Embarking on a journey through the intricacies of Exchange security, we’ve delved into safeguarding your digital realm, offered a comprehensive guide to mastering SPF, DKIM, & DMARC records, and explored the dynamics of updates and client connectivity in our previous Exchange Security Unveiled blogs. Now, in this installment, we shift our focus to how to effectively monitor and manage your entire email environment.
Within the expansive realm of Exchange Online and on-premises security monitoring, numerous components demand attention. These include user connections, user activities, administrative actions, and safeguarding user data. While Exchange 365 provides a wealth of alerting options, on-premises management often involves scheduling scripts to mirror the functionality found in 365. Even with on-prem alerting in place, caution is advised: patches can behave unpredictably if they have not been tested beforehand, and scripted monitoring should be checked after each one.
Users engage with Exchange through various channels, including Outlook, ActiveSync, OWA, IMAP, POP3, SMTP, EWS, ECP, and PowerShell. To navigate the challenges of managing these connection methods, we advocate the use of groups and PowerShell scripts. For example, if a user is a member of an “Allow OWA” group, the script will grant permissions for OWA access.
By strategically employing groups for connection permissions and utilizing scripts for automated permission assignments based on group memberships, the process becomes easily manageable and adaptable to environments of all sizes and types.
In orchestrating user connections to Exchange, Microsoft has incorporated PowerShell as a tool for users to enact specific changes. However, in my experience, I’ve yet to encounter a single user opting for PowerShell to manage their mailbox, prompting the decision to restrict PowerShell access to all users except those privileged administrators who genuinely need it.
However, a note of caution when it comes to administrators: tread carefully, because the Exchange Management Shell won’t function for an administrator whose user account does not have the Remote PowerShell feature enabled. Should administrators find themselves locked out of PowerShell, a contingency method exists to restore access.
By executing the command
Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.SnapIn
in Windows PowerShell, a connection to Exchange is reestablished, which allows the Set-User command to be run to re-enable Remote PowerShell for the locked-out account.
It’s crucial to acknowledge that while this workaround resolves the immediate problem, it falls into the realm of “technically unsupported” methods for connecting to Exchange. As a best practice for ongoing script development and execution, we recommend using the officially supported connection methods instead, to ensure the long-term stability and supportability of your Exchange environment.
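The group-driven permission script described above, as an added example that is not part of the original post or Mirazon’s own tooling: each “Allow <protocol>” group maps to a Set-CASMailbox parameter, and Remote PowerShell is kept on only for members of an admin group. The group names, the admin group name and the run context (Exchange Management Shell with the ActiveDirectory module available) are assumptions.

```powershell
# Added example (not from the original post). Run from the Exchange Management Shell.
Import-Module ActiveDirectory

# Map each "Allow <protocol>" group (assumed names) to the Set-CASMailbox parameter it controls.
$ProtocolGroups = @{
    'Allow OWA'        = 'OWAEnabled'
    'Allow ActiveSync' = 'ActiveSyncEnabled'
    'Allow ECP'        = 'ECPEnabled'
    'Allow EWS'        = 'EwsEnabled'
    'Allow MAPI'       = 'MAPIEnabled'
    'Allow IMAP'       = 'ImapEnabled'
    'Allow POP'        = 'PopEnabled'
}
$AdminGroup = 'Exchange Shell Admins'   # assumed name; only these keep Remote PowerShell

# Resolve every group once instead of one AD lookup per user. -ErrorAction Stop makes a
# mistyped or deleted group abort the run rather than silently disabling everyone.
$Members = @{}
foreach ($g in @($ProtocolGroups.Keys) + $AdminGroup) {
    $Members[$g] = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                     Select-Object -ExpandProperty SamAccountName)
}

foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $sam = $mbx.SamAccountName
    $cas = Get-CASMailbox -Identity $mbx.Identity

    # Desired state: a protocol is on only when the user is in its Allow group.
    # Only parameters that differ are sent, so the admin audit log stays readable.
    $changes = @{}
    foreach ($g in $ProtocolGroups.Keys) {
        $param = $ProtocolGroups[$g]
        $want  = [bool]($Members[$g] -contains $sam)
        if ($cas.$param -ne $want) { $changes[$param] = $want }
    }
    if ($changes.Count -gt 0) {
        Set-CASMailbox -Identity $mbx.Identity @changes
        Write-Output "$sam : $($changes.Keys -join ', ') updated"
    }

    # Remote PowerShell stays on for the admin group only; everyone else is disabled.
    $wantPS = [bool]($Members[$AdminGroup] -contains $sam)
    $user   = Get-User -Identity $mbx.Identity
    if ($user.RemotePowerShellEnabled -ne $wantPS) {
        Set-User -Identity $mbx.Identity -RemotePowerShellEnabled $wantPS
        Write-Output "$sam : RemotePowerShellEnabled=$wantPS"
    }
}
```

Schedule it to run after your directory sync so a group change takes effect without an admin touching the mailbox; the account running the task must itself be in the admin group or it will lock itself out.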
To ensure users are aware of external messages, techniques include modifying subject lines, prefixing the body with attention-grabbing messages, or implementing a combination of both.
Leverage Exchange and 365 transport rules to block executable content, redirecting potentially harmful files to a quarantine mailbox while alerting administrators.
Blocking external emails posing as internal communications is a vital defense against phishing. By quarantining messages with internal names from external sources—like “John Smith” at JohnSmith@company.com—we prevent deceptive attempts. Admins must consider name commonality and notification thresholds for an effective balance. This proactive strategy empowers administrators to swiftly verify flagged messages, fortifying defenses against potential threats.
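The three transport rules discussed above (external tagging, executable quarantine, and internal-name spoofing), as an added example that is not part of the original post. The quarantine mailbox, the admin report address, and the OU used to collect protected display names are assumptions; the rules use standard New-TransportRule parameters available in Exchange 2013+ and Exchange Online.

```powershell
# Added example (not from the original post). Addresses and the OU are assumptions.
$Quarantine = 'quarantine@example.com'
$Admin      = 'exchange-admins@example.com'

# 1. Tag mail that originates outside the organization, in both subject and body.
New-TransportRule -Name 'External sender warning' `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -PrependSubject '[External] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="color:#a00"><b>CAUTION:</b> This message came from outside the organization. Do not open attachments or click links unless you recognize the sender.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# 2. Redirect anything carrying executable content to the quarantine mailbox and
#    send the admins an incident report so the message can be verified and released.
New-TransportRule -Name 'Quarantine executable attachments' `
    -AttachmentHasExecutableContent $true `
    -RedirectMessageTo $Quarantine `
    -GenerateIncidentReport $Admin `
    -IncidentReportContent Sender, Recipients, Subject `
    -Priority 0

# 3. External mail whose From header matches an internal display name is held for
#    review. Limit the list to names worth protecting (executives, finance) so common
#    names do not flood the quarantine; names are regex-escaped because the rule
#    parameter takes patterns, not literals.
$ProtectedNames = Get-Mailbox -OrganizationalUnit 'OU=Executives,DC=example,DC=com' |
    ForEach-Object { [regex]::Escape($_.DisplayName) }
New-TransportRule -Name 'Quarantine display-name spoofing' `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader 'From' -HeaderMatchesPatterns $ProtectedNames `
    -RedirectMessageTo $Quarantine `
    -GenerateIncidentReport $Admin -IncidentReportContent Sender, Recipients, Subject
```

Give the executable rule priority 0 so it evaluates before the disclaimer rule; otherwise a quarantined message still gets the external tag, which is harmless but makes the incident report harder to read.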
Beyond tracking admin changes, the audit logs also reveal user-initiated modifications, and scripts can be scheduled to raise real-time alerts on those user actions.
Inbox rules demand scrutiny, especially when a user account has been compromised. Malicious actors often exploit a compromised account by sending deceptive emails to business partners requesting payment changes. Their initial move is to create inbox rules that conceal the replies. They may redirect messages to obscure locations, with the RSS Subscriptions folder being a common choice, since it stays inconspicuous and unread. The bad actor then reads the replies and deletes them afterward, without the user ever knowing.
Forwarding serves as another avenue for bad actors to keep receiving information even after intervention. Active monitoring of forwarding is crucial and also deters intentional information leaks, whether to external or personal email accounts.
Disgruntled employees may leverage automatic replies to convey negative sentiments about the organization. A prudent response is to disable accounts promptly upon termination, mitigating potential reputational risks and maintaining organizational integrity.
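A scheduled check covering the three user-side changes just described (hiding or leaking inbox rules, mailbox forwarding, and automatic replies), as an added example that is not part of the original post. The sender, recipient and SMTP server are assumptions; it runs from the Exchange Management Shell or a connected Exchange Online session.

```powershell
# Added example (not from the original post). Addresses and SMTP server are assumptions.
$Admin = 'exchange-admins@example.com'
$Smtp  = 'smtp.example.com'
$Findings = New-Object System.Collections.Generic.List[string]

foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $id = $mbx.PrimarySmtpAddress.ToString()

    # Inbox rules that hide or leak mail: deletes, moves out of the Inbox (the RSS
    # Subscriptions trick), mark-as-read, or forward/redirect out of the mailbox.
    foreach ($rule in Get-InboxRule -Mailbox $id) {
        $why = @()
        if ($rule.DeleteMessage) { $why += 'deletes' }
        if ($rule.MoveToFolder)  { $why += "moves to '$($rule.MoveToFolder)'" }
        if ($rule.MarkAsRead)    { $why += 'marks read' }
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) { $why += 'forwards/redirects' }
        if ($why.Count -gt 0) { $Findings.Add("$id : inbox rule '$($rule.Name)' $($why -join ', ')") }
    }

    # Mailbox-level forwarding, whether set by the user, an admin, or an attacker.
    if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
        $target = "$($mbx.ForwardingAddress)$($mbx.ForwardingSmtpAddress)"
        $Findings.Add("$id : forwarding to $target (copy kept: $($mbx.DeliverToMailboxAndForward))")
    }

    # Automatic replies, which a departing employee can turn into a public statement.
    $oof = Get-MailboxAutoReplyConfiguration -Identity $id
    if ($oof.AutoReplyState -ne 'Disabled') {
        $text = ($oof.ExternalMessage -replace '<[^>]+>', '').Trim()   # strip HTML for the report
        $Findings.Add("$id : auto-reply $($oof.AutoReplyState): $text")
    }
}

if ($Findings.Count -gt 0) {
    Send-MailMessage -From 'exchange-monitor@example.com' -To $Admin -SmtpServer $Smtp `
        -Subject "Exchange user-activity report: $($Findings.Count) finding(s)" `
        -Body ($Findings -join "`n")
}
```

Keep the previous run’s output and diff against it if you only want to be told about new rules; the full list is still useful during an incident, when you need to know every rule a compromised account has ever created.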
While often underutilized, the quarantine feature for new ActiveSync devices in Exchange proves highly effective. Admins gain control by requiring approval for all new devices, ensuring a secure and manageable connection environment. Configuring this feature is straightforward, offering an additional layer of protection against unauthorized device access.
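Configuring the ActiveSync device quarantine and working the resulting queue, as an added example that is not part of the original post. The admin address, the user and the device ID are assumptions.

```powershell
# Added example (not from the original post). Addresses and the device ID are assumptions.

# New device partnerships are held until an admin acts; the admins get an email per device
# and the user sees the insert text on the device instead of an unexplained sync failure.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'exchange-admins@example.com' `
    -UserMailInsert 'Your device is waiting for IT approval before it can sync.'

# Review what is waiting, with enough detail to decide on each device.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId, FirstSyncTime |
    Format-Table -AutoSize

# Release one device for one user by adding its ID to that user's allow list; other
# devices the user pairs later are still quarantined by the organization default.
$User     = 'jsmith@example.com'
$DeviceId = 'ABCDEF0123456789'   # constructed placeholder; take the real value from the list above
Set-CASMailbox -Identity $User -ActiveSyncAllowedDeviceIDs @{Add = $DeviceId}

# To refuse a device instead, add it to the user's block list:
# Set-CASMailbox -Identity $User -ActiveSyncBlockedDeviceIDs @{Add = $DeviceId}
```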
Admin audit logs go beyond user audits: they capture mailbox creation, permission changes, and more. We recommend having these emailed on a weekly basis for change control and timely alerts.
Stay informed about permission alterations, which are crucial for tracking when a user gains access to another’s mailbox. This proactive monitoring enhances security awareness.
Maintain awareness of who holds the authority to send emails on behalf of the CEO. Timely detection of such changes ensures transparency and security.
Transport rules, while vital, can be manipulated for malicious purposes. It’s not only essential to detect rule modifications, but also to identify when new rules are created. This vigilance safeguards against potential security threats.
For both Active Directory and Exchange, proactive alerts are imperative. Any addition of a user to critical groups like Organization Management or Domain Admins necessitates immediate notification. This ensures swift action in response to significant changes, fortifying overall security protocols.
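The weekly admin-audit digest and the critical-group membership alert covered in the five points above, as an added example that is not part of the original post. The addresses, the report folder, the watched cmdlet list and the group names are assumptions; schedule it weekly on an Exchange server.

```powershell
# Added example (not from the original post). Addresses, paths and group names are assumptions.
Import-Module ActiveDirectory
$Admin = 'exchange-admins@example.com'; $Smtp = 'smtp.example.com'
$Dir = 'C:\ExchangeMonitor'; New-Item -ItemType Directory -Path $Dir -Force | Out-Null
$Report = Join-Path $Dir ('AdminAudit_{0:yyyyMMdd}.csv' -f (Get-Date))

# Cmdlets whose use signals the changes this post asks you to watch.
$Watched = 'New-Mailbox',
           'Add-MailboxPermission', 'Remove-MailboxPermission',   # full access to another mailbox
           'Add-ADPermission', 'Remove-ADPermission',             # Send-As on-prem
           'New-TransportRule', 'Set-TransportRule', 'Remove-TransportRule',
           'Add-RoleGroupMember', 'Remove-RoleGroupMember', 'New-ManagementRoleAssignment'

$Entries = @(Search-AdminAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
                -Cmdlets $Watched -ResultSize 250000 |
    Select-Object RunDate, Caller, CmdletName, ObjectModified,
        @{n = 'Parameters'; e = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' }})
$Entries | Export-Csv -Path $Report -NoTypeInformation

# Critical groups: compare today's membership with the last run and flag additions.
$Groups = 'Organization Management', 'Domain Admins', 'Enterprise Admins'
$Alerts = @(foreach ($g in $Groups) {
    $baseline = Join-Path $Dir (($g -replace ' ', '_') + '.txt')
    $now = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
             Select-Object -ExpandProperty SamAccountName | Sort-Object)
    if (Test-Path $baseline) {
        $old = @(Get-Content $baseline)
        $now | Where-Object { $old -notcontains $_ } | ForEach-Object { "ADDED to ${g}: $_" }
    }
    $now | Set-Content $baseline      # first run only records the baseline
})

$Body = if ($Alerts.Count -gt 0) { ($Alerts -join "`n") + "`n`n" } else { '' }
$Body += "$($Entries.Count) audited admin actions this week; details in the attached CSV."
Send-MailMessage -From 'exchange-monitor@example.com' -To $Admin -SmtpServer $Smtp `
    -Subject "Exchange admin audit digest ($($Alerts.Count) group alert(s))" `
    -Body $Body -Attachments $Report
```

The group check is the part worth running more often than weekly; the same block with the audit section removed can run hourly, since a Domain Admins addition should not wait for the Friday digest.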
Unlocking the full spectrum of Exchange documentation is best achieved through PowerShell. Execute a script to export all settings into XML and CSV files. These scripts serve dual purposes, aiding in change control and troubleshooting. They provide a snapshot of the Exchange configuration, enabling easy comparisons between past and present states.
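A configuration snapshot script of the kind described above, as an added example that is not part of the original post: it exports settings to XML and CSV under a dated folder and diffs the two newest transport-rule snapshots. The output folder and the chosen set of objects are assumptions.

```powershell
# Added example (not from the original post). The output folder is an assumption.
$Root  = 'C:\ExchangeMonitor\Config'
$Stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$Dir   = (New-Item -ItemType Directory -Path (Join-Path $Root $Stamp) -Force).FullName

# Full-fidelity XML for objects you may need to inspect in depth or rebuild from...
Get-TransportRule                  | Export-Clixml (Join-Path $Dir 'TransportRules.xml')
Get-ReceiveConnector               | Export-Clixml (Join-Path $Dir 'ReceiveConnectors.xml')
Get-SendConnector                  | Export-Clixml (Join-Path $Dir 'SendConnectors.xml')
Get-ActiveSyncOrganizationSettings | Export-Clixml (Join-Path $Dir 'ActiveSyncOrg.xml')

# ...and flat CSV for the things you compare in a spreadsheet or hand to change control.
Get-CASMailbox -ResultSize Unlimited |
    Select-Object Name, OWAEnabled, ActiveSyncEnabled, EwsEnabled, MAPIEnabled, ImapEnabled, PopEnabled, ECPEnabled |
    Export-Csv (Join-Path $Dir 'ProtocolAccess.csv') -NoTypeInformation
Get-RoleGroup | Select-Object Name, @{n = 'Members'; e = { $_.Members -join ';' }} |
    Export-Csv (Join-Path $Dir 'RoleGroups.csv') -NoTypeInformation

# Compare the two most recent snapshots of transport rules. Description carries the
# rule's full condition/action text, so any edit to a rule shows up as a change.
$Snaps = @(Get-ChildItem $Root -Directory | Sort-Object Name -Descending | Select-Object -First 2)
if ($Snaps.Count -eq 2) {
    $new = Import-Clixml (Join-Path $Snaps[0].FullName 'TransportRules.xml')
    $old = Import-Clixml (Join-Path $Snaps[1].FullName 'TransportRules.xml')
    Compare-Object $old $new -Property Name, State, Priority, Description -PassThru |
        Select-Object SideIndicator, Name, State, Priority     # '=>' is the current state
}
```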
IIS logs can become massive and even jeopardize Exchange disk space, which is why strategic management is crucial. These logs, showcasing user logins, prove invaluable for investigations into login times and methods. A well-crafted script efficiently breaks down user login data, occupying minimal disk space. This not only bolsters security measures but also simplifies responses to inquiries about OWA usage.
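A script that condenses the front-end IIS logs into per-user, per-protocol login summaries, as an added example that is not part of the original post. The log folder and output path are assumptions, and the sample log lines are constructed to show the W3C layout Exchange writes.

```powershell
# Added example (not from the original post). Paths are assumptions; sample lines are constructed.
function Get-ExchangeLoginSummary {
    param([string[]]$Lines)
    $fields = $null
    $hits = foreach ($line in $Lines) {
        # The #Fields: header defines the column order for the lines that follow it.
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $v = $line -split ' '
        $row = @{}; for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        if (-not $row['cs-username'] -or $row['cs-username'] -eq '-') { continue }   # unauthenticated
        $proto = switch -Regex ($row['cs-uri-stem']) {
            '^/owa'                          { 'OWA' }
            '^/Microsoft-Server-ActiveSync'  { 'ActiveSync' }
            '^/ews'                          { 'EWS' }
            '^/mapi'                         { 'MAPI' }
            '^/ecp'                          { 'ECP' }
            '^/PowerShell'                   { 'PowerShell' }
            default                          { 'Other' }
        }
        [pscustomobject]@{ Date = $row['date']; User = $row['cs-username']; Protocol = $proto
                           ClientIP = $row['c-ip']; Time = $row['time'] }
    }
    # One row per user/protocol/client/day keeps weeks of logs to a few kilobytes.
    $hits | Group-Object Date, User, Protocol, ClientIP | ForEach-Object {
        $t = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{ Date = $_.Group[0].Date; User = $_.Group[0].User; Protocol = $_.Group[0].Protocol
                           ClientIP = $_.Group[0].ClientIP; FirstHit = $t[0]; LastHit = $t[-1]; Requests = $_.Count }
    }
}

# Constructed sample (not real log data): two OWA hits, one ActiveSync hit, one failed anonymous request.
$Sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-15 08:02:11 10.0.0.5 POST /owa/auth.owa - 443 CONTOSO\jsmith 203.0.113.7 Mozilla/5.0 302
2024-01-15 08:02:15 10.0.0.5 GET /owa/ - 443 CONTOSO\jsmith 203.0.113.7 Mozilla/5.0 200
2024-01-15 08:10:40 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jsmith 443 CONTOSO\jsmith 198.51.100.9 Apple-iPhone 200
2024-01-15 08:11:02 10.0.0.5 GET /owa/ - 443 - 203.0.113.44 curl/8.0 401
'@ -split "`r?`n"
Get-ExchangeLoginSummary -Lines $Sample | Format-Table -AutoSize   # 2 rows: OWA (2 requests), ActiveSync (1)

# Production use: summarize the real log files and keep only the summary on disk.
Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC1' -Filter 'u_ex*.log' |
    ForEach-Object { Get-ExchangeLoginSummary -Lines (Get-Content $_.FullName) } |
    Export-Csv ('C:\ExchangeMonitor\Logins_{0:yyyyMMdd}.csv' -f (Get-Date)) -NoTypeInformation
```

The summary answers the question the post mentions (“who used OWA, when, and from where”) without retaining every request line, which is what keeps the disk usage small.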
Prioritizing Outlook patching is paramount—often the key to resolving approximately 90% of Outlook troubleshooting requests. The challenge lies in the default reluctance of Windows Update to patch Office. We recommend confirming proper Office update configurations within your environment for seamless Outlook performance.
Stay ahead in fortifying servers by timely installing updates. While most security updates are included, Cumulative Updates demand manual intervention. By proactively addressing these updates, you ensure the robustness and security of your Exchange environment.
There are other areas this blog does not cover in detail. The checklist below lists those additional items, so you can see where you stand and which of them can be alerted on.
Platform | Control | Recommendation
--- | --- | ---
Exchange | OWA access enabled | Can be enabled/disabled per user or group with scripts; most MFA products can protect OWA
Exchange | ActiveSync access enabled | Can be enabled/disabled per user or group with scripts; DualShield can do on-prem MFA
Exchange | ECP access enabled | Can be enabled/disabled per user or group with scripts
Exchange | EWS access enabled | Can be enabled/disabled per user or group with scripts
Exchange | MAPI access enabled | Can be enabled/disabled per user or group with scripts; DualShield can do on-prem MFA
Exchange | IMAP access enabled | Can be enabled/disabled per user or group with scripts
Exchange | POP access enabled | Can be enabled/disabled per user or group with scripts
Exchange | Remote PowerShell defaults to enabled for all users | Disable users’ ability to use Remote PowerShell
Exchange | External disclaimer in subject and/or body | Prepend [External] to the subject or text to the body of the message
Exchange | Exchange Admin Audit logs | Email Exchange audit logs, recommended weekly
Exchange | Inbox rule creation notifications | Report and send email alerts on change
Exchange | Changes to forwarding monitored | Report and send email alerts on change
Exchange | Mailbox permission changes | Report and send email alerts on change
Exchange | Send-as permission changes | Report and send email alerts on change
Exchange | Transport rule modifications | Report and send email alerts on change
Exchange | Management role changes | Report and send email alerts on change
Exchange | Automatic replies enabled | Report and send email alerts on change
Exchange | Mobile devices: quarantine new | Email admin to block or release from quarantine
Exchange | Document protocol permissions | Identify who has access to OWA, IMAP, etc.
Exchange | Export IIS logs | Process logs to identify which user connects and how
Exchange | Block executables | Protects internal messages from executables
Exchange | Block internal names at spam filter | Stops name spoofing
Exchange | Outlook patching | Keep Outlook current on security updates
Exchange | Servers patched when needed | Patch monthly, more often when needed
M365 | Modern authentication | Should be enabled
M365 | Multi-factor authentication | Every user except one admin account should use MFA
M365 | Idle session timeout, password policy | Controls idle timeouts
M365 | Show company policy; can use a conditional access policy | Can require the acceptable use policy to be agreed to
M365 | Self-service password reset | Reset passwords without admin involvement
M365 | Sharing: add guests (much of this is in SharePoint) | Configure external sharing
M365 | Populate help desk information | Makes it easier for users to know how to get support
M365 Entra | Save audit logs | Send email at least weekly
M365 Entra | Sign-in logs | Save logs to storage
M365 | Messages have been delayed | Create alerts
M365 | Elevation of Exchange admin privilege | Create alerts
M365 | A potentially malicious URL click was detected (E5/P2) | Create alerts
M365 | Creation of forwarding/redirect rule | Create alerts
M365 | eDiscovery started | Create alerts
M365 | Email sending limit exceeded | Create alerts
M365 | User restricted from sending email | Create alerts
Our journey covered safeguarding, mastering records, and exploring updates. Now, focusing on email management, key aspects include meticulous security attention, streamlined user connections through groups and scripts, and proactive protection measures. Vigilance over user activities and admin oversight add layers of security. Valuable documentation, powered by PowerShell, enhances security, with strategic log management and Outlook patching as essential components. In conclusion, our focus on vigilance, adaptability, and proactive defense underscores securing the organizational communication hub.
If you’d like to learn more about Exchange security and how to better protect your IT infrastructure, please contact us by calling (502) 240-0404 or emailing info@mirazon.com.