3 Basic Steps to Exchange Server Security

If communication is the lifeblood of an organization, it could be fair to assume that Exchange functions is its heart. An Exchange server, especially one that hosts the mailbox server role, stores messages – both external and internal. An attacker that gains administrative access to Exchange deployment can also gain access to all stored communication and to every user’s mailbox. Having access to email messages stored on an Exchange mailbox server, the attacker would be able to learn almost everything about the organization, from its most important secrets through to mundane trivia.

Messages stored in individual mailboxes often include attachments; many organizations use Exchange public folders to store important documents. When considering Exchange security, remember that attacks won’t just come from people outside the organization: internal threats, even from Exchange administrators, are to be kept in mind. Securing Exchange involves more than hardening it against an outside attack. It means making sure that the number of trusted insiders is limited so they only have access to the information and components required to perform their jobs, and tracked so that each of their actions can be reconstructed, should an investigation be necessary.

There are several steps an organization can take to make Exchange more secure. These three seem to be a must.

1. Limit the number of people who have access to accounts with administrative privileges and ensure that those accounts are protected with strong authentication technologies, such as smart cards or a two-factor authentication.

2. Configure a built-in Role Based Access Control (RBAC) functionality. RBAC allows organizations to limit the actions an administrator can perform and the scope across which those actions can be performed. For example, rather than giving the permission to perform a mailbox search to all Exchange administrators, it is possible to grant this permission only to some trusted members from the organization’s HR department: they are the people who would ultimately be required to check the contents of mailboxes when performing investigations into employee’s actions. RBAC allows any ability to be limited to a specific scope. This means that when granting someone from the HR the ability to scan mailboxes, this ability will be limited to a specific set of mailboxes, rather than all mailboxes in the organization.

3. The third step is to configure extensive auditing. Having a record of each action taken by an Exchange administrator allows an organization to reconstruct what has happened when a breach occurs or something goes wrong. Additionally, when privileged users know that their actions are being saved to a tamper proof log, they are less likely to perform actions that they might later have to explain to a superior.


Orin is an MVP, an MCT and has a string of Microsoft MCSE and MCITP certifications. He has written more than 30 books for Microsoft Press on topics including Windows Server, Windows Client, System Center, Exchange Server, Security, and SQL Server. He is an author at PluralSight and is a contributing editor at Windows IT Pro magazine. He has been working in IT since the early 1990's and regularly speaks at conferences in Australia and around the world. Orin founded and runs the Melbourne System Center, Security, and Infrastructure Group.