
Why to Perform Audit?

Microsoft Exchange Server Security Audits: Detailed Guide. A cybersecurity audit assesses the IT infrastructure to identify gaps, vulnerabilities and problems. Exchange Server, as a service that processes sensitive data, is usually included in the audit scope. An audit helps to:

  • Identify Vulnerabilities. Find weaknesses and vulnerabilities so that proactive measures can address or mitigate potential risks before attackers exploit them.
  • Assure Compliance. Comply with specific cybersecurity standards and regulations. Regular audits help meet these compliance requirements and avoid the legal and financial consequences of non-compliance.
  • Manage Risks. Identify and assess potential threats and vulnerabilities, develop a comprehensive risk management strategy, prioritize and address high-risk areas, and minimize the likelihood and potential impact of security incidents.
  • Enhance Security Awareness. The audit process often involves educating employees about security best practices and the importance of adhering to security policies, creating a security-aware culture among Exchange Server administrators and reducing the risk of human error.
  • Support Continuous Improvement. Regular audits keep you current with the latest cybersecurity trends, technologies and best practices, facilitating continuous improvement of your security posture.

A dedicated cybersecurity audit of the email system strengthens defences against email-based threats, ensures confidentiality and integrity of communication and protects against risks associated with phishing, malware, and unauthorized access.

Patch Management Audit

During the security audit, it is a good idea to start with the patch management audit.

Are Systems Kept Up To Date?

Review the update status of Exchange Server itself, the Windows Server it runs on, and the third-party systems involved, such as the external email gateway, antivirus software, etc. Exchange Server receives two types of updates: cumulative updates and security updates. Security updates (SU) are released more often, typically after a vulnerability is detected, and contain the patch that fixes it. Install these updates as soon as possible. Cumulative updates (CU) are considered the next build of the Exchange Server software. They contain feature updates and all security updates released since the last CU. Installing CUs is also important, since only the last two CUs are supported by Microsoft: you can skip one release, but if you skip two, your server stops receiving security updates.


Besides Exchange Server, you also need to patch the operating system. Windows Server receives security updates on the second Tuesday of each month (so-called “Patch Tuesday”). Patching practices must be aligned with the vendor’s recommendations.

The Exchange Server build number can be used as evidence of patch installation. To collect it, use the following PowerShell command:

    Get-ExchangeServer | ft Name,AdminDisplayVersion

To view the list of installed OS patches, simply run the Get-HotFix command.
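The two commands above can be combined into one evidence-collection script for the patch management audit. The following is an added example, not code from the original article; it assumes the Exchange Management Shell, remote hotfix query rights on every server, and an assumed audit threshold of 45 days since the last OS hotfix.

```powershell
# Added example (not from the original article): collects the Exchange build and
# the most recent OS hotfix for every Exchange server as patch-management evidence.
# Assumes the Exchange Management Shell and an account allowed to run Get-HotFix
# remotely; $MaxDaysSinceHotfix is an assumed audit threshold.
$MaxDaysSinceHotfix = 45
$cutoff = (Get-Date).AddDays(-$MaxDaysSinceHotfix)

$report = foreach ($srv in Get-ExchangeServer) {
    $name  = $srv.Name
    # AdminDisplayVersion renders as e.g. "Version 15.2 (Build 1258.12)"
    $build = $srv.AdminDisplayVersion.ToString()
    try {
        $latest = Get-HotFix -ComputerName $name -ErrorAction Stop |
            Where-Object { $_.InstalledOn } |          # some entries carry no date
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1
        $lastPatch = $latest.InstalledOn
    } catch {
        # Unreachable server: record it as needing attention rather than skipping it
        $lastPatch = $null
    }
    [pscustomobject]@{
        Server         = $name
        ExchangeBuild  = $build
        LastOSHotfix   = $lastPatch
        NeedsAttention = (-not $lastPatch) -or ($lastPatch -lt $cutoff)
    }
}

$report | Format-Table -AutoSize
# Keep the CSV as audit evidence alongside the screenshots mentioned later in the guide
$report | Export-Csv -Path ".\ExchangePatchEvidence.csv" -NoTypeInformation
```

The NeedsAttention column only flags the hotfix age; the Exchange build still has to be compared manually against the current CU/SU list published by Microsoft.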

Is There Proper Patch Management Document?

Patching procedures must also be checked during the audit. The documentation should cover the following aspects of patch deployment:

Pre-installation Activities

Review the documentation available on the Internet to check for known issues with the patch. If such issues are present, the patching plan is changed accordingly. Additionally, this section must describe the testing process. For example, if the organization has a test environment, all patches must be tested there first. The test must include a health check of all Exchange Server components, not only the status of services and mail flow. For example, if the patch affected the Exchange Web Services virtual directory, mail flow works correctly and all services show the status running, but other functionality (out-of-office notifications, synchronization with Teams, etc.) will not work. If there is no test environment, the patch must be installed on one of the production servers, fully tested and only then deployed on all other servers. Additionally, pre-installation activities may include notifying end users about possible unavailability of the server during patch deployment.

Patch Installation

The patching process itself must also be documented. Usually the work instruction covers server preparation (for an example see Put Exchange Server in maintenance mode), the order in which servers must be patched (for example, there is a recommendation to install CUs on Internet-facing servers first) and the procedure for returning a server to production. Additionally, it should contain the list of tests to be run after the patch deployment.

Problem Management

The actions to be performed if issues occur during installation must also be described. Usually these include notification of stakeholders, roll-back of the changes, raising a support ticket, etc.

Is the Document Regularly Reviewed and Followed?

The patch management documentation has to be kept up to date as well. Good practice is to review the document annually or every two years. Additionally, update it whenever new systems are deployed in the organization (e.g. a third-party anti-spam solution that also needs to be patched regularly).

Additionally, check that the document is actually followed. Any gap between the documentation and the practices actually in use should be treated as non-compliance. Failure to properly update the systems is a serious security breach.


Privileged Access Management Audit

The following details should be reviewed here.

Is Administrative Role Assignment Correct?

All groups that have highly privileged access to Exchange Server must be reviewed in Active Directory. The most important group is Organization Management. During the audit, check the group’s membership and its last-change timestamp. Justification for every change to this group (or any other privileged group) must be collected. Additionally, there is an Import/Export permission (not assigned to any role group by default, but it can be assigned manually) that grants access to the content of any mailbox. Its assignment must have strong justification and must be reviewed regularly.

Is There Proper Privilege Escalation Process Established?

The process for acquiring administrative access to the email system must be adequate and strictly followed. An engineer who needs privileged access must raise a formal request that includes strong justification. The request should be reviewed to ensure that the principle of least privilege is followed, that a proper timeframe is identified (permanent privileged access must be avoided whenever possible) and that the justification is sufficient. All privilege escalation requests must be kept in the ITSM tool and should be reviewed during the security audit.

Are Administrative Actions Audited?

By default, Exchange Server logs all admin actions and stores the records for 90 days. If that is not enough for your organization, increase the limit. Have a PowerShell script that collects the logs and stores them in external storage. For more details about admin audit logging capabilities see How to use administrator audit logging in Exchange Server. The configuration of the admin audit log can be reviewed with the Get-AdminAuditLogConfig PowerShell command. Additionally, enable mailbox auditing if a mailbox that contains sensitive information is shared between several users. More details about mailbox auditing are here: Mailbox audit logging in Exchange Server.
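The three checks of this section (Organization Management membership, Import/Export assignments, admin audit log retention and export) can be collected in one pass. This is an added example, not code from the original article; it assumes the Exchange Management Shell with the ActiveDirectory module available, that "Mailbox Import Export" is the built-in role carrying the Import/Export permission referred to above, a required retention of 365 days, and an assumed UNC path for the external storage.

```powershell
# Added example (not from the original article): collects the privileged-access
# and admin-audit-log evidence described above. Assumes the Exchange Management
# Shell and the ActiveDirectory module; "Mailbox Import Export" is the built-in
# role that carries the Import/Export permission; $RequiredRetentionDays and
# $exportPath are assumed values to adjust for your organization.
Import-Module ActiveDirectory
$RequiredRetentionDays = 365
$exportPath = "\\auditshare\exchange\AdminAuditLog_$(Get-Date -Format yyyyMMdd).csv"

# 1. Organization Management membership and the group's last-change timestamp
$group = Get-ADGroup -Identity "Organization Management" -Properties whenChanged
"Organization Management last changed: $($group.whenChanged)"
Get-RoleGroupMember -Identity "Organization Management" |
    Select-Object Name, RecipientType

# 2. Who holds the Mailbox Import Export role (nobody, by default)
Get-ManagementRoleAssignment -Role "Mailbox Import Export" |
    Select-Object RoleAssigneeName, RoleAssigneeType, WhenCreated

# 3. Admin audit log configuration versus the required retention
$cfg = Get-AdminAuditLogConfig
# AdminAuditLogAgeLimit renders as "90.00:00:00" (days.hours:minutes:seconds)
$ageDays = [TimeSpan]::Parse($cfg.AdminAuditLogAgeLimit.ToString()).TotalDays
if (-not $cfg.AdminAuditLogEnabled) {
    Write-Warning "Admin audit logging is disabled"
}
if ($ageDays -lt $RequiredRetentionDays) {
    Write-Warning "Admin audit log retention is $ageDays days, required $RequiredRetentionDays"
}

# 4. Export the last 30 days of admin audit records to external storage
#    (-ResultSize raises the default cap of 1000 records; 250000 is the maximum)
Search-AdminAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ResultSize 250000 |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded |
    Export-Csv -Path $exportPath -NoTypeInformation
```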

Mail Flow Security Audit

Continuing Microsoft Exchange Server Security Audits: Detailed Guide, the next aspect of the Exchange Server security audit is the configuration of mail flow. The following settings should be reviewed:

SMTP Relay

Unauthorized (anonymous) relay of messages should be avoided whenever possible, since it is a potential security breach: if an infected machine exists in the internal network, it can use the relay to send viruses to other computers. All receive connectors must be reviewed to identify whether anonymous SMTP relay is allowed. The following cmdlet identifies the connectors that allow unauthenticated email sending:

    Get-ReceiveConnector | ?{$_.authmechanism -eq "none"} | ft Identity, Server

If there are connectors with open SMTP relay, you need to ensure the following:

  • Anonymous SMTP relay is only used for legacy systems that don’t support authenticated relay. All other systems must use authenticated relay. As evidence, screenshots must be collected during the audit; for example, if an application requires anonymous SMTP relay, its email configuration settings must be captured in a screenshot to show that there is no option to use authenticated relay.
  • A connector that allows anonymous relay must be configured to accept messages only from those specific hosts. For example, if you have three servers that need open relay, the connector must accept messages from those three servers’ IP addresses, not from the whole subnet range.
  • Use of the default SMTP port (TCP 25) should be avoided for open relay connections. Configuring a non-standard port adds an additional security layer against possible exploitation.

Even if it was decided to allow some systems to send unauthenticated messages, you should understand that this configuration is insecure and these systems must be replaced as soon as possible.
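The following added script (not code from the original article) turns the three checks above into a report per connector and goes one step beyond the AuthMechanism filter: a connector truly relays anonymously only when its permission groups include AnonymousUsers and the ms-Exch-SMTP-Accept-Any-Recipient right is granted to ANONYMOUS LOGON, so both are tested. It assumes the Exchange Management Shell.

```powershell
# Added example (not from the original article): lists receive connectors that
# permit anonymous relay and reports the settings the audit must justify
# (remote IP scope and listening port). Assumes the Exchange Management Shell.
foreach ($rc in Get-ReceiveConnector) {
    # Anonymous *submission* (AnonymousUsers) alone does not relay; relay also needs
    # the accept-any-recipient extended right on the connector's AD object.
    $anonymous  = $rc.PermissionGroups -match "AnonymousUsers"
    $relayRight = Get-ADPermission -Identity $rc.Identity |
        Where-Object {
            $_.User -like "*ANONYMOUS LOGON*" -and
            $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient"
        }
    if (-not ($anonymous -and $relayRight)) { continue }

    $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
    # A range written with "/" (CIDR) or "-" (span) covers more than a single host,
    # which contradicts the "only these specific hosts" requirement above.
    $broad  = $ranges | Where-Object { $_ -match "[/-]" }
    $port25 = $rc.Bindings | Where-Object { $_.Port -eq 25 }

    [pscustomobject]@{
        Connector        = $rc.Identity.ToString()
        RemoteIPRanges   = ($ranges -join ", ")
        AllowsWholeRange = [bool]$broad          # should be False
        ListensOnPort25  = [bool]$port25         # should be False per the guide
    }
}
```

Every connector the script prints needs the documented justification and application screenshots described above; a connector with AllowsWholeRange or ListensOnPort25 set to True is a finding.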

Email Gateway and Smart Hosts

Besides Exchange Server itself, there may be third-party systems that participate in the mail flow, such as email gateways that filter incoming messages (to protect against malicious emails) and smart hosts that are used to send external messages (to avoid exposing internal servers to the Internet). Additionally, there may be internal systems that process messages for journaling, archiving, data loss prevention, etc. These systems must also be audited, and the following must be inspected:

  • Is the connection between the third-party system and Exchange Server authenticated? All services participating in the mail flow must be authenticated.
  • Is the connection restricted to allowed IP addresses only? If the connection is allowed only from certain addresses, it is harder for malicious actors to make an illegitimate connection.
  • Is the traffic encrypted? Traffic encryption is mandatory to prevent man-in-the-middle attacks.

Client Access Security Audit

Another thing to be evaluated during the audit is the security of client connections.

Authentication Protocols

Exchange Server supports the legacy protocols IMAP and POP3 for accessing user mailboxes. These protocols are considered insecure and must be disabled on all servers. It is recommended to stop all IMAP- and POP3-related services on all Exchange Servers.

To ensure email security, IT administrators must implement up-to-date authentication. This includes modern authentication (for more details see Enabling Modern Auth in Exchange on-premises) and a multi-factor authentication (MFA) solution. If MFA is not possible for some reason, prevent users from accessing mailboxes from external networks. Remote workers should connect to the internal network over VPN first and only then open their mailbox.

TLS Protection

For all HTTP connections, TLS must be enabled and enforced. No connections over TCP port 80 should be allowed; only HTTPS (TCP port 443) is to be used. This configuration requires a trusted certificate installed in Internet Information Services (IIS) on the Exchange Servers. TLS configuration can be checked during the audit by reviewing the IIS and virtual directory configuration of each server. Additionally, configure Exchange Servers to use only TLS 1.2, excluding the older versions TLS 1.1 and 1.0. More details about TLS are in: Exchange Server TLS configuration best practices.
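The legacy-protocol check from Authentication Protocols and the protocol-version check from TLS Protection can be gathered per server in one run. This is an added example, not code from the original article; it assumes the Exchange Management Shell (Windows PowerShell) and WinRM access to each server, and reads the SCHANNEL registry keys that control which server-side TLS versions Windows offers.

```powershell
# Added example (not from the original article): for every Exchange server, reports
# running POP3/IMAP4 services and whether TLS 1.0 / 1.1 are still enabled in SCHANNEL.
# Assumes the Exchange Management Shell and WinRM access to the servers.
$servers = Get-ExchangeServer | Select-Object -ExpandProperty Name
# Front-end and back-end service names for POP3 and IMAP4
$legacyServices = "MSExchangePOP3", "MSExchangePOP3BE", "MSExchangeIMAP4", "MSExchangeIMAP4BE"
$oldTls = "TLS 1.0", "TLS 1.1"

foreach ($srv in $servers) {
    $running = Get-Service -ComputerName $srv -Name $legacyServices -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq "Running" } |
        Select-Object -ExpandProperty Name

    $tlsState = Invoke-Command -ComputerName $srv -ArgumentList (,$oldTls) -ScriptBlock {
        param($protocols)
        $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
        foreach ($p in $protocols) {
            $key = Join-Path $base "$p\Server"
            $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
            # A missing key or value means the OS default applies, which on older
            # Windows Server versions still has the protocol enabled: treat as a finding.
            if ($null -eq $enabled)  { "$p = not configured (OS default)" }
            elseif ($enabled -eq 0)  { "$p = disabled" }
            else                     { "$p = ENABLED" }
        }
    }

    [pscustomobject]@{
        Server             = $srv
        LegacyMailServices = ($running -join ", ")     # should be empty
        ServerTlsProtocols = ($tlsState -join "; ")    # both should read "disabled"
    }
}
```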

Email Client Software Reliability

Use only secure client software that supports the latest security features: Outlook for Windows, Outlook for Mac, Outlook for mobile and Outlook on the web. Third-party software usually has restrictions and doesn’t support advanced features such as MFA. Additionally, all devices used to access mailboxes must meet the security requirements (supported OS version, presence of antivirus software, etc.). To control this, administrators can use Microsoft Intune (see Restrict access to mailbox for unsecure devices using Intune compliance policies) or a third-party alternative.

Audit of Other Security Aspects

Backup Security

Check that the following information has been collected:

  • Are backup components regularly updated?
  • Does the backup system encrypt the copies? Encryption at rest is as important as encryption in transit. All backup copies must be encrypted to protect the data in case of physical theft of the storage.
  • Who has permission to restore data? The restore process must require high-privilege access escalation, and provisioning of such access must be strongly justified. Any data restore activity must be logged and approved by the service owner and the cybersecurity team.

Data Loss Prevention Tools

Depending on the industry and the applicable compliance requirements, some data loss prevention (DLP) measures must be implemented in the Exchange Server infrastructure: built-in or third-party DLP systems, end-user encryption tools (such as S/MIME), etc. Where such requirements are in place, compliance with them should be examined during the audit.

Exchange Server Monitoring

In some scenarios, Exchange Server monitoring is also subject to the cybersecurity audit. Organizations may have requirements to monitor events that help identify an attack attempt. For example, event 1102 in Windows Server is logged when the Security log is cleared. Additionally, stopping certain services, such as antivirus or firewall, may affect security, so monitoring of these services may be included in the audit scope.
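An auditor can spot-check both monitoring targets named above with the following added script (not code from the original article). It assumes remote event log and service access to each Exchange server and uses the Windows Firewall (MpsSvc) and Microsoft Defender Antivirus (WinDefend) service names as assumed examples to replace with the products actually deployed.

```powershell
# Added example (not from the original article): per Exchange server, counts
# Security-log-cleared events (ID 1102) over the last week and lists protective
# services that are not running. $watchedServices holds assumed service names.
$since = (Get-Date).AddDays(-7)
$watchedServices = "MpsSvc", "WinDefend"   # Windows Firewall, Defender AV; adjust for your AV

foreach ($srv in (Get-ExchangeServer | Select-Object -ExpandProperty Name)) {
    # Event 1102 lives in the Security log; an empty result is simply no hits.
    $cleared = Get-WinEvent -ComputerName $srv -FilterHashtable @{
        LogName = "Security"; Id = 1102; StartTime = $since
    } -ErrorAction SilentlyContinue

    $stopped = Get-Service -ComputerName $srv -Name $watchedServices -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -ne "Running" }

    [pscustomobject]@{
        Server            = $srv
        SecurityLogClears = @($cleared).Count                              # should be 0
        LastClearedAt     = ($cleared | Select-Object -First 1).TimeCreated  # newest first
        StoppedServices   = (($stopped | ForEach-Object Name) -join ", ")  # should be empty
    }
}
```

Any non-zero SecurityLogClears count should already exist as an alert in the organization's monitoring system; if it does not, the monitoring gap is the audit finding.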

Thank you for reading Microsoft Exchange Server Security Audits: Detailed Guide. Let’s summarize below.

Microsoft Exchange Server Security Audits: Detailed Guide Conclusion

In conclusion, the performance of a cybersecurity audit, with a specific focus on the Exchange Server and its related components, is important for ensuring the overall security of email infrastructure. Through a careful examination of patch management procedures, the audit ensures that all systems, including Exchange Server, Windows Server, and third-party components, are regularly updated to address vulnerabilities promptly. The evaluation of patch management documentation, its regular review, and adherence to adopted procedures further fortify the organization’s defense against potential threats.

Privileged access management is scrutinized to confirm the correctness of administrative role assignments, the existence of a proper privilege escalation process, and the auditing of administrative actions. This aids in maintaining a secure and controlled environment, minimizing the risk associated with elevated access. Mail flow security assessment delves into the configuration of various aspects of SMTP transport, ensuring authorized and secure communication. Client access security evaluation focuses on the availability of legacy protocols, TLS protection of HTTP traffic, usage of secure authentication technologies and the reliability of email client software.

In essence, the cybersecurity audit acts as a proactive measure, providing organizations with valuable insights into their security posture, identifying potential weaknesses, and enabling the implementation of appropriate security measures.


Marat M

System administrator with 14 years of practical experience. Specializes in Microsoft products such as Exchange Server, Active Directory, Microsoft 365 and Azure.
