Problem solve Get help with specific problems with your technologies, process and projects.

Solidify your Exchange Server security incident response plan

One of your duties as an Exchange administrator is to create and follow an incident response plan. Here's why it's important to prepare for a security breach in your Exchange Server organization.

Do you ever feel like you're wearing too many hats in your job as an IT professional? Even if you're a dedicated...

Exchange Server administrator, you probably have a lot of other responsibilities. However, you may not have thought about security incident response.

Incident response is the science of responding to security breaches. In the context of Exchange management, it's the process of detecting security incidents within your messaging environment and responding to them in a methodical fashion to minimize damage.

Exchange Server-related security incidents might include:

  • Malware outbreaks
  • Denial of service
  • Exploitation of patches by a rogue insider
  • Account enumeration/user harvesting
  • Data leakage
  • Password cracking
  • Spam relaying
  • Data leakage

With each of these incidents, there are specific steps you'll need to take in order to recover from the attack. From penetration analysis to forensics investigation, incident response requires hands-on technical knowledge as well as higher-level business process expertise.

Some steps you'll need to take will be technical, such as creating an Exchange and Windows server log review, running network protocol analysis and administering system patches. Others steps will be more operational in nature -- creating and instating documentation and policy tweaks.

The reality is that you need to have solid incident response procedures in place. If not, you're more likely to react rather than respond, which ultimately leads to increased business risks.

Figure 1 outlines the necessary components for correctly handling Exchange Server breaches:

Essential elements of a good Exchange incident response plan
Figure 1. Essential elements of a good Exchange incident response plan

Although many Exchange Server-related security incidents can be prevented in the first place, you'll still need some documented guidance to refer to when you do need it. Remember, a breach can snowball and affect your Exchange incident response, encompassing your entire network -- from applications to databases to mobile devices.

If your Exchange Server organization is developing an incident response plan, it's helpful to start small, base it around your Exchange environment and build out from there. This will keep you ahead of the pack and prepared for the worst.


Kevin Beaver
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Having worked for himself over the past seven years, he specializes in performing independent security assessments and helping IT professionals enhance their careers. Kevin has also authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and Security on Wheels blog providing security learning for IT professionals on the go. Kevin can be reached at

Dig Deeper on Exchange Server setup and troubleshooting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.