity : FileName:*.csh

Type     : FileName
Name     : *.crt
Identity : FileName:*.crt

Type     : FileName
Name     : *.cpl
Identity : FileName:*.cpl

Type     : FileName
Name     : *.com
Identity : FileName:*.com

Type     : FileName
Name     : *.cmd
Identity : FileName:*.cmd

Type     : FileName
Name     : *.chm
Identity : FileName:*.chm

Type     : FileName
Name     : *.bat
Identity : FileName:*.bat

Type     : FileName
Name     : *.bas
Identity : FileName:*.bas

Type     : FileName
Name     : *.asx
Identity : FileName:*.asx

Type     : FileName
Name     : *.app
Identity : FileName:*.app

Type     : FileName
Name     : *.adp
Identity : FileName:*.adp

Type     : FileName
Name     : *.ade
Identity : FileName:*.ade


As shown above, the attachments .ZIP, .LNK, and .PDF are not shown.
The problem is that the attachment gets identified as an "invalid attachment" by the "Attachment Filtering agent".

Solutions:

Disable-TransportAgent -Identity "Attachment Filtering agent"

Restart-Service MSExchangeTransport

Or:

1. Stop the Microsoft Exchange Transport service.

2. Locate the EdgeTransport.exe.config file. This file is located in the following path:
drive:\Program Files\Microsoft\Exchange Server\Bin\

3. Add the following entry between the <appSettings> element and the </appSettings> element of the EdgeTransport.exe.config file:

<add key="AllowInvalidAttachment" value="true" />

4. Restart the Microsoft Exchange Transport service.

Source 1


Source 2
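
Before disabling the whole agent, which also switches off every entry in the list above, it helps to check whether the affected file names are on that list at all: the output above does contain `*.lnk`, while `.pdf` and `.zip` are absent, which points to the "invalid attachment" path for those two. The PowerShell below is an example added here, not part of the original post. The function name `Test-AttachmentFilterMatch`, the sample file names and the use of `-like` to approximate the agent's matching are assumptions.

```powershell
# Added example (not from the original post). Reports which file names are
# matched by FileName entries of the Attachment Filtering agent.
# Assumption: -like wildcard matching approximates how entries such as
# *.lnk are applied by the agent.
function Test-AttachmentFilterMatch {
    param(
        [Parameter(Mandatory = $true)][string[]]$FileName,
        [Parameter(Mandatory = $true)][object[]]$Entry
    )
    # Only FileName entries are compared here; ContentType entries are skipped.
    $patterns = @($Entry |
        Where-Object { "$($_.Type)" -eq 'FileName' } |
        ForEach-Object { "$($_.Name)" })
    foreach ($name in $FileName) {
        $hits = @($patterns | Where-Object { $name -like $_ })
        New-Object PSObject -Property @{
            FileName  = $name
            Listed    = ($hits.Count -gt 0)
            MatchedBy = ($hits -join ', ')
        }
    }
}

# Constructed sample: a few entries copied from the output above, so the
# function can be tried in any PowerShell session without Exchange.
$sampleEntries = @(
    New-Object PSObject -Property @{ Type = 'ContentType'; Name = 'application/hta' }
    New-Object PSObject -Property @{ Type = 'FileName'; Name = '*.lnk' }
    New-Object PSObject -Property @{ Type = 'FileName'; Name = '*.exe' }
    New-Object PSObject -Property @{ Type = 'FileName'; Name = '*.scr' }
)

# Hypothetical file names standing in for the attachments users reported.
$reported = 'report.pdf', 'archive.zip', 'shortcut.lnk'
Test-AttachmentFilterMatch -FileName $reported -Entry $sampleEntries |
    Format-Table FileName, Listed, MatchedBy -AutoSize

# On the Edge Transport server, in the Exchange Management Shell, use live data:
#   Test-AttachmentFilterMatch -FileName $reported -Entry (Get-AttachmentFilterEntry)
#   Get-AttachmentFilterListConfig | Format-List Action, AdminMessage
#   Get-TransportAgent -Identity "Attachment Filtering agent"
# To allow one listed type while keeping the rest of the list active:
#   Remove-AttachmentFilterEntry -Identity "FileName:*.lnk"
```

`Get-AttachmentFilterListConfig` shows the configured action and the `AdminMessage` text placed in the replacement file, which is a quick way to confirm that the "This attachment was removed" text comes from this agent rather than from Forefront.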





 

30 October 2013

Forefront Protection Server Management Console 2010 403 forbidden

Trouble accessing your newly installed Forefront Protection for Exchange 2010 management console from a remote machine by browser?

After a new install, Forefront doesn't let you access the front page of the management console out of the box.

If you try, you get a 403 Forbidden.


After adding your user account to the local admin group, you are able to access the front page.