5 Things to Secure Microsoft Exchange Right Now

Operating systems and applications have vulnerabilities. In fact, most patches that are issued by software vendors are released to close exploitable holes in the software.

Microsoft Exchange is no exception. As a mail server running on the Windows operating system, its vulnerabilities are well documented when they are found. A good email administrator should be aware of MS Exchange vulnerabilities so he or she can address them and keep the mail systems secure. Unfortunately, most small to medium-sized organizations don’t have the personnel resources to dedicate someone full-time to securing mail servers; some don’t even have a full-time person dedicated to email administration. These circumstances don’t mean that security should fall by the wayside. In fact, attackers often target smaller organizations because they know that the security may not be as tight as at a larger counterpart. The unsecured server gives them a chance to hone their skills and acquire computing resources for other attacks.

Your organization doesn’t have to be one that makes it easy for attackers to compromise your mail servers. No matter how large or small your IT team is, these simple steps can be followed to help lock down your Exchange servers and protect them from attack.

1. Install, Update and Run Anti-Virus Software

Just because it is a server doesn’t mean that it won’t get infected with any number of malicious programs. In fact, there are anti-virus programs created specifically for Exchange. When researching this type of software, make sure that you use Exchange-aware anti-virus tools. Of course, once the software is installed, it needs to be constantly updated to help protect against newly discovered threats.

2. Make Sure That RPC Encryption Is Enabled

Microsoft built Exchange 2010 with security in mind; however, Service Pack 1 disabled RPC encryption because Outlook 2003 did not support it and it was causing too many problems. If your organization is using Outlook 2007 or Outlook 2010, you should make sure this is enabled by using the following command:

Get-RPCClientAccess | Set-RPCClientAccess -EncryptionRequired $True

This will help keep your data transfer between Outlook and Exchange from being visible to prying eyes.

3. Protect the Mobile Worker

ActiveSync mailbox policies allow you to ensure that mobile devices adhere to your organization’s security policies when connecting to the mail servers. Use this feature to enforce password policies or to make sure that mobile users follow policies governing file attachments. If your organization supports devices other than those deemed by Microsoft as fully provisionable, also pay attention to the Allow Non-Provisionable Devices setting.
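
A read-only check for steps 2 and 3, as an added example that is not part of the original article: it reports Client Access servers where RPC encryption is not required and ActiveSync mailbox policies that allow non-provisionable devices or do not require a device password. It assumes the Exchange 2010 Management Shell; the variable names and report layout are illustrative.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
# Read-only: uses Get-* cmdlets only and changes nothing on the servers.

$findings = @()

# Step 2: Client Access servers that still accept unencrypted RPC from Outlook.
Get-RpcClientAccess | ForEach-Object {
    if (-not $_.EncryptionRequired) {
        $findings += New-Object PSObject -Property @{
            Area    = 'RPC Client Access'
            Object  = "$($_.Server)"
            Finding = 'EncryptionRequired is False'
        }
    }
}

# Step 3: ActiveSync mailbox policies with weak device settings.
Get-ActiveSyncMailboxPolicy | ForEach-Object {
    $policy = $_
    $issues = @()
    if ($policy.AllowNonProvisionableDevices) {
        # Devices that cannot enforce the policy are still allowed to sync.
        $issues += 'AllowNonProvisionableDevices is True'
    }
    if (-not $policy.DevicePasswordEnabled) {
        $issues += 'DevicePasswordEnabled is False'
    }
    foreach ($issue in $issues) {
        $findings += New-Object PSObject -Property @{
            Area    = 'ActiveSync policy'
            Object  = $policy.Name
            Finding = $issue
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: RPC encryption is required and ActiveSync policies enforce passwords.'
} else {
    $findings | Format-Table Area, Object, Finding -AutoSize
}
```

An empty report after running the command from step 2 confirms that the change took effect on every Client Access server.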

4. Analyze Your System

Many people turn to Microsoft Windows because its many tools make the server easier to manage. You are paying a price to use this software, so why not use the features that are provided for you? Once you have secured your Exchange mail server, run the Microsoft Best Practices Analyzer (ExBPA) to see if your deployment adheres to what Microsoft believes to be best practices for Exchange. It will also alert you to things you can do to make your installation more secure.

5. Fight Back Against Spam

No installation of Exchange, or any other mail server, is complete without anti-spam protection. For the mail server, it is as important as anti-virus software because it cuts down on the amount of spam and phishing emails that your users will receive. By reducing the amount of junk email that your co-workers receive not only will you make them more productive, but you will help safeguard your organization from malware and other security threats that compromise your systems.

Bonus: Use Your Users

Some anti-spam solutions allow your users to determine if messages are in fact spam or legitimate. This helps the anti-spam engine better learn what to stop and what to let through. Teach your users how to identify malicious email and what to do with it when they spot it to help round out the security of your mail server.

Written by Jeff


  1. David · February 12, 2013

    I would add that if you are still stuck with Outlook 2003, security is a huge motivator to move to Outlook 2010, so if you haven’t done it by now, this encryption stuff should be enough of a reason to do it.

  2. Mario · February 22, 2013

    Let me remind all those that are in the IT department, especially those who are in charge of server management, to please not just update the system itself but also the policies. As there are new patches involved, there are also more innovative ways on how to deal with spam, error, etc. You are most likely not around all the time, as you can get sick, run for errands, etc. On the other hand, bugs and other problems don’t choose hours. So an updated policy ensures that the server runs smoothly. Updating doesn’t take a lot of your time as well.

  3. Iris Jane · June 2, 2013

    The first step is almost always the only thing that most IT people do. Many think that once the anti-virus has been installed, things will run smoothly. Remember, attackers are now more creative in their ways when compromising a system. They will always try to find a way to break away from a strict security system. We should do the same, too. Thus, step numbers two to five are just as important as the first one. And I agree with Mario, it is essential to regularly update both the system and the policies if you want total safety and security.
