S 5.12 Microsoft Exchange/Outlook
Description
Microsoft Exchange is a management system for electronic messages that also offers workflow support functions. Amongst other things, it is intended for exchanging messages such as emails internally and externally in medium-sized to large organisations. Exchange can be used to manage, deliver, filter, and send messages. Furthermore, typical communication applications such as newsgroups, calendars, and task lists, as well as Unified Messaging (standardisation of incoming and outgoing messages) are offered and managed by Exchange.
Microsoft Outlook is an email client that is part of the Microsoft Office package. In addition to the pure email functionality, it also offers a host of additional functions intended to facilitate business processes (e.g. communication, messaging) in companies and government agencies.
This module contains security recommendations normally referring to the functions of Microsoft Exchange 2010 and/or Microsoft Outlook 2010. These recommendations may also be used for previous and successor versions in similar form.
Threat scenario
The following typical threats are assumed for IT-Grundschutz of communication systems on the basis of Microsoft Exchange servers and Microsoft Outlook clients:
Force Majeure
T 1.1 | Loss of personnel |
T 1.2 | Failure of the IT system |
Organisational Shortcomings
T 2.1 | Lack of, or insufficient, rules |
T 2.2 | Insufficient knowledge of rules and procedures |
T 2.7 | Unauthorised use of rights |
T 2.37 | Uncontrolled usage of communications lines |
T 2.55 | Uncontrolled use of Groupware |
T 2.91 | Poor planning of the migration of Exchange |
T 2.92 | Poor control of browser access to Exchange |
T 2.95 | Inadequate concept for linking other systems to Exchange |
Human Error
T 3.1 | Loss of data confidentiality or integrity as a result of user error |
T 3.8 | Improper use of the IT system |
T 3.9 | Improper IT system administration |
T 3.16 | Incorrect administration of site and data access rights |
T 3.38 | Errors in configuration and operation |
T 3.60 | Incorrect configuration of Exchange Server |
T 3.61 | Incorrect configuration of Outlook |
Technical Failure
T 4.20 | Overloaded information systems |
T 4.22 | Software vulnerabilities or errors |
T 4.26 | Failure of a database |
T 4.28 | Loss of data in a database |
T 4.32 | Failure to dispatch a message |
T 4.35 | Insecure cryptographic algorithms |
T 4.83 | Malfunctions of self-developed macros in Outlook |
Deliberate Acts
T 5.9 | Unauthorised use of IT systems |
T 5.19 | Abuse of user rights |
T 5.22 | Theft of a mobile IT system |
T 5.23 | Malicious software |
T 5.77 | Unauthorised monitoring of emails |
T 5.83 | Compromising cryptographic keys |
T 5.84 | Forged certificates |
T 5.135 | SPIT and Vishing |
T 5.163 | Attacks on Exchange systems |
T 5.164 | Misuse of programming interfaces in Outlook |
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
General IT security aspects of an email system, for example the question of connection to the internet, any underlying encryption mechanisms used, handling of active content, the use of anti-virus software, as well as many other aspects, also apply to the secure operation of a Microsoft Exchange system. Refer to module S 5.3 Groupware for more information on the secure operation of email systems. The threats and safeguards contained therein also apply without any restrictions to an Exchange/Outlook system.
Furthermore, aids specifying the notes and security instructions for Microsoft Exchange Server 2010 and Microsoft Outlook 2010 are published on the IT-Grundschutz websites for this module. These aids must be understood as detailed references to the safeguards mentioned herein. Corresponding recommendations and security safeguards for the present version of the component considered are described for all safeguards relevant in each case.
The implementation of the aspects in the safeguards below is explained in further detail and supported by security instructions for
- Microsoft Exchange Server 2010 and
- Microsoft Outlook 2010
in the aids for the IT-Grundschutz catalogues.
The security of the Windows operating system plays an important role in the security of Microsoft Exchange systems. This applies to the server as well as the clients of the network under examination. Accordingly, the security of the underlying operating system must also be taken into consideration. However, operating system security is not covered in this module. Therefore, refer to the modules in Layer 3 of the IT-Grundschutz catalogues for the corresponding descriptions of the secure operation of the operating system used. The security precautions and instructions to be adhered to by the users are of particular importance.
