Because Microsoft Exchange is so often targeted by ransomware gangs and other threat actors, it’s critical to do everything possible to secure your Exchange environment. For organizations that still host some or all of their Exchange servers on-premises, it’s doubly important: those servers are typically reachable from the internet, and you, not Microsoft, are responsible for keeping them patched and configured safely.
Recommendations regarding the security of your Exchange systems aren’t much different from the advice your doctor prescribes to maintain a healthy lifestyle. You know the drill: eat a well-balanced diet, don’t smoke, limit your alcohol intake, get a good night’s sleep, and exercise a minimum number of times a week.
Similarly, the recommended strategy to secure your Exchange servers includes a list of pragmatic steps that, like your doctor’s advice, you’ve probably heard before. That’s because they work.
The adage goes that repetition is the mother of learning and the father of action. “Keep your systems patched and up to date” may seem like an overstated mantra, but ransomware gangs and other threat actors keep exploiting the same well-known vulnerabilities (CVEs) year after year, because enough servers are still missing the fixes.
Several of the most abused were published back in 2021: CVE-2021-26855 (the ProxyLogon server-side request forgery) and CVE-2021-34473 and CVE-2021-31207 (two links of the ProxyShell chain). Microsoft shipped fixes for all three in the first half of 2021, yet internet-facing servers that never received them are still common today, giving external threat actors a clearly defined path onto the server. (Microsoft publishes a complete list of Exchange Server updates and build numbers.) Of course, patching your Exchange server also includes the underlying Windows Server OS that hosts it. One caveat that trips people up: Exchange security updates are only released for the currently supported cumulative updates, so a server sitting on an old CU must first be brought to a current CU before the latest security update will even install.
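The following is an added example, not code from the original article: a PowerShell report, run from the Exchange Management Shell, that shows the exact Exchange build on every server (read from the file version of ExSetup.exe, which changes with each cumulative update and each security update, unlike the AdminDisplayVersion attribute) alongside the date of the most recent Windows hotfix. The `$MinimumBuild` parameter deliberately has no default; take the current patched build for your CU from Microsoft’s build-number list and pass it in. The 45-day hotfix threshold is an assumption.

```powershell
# Added example; not code from the original article.
# $MinimumBuild: the patched Exchange build for your CU (from Microsoft's build list).
# $MaxHotfixAgeDays: assumed threshold for "Windows patching is stale".
param(
    [Parameter(Mandatory)][version]$MinimumBuild,
    [int]$MaxHotfixAgeDays = 45
)

# Runs on each Exchange server: ExSetup.exe's product version is the real installed build
$probe = {
    $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    $hotfix  = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        Build        = (Get-Item $exsetup).VersionInfo.ProductVersion
        LastHotfix   = $hotfix.HotFixID
        LastHotfixOn = $hotfix.InstalledOn
    }
}

$report = foreach ($srv in Get-ExchangeServer | Sort-Object Name) {
    try {
        $r     = Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock $probe -ErrorAction Stop
        $build = [version]$r.Build
        [pscustomobject]@{
            Server          = $srv.Name
            Roles           = $srv.ServerRole
            Build           = $build
            ExchangePatched = $build -ge $MinimumBuild
            LastHotfix      = $r.LastHotfix
            OsPatchStale    = (-not $r.LastHotfixOn) -or
                              (((Get-Date) - $r.LastHotfixOn).TotalDays -gt $MaxHotfixAgeDays)
        }
    } catch {
        # Unreachable server: report it rather than silently dropping it from the list
        [pscustomobject]@{
            Server = $srv.Name; Roles = $srv.ServerRole; Build = $null
            ExchangePatched = 'unknown'; LastHotfix = $null; OsPatchStale = 'unknown'
        }
    }
}

$report | Format-Table -AutoSize

# Everything that is not demonstrably current goes to the next maintenance window
$report | Where-Object { $_.ExchangePatched -ne $true -or $_.OsPatchStale -ne $false } |
    Export-Csv -Path .\exchange-patch-gaps.csv -NoTypeInformation
```

A server whose `ExchangePatched` column reads `unknown` is not a pass; an Exchange server you cannot reach over PowerShell remoting from your management host is its own finding.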
Multifactor authentication isn’t just for Office 365. You should require MFA for Outlook on the web (OWA) and Exchange admin center (EAC) logins. On-premises Exchange has supported this since Exchange 2013 through AD FS claims-based authentication (and, for hybrid deployments, Hybrid Modern Authentication); third-party providers can also be placed in front of OWA. MFA adds a second layer of security should a user or admin credential be phished, cracked or otherwise compromised by an imposter. All it takes is one compromised account with elevated privileges for an attacker to begin staging a ransomware attack with a Trojan or backdoor. Keep in mind that MFA on the web endpoints does nothing for protocols that still accept a bare password, such as Basic authentication over Exchange Web Services, ActiveSync, POP or IMAP; disable the ones you don’t use.
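As an added example (not from the original article), the Exchange Management Shell steps for the AD FS path described above: first audit which authentication methods the OWA and ECP virtual directories still accept, then hand their sign-in over to AD FS, where your MFA policy is enforced. The AD FS issuer URL, audience URIs and token-signing certificate thumbprint are assumed placeholders, and the script assumes the relying party trusts for OWA and ECP already exist on the AD FS side. Test on one server before running it organization-wide.

```powershell
# Added example; not code from the original article.
# Assumes AD FS is deployed with relying party trusts for /owa and /ecp and an MFA policy.

# 1. Audit: any directory still allowing Basic, Forms or Windows auth is reachable with a password alone
Get-OwaVirtualDirectory | Select-Object Server, Name, BasicAuthentication, FormsAuthentication,
    WindowsAuthentication, AdfsAuthentication | Format-Table -AutoSize
Get-EcpVirtualDirectory | Select-Object Server, Name, BasicAuthentication, FormsAuthentication,
    WindowsAuthentication, AdfsAuthentication | Format-Table -AutoSize

# 2. Organization-wide AD FS settings (all values are placeholders for your environment)
$adfsIssuer = 'https://adfs.contoso.example/adfs/ls/'
$audiences  = 'https://mail.contoso.example/owa/', 'https://mail.contoso.example/ecp/'
$signCert   = 'THUMBPRINT-OF-ADFS-TOKEN-SIGNING-CERT'
Set-OrganizationConfig -AdfsIssuer $adfsIssuer -AdfsAudienceUris $audiences `
    -AdfsSignCertificateThumbprint $signCert

# 3. Switch every OWA and ECP virtual directory to AD FS and turn off the password-only methods
foreach ($vdir in Get-OwaVirtualDirectory) {
    Set-OwaVirtualDirectory -Identity $vdir.Identity -AdfsAuthentication $true `
        -BasicAuthentication $false -DigestAuthentication $false `
        -FormsAuthentication $false -WindowsAuthentication $false
}
foreach ($vdir in Get-EcpVirtualDirectory) {
    Set-EcpVirtualDirectory -Identity $vdir.Identity -AdfsAuthentication $true `
        -BasicAuthentication $false -DigestAuthentication $false `
        -FormsAuthentication $false -WindowsAuthentication $false
}

# 4. IIS must be restarted on each server for the new settings to take effect
Get-ExchangeServer | ForEach-Object {
    Invoke-Command -ComputerName $_.Fqdn -ScriptBlock { iisreset /noforce }
}
```

After the change, re-run the audit from step 1 and confirm that every row shows `AdfsAuthentication` as `True` and the other columns as `False`; a single server left on forms authentication is the one attackers will find.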
We all know the importance of configuring the perimeter firewall to restrict inbound and outbound traffic to only what the server’s role requires, such as SMTP (TCP 25) from your mail gateways and HTTPS (TCP 443) for OWA, ActiveSync, Outlook Anywhere and MAPI over HTTP. While this is critically important, don’t forget the host-based Windows Defender Firewall with Advanced Security built into the server’s operating system. It protects Exchange from attacks launched from within the internal network, for example from a workstation an attacker has already compromised, and it is where you scope remote management (RDP, WinRM) to your admin subnet. One caveat: Exchange Setup creates its own inbound rules, and Microsoft does not support restricting traffic between Exchange servers or between Exchange and domain controllers, so leave those rules, and that traffic, alone.
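The following is an added example, not from the original article, of the host-firewall hardening described above: enable the firewall on every profile with default-deny inbound, replace the wide-open built-in RDP and WinRM rules with rules scoped to an admin subnet, and then list every remaining inbound allow rule with its port and source scope for review. The admin subnet and log path are assumed placeholders; the rules Exchange Setup created are not touched.

```powershell
# Added example; not code from the original article.
# $adminSubnet is an assumed placeholder for your admin workstation / jump-host range.
$adminSubnet = '10.10.50.0/24'

# 1. Firewall on for all profiles, default deny inbound, log dropped packets for the SOC
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 32767 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Remote management only from the admin subnet: disable the built-in any-source
#    groups and add scoped replacements. (Exchange Management Shell uses the IIS
#    PowerShell virtual directory on 80/443, not WinRM 5985, so it is unaffected.)
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management'
New-NetFirewallRule -DisplayName 'Mgmt: RDP from admin subnet' -Direction Inbound -Profile Domain `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $adminSubnet -Action Allow
New-NetFirewallRule -DisplayName 'Mgmt: WinRM from admin subnet' -Direction Inbound -Profile Domain `
    -Protocol TCP -LocalPort 5985,5986 -RemoteAddress $adminSubnet -Action Allow

# 3. Review: what can still reach this server, on which port, from where?
#    Any rule with RemoteAddress = Any that is not one of Exchange's own deserves a second look.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Group         = $_.DisplayGroup
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')
    }
} | Sort-Object Protocol, LocalPort | Format-Table -AutoSize
```

Run step 3 again after every CU install, since Exchange Setup may re-create or re-enable rules, and keep the dropped-packet log feeding your SIEM: a burst of blocked inbound connections from a client subnet to an Exchange server is an early sign of internal reconnaissance.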
Exchange servers rely on TLS certificates for OWA, the admin center, Exchange Web Services, ActiveSync, Outlook Anywhere (RPC over HTTP) and MAPI over HTTP connections. These certificates ensure that the information transmitted to and from the server is encrypted and can’t be read if intercepted. While recent versions of Exchange do install a self-signed certificate by default as part of the installation process, the self-signed certificate should only be viewed as a temporary measure for the client-facing services. You should bind a certificate from a trusted certificate authority to IIS and SMTP before the server is placed into production. A trusted certificate lets clients verify the identity of the server they are talking to, which a self-signed one cannot do: clients either warn the user every time, or, worse, are configured to ignore the warning, at which point anyone on the path can impersonate the server. Don’t delete the default self-signed certificate, though; Exchange still uses it for server-to-server and back-end communication.
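As an added example (not from the original article), the Exchange Management Shell sequence for the replacement described above: audit what is bound today, generate a certificate request whose private key never leaves the server, import the CA-issued certificate, bind it to IIS and SMTP, and finally verify the chain the way a client would. Server name, hostnames, organization and file paths are assumed placeholders.

```powershell
# Added example; not code from the original article.
# All names and paths below are placeholders for your environment.
$server  = 'EX01'
$names   = 'mail.contoso.example', 'autodiscover.contoso.example'   # every name clients use
$reqPath = '\\fileserver\certs\ex01.req'
$cerPath = '\\fileserver\certs\ex01.cer'

# 1. Audit: which certificate serves IIS (OWA/EAC/EWS/MAPI/EAS) and SMTP, and is it self-signed?
Get-ExchangeCertificate -Server $server |
    Select-Object Thumbprint, IsSelfSigned, NotAfter, Services, CertificateDomains |
    Format-Table -AutoSize

# 2. Request: the private key is generated on the server; only the CSR goes to the CA
$csr = New-ExchangeCertificate -Server $server -GenerateRequest -PrivateKeyExportable $true `
    -FriendlyName 'Exchange client access TLS' `
    -SubjectName "CN=$($names[0]),O=Contoso,C=US" -DomainName $names -KeySize 2048
[System.IO.File]::WriteAllBytes($reqPath, [System.Text.Encoding]::Unicode.GetBytes($csr))

# 3. After the CA issues it: import, then bind to the client-facing services.
#    -Force suppresses the prompt about replacing the SMTP binding; the default
#    self-signed certificate stays installed for internal use.
$cert = Import-ExchangeCertificate -Server $server -FileData ([System.IO.File]::ReadAllBytes($cerPath))
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# 4. Verify from the client's point of view: a real TLS handshake against the public name.
#    AuthenticateAsClient throws if the chain is untrusted or the name does not match.
$tcp = New-Object System.Net.Sockets.TcpClient($names[0], 443)
$tls = New-Object System.Net.Security.SslStream($tcp.GetStream())
$tls.AuthenticateAsClient($names[0])
"{0} via {1}, expires {2}" -f $tls.RemoteCertificate.Subject, $tls.SslProtocol,
    $tls.RemoteCertificate.GetExpirationDateString()
$tcp.Close()
```

Step 4 is the part most people skip; the audit in step 1 tells you what Exchange thinks is bound, while the handshake tells you what a client actually receives, and the two can disagree when a load balancer or reverse proxy terminates TLS in front of the server.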
Microsoft provides several tools that offer valuable insight into whether your Exchange servers are configured securely. Best Practices Analyzer (BPA) is a server management tool built into Windows Server since Windows Server 2008 R2 (the Exchange-specific ExBPA was retired after Exchange 2010); it quickly flags best-practice violations for each installed server role, including the Web Server (IIS) role that Exchange depends on. The Exchange team’s own HealthChecker.ps1 script, published in the microsoft/CSS-Exchange GitHub repository, checks build level, missing security updates, TLS settings and known vulnerability mitigations, and is worth running after every patch cycle. Security Compliance Manager (SCM) was retired by Microsoft in 2017; its successor, the Security Compliance Toolkit (SCT), delivers Microsoft’s security baselines as Group Policy objects along with a Policy Analyzer to compare your servers against them. These baselines codify recognized hardening practice; they are evidence toward, not proof of, compliance with a given regulatory requirement.
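An added example, not from the original article, showing how to drive the built-in BPA from PowerShell rather than clicking through Server Manager: scan every model installed on the local server and keep only findings above informational severity, saving a dated copy so that drift between patch cycles can be compared. It uses the BestPractices module that ships with Windows Server; on Windows Server 2008 R2 the model parameter is named `-ModelId` instead.

```powershell
# Added example; not code from the original article.
Import-Module BestPractices

$findings = foreach ($model in Get-BpaModel) {
    # Invoke-BpaModel performs the scan; Get-BpaResult reads the stored results
    Invoke-BpaModel -BestPracticesModelId $model.Id -ErrorAction SilentlyContinue | Out-Null
    Get-BpaResult -BestPracticesModelId $model.Id -ErrorAction SilentlyContinue |
        Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded }
}

$findings |
    Sort-Object Severity, ModelId |
    Select-Object ModelId, Severity, Category, Title, Resolution |
    Format-Table -Wrap -AutoSize

# Dated copy: diff against the previous run to catch configuration drift
$findings | Export-Csv -Path ".\bpa-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Treat BPA as a floor, not a ceiling: it knows about Windows roles, not about Exchange-specific exposure, which is what HealthChecker.ps1 and the SCT baselines cover.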
Finally, remember to back up your system regularly. Regardless of how thorough your security measures may be, assume that your Exchange server will be compromised at some point. In the event of a ransomware attack, the ability to restore the host server, the Exchange configuration (most of which lives in Active Directory) and the mailbox databases quickly is essential. Use an Exchange-aware (VSS-based) backup so that the databases are captured in a consistent state and transaction logs are truncated, keep at least one copy offline or immutable, since ransomware operators go after reachable backups first, and test your restore process on a regular schedule rather than discovering its gaps on the day you need it.
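The following is an added example, not from the original article, covering both halves of that advice: a check that flags mailbox databases whose last Exchange-aware full backup is older than a threshold, and a restore drill that mounts a restored database copy as a recovery database and copies one mailbox into a side folder of a test account, which proves the backup is usable without touching production data. The age threshold, server name, paths, log prefix and mailbox names are assumed placeholders.

```powershell
# Added example; not code from the original article.
# Part 1: backup freshness. $maxAgeDays is an assumed threshold.
$maxAgeDays = 1

Get-MailboxDatabase -Status | ForEach-Object {
    $last = $_.LastFullBackup
    [pscustomobject]@{
        Database       = $_.Name
        Server         = $_.Server
        LastFullBackup = $last
        Stale          = (-not $last) -or (((Get-Date) - $last).TotalDays -gt $maxAgeDays)
        BackupRunning  = $_.BackupInProgress
    }
} | Format-Table -AutoSize

# Part 2: restore drill. Assumes your backup product has already restored the
# database files to these paths (placeholders) on server EX01.
$rdbName = 'RDB-Drill'
$edbPath = 'D:\Restore\DB01\DB01.edb'
$logPath = 'D:\Restore\DB01'
$eseutil = Join-Path $env:ExchangeInstallPath 'bin\eseutil.exe'

# Replay the restored logs ("E00" is the log prefix, assumed) and insist on clean shutdown
& $eseutil /R E00 /l $logPath /d (Split-Path $edbPath)
if (-not ((& $eseutil /mh $edbPath) -match 'Clean Shutdown')) {
    throw 'Restored database is not in clean shutdown; the backup set is incomplete.'
}

# Mount it as a recovery database: invisible to users, no mailboxes get rehomed
New-MailboxDatabase -Recovery -Name $rdbName -Server 'EX01' `
    -EdbFilePath $edbPath -LogFolderPath $logPath
Mount-Database -Identity $rdbName

# Copy one mailbox into a dedicated folder of a test account and watch it complete
New-MailboxRestoreRequest -SourceDatabase $rdbName -SourceStoreMailbox 'Restore Test User' `
    -TargetMailbox 'drill.target@contoso.example' -TargetRootFolder 'RestoreDrill'
Get-MailboxRestoreRequest | Get-MailboxRestoreRequestStatistics |
    Select-Object Name, Status, PercentComplete, ItemsTransferred

# Clean-up once the drill is verified (left commented so nothing is removed by accident):
# Get-MailboxRestoreRequest | Remove-MailboxRestoreRequest -Confirm:$false
# Dismount-Database -Identity $rdbName -Confirm:$false
# Remove-MailboxDatabase -Identity $rdbName -Confirm:$false
```

Record the wall-clock time from “files restored” to “mailbox readable” each time you run the drill; that number, not the existence of a backup job, is what your recovery time objective is measured against.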