APP.5.2 Microsoft Exchange and Outlook

Description

Introduction

Microsoft Exchange Server (hereinafter referred to as “Exchange”) is a groupware solution for medium to large institutions. It can be used to transmit messages electronically and provides additional services to support workflows. Messages such as emails can be centrally managed, delivered, filtered, and sent with Exchange. Typical groupware functions such as notes, contact lists, calendars, and task lists can also be offered and managed. To use Exchange’s functions, a client application or a web browser is required in addition to the server service.

Microsoft Outlook (hereinafter referred to as “Outlook”) is a client for Exchange that is provided through the installation of the Microsoft Office package or through integration into the operating systems of mobile devices. In addition, the web application “Outlook on the Web” (formerly “Outlook Web App”) allows access via the browser to, e.g., emails, contacts, and the calendar. This function is already included in Exchange.

The combination of Exchange servers and Outlook clients is referred to in this building block as the Exchange system.

Objective

The objective of this building block is to provide information about typical threats to Exchange and Outlook, and to show how Exchange and Outlook can be used securely in institutions.

Scope and Modeling

The building block must be applied to all Exchange systems in the information domain.

General requirements for the security of email systems are found in the building block APP.5.3 General Email Client and Server. It must be applied additionally to every email system based on Exchange or Outlook.

This building block contains specific threats and requirements for Exchange systems. Specific requirements for server platforms and operating systems are not part of this building block. These are found in the building blocks SYS.1.1 General Server and SYS.2.1 General Client as well as in the respective operating-system-specific building blocks.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to represent the threat landscape. The following specific threats and vulnerabilities are of particular relevance for the building block APP.5.2 Microsoft Exchange and Outlook.

Missing or Insufficient Regulations for Exchange and Outlook

Comprehensive rules and specifications for Exchange and Outlook are necessary to ensure the security of information processed with Exchange and Outlook. For example, data can be lost, unintentionally modified, or deleted if Exchange is integrated into Active Directory incorrectly and without defined rules. The same applies when mailbox databases are unpublished without defined procedures and Exchange is insufficiently considered in the security policy. The same is true when Outlook clients can access Exchange servers without regulation.

Faulty Migration of Exchange

In practice, Exchange systems are migrated more often than they are newly installed. To migrate to a new version of Exchange Server, the operating system sometimes has to be updated to a newer version as well. New operating system versions in turn often place requirements on the existing domain concept and the existing directory services.

If the migration is not carefully planned and carried out, internal communication via Exchange within the institution can be massively disrupted, which could in turn reduce productivity. During migration, configuration problems can arise — for example, the configuration settings for the different versions or the options for connecting to directory services may have changed. Furthermore, incorrect protocol settings can lead to irregularities in information transmission, authentication, and encryption.

Unauthorized Browser Access to Exchange

With Exchange, users can access their own email account via a browser. For this purpose, the Internet Information Services (IIS), which are part of the Windows operating system, are used. If this function is improperly planned and incorrectly configured, uncontrolled external access to the internal network may occur in some circumstances.

If emails are to be accessed from the internet via a browser, this presents a significant risk. Without direct access to the institution’s network, attackers could gain access to emails and thereby spy on email addresses and content, misuse email functions, send spam, and obtain access to institution-internal information.

Unauthorized Connection of Other Systems to Exchange

Exchange systems are closely integrated with the Windows operating system and work with third-party systems through so-called connectors. Connectors enable other email systems to retrieve emails from Exchange servers via specific protocols (e.g. POP3).

If connectors are not taken into account during installation or migration of Exchange, the existing connectors may be incompatible with the migrated Exchange version. This can cause emails to be lost or unintentionally modified.

Outside a homogeneous Microsoft environment, the security-relevant settings of the Exchange system do not take effect on the connected third-party systems.

Whenever different subsystems are administered separately, inconsistencies can arise. Improperly connected third-party systems can also lead to data loss or to the Exchange system being blocked.

Incorrect Administration of Access and Permissions under Exchange and Outlook

If access rights to an Outlook client or data stored within Exchange and Outlook are incorrectly created and administered, security vulnerabilities can arise. This is the case, for example, when additional rights beyond those necessary are granted and unauthorized persons can then access confidential information.

Incorrect Configuration of Exchange

A frequent cause of successful attacks against services such as Exchange is incorrectly configured Exchange systems. Since an Exchange system is very complex, numerous security problems can arise from the many possible configuration settings and mutually influencing parameters. Possible misconfigurations range from installing Exchange components on unsuitable IT systems, to missing encryption and insufficient access restrictions on Exchange servers, to incorrect permission assignment during the creation or initialization of an Exchange database.

Incorrect Configuration of Outlook

The Outlook email client is an important part of the Exchange system. For the overall security of the Exchange system, it is important that the clients are correctly configured. Even the chosen communication protocol can give rise to specific security problems. Private keys used to encrypt and sign emails could also be compromised. If encryption is applied at the network level, e.g. via IPSec or TLS, this encryption mechanism can become ineffective with an incorrectly configured client. Misconfigurations can create security problems, e.g. loss of confidentiality through unauthorized access.

Malfunctions and Misuse of Custom Macros and Programming Interfaces in Outlook

Many software manufacturers provide programming interfaces in their tools and applications, known as Application Programming Interfaces (APIs). These allow certain functions to be used from other programs or to extend the functionality of the application. Such functions in Outlook can be misused to spread malware. Malware variants include, for example, malicious tools and macros that directly exploit Outlook and its email functions to intercept, modify, or delete information. Macros can in turn be used to forward or move messages, appointments, or tasks. Errors in macros can present an elevated risk. Index errors within macros can lead to incorrect results and potentially uneconomical decisions within the institution. Specific consequences can include unnecessary costs or automated data exfiltration.

Requirements

The following are the specific requirements of the building block APP.5.2 Microsoft Exchange and Outlook. The Information Security Officer (ISO) is responsible for ensuring that all requirements are fulfilled and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

Further roles are defined in the IT-Grundschutz Compendium. They should be filled insofar as this is reasonable and appropriate.

Responsibilities             Roles
Primarily responsible        IT Operations
Additional responsibilities  None

Exactly one role should be Primarily responsible. Beyond that, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, this role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many people should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled with priority for this building block.

APP.5.2.A1 Planning the Use of Exchange and Outlook (B)

Before using Exchange and Outlook, the institution MUST carefully plan their deployment. In doing so, it MUST consider at minimum the following points:

  • Structure of the email infrastructure,
  • clients and/or servers to be connected,
  • use of functional extensions, and
  • the protocols to be used.

APP.5.2.A2 Selection of an Appropriate Exchange Infrastructure (B)

Based on the Exchange deployment plan, IT Operations MUST decide on which IT systems and application components, and at which hierarchical level, the Exchange infrastructure will be implemented. As part of this selection, it MUST also be decided whether the Exchange systems are to be operated as a cloud service or on premises.

APP.5.2.A3 Permission Management and Access Rights (B)

In addition to the general authorization concept, the institution MUST create an authorization concept for the systems of the Exchange infrastructure, document it appropriately, and apply it.

IT Operations MUST use server-side user profiles for computer-independent access by users to Exchange data. It MUST adjust the default NTFS permissions for the Exchange directory so that only authorized administrators and system accounts can access the data in this directory.
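As an added example (not part of the IT-Grundschutz text), the following PowerShell check audits the NTFS ACL of the Exchange installation directory against an allow-list of principals, so that any Allow entry outside the authorization concept is reported. It assumes the path is available in the ExchangeInstallPath environment variable set by Exchange setup, and the allow-list and domain name below are placeholders that the institution's own authorization concept must replace.

```powershell
# Added example: audit NTFS permissions on the Exchange directory (APP.5.2.A3).
# Assumption: Exchange setup has set the ExchangeInstallPath environment variable;
# the fallback path is a placeholder.
$exchangePath = $env:ExchangeInstallPath
if (-not $exchangePath) { $exchangePath = 'C:\Program Files\Microsoft\Exchange Server\V15' }

# Principals the authorization concept permits on this directory (assumed list;
# CONTOSO is a placeholder domain name).
$allowedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER',
    'CONTOSO\Exchange Trusted Subsystem'
)

function Test-ExchangeDirectoryAcl {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Allowed
    )
    $acl = Get-Acl -Path $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        $identity = $ace.IdentityReference.Value
        # Deny entries never widen access; report only Allow entries for
        # principals that are not on the allow-list.
        if ($ace.AccessControlType -eq 'Allow' -and $Allowed -notcontains $identity) {
            $findings += [pscustomobject]@{
                Path      = $Path
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited entries point at the parent ACL
            }
        }
    }
    return $findings
}

$findings = Test-ExchangeDirectoryAcl -Path $exchangePath -Allowed $allowedPrincipals
if ($findings.Count -eq 0) {
    Write-Output "OK: only allow-listed principals have Allow entries on $exchangePath"
} else {
    Write-Warning "Allow entries outside the authorization concept on $exchangePath:"
    $findings | Format-Table -AutoSize
}
```

Inherited findings indicate that the default permissions are still flowing down from the parent directory; the fix then belongs on the parent ACL or in breaking inheritance, not in editing individual entries.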

APP.5.2.A4 DISCONTINUED (B)

This requirement has been discontinued.

APP.5.2.A5 Data Backup of Exchange (B)

Exchange servers MUST be backed up before installations and configuration changes and at regular intervals. In particular, the Exchange server databases MUST be backed up.

Deleted Exchange objects SHOULD only be removed from the database after some time has elapsed.

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.

APP.5.2.A6 DISCONTINUED (S)

This requirement has been discontinued.

APP.5.2.A7 Migration of Exchange Systems (S)

IT Operations SHOULD thoroughly plan and document all migration steps. IT Operations SHOULD take into account mailboxes, objects, security policies, Active Directory concepts, and connectivity to other email systems. It SHOULD also take into account functional differences between different versions of Exchange. The new Exchange system SHOULD be tested in a separate test network before it is installed.

APP.5.2.A8 DISCONTINUED (S)

This requirement has been discontinued.

APP.5.2.A9 Secure Configuration of Exchange Servers (S)

IT Operations SHOULD install and configure Exchange servers in accordance with the requirements of the security policy. Connectors SHOULD be securely configured. IT Operations SHOULD activate the logging of the Exchange system. For existing user-specific customizations, an appropriate concept SHOULD be created.

When using functional extensions, it SHOULD be ensured that the defined requirements for the protection objectives of confidentiality, integrity, and availability continue to be met.

APP.5.2.A10 Secure Configuration of Outlook (S)

IT Operations SHOULD create an individual Outlook profile with user-specific settings for each user.

IT Operations SHOULD configure Outlook so that only necessary information is transmitted to other users. IT Operations SHOULD inform users about what information is automatically transmitted to other users. Read receipts and information that reveals the internal structure of the institution SHOULD NOT be transmitted externally.

APP.5.2.A11 Securing Communication between Exchange Systems (S)

IT Operations SHOULD make a comprehensible decision about which protection mechanisms are used to secure communication between Exchange systems. In particular, IT Operations SHOULD specify how communication is secured for the following interfaces:

  • Administration interfaces,
  • client-server communication,
  • existing Web-based Distributed Authoring and Versioning (WebDAV) interfaces,
  • server-server communication, and
  • the public-key infrastructure on which Outlook’s email encryption is based.

APP.5.2.A12 Use of Outlook Anywhere, MAPI over HTTP, and Outlook on the Web (S)

IT Operations SHOULD configure Outlook Anywhere, MAPI over HTTP, and Outlook on the Web in accordance with the institution’s security requirements. Access to Exchange via the internet SHOULD be restricted to the necessary users.
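As an added example (not part of the IT-Grundschutz text), the following Exchange Management Shell script reports mailboxes on which Outlook on the Web, Outlook Anywhere (RPC over HTTP) or MAPI over HTTP is still enabled although the user is not on the institution's approved list, which supports the "restricted to the necessary users" requirement above. Get-CASMailbox and Set-CASMailbox are Exchange cmdlets; the approved-user addresses are constructed placeholders.

```powershell
# Added example: find mailboxes with remote client access enabled that are not
# on the approved list (APP.5.2.A12). Run in the Exchange Management Shell.
# Assumption: IT Operations maintains this list; the addresses are placeholders.
$approvedRemoteUsers = @('alice@example.test', 'bob@example.test')

function Get-UnapprovedRemoteAccess {
    param([Parameter(Mandatory)] [string[]] $Approved)
    # -ResultSize Unlimited avoids the default 1000-object cap in larger organizations.
    Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        $isApproved = $Approved -contains $mbx.PrimarySmtpAddress.ToString()
        # Outlook Anywhere is available unless MAPIBlockOutlookRpcHttp is $true.
        $outlookAnywhere = -not $mbx.MAPIBlockOutlookRpcHttp
        # MapiHttpEnabled of $null means the organization-wide setting applies
        # (see Get-OrganizationConfig); treat it as "not explicitly disabled".
        $mapiHttp = ($mbx.MapiHttpEnabled -ne $false)
        if (-not $isApproved -and ($mbx.OWAEnabled -or $outlookAnywhere -or $mapiHttp)) {
            [pscustomobject]@{
                Mailbox         = $mbx.PrimarySmtpAddress
                OWAEnabled      = $mbx.OWAEnabled
                OutlookAnywhere = $outlookAnywhere
                MapiHttp        = $mapiHttp
            }
        }
    }
}

$unapproved = Get-UnapprovedRemoteAccess -Approved $approvedRemoteUsers
$unapproved | Format-Table -AutoSize

# Remediation, kept commented out: review the report first. -WhatIf previews the
# change without applying it; remove it once the findings have been confirmed.
# foreach ($f in $unapproved) {
#     Set-CASMailbox -Identity $f.Mailbox.ToString() -OWAEnabled $false `
#         -MAPIBlockOutlookRpcHttp $true -MapiHttpEnabled $false -WhatIf
# }
```

These per-mailbox settings apply regardless of where the client connects from, so they also affect internal Outlook and browser use; limiting access specifically from the internet is done at the publishing layer (reverse proxy or firewall) in addition to this mailbox-level restriction.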

APP.5.2.A13 DISCONTINUED (S)

This requirement has been discontinued.

APP.5.2.A14 DISCONTINUED (S)

This requirement has been discontinued.

APP.5.2.A15 DISCONTINUED (S)

This requirement has been discontinued.

APP.5.2.A16 DISCONTINUED (S)

This requirement has been discontinued.

APP.5.2.A19 DISCONTINUED (S)

This requirement has been discontinued.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection that corresponds to the state of the art. The proposals SHOULD be considered when there are high protection needs. The specific determination is made within the context of an individual risk analysis.

APP.5.2.A17 Encryption of Exchange Database Files (H)

IT Operations SHOULD create a concept for encrypting PST files and information store files. The institution SHOULD inform users about how PST file encryption works and what protection mechanisms it provides. Additional aspects for local PST files that SHOULD be considered when encrypting Exchange system databases include:

  • own encryption functions,
  • encryption levels, and
  • mechanisms for securing data in a PST file.

Mechanisms such as Encrypting File System or Windows BitLocker Drive Encryption SHOULD be used to secure the PST files.

APP.5.2.A18 DISCONTINUED (H)

This requirement has been discontinued.

Additional Information

Good to Know

Microsoft provides extensive information on the administration of Microsoft Exchange on its website “Microsoft Technet” (https://technet.microsoft.com/de-de).