Six commonly overlooked Exchange security vulnerabilities
Too often administrators treat Exchange as a regular old server -- with no serious efforts put
into securing it. Consider how much we rely on email in day-to-day business. Add data and legal
discovery complexities to the mix, and you can't deny the importance of keeping your Exchange
environment in check.
The following list details common Exchange security vulnerabilities. Make sure you’re not
letting threats fly in under your security radar:
- Gaps in the patching process -- I often find outdated or missing service packs and hotfixes on Exchange servers; some systems may not have been patched in 10 years or more. In these instances, odds are high that malicious insiders who are physically connected to your network can exploit vulnerabilities.
This was first published in May 2011
Once exploited, these flaws can provide attackers with full administrative-level remote control of an Exchange system, letting them copy and delete data, add backdoor user accounts and more. The scary thing is that most of this activity goes undetected. Even if you're running Windows Server Update Services (WSUS) or a third-party patch-management system, old patches may still exist.
- Weak passwords -- Similar to missing patches being an easily avoidable security hole, there’s no excuse for having weak passwords. For some reason though, weak passwords still exist in many Exchange environments. All it takes is a single Exchange account with a weak password to give an outsider full access to your messaging environment.
In various security assessments, I’ve found it easy to hack weak Exchange passwords for users’ Outlook Web Access (OWA) accounts. This creates a slippery slope of security troubles. Accessing one OWA account allows a hacker to glean all company-wide email addresses via the global address list (GAL). Using that information, hackers then can find several other poorly protected user accounts to gain access to users' email and the organization’s public folders.
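The account-hopping described above has a simple defender-side signal: one client address hammering the OWA forms-based logon endpoint. The following is an added example, not code from the article, that parses IIS W3C log rows (the `#Fields:` directive and field names are IIS's own; the rows are constructed) and flags client IPs whose logon POSTs exceed a threshold inside a sliding time window:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C log: the "#Fields:" directive and field names are IIS's
# own; the rows are made up. 10.1.1.50 fires 12 logon POSTs in 12 seconds,
# 10.1.2.7 logs on twice a few minutes apart like a normal user.
SAMPLE_LOG = "\n".join(
    ["#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs-username sc-status"]
    + [f"2011-05-02 08:00:{s:02d} POST /owa/auth.owa - 10.1.1.50 - 302" for s in range(12)]
    + ["2011-05-02 08:00:05 GET /owa/ - 10.1.2.7 - 302",
       "2011-05-02 08:00:07 POST /owa/auth.owa - 10.1.2.7 - 302",
       "2011-05-02 08:03:30 POST /owa/auth.owa - 10.1.2.7 - 302"]
)

LOGON_PATH = "/owa/auth.owa"  # forms-based authentication POST target


def parse_iis(text):
    """Yield one dict per request row, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def logon_bursts(text, window=timedelta(minutes=5), threshold=10):
    """Return {client_ip: peak_count} for every client IP whose logon POSTs
    exceed `threshold` inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for rec in parse_iis(text):
        if rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower() == LOGON_PATH:
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            by_ip[rec["c-ip"]].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            hits = end - start + 1
            if hits > threshold:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged


if __name__ == "__main__":
    print(logon_bursts(SAMPLE_LOG))  # {'10.1.1.50': 12}
```

Point it at a real OWA log by reading the file into `text`; tune `window` and `threshold` to your user population before alerting on the result.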
- Leaving private data in public folders -- Users often assume that since their co-workers have Exchange/network accounts, they should also have access to the sensitive information that is often available in public folders. This is far from the truth. I've seen a great deal of sensitive business information shared in public folders that should be inaccessible to others within the organization.
- SMTP and POP3 access -- Many Exchange servers have SMTP and POP3 enabled, which isn’t necessarily a bad thing. But there is a problem if SMTP and POP3 are transmitted without secure sockets layer/transport layer security (SSL/TLS) in place. If you don't use SMTPS (TCP port 465) and POP3S (TCP port 995), email messages and login credentials are exposed when sending or receiving email from unsecured wireless networks.
- Outlook Web Access and Outlook Web App -- I know I certainly couldn’t live without OWA, but it is a risky technology in many situations. I often see OWA servers that are not configured to run over SSL. This can lead to the same security problems you encounter with SMTP and POP3. I've also seen Internet Information Services (IIS) running with SSL version 2 and low-encryption ciphers, both of which can facilitate further attacks. There are known flaws in SSL version 2 and low-encryption ciphers. If a hacker sees you're using either of these, they know they have the ability to decrypt the communication session and view your email traffic in clear text.
Another common security flaw with OWA is that users are not forced to log off their OWA accounts after long idle periods. Untrained users or users who aren’t required to lock their desktop screens when they’re unattended only exacerbate the problem.
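The SMTP/POP3 item and the OWA item above share one check: does the port offer TLS at all, and if so, what protocol version and cipher strength does it actually negotiate? The following is an added example, not code from the article, that performs that handshake audit against the implicit-TLS ports the article names (465, 995) and OWA on 443; the hostname is a placeholder, and `assess` classifies the cipher tuple the standard library reports:

```python
import socket
import ssl

# Protocol versions the article flags (SSL version 2) plus the later ones that
# have since been deprecated for the same class of weaknesses.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_KEY_BITS = 128  # below this counts as a "low-encryption cipher"


def assess(cipher):
    """Classify the (name, protocol, bits) tuple that SSLSocket.cipher() returns.
    Returns a list of finding strings; an empty list means nothing to flag."""
    name, protocol, bits = cipher
    findings = []
    if protocol in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol {protocol}")
    if bits < MIN_KEY_BITS:
        findings.append(f"low-encryption cipher {name} ({bits}-bit)")
    if "RC4" in name or "DES" in name or name.endswith("MD5"):  # "DES" also matches 3DES
        findings.append(f"weak cipher suite {name}")
    return findings


def probe(host, port, timeout=5.0):
    """Attempt an implicit-TLS handshake on host:port (SMTPS 465, POP3S 995,
    HTTPS 443) and return (negotiated cipher tuple or None, findings)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # this audit covers the crypto, not the cert chain
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # let legacy versions show up
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cipher = tls.cipher()
                return cipher, assess(cipher)
    except (OSError, ssl.SSLError) as exc:
        # Plaintext-only SMTP/POP3, or a server offering only SSLv2/SSLv3 that
        # this client refuses, both end here: either way the port is a finding.
        return None, [f"no usable TLS session on port {port}: {exc.__class__.__name__}"]


if __name__ == "__main__":
    # Placeholder hostname; replace with your own Exchange client access server.
    for port, service in ((465, "SMTPS"), (995, "POP3S"), (443, "OWA/HTTPS")):
        cipher, findings = probe("mail.example.com", port)
        print(service, cipher, findings or "OK")
```

Modern OpenSSL builds may refuse SSLv2/SSLv3 even with the minimum version lowered, so a handshake failure on a port that should be encrypted is itself the finding to chase down.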
- Shared Exchange administrator accounts -- When someone with administrative access is fired or leaves an organization on bad terms, things can turn ugly fast. I’m not saying you should have only one Exchange administrator, but I do believe you should know exactly who has administrative rights. You also need a solid process that involves HR to make sure things go smoothly if and when administrators leave the organization.
[Figure 1. The ethical hacking process]
To protect the organization now and down the road, make sure that your Exchange environment is
included in your vulnerability assessments and penetration tests. This means you should use the
ethical hacking methodology (Figure 1, above) to poke around your Exchange system -- inside and
outside your network. Doing so will uncover any of these vulnerabilities, if they exist, as well as
others.
About the author: Kevin Beaver is an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic, LLC. With over 22 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored nine books on information security including The Practical Guide to HIPAA Privacy and Security Compliance and the best-selling Hacking For Dummies, 3rd edition. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.