Wring the most out of Exchange with these top ten security and performance techniques.
Everyone wants to get the most they can out of Exchange -- the most security, the most speed. But many administrators don't have the practical knowledge to get it done, beyond knowing that spending more money on more memory and faster processors will certainly help. This article presents a series of practical
Chances are you have already followed some of the directives discussed here. Nevertheless, there may be others you've overlooked or of which you are just not aware. Everyone can use some help in getting the most out of Exchange, and that's what these tips offer.
- Dedicate as many resources as possible to Exchange Server. If you can afford it, run Exchange on its own server with a good allotment of memory (256M bytes or better), plenty of storage based on your user load (Is 10M bytes per user for 250 users enough?), and a fast network segment. Each of these factors is critical. More memory means the processor can access information faster, servicing more users in a short period of time. More storage means easier access to the information store. And fast network links mean that the network won't be a bottleneck at those busy times, like when all your users log on between 8:45 a.m. and 9:15 a.m.
- Keep mailboxes to a manageable minimum. If you have Exchange as the repository for everyone's mail (rather than each client downloading mail locally as with a POP3 server), set a maximum mailbox size for everyone and stick to it rigidly. In Storage Limits (in the Information Store's Properties), you can configure Exchange to issue warnings when users' mailboxes are getting full, as well as actively prohibit sending and receiving when things are really tight. This keeps your seemingly inexhaustible information store from filling up in real life.
- Defrag and compress the Active Directory database. You need to keep as much free disk space as you can, and compressing and defragging help if you've just deleted, retired or migrated a whole slew of Exchange users. You can do this either with the NTDSUTIL program or Exchange's own ESENTUTL tool. This requires that you schedule some downtime, however. (See below for more on that.) Note also that the Exchange database automatically defragments itself online between 1:00 a.m. and 5:00 a.m., but this doesn't reduce the physical size of the data store if accounts have been deleted.
- Plan your partitions. Place your boot and operating system files on separate partitions. This way, if there's a disaster, you can recover from it a little more gracefully by having the boot files isolated. This means less downtime, which will make your users happy. Also, if you can manage it, have your Exchange application files, Exchange databases, and transaction logs on separate partitions or physical disks. Spreading them out across multiple disks improves performance, and also makes it easier to perform recovery if there's a catastrophic failure.
- Don't allow Exchange servers to be used as open SMTP relays. More than almost anything else you do, this one thing is critically important; it keeps your Exchange server -- especially if it's publicly accessible -- from being used as a spammer's paradise. Fortunately, this is easy: In the Properties for your SMTP server, select Access | Relay, and set Relay Restrictions to either allow only authenticated computers to relay or only the machines you specify. The former's good if the Exchange server has to be publicly available; the latter, if you're using it in a private network segment.
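To make the two relay-restriction modes concrete, here is an added example (not code from the article or from Exchange) that models how an SMTP server decides whether to accept a RCPT TO command under either setting, and includes a self-check that flags the misconfiguration that turns the server into an open relay. The domain names, IP addresses, CIDR ranges and reply strings are constructed for the example; the Exchange product itself exposes these settings only through the GUI described above.

```python
"""Model of SMTP relay restrictions: 'authenticated clients only' versus
'listed hosts only'. Added example, not Exchange code; all names and sample
values below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed: domains this server accepts inbound mail for. Delivery to these
# is local delivery, not relaying, so it is always allowed.
LOCAL_DOMAINS = {"example.com", "corp.example.com"}

RELAY_OK = "250 2.1.5 Recipient OK"
RELAY_DENIED = "550 5.7.1 Unable to relay"


@dataclass
class RelayPolicy:
    """mode is 'authenticated' (only clients that passed AUTH may relay) or
    'hosts' (only clients whose address falls in allowed_hosts may relay)."""
    mode: str
    allowed_hosts: list = field(default_factory=list)  # CIDR strings, 'hosts' mode

    def permits_relay(self, client_ip, authenticated):
        if self.mode == "authenticated":
            return authenticated
        if self.mode == "hosts":
            addr = ip_address(client_ip)
            return any(addr in ip_network(net) for net in self.allowed_hosts)
        raise ValueError(f"unknown relay mode: {self.mode}")


def rcpt_response(policy, client_ip, authenticated, rcpt_addr):
    """Reply to RCPT TO. Anything not addressed to a local domain is a relay
    request and is only accepted if the policy permits it."""
    domain = rcpt_addr.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return RELAY_OK
    if policy.permits_relay(client_ip, authenticated):
        return RELAY_OK
    return RELAY_DENIED


def simulate_session(policy, client_ip, authenticated, sender, rcpts):
    """Return both sides of an SMTP envelope exchange as a list of lines."""
    transcript = ["S: 220 mail.example.com ESMTP", "C: EHLO client.example",
                  "S: 250 mail.example.com Hello"]
    if authenticated:
        transcript += ["C: AUTH LOGIN (credentials omitted)",
                       "S: 235 2.7.0 Authentication successful"]
    transcript += [f"C: MAIL FROM:<{sender}>", "S: 250 2.1.0 Sender OK"]
    for rcpt in rcpts:
        transcript.append(f"C: RCPT TO:<{rcpt}>")
        transcript.append("S: " + rcpt_response(policy, client_ip, authenticated, rcpt))
    return transcript


def is_open_relay(policy):
    """Self-check: an unauthenticated client from an arbitrary external address
    (203.0.113.9, a constructed TEST-NET address) must not be able to send to a
    non-local domain. If it can, the server is an open relay."""
    reply = rcpt_response(policy, "203.0.113.9", False, "someone@other.example")
    return reply == RELAY_OK


if __name__ == "__main__":
    # Weak setting: every host is allowed to relay, i.e. an open relay.
    weak = RelayPolicy(mode="hosts", allowed_hosts=["0.0.0.0/0"])
    # Corrected settings: authenticated only, or only the internal segment.
    auth_only = RelayPolicy(mode="authenticated")
    internal_only = RelayPolicy(mode="hosts", allowed_hosts=["10.0.0.0/8"])
    for name, pol in [("weak", weak), ("auth_only", auth_only),
                      ("internal_only", internal_only)]:
        print(f"{name}: open relay = {is_open_relay(pol)}")
    for line in simulate_session(auth_only, "203.0.113.9", False,
                                 "spam@other.example", ["victim@other.example"]):
        print(line)
```

Run it as a script to see the three policies evaluated and a full transcript of an unauthenticated external client being refused at RCPT TO; the `is_open_relay` check is the property you want to hold for any server that is reachable from the Internet.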
- Stay on top of Service Packs, hotfixes, and other patches for Windows and Exchange. This is sometimes a daunting job, but Microsoft's Exchange Server site has security bulletins and service releases updated continually. Check once a week, and always have a pre-scheduled blackout period (such as late at night on a weekend, when usage may be low) for applying upgrades.
- Firewall your Exchange server (Exchange 5.5 only). Always a good idea, but you'll need to perform some registry edits to get Exchange to use static port assignments with a firewall. See KB article Q155831 for more details.
- Turn off NetBIOS. If you want extra security, unbind NetBIOS from TCP/IP unless you're communicating with other Exchange servers over the Internet. (Note that you will be able to manage the Exchange server only locally if you do this.)
- Don't allow users to create top-level folders in Exchange (Exchange 2000 only). By default everyone in an Exchange 2000 group is allowed to create top-level public folders in an organization. Disabling this requires a registry edit that exposes the option to turn it off. See this Microsoft article for the full story.
- Don't use POP3 to access other mail servers. It is possible to install a POP3 client in Exchange Server to poll other mailboxes, but this is a bad idea: The message headers get destroyed; POP3 is not secure enough for server-to-server communications; these clients are often buggy; etc.
Speed (all topics apply to both Exchange 5.5 and 2000)
Serdar Yegulalp is editor of the Windows Power Users' Newsletter.
This was first published in September 2002