Hardening On-Premise Exchange for the COVID work from home era

In today’s work environment, where many people are working remotely or in a hybrid environment, securing your on-premises Exchange is more crucial than ever. To protect your organization’s sensitive data and guard against cyber attacks, hardening your on-premises Exchange should be a top priority.

While Microsoft has published comprehensive articles on patching known vulnerabilities, some critical features widely used by organizations are often not addressed. That’s why we’ve compiled a list of technologies that most organizations use alongside an on-premises Exchange, along with specific policies for configuring these technologies for the highest level of security.

The two essential technologies for securing on-premises Exchange are Two-Factor Authentication (2FA) and Outlook Web Access (OWA). Let’s take a closer look at each of these technologies and explore how to configure policies to ensure the highest level of security.

Two-Factor Authentication

2FA is an essential security feature that enhances security by requiring a second form of authentication in addition to a password. There are several 2FA providers available, each with its unique features and requirements. Choosing the right 2FA provider will depend on your company’s specific needs. However, here are a few considerations to bear in mind:

  • Device trust management
  • Device health visibility
  • Device security visibility
  • Ability to separate corporate-owned versus BYOD devices
  • Application integration

For example, Cisco Duo is a popular 2FA provider that offers several configurable policies. You can set a new-user policy that determines whether users can self-enroll, geo-lock users based on their location, and check a device’s health before allowing authentication. You should also choose the authentication method that works best for your organization, block access from tampered devices, and require full-disk encryption.

Outlook Web Access (OWA)

OWA is a webmail service that provides access to an Exchange Server mailbox via a web browser. By default, OWA has a six-hour activity-based timeout, which means users will not be prompted to re-authenticate for six hours, even if you have 2FA configured. Since Microsoft doesn’t provide a precise definition of inactivity in OWA, this long window is a security risk.

To change the OWA timeout period, you can use PowerShell:

  • Open Exchange Management Shell
  • Type “Get-OrganizationConfig | fl ActivityBasedAuthenticationTimeout*” to check the current timeout setting
  • To change the timeout setting, type “Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutInterval 01:00:00” to set the timeout period to one hour. Note that Microsoft doesn’t recommend setting the timeout period to less than five minutes.
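The steps above carried through as a single script, added here as an example and not part of the original post: it records the current setting, validates the requested interval against the range Set-OrganizationConfig accepts (00:05:00 to 08:00:00), applies the change, and reads it back so a typo or a failed write does not go unnoticed. The $DesiredTimeout value is an assumption chosen for this example; run it from the Exchange Management Shell with Organization Management permissions.

```powershell
# Added example (not from the original post): review and harden the OWA
# activity-based authentication timeout on an on-premises Exchange organization.
# Assumed value for this example: one hour, as in the post's walkthrough.
$DesiredTimeout = "01:00:00"

# Set-OrganizationConfig accepts intervals from 5 minutes to 8 hours; refuse anything else
# before touching the organization config.
$requested = [TimeSpan]::Parse($DesiredTimeout)
$minTimeout = [TimeSpan]::Parse("00:05:00")
$maxTimeout = [TimeSpan]::Parse("08:00:00")
if ($requested -lt $minTimeout -or $requested -gt $maxTimeout) {
    throw "Timeout $DesiredTimeout is outside the supported range ($minTimeout to $maxTimeout)."
}

# 1. Record the current state before changing anything (useful for change tickets and rollback).
Write-Host "Before:"
Get-OrganizationConfig | Format-List ActivityBasedAuthenticationTimeout*

# 2. Make sure the timeout is actually enabled (a previous admin may have turned it off),
#    set the interval, and apply the same timeout to sessions established through
#    single sign-on so SSO users are not exempt from re-authentication.
Set-OrganizationConfig -ActivityBasedAuthenticationTimeoutEnabled $true `
                       -ActivityBasedAuthenticationTimeoutInterval $DesiredTimeout `
                       -ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled $true

# 3. Read the setting back and fail loudly if it did not apply.
$after = Get-OrganizationConfig
if (-not $after.ActivityBasedAuthenticationTimeoutEnabled -or
    "$($after.ActivityBasedAuthenticationTimeoutInterval)" -ne $DesiredTimeout) {
    throw "OWA timeout was not applied; current value: $($after.ActivityBasedAuthenticationTimeoutInterval)"
}
Write-Host "After:"
$after | Format-List ActivityBasedAuthenticationTimeout*
```

The setting is organization-wide and takes effect for new OWA sessions; existing sessions keep their old timer until they end, so plan the change for a maintenance window if you want users prompted on a predictable schedule.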

In conclusion, securing your on-premises Exchange is essential, especially when working remotely or in hybrid work environments. By implementing 2FA and properly configuring OWA policies, you can enhance the security of your organization’s sensitive data and ensure a safer browsing experience for everyone involved.
