Exchange Server is a popular email server application that runs on the Windows Server operating system. It is also one of the most frequently attacked pieces of software in a Microsoft environment, especially when it runs on-premises.
As an IT administrator, it’s important to understand how Exchange servers can be attacked and how to secure them.
Exchange Server: A Vulnerable History
Over the years, Exchange servers have been subject to a slew of vulnerabilities. In March 2021, a China-based attacker group called Hafnium targeted over 400,000 unpatched on-premises servers by exploiting multiple zero-day vulnerabilities to access email accounts, and then installed malware to gain long-term access. Microsoft identified the vulnerabilities and released security updates and patches, but the group had already gained access to over 30,000 organizations in the United States.
In August 2021, a collection of vulnerabilities dubbed ProxyShell was discovered in Microsoft Exchange. These Exchange server vulnerabilities enable threat actors to bypass authentication and execute code as a privileged user — and they are relatively easy to exploit. Remote code execution (RCE) vulnerabilities are particularly problematic because they enable a threat actor to perform a variety of tasks on a victim’s environment remotely. ProxyShell was (and still is) widely exploited by threat actors, who deploy web shells to remotely execute code on compromised devices.
In September 2022, two zero-day vulnerabilities were discovered in Microsoft Exchange Server 2013, 2016, and 2019 that closely resembled ProxyShell: CVE-2022-41040, a server-side request forgery (SSRF) vulnerability, and CVE-2022-41082, an RCE vulnerability. In the observed attack chain, the threat actor uses the ProxyShell-style exploit to spawn cmd.exe as a child of the IIS worker process (w3wp.exe) and then relies on living-off-the-land binaries already present in the environment to carry out the rest of the attack.
As you can see, vulnerabilities in Exchange are common and almost expected — which is why security teams should prioritize protecting Exchange servers.
Best Practices to Secure Microsoft Exchange Servers
1. Use Windows Firewall
Installing Exchange Server automatically adds the rules it needs to Windows Firewall, a Windows component that is enabled by default in most modern versions of Windows. It may be tempting to disable Windows Firewall when it causes problems and to assume that your network firewall is enough to rely on.
However, doing this is generally a security risk and should be avoided at all costs — especially for on-premises servers.
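The following is an added example, not code from the original article: a short PowerShell audit that reports the state of each Windows Firewall profile on an Exchange server, lists the Exchange-related rules, and re-enables any profile that has been switched off. It assumes the NetSecurity module (present on Windows Server 2012 and later) and that the Exchange rules carry "Exchange" in their display name, which is an assumption you should check against your own server.

```powershell
# Added example (not from the original article): audit Windows Firewall on an Exchange
# server and re-enable any disabled profile. Requires the NetSecurity module.

function Get-FirewallProfileState {
    # One row per profile: Domain, Private, Public
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

function Get-ExchangeFirewallRules {
    # Assumption: Exchange setup names its rules with "Exchange" in the display name;
    # adjust the filter if the rules on your server are named differently.
    Get-NetFirewallRule | Where-Object { $_.DisplayName -like '*Exchange*' } |
        Select-Object DisplayName, Enabled, Direction, Action, Profile
}

function Repair-FirewallProfiles {
    # Re-enable every profile that has been turned off; returns how many were fixed
    $disabled = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled })
    foreach ($p in $disabled) {
        Write-Warning "Profile '$($p.Name)' is disabled; enabling it"
        Set-NetFirewallProfile -Name $p.Name -Enabled True
    }
    return $disabled.Count
}

Get-FirewallProfileState  | Format-Table -AutoSize
Get-ExchangeFirewallRules | Format-Table -AutoSize
$fixed = Repair-FirewallProfiles
"Profiles re-enabled: $fixed"
```

A profile that keeps turning itself off after this runs usually means a Group Policy object is disabling it; fix the policy rather than the server, so the change survives the next policy refresh.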
2. Enable Multi-factor Authentication for OWA
Outlook Web Access (OWA) is a feature in Exchange that lets users read their email in a web browser, which is often more convenient for end users. By default, it requires only a username and password. Because these mailboxes are reachable from the internet, attackers can brute-force passwords or steal credentials through phishing and then log in directly. Organizations with weak password policies are especially exposed to this kind of unauthorized access.
To prevent this, admins should require multi-factor authentication (MFA) for users logging into OWA.
3. Keep Exchange Up To Date
The frequency and severity of vulnerabilities that affect Microsoft Exchange Server means that keeping it up to date is extremely important. Microsoft tends to release patches and bug fixes in a timely manner, and it’s crucial to install those updates as soon as they become available.
To be ready to install an emergency update, ensure that your Exchange Servers are running a supported Cumulative Update (CU). You can look for recent security updates in Microsoft’s Security Update Guide, or on their blog.
Twitter is another great resource for in-the-moment updates; following cybersecurity experts like @GossiTheDog, aka Kevin Beaumont, can help you stay updated on recent news and give mitigations for security flaws.
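To act on an emergency update you first need to know exactly which build is installed. The following is an added example, not code from the article: it reads the build number from ExSetup.exe (which, unlike Get-ExchangeServer's AdminDisplayVersion, also reflects the installed Security Update) and compares it with a minimum build you supply. $env:ExchangeInstallPath is set by Exchange setup; the minimum build value shown is a placeholder, and the real value comes from Microsoft's Exchange Server build number documentation.

```powershell
# Added example (not from the original article): report the installed Exchange build
# and compare it with the minimum build you consider patched. Run on the server itself.

function Get-ExchangeBuildFromDisk {
    # ExSetup.exe carries the full build number, including the installed SU;
    # Get-ExchangeServer's AdminDisplayVersion only shows the CU level.
    $exsetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
    if (-not (Test-Path $exsetup)) {
        throw "ExSetup.exe not found under '$env:ExchangeInstallPath'"
    }
    (Get-Item $exsetup).VersionInfo.ProductVersion
}

function Test-ExchangeBuild {
    param(
        # Assumption: the lowest build that contains the SU you require. Take it from
        # Microsoft's "Exchange Server build numbers and release dates" page.
        [Parameter(Mandatory)][version]$MinimumBuild
    )
    $installed = [version](Get-ExchangeBuildFromDisk)
    [pscustomobject]@{
        Server         = $env:COMPUTERNAME
        InstalledBuild = $installed
        MinimumBuild   = $MinimumBuild
        Patched        = ($installed -ge $MinimumBuild)
    }
}

# '15.2.0.0' is a placeholder, not a real minimum build
Test-ExchangeBuild -MinimumBuild '15.2.0.0' | Format-List
```

Run this on every Exchange server in the organization, not just the internet-facing ones; a lagging internal server is still reachable by anyone who has already gained a foothold.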
4. Use Microsoft’s Security Utilities
Microsoft has several security utilities that are specific to Exchange that can help to secure your environment:
- Microsoft Exchange On-Premises Mitigation Tool. Microsoft released this one-click tool in the aftermath of the Hafnium attacks. It is “the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching,” according to Microsoft. However, it’s important to note that it’s not a replacement for security updates; it’s simply an interim mitigation solution for customers that haven’t applied them yet.
- Microsoft Safety Scanner. Also known as Support Emergency Response Tool, this utility scans for and removes malware from your Windows environment. It is included in the aforementioned mitigation tool.
- Exchange Best Practices Analyzer (EBPA). This tool gauges the health of your Exchange environment by collecting data from the server, analyzing the results, and offering guidance.
- Microsoft Defender Antivirus. This standard antivirus solution is enabled by default on recent versions of Windows; it also covers Exchange.
- Microsoft Security Compliance Toolkit (SCT). Using this suite of tools, admins can download, test, analyze, edit and store recommended security configuration baselines for Exchange.
- Microsoft Security Configuration Wizard (SCW). Using SCW, admins can more easily change a server’s default security settings, as well as customize audit policies, registry values, and network settings.
- Exchange Analyzer. This PowerShell tool scans the current Exchange environment, and provides reports for configuration issues and gives security recommendations.
- Microsoft Exchange Online Protection (EOP). EOP is a cloud-based email filtering service that protects against spam, malware and other cybersecurity threats. It is now integrated into the Microsoft 365 Defender portal.
- Microsoft Exchange antispam and antimalware. These antispam and antimalware solutions are included in Exchange Server 2016 and 2019 by default.
5. Use Allowlists and Blocklists
Allowlists and blocklists check each incoming email and determine whether it comes from a trusted sender. In Exchange Server, you can enable and configure this function through safelist aggregation. You can also find the list of allowed domains in the Safe Senders tab and the list of blocked domains in the Blocked Senders tab.
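The following is an added example, not code from the original article, showing both halves of this in the Exchange Management Shell: safelist aggregation, which copies each mailbox's Safe Senders and Safe Recipients lists from Outlook into Active Directory so the transport anti-spam agents honour them, and a server-side blocked-domain list maintained through the Sender Filter agent. It assumes the anti-spam agents are installed on the server; the blocked domain is a constructed placeholder.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell
# on a server with the anti-spam agents installed.

function Update-AllSafeLists {
    # Safelist aggregation: push every mailbox's Safe Senders / Safe Recipients into AD
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        Update-SafeList -Identity $_.Identity -Type Both
    }
}

function Add-BlockedSenderDomain {
    param([Parameter(Mandatory)][string[]]$Domain)
    # Merge the new domains with the current list instead of overwriting it
    $current = (Get-SenderFilterConfig).BlockedDomainsAndSubdomains
    $merged  = @($current) + $Domain | Sort-Object -Unique
    Set-SenderFilterConfig -Enabled $true -BlockedDomainsAndSubdomains $merged
    Get-SenderFilterConfig | Select-Object Enabled, BlockedDomainsAndSubdomains
}

Update-AllSafeLists
# Constructed placeholder domain; replace with the domains you actually want blocked
Add-BlockedSenderDomain -Domain 'blocked-example.invalid'
```

Safelist aggregation only helps if it runs regularly, because users change their Safe Senders lists over time; schedule Update-AllSafeLists as a recurring task rather than running it once.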
6. Enable TLS and SSL For External Services
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are protocols that use certificates to provide an encrypted communication channel over a network; TLS is the successor to SSL. Exchange Online automatically encrypts connections between Exchange Online users with TLS 1.2.
In on-premises Exchange environments, however, you need to enable TLS yourself. Enable it for both inbound and outbound mail flow for maximum protection.
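The following is an added example, not code from the original article: a PowerShell audit that reports which SSL/TLS protocol versions the server's SCHANNEL stack has explicitly enabled or disabled, lists the send and receive connectors that do not require TLS, and, as the corrected configuration, turns off the legacy protocols. The registry path and value names are the standard SCHANNEL ones; the connector checks assume the Exchange Management Shell.

```powershell
# Added example (not from the original article): audit SCHANNEL protocol settings and
# SMTP connector TLS requirements on an on-premises Exchange server.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # A missing key or value means the OS default applies for that protocol
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = Join-Path $SchannelRoot "$proto\Server"
        $enabled = $null; $disabledByDefault = $null
        if (Test-Path $key) {
            $v = Get-ItemProperty -Path $key
            $enabled           = $v.Enabled
            $disabledByDefault = $v.DisabledByDefault
        }
        [pscustomobject]@{
            Protocol          = $proto
            Enabled           = $enabled            # 0 = off, 1 = on, $null = not configured
            DisabledByDefault = $disabledByDefault
            ExplicitlyOff     = ($enabled -eq 0)
        }
    }
}

function Disable-LegacySchannelProtocol {
    # Corrected configuration: explicitly disable SSL 2.0/3.0 and TLS 1.0/1.1 for the
    # server and client sides. A reboot is required before the change takes effect.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $SchannelRoot "$proto\$side"
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-ConnectorsWithoutTls {
    # Exchange Management Shell: RequireTLS forces STARTTLS on the SMTP session
    $recv = Get-ReceiveConnector | Select-Object @{n='Connector';e={$_.Identity}}, @{n='Type';e={'Receive'}}, RequireTLS
    $send = Get-SendConnector    | Select-Object @{n='Connector';e={$_.Identity}}, @{n='Type';e={'Send'}},    RequireTLS
    @($recv) + @($send) | Where-Object { -not $_.RequireTLS }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-ConnectorsWithoutTls  | Format-Table -AutoSize
# Disable-LegacySchannelProtocol   # uncomment once you have tested client compatibility
```

Two caveats before running Disable-LegacySchannelProtocol in production: Exchange itself only uses TLS 1.2 when the .NET Framework strong-crypto settings that Microsoft documents for Exchange are also in place, and setting RequireTLS on an internet-facing receive connector will reject mail from any sender that cannot negotiate STARTTLS, so test against your real partner domains first.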
7. Restrict Admin Access
Generally, regular users should never have remote or administrative access to your Exchange servers. You should limit access to internal users only.
Role-based access control (RBAC) is another good way to apply the principle of least privilege and ensure that employees' permissions match what they actually need to access and their role in the organization.
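The following is an added example, not code from the original article: an Exchange Management Shell script that enumerates the members of the built-in role groups with the broadest rights, flags anyone not on an approved list, and then shows how to give a help-desk team a narrowly scoped role instead of membership in a powerful group. The approved accounts, role group name, scope name and organizational unit are constructed placeholders.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.

# Built-in role groups whose members can change organization-wide settings or read
# other people's mail; membership here should be rare and reviewed regularly.
$PrivilegedRoleGroups = 'Organization Management', 'Recipient Management',
                        'Server Management', 'Hygiene Management', 'Discovery Management'

function Get-PrivilegedExchangeMembers {
    foreach ($group in $PrivilegedRoleGroups) {
        Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ RoleGroup = $group; Member = $_.Name; Type = $_.RecipientType }
        }
    }
}

function Find-UnexpectedMembers {
    param(
        # Assumption: the accounts that are allowed to hold these roles
        [Parameter(Mandatory)][string[]]$Approved
    )
    Get-PrivilegedExchangeMembers | Where-Object { $Approved -notcontains $_.Member }
}

function New-ScopedHelpdeskRoleGroup {
    # Least privilege: help desk can manage mailboxes only inside one OU, nothing else.
    # Names and OU path are placeholders.
    New-ManagementScope -Name 'Helpdesk Scope (placeholder)' `
        -RecipientRoot 'contoso.example/Helpdesk Users' `
        -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } | Out-Null
    New-RoleGroup -Name 'Helpdesk Tier 1 (placeholder)' `
        -Roles 'Mail Recipients' `
        -CustomRecipientWriteScope 'Helpdesk Scope (placeholder)' | Out-Null
}

Get-PrivilegedExchangeMembers | Format-Table -AutoSize
# Constructed approved list; anything not on it is flagged for review
Find-UnexpectedMembers -Approved 'Administrator', 'exch-breakglass' | Format-Table -AutoSize
```

The first two functions are the recurring audit; run them on a schedule and treat any unexpected member of Organization Management as an incident until explained. The third function is run once per team, and the scoped group it creates is what the help desk should be added to instead of Recipient Management.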
8. Monitor Exchange Server Activity
It’s important to be able to monitor, detect and alert on suspicious behavior in Exchange. If you use Exchange Online, you can take advantage of Azure Monitor, which will scan your entire environment and provide performance reports.
A third-party solution, however, will generally be more comprehensive and include real-time alerting capabilities. Blumira, for example, integrates with Microsoft Server 2012, 2012 R2, 2016, and 2019 to provide automated threat detection and response.
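One concrete behaviour worth alerting on is the one described earlier on this page: the IIS worker process (w3wp.exe) spawning cmd.exe or another shell, which is what a web shell running inside Exchange looks like at the process level. The following is an added example, not code from the article or from Blumira: a PowerShell rule that evaluates Sysmon process-creation events (Event ID 1) and returns the suspicious ones, run here against constructed sample events so it can be tested offline. The Get-SysmonProcessEvents helper reads the real Sysmon log on a server where Sysmon is installed.

```powershell
# Added example (not from the original article): flag shells spawned by w3wp.exe in
# Sysmon Event ID 1 data. Sample events below are constructed for an offline test.

$ShellBinaries = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe'

function Test-W3wpChildShell {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $parent = [IO.Path]::GetFileName($Event.ParentImage).ToLower()
        $child  = [IO.Path]::GetFileName($Event.Image).ToLower()
        if ($parent -eq 'w3wp.exe' -and $ShellBinaries -contains $child) {
            [pscustomobject]@{
                Time        = $Event.UtcTime
                Parent      = $Event.ParentImage
                Child       = $Event.Image
                CommandLine = $Event.CommandLine
                # The app pool name tells you which Exchange endpoint was abused
                AppPool     = ($Event.ParentCommandLine -replace '.*-ap "([^"]+)".*', '$1')
            }
        }
    }
}

function Get-SysmonProcessEvents {
    # Live query: read Sysmon Event ID 1 and flatten EventData into properties
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]$d
        }
}

# Constructed sample events: one true positive, one benign ASP.NET compile, one unrelated cmd
$Sample = @(
    [pscustomobject]@{
        UtcTime = '2022-10-01 10:00:00'
        ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
        ParentCommandLine = 'c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"'
        Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c echo probe'
    },
    [pscustomobject]@{
        UtcTime = '2022-10-01 10:00:05'
        ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
        ParentCommandLine = 'c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"'
        Image = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'; CommandLine = 'csc.exe /noconfig'
    },
    [pscustomobject]@{
        UtcTime = '2022-10-01 10:01:00'
        ParentImage = 'C:\Windows\explorer.exe'; ParentCommandLine = 'explorer.exe'
        Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe'
    }
)

$Sample | Test-W3wpChildShell | Format-Table -AutoSize   # only the first event is returned

# On a real server: Get-SysmonProcessEvents | Test-W3wpChildShell
```

The rule is deliberately narrow: csc.exe and other compiler children of w3wp.exe are normal ASP.NET behaviour and are left alone, so a hit from this rule is worth an immediate look at the web server's recently written .aspx files and at the IIS logs for the app pool it names.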
How Blumira Helps To Secure Exchange Servers
Using Blumira, you can detect a range of Microsoft Exchange attacker activity, including web shell activity, Address Resolution Protocol (ARP) poisoning, and other behavior associated with cyberattacks.
Plus, our incident detection engineering (IDE) team is constantly working to identify new threats and create new detection rules that are automatically deployed into Blumira’s product every 2 weeks.
Blumira is dedicated to helping small teams achieve easy-to-use, effective security that meets compliance and protects them against breaches and ransomware. We do things differently by providing more value for better security outcomes, including:
- Automate Tasks For You – We do all the heavy lifting for your team to save them time, including parsing, creating native third-party integrations, and testing and tuning detection rules to reduce noisy alerts.
- Faster Time to Security – Our unique approach to detections notifies you of threats other security tools may miss, sending you real-time alerts in under a minute of initial detection to help you respond to threats faster than ever.
- Easily Meet Compliance – With a year of data retention and deployment that takes minutes to hours, we help you meet cyber insurance and compliance easily and quickly with the team you have today.
Blumira’s free edition integrates directly with your Microsoft 365 tenant to detect suspicious activity in your environment — at no cost. Get your free account and see the value of Blumira today.