When it comes to Exchange Server security, I am hardly a set-it-and-forget-it kind of guy. To maintain optimal security, it’s imperative to periodically review your configurations and make adjustments where and when it is necessary. There are several aspects you need to regularly check so keep this list within reach and make sure nothing slips through the cracks.
1. Verify security patches
The most important thing you can do to keep Exchange Server 2010 secure is keep both Exchange and Windows Server current with the latest security patches. You can use Windows Update, Windows Server Update Services (WSUS) and other third-party products to automate patch management, but it’s still smart to take the time to make sure the patches you’ve approved have actually been deployed.
2. Verify antivirus software updates
Every antivirus product I know of is designed to update itself automatically, so it’s easy to forget that the functionality of your antivirus software should also be verified periodically.
There are three important things to check regarding your antivirus software:
- Make sure that signature updates are actually being downloaded.
- Double-check the date that your antivirus update subscription expires; you don’t want to be left without protection.
- Make sure that your antivirus software is still running, because many viruses shut antivirus software down.
3. Run the Exchange Best Practices Analyzer
The Microsoft Exchange Best Practices Analyzer (ExBPA) helps admins ensure that their Exchange Server deployment adheres to Microsoft’s recommended best practices. You should run it at least once a month for two reasons:
- Microsoft’s recommended best practices evolve over time. Running ExBPA regularly keeps you current with them.
- If something has unexpectedly changed in your Exchange organization, ExBPA will help you spot it.
One more note on verifying patches (item 1): most patch management software contains a reporting feature to help you keep tabs on patch deployment. If you’re relying on Windows Update, however, there is no centralized reporting mechanism. Your only option is to open the Windows Control Panel, navigate to the Programs section and click View Installed Updates.
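When there is no central report, you can build a small one yourself. The following script is an added example, not code from the original article: it compares a list of approved KB numbers against what each Exchange server reports through Get-HotFix, and then reads the Exchange update rollup level from the ExSetup.exe file version. The server names and KB numbers are placeholders, and the second part assumes PowerShell remoting is enabled on the servers.

```powershell
# Added example (not from the original article): verify that approved Windows
# security updates have actually landed on every Exchange server.
# Assumptions: the server names and KB numbers below are placeholders; replace
# them with your own approved-patch list (for example, exported from WSUS).

$exchangeServers = @('EX01', 'EX02')                        # placeholder names
$approvedKBs     = @('KB0000001', 'KB0000002', 'KB0000003')  # placeholder KB IDs

$report = foreach ($server in $exchangeServers) {
    try {
        # Win32_QuickFixEngineering (what Get-HotFix reads) lists Windows
        # updates; Exchange update rollups do not appear here.
        $installed = Get-HotFix -ComputerName $server -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
    } catch {
        Write-Warning "Could not query $server : $($_.Exception.Message)"
        continue
    }
    foreach ($kb in $approvedKBs) {
        New-Object PSObject -Property @{
            Server    = $server
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

# Anything still showing Installed = False was approved but never deployed.
$report | Where-Object { -not $_.Installed } |
    Sort-Object Server, KB |
    Format-Table Server, KB, Installed -AutoSize

# The Exchange 2010 update rollup level is visible from the ExSetup.exe file
# version; ExchangeInstallPath is set by the Exchange installer on each server.
# Assumes PowerShell remoting is enabled on the Exchange servers.
foreach ($server in $exchangeServers) {
    Invoke-Command -ComputerName $server -ScriptBlock {
        $exSetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
        New-Object PSObject -Property @{
            Server         = $env:COMPUTERNAME
            ExSetupVersion = (Get-Item $exSetup).VersionInfo.FileVersion
        }
    } | Format-Table Server, ExSetupVersion -AutoSize
}
```

Run it from a workstation or management server that can reach every Exchange server; any row with Installed = False, or an ExSetup version older than the rollup you approved, is a server that your patch tooling believes is current but is not.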
4. Perform a port scan
Several firewall ports must be open for Exchange to function correctly. The exact port requirements vary depending on the server roles that are installed, but some of the most notable port requirements include:
- Client access server
  - IMAP4: 143, 993 (TCP)
  - POP3: 110, 995 (TCP)
  - Outlook Web App: 5075, 5076, 5077 (TCP)
  - Mailbox replication: 808 (TCP)
  - HTTP/HTTPS: 80, 443 (TCP)
- Mailbox server: 6001, 6002, 6003, 6004 (TCP)
- Hub transport server: 25, 587 (TCP)
- Unified messaging (UM)
  - UM Service: 5060, 5061 (TCP)
  - UM Worker Process: 5065, 5066, 5067, 5068 (TCP)
It’s smart to periodically run one port scan from inside your organization and one from outside, to make sure that no unnecessary ports are open. Exchange does not include a native port-scan tool, but several free tools are available for download on the Internet.
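If you would rather not install a third-party scanner, the Exchange ports listed above can be checked from PowerShell. The script below is an added example, not part of the original article: it tries a TCP connection to each port from the table and compares the result with the list of ports your policy says should be reachable from the vantage point you run it from. The host name and the “only 25 and 443 from the Internet” policy are placeholders for your own environment.

```powershell
# Added example (not part of the original article): check a server's TCP ports
# against the set you expect to be reachable from where this script runs.
# Assumptions: $target is a placeholder host name; $expectedOpen is an example
# policy for an external vantage point. The candidate list is the port table
# from the checklist above.

$target     = 'mail.example.com'     # placeholder
$candidates = @{
    'Hub transport (SMTP)'  = 25, 587
    'HTTP/HTTPS'            = 80, 443
    'IMAP4'                 = 143, 993
    'POP3'                  = 110, 995
    'Mailbox replication'   = 808
    'Outlook Web App'       = 5075, 5076, 5077
    'UM Service'            = 5060, 5061
    'UM Worker Process'     = 5065, 5066, 5067, 5068
    'Mailbox server'        = 6001, 6002, 6003, 6004
}
$expectedOpen = @(25, 443)           # what should be reachable from this vantage point

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a filtered (silently dropped) port times out
        # instead of hanging the whole run.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($service in $candidates.Keys) {
    foreach ($port in $candidates[$service]) {
        New-Object PSObject -Property @{
            Service  = $service
            Port     = $port
            Open     = (Test-TcpPort -ComputerName $target -Port $port)
            Expected = ($expectedOpen -contains $port)
        }
    }
}

# Any row where Open and Expected disagree needs a firewall rule review:
# Open=True/Expected=False is an unnecessary exposure, the reverse is a
# service that clients cannot reach.
$results | Where-Object { $_.Open -ne $_.Expected } |
    Sort-Object Port |
    Format-Table Port, Service, Open, Expected -AutoSize
```

Run it once from an internal workstation with the internal expected list and once from outside the perimeter with the external list; an empty table means the firewall matches your policy from that vantage point.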
5. Review your audit logs
Windows compiles a number of audit logs that are designed to help you spot security breaches or suspicious activity. Review the audit logs daily rather than consulting them only for forensic purposes after a security breach.
The following are the most important logs to review and are all accessible through the Event Viewer:
- Windows Logs | Security
- Windows Logs | Application
- Microsoft | MSExchange Management
- Microsoft | Windows PowerShell
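Opening four logs in Event Viewer every morning gets old quickly, so here is an added example (not from the original article) that pulls the last 24 hours from each of the logs listed above and surfaces the entries worth a daily look. The Security event IDs named in the comments are the standard Windows ones; the log name Windows PowerShell is the classic PowerShell log shown in Event Viewer, so adjust it if your Event Viewer path differs.

```powershell
# Added example (not part of the original article): a daily pass over the four
# logs from the checklist, limited to the last 24 hours.
# Assumptions: standard Windows Security event IDs; 'Windows PowerShell' is the
# classic PowerShell log name; run on (or remotely against) the Exchange server.

$since = (Get-Date).AddHours(-24)

# Security: failed logons (4625), new accounts (4720) and additions to
# security-enabled groups (4728 global, 4732 local, 4756 universal).
$securityIds = 4625, 4720, 4728, 4732, 4756
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $securityIds; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object @{n='EventId'; e={$_.Name}}, Count |
    Format-Table -AutoSize

# Application: errors (level 2) and warnings (level 3) from Exchange sources only.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like 'MSExchange*' } |
    Select-Object TimeCreated, ProviderName, Id, @{n='Message'; e={($_.Message -split "`n")[0]}} |
    Format-Table -AutoSize

# MSExchange Management: non-Get cmdlets run through the Exchange Management
# Shell or Console are recorded here, so unauthorized configuration changes
# show up in this log first.
Get-WinEvent -FilterHashtable @{ LogName = 'MSExchange Management'; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Cmdlet'; e={($_.Message -split "`n")[0]}} |
    Format-Table -AutoSize -Wrap

# Windows PowerShell: engine lifecycle events; a burst of new PowerShell
# sessions at odd hours is worth a question.
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object @{n='EventId'; e={$_.Name}}, Count |
    Format-Table -AutoSize
```

Save the output each day and the counts become a baseline: a Security log that normally shows a handful of 4625 events and suddenly shows hundreds, or a MSExchange Management log listing Set- and New- cmdlets nobody scheduled, is exactly the kind of thing a daily review is meant to catch.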
6. Review certificate expiration dates
Your client access server (CAS) relies on SSL certificates to encrypt data. SSL certificates do expire, so it’s a good idea to check the expiration dates. If a certificate expires, then services like ActiveSync and OWA will fail unless the certificate gets renewed.
There are many ways to check certificate usage, but the easiest is to open the Exchange Management Shell (EMS) and enter the following command:
Get-ExchangeCertificate | FL PsComputerName, IssuerName, Status, NotAfter
This command will return the name of the computer the certificate resides on, the certificate authority (CA) that issued the certificate, the certificate’s status and its expiration date.
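The command above tells you when each certificate expires; the next step is turning that into a warning before it matters. This script is an added example (not part of the original article) that runs the same cmdlet against every server in the organization and lists only the certificates that are actually bound to Exchange services and expire within a threshold. It assumes it is run from the Exchange Management Shell, and the 30-day threshold is an example value.

```powershell
# Added example (not from the original article): list certificates bound to
# Exchange services that expire within the next $warnDays days, on every server.
# Assumptions: run in the Exchange Management Shell (Get-ExchangeServer and
# Get-ExchangeCertificate are Exchange cmdlets); 30 days is an example threshold.

$warnDays = 30
$deadline = (Get-Date).AddDays($warnDays)

$expiring = foreach ($server in Get-ExchangeServer) {
    Get-ExchangeCertificate -Server $server.Name |
        # Services = None means nothing (IIS, SMTP, POP, IMAP, UM) is bound to
        # the certificate, so its expiry does not break a client-facing service.
        Where-Object { $_.Services -ne 'None' -and $_.NotAfter -le $deadline } |
        Select-Object @{n='Server';   e={$server.Name}},
                      Thumbprint, Subject, CertificateDomains, Services, Status, NotAfter,
                      @{n='DaysLeft'; e={[int]($_.NotAfter - (Get-Date)).TotalDays}}
}

# Negative DaysLeft means the certificate has already expired.
$expiring | Sort-Object NotAfter | Format-Table Server, DaysLeft, Services, Subject, Status -AutoSize
```

Schedule it weekly and treat any row as a ticket: the Services column tells you which of ActiveSync, OWA, POP, IMAP or SMTP will fail when that certificate lapses, and CertificateDomains tells you which names the renewal needs to cover.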
7. Review the role-based access control delegations
It’s always a good idea to check role-based access control (RBAC) delegations weekly to make certain that no one’s privileges have been elevated without proper authorization. The most effective way to accomplish this is to compare existing privileges against a paper list of what the privileges should be.
8. Check for rogue policies
You should also check periodically for rogue security policies or policy settings. Specifically, check the following policies:
- Sharing policies
- Retention policies
- Outlook Web App mailbox policies
- Exchange ActiveSync mailbox policies
- UM mailbox policies
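Items 7 and 8 are really the same exercise: compare what Exchange has now against a record of what was approved. The script below is an added example (not code from the original article) that does that for both. It snapshots the RBAC role assignments and role group memberships together with the five policy types listed above, writes the snapshot as a baseline the first time it runs, and on later runs diffs the live configuration against that baseline. It assumes the Exchange Management Shell, and the baseline path is a placeholder.

```powershell
# Added example (not part of the original article) covering items 7 and 8:
# snapshot RBAC delegations and the five policy types, then diff the live
# configuration against a saved baseline. Assumptions: runs in the Exchange
# Management Shell; $baselinePath is a placeholder; the first run writes the
# baseline after you have confirmed the current state is the approved one.

$baselinePath = 'C:\ExchangeBaseline\config-baseline.xml'   # placeholder path

# Properties that change on every edit or differ per server and would produce
# noise in the diff rather than signal.
$noisyProperties = @('WhenChanged', 'WhenChangedUTC', 'WhenCreated', 'WhenCreatedUTC',
                     'OriginatingServer', 'ObjectState', 'IsValid', 'ExchangeVersion')

function Get-ExchangeConfigSnapshot {
    # Each line is "Category<TAB>Identity<TAB>Detail" so Compare-Object can diff plain strings.
    $lines = @()

    # RBAC: which role is delegated to whom, and who sits in each role group.
    foreach ($a in Get-ManagementRoleAssignment) {
        $lines += "RoleAssignment`t$($a.Name)`t$($a.Role) -> $($a.RoleAssigneeName) ($($a.RoleAssigneeType))"
    }
    foreach ($g in Get-RoleGroup) {
        foreach ($m in Get-RoleGroupMember $g.Identity) {
            $lines += "RoleGroupMember`t$($g.Name)`t$($m.Name)"
        }
    }

    # Policies from item 8: flatten every property of each policy into one line.
    $policyCmdlets = @{
        'SharingPolicy'    = { Get-SharingPolicy }
        'RetentionPolicy'  = { Get-RetentionPolicy }
        'OwaMailboxPolicy' = { Get-OwaMailboxPolicy }
        'ActiveSyncPolicy' = { Get-ActiveSyncMailboxPolicy }
        'UMMailboxPolicy'  = { Get-UMMailboxPolicy }
    }
    foreach ($category in $policyCmdlets.Keys) {
        foreach ($p in (& $policyCmdlets[$category])) {
            $detail = ($p.PSObject.Properties |
                       Where-Object { $noisyProperties -notcontains $_.Name } |
                       ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ';'
            $lines += "$category`t$($p.Identity)`t$detail"
        }
    }
    $lines | Sort-Object
}

$current = Get-ExchangeConfigSnapshot

if (-not (Test-Path $baselinePath)) {
    # First run: record the approved state for next time.
    New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
    $current | Export-Clixml $baselinePath
    Write-Host "Baseline written to $baselinePath"
} else {
    $baseline = Import-Clixml $baselinePath
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
    if (-not $diff) {
        Write-Host 'No RBAC or policy changes since the baseline.'
    } else {
        # '=>' = present now but not in the baseline (new delegation or policy change);
        # '<=' = present in the baseline but gone now.
        $diff | Select-Object SideIndicator, InputObject | Format-Table -AutoSize -Wrap
    }
}
```

The baseline file is the electronic form of the “paper list”: keep it somewhere Exchange admins cannot edit casually, regenerate it only after an approved change, and any “=>” line on the weekly run is either a change you already have a ticket for or the elevation you were looking for.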