Embarking on a journey through the intricacies of Exchange security, we’ve delved into safeguarding your digital realm, offered a comprehensive guide to mastering SPF, DKIM, & DMARC records, and explored the dynamics of updates and client connectivity in our previous Exchange Security Unveiled blogs. Now, in this installment, we shift our focus on how to effectively monitor and manage your entire email environment.


Within the expansive realm of Exchange Online and on-premises security monitoring, numerous components demand attention. These include categories such as user connections, user activities, administrative actions, and safeguarding user data. While Exchange 365 provides a wealth of alerting options, on-premises management often involves the scheduling of scripts to mirror the functionalities found in 365. Despite on-prem alerting capabilities, caution is advised due to the potential unpredictability of patches, as they may not have been tested beforehand.

Users engage with Exchange through various channels, including Outlook, ActiveSync, OWA, IMAP, POP3, SMTP, EWS, ECP, and PowerShell. To navigate the challenges of managing these connection methods, we advocate the use of groups and PowerShell scripts. For example, if a user is a member of an “Allow OWA” group, the script will grant permissions for OWA access.

By strategically employing groups for connection permissions and utilizing scripts for automated permission assignments based on group memberships, the process becomes easily manageable and adaptable to environments of all sizes and types.

Our Journey With WAGS

Refined User Connection Management

In orchestrating user connections to Exchange, Microsoft has incorporated PowerShell as a tool for users to enact specific changes. However, in my experience, I’ve yet to encounter a single user opting for PowerShell to manage their mailbox, prompting the decision to restrict PowerShell access to all users except those privileged administrators who genuinely need it.

However, a note of caution when it comes to administrators … It’s important to tread carefully, as Exchange Management Shell won’t function seamlessly for an administrator without the Remote PowerShell feature enabled on their user account. Should this circumstance arise where administrators find themselves locked out of PowerShell, a contingency method exists to restore access.

By executing the command,

Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.SnapIn

in Windows PowerShell, a connection to Exchange is reestablished, facilitating the execution of the set-user command to activate Remote PowerShell.

It’s crucial to acknowledge that while this workaround effectively resolves immediate challenges, it falls into the realm of “technically unsupported” methods for connecting to Exchange. As a best practice for ongoing script development and execution, we recommend exploring alternative, officially sanctioned avenues in order to ensure the long-term stability and compliance of your Exchange environment.

Our Journey With WAGS

Empowered User Protection

External Disclaimer

To ensure users are aware of external messages, techniques include modifying subject lines, prefixing the body with attention-grabbing messages, or implementing a combination of both.

Exchange Security Unveiled
Exchange Security Unveiled

Blocking Executables

Leverage Exchange and 365 transport rules to block executable content, redirecting potentially harmful files to a quarantine mailbox while alerting administrators.

Block Internal Names At Spam Filter

Blocking external emails posing as internal communications is a vital defense against phishing. By quarantining messages with internal names from external sources—like “John Smith” at JohnSmith@company.com—we prevent deceptive attempts. Admins must consider name commonality and notification thresholds for an effective balance. This proactive strategy empowers administrators to swiftly verify flagged messages, fortifying defenses against potential threats.

Our Journey With WAGS

Vigilance On User Activities

Exchange Admin Audit Logs

Beyond tracking admin changes, these logs unveil user-initiated modifications, with scripts available for real-time alerts on user actions.

Inbox Rule Creation Notifications

Scrutiny here is a MUST, especially when a user account faces compromise. Malicious actors often exploit this by sending deceptive emails to business partners, requesting payment changes. Their initial move is to create inbox rules, concealing replies. They may redirect messages to obscure locations, with the RSS Subscriptions folder being a common choice—remaining inconspicuous and unread. The bad actor will then go and read the replies, deleting them afterwards without the user ever knowing.

Monitoring Forwarding Changes

Forwarding serves as another avenue for bad actors to conceal information even after intervention. Active monitoring of forwarding activities is crucial, acting as a deterrent against intentional information leaks, whether external or towards personal email accounts.

