Partager via


Run your own Exchange Server Health Check.... Part 3

Security

There are of lot of different parts to this topic.  A lot of this will be covered in the Operations Section and should include the following:

  • Mailbox Rights - do system administrators have access to mailboxes by default? Which accounts have access to which mailboxes? (There should be some scripts out there on the Internet to dump a list of mailbox rights for every mailbox.)
  • Do you use Windows Group Policies to enforce security?  For example are policies in place for; the security group membership on the Exchange servers, the state of Microsoft Windows and Exchange Server services, Local security policies.
  • How is external access to the Exchange Servers secured?  Do you use ISA or an equivalent to ensure the traffic is encrypted all the way from the client to the front or back end Exchange server?

There might also be potential security risks identified by ExBPA. The following are a few of many rules related to security:

  • A Secure Sockets Layer Certificate Will be Expiring Soon
  • Everyone security group is not denied the right to create top-level public folders
  • SMTP server accepts basic authentication
  • Anonymous access is allowed on internal SMTP virtual servers and dedicated SMTP virtual servers for IMAP and POP clients

I would also run MBSA for this section of the health check.  Install MBSA on your workstation and run it against each Exchange Server in turn.  Each time you run the tool against a computer a new scan report is created for you to review at a later data. The reports will be located in a 'SecurityScans' directory on your workstation. You should see a report similar to the following for each server: (This is just the top part from a sample MBSA report and shows one of the most obvious reasons for running MBSA - that is to determine the security update status for the server.)

mbsa

When you click on the 'Result Details' the tool will display which updates you are missing.

mbsa2

It is also important that review all the information that MBSA is reporting on.  For example in 'Administrative Vulnerabilities' the tool determines if there are any local user accounts on the computer with non-expiring passwords or that have blank or simple passwords.

mbsa3

Ideally in the Operations section of the health check you will have identified whether you have a good solid procedure in place to report on the security update status of your Exchange Servers and install updates as appropriate.  If you don't then use MBSA manually until you do.  For the purposes of this health check run MBSA against each server, list all missing updates, and other security vulnerabilities that MBSA highlights.

 

 

..'Run your own Exchange Server Health Check.... Part 4 - Server Performance' to follow soon...

Comments

  • Anonymous
    June 13, 2007
    PingBack from http://joshmaher.wordpress.com/2007/06/13/exchange-2007-health-checks/

  • Anonymous
    February 11, 2009
    Exchange auditing is a good security practice as well. From my personal experience I can recommend a tool called change auditor for exchange.   The tool can report and alert on all critical changes to exchange  environment like, for example, mailbox policies, administrative groups, distribution list changes, track user and administrator activity for user account and delivery restriction changes. http://www.changeauditorforexchange.com