WinDeveloper IMF Tune

WinDeveloper IMF Tune
WinDeveloper IMF Tune

Windows 2003 SP1 and SCW trouble

Kenneth Spiteri

Kenneth Spiteri Photo

Kenneth is an Exchange Administrator who loves to share anything he finds interesting with the rest of the community. He also helps with the administration of the site.

  • Published: Apr 01, 2005
  • Category: General
  • Votes: none - none
Cast your Vote
Poor Excellent

Windows 2003 SP1 has just been released. We are watching out for any issues that may cause trouble to Exchange. The Security Configuration Wizard deserves the first note of caution.

The Security Configuration Wizard (SCW) is included with Windows 2003 SP1, but must be installed in a separate step. Exchange administrators have to be careful as it may cause some serious headaches. The issue is explained in detail by Nino Bilic in the MS Exchange blog - You Had Me At EHLO.

In summary, the SCW configures server access based on the machine role. Roles are detected by analyzing the running services such as DNS, File Server, Exchange 2003 server etc.

Server Roles

With this information, the SCW is able to configure the Windows Firewall to block server access except for the permitted server roles. In case of Exchange, the role is enabled by configuring firewall exceptions for the core Exchange executables. Referring to the following screen grab in my case an exception was created for emsmta.exe, mad.exe and store.exe.

Firewall Exceptions

I think you have already guessed it. SCW may fail to correctly configure the firewall exceptions leading Exchange to be blocked from communicating with its clients. This problem happens if Exchange was not originally installed in its default directory. You may check the exceptions from the Control Panel under Windows Firewall. In case of problems the path to the executable files will be incorrect.

Despite this issue the SCW is pretty powerful and can do a great job in securing a server. If you run into this problem you may fix it by correcting the Firewall exceptions manually. A step-by-step procedure on how to do this is available from KB896742. You should also find Nino's posting helpful. Just follow the reference links for more details.

References

Windows Server 2003 Service Pack 1 (SP1)

Windows 2003 SP1 Security Configuration Wizard and Exchange servers

KB896742 - After you run the Security Configuration Wizard in Windows Server 2003 SP1, Outlook users may not be able to connect to their accounts

Copyright © 2005 - 2024 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation