Microsoft Exchange is no exception. As a mail server running on the Windows operating system, its vulnerabilities are well documented when they are found. A good email administrator should be aware of MS Exchange vulnerabilities so he or she can address them and keep the mail system secure. Unfortunately, most small to medium sized organizations don’t have the personnel resources to dedicate someone full time to securing mail servers; some don’t even have a full time person dedicated to email administration. These circumstances don’t mean that security should fall by the wayside. In fact, attackers often target smaller organizations because they know that security may not be as tight as at a larger counterpart. The unsecured server gives them a chance to hone their skills and acquire computing resources for other attacks.
Your organization doesn’t have to be one that makes it easy for attackers to compromise your mail servers. No matter how large or small your IT team is, these simple steps can be followed to help lock down your Exchange servers and protect them from attack.
1. Install, Update and Run Anti-Virus Software
Just because it is a server doesn’t mean that it won’t get infected with any number of malicious programs. In fact, there are anti-virus programs created specifically for Exchange. When researching this type of software, make sure that you use Exchange-aware anti-virus tools; a plain file-level scanner that quarantines or locks Exchange database and transaction log files can corrupt the mail store, so those paths should be excluded from file-level scanning. Of course, once the software is installed it needs to be constantly updated to help protect against newly discovered threats.
2. Make Sure That RPC Encryption Is Enabled
Microsoft built Exchange 2010 with security in mind; however, Service Pack 1 disabled RPC encryption because Outlook 2003 did not support it and it was causing too many problems. If your organization is using Outlook 2007 or Outlook 2010, make sure this is enabled by running the following command in the Exchange Management Shell:
Get-RPCClientAccess | Set-RPCClientAccess -EncryptionRequired $True
This will help keep your data transfer between Outlook and Exchange from being visible to prying eyes.
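As an added example (not from the original article), the following Exchange Management Shell snippet audits the EncryptionRequired setting on every Client Access server before enforcing it, and re-checks afterwards. It assumes an Exchange 2010 shell session with rights to run Get-RpcClientAccess and Set-RpcClientAccess; inventory first, because clients that do not negotiate encryption will be refused once the setting is on.

```powershell
# Added example, not part of the original article.
# Assumes an Exchange 2010 Management Shell session with RBAC rights
# to read and change Client Access settings.

# Step 1: inventory the current state on every Client Access server.
$rpcSettings = Get-RpcClientAccess
$rpcSettings | Format-Table Server, EncryptionRequired, BlockedClientVersions -AutoSize

# Step 2: require encryption only where it is still switched off.
$unencrypted = $rpcSettings | Where-Object { -not $_.EncryptionRequired }
if ($unencrypted) {
    $unencrypted | Set-RpcClientAccess -EncryptionRequired $true
}

# Step 3: re-read the setting to confirm the change took effect.
$stillOff = Get-RpcClientAccess | Where-Object { -not $_.EncryptionRequired }
if ($stillOff) {
    $stillOff | ForEach-Object { Write-Warning "Encryption still not required on $($_.Server)" }
} else {
    Write-Output "RPC encryption is now required on all Client Access servers."
}
```

Keep the Step 1 output: it is the record of which servers were changed, and it tells you which servers to revisit if a user on an older client reports that Outlook can no longer connect.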
3. Protect the Mobile Worker
ActiveSync mailbox policies allow you to ensure that mobile devices adhere to your organization’s security policies when connecting to the mail servers. Use this feature to enforce device password policies and to control what mobile users can do with file attachments. If your organization supports devices other than those Microsoft deems fully provisionable, pay close attention to the Allow Non-Provisionable Devices setting.
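The following is an added example, not code from the original article. It creates a restrictive ActiveSync mailbox policy covering the points above (device password, attachment handling, and non-provisionable devices), makes it the default, and then reports which connected devices have not applied the policy in full. The policy name, the password and timeout values, and the mailbox alias are assumptions chosen for illustration; adjust them to your own organization’s policy.

```powershell
# Added example, not part of the original article.
# Assumes an Exchange 2010 Management Shell session.
$policyName = "Hardened-Mobile"   # assumed policy name

# Create a policy that enforces a device password, locks idle devices,
# wipes after repeated failed unlocks, requires device encryption,
# blocks attachments, and refuses devices that cannot be fully provisioned.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -RequireDeviceEncryption $true `
    -AttachmentsEnabled $false `
    -AllowNonProvisionableDevices $false `
    -IsDefaultPolicy $true

# Explicitly assign the policy to one mailbox (placeholder alias).
Set-CASMailbox -Identity "alias@example.com" -ActiveSyncMailboxPolicy $policyName

# Report devices that have not applied the policy in full, so the
# administrator can decide whether to allow or block them.
Get-ActiveSyncDevice | Get-ActiveSyncDeviceStatistics |
    Where-Object { $_.DevicePolicyApplicationStatus -ne "AppliedInFull" } |
    Format-Table Identity, DeviceType, DeviceUserAgent, DevicePolicyApplicationStatus, LastSuccessSync -AutoSize
```

Because AllowNonProvisionableDevices is set to $false, a device that cannot apply the whole policy is refused rather than partially protected; the final report is the list you would review before relaxing that setting for a specific device class.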
4. Analyze Your System
One reason so many people turn to Microsoft Windows is that Microsoft ships so many tools that make it easier to manage the server. You are paying a price to use this software, so why not use the features that are provided for you? Once you have secured your Exchange mail server, run the Microsoft Exchange Best Practices Analyzer (ExBPA) to see if your deployment adheres to what Microsoft believes to be best practices for Exchange. It will also alert you to things you can do to make your installation more secure.
5. Fight Back Against Spam
No installation of Exchange, or any other mail server, is complete without anti-spam protection. For the mail server, it is as important as anti-virus software because it cuts down on the amount of spam and phishing email that your users receive. By reducing the amount of junk email that your co-workers receive, you will not only make them more productive but also help safeguard your organization from malware and other security threats that could compromise your systems.
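As an added example (not from the original article), here is how the built-in Exchange 2010 anti-spam agents can be enabled on a Hub Transport server and given conservative content-filter actions. It assumes the Exchange Management Shell on the Hub Transport server itself; the SCL thresholds and the quarantine mailbox address are assumptions to be tuned for your own mail flow.

```powershell
# Added example, not part of the original article.
# Assumes an Exchange 2010 Management Shell on a Hub Transport server.

# Install the anti-spam transport agents (Content Filter, Sender ID,
# Sender Reputation, etc.); the transport service must be restarted afterwards.
& "$env:ExchangeInstallPath\Scripts\Install-AntispamAgents.ps1"
Restart-Service MSExchangeTransport

# Content filter: quarantine moderately suspicious mail, reject the worst.
# Reject threshold must be >= quarantine threshold. Values are assumptions.
Set-ContentFilterConfig -Enabled $true `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 6 `
    -SCLRejectEnabled $true -SCLRejectThreshold 8 `
    -QuarantineMailbox "spam-quarantine@example.com"   # placeholder mailbox

# Sender ID: stamp (rather than drop) spoofed-domain mail so the content
# filter can weigh the result; Sender Reputation: block known bad senders.
Set-SenderIdConfig -Enabled $true -SpoofedDomainAction StampStatus
Set-SenderReputationConfig -Enabled $true -SenderBlockingEnabled $true -SrlBlockThreshold 7

# Verify: every anti-spam agent should show Enabled = True.
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize
Get-ContentFilterConfig | Format-List Enabled, SCLQuarantineThreshold, SCLRejectThreshold, QuarantineMailbox
```

Starting with quarantine rather than delete gives you a place to look when a user reports a missing legitimate message, and the Get-ContentFilterConfig output at the end is the quick check that the thresholds you intended are the ones in effect.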
Bonus: Use Your Users
Some anti-spam solutions allow your users to determine if messages are in fact spam or legitimate. This helps the anti-spam engine better learn what to stop and what to let through. Teach your users how to identify malicious email and what to do with it when they spot it to help round out the security of your mail server.