Askhat - stock.adobe.com
The Hafnium hacks highlighted a necessary evil for many organizations: the need to keep using on-premises Exchange Server for email.
Even if you install the latest cumulative updates, there is no way to permanently protect Exchange Server from a zero-day. The response to the Hafnium hack gave Exchange administrators a wake-up call that more protections were needed to tighten the security of their systems. Exchange Server can only function in a highly privileged fashion, which makes it an attractive target for hackers who, once they breach the network, run laterally through the infrastructure. While it's not feasible to eliminate all risks associated with Exchange Server, administrators can take several steps to control the damage in a worst-case scenario.
Given that email is the most commonly used communication method for the enterprise, any disruption to the messaging platform can cause significant problems for the business. Email can also hold sensitive information, such as contracts, confidential data and communication among employees, which, if it falls into the wrong hands, can lead to legal and financial trouble. Administrators can avoid downtime and breach attempts when they follow Exchange Server security best practices to protect the business from ongoing cyberattacks and evolving threats.
Protect internet-facing servers
One of the key elements that made the Hafnium hack a success is the attackers found vulnerable servers through remote port scans. Some Exchange installations require some ports to be open to the internet.
To avoid detection and becoming a target, administrators should follow these steps to prevent the server from being discovered by attackers:
- block all inbound traffic from suspected IP addresses or foreign countries;
- implement firewall protections that detect and block port scans from outside IP addresses; and
- detect and block abnormal inbound traffic with the Exchange Server as its destination.
Maintain critical business applications
It's imperative to deploy patches and software updates to all software products as soon as possible. This is especially important for Exchange Server.
Administrators can update Exchange based on a predefined maintenance window, which would allow them to keep up with the latest quarterly cumulative updates from Microsoft. Administrators should stay current with the latest Exchange security updates from Microsoft on websites such as the Security Update Guide and Microsoft's Security blog site. Once a rarity, out-of-band security updates for Exchange have been more commonplace, as Microsoft will release fixes for Exchange zero-days as they become available. It's also important to check those websites for mitigation tools and instructions when a patch is not available for a vulnerability.
Adopt advanced security tools to detect abnormal activities in the system
It is no longer enough to install antivirus applications on servers such as Microsoft Exchange and expect them to provide adequate protection. Antivirus tools should be considered the minimum for protecting systems from known malware, but they add very little protection when the remote attack uses exploits.
To fortify business-critical servers, administrators should investigate endpoint detection and response (EDR) tools from vendors such as SentinelOne, Trend Micro and Sophos. EDR adds another layer of protection by analyzing the different activities on an Exchange Server and using AI to determine if those activities are malicious and should be blocked, as well as whether to notify administrators with any suspicious findings.
Eliminate on-premises Exchange when possible
Another approach to reduce the security risks associated with the spate of Exchange Server attacks in early 2021 is to move into a hybrid configuration or migrate completely to Exchange Online.
One of the reasons a hybrid setup provides additional protections is it does not require the Exchange Server to be internet-facing when all mailboxes are hosted in the Microsoft cloud. When you move all mailboxes to Exchange Online, Microsoft documentation states you still need Exchange Server for hybrid identity management. Microsoft only supports using its tools -- Exchange Management Console, the Exchange admin center or the Exchange Management Shell -- to manage Active Directory attributes in a full directory synchronization scenario.
Given that more organizations are considering Office 365 for email, migrating to Exchange Online is another way to reduce the security risk of an on-premises server that requires continuous monitoring, upgrading and patching.
Monitor audit logs for suspicious activities
While some of the steps highlighted above provide a strong level of protection against Exchange attacks, there are risks with attacks from within or using hijacked credentials. This means IT must be diligent in knowing what type of administrative activities are occurring on their servers. Exchange administrators must periodically monitor their Exchange audit logs and look for any suspicious administrative activities that include:
- configuration changes such as delegations and permission changes;
- mailbox exports;
- changes to user roles;
- deletion of content such as mailboxes or resources;
- changes to Exchange databases; and
- changes to security policies.
Any of these modifications should be investigated if the Exchange administrator did not authorize them. There are many tools that help monitor the system for these types of activities, including products from Lepide, SolarWinds and Netwrix, that send alerts when suspicious activity warrants further investigation.