Hardening Your Email Exchange Environment – Strengthen Email Security

It should come as no surprise that cybercriminals use email as one of the primary ways to launch attacks against your company. This article explores some of the many options organizations should consider when working to strengthen email security.

First, when reviewing email security, it is essential to leverage newer technologies that help prevent harmful messages from being delivered to users within your organization. While prevention is important, I also ask companies to consider the possibility of reducing risk by reducing user access.

  1. Do all employees need the ability to send and receive email to the open internet?
  2. From where can your mailboxes be accessed?
  3. Which access methods are available to your users?

Each of these questions centers around carefully considering if, when, and where your users need to access mailboxes.

Open internet email access

When asked if all employees need to send and receive email to the open internet, many people will instantly say yes. However, after further considering the issue, they are often able to find specific roles that don’t need this access.

Some roles don’t require communication with external parties to perform their jobs, and providing this access unnecessarily exposes the organization. Of course, the answer to this question varies, and some companies need all employees to be able to send and receive email to anyone.

Banks and credit unions are good examples of organizations where all employees may not need full external access. They may have some user types like tellers who don’t need to interact with external parties via email. I’ve worked with many companies to create rules that prohibit certain users from sending and receiving emails outside of their organization, a measure that is quite effective at limiting employee exposure to threats, scams, and malicious email.

There may also be use cases where employees need to send and receive email only with specific external addresses or domains, a setting that is possible in most email filtering solutions. This approach lets them communicate with a few trusted parties, such as a health benefits or payroll provider, but not the entire internet.
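One way to implement the "internal only, plus a few trusted domains" restriction described above with Exchange transport rules. This is an added example, not code from the article or from SilverSky; it assumes an Exchange Management Shell or Exchange Online PowerShell session, and the group and domain names are placeholders.

```powershell
# Added example, not from the article: limit a group of mailboxes to internal mail
# plus a short list of trusted external domains using Exchange transport rules.
# Assumes an Exchange Management Shell or Exchange Online PowerShell session;
# the group and domain names are placeholders for your own.
$internalOnlyGroup = 'InternalOnlyUsers@contoso.example'       # placeholder group
$trustedDomains    = @('payroll.example', 'benefits.example')  # placeholder partners

# Outbound: group members cannot send outside the organization except to the
# trusted domains. The sender receives an NDR that explains the restriction.
New-TransportRule -Name 'Internal-only users: block outbound external mail' `
    -FromMemberOf $internalOnlyGroup `
    -SentToScope NotInOrganization `
    -ExceptIfRecipientDomainIs $trustedDomains `
    -RejectMessageReasonText 'This account is limited to internal email. Contact the helpdesk for exceptions.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Inbound: external senders other than the trusted domains never reach the group.
# Deleting instead of rejecting means phishing senders get no bounce confirming
# that the address is live.
New-TransportRule -Name 'Internal-only users: drop inbound external mail' `
    -FromScope NotInOrganization `
    -SentToMemberOf $internalOnlyGroup `
    -ExceptIfSenderDomainIs $trustedDomains `
    -DeleteMessage $true

# Check that both rules were created and are enabled.
Get-TransportRule | Where-Object { $_.Name -like 'Internal-only users:*' } |
    Format-Table Name, State, Priority -AutoSize
```

Test the rules with a member of the group before rolling them out widely, and review the rule priority so an earlier, broader rule does not override them.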

Where mailboxes are accessed

Cloud email solutions are now used by a majority of companies, allowing users to access their accounts from anywhere. Allowing your employees to access email from anywhere can significantly enhance productivity. However, bad guys can also attempt to access that mailbox from anywhere on the internet.

An attacker only needs to know the user’s credentials, which may not be hard to come by. Easily guessed passwords, lax password change policies, and the cybercriminals’ favorite, credential phishing, are just a few of the ways someone might obtain them. Knowing that this threat exists, you need to limit your exposure, starting by thinking about the access users truly need. Some employees do require the ability to access email from anywhere on both computers and mobile devices. Others likely don’t need this access and won’t even use it, so leaving it enabled creates exposure for the organization with no productivity benefit.

How email boxes are accessed

Next, consider the types of access your users will need. Do they need access from Outlook, from mobile devices, or a web browser? Every kind of access comes with its own risks and rewards:

  • Outlook Access: if you allow your users to access their mailbox using Outlook, be aware that if the mailbox can be reached from any internet connection, nothing prevents users from configuring Outlook on their home computer. Doing so is simple thanks to Exchange Autodiscover, and the result is that a copy of that person’s entire mailbox, including whatever confidential information they may have included in sent messages, is downloaded to the home machine’s local hard drive. For users who require Outlook, ensure that you have a policy, and that the user is aware of it, stating that configuring their mailbox on a non-company-owned device is strictly prohibited. As an alternative to Outlook access outside the office, consider having users use Outlook on the web (OWA).
  • Outlook Web App (OWA): when you access your account using OWA, you are essentially opening a window displaying what’s stored on the server for that mailbox. With OWA, you are not downloading a copy of your messages, and when you close the session, nothing is stored on that machine. OWA can be a great way to allow external access to email, while preventing the users from storing messages outside the company’s control.
  • Mobile Access (ActiveSync): for users who need access from mobile devices, enabling ActiveSync on their mailbox is a great way to provide mobile access. However, enabling ActiveSync without additional controls can be dangerous. This is similar to the problem with Outlook: once you enable that access, it can be used on any device and with any program that speaks ActiveSync (like the free, dodgy mail clients available on most app stores). I highly suggest that anyone considering mobile access to email use a Mobile Device Management (MDM) solution as an added layer of protection. With an MDM solution, you can control which specific device or devices a user is allowed to connect with, enforce a password on the device, force encryption of the mailbox data, and much more. Another key capability is the option to remotely wipe all company information from the device if it is lost or stolen, or if the employee leaves the company.
  • POP, IMAP, EWS: unless you have a particular reason for having these access methods available, I strongly suggest disabling them in the default settings, then enabling them only on a per-mailbox basis where there is a specific need. EWS is a handy API for manipulating a user’s mailbox, but it is also a convenient tool for the bad guys. For example, I recently saw an attacker’s tool that would remotely connect to a mailbox. Within seconds the attacker was able to pull out all of the email addresses listed on every single email in that entire mailbox, download the company address book, and retrieve the user’s autocomplete file. That same EWS connection was then used to send thousands of emails as that user’s email address, and since they came from that person’s actual mailbox, the messages looked legitimate.
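The protocol lockdown described in the last two bullets (POP/IMAP/EWS off by default and re-enabled per mailbox, ActiveSync limited to approved devices with a password and encryption policy, and remote wipe), as an added example that is not code from the article or from SilverSky. It assumes an Exchange Management Shell or Exchange Online PowerShell session; the mailbox, connector and admin addresses are placeholders, and Exchange's built-in mobile device mailbox policy is used in place of a separate MDM product.

```powershell
# Added example, not from the article: default-deny POP, IMAP and EWS, re-enable
# them per mailbox only where needed, quarantine unknown ActiveSync devices, and
# enforce a device policy. Assumes an Exchange Management Shell or Exchange Online
# session; mailbox and admin addresses are placeholders. Exchange's built-in device
# policy covers PIN, encryption and wipe; a full MDM adds app and device management.

# 1. Defaults for new mailboxes (Exchange Online only): POP and IMAP off.
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false

# 2. Existing mailboxes: turn off POP, IMAP and EWS in one pass.
Get-Mailbox -ResultSize Unlimited |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false -EwsEnabled $false

# 3. Re-enable EWS for one mailbox with a documented need (a CRM connector here),
#    and restrict it to that client's user agent instead of any EWS client.
Set-CASMailbox -Identity 'crm-service@contoso.example' `
    -EwsEnabled $true `
    -EwsApplicationAccessPolicy EnforceAllowList `
    -EwsAllowList @('ContosoCRMConnector/*')

# 4. ActiveSync: unknown devices are quarantined until an admin approves them,
#    so a mailbox with ActiveSync enabled still only syncs to approved hardware.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'it-security@contoso.example' `
    -UserMailInsert 'Your device is awaiting approval by IT.'

# 5. Device policy: require a PIN and storage encryption on anything that syncs.
Set-MobileDeviceMailboxPolicy -Identity Default `
    -PasswordEnabled $true -AlphanumericPasswordRequired $true -MinPasswordLength 6 `
    -MaxInactivityTimeLock '00:05:00' -MaxPasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true -AllowNonProvisionableDevices $false

# 6. Lost device or departed employee: wipe the company account data only;
#    drop -AccountOnly for a full device wipe.
Get-MobileDevice -Mailbox 'departed.user@contoso.example' |
    Clear-MobileDevice -AccountOnly -Confirm:$false

# 7. Audit: list mailboxes where any legacy protocol is still on.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.EwsEnabled } |
    Select-Object Name, PopEnabled, ImapEnabled, EwsEnabled, ActiveSyncEnabled
```

Disabling EWS also blocks legitimate clients that still depend on it, such as older Outlook for Mac versions, so inventory those mailboxes first and exempt them explicitly as in step 3.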

These are a few of my suggestions for further locking down and securing mailboxes. If you would like to explore any of these options or see how SilverSky can help, please contact SilverSky.