Exchange Security Unveiled: Part 4, Monitoring and Managing Your Email Environment


Dec 7, 2023 by Greg Turner


Embarking on a journey through the intricacies of Exchange security, we’ve delved into safeguarding your digital realm, offered a comprehensive guide to mastering SPF, DKIM, & DMARC records, and explored the dynamics of updates and client connectivity in our previous Exchange Security Unveiled blogs. Now, in this installment, we shift our focus to how to effectively monitor and manage your entire email environment.

Within the expansive realm of Exchange Online and on-premises security monitoring, numerous components demand attention: user connections, user activities, administrative actions, and safeguarding user data. While Exchange Online provides a wealth of built-in alerting options, on-premises management usually means scheduling scripts that mirror the alerts found in Microsoft 365. That on-prem alerting deserves caution of its own, because a patch that has not been tested beforehand can behave unpredictably and break the scheduled scripts you rely on.

Users engage with Exchange through various channels, including Outlook, ActiveSync, OWA, IMAP, POP3, SMTP, EWS, ECP, and PowerShell. To navigate the challenges of managing these connection methods, we advocate the use of groups and PowerShell scripts. For example, if a user is a member of an “Allow OWA” group, the script will grant permissions for OWA access.

By strategically employing groups for connection permissions and utilizing scripts for automated permission assignments based on group memberships, the process becomes easily manageable and adaptable to environments of all sizes and types.

Refined User Connection Management

In orchestrating user connections to Exchange, Microsoft has incorporated PowerShell as a tool for users to enact specific changes. However, in my experience, I’ve yet to encounter a single user opting for PowerShell to manage their mailbox, prompting the decision to restrict PowerShell access to all users except those privileged administrators who genuinely need it.

However, a note of caution when it comes to administrators … It’s important to tread carefully, as the Exchange Management Shell will not work for an administrator whose user account has the Remote PowerShell feature disabled. Should administrators find themselves locked out of PowerShell this way, a contingency method exists to restore access.

By executing the command

    Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.SnapIn

in Windows PowerShell on an Exchange server, the Exchange cmdlets are loaded locally without going through Remote PowerShell, which allows the Set-User command to be run to re-enable Remote PowerShell for the locked-out administrator.

It’s crucial to acknowledge that while this workaround effectively resolves immediate challenges, it falls into the realm of “technically unsupported” methods for connecting to Exchange. As a best practice for ongoing script development and execution, we recommend exploring alternative, officially sanctioned avenues in order to ensure the long-term stability and compliance of your Exchange environment.
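The group-driven permission model described above, together with the Remote PowerShell restriction and its recovery path, as an added example (not the post's own script). The group names, and running it from the Exchange Management Shell on a server that has the RSAT ActiveDirectory module, are assumptions.

```powershell
# Added example, not from the original post: drive per-protocol Exchange access
# (and Remote PowerShell) from AD group membership. Group names are assumptions.
# Run in the Exchange Management Shell on a server with RSAT's ActiveDirectory module.
Import-Module ActiveDirectory

# "Allow <protocol>" group -> the Set-CASMailbox parameter it controls.
$protocolGroups = @{
    'Allow OWA'        = 'OWAEnabled'
    'Allow ActiveSync' = 'ActiveSyncEnabled'
    'Allow EWS'        = 'EwsEnabled'
    'Allow IMAP'       = 'ImapEnabled'
    'Allow POP'        = 'PopEnabled'
    'Allow MAPI'       = 'MAPIEnabled'
    'Allow ECP'        = 'ECPEnabled'
}
$remotePSGroup = 'Allow Remote PowerShell'   # only the admins who genuinely need it

# Resolve every group once (SamAccountNames) so the per-mailbox loop stays cheap.
$members = @{}
foreach ($g in @($protocolGroups.Keys) + $remotePSGroup) {
    $members[$g] = @(Get-ADGroupMember -Identity $g -Recursive |
                     Select-Object -ExpandProperty SamAccountName)
}
# Guard against locking yourself out: the account running the script keeps Remote PowerShell.
$self = $env:USERNAME

foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $sam = $mbx.SamAccountName
    $desired = @{}
    foreach ($g in $protocolGroups.Keys) { $desired[$protocolGroups[$g]] = ($members[$g] -contains $sam) }

    $cas = Get-CASMailbox -Identity $mbx.Identity
    $changed = @($desired.Keys | Where-Object { $cas.$_ -ne $desired[$_] })
    if ($changed.Count) {
        Set-CASMailbox -Identity $mbx.Identity @desired      # only writes when something differs
        Write-Output "$sam : $($changed -join ', ') now match group membership"
    }

    $wantRemotePS = ($members[$remotePSGroup] -contains $sam) -or ($sam -eq $self)
    $user = Get-User -Identity $mbx.Identity
    if ($user.RemotePowerShellEnabled -ne $wantRemotePS) {
        Set-User -Identity $mbx.Identity -RemotePowerShellEnabled $wantRemotePS
        Write-Output "$sam : RemotePowerShellEnabled -> $wantRemotePS"
    }
}
# Recovery if an admin is locked out anyway: in Windows PowerShell on an Exchange server run
#   Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
#   Set-User -Identity <admin> -RemotePowerShellEnabled $true
```

Schedule it to run after group changes replicate; every action is logged to the admin audit log, so the changes it makes also show up in the weekly audit report.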

Empowered User Protection

External Disclaimer

To ensure users are aware of external messages, techniques include modifying subject lines, prefixing the body with attention-grabbing messages, or implementing a combination of both.


Blocking Executables

Leverage Exchange and 365 transport rules to block executable content, redirecting potentially harmful files to a quarantine mailbox while alerting administrators.
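The external disclaimer and the executable block from the two sections above, expressed as transport rules. This is an added example rather than the post's own configuration; the rule names, the quarantine mailbox and the admin alert address are assumptions.

```powershell
# Added example, not from the original post. Rule names, the quarantine mailbox and
# the admin address are assumptions. Works in the Exchange Management Shell and in
# an Exchange Online PowerShell session.
$quarantine = 'quarantine@example.com'   # assumed quarantine mailbox
$secAdmins  = 'secadmins@example.com'    # assumed admin alert address

# 1) Tag mail from outside the organization in both the subject and the body.
#    The exception stops an already-tagged subject being prefixed a second time
#    when an external thread is replied to and comes back in again.
$banner = '<div style="background:#fff3cd;padding:6px;border:1px solid #ffeeba">' +
          '<b>EXTERNAL:</b> This message came from outside the organization. ' +
          'Do not click links or open attachments unless you recognize the sender.</div>'
New-TransportRule -Name 'External sender disclaimer' `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -ExceptIfSubjectMatchesPatterns '^\[External\]' `
    -PrependSubject '[External] ' `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0

# 2) Divert executable attachments to the quarantine mailbox and tell admins.
#    AttachmentHasExecutableContent inspects the file's properties rather than
#    relying on its extension, so a renamed .exe is still caught.
New-TransportRule -Name 'Quarantine executable attachments' `
    -AttachmentHasExecutableContent $true `
    -RedirectMessageTo $quarantine `
    -GenerateIncidentReport $secAdmins `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetection `
    -Priority 1

# Review what was created and where it sits relative to existing rules.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, State, FromScope, AttachmentHasExecutableContent -AutoSize
```

Setting -Priority 0 pushes any existing rules down one slot, so check the final ordering before leaving the session.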

Block Internal Names At Spam Filter

Blocking external emails posing as internal communications is a vital defense against phishing. By quarantining messages that carry an internal display name, such as “John Smith”, but arrive from an external source, we prevent deceptive attempts. Admins must consider name commonality and notification thresholds for an effective balance. This proactive strategy empowers administrators to swiftly verify flagged messages, fortifying defenses against potential threats.

Vigilance On User Activities

Exchange Admin Audit Logs

Beyond tracking admin changes, these logs unveil user-initiated modifications, with scripts available for real-time alerts on user actions.

Inbox Rule Creation Notifications

Scrutiny here is a MUST, especially when a user account faces compromise. Malicious actors often exploit this by sending deceptive emails to business partners, requesting payment changes. Their initial move is to create inbox rules, concealing replies. They may redirect messages to obscure locations, with the RSS Subscriptions folder being a common choice—remaining inconspicuous and unread. The bad actor will then go and read the replies, deleting them afterward without the user ever knowing.

Monitoring Forwarding Changes

Forwarding serves as another avenue for bad actors to conceal information even after intervention. Active monitoring of forwarding activities is crucial, acting as a deterrent against intentional information leaks, whether to external or to personal email accounts.

Controlled Automatic Replies

Disgruntled employees may leverage automatic replies to convey negative sentiments about the organization. A prudent response is to disable accounts promptly upon termination, mitigating potential reputational risks and maintaining organizational integrity.

Strategic Mobile Device Quarantine

While often underutilized, the quarantine feature for new ActiveSync devices in Exchange proves highly effective. Admins gain control by requiring approval for all new devices, ensuring a secure and manageable connection environment. Configuring this feature is straightforward, offering an additional layer of protection against unauthorized device access.
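Turning on the quarantine for new ActiveSync devices and reviewing what is waiting, as an added example (not the post's own script). The admin address is an assumption.

```powershell
# Added example, not from the original post: quarantine every new ActiveSync
# device and give admins a review list. The admin address is an assumption.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'secadmins@example.com' `
    -UserMailInsert 'Your device is awaiting approval by IT.'

# What is waiting, and who owns it. Get-MobileDevice is the current cmdlet;
# Get-ActiveSyncDevice still exists on older Exchange versions.
$pending = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceId, FirstSyncTime
$pending | Format-Table -AutoSize

# Release a reviewed device for its owner only (per-mailbox allow list), rather than
# creating an org-wide device access rule that would admit every device of that model.
function Approve-QuarantinedDevice {
    param([string]$Mailbox, [string]$DeviceId)
    $cas = Get-CASMailbox -Identity $Mailbox
    $allowed = @(@($cas.ActiveSyncAllowedDeviceIDs) + $DeviceId |
                 Where-Object { $_ } | Select-Object -Unique)
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs $allowed
}
# Approve-QuarantinedDevice -Mailbox 'jsmith' -DeviceId 'ABC123DEVICEID'   # after checking with the user
```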

Admin Oversight & Security

Exchange Admin Audit Logs

Expanding from user audits, these logs capture mailbox creation, permission changes, and more. We recommend having these emailed on a weekly basis for change control and timely alerts.

Mailbox Permission Changes

Stay informed about permission alterations, which are crucial for tracking when a user gains access to another’s mailbox. This proactive monitoring enhances security awareness.

Send-As Permission Changes

Maintain awareness of who holds the authority to send emails on behalf of the CEO. Timely detection of such changes ensures transparency and security.

Transport Rule Modifications

Transport rules, while vital, can be manipulated for malicious purposes. It’s not only essential to detect rule modifications, but also to identify when new rules are created. This vigilance safeguards against potential security threats.

Management Role Changes

For both Active Directory and Exchange, proactive alerts are imperative. Any addition of a user to critical groups like Organization Management or Domain Admins necessitates immediate notification. This ensures swift action in response to significant changes, fortifying overall security protocols.
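A scheduled alert script covering the user-activity items (inbox rules, forwarding, automatic replies) and the admin-oversight items (mailbox permissions, Send-As, transport rules, management role groups) in one pass over the on-premises admin audit log. It is an added example, not the post's own script; the sender, recipient and SMTP server are assumptions.

```powershell
# Added example, not from the original post: mail the last 24 hours of on-premises
# admin audit log entries that touch inbox rules, forwarding, automatic replies,
# mailbox/Send-As permissions, transport rules or role groups. Addresses and the
# SMTP server are assumptions. Run in the Exchange Management Shell.
$watch = @{
    'Inbox rule'         = 'New-InboxRule', 'Set-InboxRule'
    'Forwarding'         = 'Set-Mailbox'
    'Automatic replies'  = 'Set-MailboxAutoReplyConfiguration'
    'Mailbox permission' = 'Add-MailboxPermission', 'Remove-MailboxPermission'
    'Send-As'            = 'Add-ADPermission', 'Remove-ADPermission'
    'Transport rule'     = 'New-TransportRule', 'Set-TransportRule', 'Remove-TransportRule'
    'Role group'         = 'Add-RoleGroupMember', 'Remove-RoleGroupMember'
}
$since   = (Get-Date).AddDays(-1)
$cmdlets = @($watch.Values | ForEach-Object { $_ })
$entries = Search-AdminAuditLog -Cmdlets $cmdlets -StartDate $since -EndDate (Get-Date) -ResultSize 5000

$alerts = foreach ($e in $entries) {
    $p = @($e.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" })
    # Set-Mailbox is noisy: keep it only when a forwarding parameter was touched.
    if ($e.CmdletName -eq 'Set-Mailbox' -and
        -not ($p -match '^(ForwardingAddress|ForwardingSmtpAddress|DeliverToMailboxAndForward)=')) { continue }
    # *-ADPermission only matters here when the extended right is Send-As.
    if ($e.CmdletName -like '*-ADPermission' -and -not ($p -match 'Send-As')) { continue }
    $category = ($watch.GetEnumerator() | Where-Object { $_.Value -contains $e.CmdletName }).Key
    [pscustomobject]@{
        When = $e.RunDate; Category = $category; Caller = $e.Caller
        Target = $e.ObjectModified; Cmdlet = $e.CmdletName; Params = ($p -join '; ')
    }
}

if ($alerts) {
    $body = $alerts | Sort-Object When | ConvertTo-Html -Title 'Exchange change alerts' | Out-String
    Send-MailMessage -From 'exchange-alerts@example.com' -To 'secadmins@example.com' `
        -Subject "Exchange: $(@($alerts).Count) audited change(s) since $since" `
        -Body $body -BodyAsHtml -SmtpServer 'smtp.example.com'
}
```

Rules created in OWA go through New-InboxRule and therefore appear here; rules created from Outlook desktop over MAPI do not pass through a cmdlet, so mailbox audit logging is the complement for those. Active Directory group changes such as Domain Admins are outside the Exchange audit log and need their own alert.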

Valuable Documentation & Maintenance

PowerShell for Documentation

Unlocking the full spectrum of Exchange documentation is best achieved through PowerShell. Execute a script to export all settings into XML and CSV files. These scripts serve dual purposes, aiding in change control and troubleshooting. They provide a snapshot of the Exchange configuration, enabling easy comparisons between past and present states.
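A snapshot-and-compare script in the spirit of the paragraph above, added here as an example rather than the post's own script. The root folder and the set of areas exported are assumptions; extend the hashtable with whatever else you want under change control.

```powershell
# Added example, not from the original post: snapshot change-control-relevant
# Exchange configuration into dated XML/CSV files, then diff today's snapshot
# against the previous one. The root path is an assumption.
$root  = 'D:\ExchangeDocs'
$today = Get-Date -Format 'yyyy-MM-dd'
$dir   = Join-Path $root $today
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$snapshots = @{
    TransportRules    = { Get-TransportRule }
    ReceiveConnectors = { Get-ReceiveConnector }
    SendConnectors    = { Get-SendConnector }
    AcceptedDomains   = { Get-AcceptedDomain }
    RoleGroupMembers  = { Get-RoleGroup | ForEach-Object { $g = $_.Name
                            Get-RoleGroupMember $_ | Select-Object @{n='RoleGroup';e={$g}}, Name } }
    CASMailboxes      = { Get-CASMailbox -ResultSize Unlimited |
                            Select-Object Identity, OWAEnabled, ActiveSyncEnabled, EwsEnabled,
                                          ImapEnabled, PopEnabled, MAPIEnabled, ECPEnabled }
}
foreach ($name in $snapshots.Keys) {
    $data = & $snapshots[$name]
    $data | Export-Clixml (Join-Path $dir "$name.xml")                   # full objects for troubleshooting
    $data | Export-Csv   (Join-Path $dir "$name.csv") -NoTypeInformation  # flat view for diffing
}

# Compare with the most recent earlier snapshot and report differences per area.
$prev = Get-ChildItem $root -Directory | Where-Object Name -lt $today |
        Sort-Object Name | Select-Object -Last 1
if ($prev) {
    foreach ($name in $snapshots.Keys) {
        $old  = @(Import-Csv (Join-Path $prev.FullName "$name.csv"))
        $new  = @(Import-Csv (Join-Path $dir "$name.csv"))
        $cols = (($old + $new) | Select-Object -First 1).PSObject.Properties.Name
        if (-not $cols) { continue }                      # nothing on either side
        $diff = Compare-Object $old $new -Property $cols
        if ($diff) {
            "== $name changed since $($prev.Name) =="     # <= means removed, => means added
            $diff | Format-Table -AutoSize | Out-String
        }
    }
}
```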

IIS Logs Management

IIS logs can become massive and even jeopardize Exchange disk space, which is why strategic management is crucial. These logs, showcasing user logins, prove invaluable for investigations into login times and methods. A well-crafted script efficiently breaks down user login data, occupying minimal disk space. This not only bolsters security measures but also simplifies responses to inquiries about OWA usage.
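The kind of log-reduction script the paragraph describes, as an added example (not the post's own). It reads the W3C logs of the Default Web Site (W3SVC1), keeps only authenticated requests, maps the URL to the Exchange protocol, and writes one small CSV row per user and protocol; the log and output paths are assumptions.

```powershell
# Added example, not from the original post: reduce Exchange's front-end IIS logs to a
# per-user, per-protocol login summary so the bulky raw logs can be rotated away.
# Paths are assumptions (W3SVC1 is the Default Web Site). IIS logs times in UTC.
$logDir = 'C:\inetpub\logs\LogFiles\W3SVC1'
$outCsv = 'D:\ExchangeDocs\iis-logins-{0}.csv' -f (Get-Date -Format 'yyyy-MM-dd')

# Map the requested URL stem to the client protocol it belongs to.
function Get-ExchangeProtocol([string]$stem) {
    switch -Regex ($stem) {
        '^/owa'                         { 'OWA';          break }
        '^/Microsoft-Server-ActiveSync' { 'ActiveSync';   break }
        '^/mapi/'                       { 'MAPI/HTTP';    break }
        '^/rpc/'                        { 'RPC/HTTP';     break }
        '^/ews/'                        { 'EWS';          break }
        '^/ecp'                         { 'ECP';          break }
        '^/autodiscover'                { 'Autodiscover'; break }
        '^/powershell'                  { 'PowerShell';   break }
        default                         { 'Other' }
    }
}

$rows = foreach ($file in Get-ChildItem $logDir -Filter 'u_ex*.log') {
    $fields = $null
    foreach ($line in [System.IO.File]::ReadLines($file.FullName)) {
        # The #Fields: header tells us the column order; it can change between files.
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $v = $line -split ' '
        $rec = @{}; for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $v[$i] }
        # Only authenticated, successful requests count as a login.
        if ($rec['cs-username'] -eq '-' -or $rec['sc-status'] -ne '200') { continue }
        [pscustomobject]@{
            User     = $rec['cs-username']
            Protocol = Get-ExchangeProtocol $rec['cs-uri-stem']
            Time     = [datetime]::ParseExact("$($rec['date']) $($rec['time'])", 'yyyy-MM-dd HH:mm:ss', $null)
            ClientIP = $rec['c-ip']
        }
    }
}

$rows | Group-Object User, Protocol | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        User      = $sorted[0].User
        Protocol  = $sorted[0].Protocol
        Requests  = $_.Count
        FirstSeen = $sorted[0].Time
        LastSeen  = $sorted[-1].Time
        ClientIPs = (($sorted.ClientIP | Sort-Object -Unique) -join ' ')
    }
} | Export-Csv $outCsv -NoTypeInformation
```

Answering "who used OWA last month, and from where" then becomes a filter on the CSV instead of a grep through gigabytes of logs.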

Outlook Patching

Prioritizing Outlook patching is paramount—often the key to resolving approximately 90% of Outlook troubleshooting requests. The challenge lies in the default reluctance of Windows Update to patch Office. We recommend confirming proper Office update configurations within your environment for seamless Outlook performance.

Server Updates

Stay ahead in fortifying servers by installing updates promptly. While Security Updates arrive through the normal update channel, Cumulative Updates demand manual intervention. By proactively addressing both, you ensure the robustness and security of your Exchange environment.

There are other areas not covered in this blog. Below is a checklist of those areas to see where you stand with additional items that can be alerted on.


Product | Item | Recommendation
Exchange | OWA access enabled | Can be enabled/disabled per user or group with scripts. Most MFA products can protect OWA
Exchange | ActiveSync access enabled | Can be enabled/disabled per user or group with scripts. DualShield can do on-prem MFA
Exchange | ECP access enabled | Can be enabled/disabled per user or group with scripts
Exchange | EWS access enabled | Can be enabled/disabled per user or group with scripts
Exchange | MAPI access enabled | Can be enabled/disabled per user or group with scripts. DualShield can do on-prem MFA
Exchange | IMAP access enabled | Can be enabled/disabled per user or group with scripts
Exchange | POP access enabled | Can be enabled/disabled per user or group with scripts
Exchange | Remote PowerShell defaults to enabled for all users | Disable users’ ability to use Remote PowerShell
Exchange | External disclaimer in subject and/or body | Prepend [External] to the subject or add text to the body of the message
Exchange | Exchange Admin Audit logs | Email Exchange audit logs, weekly recommended
Exchange | Inbox rule creation notifications | Report and send email alerts on change
Exchange | Changes to forwarding monitored | Report and send email alerts on change
Exchange | Mailbox permission changes | Report and send email alerts on change
Exchange | Send-As permission changes | Report and send email alerts on change
Exchange | Transport rule modifications | Report and send email alerts on change
Exchange | Management role changes | Report and send email alerts on change
Exchange | Automatic replies enabled | Report and send email alerts on change
Exchange | Mobile devices – quarantine new | Email admin to block or release from quarantine
Exchange | Document protocol permissions | Identify who has access to OWA, IMAP, etc.
Exchange | Export IIS logs | Process logs to identify which user connects and how
Exchange | Block executables | Protects internal messages from executables
Exchange | Block internal names at spam filter | Stops name spoofing
Exchange | Outlook patching | Keep Outlook current on security updates
Exchange | Servers patched when needed | Patch monthly, more often when needed
M365 | Modern authentication | Should be enabled
M365 | Multi-factor authentication | Every user except one admin account should use MFA
M365 | Idle session timeout, password policy | Controls idle timeouts
M365 | Show company policy, can make conditional access policy | Can require the acceptable use policy to be agreed to
M365 | Self-service password reset | Reset passwords without admin involvement
M365 | Sharing – add guests, a lot is in SharePoint | Configure external sharing
M365 | Populate help desk information | Makes it easier for users to know how to get support
M365 Entra | Save audit logs | Send email at least weekly
M365 Entra | Sign-in logs | Save logs to storage
M365 | Messages have been delayed | Create alerts
M365 | Elevation of Exchange admin privilege | Create alerts
M365 | A potentially malicious URL click was detected (E5/P2) | Create alerts
M365 | Creation of forwarding/redirect rule | Create alerts
M365 | eDiscovery started | Create alerts
M365 | Email sending limit exceeded | Create alerts
M365 | User restricted from sending email | Create alerts

Our journey covered safeguarding, mastering records, and exploring updates. Now, focusing on email management, key aspects include meticulous security attention, streamlined user connections through groups and scripts, and proactive protection measures. Vigilance over user activities and admin oversight add layers of security. Valuable documentation, powered by PowerShell, enhances security, with strategic log management and Outlook patching as essential components. In conclusion, our focus on vigilance, adaptability, and proactive defense underscores securing the organizational communication hub.

If you’d like to learn more about Exchange security and how to better protect your IT infrastructure, please contact us by calling (502) 240-0404 or emailing
