Email is an essential business enabler in most organizations. Emails are also considered as legal transactions just like any other document created and circulated by a company. It is therefore important to secure and protect Exchange Server infrastructure from security threats. Email systems can be prone to attacks like spoofing, phishing, spamming, or other threats. Below we present fifteen tips to help you secure and protect your Exchange messaging systems.
- To protect the core network, deploy SMTP Gateway servers in the perimeter network and scan all inbound and outbound emails. Scanning should cover and protect against spam, viruses, malware, and also inspect attachments. The perimeter servers should also perform sender and recipient connection checking, as well as doing the content filtering.
- Deploy Exchange security software on the Exchange Servers. Most of the time viruses that infect email systems come from within the organization. So it’s vital that you don’t just scan email that is entering the organization from external sources. Security software on the Exchange Servers should scan all email for viruses, malware, and other threats.
- Deploy a reverse proxy appliance, such as a LoadMaster, in the perimeter network to publish Internet protocols used for Exchange Server services like Outlook on the Web, ActiveSync, Autodiscover, or any other protocols you need. It compromises security to expose Exchange Servers using these protocols directly on the Internet.
- Use a trusted Certificate Authority SSL certificate on the Internet facing Exchange Servers to secure and encrypt communications between Exchange Servers and clients.
- Microsoft releases security patches every month. Ensure that these patches are applied to protect the Exchange Servers from newly discovered vulnerabilities to Exchange Server and to host Windows Make sure to test the patches in a pre-production environment, and then apply to production servers.
- Apply SMTP relay restrictions and disable open relay on Exchange SMTP servers. Allow only authenticated and secured clients to send email via Exchange SMTP
- Implement Kerberos for Outlook Client By default clients connect to Exchange Server using NTLM Authentication which is not as secure as Kerberos. NTLM Authentication also puts additional load on the network, and the authentication servers in the Exchange Server infrastructure.
- Always monitor Exchange Servers via a tool like Microsoft System Center Operations Manager (SCOM). This proactively monitors the Exchange Servers for defined security threats and sends alerts to administrators if anything untoward occurs. SCOM also provides dashboards that show a summary of the health of an Exchange organization.
- Enable Mailbox Auditing on the primary mailboxes, or all mailboxes if possible. Auditing logs all the actions performed on a mailbox by the Mailbox owner, any delegates who have access, and administrators. These logs can be exported and analyzed when troubleshooting issues or security breaches.
- Enable Role-Based Access Control (RBAC) as the permissions model in the Exchange organization. This allows Administrators to provide very granular permissions and allows the security model to be precisely set to provide users the authorization to perform only necessary actions. It is the most efficient permission model and also means Administrators do not have to use Access Control Lists (ACLs) directly.
- Regularly run the Exchange Best Practice Analyzer (EBPA) against the Exchange organization. This tool collects all the configuration information for the Exchange organization and then analyzes it using best practice logic defined by Microsoft. It generates a report for Administrators with any recommended configuration changes that should be applied.
- Implement Data Loss Protection (DLP) to secure outgoing emails. Outbound emails are scanned using rules and any sensitive information such as social security numbers, credit card numbers, or any other information you don’t want to be sent in emails, can trigger the quarenteening of the outgoing email. Exchange Server has a predefined policy that will meet most of the requirements of an organization, but it can be modified as required.
- Protect Microsoft Windows client machines by installing anti-virus and anti-malware software such as Microsoft Security Essentials, or another 3rd party product, to detect and remove viruses and malware from the clients.
- Enable the default Windows built-in firewall and disable local Administrator permissions for users. Consider securing user computers further by blocking use of USB devices, and finally restrict users from accessing inappropriate
- Use Microsoft Baseline Security Analyzer (MBSA) and Microsoft Security Assessment Tool (MSAT). These are two great tools to help you secure your IT infrastructure. MBSA allows Administrators to scan local and remote computers for missing security patches and incorrect security MSAT asks a set of questions to the Administrator and based on the answers it analyses and recommends security changes to apply in the environment. Detailed information on the MSAT tool can be found in this TechNet article.
Securing Exchange infrastructure is an ongoing activity but it is essential to ensure the security of an Exchange server environment. Any overhead it adds to the administration of the solution is rewarded with better availability for the users, and less headaches for the Administrators.
Additional Information
Click here to watch our recent webinar on The Best Known Methods on Upgrading Microsoft Exchange