Security breaches cause organizational chaos and create financial and reputational risk. Now that organizations have shifted to a hybrid of in-office and work-from-home, the security threat landscape has grown significantly, and it's more important than ever to improve and harden Exchange Server security. These best practices provide a baseline security framework that all Exchange security administrators should know.
In fact, over 45% of companies have reported a security breach since 2014. The recent wave of attacks on Microsoft Exchange servers in 2021 emphasizes the need for companies to prioritize their security best practices. Companies must reduce their attack surface against unauthorized access, cyber-attacks, viruses and malware.
To help mitigate these security issues, we put together the 10 best ways to tighten up your Exchange Server security, reduce the post-incident recovery impact, and help protect the day-to-day operations of your company.
1. Keep Microsoft Exchange Server Up-To-Date
Foremost, keep your Exchange servers up-to-date. Leaving your servers unpatched and delaying updates puts your company at risk.
Failing to update could allow attackers to exploit unresolved bugs and critical vulnerabilities. Companies need to update their servers as and when Microsoft releases the latest Exchange Server Security Updates.
2. Properly Educate Users
Keeping your servers secure is only half the battle. If your employees are not up-to-date on email security best practices, the result can be a compromised system. According to a Verizon Data Breach Investigations Report from 2019, 34% of the breaches involved an internal user. When employees know how to identify online attacks, prevent data theft, practice public access safety and implement password best practices, they are more likely to report potential risks.
Employee education can be one of the strongest lines of defense because employees learn to identify the tactics attackers use to infiltrate organizations. Provide training for employees on an annual or bi-annual basis. Keep them up-to-date on best practices, including:
- Email security when reading messages
- Email content, including what to send and not to send in emails
- How to safely search the internet, including social networks
- How to properly secure mobile devices
3. Have a Robust Backup in Place & Keep Backups Off-Site
Securing your Exchange server is not always just about software measures. If your company is the target of a malicious attack and incurs a data breach, having implemented a backup plan could be the difference between disaster and the continued operation of your business.
- Implement a comprehensive backup system
- Test your backups by simulating a mock disaster-and-recovery scenario
- Implement Microsoft approved backup solutions for your Exchange server
- If your servers are on premise, make sure your backups are off-site or stored in the cloud
For additional information, see Exchange Server: Use Windows Server Backup to back up and restore Exchange data
4. Make use of Exchange Server Security Tools
Microsoft has a set of tools designed to help tighten Exchange Server security against vulnerabilities. Putting these tools into practice helps reduce the likelihood of a server being compromised. Some of these tools include:
- Exchange HealthChecker: The Exchange Server Health Checker script helps detect common configuration issues that are known to cause performance issues and other long-running issues that are caused by configuration changes within an Exchange Server environment. It also collects useful information about the Exchange Server to help speed up common information gathering.
- Exchange Analyzer: A PowerShell tool designed to help IT professionals and administrators by scanning Exchange Server. It reports on a series of checks for common configuration issues. Based on the findings, implement recommended best practices.
- Attack Surface Analyzer 2.0: This tool can play an important role in ensuring that the software you develop or deploy doesn’t adversely affect the operating system security configuration by allowing you to scan for specific types of changes.
- Microsoft Safety Scanner: If you’re looking for malware, then this is Microsoft’s recommended tool. It’s designed to scan for any malware installed on your Windows environment and remove it.
- Microsoft Defender Antivirus: If you’re looking for additional protection that covers Exchange servers and endpoints, consider using Microsoft’s built-in tool. It’s an anti-virus/malware solution designed to help enterprise organizations prevent, detect, investigate, and respond to advanced threats.
- Microsoft Security Compliance Toolkit: The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.
5. Teach & Enforce Strong Password Policies
Easy passwords are easy access. Implement password best practices. Enforcing minimum password length and the use of unique characters is the best way to thwart brute force and password spraying attacks. For instance, passwords that have phrases like ‘mydogcharlie’ are more likely to be compromised by attackers, but are used often for simplicity by end-users.
If you’re an IT professional or administrator, consider implementing a password policy that requires users to create passwords with a combination of uppercase and lowercase letters, numbers, and characters.
6. Consider Blocklists & Reputation Filtering
IP allowlists and IP blocklists provide additional security by filtering messages from specific server IP addresses. For instance, if a server is known to spread spam or launch attacks, these lists can quickly establish whether a sending server is trustworthy. Further, configure secure messaging frameworks like the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) to help eliminate sources of illegitimate and potentially malicious content in messages.
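The following PowerShell sketch is an added example, not part of the original article or any Microsoft or Messageware tooling. It lints published SPF and DMARC TXT record strings for the weak settings that leave spoofed mail deliverable (DKIM is not covered); the function name Test-MailAuthRecord and the sample records are assumptions made for illustration.

```powershell
# Added example: lint SPF and DMARC TXT strings. Sample records are constructed.
function Test-MailAuthRecord {
    param([Parameter(Mandatory)] [string] $Record)
    $findings = New-Object System.Collections.Generic.List[string]
    $text = $Record.Trim().Trim('"')
    if ($text -match '^v=spf1(\s|$)') {
        $terms = @($text -split '\s+' | Select-Object -Skip 1)
        $all = $terms | Where-Object { $_ -match '^[+?~-]?all$' } | Select-Object -First 1
        if (-not $all) {
            if (-not ($terms -match '^redirect=')) {
                $findings.Add('SPF: no "all" term or redirect, so the result defaults to neutral')
            }
        } elseif ($all -match '^\+?all$') {
            $findings.Add('SPF: "+all" authorizes every host to send for the domain')
        } elseif ($all -eq '?all') {
            $findings.Add('SPF: "?all" is neutral, other hosts are not marked as failing')
        } elseif ($all -eq '~all') {
            $findings.Add('SPF: "~all" is softfail, receivers may still accept the message')
        }
    } elseif ($text -match '^v=DMARC1\s*;') {
        $tags = @{}
        foreach ($pair in ($text -split ';')) {
            $k, $v = $pair -split '=', 2
            if ($null -ne $v) { $tags[$k.Trim()] = $v.Trim() }
        }
        if ($tags['p'] -notin 'quarantine', 'reject') {
            $findings.Add("DMARC: p=$($tags['p']) does not act on failing mail")
        }
        if (-not $tags.ContainsKey('rua')) {
            $findings.Add('DMARC: no rua address, so aggregate reports are not collected')
        }
        if ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) {
            $findings.Add("DMARC: pct=$($tags['pct']) applies the policy to only part of the mail")
        }
    } else {
        $findings.Add('Not an SPF or DMARC record')
    }
    [pscustomobject]@{ Record = $text; Weak = ($findings.Count -gt 0); Findings = $findings -join '; ' }
}

# Constructed records: weak setting first, corrected form second.
@(
    'v=spf1 ip4:192.0.2.25 ?all'
    'v=spf1 ip4:192.0.2.25 -all'
    'v=DMARC1; p=none'
    'v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com'
) | ForEach-Object { Test-MailAuthRecord -Record $_ } | Format-List
# Live records: (Resolve-DnsName -Type TXT example.com).Strings, and the same for _dmarc.example.com
```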
7. Limit Administrative Access to Internal Users
Limiting administrative access to internal users is critical for Exchange server security. Remote access poses a significant risk if not properly implemented.
If remote access is essential, mitigate the risk by enforcing password standards and using multi-factor authentication and IP whitelists. When companies enable multi-factor authentication, especially for remote access, it prevents potential attackers from compromising accounts.
If your company has a BYOD policy, be sure to read: Rethinking BYOD Security with Exchange Outlook Web
8. Have Proper Off-Boarding Protocols
Ensuring a smooth off-boarding process is critical to maintaining the security of Exchange servers. Administrators or IT professionals should block access to Microsoft 365 services, wipe and block a former employee’s device, and disable the former employee’s user account.
These steps ensure that a former employee doesn’t have access once they have departed the company. Regular user audits help to avoid any floating accounts that make Exchange servers more vulnerable.
9. Audit Mailbox Activities
Preventing security breaches in Exchange servers requires monitoring for suspicious behavior, unauthorized changes and multiple unsuccessful logon attempts.
For a comprehensive audit, you need customizable reports and real-time alerting notifications, all of which are provided by Microsoft. For additional layers of protection, consider a third-party security solution for the Exchange Server. Messageware’s on-premise security software enhances Microsoft Exchange Server with a series of valuable endpoint, session, logon and in-application security products, built specifically for Exchange Server and also Outlook Web.
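The PowerShell sketch below is an added example, not code from the original article or from Microsoft or Messageware. It shows one way to turn "multiple unsuccessful logon attempts" into a concrete check that separates the brute force and password spraying patterns mentioned in section 5. It assumes failed logons are taken from Windows Security event 4625 with its TargetUserName and IpAddress fields; the function name Find-FailedLogonBurst, the thresholds and the sample events are constructed for illustration.

```powershell
# Added example; thresholds and sample events are constructed for illustration.
function Find-FailedLogonBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # TimeCreated, TargetUserName, IpAddress
        [int] $WindowMinutes = 10,
        [int] $BruteForceThreshold = 5,   # failures on one account from one source
        [int] $SprayThreshold = 4         # distinct accounts tried from one source
    )
    foreach ($src in ($Events | Group-Object IpAddress)) {
        $sorted = @($src.Group | Sort-Object TimeCreated)
        $maxUsers = 0; $maxPerUser = 0; $worstUser = $null
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            # Sliding window: failures from this source within $WindowMinutes of event $i
            $end = $sorted[$i].TimeCreated.AddMinutes($WindowMinutes)
            $window = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.TimeCreated -le $end })
            $byUser = @($window | Group-Object TargetUserName | Sort-Object Count -Descending)
            if ($byUser.Count -gt $maxUsers) { $maxUsers = $byUser.Count }
            if ($byUser[0].Count -gt $maxPerUser) {
                $maxPerUser = $byUser[0].Count; $worstUser = $byUser[0].Name
            }
        }
        if ($maxUsers -ge $SprayThreshold) {
            [pscustomobject]@{ Source = $src.Name; Pattern = 'PasswordSpray'
                               Detail = "$maxUsers accounts within $WindowMinutes min" }
        }
        if ($maxPerUser -ge $BruteForceThreshold) {
            [pscustomobject]@{ Source = $src.Name; Pattern = 'BruteForce'
                               Detail = "$maxPerUser failures for $worstUser within $WindowMinutes min" }
        }
    }
}

# Constructed sample: a brute-force source, a spraying source, and one user mistyping.
$t0 = [datetime]'2024-01-01T09:00:00'
$users = 'bob', 'carol', 'dave', 'erin'
$new = { param($sec, $user, $ip)
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds($sec); TargetUserName = $user; IpAddress = $ip } }
$sample = @(
    0..5 | ForEach-Object { & $new (20 * $_) 'alice' '203.0.113.10' }
    0..3 | ForEach-Object { & $new (60 + 30 * $_) $users[$_] '198.51.100.7' }
    & $new 0 'frank' '192.0.2.5'
    & $new 45 'frank' '192.0.2.5'
)
Find-FailedLogonBurst -Events $sample | Format-Table -AutoSize

# Live input (elevated session): map Security event 4625 to the same shape.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ForEach-Object {
#     $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     [pscustomobject]@{ TimeCreated = $_.TimeCreated; TargetUserName = $d.TargetUserName; IpAddress = $d.IpAddress } }
```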
10. Security Audits and Penetration Testing
Another way to audit the security of your Exchange Server is to perform penetration testing. Penetration tests are simulated attacks on your server. During this process, exploitable vulnerabilities are detected. Insights gained are used to harden systems, patch vulnerabilities, and discover other weaknesses.
While Microsoft doesn't offer this test for your company, you can still reach out to Microsoft's approved testing partners.
Reach out to Messageware to improve Microsoft Exchange Server Security
If you are not protecting all the protocols used by your Exchange Server, you’re putting your company at a higher risk of a data breach.
Security incidents happen frequently. They cause disruption, loss of data and potentially risk the reputation of your company. However, if you implement these steps, you’re doing more than most other companies.
Have you heard about Messageware’s EPG that offers advanced Exchange Server security to protect organizations from a variety of logon and password attacks, as well as extensive real-time reporting and alerts of suspicious logon activity? Learn more about Messageware’s Microsoft Exchange Server security products.