S 4.166 Secure operation of Exchange systems

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

Upon installation and configuration of the Exchange servers used, measures for secure operation must be taken.

Administrative aspects

The "least privilege" principle should always be taken into consideration during administration and when assigning authorisations. This is first and foremost applicable to the Exchange administrators: Each administrator should only be granted the rights required in order to perform his/her tasks.

It is recommendable to separate administrative activities at the operating system level and the Exchange application level as far as possible. However, it should be taken into consideration that this is only possible to a limited extent: For some tasks, Exchange administrators also require local administrator rights (for example, for starting and stopping services).
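The following Exchange Management Shell session is an added example for the two paragraphs above; it is not part of S 4.166 and not Microsoft's sample code. It delegates a narrowly scoped recipient role in Exchange 2010 RBAC and then lists which members of the most powerful role group are also local administrators of the server. The OU, group, account and domain names are assumptions.

```powershell
# Added example (not part of S 4.166): least privilege with Exchange 2010 RBAC.
# Run in the Exchange Management Shell as a member of Organization Management.
# "example.local/Sales", "Helpdesk-Sales" and "helpdesk.sales" are assumed names.

# 1. Restrict the write scope to the recipients of one OU so that the delegated
#    administrators cannot modify mailboxes elsewhere in the organisation.
New-ManagementScope -Name "Scope-Sales-Recipients" `
    -RecipientRoot "example.local/Sales" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# 2. Grant only the "Mail Recipients" role (mailbox attributes), no server or
#    organisation-wide roles, and bind it to the scope from step 1.
New-RoleGroup -Name "Helpdesk-Sales" `
    -Roles "Mail Recipients" `
    -CustomRecipientWriteScope "Scope-Sales-Recipients" `
    -Members "helpdesk.sales" `
    -Description "Mailbox attribute administration for the Sales OU only"

# 3. Show what the new group may actually do (should list only "Mail Recipients").
Get-ManagementRoleAssignment -RoleAssignee "Helpdesk-Sales" |
    Select-Object Role, CustomRecipientWriteScope, RecipientWriteScope

# 4. Periodic check for the OS/application separation: which members of
#    Organization Management also sit in the local Administrators group of this server?
$exchangeAdmins = Get-RoleGroupMember "Organization Management" |
    Get-User | Select-Object -ExpandProperty SamAccountName

$localAdmins = ([ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group").psbase.Invoke("Members") |
    ForEach-Object { $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) }

$overlap = $exchangeAdmins | Where-Object { $localAdmins -contains $_ }
if ($overlap) {
    "Exchange administrators who are also local administrators: $($overlap -join ', ')"
} else {
    "No member of Organization Management is a local administrator of $env:COMPUTERNAME."
}
```

The overlap list is not a finding in itself, since some tasks (starting and stopping services, as the text notes) require local administrator rights; it documents which accounts combine both roles so that the exception can be deliberately justified rather than accumulate unnoticed.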

Software and system maintenance

Installing all security-relevant service packs, updates, and patches for the software products in use is an important prerequisite for the secure operation of IT systems. Therefore, the administrators must regularly inform themselves about new weaknesses in the Exchange and operating system versions used and promptly implement suitable measures to remedy such weaknesses. Before a service pack, update, or patch is installed on the productive system, however, it should first be installed in a test environment. This way, it can be checked whether undesired side effects are to be expected. Furthermore, the configuration settings of the overall system should be checked at regular intervals as to whether they still meet the specifications and the security requirements.
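As an added example for the paragraph above (not part of S 4.166), the following Exchange Management Shell script records the Exchange build and recently installed hotfixes and then compares a few transport settings with a baseline that represents the organisation's own specifications. The baseline values are placeholders to be replaced with the values from the security concept; the cmdlets are standard Exchange 2010 cmdlets.

```powershell
# Added example (not part of S 4.166): patch-level inventory and configuration drift
# check for Exchange 2010, intended to be run at regular intervals in the
# Exchange Management Shell. Expected values below are placeholders.

# 1. Which Exchange build runs on each server, and which hotfixes were installed
#    most recently on this host (for comparison with the patch documentation)?
Get-ExchangeServer | Select-Object Name, ServerRole, Edition, AdminDisplayVersion
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn

# 2. Baseline: cmdlet, property and the expected value as Exchange prints it.
#    The entries are examples; the organisation's specifications go here.
$baseline = @(
    @{ Cmdlet = "Get-TransportConfig";    Property = "MaxReceiveSize";            Expected = "10 MB (10,485,760 bytes)" },
    @{ Cmdlet = "Get-TransportConfig";    Property = "MaxSendSize";               Expected = "10 MB (10,485,760 bytes)" },
    @{ Cmdlet = "Get-TransportConfig";    Property = "MaxRecipientEnvelopeLimit"; Expected = "500" },
    @{ Cmdlet = "Get-SenderFilterConfig"; Property = "Enabled";                   Expected = "True" }
)

# 3. Read each setting and report deviations (New-Object is used instead of
#    [PSCustomObject] so that the script also runs on PowerShell 2.0).
$findings = foreach ($item in $baseline) {
    $actual = (& $item.Cmdlet | Select-Object -First 1).($item.Property)
    if ("$actual" -ne $item.Expected) {
        New-Object PSObject -Property @{
            Setting  = "$($item.Cmdlet)/$($item.Property)"
            Expected = $item.Expected
            Actual   = "$actual"
        }
    }
}

if ($findings) {
    "Deviations from the configuration baseline:"
    $findings | Format-Table Setting, Expected, Actual -AutoSize
} else {
    "All checked settings match the baseline."
}
```

Any deviation listed here is either an undocumented change to be reverted or a legitimate change whose new value must be carried into the specification; the check only makes the gap visible.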

Configuration of the Exchange connectors

In a multi-mail server environment, the security of message transmission must be guaranteed, which means that the routing connectors must be configured accordingly. The connections between the servers within a routing group are configured automatically during installation. However, the settings of the individual connectors must be adapted manually in order to achieve a higher level of security.

It must be observed that the configuration of the Exchange connectors does not only require Exchange administrator rights, but also Windows administrator rights.

Data backups

Regular data backups of the Exchange system and the Active Directory must be performed as a basis for quick data recovery, e.g. upon system failure (see S 6.149 Data backup under Exchange).

Reliability and contingency planning

Ultimately, a practicable contingency plan should be present as a precaution. The contingency plan for Microsoft Exchange systems must integrate into the contingency plan of the respective Windows server network (see S 6.76 Creation of a contingency plan for failure of Windows systems). The Global Catalog Server must always be available in order to securely and uninterruptedly operate Microsoft Exchange. In order to mitigate the effects of a Microsoft Exchange system failure, Exchange data can be distributed to several servers by partitioning. In this case, individual server failure only affects a part of the data. Partitioning requires demand-based planning and implementation.

A contingency plan and a restart plan must be drawn up for the Exchange system currently in use. The details of the required contingency and restart safeguards to be compiled here are specific to each Exchange version. For example, Microsoft Exchange Server 2010 offers comprehensive high-availability features that can be used to reduce the damage in emergency situations. These are described in Microsoft TechNet in "High Availability and Site Resilience: Exchange 2010 Help". First and foremost, the recovery of a server (see "Recover an Exchange Server: Exchange 2010 Help") and the restoration of data using a recovery database (see "Restore Data using a Recovery Database: Exchange 2010 Help") are mentioned as disaster recovery options. It is therefore important to test the respective emergency precautions by means of corresponding emergency drills.
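The following Exchange Management Shell script is an added example that serves the data backup paragraph and the two contingency planning paragraphs above; it is neither part of S 4.166 nor Microsoft's code. It checks, before an emergency drill, the points the text names as preconditions: all required Exchange services running, a reachable Global Catalog server, healthy database copies, and a recent full backup of every mailbox database. The 24-hour backup age threshold is an assumption.

```powershell
# Added example (not part of S 4.166): contingency readiness check for Exchange 2010,
# run in the Exchange Management Shell before an emergency drill.
# The maximum backup age (24 hours) is an assumed organisational requirement.

# 1. Required Exchange services per server role
foreach ($server in Get-ExchangeServer) {
    Test-ServiceHealth -Server $server.Name |
        Where-Object { -not $_.RequiredServicesRunning } |
        ForEach-Object { "$($server.Name) [$($_.Role)]: not running: $($_.ServicesNotRunning -join ', ')" }
}

# 2. Global Catalog availability: which GCs Exchange currently uses, and whether
#    the forest can still locate one right now.
Get-ExchangeServer -Status | Select-Object Name, CurrentGlobalCatalogs
$gc = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().FindGlobalCatalog()
"Global Catalog located: $($gc.Name)"

# 3. Database copy status on all DAG members; anything other than Mounted or
#    Healthy needs attention before relying on failover in the drill.
$good = @("Mounted", "Healthy")
Get-MailboxDatabase | ForEach-Object { Get-MailboxDatabaseCopyStatus -Identity "$($_.Name)\*" } |
    Where-Object { $good -notcontains $_.Status } |
    Select-Object Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState

foreach ($dag in Get-DatabaseAvailabilityGroup) {
    foreach ($member in $dag.Servers) {
        Test-ReplicationHealth -Server $member.Name |
            Where-Object { $_.Result -ne "Passed" } |
            Select-Object Server, Check, Result, Error
    }
}

# 4. Backup age per mailbox database (from the last full backup timestamp the
#    Exchange store records); databases never backed up report an empty value.
$limit = (Get-Date).AddHours(-24)
Get-MailboxDatabase -Status |
    Where-Object { -not $_.LastFullBackup -or $_.LastFullBackup -lt $limit } |
    Select-Object Name, Server, LastFullBackup, LastIncrementalBackup, BackupInProgress
```

An empty output in steps 1, 3 and 4 and a located Global Catalog in step 2 are the expected state; every line that does appear is an item to resolve and to record in the contingency plan before the drill is carried out.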

Protection against denial-of-service attacks (DoS)

In order to provide protection against DoS attacks, it is recommendable to introduce restrictions for the maximum possible message and/or storage volumes. This is first and foremost applicable to incoming connections.

Message filtering constitutes another mechanism. This mechanism is not designed to repel large-scale spam attacks, but it can be used reasonably for filtering individual senders.
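The following Exchange Management Shell commands are an added example for both DoS-related paragraphs above (volume limits and sender filtering); they are not part of S 4.166 and not Microsoft's sample configuration. All limit values, the connector name "HUB01\Internet Inbound" and the blocked addresses are assumptions chosen for illustration.

```powershell
# Added example (not part of S 4.166): message/storage volume limits and sender
# filtering on an Exchange 2010 Hub Transport server (Exchange Management Shell).
# All values and names below are assumptions; adapt them to the security concept.

# 1. Organisation-wide ceilings: message size in both directions and the
#    number of recipients a single message may address.
Set-TransportConfig -MaxReceiveSize 10MB -MaxSendSize 10MB -MaxRecipientEnvelopeLimit 500

# 2. Stricter limits on the Internet-facing receive connector, i.e. on incoming
#    connections, which the text names as the primary concern.
$inbound = Get-ReceiveConnector "HUB01\Internet Inbound"
Set-ReceiveConnector -Identity $inbound `
    -MaxMessageSize 10MB `
    -MaxRecipientsPerMessage 200 `
    -MaxInboundConnection 1000 `
    -MaxInboundConnectionPerSource 20 `
    -MaxInboundConnectionPercentagePerSource 2 `
    -ConnectionTimeout 00:05:00 `
    -ConnectionInactivityTimeout 00:01:00 `
    -MessageRateLimit 100

# 3. Storage volume: mailbox quotas set on all mailbox databases (warning,
#    prohibit send, prohibit send and receive).
Get-MailboxDatabase | Set-MailboxDatabase `
    -IssueWarningQuota 1800MB -ProhibitSendQuota 1900MB -ProhibitSendReceiveQuota 2GB

# 4. Sender filtering for individual senders and domains. The Sender Filter agent
#    is only available after the anti-spam agents have been installed on the Hub
#    Transport server (install-AntispamAgents.ps1 in the Exchange scripts folder).
Set-SenderFilterConfig -Enabled $true -Action Reject `
    -BlockedSenders "bulk-sender@example.net" `
    -BlockedDomainsAndSubdomains "unwanted.example"

# 5. Verification of the resulting configuration
Get-TransportConfig | Format-List MaxReceiveSize, MaxSendSize, MaxRecipientEnvelopeLimit
Get-ReceiveConnector -Identity $inbound |
    Format-List MaxMessageSize, MaxRecipientsPerMessage, MaxInboundConnection*, MessageRateLimit
Get-SenderFilterConfig | Format-List Enabled, Action, BlockedSenders, BlockedDomainsAndSubdomains
```

The connector-level limits in step 2 act per connection and per source address and therefore cap what any single remote system can consume; the organisation-wide limits in step 1 apply regardless of the path a message took. Step 4 shows the mechanism the text describes as suitable for individual senders, not for large-scale spam.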

The documents in Microsoft TechNet describe how these requirements are to be implemented in detail; for version 2010, for example, in the following documents:

Review questions: