When it comes to Exchange Server security, I am hardly a
set-it-and-forget-it kind of guy. To maintain optimal security, it’s imperative
to periodically review your configurations and make adjustments where and when
necessary. There are several aspects you need to check regularly, so keep
this list within reach and make sure nothing slips through the cracks.
1. Verify security patches
The most important thing you can do to keep Exchange Server
2010 secure is keep both Exchange and Windows Server current with the latest
security patches. You can use Windows Update, Windows Server Update Services
(WSUS) and other third-party products to automate patch management, but it’s
still smart to take the time to make sure the patches you’ve approved have
actually been deployed.
2. Verify antivirus software updates
Every antivirus product I know of is designed to update
itself automatically, so it’s easy to forget that the functionality of your
antivirus software should also be verified periodically.
There are three important factors you need to check
regarding your antivirus software:
- Make sure that updates download.
- Double-check the date that your antivirus update subscription expires; you don’t want to be left without protection.
- Make sure that your antivirus software is still running, because many viruses shut software down.
3. Run the Exchange Best Practices Analyzer
The Microsoft Exchange Best Practices Analyzer (ExBPA) helps
admins ensure that their Exchange Server deployment adheres to Microsoft’s
recommended best practices. You should run it at least once a month for two
reasons:
- Microsoft’s recommended best practices evolve over time. Running ExBPA regularly makes sure that you’re up-to-date on all updated best practices.
- If something has unexpectedly changed in your Exchange organization, ExBPA will help you to spot it.
On the patch verification in step 1: most patch management software contains a reporting feature
to help keep tabs on patch deployment. If you’re relying on Windows Update,
however, there is no centralized reporting mechanism. Your only option is to
open the Windows Control Panel, navigate to the Programs section and click View
Installed Updates.
4. Perform a port scan
Several firewall ports must be open for Exchange to function
correctly. The exact port requirements vary depending on the server roles that
are installed, but some of the most notable port requirements include:
- Client access server
- IMAP4: 143, 993 (TCP)
- POP3: 110, 995 (TCP)
- Outlook Web App: 5075, 5076, 5077 (TCP)
- Mailbox replication: 808 (TCP)
- HTTP/HTTPS: 80, 443 (TCP)
- Mailbox server: 6001, 6002, 6003, 6004 (TCP)
- Hub transport server: 25, 587 (TCP)
- Unified messaging (UM)
- UM Service: 5060, 5061 (TCP)
- UM Worker Process: 5065, 5066, 5067, 5068 (TCP)
It’s smart to periodically run one port scan from inside
your organization and one from outside. This confirms that no unnecessary
ports are open. Exchange does not contain a native port-scan tool, but there
are several free tools available for download on the Internet.
5. Review your audit logs
Windows compiles a number of audit logs that are designed to
help you spot security breaches or suspicious activity. Review the audit logs
daily as opposed to using them for forensic purposes after a security breach.
The following are the most important logs to review and are
all accessible through the Event Viewer:
- Windows Logs | Security
- Windows Logs | Application
- Microsoft | MSExchange Management
- Microsoft | Windows PowerShell
6. Review certificate expiration dates
Your client access server (CAS) relies on SSL certificates
to encrypt data. SSL certificates do expire, so it’s a good idea to check the
expiration dates. If a certificate expires, then services like ActiveSync and
OWA will fail unless the certificate gets renewed.
There are many ways to check certificate usage, but the
easiest is to open the Exchange Management Shell (EMS) and enter the following
command:
    Get-ExchangeCertificate | FL PsComputerName, IssuerName, Status, NotAfter
This command will return the name of the computer the
certificate resides on, the certificate authority (CA) that issued the
certificate, the certificate’s status and its expiration date.
7. Review the role-based access control delegations
It’s always a good idea to check role-based access control
(RBAC) delegations weekly to make certain that no one’s privileges have been
elevated without proper authorization. The most effective way to accomplish
this is to compare existing privileges against a paper list of what the
privileges should be.
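To make that comparison mechanical rather than a paper exercise, here is an added PowerShell script (not from the original article) for the Exchange Management Shell. It snapshots every Exchange 2010 role assignment into a baseline CSV and, on later runs, reports assignments that have appeared or disappeared since the baseline; the baseline path is an assumption you should change.

```powershell
# Added example, not from the original article.
# Run from the Exchange 2010 Management Shell. $BaselinePath is an assumed location.
param(
    [string]$BaselinePath = "C:\RBAC\role-assignments-baseline.csv",
    [switch]$UpdateBaseline   # use only after an approved, documented change
)

# Properties that together define "who holds which role over which scope".
$props = 'Name','Role','RoleAssigneeName','RoleAssigneeType',
         'RoleAssignmentDelegationType','RecipientWriteScope','ConfigWriteScope',
         'CustomRecipientWriteScope','CustomConfigWriteScope','Enabled'

# Get-ManagementRoleAssignment lists every role-to-assignee binding, including
# those granted through role groups. Round-tripping through CSV text makes the
# live objects string-typed, so they compare cleanly against the CSV baseline.
$current = Get-ManagementRoleAssignment |
    Select-Object $props |
    ConvertTo-Csv -NoTypeInformation | ConvertFrom-Csv

if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    # First run, or a deliberate re-baseline after an authorized change.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written to $BaselinePath ($(@($current).Count) assignments)."
    return
}

$baseline = Import-Csv -Path $BaselinePath

# Compare on all properties at once: "=>" rows exist only in the live state
# (possible unauthorized privilege grant), "<=" rows were removed.
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
            -Property $props

if (-not $diff) {
    Write-Output "No RBAC changes since baseline."
    return
}

foreach ($d in $diff) {
    $label = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
    Write-Output ("{0} {1,-40} -> {2} ({3}) scope: {4}" -f $label, $d.Role,
                  $d.RoleAssigneeName, $d.RoleAssigneeType, $d.RecipientWriteScope)
}
```

Review every ADDED line against your change records before re-running with -UpdateBaseline; an assignment you did not authorize is exactly the privilege elevation this step is meant to catch.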
8. Check for rogue policies
You should also check periodically for rogue security
policies or policy settings. Specifically, check the following policies:
- Sharing policies
- Retention policies
- Outlook Web App mailbox policies
- Exchange ActiveSync mailbox policies
- UM mailbox policies