There's one nice feature in Exchange 2007 that I suspect will get overlooked far more than it deserves, and that's the built in support for the Windows Server 2003 SP1 Security Configuration Wizard. Out of the box, the SCW provided support for an impressive number of current-generation Microsoft applications, but the big question was always what would happen when newer versions of software were released.
Exchange 2007 comes with SCW support. While it doesn't register the SCW extensions during installation (or even give you the option of doing so, which would have been a nice touch), the Post-Install steps in the Exchange Management Console (and the Exchange documentation) give you the complete process for using the SCW to harden your Exchange 2007 servers. While the documentation is impressively complete, I found a couple of typos that might put some small bumps in the road.
In the How to Register Exchange Server Role SCW Extensions topic, they give you a couple of command lines to register the extensions used to tell SCW how to secure Exchange 2007. Here's the command lines I ended up using:
Registering the SCW extensions for one or more of the MB, CAS, HT, or UM roles:
scwcmd register /kbname:"Ex2007KB" /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007.xml"
Registering the SCW extensions for the ET role:
scwcmd register /kbname:"Ex2007EdgeKB" /kbfile:"%programfiles%\Microsoft\Exchange Server\scripts\Exchange2007Edge.xml"
Let me know how it works for you.