Hardening On-Premise Exchange for the COVID era

With most people now working in hybrid or fully remote environments, hardening your on-premise Exchange servers should be a top priority.

Microsoft has published extensive guidance on patching known vulnerabilities.

While Microsoft covers the larger picture, in my experience they miss some key points about features that are widely used.

Below is a list of technologies most organizations use with an on-premise Exchange server:

  • 2FA
  • OWA (Outlook Web Access/App)
  • ActiveSync devices

These technologies are widely used, but their default settings are not something anyone should consider safe.

Two-Factor Authentication

There are a lot of two-factor authentication (2FA) providers, but not all 2FA providers are created equal.

Here are a few things to look for to make sure the provider gives you the tools to enforce a strong access policy:

  • Device trust management
  • Device health visibility
  • Device security visibility
  • Ability to separate corporate owned versus BYOD
  • Application Integration

If we use Cisco Duo as one example of a popular 2FA provider, here are the policies I would configure first:

  • New User policy: decide whether users are allowed to self-enroll
  • User Location: restrict the geographic locations users may authenticate from
  • Device Health application: enable it so the device is checked and allowed to authenticate only after all conditions are met (firewall, antivirus, sideloaded apps in the case of phones)
  • Authentication methods: allow only the methods that work for your company
  • Tampered devices: block access from rooted or jailbroken devices
  • Full disk encryption: require it before a device is allowed to authenticate

Let’s look at OWA (Outlook Web Access) as an example.

By default the activity-based timeout for OWA is enabled, but it is set to 6 hours.
This means that even with a 2FA solution in place, users will not be prompted to re-authenticate until they have been inactive for 6 hours, and Microsoft does not give a precise definition of what it considers inactivity in OWA.

To check the current settings, open the Exchange Management Shell and run:

Get-OrganizationConfig | fl ActivityBasedAuthenticationTimeout*

To change it, run the following in the same shell:

Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutInterval 01:00:00

This sets the inactivity timeout to 1 hour. Microsoft documents the valid range for this parameter as 5 minutes to 8 hours (00:05:00 to 08:00:00), so 5 minutes is the floor; pick the shortest interval your users will tolerate.
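To make the change safely and confirm it took effect, here is an added example script (not from the original post) that audits the current timeout, validates the target against the documented range, flags OWA virtual directories where forms-based authentication is off (the activity-based timeout only applies to forms-based authentication, so it would silently not apply there), applies the 1-hour setting, and re-reads the configuration to verify it. It assumes it is run inside the Exchange Management Shell; the $TargetInterval value is the one used in this post and is the only thing you need to change.

```powershell
# Added example, not the original post's own script.
# Assumes: run from the Exchange Management Shell on an on-premise Exchange server.
$TargetInterval = '01:00:00'                 # hh:mm:ss, the value used in the post
$MinInterval    = [TimeSpan]'00:05:00'       # documented floor for the parameter
$MaxInterval    = [TimeSpan]'08:00:00'       # documented ceiling for the parameter

$target = [TimeSpan]$TargetInterval
if ($target -lt $MinInterval -or $target -gt $MaxInterval) {
    throw "Target interval $TargetInterval is outside the supported range $MinInterval to $MaxInterval"
}

# 1. Record the organization-wide setting before touching anything.
$before = Get-OrganizationConfig
Write-Host ("Before: Enabled={0} Interval={1} WithSSO={2}" -f
    $before.ActivityBasedAuthenticationTimeoutEnabled,
    $before.ActivityBasedAuthenticationTimeoutInterval,
    $before.ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled)

# 2. The timeout is enforced by forms-based authentication. Warn about any OWA
#    virtual directory where FormsAuthentication is disabled, because the new
#    interval will not protect sessions that authenticate there.
Get-OwaVirtualDirectory | ForEach-Object {
    if (-not $_.FormsAuthentication) {
        Write-Warning ("{0}: FormsAuthentication is disabled; the activity-based timeout will not apply to this virtual directory" -f $_.Identity)
    }
}

# 3. Apply the hardened setting: keep the feature enabled and shorten the interval.
#    If your 2FA integration signs users in via single sign-on, the matching
#    ...WithSingleSignOnEnabled switch is the one that governs those sessions, so it is kept on too.
Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutEnabled $true `
                       -ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled $true `
                       -ActivityBasedAuthenticationTimeoutInterval $TargetInterval

# 4. Re-read the configuration and fail loudly if the change did not land.
$after = Get-OrganizationConfig
if (-not $after.ActivityBasedAuthenticationTimeoutEnabled -or
    $after.ActivityBasedAuthenticationTimeoutInterval.ToString() -ne $TargetInterval) {
    throw ("Verification failed: Enabled={0} Interval={1}" -f
        $after.ActivityBasedAuthenticationTimeoutEnabled,
        $after.ActivityBasedAuthenticationTimeoutInterval)
}
Write-Host ("After: timeout enabled, interval {0}" -f $after.ActivityBasedAuthenticationTimeoutInterval)
```

Run it once, keep the "Before" line for your change record, and re-run the audit portion after any Exchange cumulative update to make sure the values were not reset.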
