S 2.482 Regular security checks of Exchange systems

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Auditor, Administrator, IT Security Officer

The security of a Microsoft Exchange system can only be guaranteed over the long term if the system is checked regularly for misconfigurations and weaknesses.

Security checks should be performed at regular intervals by different people. For example, administrators should conduct brief checks relatively frequently (about once per month). It is recommended to create a checklist for these checks so that the scope of each check is well defined. Minor problems detected during a check can usually be corrected immediately by the administrators; major problems must be reported according to the process instructions. Security checks should be conducted by other internal roles (e.g. by someone in the IT Security or IT Audit departments) at medium-term intervals (several months). It may make sense to have checks conducted by external auditors at longer intervals.

The following aspects must be taken into account when performing such checks:

Regularly researching security-relevant information

In general, administrators and the persons responsible for information security must keep themselves informed about new issues and changes affecting the systems they are responsible for. For this, the sources of information provided by Microsoft should be read regularly (see also S 2.480 Use of the Exchange and Outlook documentations).

Authorisations for audit users

The user account used by the external auditor to examine the system configuration should be granted read authorisation only. The audit user must not be allowed to make any changes. If the authorisations of the audit user cannot be restricted to read-only access, access must only be permitted according to the two-person rule.

Regular examination of the authorisations

It is generally impossible to fully examine all authorisations manually because there are simply too many. For this reason, a good authorisation concept is absolutely necessary. However, the authorisations must still be checked regularly to ensure they conform to the authorisation concept. Spot checks may also be performed in this case for important user groups. The authorisation concept must ensure that processes preventing users from accumulating authorisations are implemented.

User authorisations should be checked at regular intervals. The following information is related to security in this case:

Checking the currency of the updates

The currency of the updates installed on the SAP system must be checked. The current patch status of the system must be compared to the patches available. This requires that the auditor is familiar with the patches available from Microsoft. The examination must also check for errors or warnings that occurred during updates.

Checking the security of the communication interfaces

The security of the various communication interfaces (see also S 5.100 Protection of communications from and to Exchange systems) should be checked. In particular, it must be determined which users have administrative authorisations and which services and functions are currently available.

For example, in Microsoft Exchange 2010, monitoring and logging of an Exchange server are implemented using the Microsoft Operations Framework (see Microsoft TechNet "Monitoring and Operations Management: Exchange 2007 Help"), as in Microsoft Exchange 2007.
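As an added example that is not part of the BSI catalogue text, the following Exchange Management Shell script turns three of the check items above (membership of administrative role groups, patch currency of each server, and the communication interfaces) into a repeatable, read-only checklist suitable for the audit account described under "Authorisations for audit users". The approved-member baseline, the display names in it and the report path `\\audit\share` are assumptions; the cmdlets used only read configuration.

```powershell
# Added example (not from the BSI catalogue): read-only Exchange 2010 audit checklist.
# Run in the Exchange Management Shell under the read-only audit account.
# Assumption: the approved baseline below is taken from the authorisation concept;
# the member names are constructed for this example.
$ApprovedAdmins = @{
    'Organization Management' = @('Exchange Admin 1', 'Exchange Admin 2')
    'Recipient Management'    = @('Helpdesk Lead')
    'Discovery Management'    = @()   # no standing members are approved
}
$Findings = @()

# 1. Authorisations: compare each administrative role group against the baseline.
foreach ($Group in $ApprovedAdmins.Keys) {
    $Members    = @(Get-RoleGroupMember -Identity $Group | ForEach-Object { $_.Name })
    $Unexpected = $Members | Where-Object { $ApprovedAdmins[$Group] -notcontains $_ }
    $Missing    = $ApprovedAdmins[$Group] | Where-Object { $Members -notcontains $_ }
    foreach ($m in $Unexpected) { $Findings += "MAJOR   '$Group' has unapproved member '$m'" }
    foreach ($m in $Missing)    { $Findings += "MINOR   '$Group' lacks approved member '$m'" }
}

# 2. Patch currency: record the installed build of every server so the auditor can
#    compare it with the latest build published by Microsoft.
Get-ExchangeServer | ForEach-Object {
    $Findings += "INFO    $($_.Name) runs $($_.AdminDisplayVersion) (roles: $($_.ServerRole))"
}

# 3. Communication interfaces: receive connectors that accept anonymous submission,
#    and server roles whose required services are not all running.
Get-ReceiveConnector | Where-Object { $_.PermissionGroups -match 'Anonymous' } | ForEach-Object {
    $Findings += "CHECK   '$($_.Identity)' allows anonymous submission on " +
                 "$($_.Bindings -join ', ') from $($_.RemoteIPRanges -join ', ')"
}
Test-ServiceHealth | Where-Object { -not $_.RequiredServicesRunning } | ForEach-Object {
    $Findings += "MAJOR   $($_.Role): services not running: $($_.ServicesNotRunning -join ', ')"
}

# Write the dated report (assumed audit share) and surface MAJOR findings, which must be
# reported according to the process instructions; MINOR ones the administrator fixes.
$Report = Join-Path '\\audit\share' ("exchange-check-{0:yyyy-MM-dd}.txt" -f (Get-Date))
$Findings | Set-Content -Path $Report
$Findings | Where-Object { $_ -like 'MAJOR*' } | Write-Warning
```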

Review questions: