Six commonly overlooked Exchange security vulnerabilities

Think you’re taking the steps needed to fully secure Exchange? Think again.

Too often administrators treat Exchange as a regular old server -- with no serious efforts put into securing it....

Consider how much we rely on email in day-to-day business. Add data and legal discovery complexities to the mix, and you can't deny the importance of keeping your Exchange environment in check.

The following list details common Exchange security vulnerabilities. Make sure you’re not letting threats fly in under your security radar:

  • Gaps in the patching process -- I often find outdated or missing service packs and hotfixes on Exchange servers; some systems may not have been patched in 10 years or more. In these instances, odds are high that malicious insiders who are physically connected to your network can exploit vulnerabilities.

    Once exploited, these flaws can provide attackers with full administrative-level remote control of an Exchange system, letting them copy and delete data, add backdoor user accounts and more. The scary thing is that most of this activity goes undetected. Even if you're running Windows Server Update Services (WSUS) or a third-party patch-management system, servers can still be behind on patches.

  • Weak passwords -- Like missing patches, weak passwords are an easily avoidable security hole, so there’s no excuse for them. For some reason though, weak passwords still exist in many Exchange environments. All it takes is a single Exchange account with a weak password to give an outsider full access to your messaging environment.

    In various security assessments, I’ve found it easy to hack weak Exchange passwords for users’ Outlook Web Access (OWA) accounts. This creates a slippery slope of security troubles. Accessing one OWA account allows a hacker to glean all company-wide email addresses via the global address list (GAL). Using that information, hackers then can find several other poorly protected user accounts to gain access to users' email and the organization’s public folders.

  • Leaving private data in public folders -- Users often assume that since their co-workers have Exchange/network accounts, they should also have access to the sensitive information that is often available in public folders. This is far from the truth. I've seen a great deal of sensitive business information shared in public folders that should be inaccessible to others within the organization.

  • SMTP and POP3 access -- Many Exchange servers have SMTP and POP3 enabled, which isn’t necessarily a bad thing. But there is a problem if SMTP and POP3 are transmitted without Secure Sockets Layer/Transport Layer Security (SSL/TLS) in place. If you don't use SMTPS (TCP port 465) and POP3S (TCP port 995), email messages and login credentials are exposed when sending or receiving email from unsecured wireless networks.

  • Outlook Web Access and Outlook Web App -- I know I certainly couldn’t live without OWA, but it is a risky technology in many situations. I often see OWA servers that are not configured to run over SSL. This can lead to the same security problems you encounter with SMTP and POP3. I've also seen Internet Information Services (IIS) running with SSL version 2 and low-encryption ciphers, both of which have known flaws and can facilitate further attacks. If a hacker sees you're using either of these, they know they have the ability to decrypt the communication session and view your email traffic in clear text.

    Another common security flaw with OWA is that users are not forced to log off their OWA accounts after long idle periods. Untrained users, or users who aren’t required to lock their desktop screens when unattended, only exacerbate the problem.

  • Shared Exchange administrator accounts -- When someone with administrative access is fired or leaves an organization on bad terms, things can turn ugly fast. I’m not saying you should have only one Exchange administrator, but I do believe you should know exactly who has administrative rights. You also need a solid process that involves HR to make sure things go smoothly if and when administrators leave the organization.
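The following audit script is an added example, not part of the article or any Exchange product, that checks for the gaps listed above (stale patches, POP3/SMTP without TLS, OWA not forced onto SSL, SSL 2.0 still enabled, no OWA idle timeout, and who holds administrative rights). It assumes it is run from an elevated Exchange Management Shell on the Exchange server itself, Exchange 2010 SP2 or later (for the activity-based timeout setting), the IIS WebAdministration module, and OWA living under the default web site; adjust paths and thresholds to your environment.

```powershell
# Added audit example (not from the article). Assumes an elevated Exchange Management
# Shell on the Exchange server, Exchange 2010 SP2+, and the WebAdministration module.
# Treat each finding as something to verify against your own baseline, not a verdict.
Import-Module WebAdministration -ErrorAction SilentlyContinue
$findings = @()

# 1. Patching: when was the most recent hotfix installed? (90-day threshold is an assumption)
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
             Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-90)) {
    $findings += "Patching: newest hotfix installed '$($lastPatch.InstalledOn)'; review service pack and WSUS status"
}

# 2. POP3 and SMTP without TLS: plain-text logins allowed, or connectors that never offer TLS
Get-PopSettings | Where-Object { $_.LoginType -eq 'PlainTextLogin' } | ForEach-Object {
    $findings += "POP3: plain-text logins allowed on $($_.Server); set LoginType to SecureLogin"
}
Get-ReceiveConnector | Where-Object { "$($_.AuthMechanism)" -notmatch 'Tls' } | ForEach-Object {
    $findings += "SMTP: receive connector '$($_.Identity)' does not offer TLS"
}

# 3. OWA not requiring SSL in IIS (sslFlags should contain 'Ssl')
$ssl = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\owa' `
        -Filter 'system.webServer/security/access' -Name sslFlags
if ($ssl.Value) { $ssl = $ssl.Value }
if ("$ssl" -notmatch 'Ssl') { $findings += "OWA: /owa does not require SSL (sslFlags='$ssl')" }

# 4. SSL 2.0 not explicitly disabled for the server side of SCHANNEL
$ssl2 = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' `
        -Name Enabled -ErrorAction SilentlyContinue
if (-not $ssl2 -or $ssl2.Enabled -ne 0) {
    $findings += "TLS: SSL 2.0 is not explicitly disabled in SCHANNEL; set Enabled=0 and retest with your scanner"
}

# 5. OWA idle sessions never forced to log off
$org = Get-OrganizationConfig
if (-not $org.ActivityBasedAuthenticationTimeoutEnabled) {
    $findings += "OWA: activity-based timeout disabled; enable it and set -ActivityBasedAuthenticationTimeoutInterval"
}

# 6. Know exactly who holds Exchange administrative rights
$admins = @(Get-RoleGroupMember -Identity 'Organization Management')
$findings += "Admins: Organization Management has $($admins.Count) member(s): $(($admins | ForEach-Object { $_.Name }) -join ', ')"

$findings
```

Run it on a schedule and diff the output against the previous run; a new Organization Management member or a connector that has lost TLS is then a visible change rather than something you discover during an assessment.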

[Figure 1. The ethical hacking process]

To protect the organization now and down the road, make sure that your Exchange environment is included in your vulnerability assessments and penetration tests. This means you should use the ethical hacking methodology (Figure 1, above) to poke around your Exchange system -- inside and outside your network. Doing so will uncover any of these vulnerabilities, if they exist, as well as others.

About the author: Kevin Beaver is an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic, LLC. With over 22 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored nine books on information security including The Practical Guide to HIPAA Privacy and Security Compliance and the best-selling Hacking For Dummies, 3rd edition. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.
