Microsoft Exchange Server is a widely deployed email and calendaring server that runs only on Windows Server. Beginning in January 2021, a set of zero-day vulnerabilities in on-premises Exchange Server was exploited by HAFNIUM, a state-sponsored group that Microsoft assesses to operate out of China.
Microsoft released out-of-band security updates for the affected versions on 2 March 2021, followed in mid-March by tools, scripts and documentation to help security teams identify and remediate compromised servers. Chained together, the vulnerabilities gave an unauthenticated attacker remote code execution on Internet-facing Exchange servers; the attackers used that foothold to implant web shells and to exfiltrate mailbox data. Exchange Online was not affected.
Following Microsoft's guidance for these vulnerabilities is the right place to start, with one caveat: installing the updates closes the holes but removes nothing an attacker has already planted, so any server that was reachable before it was patched also has to be checked for web shells and other persistence. Beyond that, there are a number of Exchange Server security best practices that should be followed to protect against future attacks, and this article goes through them.
Exchange Server Should be Up to Date
The first and most obvious best practice is to keep Exchange Server current. Microsoft releases Security Updates (SUs) for Exchange, on Patch Tuesday and out of band when needed, and periodic Cumulative Updates (CUs). SUs are only produced for the most recent CUs, so a server that has fallen behind on CUs cannot receive security fixes until it is brought up to a supported CU. Administrators should apply SUs as soon as they are released, keep the Windows Server host patched as well, and verify afterwards that the expected build is actually installed.
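The check below is an added example for this article, not a Microsoft script. It reports the Exchange build on the local server and compares it with the build expected after the latest Security Update. Security Updates do not change the version that Get-ExchangeServer reports (AdminDisplayVersion tracks the Cumulative Update), so the documented check is the file version of ExSetup.exe. The expected build number in the usage line is a placeholder; the real value comes from Microsoft's "Exchange Server build numbers and release dates" page for your CU.

```powershell
# Added example (not from the article or from Microsoft): compare the installed
# Exchange build with the build expected after the current Security Update.
# Run inside the Exchange Management Shell on the server being checked.

function Get-ExchangeInstalledBuild {
    # ExSetup.exe carries the full build, e.g. 15.2.986.14
    # (major.minor.CU-build.SU-build); Get-ExchangeServer does not.
    $info = (Get-Command ExSetup.exe).FileVersionInfo
    [version]$info.FileVersion
}

function Test-ExchangeBuild {
    param(
        [Parameter(Mandatory)][version]$ExpectedBuild
    )
    $installed = Get-ExchangeInstalledBuild
    $server    = Get-ExchangeServer -Identity $env:COMPUTERNAME

    [pscustomobject]@{
        Server           = $server.Name
        CumulativeUpdate = $server.AdminDisplayVersion   # CU-level version only
        InstalledBuild   = $installed
        ExpectedBuild    = $ExpectedBuild
        # Same CU means major.minor.build match; only the last part (the SU) differs
        SameCU           = ($installed.Major -eq $ExpectedBuild.Major -and
                            $installed.Minor -eq $ExpectedBuild.Minor -and
                            $installed.Build -eq $ExpectedBuild.Build)
        UpToDate         = ($installed -ge $ExpectedBuild)
    }
}

# Usage. The build below is a placeholder assumption, not a real SU build:
# replace it with the current number from Microsoft's build table.
$result = Test-ExchangeBuild -ExpectedBuild '15.2.1000.10'
$result | Format-List

if (-not $result.SameCU) {
    Write-Warning "Server is on a different Cumulative Update than the expected build; check that its CU still receives Security Updates."
} elseif (-not $result.UpToDate) {
    Write-Warning "Security Update missing: installed $($result.InstalledBuild), expected at least $($result.ExpectedBuild)."
} else {
    Write-Host "Exchange build is current."
}
```

Run it on every server in the organization rather than one, since a partially failed SU installation on a single server is exactly the case this is meant to catch.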
Use Security Utilities
Microsoft also provides a number of utilities that help protect Exchange from unauthorized access, malware and other threats. These include:
Microsoft Exchange On-Premises Mitigation Tool (EOMT): a PowerShell script Microsoft released in March 2021 for customers without a dedicated security team. It applies an interim mitigation for the initial vulnerability in the HAFNIUM chain, runs Microsoft Safety Scanner, and attempts to reverse changes made by known attacks. It does not install the security updates and is not a substitute for them.
Exchange Best Practices Analyzer (ExBPA): ExBPA collected configuration data from an Exchange organization, analyzed it, and reported deviations from Microsoft's recommended practices. It shipped with older Exchange versions; for Exchange 2013 and later the equivalent is the Exchange Server Health Checker script that Microsoft maintains on GitHub, which reports missing updates, insecure TLS settings and other common misconfigurations.
Microsoft Safety Scanner (MSERT, the Microsoft Support Emergency Response Tool): an on-demand scanner that finds and removes malware on a Windows system. It is a standalone download that expires ten days after it is downloaded and provides no real-time protection. EOMT, mentioned above, downloads and runs it.
Microsoft Defender Antivirus: the anti-malware engine built into current versions of Windows and Windows Server, which also runs on Exchange servers. Apply only the Exchange-specific antivirus exclusions Microsoft currently documents; over-broad exclusions on the web and ASP.NET directories would hide exactly the locations where web shells are dropped.
Microsoft Security Configuration Wizard (SCW): SCW let administrators change a server's default security settings, including network security policies, audit policies, registry values and services. It shipped with Windows Server 2008 through 2012 R2 and was removed in Windows Server 2016; on current servers the Security Compliance Toolkit below fills its role.
Microsoft Security Compliance Toolkit (SCT): a set of tools with which enterprise administrators download, analyze, test, edit and store Microsoft's recommended security configuration baselines for Windows Server, Windows client, Microsoft Edge and Office. There is no Exchange-specific baseline, so apply the Windows Server baseline to the host and test it against Exchange before rolling it out.
Exchange Analyzer: a community-maintained (not Microsoft) PowerShell tool that scans an Exchange organization and reports common configuration issues with recommendations for improving security.
Microsoft Exchange Online Protection (EOP): EOP, now managed from the Microsoft 365 Defender portal, is Microsoft's cloud-hosted mail filtering service. It protects Exchange Online mailboxes by default and can be placed in front of on-premises or hybrid deployments by routing inbound mail through it.
Microsoft Exchange antispam and antimalware agents: Exchange Server 2016 and 2019 ship with a Malware agent and a set of antispam agents. The Malware agent is enabled by default on Mailbox servers; the antispam agents are installed by default only on Edge Transport servers and must be added to Mailbox servers with the Install-AntiSpamAgents.ps1 script.
Use Allowlists and Blocklists
Allow and block lists exist at two levels, and it matters which one is in use. The Safe Senders and Blocked Senders lists in Outlook are per-user junk-mail settings: they affect only that user's mailbox and the user can change them. Organization-wide policy belongs on the server. On Exchange Server the Sender Filter agent blocks specific senders and domains, the Content Filter agent can let trusted senders bypass spam scoring, and transport rules can drop or quarantine mail by sender; in Exchange Online the same settings live in the anti-spam policy. Treat allow lists with care: an allow-listed domain bypasses spam filtering entirely, so a spoofed or compromised partner domain walks straight in.
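Server-side lists on an Exchange 2016/2019 Mailbox server, as an added example for this article (these are Exchange's own cmdlets, but the sequence and every address, domain and rule name here are placeholders chosen for illustration):

```powershell
# Added example (not from the article): organization-wide sender allow/block
# lists on an Exchange Mailbox server, as opposed to a user's Outlook lists.
# Run in the Exchange Management Shell as a member of Organization Management.
# All senders, domains and the rule name are placeholders.

# 1. The antispam agents are installed by default only on Edge Transport
#    servers. On a Mailbox server install them once, then restart transport.
if (-not (Get-TransportAgent -Identity 'Sender Filter Agent' -ErrorAction SilentlyContinue)) {
    & (Join-Path $env:ExchangeInstallPath 'Scripts\Install-AntiSpamAgents.ps1')
    Restart-Service MSExchangeTransport
}

# 2. Block list: reject mail from specific senders and from a whole domain tree
#    (the domain and all its subdomains).
Set-SenderFilterConfig -Enabled $true -Action Reject `
    -BlockedSenders @{Add = 'billing@invoice-example.net'} `
    -BlockedDomainsAndSubdomains @{Add = 'invoice-example.net'}

# 3. Allow list: let a trusted partner domain bypass the Content Filter agent.
#    This skips spam scoring only; the Malware agent still scans the messages.
Set-ContentFilterConfig -BypassedSenderDomains @{Add = 'partner.example.com'}

# 4. A transport rule is the alternative when the antispam agents are not in
#    use, for example when EOP filters mail in front of the servers.
New-TransportRule -Name 'Drop mail from known-bad domain' `
    -SenderDomainIs 'invoice-example.net' -DeleteMessage $true -Enabled $true

# 5. Verify the resulting configuration.
Get-SenderFilterConfig  | Format-List Enabled, Action, BlockedSenders, BlockedDomainsAndSubdomains
Get-ContentFilterConfig | Format-List Enabled, BypassedSenderDomains
Get-TransportRule -Identity 'Drop mail from known-bad domain' |
    Format-List Name, SenderDomainIs, DeleteMessage, State
```

In Exchange Online the equivalent organization-wide settings are the AllowedSenderDomains and BlockedSenderDomains properties of the anti-spam policy (Set-HostedContentFilterPolicy); the same caution about allow-listed domains bypassing filtering applies there.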
Restrict Administrative Access
Exposing Exchange's administrative interfaces to the Internet, that is the Exchange admin center, remote PowerShell and RDP to the servers themselves, is a serious risk. Restrict them to the internal network or a dedicated management subnet, and keep membership of Organization Management and the other privileged role groups to the administrators who genuinely need it; Exchange's role-based access control lets you grant narrower roles for everything else. Ordinary users need only the client protocols (Outlook, Outlook on the web, ActiveSync), and where those are reachable from outside they should sit behind multi-factor authentication. Where remote administrative access is genuinely required, require MFA and a VPN or other authenticated path rather than publishing the admin interfaces directly.
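An added example for this article of auditing and tightening administrative access on Exchange 2019 (not a Microsoft script): the role group names are Exchange's own, but the management subnet, the mailbox and user names are placeholders, and Client Access Rules are assumed to be available, which is the case for Exchange 2019 and Exchange Online but not Exchange 2016.

```powershell
# Added example (not from the article): who has administrative and delegated
# access, and confine the admin interfaces to a management subnet.
# Placeholders: the subnet, the mailbox and the user names.

# 1. Who holds organization-wide admin rights? Review regularly and remove
#    anyone who does not need the role.
foreach ($group in 'Organization Management', 'Server Management', 'Discovery Management') {
    "== $group =="
    Get-RoleGroupMember -Identity $group | Select-Object -ExpandProperty Name
}

# 2. Who can open a sensitive mailbox as a delegate? Explicit (non-inherited)
#    grants to anyone other than the owner are the ones to scrutinize.
Get-MailboxPermission -Identity 'ceo@contoso.example' |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    Select-Object User, AccessRights, Deny

# 3. Remote PowerShell is enabled for every user by default. Turn it off for
#    everyone who is not in Organization Management (adjust the keep list to
#    your own admin roles). -WhatIf shows the changes; remove it to apply.
$admins = Get-RoleGroupMember -Identity 'Organization Management' |
          Select-Object -ExpandProperty Name
Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -and ($admins -notcontains $_.Name) } |
    Set-User -RemotePowerShellEnabled $false -WhatIf

# 4. Client Access Rule: deny the admin center and remote PowerShell from
#    anywhere except the management subnet. Create it disabled, simulate it,
#    then enable it, because a wrong rule locks the administrators out.
New-ClientAccessRule -Name 'Admin tools from management subnet only' `
    -Priority 1 -Action DenyAccess -Enabled $false `
    -AnyOfProtocols ExchangeAdminCenter, RemotePowerShell `
    -ExceptAnyOfClientIPAddressesOrRanges '10.10.50.0/24'

# An admin session from outside the subnet should be denied, one from inside
# allowed. 203.0.113.0/24 is documentation address space used as "outside".
Test-ClientAccessRule -User 'admin@contoso.example' -AuthenticationType BasicAuthentication `
    -Protocol RemotePowerShell -RemoteAddress 203.0.113.10 -RemotePort 443
Test-ClientAccessRule -User 'admin@contoso.example' -AuthenticationType BasicAuthentication `
    -Protocol RemotePowerShell -RemoteAddress 10.10.50.20 -RemotePort 443

# Only once the simulation shows the expected results:
Set-ClientAccessRule -Identity 'Admin tools from management subnet only' -Enabled $true
```

Step 3 matches users to role group members by name, which is enough to illustrate the idea; in a real environment compare distinguished names and expand nested groups before disabling anything in bulk.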
Enable TLS for External Services
SSL (Secure Sockets Layer) and its successor, Transport Layer Security (TLS), encrypt the connection between two hosts. All SSL versions and TLS 1.0/1.1 are obsolete and should be disabled; TLS 1.2 or later is what should be in use. For Exchange this means TLS on the client-facing services (Outlook on the web, EWS, ActiveSync and Outlook Anywhere, all over HTTPS) and on SMTP. Exchange uses opportunistic STARTTLS by default, which encrypts the hop between two mail servers when both support it but silently falls back to clear text otherwise, and it protects only that hop, not the message end to end. Where mail to a particular partner must be encrypted, configure the connector to require TLS and to validate the partner's certificate (domain-secured mail) rather than relying on the opportunistic default.
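The configuration below is an added example for this article, not Microsoft's script; the registry values are the ones from Microsoft's Exchange TLS guidance, while the connector name, the partner host name and the server name are placeholders. The Schannel changes apply to the whole server and need a reboot, so test on one server first, and check the SMTP protocol logs for partners still negotiating TLS 1.0/1.1 before disabling those versions.

```powershell
# Added example (not from the article): enforce TLS on Exchange and verify it.
# Placeholders: the send connector name, partner host, and server name.

# 1. Opportunistic STARTTLS is on by default for Internet mail. Report the
#    connectors, including any where it has been disabled (IgnoreSTARTTLS).
Get-SendConnector    | Format-Table Name, AddressSpaces, RequireTLS, TlsAuthLevel, TlsDomain, IgnoreSTARTTLS
Get-ReceiveConnector | Format-Table Name, Bindings, RequireTLS, AuthMechanism, TlsCertificateName

# 2. For a partner that must be encrypted, require TLS on that connector and
#    validate the partner's certificate against its name (domain-secured mail).
Set-SendConnector -Identity 'To Partner' -RequireTLS $true `
    -TlsAuthLevel DomainValidation -TlsDomain 'mail.partner.example.com'

# 3. Disable SSL 2.0/3.0 and TLS 1.0/1.1 in Schannel, keep TLS 1.2 on, and tell
#    the .NET Framework (which Exchange runs on) to use the OS defaults so that
#    Exchange itself negotiates TLS 1.2. Reboot afterwards.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "$proto\$side"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
        Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
    }
}
foreach ($side in 'Server', 'Client') {
    $key = Join-Path $schannel "TLS 1.2\$side"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name Enabled -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name DisabledByDefault -Value 0 -Type DWord
}
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    Set-ItemProperty -Path $net -Name SystemDefaultTlsVersions -Value 1 -Type DWord
    Set-ItemProperty -Path $net -Name SchUseStrongCrypto -Value 1 -Type DWord
}

# 4. After the reboot, from another machine, see which protocol versions the
#    HTTPS endpoint still accepts. Certificate validation is deliberately
#    skipped: the question here is only whether each handshake succeeds.
function Test-TlsVersions {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    foreach ($proto in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        try {
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]$proto, $false)
            [pscustomobject]@{ Protocol = $proto; Accepted = $true }
        } catch {
            [pscustomobject]@{ Protocol = $proto; Accepted = $false }
        } finally {
            $ssl.Dispose(); $tcp.Dispose()
        }
    }
}
Test-TlsVersions -HostName 'mail.contoso.example'   # only Tls12 should be accepted
```

Step 4 only proves what the server offers; whether a given partner's mail actually arrives encrypted is visible in the SMTP receive protocol logs, which is where to look before and after the change.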
Monitor Exchange Server and Mailbox Access
For Exchange Online, user and administrator activity is recorded in the Microsoft 365 unified audit log, which can be searched from the compliance and Defender portals or with the Search-UnifiedAuditLog cmdlet. Azure Monitor is a different service: it collects metrics and logs from Azure resources and from servers running its agent, and its pricing is based on the volume of data ingested plus the alert rules and notifications used. It is a reasonable place to ship Exchange, IIS and Windows event logs to for retention and alerting, but it does not scan Exchange by itself.
Being able to monitor, detect and alert on suspicious or unauthorized mailbox access and configuration changes is a crucial part of Exchange Server security. Exchange itself provides the raw material: mailbox audit logging records who accessed which mailbox, from where, and what they did; administrator audit logging records every configuration cmdlet and who ran it; and the IIS and transport logs record client and mail traffic. On-premises mailbox audit logging is off by default and must be enabled, and the audit logs must be retained long enough to be useful before any tooling on top of them can help. Microsoft and third parties offer products built on these sources; a third-party solution is worth considering when you need consolidated reporting, real-time alerting, or one console across on-premises, cloud and hybrid environments.
Such a solution gives visibility into who accessed which mailbox, when, from where, and what they did, and can alert an administrator in real time when a user attempts to open a mailbox they are not authorized to access.
It can also alert when sensitive data leaves by email, even to a recipient inside the organization, and many products baseline typical usage with machine learning and alert when a user's activity deviates from that baseline. Whatever tooling is used, alerting is only as good as the logs behind it, so turning on and retaining the audit logs comes first.
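The following is an added example for this article (not a Microsoft or vendor script) showing what the monitoring section describes with Exchange's built-in audit logs on an on-premises server: enabling mailbox audit logging, then querying for non-owner mailbox access and for privilege changes. The mailbox name, the trusted network prefixes and the lookback windows are placeholders.

```powershell
# Added example (not from the article): enable Exchange's own audit logging and
# query it for non-owner mailbox access and privilege changes.
# Placeholders: mailbox name, trusted network prefixes, lookback windows.
# Exchange Online records the same events in the unified audit log
# (Search-UnifiedAuditLog) and has mailbox auditing on by default; on-premises
# it is off by default and must be enabled per mailbox, as in step 1.

# 1. Enable mailbox audit logging on every user mailbox, keep 180 days, and
#    record what administrators and delegates do in other people's mailboxes.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit '180.00:00:00' `
        -AuditAdmin    Create, FolderBind, MessageBind, SendAs, SendOnBehalf, SoftDelete, HardDelete, Update, MoveToDeletedItems `
        -AuditDelegate Create, FolderBind, SendAs, SendOnBehalf, SoftDelete, HardDelete, Update, MoveToDeletedItems

# 2. Administrator audit logging records every configuration cmdlet. Confirm it
#    is on (it is by default) and that retention is long enough.
Get-AdminAuditLogConfig | Format-List AdminAuditLogEnabled, AdminAuditLogAgeLimit

# 3. Non-owner access to a mailbox, flagging events from outside the trusted
#    networks. The prefix list is an assumption for this example.
function Get-NonOwnerMailboxAccess {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [int]$Days = 7,
        [string[]]$TrustedPrefixes = @('10.', '192.168.')
    )
    Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Delegate, Admin -ShowDetails `
        -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) |
    ForEach-Object {
        $ip = [string]$_.ClientIPAddress
        $trusted = $false
        foreach ($p in $TrustedPrefixes) { if ($ip.StartsWith($p)) { $trusted = $true } }
        [pscustomobject]@{
            When       = $_.LastAccessed
            Who        = $_.LogonUserDisplayName
            LogonType  = $_.LogonType
            Operation  = $_.Operation
            Folder     = $_.FolderPathName
            ClientIP   = $ip
            Client     = $_.ClientInfoString
            Suspicious = -not $trusted      # non-owner access from an untrusted network
        }
    }
}

# 4. Privilege changes: who granted mailbox rights or admin roles recently?
function Get-PrivilegeChanges {
    param([int]$Days = 30)
    Search-AdminAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -Cmdlets Add-MailboxPermission, Add-RoleGroupMember, New-ManagementRoleAssignment, Set-Mailbox |
    Select-Object RunDate, Caller, CmdletName, ObjectModified
}

Get-NonOwnerMailboxAccess -Mailbox 'ceo@contoso.example' -Days 7 |
    Where-Object Suspicious | Format-Table -AutoSize
Get-PrivilegeChanges -Days 30 | Format-Table -AutoSize
```

Scheduling these two queries and forwarding their output to a ticketing or SIEM system is the minimal home-grown version of the real-time alerting the section describes; the Search-* cmdlets return at most 1000 results by default, so widen ResultSize for busy mailboxes.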
General Exchange Security Measures
There are a number of other practices that bolster Exchange Server security. The host firewall should be enabled and properly configured: from the Internet only the ports Exchange actually serves (HTTPS and SMTP) should be reachable, and management protocols such as RDP and WinRM should be confined to an internal management network. A strong password policy is needed, and MFA should be used wherever it is supported.
Back up the Exchange databases regularly and test restores, and consider Exchange recovery software that can extract mailboxes from damaged database files after a server failure or a cyber-attack. Bear in mind that a backup taken after an intrusion began contains whatever the attacker planted, so a restored server still needs the security updates and a check for web shells before it goes back into service.
Finally, Microsoft Attack Surface Analyzer is often misdescribed as a hardening tool. It does not configure anything: it takes a snapshot of a system before and after a change and reports what the change added, such as new services, listening ports, files, registry keys and certificates, which is useful for seeing what an Exchange update or a third-party agent actually put on the server. The hardening itself (security settings, patching, firewall rules, and removing unused roles, applications and services) comes from the Windows Server security baselines and Exchange's own guidance.
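Host firewall rules for an Exchange server, as an added example for this article (not Microsoft's configuration). The management subnet is a placeholder. Microsoft does not support filtering traffic between Exchange servers or between Exchange and domain controllers, so the example scopes only the management protocols and leaves Exchange's own ports alone.

```powershell
# Added example (not from the article): scope the management protocols on an
# Exchange server to a management subnet and review what is listening.
# Placeholder: the management subnet. Exchange's own ports are not touched,
# because Microsoft does not support firewalls between Exchange servers.
$managementSubnet = '10.10.50.0/24'   # assumption: where administrators connect from

# 1. All profiles on, inbound blocked by default, dropped packets logged.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -LogBlocked True

# 2. The built-in RDP and WinRM rules allow any source address. Disable them
#    and replace them with rules limited to the management subnet.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop', 'Windows Remote Management' |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP from management subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $managementSubnet -Action Allow
New-NetFirewallRule -DisplayName 'WinRM from management subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 5985, 5986 -RemoteAddress $managementSubnet -Action Allow

# 3. Review what is listening and which process owns it. On a Mailbox server
#    the expected set is Exchange's services (IIS on 80/443, the SMTP receive
#    connectors, the DAG replication and RPC ports); anything else needs an
#    explanation, and an unexpected listener is a classic persistence sign.
function Get-ListeningPorts {
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort -Unique |
        Select-Object LocalAddress, LocalPort,
            @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } }
}
Get-ListeningPorts | Format-Table -AutoSize
```

The listening-port review is worth saving as a baseline after a clean build and diffing against it after each update, which is the same before-and-after idea Attack Surface Analyzer applies to the whole system.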