Dealing with vulnerabilities
Every cyber security breach is the result of a particular vulnerability. As mentioned above, it’s impossible to weed out all of them, but we should still do what we can. A great way to limit the number of vulnerabilities is to actively follow best cyber security practices for email server setup and maintenance. This will allow you to avoid the most common issues and make sure there are no obvious holes in your defenses.
- Store the minimum amount of data – Any unnecessary data stored on the server simply widens the potential attack surface and adds to the damage costs in case of an attack. Make sure that you aren’t running any unnecessary software and that every open port is actually in use and thoroughly protected (for example, by requiring authorization).
- Make sure that your server is up to date – Software always contains vulnerabilities, and when one is discovered, vendors usually issue a patch. You need to make sure that all the components of the server are always up-to-date with all the latest security patches and fixes.
- Employ a strong authentication procedure – Set complex password requirements for any account used to access the server. This will prevent a brute-force attack, which is one of the easiest ways to crack a password. Other security measures depend on your specific hardware and software configuration, such as the type of server and the OS in use.
- Incoming spam messages – Spam messages from the outside that are sent to the server’s own clients
- Outgoing spam messages – Spam sent from clients to other parties, where the server acts as an Open Relay.
Server stability and performance
Another concern with regard to email servers is their stability and performance. When we think about performance, the first thing that comes to mind is load balancing. In this regard, Denial of Service (DoS) attacks can prove extremely damaging, as they can put the whole service out of commission for long periods of time. This carries double costs: remediation on the one hand, and lost reputation and customer loyalty on the other. To prevent DoS attacks, you need to limit both the total number of connections over time and the number of simultaneous connections to the SMTP server. Another type of DoS attack is sending a high number of send requests. To protect against it, you may want to enable SMTP authentication. When it is enabled, a set of credentials is required each time someone wants to send an email through the server. Other ways to protect the server from large quantities of send requests include mail relay restrictions and reverse DNS. The former lets you specify the IP addresses from which the server will relay mail, while the latter lets you compare a client’s IP address with its domain and host name. Also, as a general rule of thumb, if your server stops working, regardless of the reason, you need to have a reserve server ready. You can do this by having two MX records for each domain.
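The controls described above (a per-client limit on connections over time and on simultaneous connections, SMTP authentication, relay restricted to trusted networks and authenticated users, and a reverse-DNS check) can be modelled as a small policy object. The following is an added example, not code from the original article or from any particular mail server; the networks, thresholds, local domain and the mock reverse-DNS table are assumptions chosen for the illustration, and a real MTA would apply the same rules in its own configuration.

```python
"""Policy model of the SMTP-side controls: connection limits (total per time
window and simultaneous), relay restriction, and a reverse-DNS check.
Added illustration; thresholds, networks and the PTR table are assumed values.
"""
import ipaddress
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class SmtpPolicy:
    # Networks allowed to relay without authentication (assumed value)
    relay_networks: tuple = ("10.0.0.0/8",)
    # Domains this server delivers locally (assumed value)
    local_domains: tuple = ("example.com",)
    max_connections_per_window: int = 30   # total connections per client per window
    window_seconds: int = 60
    max_simultaneous: int = 5              # concurrent connections per client
    # Constructed table standing in for real PTR lookups
    reverse_dns: dict = field(default_factory=lambda: {
        "203.0.113.10": "mail.partner.example",
    })
    _history: dict = field(default_factory=lambda: defaultdict(deque))
    _active: dict = field(default_factory=lambda: defaultdict(int))

    def connect(self, client_ip: str, now=None) -> bool:
        """Accept or refuse a new TCP connection from client_ip."""
        now = time.monotonic() if now is None else now
        hist = self._history[client_ip]
        # Sliding window: forget connections older than window_seconds
        while hist and now - hist[0] >= self.window_seconds:
            hist.popleft()
        if len(hist) >= self.max_connections_per_window:
            return False           # too many connections over time
        if self._active[client_ip] >= self.max_simultaneous:
            return False           # too many simultaneous connections
        hist.append(now)
        self._active[client_ip] += 1
        return True

    def disconnect(self, client_ip: str) -> None:
        """Release one simultaneous-connection slot for client_ip."""
        if self._active[client_ip] > 0:
            self._active[client_ip] -= 1

    def reverse_dns_ok(self, client_ip: str) -> bool:
        """True only if the client IP has a PTR record in the (mock) table."""
        return client_ip in self.reverse_dns

    def may_relay(self, client_ip: str, authenticated: bool, rcpt_domain: str) -> str:
        """Decide a RCPT TO: 'accept' for local delivery or trusted relay,
        'reject' otherwise. Order: trusted networks, then authenticated
        users, then local domains; anything else would make us an open relay."""
        ip = ipaddress.ip_address(client_ip)
        if any(ip in ipaddress.ip_network(n) for n in self.relay_networks):
            return "accept"
        if authenticated:
            return "accept"
        if rcpt_domain.lower() in self.local_domains:
            return "accept"
        return "reject"


if __name__ == "__main__":
    policy = SmtpPolicy()
    print(policy.may_relay("198.51.100.7", False, "other.example"))  # reject
    print(policy.may_relay("198.51.100.7", True, "other.example"))   # accept
```

The decision order in `may_relay` is the one that matters in practice: a server that accepts mail for any recipient domain from an unauthenticated, untrusted client is an open relay, which is exactly the outgoing-spam case listed earlier.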
Security assessment
First, you need to make sure that you have a way to assess server security. Often, the best thing to do is to turn to solutions that already exist, such as cyber security audit services. However, if this is not an option, then you need to design your own process, deciding yourself how formal and how flexible it should be.
Initial preparations
First things first, you need to determine the scope of your audit. To do this, you need to answer three simple questions:
- "What do I need to check?": List every piece of data (e.g., user names, attachments, contacts, etc.) and every parameter (e.g., uptime, performance, etc.) that you consider important. Subdivide it into separate checklists for each area of responsibility (such as operating system, server, network). Weigh each entry on your lists according to the potential impact that a problem with this entry could cause.
- "How do I need to check it?": There are two approaches to this question:
- Find the tools necessary to check whether the components on your list are vulnerable or not. Each entry on the list should correspond to a specific way of checking its vulnerability.
- Derive additional controls from your list of potential vulnerabilities and add them to the list of monitored objects. Repeated entries are marked rather than deleted.
- "Why do I need to check it?": Target priority is derived from its weight and from the effectiveness and scope of the check. We assign priorities for every entry and remove repeated ones only when they are fully covered by another control or a combination of controls.
Checking for vulnerabilities
Now all you need to do is conduct the necessary checks. When a strict time limit is involved, you should get the high-priority items out of the way first. However, if there is no time limit, it is often best to group checks for convenience based on their scope; this approach can save both time and money. Sometimes, executing a check takes more time than was initially allotted. In this case, it is often better to skip the check and move it into a separate group while you look for a way to optimize the process. Any incident regarding data and server settings should be logged. At this early stage you don’t need to investigate each and every detail; instead make sure that your checks cover as much as possible in the designated time.
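The scoping steps in "Initial preparations" (weighted entries, a priority derived from weight and from the effectiveness and scope of the check, and repeated entries marked rather than deleted) and the execution rules in "Checking for vulnerabilities" (high-priority items first under a time limit, grouping by area otherwise, and logging each incident) fit together in one small planning model. This is an added example, not the article's own procedure or data; the sample checklist, scores and time estimates are constructed values, and the priority formula (weight × effectiveness × scope) is one reasonable reading of the text, not the only one.

```python
"""Audit-planning model: weighted checks, priority, coverage marking,
and execution order with or without a time budget.
Added illustration; all entries and scores below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Check:
    name: str
    area: str             # area of responsibility: "os", "server", "network"
    weight: int           # potential impact, 1 (low) to 5 (high)
    effectiveness: float  # how reliably the check finds the problem, 0..1
    scope: float          # share of the relevant components it covers, 0..1
    minutes: int          # estimated time to run
    covers: tuple = ()    # names of other checks this one fully covers
    covered_by: str = ""  # set when the entry is marked as a duplicate

    @property
    def priority(self) -> float:
        # Assumed formula: impact weighted by how good the check is
        return self.weight * self.effectiveness * self.scope


def mark_covered(checks):
    """Mark (rather than delete) checks fully covered by another control."""
    by_name = {c.name: c for c in checks}
    for c in checks:
        for other in c.covers:
            if other in by_name:
                by_name[other].covered_by = c.name
    return checks


def plan(checks, time_limit=None):
    """Return the checks to run, in order. With a time budget (minutes),
    greedily take the highest-priority checks that still fit; without one,
    group by area so checks with a shared scope run together."""
    live = [c for c in checks if not c.covered_by]
    if time_limit is None:
        return sorted(live, key=lambda c: (c.area, -c.priority))
    chosen, used = [], 0
    for c in sorted(live, key=lambda c: -c.priority):
        if used + c.minutes <= time_limit:
            chosen.append(c)
            used += c.minutes
    return chosen


def run_checks(checks, results, log):
    """Simulate execution: `results` maps check name -> finding or None;
    every finding about data or settings is appended to `log`."""
    for c in checks:
        finding = results.get(c.name)
        if finding:
            log.append(f"{c.area}/{c.name}: {finding}")
    return log


# Constructed sample checklist (assumed values, not from the article)
SAMPLE = mark_covered([
    Check("os-patch-level", "os", 5, 0.9, 1.0, 15),
    Check("smtp-open-relay", "server", 5, 0.95, 1.0, 10),
    Check("smtp-auth-required", "server", 4, 0.9, 1.0, 5, covers=("smtp-anon-send",)),
    Check("smtp-anon-send", "server", 4, 0.8, 0.5, 5),
    Check("open-ports", "network", 3, 0.8, 1.0, 20),
    Check("tls-cert-valid", "network", 4, 0.9, 1.0, 10),
])


if __name__ == "__main__":
    print([c.name for c in plan(SAMPLE, time_limit=30)])
    print([c.name for c in plan(SAMPLE)])
```

With a 30-minute budget the planner runs the open-relay check, the patch-level check and the authentication check and drops the rest; with no budget it walks the checklist area by area. The duplicate entry `smtp-anon-send` stays in the list with `covered_by` set, so it can be reinstated if the covering control is ever removed.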
Final tips
The field of cyber security is constantly evolving, and email server security is no exception. Still, by way of conclusion we wanted to list a set of basic tips that should be followed by everyone who wants to secure an email server. First, you need to make sure that security is on the table as early as possible. Many problems can be avoided by setting up a server with security in mind from the start, which is also probably the most cost-effective way to do things. The things you need to consider include:
- The type of data that will go through the server and the type of services it will support
- What level of security is required for the server
- Who will use the server and what level of privilege will they have
- What method of authentication are you planning to employ
- How the server will integrate into existing network infrastructure
- What other software needs to be installed
- How the server will be maintained and managed
- Make sure that the attack surface of your server is as small as possible. The best way to do this is to establish a network perimeter that protects your corporate network. A proxy application within the perimeter (for Exchange Server this can be the Edge Transport server) can be linked to the email server and used to transfer email into and within your corporate network.
- Always apply encryption at every stage of data transfer. Never use self-signed certificates; instead, carefully select an SSL certificate for each component of the server.
- Don’t forget about the basics – The fact that the email server has built-in anti-malware capabilities is not a reason to drop third-party antivirus and anti-malware solutions. Using them will only reinforce your protection.
- Don’t forget about updates. Microsoft, for example, issues Security Bulletins with all the latest patches.
- And last but not least, set two MX DNS records, and don’t forget to back up your data.