S 4.162 Secure configuration of Exchange servers
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
After an Exchange server has been installed, the software must be configured securely based on the specifications from the security concept. Before an administrator proceeds with the configuration steps following a successful installation of Exchange, the general recommendations for administration should be implemented.
During the actual configuration of the Exchange server, the focus should then mainly be on the following:
Administrative information
The access rights for Exchange objects must be restricted to the required scope, see S 4.163 Access rights to Exchange objects. The administrator rights must be defined specifically.
Restriction of the maximum message size
As one possible safeguard against denial-of-service (DoS) attacks, maximum admissible sizes should be defined for both incoming and outgoing messages. The maximum admissible size should be restricted based on the requirements of the organisation. Furthermore, the reaction to be taken when the reference value is reached must be defined. For outgoing emails, for example, the senders should be informed that the reference value was exceeded and the message was not delivered. For incoming emails, the recipients could be informed that a message was not delivered. It is recommended not to fall below a reference value of 10 MB.
Handling special messages
Automatic read and delivery receipts, as well as automatically generated out-of-office messages, may be abused for denial-of-service attacks or may unintentionally cause storage capacity problems. If the use of email confirmations and out-of-office messages is not expressly requested within the company or government agency, it is recommended to prohibit the use of these special messages completely throughout the Exchange organisation. All special message types should be disabled in the default settings.
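The following Exchange Management Shell script is an added example and not part of the safeguard text; it applies the message size and special-message recommendations above. It is written against Exchange 2010 cmdlets, uses the 10 MB reference value as the limit, and assumes the parameter names are checked against the version in use.

```powershell
# Added example, not part of the BSI safeguard text: applies the message size
# and special-message recommendations from the Exchange Management Shell.
# Written against Exchange 2010 cmdlets; verify the parameter names for the
# version in use before running it in production.

# Reference value from the safeguard; raise it to match organisational
# requirements, but do not go below 10 MB.
$MaxSize = 10MB

# Organisation-wide limits for incoming and outgoing messages. Exchange
# returns a non-delivery report to the sender when a limit is exceeded,
# which provides the required notification of the sender.
Set-TransportConfig -MaxReceiveSize $MaxSize -MaxSendSize $MaxSize

# Connector limits apply in addition to the organisation limit; keep them
# consistent so that no connector accepts or sends larger messages.
Get-ReceiveConnector | Set-ReceiveConnector -MaxMessageSize $MaxSize
Get-SendConnector    | Set-SendConnector    -MaxMessageSize $MaxSize

# Special messages: suppress automatic replies (out-of-office), automatic
# forwards and delivery reports towards external domains. The "Default"
# remote domain covers every external domain without its own entry.
Set-RemoteDomain -Identity Default `
    -AutoReplyEnabled $false `
    -AutoForwardEnabled $false `
    -DeliveryReportEnabled $false

# Check for the review: report every connector whose limit still exceeds
# the reference value (empty output means the limits are consistent).
Get-ReceiveConnector |
    Where-Object { $_.MaxMessageSize.ToBytes() -gt $MaxSize } |
    Format-Table Identity, MaxMessageSize -AutoSize
Get-SendConnector |
    Where-Object { $_.MaxMessageSize.ToBytes() -gt $MaxSize } |
    Format-Table Identity, MaxMessageSize -AutoSize
```

Per-mailbox limits set with Set-Mailbox override the organisation-wide values and should be reviewed separately if they are used.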
Configuration of the Exchange connectors
In a multi-server environment, the security of message transmission must be guaranteed, which means that the routing connectors must be configured accordingly. The connections between servers and a routing group are configured automatically during installation. However, the settings of the individual connectors must be adapted manually in order to achieve a higher level of security.
Note that the configuration of the Exchange connectors requires not only Exchange administrator rights but also Windows administrator rights.
Authentication between Exchange servers and SMTP-Relay-Hosts
An SMTP relay host can be configured in the DMZ of an organisation in order to forward incoming and outgoing messages. Public SMTP connections (from the outside to the SMTP relay host) generally cannot be encrypted, since third-party SMTP servers communicate with the SMTP relay host in the DMZ in clear text. The relay host in the DMZ and the servers in the internal network should, however, authenticate each other. The SMTP connector must be configured accordingly.
Access to the Exchange server via HTTP (Outlook Web Access, OWA)
In principle, using the OWA function in the Exchange environment is not recommended. If users are nevertheless to be allowed to access Exchange servers via HTTP, the recommendations from S 5.129 Secure configuration of HTTP-based services on SAP systems must be implemented. Within the organisation, it must be defined whether or not OWA may be used.
Access of MAPI clients to Exchange servers via the internet
It is recommended not to allow users to access the Exchange mailboxes and the global catalogue directly via the internet. If this is to be allowed for whatever reason, the security gateway (firewall) of the organisation must be configured accordingly, see S 2.481 Planning the use of Exchange for Outlook Anywhere.
Configuration of the POP3 and IMAP network protocols
An Exchange server can be accessed using, among other protocols, POP3 and IMAP4. If the organisation decides to use these protocols, authentication and encryption settings should be configured and access restrictions should be defined on the basis of IP addresses or domain names. This is done in the respective protocol settings for the POP3 and IMAP services.
Authentication
The integrated Windows authentication should be preferred over the HTTP Basic authentication as authentication mechanism. The HTTP Basic authentication should only be used in connection with TLS encryption.
Encryption
It is recommended to encrypt the connections if sensitive data is to be transmitted using unprotected communication channels or HTTP Basic authentication is to be used.
Message format
HTML format messages may also contain active elements, which constitute a security risk for clients. It is therefore recommended to configure the Exchange server so that it delivers HTML messages as plain text messages via SMTP, POP3, and IMAP4.
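The following script is an added example and not part of the safeguard text; it applies the POP3/IMAP4 authentication, encryption and message format recommendations above on an Exchange 2010 Client Access server. It assumes that a TLS certificate with the subject name "mail.example.org" (a placeholder) is already installed on the server.

```powershell
# Added example, not part of the BSI safeguard text: hardens the POP3 and
# IMAP4 services and the message format on an Exchange 2010 Client Access
# server. Assumes a TLS certificate whose subject name is "mail.example.org"
# is already installed; replace the name with your own.
$CertName = "mail.example.org"   # assumed certificate subject name

# Authentication and encryption: SecureLogin rejects clear-text logins and
# only accepts credentials after TLS/SSL has been negotiated.
Set-PopSettings  -LoginType SecureLogin -X509CertificateName $CertName
Set-ImapSettings -LoginType SecureLogin -X509CertificateName $CertName

# Message format: deliver bodies as plain text to POP3/IMAP4 clients so that
# active HTML content never reaches them.
Set-PopSettings  -MessageRetrievalMimeFormat TextOnly
Set-ImapSettings -MessageRetrievalMimeFormat TextOnly

# The same for outbound SMTP messages to external domains.
Set-RemoteDomain -Identity Default -ContentType MimeText

# POP3/IMAP4 settings only take effect after the services restart.
Restart-Service -Name MSExchangePOP3, MSExchangeIMAP4

# Check for the review: both services must report SecureLogin and TextOnly.
Get-PopSettings  | Format-List LoginType, X509CertificateName, MessageRetrievalMimeFormat
Get-ImapSettings | Format-List LoginType, X509CertificateName, MessageRetrievalMimeFormat
```

IP- or domain-based access restrictions for these services are not covered by the cmdlets above and must be enforced on the security gateway.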
Secure configuration of the Exchange databases
The database used for storage by a groupware system contains all groupware information of that system (generally excluding passwords of local users, system files, and transaction logs). Unless the database and the groupware system components are installed on the same computer, the groupware system and the database communicate using queries transmitted over the local network. If the database is not operated on the same system, it must be protected specifically.
The following must be taken into account:
- Only the Microsoft Exchange system may access the information stores; this can be enforced by means of packet filters, for example.
- Direct database connections from other systems or clients must be blocked by a security gateway (firewall).
Depending on the application scenario, it may be necessary to implement additional safeguards, in which case the list must be expanded accordingly. It is recommended to implement the recommendations provided by Microsoft for securing the Exchange database. Details on these recommendations can be found in S 2.346 Use of the SAP documentation.
Logs
Exchange system operation must be logged, see S 4.270 Logging of Exchange systems.
The following Microsoft Technet documents contain further notes on how the requirements from this safeguard can be implemented specifically, for example for version 2010:
- The restriction of access authorisations is described in "Permissions: Exchange 2010 Help".
- The settings for implementing the message transmission and compliance policies are described in "Messaging Policy and Compliance: Exchange 2010 Help".
- The configuration of the required connectors is described in "Transport Server Post-Deployment Tasks: Exchange 2010 Help".
- The secure configuration of Outlook Web Access is described in "Understanding Security for Outlook Web Access: Exchange 2007 Help" (the Exchange 2007 documentation applies analogously).
- The access control rules for databases of a mailbox server are described in "Permissions to Manage Mailbox Servers: Exchange 2010 Help". The secure configuration of databases of a mailbox server is described in "Securing Mailbox Servers: Exchange 2010 Help".
Review questions:
- Was the Exchange server configured securely in accordance with the specifications from the security concept?
- Were the access rights for administrators of the Exchange installation specified?
- Is there a specification within the organisation as to whether or not accessing email accounts via Outlook Web Access is permissible?
- Is the database of the Microsoft Exchange system protected against direct access by third parties using a firewall?