Chapter 19: Security Auditing

Are all of your Exchange servers adequately protected against physical attack, damage, or theft?

What about the infrastructure servers on which they depend?

Are critical machines protected with appropriate physical protective measures (for example, locked cases)?

Do your laptop users have and use locking cables for their laptops?

Are laptops protected with the Encrypting File System (EFS)?

Are your machines up to date on service packs and security patches right now? Are you sure?

Do you regularly use some kind of patch assessment tool (like Systems Management Server or Microsoft Baseline Security Analyzer) to inventory patches on your machines?

Do you have an automated patch distribution system either deployed or planned? If not, why not? (Remember, the Microsoft Software Update Service, or SUS, is free, so cost factors aren t an acceptable excuse .)

What group policies apply to your Exchange and infrastructure servers? Your client machines?

Have you built your Active Directory infrastructure into role-based organizational units (OUs) so you can easily apply security templates?

What security templates have you applied? If they ve been customized, how are you keeping track of the changes?

What password policies are in effect? Do you force regular password changes?

What account was used to install your Exchange organization?

What accounts and groups have Exchange View-Only Admin permissions? Exchange Admin permissions? Exchange Full Admin permissions?

Who has access to modify membership in the Exchange Domain Servers group?

What permissions are granted on the Exchange organization object? Each administrative group? Each routing group? Each server? Make sure that these are recorded on paper somewhere so that you have a baseline to compare against.

What permissions are now in effect on the tracking log shares on your servers?

Do you allow the use of Simple Mail Transfer Protocol (SMTP) authentication for relaying? (If so, check out the description of SMTP AUTH attacks in Chapter 10, Antivirus Protection. )

Are there specific target domains with which you could be using Transport Layer Security (TLS)?

Is your relaying configuration secure against exploitation by spammers?

Are you using a perimeter or server-based antispam product? Do you keep track of its effectiveness so you know when it needs tuning?

Are you using Domain Name System (DNS) block lists? Do you have processes to regularly monitor what they re blocking to ensure that you re not losing legitimate mail?

Are you using sender or recipient filtering? If so, what exactly are the filters configured to block?

Have you deployed antivirus scanners on your perimeter or bridgehead machines?

Do you have Exchange-aware scanners deployed on your Exchange servers?

Are your client machines protected by a good-quality desktop antivirus scanner?

For all of your antivirus products, have you configured them to regularly pull updates? Have you verified that they can get updates on request?

Do you have to encrypt content sent to specified destinations?

Do you have a content filtering solution in place to block bad content? (Remember, your definition of bad might vary.)

Are you required to screen or block incoming or outgoing content based on its use of encryption?

Have you properly configured Secure Sockets Layer (SSL) for your Internet- facing servers?

Do you have any domain member servers located in your perimeter network?

What ports are open from the Internet to your perimeter network? From the perimeter network to your internal network?

Are you using Internet Protocol Security (IPSec) where appropriate?

Do you have a deployed public-key infrastructure (PKI)?

If so, are your PKI certificate authorities (CAs) protected with adequate physical and network security?

Who issues your users certificates? If you use an internal CA, which specific people in your organization have the ability to issue and revoke certificates?

Do you maintain records of issuance and revocation?

Who controls your domain certificate trust list?

Do you have organizational requirements for cross-certification support?

Do you have a process in place to get regular updates for the Microsoft Office Outlook 2003 Junk Mail Filter?

Are you using the Microsoft Office policy templates to apply client-side security policies? If so, what policies are you applying?

Are your client machines running antivirus software?

Do you have a continuing program in place to help teach (or perhaps remind ) users about safe attachment handling processes?

Are you using remote procedure call (RPC) over HTTP Secure (HTTPS)? If so, are you using it in conjunction with Microsoft Internet Security and Acceleration (ISA) Server or another RPC-aware screener?

Are all front-end servers configured to require the use of SSL for Outlook Web Access?

Is form-based authentication in use? If so, are appropriate time-out values in use?

Are end users now using freedocs? If so, should you be restricting access to them?

Have you implemented attachment blocking? If so, are the settings for attachment blocking consistently applied to all of your servers?

Have you customized the list of blocked attachment types for Microsoft Outlook Web Access? (Remember, this list is completely independent of the list that Outlook uses.)

Have you considered using a reverse proxy to make it easier to publish Outlook Web Access securely?

Are you using IPSec to protect communications between front- and back- end servers?

How is authentication configured on your front-end servers? Have you taken appropriate precautions to secure the underlying Microsoft Internet Information Services (IIS) installation?

Have you customized the URLScan configuration on your machines? Do you have printed records of the configuration anywhere ?

How many mobile devices are your users using?

Do you have any system in place for deciding who can and cannot have mobile device access to your Exchange resources?

If you re not using Microsoft Outlook Mobile Access, have you disabled it for your users?

Are your devices adequately protected by personal identification numbers (PINs)? Do you occasionally spot-check devices to ensure this? Are users trained to keep their PINs confidential?

What procedures do you follow in case of a lost or stolen device?

Do you have to load your organizational root certificate onto new devices? Do you have a process for doing so?

Do you allow Post Office Protocol 3 (POP3), Internet Message Access Protocol 4 (IMAP4), or Network News Transfer Protocol (NNTP) traffic to your servers?

If so, do you allow these protocols to be used with or without SSL? If you allow unsecured use of these protocols, remember that an attacker might be able to steal your users credentials.

Does your organization fall under any of the legal, regulatory, or case law requirements discussed in Chapter 17, Discovery, Compliance, Archive, and Retrieval, and Chapter 20, The Law and Your Exchange Environment ?

If so, do you have a discovery, compliance, archiving, and retention plan that meets your requirements?

Do you have processes in place to automatically monitor the event log for unusual events?

Are you currently using an automated tool like the Microsoft Audit Collection System (MACS) to correlate events between event logs on different machines?

Is anyone monitoring the event log for event ID 1016s and ensuring that the only ones that appear are from legitimate sources?