Microsoft Exchange is the most common email server solution used by private businesses, government organizations, and educational institutions across all sectors. It holds the most valuable and confidential information, making it the top target in the lists of various state-sponsored and financially motivated threat actors.
In recent times, malicious attacks on Exchange Server have substantially increased—undermining the Exchange Server security. Although Microsoft releases monthly security updates and quarterly Cumulative Updates to patch the vulnerabilities, more than 20,000 Exchange Servers are still vulnerable to ProxyShell and ProxyLogon (better known as Hafnium) attacks.
To protect the Exchange Server from ongoing malicious attacks and newer threats, you must strengthen the server security by following the best practices discussed below.
Best Practices to Strengthen Microsoft Exchange Server Security
By following these best practices, administrators can secure their Exchange servers from cyber-attacks, unauthorized access, malware, and viruses.
1. Update Exchange Server
For cybercriminals, it is easier to exploit a vulnerable Exchange server and steal confidential data or compromise the network that can halt the business activities and put your organization at risk.
By installing the Security and Cumulative Updates released by Microsoft, you can patch these vulnerabilities and safeguard your servers from malicious attacks to a significant extent.
Ideally, you should install the updates as they arrive to stay protected from cyber-attacks. But updating Exchange Server takes time and requires planning that can delay the update process. To tackle this situation, Microsoft released a new Exchange Mitigation Service with September 2021 Cumulative Update that provides temporary protection against newer threats—providing enough time to the organization for updating the server.
However, you should expedite the update process as more threat actors become active after Microsoft releases the patches. In addition to Exchange Server updates, you should also update the Windows Server operating system and other third-party software, including plug-ins (if any), as soon as possible to safeguard your servers from various known and unknown threats.
2. Analyze Server Health and Security
It’s is highly advisable to check and review the server security and health status periodically. For this, there was an Exchange Best Practices Analyzer (EBPA) tool maintained by Microsoft. Although it is no longer available for newer Exchange versions, you can still download and use this Exchange Analyzer tool available for Exchange 2013 and 2016.
You can also download and use the Health Checker tool released by Microsoft to check server health. It helps detect vulnerabilities, common configuration issues known to cause performance issues. The script is recommended before and after installing an update, adding a server to DAG, or performing other major administrative tasks.
To use it, download the HealthChecker.ps1 script and use Command Prompt, PowerShell, or Exchange Management Shell to run the script. The command is as follow,
This creates a detailed HTML file at the same location where the script is located. You can open the HTML file to check the vulnerabilities and fix them by following the recommendations mentioned.
3. Enforce Strict Password Policy
Enforce users to change their passwords after a certain duration, such as after a month or 45 days. Ideally, you should implement the shortest timeframe possible for password change.
Also, prevent users from reusing their old passwords and implement a password complexity policy to enforce users to create a strong and unique password using a combination of uppercase/lowercase letters, numbers, and special characters.
4. Implement Multifactor Authentication
To further fortify authentication and prevent malicious actors from logging into OWA or ECP through brute-force or phishing attacks, enable 2-Factor Authentication or Multi-Factor Authentication (MFA).
This will safeguard user mailboxes from unauthorized access and protect user accounts even if users use weak passwords or reuse the same passwords for other websites.
5. Review and Update Allow List and Blocklist
You should regularly check and update the blocklists and allow lists. This will help you allow or block messages or communications from specific IP addresses. Enable Windows Firewall on Exchange server. By default, the Exchange setup automatically adds rules to the Windows Firewall when you install the Exchange server. Many blogs and articles online suggest disabling the Windows Firewall and relying on the network firewall. However, disabling the firewall could be dangerous and can put your Exchange server at greater risk.
6. Use VPN for Secure Remote Access
You should always use a secure network to access your mailboxes and Exchange Server remotely. Never use public networks or Wi-Fi hotspots, as it can leak your credentials and put your server at risk. Install and use secure VPN software to access your server network remotely. Also, install and use SSL certificate obtained from a Certificate Authority (CA) for external services, such as OWA, Outlook Anywhere, ActiveSync, etc. It will help secure the server from attackers and ensure data transmitted to or from the server is encrypted and can’t be intercepted or traced by threat actors.
7. Access Control
Auditing access control is also a critical task to keep a check on user accounts with administrator privileges. Exchange Server is based on the Role-Based Access Control (RBAC) permission model. Use RBAC to grant permissions to users and administrators based on the principles of least privilege and separation of tasks or duties. You may also grant temporary permissions for specific tasks and revoke them once the task is done. This will help keep a check on the access control.
8. Educate and Train Users
To reduce the risk of phishing attacks, it is important to educate and train users or employees in your organization to identify phishing emails. You may also enforce a policy to disable hyperlinks received in the emails to prevent users from downloading an infected file or malware from the internet. You may also add a banner to emails received from outside your organization to inform users.
9. Implement Backup and Restoration Policies
Backups are critical. They come in handy when the database gets damaged or the server crashes after a malicious attack or hardware and software failure.
In Exchange, you can use Windows Server Backup or any third-party Exchange-aware backup utility to create Volume Shadow Copy Service-based (VSS) backups. Label the backup correctly and verify it to ensure it’s going to work when needed.
It is recommended to back up Exchange Server at the volume level containing both database and logs at a network location. Also, follow the 3-2-1 backup rule to reduce the risk of a single point of failure.
NOTE: Keep an Exchange recovery software, such as Stellar Repair for Exchange, handy as it will help you restore mailboxes when the backup gets damaged or fails to restore data when required. The software can extract mailboxes from corrupt or damaged database (.edb) files and help you recover mailboxes in the event of database or server failure, server breakdown after a malicious attack. It is a reliable solution to directly restore mailboxes from corrupt or inaccessible databases to a live Exchange server or Office 365 tenant.
Follow the best practices discussed in this article to fortify and strengthen your on-premises Exchange Server security, protect the server and confidential information from theft or malicious attacks. The most important practice is to keep the Exchange Server updated with the latest Cumulative and Security Updates. Also, use the Health Checker script once in a while to keep a check on Exchange Server health, issues, and any vulnerabilities. Also, keep an Exchange recovery tool installed as it comes in handy when you need to recover data or mailboxes from your Exchange server database in case any disaster strikes.
16,143 views last month, 371 views today