Keep Exchange Secure: A Checklist
It’s impossible to imagine modern business without e-mail. While your users may scoff at the idea of a fax or hard line phone, in the background your IT department is working to make sure the e-mail systems your business relies upon continue to function smoothly, both in the moment of sending and receiving and for long term archive and retrieval.
A key element of a functional Exchange server is security. E-mail is an easy route for phishing, social engineering, and malware to enter your environment. It’s also a great way to access confidential information.
E-mail security can often be brushed off as unimportant. It’s just e-mail after all, right? Except those e-mails may contain business decisions that are strategic and not public information. They might contain transaction information, like a payment authorization form, or personal identifying information, which can land your organization in legal hot water if it is breached.
To maintain Exchange server security and the integrity of your business e-mail, follow this security checklist.
1) Maintain strong password requirements
We’ve talked quite a bit about passwords before, so this is old news…right?
Either way, you’ll want to use the Active Directory setting to Enforce Complex Passwords, setting a character minimum and requiring special characters and numbers. In addition, you’ll want to automatically expire passwords after a certain period to encourage users to come up with fresh ones periodically.
2) Create an e-mail policy for use, access, and administration
This document is a set of guidelines for everyone who uses and administrates e-mail in your organization. It should contain the following sections:
- Introduction with overall goals
- Scope of the policy, including the users, employees, hardware, and software covered by it
- The job titles and responsibilities of those who will administrate according to the policy
- Policy statements covering e-mail access, mobile devices, password requirements, encryption, attachments, spam, sensitive information, and archiving
- Any exceptions allowed to the general policy rules, if there are high-up individuals or departments that may be exempt
- Procedures that describe how the policies will be enforced and how compliance will be benchmarked and evaluated
- Any references to specific compliance or security standards as well as related documents within your organization
- Revisions made to the document as it changes over time
3) Enforce a mobile access policy
Users are going to access their e-mail on-the-go, and you want them to for the sake of productivity, but don’t be naïve about the security risks. Mobile devices go missing or are stolen frequently.
Be sure to train your users on securely accessing sensitive company data over their phone, tablet, or laptop, including how to judge the security of a public wireless connection (if you even allow access over public wifi).
Configure a mobile policy and your server settings with access and security settings you are comfortable with. For example, Green House Data staff must allow access to remotely wipe their device and set a pin code for their unlock screen. Make sure your policies account for who has access rights, what happens if a device is lost or stolen, what happens when someone leaves the company and still has access to Exchange.
4) INSTALL PATCHES AS SOON AS THEY ARE RELEASED
It can be nerve wracking to patch and update such a critical service, but with hosted Exchange it is easy to create a snapshot and roll back if necessary. Critical security patches must be installed as soon as possible to avoid exploits.
A monthly or biweekly patch schedule is recommended. If you miss a patch, keep a tracking sheet for what you need to install on the next go around. This way you are at least aware of potential vulnerabilities.
5) Perform regular audits of Exchange logs
Exchange Servers can create a wide variety of log files that administrators should review at regular intervals to troubleshoot and analyze performance or potential security threats. These logs are often paired with Windows event logs, services logs, and Internet Information Services logs to provide a clearer picture of what is happening on your Exchange server. You can learn more about how to call up and analyze these logs in this article.
Use a third party tool to search for keywords like “fail” or “error” within your logs. Some software vendors and freeware can be found here. Check each event that caused a failure or error to see if there is a recurring underlying issue.
Look at the log files themselves. Is one month much larger than another one? What might be the underlying cause? Log audits can be a time consuming task. If you don’t have the manpower, consider outsourcing.
6) Secure any other software on the server
If your Exchange server is pulling double duty — say, as an FTP server or a web host — you must patch, update, and monitor those services just as attentively. Consider using a virtual machine dedicated for each purpose, or be sure to monitor the entire attack vector across a multi-service server.
Of course you should also secure the server itself with best practices like malware, antivirus, and IPS/IDS protection. While this may impact performance, when you are dealing with sensitive information like HIPAA protected ePHI, it may in fact be required.
E-mail might be a simple service on the surface, but it deserves the same care and attention as your database or critical application servers when it comes to security. Take the time now to set policies and maintain servers so you don’t end up scrambling during a security event.