Configuration tasks that Exchange Admins often overlook
Presently 70% of email is spam and the volume of this unwanted email is increasing year on year. The amount of malicious email gives us a clear idea of the intensity of the threat to email systems. New viruses, Trojans, malicious code and other threats are coming our way every day. The number of new spam domains is also increasing. These volumes of unsolicited email can cause performance problems on business critical communications systems, which in turn can cause damage to the reputation of an organisation if business processes are affected.
It is therefore vital to protect Microsoft Exchange servers from the storm of unsolicited email, and from other common security threats. Some of the basic steps that can be taken to protect Exchange servers are presented below. It’s not uncommon for overworked Exchange Administrators to miss some, or all, of these points:
1. Running the Exchange Best Practice Analyzer: Exchange Best Practice Analyzer is like a doctor for your Exchange servers. It performs in-depth health checks of Exchange. It scans the complete Exchange organisation to identify security configuration issues. It then outlines which hotfixes, rollups, and driver updates should be deployed. The Analyzer also provides configuration change suggestions to help improve the security and performance of the Exchange organization.
2. Enable and configure Data Loss Prevention (DLP): There are many third party vendors who offer DLP applications for Exchange. The latest version of Exchange also includes DLP functionality. DLP can prevent users from sending sensitive information out of an organization, whether accidentally or intentionally. Sensitive information can be data such as credit card numbers, social security numbers, confidential company documents, or any other personally identifiable information. DLP solutions provide in-depth customization options to block emails that contain sensitive data, notify the users about a risk, or even encrypt an email when it finds sensitive information. Microsoft also offers pre-configured templates for Exchange that are ready to use and which conform to compliance and regulatory body requirements. These templates can be customized to suit each organisation's needs and are a good starting point for DLP.
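The following Exchange Management Shell session is an added example, not part of the original article, showing how one of Microsoft's built-in DLP templates is turned into a policy. The policy name is made up, and the template name is an assumption: list the templates on your own server first, because names differ between Exchange versions.

```powershell
# Added example (not from the original article): create a DLP policy from a
# built-in template, run it in audit mode first, then enforce it.
# Assumptions: Exchange 2013 or later; the policy name and the template name
# are placeholders, so confirm the template name with step 1 before step 2.

# 1. List the templates that ship with this Exchange version
Get-DlpPolicyTemplate | Select-Object Name, Description

# 2. Create the policy in Audit mode so nothing is blocked until the rules are reviewed
New-DlpPolicy -Name "PCI Card Data" -Template "PCI Data Security Standard (PCI DSS)" -Mode Audit

# 3. Inspect the transport rules the template generated for this policy
Get-TransportRule |
    Where-Object { $_.DlpPolicy -eq "PCI Card Data" } |
    Format-List Name, SentToScope, MessageContainsDataClassifications, Mode

# 4. After reviewing the audit results (message tracking / DLP reports), enforce the policy
Set-DlpPolicy -Identity "PCI Card Data" -Mode Enforce
```

Starting in Audit mode is the practical part: it lets the administrator see which legitimate mail the template's classifications would have blocked before any user is affected.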
3. The Security Risks of Exposing CAS servers to the Internet: Many organizations configure Exchange Client Access Servers (CAS) to directly face the Internet. Since CASs are placed on the internal network, and given they are also Active Directory domain joined, they can be a security risk. If a CAS is compromised it provides a doorway to other servers on the corporate network. Because of this threat it is recommended to use a Load Balancer's reverse proxy function, where the Load Balancer is not joined to the Active Directory but is placed in the perimeter network. The Load Balancer should be configured to handle client access requests, then pass them to the CAS servers on the corporate network, so that there are no direct connections between Internet users and the Exchange servers. A LoadMaster Load Balancer with ESP (Edge Security Pack) & AFP (Application Firewall Pack) installed can fulfil this role perfectly. It can also provide authentication via Active Directory, without compromising core network security, and help with DLP.
4. Exposing Hub servers to the Internet and configuring them as open relays: Exchange administrators often configure Hub transport servers as open relays to allow internal applications to connect and route emails. Sometimes these Hub transport servers are also configured to accept email from the Internet. Open relay servers are an easy target for spammers. They can use these open relay servers to send huge amounts of spam email. This can cause email performance issues for your organisation, as the email routing servers can be overwhelmed by the hijacked traffic. In addition, the spam flowing out of the open relay servers to other email domains can cause your legitimate email server IP addresses to be blacklisted, which results in other email relay servers rejecting your users' legitimate emails. Open relay servers can also be used to participate in illegal Denial of Service (DoS) attacks on websites. Rather than exposing open relay hub servers to the Internet, it is recommended that an SMTP Gateway solution is deployed in the DMZ network. These servers can receive emails from the Internet, process them, validate and scan them to make sure they are legitimate, and then forward valid emails to the internal Exchange servers.
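As an added example (not code from the original article), the Exchange Management Shell commands below audit receive connectors for anonymous relay and then narrow an application relay connector to the hosts that need it. The server name, connector names and IP addresses are placeholders.

```powershell
# Added example (not from the original article): find receive connectors that
# grant anonymous relay, and restrict relay to known application hosts.
# Assumptions: "HUB01", the connector names and the 10.0.5.x addresses are placeholders.

# 1. Anonymous relay is the ms-Exch-SMTP-Accept-Any-Recipient extended right
#    granted to NT AUTHORITY\ANONYMOUS LOGON on a receive connector.
Get-ReceiveConnector | Get-ADPermission |
    Where-Object { $_.User -like "*ANONYMOUS LOGON*" -and
                   $_.ExtendedRights -like "*ms-Exch-SMTP-Accept-Any-Recipient*" } |
    Select-Object Identity, User, ExtendedRights

# 2. For every connector, check which networks may talk to it; a relay connector
#    whose RemoteIPRanges is 0.0.0.0-255.255.255.255 is reachable from anywhere.
Get-ReceiveConnector | Format-Table Identity, Bindings, RemoteIPRanges, PermissionGroups -AutoSize

# 3. Limit an application relay connector to the specific source addresses that need it
Set-ReceiveConnector -Identity "HUB01\Relay-Apps" -RemoteIPRanges 10.0.5.20, 10.0.5.21

# 4. Remove anonymous relay from a connector that should never have had it
Get-ReceiveConnector -Identity "HUB01\Default HUB01" |
    Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient" -Confirm:$false
```

Step 1 is the check worth running regularly: a connector can look harmless in the console while the extended right was added by hand months ago.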
5. Monitor the Exchange Environment: It is very important to monitor Exchange servers. Monitoring and alerting allows administrators to be informed if anything untoward occurs, so they can take immediate action to address any issues. Proactive monitoring and alerts also play a vital role in maintaining the security of the Exchange servers. The system logs that are produced as part of the monitoring and alerting process help to perform root cause analysis of any issues that occur. They also help with capacity planning for future Exchange server upgrades.
6. Trusted Certificate: Exchange servers by default create self-signed certificates for the Client Access servers. These are certificates that the server signs locally with its own key pair, so no third party vouches for them. If these local self-signed certificates are used on any Internet facing servers then there is a risk that they can be compromised. This exposes any other servers using the same certificate to attack. It is recommended that the self-signed certificates are replaced with a valid certificate provided and signed by a trusted Certificate Authority. It is also recommended that the internal Exchange server names are not used in the certificates. This helps to hide the internal server name space from any attackers. Wildcard certificates are also not recommended for Exchange servers. If one server is compromised, then it is easy to breach all the other servers using the same certificate. Wildcard certificates also add a management overhead if they need to be revoked for any reason. They will need to be removed from all servers that were using it, and then the new certificate will need to be reapplied on all servers. Having separate certificates allows for just the compromised certificate to be replaced on a single server.
7. Update Windows and Exchange security hotfixes and service packs: Microsoft releases a Microsoft Security Bulletin every month with the list of security fixes and details of the issues addressed. This bulletin also provides information on the criticality of each issue. It is very important for the Exchange Administrators to review these security bulletins and take necessary action if any patches have been made available for Exchange server and the underlying Windows Operating system that hosts Exchange. It is also recommended that the latest Cumulative Updates and Service Packs for Exchange server are tested and deployed whenever they are released.
8. Role Based Access Control (RBAC) permission model: RBAC is the best permission model to use to secure Exchange servers. It simplifies the granting and revoking process for permissions, and allows administrators to manage permissions at a granular level. It helps to deliver a role based permission model so that administrators only have the necessary permissions to allow them to perform the actions they are authorized to do. There are various predefined management roles included with Exchange. These are ready to use, and can also be modified as required.
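The Exchange Management Shell session below is an added example, not from the original article. It finds self-signed certificates that are still bound to Exchange services and generates a certificate request that names only public hostnames, as the point above recommends. The server name EX01, the names under example.com, the organisation details and the C:\Certs path are all placeholders.

```powershell
# Added example (not from the original article): audit certificate bindings and
# request a CA-signed certificate that carries no internal server names.
# Assumptions: EX01, example.com names, "Example Ltd" and C:\Certs are placeholders;
# Exchange 2013 or later (the -Server parameter).

# 1. A self-signed certificate still bound to IIS/SMTP/POP/IMAP is a finding
Get-ExchangeCertificate -Server EX01 |
    Where-Object { $_.IsSelfSigned -and $_.Services -ne "None" } |
    Format-Table Thumbprint, Subject, Services, NotAfter, CertificateDomains -AutoSize

# 2. Generate a request whose subject and SANs are the public names only
#    (no EX01.corp.example.local style internal FQDNs)
$csr = New-ExchangeCertificate -GenerateRequest -Server EX01 `
    -SubjectName "C=GB, O=Example Ltd, CN=mail.example.com" `
    -DomainName mail.example.com, autodiscover.example.com `
    -PrivateKeyExportable $true
Set-Content -Path "C:\Certs\mail.example.com.req" -Value $csr

# 3. When the CA returns the signed certificate, import it and bind it to the
#    web and SMTP services in one pipeline
Import-ExchangeCertificate -Server EX01 `
    -FileData ([System.IO.File]::ReadAllBytes("C:\Certs\mail.example.com.cer")) |
    Enable-ExchangeCertificate -Server EX01 -Services IIS, SMTP

# 4. Re-run step 1: the self-signed certificate should now show Services = None
```

Because the request in step 2 is per server and per hostname, replacing a compromised certificate later touches only that one server, which is the operational advantage over a shared wildcard certificate described above.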
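As an added example (not from the original article), the commands below build a least-privilege custom role from a built-in parent, strip it down to two cmdlets and a handful of parameters, and assign it to a role group scoped to one OU. The role, group, user and OU names are placeholders.

```powershell
# Added example (not from the original article): a custom RBAC role that lets a
# help desk change a few mailbox contact fields and nothing else.
# Assumptions: all role, group, account and OU names are placeholders;
# Exchange 2013 or later (PowerShell 3.0 for the -notin operator).

# 1. Derive a child role from a built-in parent; it starts with all of the parent's entries
New-ManagementRole -Name "Helpdesk Mailbox Contact Info" -Parent "Mail Recipients"

# 2. Remove every cmdlet except Get-Mailbox and Set-Mailbox
Get-ManagementRoleEntry "Helpdesk Mailbox Contact Info\*" |
    Where-Object { $_.Name -notin "Get-Mailbox", "Set-Mailbox" } |
    Remove-ManagementRoleEntry -Confirm:$false

# 3. Limit Set-Mailbox to the parameters the help desk is authorised to change
#    (-Parameters without -AddParameter/-RemoveParameter replaces the parameter list)
Set-ManagementRoleEntry "Helpdesk Mailbox Contact Info\Set-Mailbox" `
    -Parameters Identity, DisplayName, Office, Phone

# 4. Assign the role through a role group whose write scope is a single OU
New-RoleGroup -Name "Helpdesk Tier1" `
    -Roles "Helpdesk Mailbox Contact Info" `
    -Members helpdesk.alice, helpdesk.bob `
    -RecipientOrganizationalUnitScope "example.com/Staff"

# 5. Verify what the group can actually run and where
Get-ManagementRoleAssignment -RoleAssignee "Helpdesk Tier1" |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
Get-ManagementRoleEntry "Helpdesk Mailbox Contact Info\*" | Format-Table Name, Parameters
```

Step 5 is the check to keep in a change ticket: RBAC mistakes usually come from a parent role that carried more cmdlets than anyone remembered, and the entry list makes that visible.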
9. Anti-virus and Attachment filtering: Anti-virus software protects Exchange servers from security threats such as viruses, worms, Trojans and other malicious code. Attachment filtering helps prevent spam and content leakage, by scanning both inbound and outbound email. Anti-virus software needs to be configured correctly so that it doesn’t scan and quarantine Exchange application and database files.
10. Enabling Outlook Anywhere for remote users: Outlook Anywhere is commonly known as RPC over HTTP. It allows remote users to connect to Exchange servers and access email without needing a VPN connection into the infrastructure. It provides encryption and more secure communication between Exchange servers and remote clients by encapsulating RPC packets in HTTPS, which is protected with encryption based on an SSL certificate.
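The commands below are an added example, not from the original article. They show the two halves of point 9 in the Exchange Management Shell: a transport rule that rejects executable attachments from outside the organization, and file-level anti-virus exclusions for the Exchange paths (shown for Windows Defender; third-party products have an equivalent setting). The rule name and extension list are assumptions.

```powershell
# Added example (not from the original article): attachment filtering via a
# transport rule, plus AV exclusions so the scanner does not quarantine Exchange files.
# Assumptions: rule name and extension list are placeholders; Windows Defender
# cmdlets (Add-MpPreference) are used for the exclusion half.

# 1. Reject inbound mail from outside the organization that carries executable attachments
New-TransportRule -Name "Block executable attachments" `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords exe, scr, js, vbs, bat `
    -RejectMessageReasonText "Executable attachments are not accepted." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# 2. Exclude the Exchange database/log and transport queue paths from real-time scanning.
#    $env:ExchangeInstallPath is set on every Exchange server; Join-Path handles the trailing slash.
$exchangeRoot = $env:ExchangeInstallPath
Add-MpPreference -ExclusionPath (Join-Path $exchangeRoot "Mailbox"),
                                (Join-Path $exchangeRoot "TransportRoles\Data")
Add-MpPreference -ExclusionProcess (Join-Path $exchangeRoot "Bin\MSExchangeTransport.exe")

# 3. Confirm both changes took effect
Get-TransportRule "Block executable attachments" | Format-List FromScope, AttachmentExtensionMatchesWords, RejectMessageReasonText
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
```

The exclusion list here is deliberately short; Microsoft publishes the full set of paths and processes for each Exchange version, and the same principle applies to whichever anti-virus product is installed.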
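As an added example (not from the original article), this Exchange Management Shell snippet sets the Outlook Anywhere hostnames, requires SSL for internal and external clients, and then reads the configuration back. The server name EX01 and the hostname mail.example.com are placeholders.

```powershell
# Added example (not from the original article): configure Outlook Anywhere to
# require SSL on both the internal and external side of an Exchange 2013+ CAS.
# Assumptions: EX01 and mail.example.com are placeholders; the certificate bound
# to IIS must include the hostname used here (see point 6).

Set-OutlookAnywhere -Identity "EX01\Rpc (Default Web Site)" `
    -ExternalHostname mail.example.com `
    -ExternalClientsRequireSsl $true `
    -ExternalClientAuthenticationMethod Ntlm `
    -InternalHostname mail.example.com `
    -InternalClientsRequireSsl $true `
    -IISAuthenticationMethods Basic, Ntlm

# Read the settings back; ExternalClientsRequireSsl / InternalClientsRequireSsl
# should both be True so no RPC traffic is accepted over plain HTTP
Get-OutlookAnywhere -Server EX01 |
    Format-List ExternalHostname, ExternalClientsRequireSsl, ExternalClientAuthenticationMethod,
                InternalHostname, InternalClientsRequireSsl, IISAuthenticationMethods
```

Pairing this with point 3 above means the hostname resolves to the reverse proxy rather than to the CAS itself, so the RPC-over-HTTPS session terminates in the perimeter before reaching the domain-joined server.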
These configuration tasks are some of the steps that Administrators should take to help protect their Exchange servers. It is not an exhaustive list. Attackers are always looking for loopholes to compromise servers of all types. Administrators should be proactive and make sure to protect their environment with all necessary steps from a basic to an advanced level.