We have seen instances where Exchange administrators abuse their privileges and read other mailbox accounts, or their accounts have been compromised externally and are being illegitimately accessed. How can we best safeguard against this, and provide management assurance that validates our control?
Most IT people address a problem like this by looking at technology, but as a former mail administrator, I can recommend that the best action is to start with accountability training.
It may be tempting to read a flurry of the CEO’s emails as they pass through the system, but reading any user's mailbox content without a legitimate, documented reason is unethical. It’s important to hold a meeting between security personnel and the Exchange server administration team to reiterate that viewing messages in the mail queue, except for troubleshooting purposes or specific business issues with management approval, will not be tolerated, since this violates the privacy and data protection policies that most companies uphold. If administrators seem reluctant to follow this guidance, it is possible to audit their activities.
In addition, all administrators should be trained on how to protect their privileged user access credentials, as well as on when it is and is not appropriate to remotely access the enterprise Exchange server. For example, privileged access from public areas, hotel kiosk computers and similarly untrusted locations should be banned. As privileged users, they should also be changing their passwords at frequent intervals, typically at most every 30 days, and using complex passwords that are alphanumeric with special characters and 8-15 characters long. Better yet would be to implement two-factor authentication with hard or soft tokens to greatly reduce the risk that accounts will be compromised.
If after these steps it seems as though protection remains insufficient, it’s necessary to provide a technology control. In this case, an enterprise monitoring system is the most appropriate technology. Security professionals can enable syslog forwarding on the Exchange system and tie in network access system logs. This will allow the monitoring dashboard to provide insight into Exchange activities or, if one is available, the data can be rolled into a corporate SIEM tool.
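As an added example that is not part of the original answer, the Exchange Management Shell commands that turn on the audit trails the answer refers to (administrator cmdlet use and non-owner mailbox access) and export non-owner access for review or SIEM ingestion. It assumes Exchange 2010 SP1 or later and an account holding a role that permits audit configuration; the function name and CSV path are my own choices.

```powershell
# Added example, not from the original article. Assumes Exchange 2010 SP1+
# and an Exchange Management Shell session with rights to change audit settings.

# 1. Record every cmdlet administrators run, so that actions such as granting
#    themselves FullAccess to another mailbox leave a trace.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets * -AdminAuditLogAgeLimit "90.00:00:00"

# 2. Enable per-mailbox audit logging on every user mailbox for Admin and
#    Delegate logons. FolderBind records a folder being opened; MessageBind
#    records an individual message being read by an administrator.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true `
        -AuditAdmin FolderBind,MessageBind,SendAs,SendOnBehalf,MoveToDeletedItems,SoftDelete,HardDelete `
        -AuditDelegate FolderBind,SendAs,SendOnBehalf,MoveToDeletedItems,SoftDelete,HardDelete `
        -AuditLogAgeLimit "90.00:00:00"

# 3. Report who, other than the owner, accessed which mailbox folders in the
#    last N days. Search-MailboxAuditLog with -ShowDetails returns one entry
#    per audited operation; the loop is needed because -ShowDetails only
#    works with a single -Identity.
function Get-NonOwnerMailboxAccess {   # hypothetical helper name
    param([int]$Days = 7)
    $start = (Get-Date).AddDays(-$Days)
    $end   = Get-Date
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        ForEach-Object {
            Search-MailboxAuditLog -Identity $_.Identity -LogonTypes Admin,Delegate `
                -StartDate $start -EndDate $end -ShowDetails
        } |
        Select-Object MailboxResolvedOwnerName, LogonUserDisplayName, LogonType,
                      Operation, FolderPathName, ClientIPAddress, LastAccessed
}

# Export for review or for the SIEM collector to pick up; the path is arbitrary.
Get-NonOwnerMailboxAccess -Days 7 |
    Export-Csv -Path .\nonowner-mailbox-access.csv -NoTypeInformation
```

Entries whose LogonUserDisplayName is an administrator with no open ticket for that mailbox are the ones to follow up on; pairing this report with Search-AdminAuditLog for Add-MailboxPermission shows how the access was granted.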
This was first published in December 2011