Exchange Server / Microsoft 365

Practical Protection: Security Principles for your Exchange Environment 

Avatar photo
Post author:Written By 2 Comments

Welcome to the first installment of “Practical Protection,” which I hope will become a regular part of your reading here at Practical 365. I wanted to start a regular security-themed column that focuses less on specific security buttons you can push in Microsoft 365, and more on the breadth of security stuff that you need to know to properly secure an M365 tenant. This column will be a mix of “push this button,” “here’s what this button does,” and “why does this button even exist?”

To start with a real-world example, let’s talk about the recent zero-day attacks against Exchange 2013, 2016, and 2019. These attacks look similar in some respects to the ProxyShell attacks that started in 2021, but there are some important differences, which you can read about in Tony Redmond’s article. Rather than talking about the specifics of this attack, or how to mitigate it, I want to try to illustrate four general security principles and talk about how you can practically apply them to your Exchange environment.

The First Principle: Pay Attention.

Although Practical 365 isn’t a “breaking-news” site, we try to be timely in covering major issues like the emergence of a new zero-day vulnerability. For security coverage, though, your best bet is generally going to be to watch security-specific news outlets. This is best done with two tools:

  • a good RSS reader (I like NewsBlur but Pocket is also popular) so you can subscribe to web pages that support the RSS protocol, which is pretty much every important blog and news site.
  • Twitter. Yes, that’s right, I’m actually recommending using Twitter despite the fact that in many ways it’s a hellscape of noise and arguing. Creating a Twitter account just for security-related news, and then using a third-party client that suppresses ads and shows you things in chronological order, makes it easy for you to track breaking news of security threats. Twitter’s where I first heard about the latest run of Exchange on-prem zero-day attacks, in fact.

Equipped with those tools, what should you be looking at or subscribing to? Let’s start with the Microsoft Security Response Center (MSRC). This is the canonical place to learn what Microsoft knows about emerging security threats. Microsoft is, and has to be, very cautious about announcing new threats, though—MSRC is a great place to get in-depth information about a threat, but you won’t see new threats appear there until Microsoft has had enough time to investigate and analyze the threat.

For breaking security news, BleepingComputer.com has consistently been a very good source. I have high hopes for The Record, whose recent track record has been pretty good. Over the last few years, two trends have emerged. First, “cybercrime” coverage has become more popular, which means any news site will have articles about things like cryptocurrency theft mixed in with coverage of security vulnerabilities. Second, most vulnerability researchers try to grab as much press as they can by coming up with clever names for new exploits and then publicizing them as broadly as possible, so most general IT news sites will have roughly equal coverage.

On Twitter, start by following Catalin Cimpanu (@CampusCodi), Kevin Beaumont (@GossiTheDog), and Jake Williams (@malwareJake). Along with coverage of new threats, all 3 of these experts will give you a useful feed of background information (and some pretty darn funny commentary and memes, if that’s your thing). For example, Beaumont has done a good job of highlighting the fact that if you follow Microsoft’s recommendation to auto-exclude w3wp.exe from Defender scans, Defender can’t catch the now-identified Exchange zero-day vulerbilities.

For more general security knowledge, I’m a huge fan of two email newsletters: Risky Business News and Zack Whittaker’s (@zachwhittaker) This Week in Security Both are broad-based surveys of the biggest news items in cybersecurity each week; if you want to broaden your awareness of trends as well as tracking specific threats for the products and services you use, these are indispensable.  

On Demand Migration

Migrate all your workloads and Active Directory with one comprehensive Office 365 tenant-to-tenant migration solution.

Learn More

The Second Principle: Get Your Money’s Worth

It always surprises me when I see statistics showing low adoption of security features that are included in even the least expensive Microsoft 365 subscriptions—multi-factor authentication being one obvious example. If you’re not already using MFA, or if you have E5 licenses and haven’t set up Defender for Office 365, well, go do it! You’re paying for those features and you’re only shortchanging yourself by not using them. By the same token, you should be using the Office client policy service to apply security controls to your Office clients. If you have on-premises Exchange servers, you should know how to use the Exchange Emergency Mitigation service. In general, if Microsoft has a security tool, and you have access to it (either because it’s free or because you have licenses that include it), then you should be using it. Get your money’s worth. 

The Third Principle: Be Proactive

Even baby steps, such as using Secure Score in a predictable cadence and fixing what you find, are better than nothing. In today’s security environment, you absolutely cannot wait until your newsreader alerts you to a new zero-day vulnerability, and only then start thinking about applying patching. If you are keeping abreast of security issues as the first principle above suggests, it will be much easier for you to proactively decide how to divide your time and budget to give you the best protection.

The Last Principle: Be Responsive

I remember being shocked at the number of people who weren’t able to quickly apply Exchange Server cumulative updates after the first set of ProxyShell attacks because they didn’t have in-house knowledge about how to patch Exchange. It’s much easier to point out this principle than it is to make it real because you’ll need to first develop a good understanding of the realistic capabilities of your organization. Do you have security monitoring with a tool like Microsoft Sentinel? Do you have endpoint protection with Defender or an equivalent? Is anyone regularly reviewing and testing your security capabilities? In many cases, the answer to most of these questions is “no,” because building a response capability is expensive and time-consuming… but also critical. The articles here on Practical 365 can help strengthen your response abilities by giving you practical guidance on how to make security changes.

Putting the Principles into Action

The truth is that it’s easier to articulate principles than to follow them rigorously. However, as with exercise, doing something is much better than doing nothing. Whatever you can do to start applying these principles in your organization will be a long-term benefit to you—and the more the better.

Tags: ,

About the Author

Paul Robichaux

Paul Robichaux, an Office Apps and Services MVP since 2002, works as the senior director of product management at Keepit, spending his time helping to make awesome data protection solutions for the multi-cloud world we’re all living in. Paul's unique background includes stints writing Space Shuttle payload software in FORTRAN, developing cryptographic software for the US National Security Agency, helping giant companies deploy Office 365 to their worldwide users, and writing about and presenting on Microsoft’s software and server products. Paul’s an avid (but slow) triathlete, an instrument-rated private pilot, and an occasional blogger (at http://www.paulrobichaux.com) and Tweeter (@paulrobichaux).

Comments

  1. Brandon 9 Jan 2023 Reply

    Thanks Paul for this advises

  2. Prasad Sugunan 19 Oct 2022 Reply

    Thank you, Paul for the great article on the Security Principles!

Leave a Reply