An Exchange system is generally used in an environment together with other systems controlling access to the internal network from the outside. Such systems include, in particular, security gateways and remote maintenance systems with which Microsoft Exchange must interoperate. For this reason, it is always necessary to take into consideration the corresponding recommendations from the respective modules for the other systems affected when implementing the safeguards specific to Microsoft Exchange and/or Outlook. Along with the modules of Layer 3, the following modules, amongst others, must also be taken into consideration:
- S 3.1 Security gateway (firewall), provided that the Exchange systems are used in DMZ environments.
- S 4.4 VPN, if the Exchange system is accessed using VPN.
The steps to be taken into consideration in each phase are listed below.
Planning and design phase
If the decision to use an Exchange system has been made, the secure use of the system must be planned and designed. The aspects to take into account during the planning and design phases can be found in S 2.247 Planning the use of Exchange and Outlook. Taking security-related aspects into consideration during the planning and design phases can already significantly influence the security of an Exchange system.
Special attention must be paid to planning the security in those scenarios where Microsoft Exchange systems are used in typical internet scenarios. S 2.481 Planning the use of Exchange for Outlook Anywhere must be implemented at this point.
Implementation
Once the preparatory organisational tasks have been completed, the Microsoft Exchange system can be installed. Safeguard S 4.161 Secure installation of Exchange systems must be taken into consideration for the installation.
Users and administrators of Exchange systems must receive sufficient training.
However, the actual installation of the Microsoft Exchange system represents only a small portion of the work needed to be done during the implementation phase. Most of the work involves setting up the initial configuration of the Microsoft Exchange system after installation. The initial configuration defines the basic security when starting operation and the boundary conditions for the future security of the Microsoft Exchange system.
The core of every Microsoft Exchange system is the database, its tables, and the data these tables contain. For this reason, security problems in the database environment will always have an effect on the overall security of the system. The recommendations regarding the configuration of Exchange servers and the database can be found in S 4.162 Secure configuration of Exchange servers.
Microsoft Exchange systems are designed as distributed systems and therefore communicate with each other or with other external client or server systems over a variety of interfaces. Therefore, securing the communication is an important task (S 5.100 Protection of communications from and to Exchange systems).
A Microsoft Exchange system must be adapted to the local functional requirements (e.g. business processes) of the company or government agency. This is done by so-called customising (adaptation to the customer); see S 2.483 Security aspects relating to the customisation of Exchange systems.
Operation
After the initial installation and a test operation phase, regular operations can be initiated. In order to detect security violations, the Microsoft Exchange system must be monitored accordingly (S 4.166 Secure operation of Exchange systems and S 2.482 Regular security checks of Exchange systems).
Since a Microsoft Exchange system is subject to constant changes, usually due to new or changed requirements or modified application scenarios, it must be ensured that the desired level of security is also maintained (see also S 1.14 Patch and change management). This particularly applies to proprietary developments (see S 2.379 Software development by end users).
Contingency Planning
Recommendations for contingency planning for Microsoft Exchange systems can be found in safeguard S 4.166 Secure operation of Exchange systems.
Planning and design
S 2.247 | (A) | Planning the use of Exchange and Outlook |
S 2.249 | (B) | Planning the migration of Exchange systems |
S 2.480 | (W) | Use of the Exchange and Outlook documentations |
S 2.481 | (B) | Planning the use of Exchange for Outlook Anywhere |
S 3.84 | (W) | Introduction to Exchange systems |
S 4.381 | (Z) | Encryption of Exchange system databases |
Implementation
S 2.483 | (C) | Security aspects relating to the customisation of Exchange systems |
S 3.31 | (A) | Administrator training on Exchange system architecture and security |
S 3.32 | (A) | User training on Outlook security mechanisms |
S 4.161 | (A) | Secure installation of Exchange systems |
S 4.162 | (A) | Secure configuration of Exchange servers |
S 4.163 | (A) | Access rights to Exchange objects |
S 4.165 | (A) | Secure configuration of Outlook |
S 5.100 | (B) | Protection of communications from and to Exchange systems |
Operation
S 2.482 | (B) | Regular security checks of Exchange systems |
S 4.166 | (A) | Secure operation of Exchange systems |
Contingency Planning
S 6.149 | (A) | Data backup under Exchange |