Rules to Better Exchange Server

  1. Do you add a redirect from http to https for OWA?

    Do you configure redirection from HTTP to HTTPS for Outlook Web App (OWA)? To simplify OWA access for your users, configure the Outlook Web App page to redirect them to HTTPS automatically. The HTTP redirect procedure in IIS Manager simplifies the OWA URL and forces an SSL connection from to

    Step 1: Use IIS Manager to simplify OWA URL and force redirection to SSL

    1. Start IIS Manager.
    2. Expand the local computer, expand Sites, and then click Default Web Site.
    3. At the bottom of the Default Web Site Home pane, click Features View if this option isn't already selected.
    4. In the IIS section, double-click HTTP Redirect.
    5. Select the Redirect requests to this destination check box.
    6. Type the absolute path of the /owa virtual directory. For example, type.
    7. Under Redirect Behavior, select the Only redirect requests to content in this directory (not subdirectories) check box.
    8. In the Status code list, click Found (302).
    9. In the Actions pane, click Apply.
    10. Click Default Web Site.
    11. In the Default Web Site Home pane, double-click SSL Settings.
    12. In SSL Settings, clear Require SSL.

    Step 2: Remove redirection from virtual directories

    1. Open a Command Prompt window.
    2. Navigate to:

      <Windows directory>\System32\Inetsrv.

    3. Run the following commands:

      appcmd set config "Default Web Site/autodiscover" /section:httpredirect /enabled:false -commit:apphost
      appcmd set config "Default Web Site/ecp" /section:httpredirect /enabled:false -commit:apphost
      appcmd set config "Default Web Site/ews" /section:httpredirect /enabled:false -commit:apphost
      appcmd set config "Default Web Site/owa" /section:httpredirect /enabled:false -commit:apphost
      appcmd set config "Default Web Site/oab" /section:httpredirect /enabled:false -commit:apphost
      appcmd set config "Default Web Site/powershell" /section:httpredirect /enabled:false -commit:apphost
      appcmd set config "Default Web Site/rpc" /section:httpredirect /enabled:false -commit:apphost
      appcmd set config "Default Web Site/rpcwithcert" /section:httpredirect /enabled:false -commit:apphost
      appcmd set config "Default Web Site/Microsoft-Server ActiveSync" /section:httpredirect /enabled:false -commit:apphost

    4. Finish by running the command:


    Step 3: Test that HTTP to HTTPS redirect is working

    1. Open Internet Explorer and type in
    2. DONE - You are then redirected to 
    Figure: Bad Example, no redirect in place for OWA
    Figure: Good Example, redirect from HTTP to https for OWA
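
    One way to confirm that Steps 1 and 2 left the configuration as intended, as an added example that is not part of the original rule: the PowerShell script below reports the httpRedirect state of the nine virtual directories from Step 2 and whether Require SSL is still set on the site root. The embedded XML is a constructed sample, Get-IisLocation is a hypothetical helper, and the script assumes the settings live in applicationHost.config, which is where the appcmd commands above commit them.

```powershell
# Added example: audit what Steps 1 and 2 should have left in applicationHost.config.
param([string]$Path)   # optional: path to a real applicationHost.config

# Constructed sample in applicationHost.config layout (not from a real server).
$sample = @'
<configuration>
  <location path="Default Web Site">
    <system.webServer><security><access sslFlags="Ssl" /></security></system.webServer>
  </location>
  <location path="Default Web Site/owa">
    <system.webServer><httpRedirect enabled="false" /></system.webServer>
  </location>
  <location path="Default Web Site/ews">
    <system.webServer><httpRedirect enabled="true" /></system.webServer>
  </location>
</configuration>
'@

[xml]$cfg = if ($Path) { Get-Content -Raw -LiteralPath $Path } else { $sample }

$site  = 'Default Web Site'
$vdirs = 'autodiscover', 'ecp', 'ews', 'owa', 'oab', 'powershell', 'rpc',
         'rpcwithcert', 'Microsoft-Server ActiveSync'

# Hypothetical helper: find a <location> element by path (-eq ignores case).
function Get-IisLocation([string]$LocationPath) {
    $cfg.configuration.location | Where-Object { $_.path -eq $LocationPath } | Select-Object -First 1
}

$report = foreach ($v in $vdirs) {
    $enabled = (Get-IisLocation "$site/$v").'system.webServer'.httpRedirect.enabled
    $state = if ($enabled -eq 'false') { 'OK' }
        elseif ($enabled -eq 'true') { 'REDIRECTING' }
        else { 'NOT SET' }   # no explicit entry: may inherit the site-level redirect
    [pscustomobject]@{ VirtualDirectory = $v; HttpRedirect = $state }
}

# Step 1 ends by clearing Require SSL on the site root; flag it if it is still set.
$sslFlags   = (Get-IisLocation $site).'system.webServer'.security.access.sslFlags
$requireSsl = ($sslFlags -split ',\s*') -contains 'Ssl'

$report | Format-Table -AutoSize
if ($requireSsl) { Write-Warning "Require SSL is still set on '$site' (sslFlags=$sslFlags)." }
$report | Where-Object HttpRedirect -ne 'OK' | ForEach-Object {
    Write-Warning "$($_.VirtualDirectory): httpRedirect is $($_.HttpRedirect); rerun its Step 2 appcmd command."
}
```

    With no argument the script runs against the sample and warns about every virtual directory except owa. Pass -Path with the server's applicationHost.config (under <Windows directory>\System32\Inetsrv\config) from an elevated prompt to audit a real server.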
  2. Do you Monitor Company Email?

    Following from the previous rule, if email is actually the property of the employer, then it makes sense to actually track who is sending emails to whom.

    Using the Microsoft Exchange Web Storage System, you should track the number of emails sent internally (i.e. to a colleague) and emails sent to clients in your corporate database.

    Figure: Monitor Sent Items

    One option is to use a utility for Exchange reports called SSW Exchange Reporter.

    Note that although it is acceptable for seniors to check juniors' email, it is not acceptable for juniors to check seniors' email.

  3. Do you turn off auto-update on your servers?

    It is not a good idea to have Windows Update automatically updating your servers.  There are a few reasons.

    1. The hotfix could bring down a production environment. (This has happened before.)
    2. In fact, even in a development environment, this could be hours of lost work as the development team struggles to understand why only some of the developers' servers magically and mysteriously broke overnight.
    3. Windows Update could restart your server, or put your server in a state where it requires restarting - preventing any urgent MSI installs without bringing down the server.

    Windows Update remains the best way for end users to protect their systems. On a server, though, and especially in a production environment, Windows Update patches are just like any new version of software that's built internally: they should be tested and then deployed in a controlled manner.

    So recommendations for managing updates are as follows:

    1. Use WSUS to approve/deny updates for your servers.
    2. Update Staging/Development servers first to see if any issues arise from the updates.
    3. Roll these updates out to Production once confident there are no issues.
    4. Windows Updates may be critical and should be kept relatively up to date.
    5. Do all of this on a schedule - have an email sent to your SysAdmins to remind them to review and reboot needed machines:
    Figure: Good Example, scheduled email showing clear action points and WSUS stats