Keep Exchange Secure: A Checklist


March 1, 2023

secure your Exchange e-mail server

It’s impossible to imagine modern business without e-mail. While your users may scoff at the idea of a fax or a hard-line phone, in the background your IT department is working to make sure the e-mail systems your business relies upon continue to function smoothly, both at the moment of sending and receiving and for long-term archiving and retrieval.

A key element of a functional Exchange server is security. E-mail is an easy route for phishing, social engineering, and malware to enter your environment. It is also an attractive path for an attacker to reach confidential information.

E-mail security can often be brushed off as unimportant. It’s just e-mail after all, right? Except those e-mails may contain business decisions that are strategic and not public information. They might contain transaction information, like a payment authorization form, or personal identifying information, which can land your organization in legal hot water if it is breached.

To maintain Exchange server security and the integrity of your business e-mail, follow this security checklist.


1) Maintain strong password requirements

We’ve talked quite a bit about passwords before, so this is old news…right?

Either way, you’ll want to use the Active Directory password policy setting that enforces complex passwords, setting a minimum length and requiring special characters and numbers. In addition, you’ll want to automatically expire passwords after a certain period to encourage users to come up with fresh ones periodically.
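The following is an added example, not code from the original post or from Green House Data: it reviews and sets the domain-wide password policy described above with the ActiveDirectory PowerShell module, then lists the accounts that silently bypass the expiry rule. The numeric values (length, expiry, lockout) are assumptions to be replaced with your own policy.

```powershell
# Added example (not from the original post): review and set the default domain
# password policy with the ActiveDirectory module (RSAT), run from an elevated
# prompt as a domain administrator. All numeric values below are assumptions.
Import-Module ActiveDirectory

# Query the current domain instead of hard-coding a name
$domain = (Get-ADDomain).DNSRoot

# Record the policy in force before changing anything
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge,
                  PasswordHistoryCount, LockoutThreshold

# Splatting keeps each setting on its own commented line
$policy = @{
    Identity                    = $domain
    ComplexityEnabled           = $true                    # mix of upper, lower, digit, special
    MinPasswordLength           = 14                       # assumed character minimum
    MaxPasswordAge              = (New-TimeSpan -Days 90)  # assumed expiry period
    MinPasswordAge              = (New-TimeSpan -Days 1)   # stops cycling straight back to an old one
    PasswordHistoryCount        = 24                       # remembered passwords that cannot be reused
    LockoutThreshold            = 10                       # failed attempts before lockout
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled = $false                   # never store recoverable passwords
}
Set-ADDefaultDomainPasswordPolicy @policy

# Check: accounts flagged "password never expires" are exempt from MaxPasswordAge.
# List the enabled ones so each can be justified (service account) or fixed.
Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet |
    Sort-Object PasswordLastSet
```

The final query is the check most audits miss: the expiry rule only helps if the exemption list is short and reviewed, so run it on a schedule and track any account whose PasswordLastSet is older than the MaxPasswordAge you chose.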


2) Create an e-mail policy for use, access, and administration

This document is a set of guidelines for everyone who uses and administrates e-mail in your organization. It should contain the following sections:

  • Introduction with overall goals
  • Scope of the policy, including the users, employees, hardware, and software covered by it
  • The job titles and responsibilities of those who will administrate according to the policy
  • Policy statements covering e-mail access, mobile devices, password requirements, encryption, attachments, spam, sensitive information, and archiving
  • Any exceptions allowed to the general policy rules, if there are high-up individuals or departments that may be exempt
  • Procedures that describe how the policies will be enforced and how compliance will be benchmarked and evaluated
  • Any references to specific compliance or security standards as well as related documents within your organization
  • Revisions made to the document as it changes over time


3) Enforce a mobile access policy

Users are going to access their e-mail on the go, and you want them to for the sake of productivity, but don’t be naïve about the security risks. Mobile devices go missing or are stolen frequently.

Be sure to train your users on securely accessing sensitive company data over their phone, tablet, or laptop, including how to judge the security of a public wireless connection (if you even allow access over public Wi-Fi).

Configure a mobile policy and your server settings with access and security settings you are comfortable with. For example, Green House Data staff must allow the company to remotely wipe their device and must set a PIN code for their lock screen. Make sure your policies account for who has access rights, what happens if a device is lost or stolen, and what happens when someone leaves the company and still has access to Exchange.
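The following is an added example, not code from the original post or from Green House Data: it shows how the requirements just described (device PIN, remote wipe, cut-off for leavers) map onto an Exchange ActiveSync mobile device mailbox policy, run from the Exchange Management Shell. The policy name, mailbox name, notification address and numeric limits are assumptions.

```powershell
# Added example (not from the original post): Exchange ActiveSync settings that
# enforce the mobile policy described above. Names and limits are assumptions.

# 1. Create the policy: require a non-trivial device PIN, lock after idle time,
#    wipe after repeated bad PINs, require storage encryption, and refuse devices
#    that cannot enforce these settings. IsDefault applies it to new mailboxes.
New-MobileDeviceMailboxPolicy -Name 'Corp-Mobile' `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false `
    -IsDefault $true

# 2. Assign it to an existing mailbox (assumed user 'jsmith').
Set-CASMailbox -Identity 'jsmith' -ActiveSyncMailboxPolicy 'Corp-Mobile'

# 3. Quarantine devices nobody has approved, so "who has access rights" is a
#    decision an admin makes rather than a default. Assumed notification address.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'it-security@example.com'

# 4. Lost or stolen device: list the user's partnered devices, then wipe the one
#    reported missing. The wipe executes the next time that device syncs.
Get-MobileDeviceStatistics -Mailbox 'jsmith' |
    Select-Object DeviceId, DeviceType, LastSuccessSync, DeviceWipeRequestTime

$lostDeviceId = '<DeviceId from the listing above>'   # placeholder, fill in before running
Get-MobileDevice -Mailbox 'jsmith' |
    Where-Object { $_.DeviceId -eq $lostDeviceId } |
    Clear-MobileDevice -NotificationEmailAddresses 'it-security@example.com'

# 5. Leaver: stop ActiveSync for the mailbox so an enrolled phone can no longer
#    pull mail, then drop its device partnerships so they cannot be re-enabled
#    by accident.
Set-CASMailbox -Identity 'jsmith' -ActiveSyncEnabled $false
Get-MobileDevice -Mailbox 'jsmith' | Remove-MobileDevice -Confirm:$false
```

Step 4 is only as good as the listing it depends on: DeviceWipeRequestTime tells you a wipe was queued, not that it completed, so a device that never syncs again (SIM pulled, powered off) should still be treated as compromised, which is where the leaver steps in 5 and the account password change from the first checklist item come in.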