Everything counts in IT and security. It's no different from what we do in our personal lives, including our eating habits and activity level. Every decision you make and everything you do either moves you toward or away from your goals as an Exchange administrator.
Each choice determines how resilient your Exchange environment is against attacks, how much downtime you'd experience in the event of an attack, what or how much data would be lost, and more. Here are some daily security steps to take to protect an Exchange setup.
- Learn about security. If security is part of your responsibilities as an Exchange admin, don't try to wing it by learning security as you go. Security is more than passwords and encryption. Subscribe to dedicated online resources. Follow security pros on Twitter. Read a few pages of popular security books each day. You can learn from others and quickly gain an immense amount of the necessary security knowledge.
- Assess Exchange-related risks. Many people go about security the wrong way; they create policies, standards and procedures and then proceed to lock everything down without having an inkling of what threats and vulnerabilities exist. Understanding your risks starts with learning more about security as it relates to your Exchange setup. You can hire someone to perform a formal information risk assessment, or run periodic vulnerability scans yourself. Try to find new risks each day -- they're there.
- Perform proactive system monitoring. Monitoring the system is a great way to understand which threats are exploiting which vulnerabilities. Still, so many IT and security admins, at businesses large and small, are merely being reactive and digging through logs once problems occur. This is not for you. Reviewing Exchange application and server logs is critical for your daily security routine. You may be concerned that you could overlook something if you're not familiar with what to look for. Or, you may be worried that you don't have enough information about the overall network to make informed decisions. Do what I recommend to my clients and outsource this function so you can be done with it.
- Work with the right people to set and enforce the necessary security policies. Once you understand what's needed based on the risks to your specific Exchange setup, write your policies. This security policy template is a good place to start. Develop Exchange-centric security standards because standards are the documents that support your policies. In the context of Exchange in your Active Directory domain, you should have standards around passwords, patching and who uses and manages mobile devices, at a minimum. Most importantly, ensure your policies are being enforced on a daily basis. You can ease policy making by also understanding security, applicable risks and system monitoring -- it all ties together!
- Maintain when necessary. Whether you have an internal Exchange system or you're running in a cloud-based configuration, someone needs to patch Exchange, Windows and any other software running on the involved servers. I routinely find Exchange and Windows patches dating back several years missing from what many consider to be their most critical business system. You may be afraid to patch Exchange systems, just as many database administrators are hesitant to patch SQL Server. But what's the alternative? Consider your backups and whether you'll be able to rely on them when the time comes. You have to be prepared. Ditto for server utilization and, especially, drive space. You'd be surprised at how easily a hacker's actions can fill up your Exchange drive space with emails and log files.
- Share information with others. This includes IT and security staff, your chief information security officer, internal auditors and your compliance officer to ensure everyone is on board with what's taking place. This will help you work better with your peers and management to make more informed decisions about information security as a whole. Do this every day.
Whether you're doing these things consciously or subconsciously, they make a world of difference in how an Exchange system stands up against daily threats. Think about how these steps can enhance Exchange in your overall business. You may already be doing many of them, but perhaps there are ways you can do them better. What about doing them more often? Can you get others involved?
Once you determine where improvements can be made, set reasonable goals for yourself to ensure they come to fruition. This is as simple as determining what you want, outlining the steps required, setting deadlines for accomplishment and then working on each one every single day.
Don't wait for a breach, system outage or data loss to happen. Developing these day-to-day steps into habits could take just two or three weeks. They won't require you to retool the environment, and they don't cost much. But they can certainly make a world of difference in Exchange security.
About the author:
Kevin Beaver is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC. With over 26 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com and you can follow him on Twitter, watch him on YouTube and connect to him on LinkedIn.