If you are new to Exchange, let me bring you up to speed with how attacks have increased since 2020 and Exchange servers that are published to the internet are vulnerable if not locked down.
Back in the day, Admins would not patch anything because “it worked” and why fix something that isn’t broken? Well that has all changed and with each new day, the bad actors find something new to exploit.
We have had a number of zeroday exploits and RCE’s discovered and actively exploited in the wild with thousands of exchange servers being exploited.
How do you ensure that your Exchange environment is secure on the internet? This is a broad question but also just a piece of the pie as your entire environment needs to be evaluated.
- Exchange Admin Center lockdown
- User passwords
- No Anti-Virus
- Running other software on Exchange servers
What ports are open?
Let us look in general at exposure to the internet, are you actively publishing the following on your firewalls without realizing how bad it is and you are giving all the bad actors a playground when it comes to your environment, here are some ports that should not be open:
- Port 3389 (remote desktop)
- Port 21 (ftp)
- Port 22 (ssh)
- Port 23 (Telnet)
- Port 445 (smb)
While the list is longer, the above are the most common and also the most common for being exploited. RDP should not be allowed on the internet, in my lab, I had my colleague create an account with a “strong” password and exposed it to the internet. I was able to exploit RDP and brute force it along with getting the credentials of the “strong” account and then was able to get onto the server and get the hashes.
You may be asking, what does the above have to do with Exchange? Its simple, if a bad actor can get onto your server via RDP or any other exposed port, they will eventually be able to get elevated credentials and do damage to your Exchange environment including Active Directory and make any changes they want to.
Let’s take this a step further, closing ports is just one exercise, the next set of things need to be completed is patching.
I cannot stress how important patching is. This includes patches for the underlying operating system but also your applications like Exchange.
With each new month or patch Tuesday as it used to be called, Microsoft release patches that address bugs or vulnerabilities in that month but also include security updates. Exchange has had a number of security updates with each security or cumulative update.
Many organizations don’t just patch as they don’t want to break production environments but you need to make sure that servers that do have internet access are patched as they can be exploited much quicker than patched ones.
Exchange Admin Center Lockdown:
The next thing we need to look at is locking down the Exchange Admin Center (EAC) that is exposed to the internet. If you do have IT helpdesk staff that need access to the Exchange Admin Center, make sure they access it via a VPN connection and then ensure that the URL with /ECP is not allowed on the internet.
User passwords are the weakest link in any security solution. No matter how strong your security is, a user that has a password of “password” or a date etc. will get hacked in a matter of minutes. The companies Security posture should ensure strong passwords with numbers, letters, special characters and a certain key length. If a bad actor can get access to an account, they can then eventually gain access and elevate privileges in your environment.
Remember, high end individuals such as PA’s (Personal Assistants), Execs, CEO, CFO’s are targeted more because they work with sensitive information which is very valuable to bad actors.
Anti-Virus is a big topic that is debated by many. Some say that they don’t need it because it is the vendor that is causing issues to fix them, others say it just creates hassles for end users so they don’t run it or disable it.
Having no kind of protection when surfing the internet is inviting people to access your machine. Having some form of AV is better than having none.
This also includes Exchange servers, some products block emails coming in an quarantine them such as ESET and Symantec that monitor the Transport Service and all traffic.
There are many flavors of AV solutions out there, personally I have witnessed some of them block attempts by bad actors. Some of the solutions provide IDS/IPS as part of it (more enterprise) and these have a good approach to blocking malicious traffic.
Running other software on Exchange servers:
I have come across many admins running multiple sets of software on Exchange servers such as WINRAR, FTP Clients, Apache, OpenSSL to name a few. Each of these have there own known vulnerabilities and exploits and you may just expose your server with this software and become a victim of an attack which will allow them to gain access to your server.
This is high level article but as an IT admin, you will need to evaluate all aspects and start with closing down ports that do not need to be exposed, look at the additional software that should not be installed on an exchange server and consider the other parts.
Hope it helps.