
National Security Agency

Security Recommendation Guides

Instructions for configuring Microsoft Exchange to work with the ".INF" files distributed with the Windows 2000 Security Recommendation Guides

There are three actions required to ensure that Microsoft Exchange will work in concert with the Windows 2000 guidelines.

First, applying the Windows 2000 guidelines can cause an "unknown user name or bad password" error when logging into an Exchange Server via IMAP or POP3. The problem can be fixed in either of two ways:

Set the client to use Secure Password Authentication (preferred)

or

On both the Exchange Servers and Domain Controllers, set the LAN Manager Auth Level to "send NTLMv2 response only/refuse LM" (Level 4). This is a change from the recommended setting of "send NTLMv2 response only/refuse LM & NTLM" (Level 5).

Second, ensure the Exchange Enterprise Servers group is given the right to manage audit and security logs in the security policy applied to Domain Controllers.

Third, grant the Exchange Domain Servers group full control access to the \MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key.
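The three settings above can be checked in a security template before it is applied. The following is an added example, not part of the NSA guides: a small Python audit of a template in the standard [Registry Values] / [Privilege Rights] / [Registry Keys] layout. The function names, the sample template and the two group SIDs are constructed placeholders.

```python
import re

# Constructed sample: fragment of a domain controller template after the three
# changes. The two SIDs are placeholders for the Exchange groups in your domain.
ENT_SERVERS = "S-1-5-21-1111111111-2222222222-3333333333-1104"  # Exchange Enterprise Servers
DOM_SERVERS = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # Exchange Domain Servers
WINREG = r"MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg"
SAMPLE_INF = rf'''[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4
[Privilege Rights]
SeSecurityPrivilege = *S-1-5-32-544,*{ENT_SERVERS}
[Registry Keys]
"{WINREG}",2,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;{DOM_SERVERS})(A;CI;KR;;;BO)"
'''

def sections(text):
    """Split a template into {lowercased section name: [non-comment lines]}."""
    out, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            cur = out.setdefault(m.group(1).lower(), [])
        elif cur is not None and line and not line.startswith(";"):
            cur.append(line)
    return out

def audit(text, ent_servers, dom_servers):
    """Report the LM auth level and whether both Exchange grants are present."""
    s = sections(text)
    res = {"lm_level": None, "audit_right": False, "winreg_full_control": False}
    for line in s.get("registry values", []):
        key, _, val = line.partition("=")
        if key.strip().lower().endswith(r"\lsa\lmcompatibilitylevel"):
            res["lm_level"] = int(val.split(",")[1])  # "type,value"; type 4 = REG_DWORD
    for line in s.get("privilege rights", []):
        name, _, holders = line.partition("=")
        if name.strip().lower() == "sesecurityprivilege":  # manage auditing and security log
            sids = [h.strip().lstrip("*") for h in holders.split(",")]
            res["audit_right"] = ent_servers in sids
    for line in s.get("registry keys", []):
        path, _mode, sddl = [f.strip().strip('"') for f in line.split(",", 2)]
        if path.lower() == WINREG.lower():
            # SDDL ACE fields: type;flags;rights;object;inherit_object;sid
            aces = [a.split(";") for a in re.findall(r"\(([^)]*)\)", sddl)]
            res["winreg_full_control"] = any(
                a[0] == "A" and a[2] == "KA" and a[5] == dom_servers for a in aces)
    return res
```

A reported lm_level of 5 is correct when clients use Secure Password Authentication; 4 is expected only when the second option was chosen.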





Revised June 11, 2001

NATIONAL SECURITY AGENCY
FORT GEORGE G. MEADE, MARYLAND