Traditional Exchange security may have taken a backseat to e-discovery and email retention lately, but that doesn't mean the risks have disappeared. In any given security assessment I see predictable and serious Exchange Server risks that not only put your organization out of compliance with current regulations but also create some unwanted information security issues.
Regardless of the size of your Exchange organization and the risk tolerance of the powers that be, there are nine basic security risks that you must watch for to keep your Exchange environment secure.
- Missing patches -- This is the number one culprit I've seen that exposes Exchange systems to unnecessary risks. While it's often assumed that change management processes are being followed and patches are automatically being applied, it's not unusual for systems -- including critical Exchange servers -- to somehow fall outside the scope of patching and patch validation. All it takes is a single missing patch for an external attacker or malicious insider to use Metasploit or a similar tool to expose your entire messaging environment.
- Flaws in additional software -- Many Exchange servers are used for other purposes like file transfer protocol (FTP), network administration and general Web browsing. All of these can introduce weaknesses and broaden an Exchange system's attack surface. Exchange security add-ins can also create their own issues, as can be seen on the National Vulnerability Database site, a government repository of standards-based vulnerability management data.
- OWA weaknesses -- Weak Exchange passwords are easily exploitable via the Web. It only takes one weak password for an attacker to get in, gain access to Exchange public folders, glean other email account names and proceed to crack other users' passwords. Even with intruder lockout in place, the denial of service conditions created by an attacker running a password-cracking attack against known accounts can affect several users.
- Poor or nonexistent audit logging and monitoring -- This is the classic case of overworked network administrators who don't have a handle on their Exchange, IIS and Windows logs. Logging and monitoring are necessary evils, but you can tame these beasts if you use the proper tools or managed services.
- Weak or lax security testing -- Often, certain Exchange systems are completely overlooked during in-depth security assessments. Many administrators rely on basic security scans rather than in-depth assessments, but these can create a false sense of security. Exchange systems are also excluded from internal security assessments. I've found that Exchange servers tend to be sitting ducks on the Internet; you can't overlook the trusted users who have greater access to the Exchange environment via their direct network connections.
- Lack of integration with the organization's contingency plans -- Administrators tend to overlook incident response and disaster recovery plans until a breach occurs. Even when these plans do exist, it's rare that the Exchange messaging system is included. Considering how much we depend on email availability for business, overlooking this issue sets everyone up for failure.
- Minimal content filtering and employee monitoring -- For some reason, I don't see a lot of content filtering rules configured in Exchange, nor do I see many companies using third-party solutions to get inappropriate content and data leakage under control. When content filtering or some form of employee monitoring technology is present, it's often placed in the hands of the network admin for sole judge/jury/executioner control, which is not ideal.
- Underlying OS weaknesses -- As much as we like to focus on specific applications, we often overlook the very foundation upon which they run -- Windows OS. Weak file/share permissions, weak passwords and missing patches are just a few of the ways that the underlying OS can be exploited to gain access to the messaging environment.
- Lack of malware protection -- It's often assumed that malware protection at the desktop or network perimeter is all that's needed. Although anti-virus software can bog down system performance, you still don't want to exclude protection of the Exchange server itself. With malware capable of bringing your network to its knees and the fact that existing solutions are seemingly incapable of catching/preventing everything, it's not a bad idea to have protection at the perimeter, on the Exchange server, and at the desktop level.
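The OWA and logging items above go together: the same IIS logs that administrators struggle to keep up with are where password guessing against OWA, and the lockout-driven denial of service it causes, first become visible. The following is an added example, not code from the original article, that runs a simple detection over a constructed IIS W3C log excerpt; it assumes a failed OWA logon is recorded as an HTTP 401 on POST /owa/auth.aspx with the attempted account in cs-username, and the threshold values are illustrative.

```python
from collections import Counter, defaultdict

# Constructed IIS W3C log excerpt (not real traffic). Assumption for this
# example: a failed OWA logon is logged as HTTP 401 on POST /owa/auth.aspx
# with the attempted account name in cs-username.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-01-15 08:00:01 POST /owa/auth.aspx alice 203.0.113.10 401
2024-01-15 08:00:02 POST /owa/auth.aspx bob 203.0.113.10 401
2024-01-15 08:00:03 POST /owa/auth.aspx carol 203.0.113.10 401
2024-01-15 08:00:04 POST /owa/auth.aspx dave 203.0.113.10 401
2024-01-15 08:00:05 POST /owa/auth.aspx erin 198.51.100.7 401
2024-01-15 08:00:06 POST /owa/auth.aspx erin 198.51.100.7 401
2024-01-15 08:00:07 POST /owa/auth.aspx erin 198.51.100.7 401
2024-01-15 08:00:08 POST /owa/auth.aspx frank 192.0.2.5 200
"""

def parse_iis_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip malformed lines
                yield dict(zip(fields, values))

def owa_auth_failures(text):
    """Count failed OWA logons per source IP and per account, and record the
    set of distinct accounts each source IP has tried."""
    per_ip, per_account = Counter(), Counter()
    accounts_by_ip = defaultdict(set)
    for rec in parse_iis_log(text):
        if (rec["cs-method"] == "POST" and rec["sc-status"] == "401"
                and rec["cs-uri-stem"].lower() == "/owa/auth.aspx"):
            per_ip[rec["c-ip"]] += 1
            per_account[rec["cs-username"]] += 1
            accounts_by_ip[rec["c-ip"]].add(rec["cs-username"])
    return per_ip, per_account, accounts_by_ip

def find_alerts(text, spray_accounts=4, lockout_threshold=3):
    """SPRAY: one IP failing against many accounts (guessing across users).
    LOCKOUT_RISK: one account with enough failures to trip intruder lockout,
    i.e. the denial-of-service side effect of the same activity."""
    _, per_account, accounts_by_ip = owa_auth_failures(text)
    alerts = [("SPRAY", ip, len(names)) for ip, names in accounts_by_ip.items()
              if len(names) >= spray_accounts]
    alerts += [("LOCKOUT_RISK", user, n) for user, n in per_account.items()
               if n >= lockout_threshold]
    return sorted(alerts)
```

Calling `find_alerts(SAMPLE_LOG)` returns one SPRAY alert for 203.0.113.10 and one LOCKOUT_RISK alert for erin; in practice the thresholds should track your actual lockout policy and a time window.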
It's easy to seek out the technical shortcomings related to managing Exchange risks, but you absolutely need to consider the operational issues as well. Both issues go back to the fact that messaging and Exchange often fall outside the scope of security policies. Even though email security isn't considered as sexy as other security issues going on these days, a focused approach to managing Exchange risks is still a necessity.
ABOUT THE AUTHOR: Kevin Beaver
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Having worked for himself over the past seven years, he specializes in performing independent security assessments and helping IT professionals enhance their careers. Kevin has also authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and Security on Wheels blog providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.