As a best practice, it is recommended that you don't configure blanket, persistent access for IT administrators to end-user Exchange mailboxes.
For POP and IMAP access to Exchange Server mailboxes, the best practice is to require secure logins.
The servers running Exchange Server in your environment should have unique, complex local administrator passwords that are unknown.
When you configure journaling in an Exchange organization, you should also review the configuration of any databases that will host journal mailboxes.
It is a recommended practice to configure any antivirus software running on Exchange servers to exclude specific paths, processes, and file types.
It is recommended to enable Datacenter Activation Coordination (DAC) mode for Exchange database availability groups that meet the criteria.
Exchange Server and Exchange Online mobile device mailbox policies allow automatic remote wipe of devices after failed sign-in attempts.
The default Exchange and Exchange Online mobile policies do not enforce PIN/passwords for mobile devices, which is not recommended for security reasons.