One of the most common challenges in IT is getting good hands-on experience with security. Many IT professionals are hesitant to play around with Exchange in production, which makes sense when there's the potential to take down or hinder one of the most critical systems in the business. But if admins want to ensure the resiliency of Exchange environments, they'll have to poke and prod their servers to find vulnerabilities and see how they withstand attacks during routine assessments and penetration tests.
So what's the best approach to gain experience finding Exchange-based vulnerabilities and learning how to lock the systems to minimize business risks? Exchange admins likely won't be able to replicate their exact production environment, but they can set up a test environment -- perhaps even a mirror of their production environment -- on a safe area of the network where they can bang on it to their heart's content without any negative impact. Only admins will know what the best fit is for their environment, but there are six ways to complement their setup and improve their Exchange security skills.
- Use the Microsoft Baseline Security Analyzer either directly on the Exchange Server in the test environment or across the network. Admins could also run a vulnerability scanner, such as Nexpose Community Edition or LanGuard. Admins should scan with authentication where they can because that will help uncover dozens of additional vulnerabilities they won't otherwise see.
- Admins can use a network analyzer to monitor network traffic exchanges between their workstations and their server, or between their servers and the outside world. The former option requires running a network analyzer on the local machine, such as the free Wireshark or CommView, a reasonably priced commercial alternative.
If admins want to capture traffic between two other systems, they'll need to set up a mirror/span port on their managed Ethernet switch. Still, it's a relatively simple endeavor. They'll likely be surprised by what they can uncover with their network analyzer, including unencrypted email, email protocols that violate existing policies such as POP3 and SMTP relaying, and direct attacks against Exchange.
- Use Microsoft's Modern.ie, a set of freely available virtual machines (VMs) containing multiple versions of Windows and Internet Explorer for Windows, Mac and Linux platforms; these can be used for manually exploring the security ins and outs of Outlook Web Access (OWA). Used in conjunction with Internet Explorer's F12 Developer Tools (just press F12 in the browser) or a good Web proxy such as Burp Proxy or Zed Attack Proxy (ZAP), these VMs let Exchange admins discover a load of behind-the-scenes information about how security works within OWA.
- Taking the previous step to the next level, admins could set up a VirtualBox or similar VM running trial versions of Windows Server and Exchange. This will give admins a direct, hands-on view of just how vulnerable or secure such a system can be when it is probed with the vulnerability testing and forensics analysis tools in Kali Linux, Elcomsoft's Windows password-cracking tools and other tools.
- Use Microsoft's Security Compliance Manager and accompanying security baselines and guide for Exchange to step through an Exchange configuration or see what an ideal setup might consist of.
- Use a social engineering tool such as SpearPhisher to set up test cases for checking the gullibility of Exchange users in an organization toward phishing emails. Just be sure to thoroughly plan its use in advance with the right people in management.
Admins can get hands-on experience with Exchange security for little to no cost. The myriad free training resources available online can be invaluable. Taking these steps is a must for any Exchange admin looking to take measures to ensure they run a secure messaging platform.
About the author:
Kevin Beaver is an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic, LLC. With over 26 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com and you can follow him on Twitter, watch him on YouTube and connect with him on LinkedIn.