Controlled Automatic Replies

Disgruntled employees may leverage automatic replies to convey negative sentiments about the organization. A prudent response is to disable accounts promptly upon termination, mitigating potential reputational risks and maintaining organizational integrity.

Strategic Mobile Device Quarantine

While often underutilized, the quarantine feature for new ActiveSync devices in Exchange proves highly effective. Admins gain control by requiring approval for all new devices, ensuring a secure and manageable connection environment. Configuring this feature is straightforward, offering an additional layer of protection against unauthorized device access.

Our Journey With WAGS

Admin Oversight & Security

Exchange Admin Audit Logs

Expanding from user audits, these logs capture mailbox creation, permission changes, and more. We recommend having these emailed on a weekly basis for change control and timely alerts.

Mailbox Permission Changes

Stay informed about permission alterations, which are crucial for tracking when a user gains access to another’s mailbox. This proactive monitoring enhances security awareness.

Send-As Permission Changes

Maintain awareness of who holds the authority to send emails on behalf of the CEO. Timely detection of such changes ensures transparency and security.

Transport Rule Modifications

Transport rules, while vital, can be manipulated for malicious purposes. It’s not only essential to detect rule modifications, but also to identify when new rules are created. This vigilance safeguards against potential security threats.

Management Role Changes

For both Active Directory and Exchange, proactive alerts are imperative. Any addition of a user to critical groups like Organization Management or Domain Admins necessitates immediate notification. This ensures swift action in response to significant changes, fortifying overall security protocols.

Our Journey With WAGS

Valuable Documentation & Maintenance

PowerShell for Documentation

Unlocking the full spectrum of Exchange documentation is best achieved through PowerShell. Execute a script to export all settings into XML and CSV files. These scripts serve dual purposes, aiding in change control and troubleshooting. They provide a snapshot of the Exchange configuration, enabling easy comparisons between past and present states.

IIS Logs Management

IIS logs can become massive and even jeopardize Exchange disk space, which is why strategic management is crucial. These logs, showcasing user logins, prove invaluable for investigations into login times and methods. A well-crafted script efficiently breaks down user login data, occupying minimal disk space. This not only bolsters security measures but also simplifies responses to inquiries about OWA usage.

Outlook Patching

Prioritizing Outlook patching is paramount—often the key to resolving approximately 90% of Outlook troubleshooting requests. The challenge lies in the default reluctance of Windows Update to patch Office. We recommend confirming proper Office update configurations within your environment for seamless Outlook performance.

Server Updates

Stay ahead in fortifying servers by timely installing updates. While most security updates are included, Cumulative Updates demand manual intervention. By proactively addressing these updates, you ensure the robustness and security of your Exchange environment.

There are other areas not covered in this blog. Below is a checklist of those areas to see where you stand with additional items that can be alerted on.

Exchange OWA access enabled Can be enabled/disabled per user or group with scripts – Most MFA products can do OWA
Exchange ActiveSync access enabled Can be enabled/disabled per user or group with scripts – DualShield can do on-prem MFA
Exchange ECP access enabled Can be enabled/disabled per user or group with scripts
Exchange EWS access enabled Can be enabled/disabled per user or group with scripts
Exchange MAPI access enabled Can be enabled/disabled per user or group with scripts – DualShield can do on-prem MFA
Exchange IMAP access enabled Can be enabled/disabled per user or group with scripts
Exchange POP access enabled Can be enabled/disabled per user or group with scripts
Exchange Remote PowerShell defaults to enabled for all users Disable users ability to remote PowerShell
Exchange External disclaimer in subject and/or body Prepend [External] in subject or text in body of message
Exchange Exchange Admin Audit logs Email Exchange audit logs, recommend weekly
Exchange Inbox rule creation notifications Report and send email alerts on change
Exchange Changes to forwarding monitored Report and send email alerts on change
Exchange Mailbox permission changes Report and send email alerts on change
Exchange Send-as permission changes Report and send email alerts on change
Exchange Transport Rule modifications Report and send email alerts on change
Exchange Management role changes Report and send email alerts on change
Exchange Automatic replies enabled Report and send email alerts on change
Exchange Mobile devices – quarantine new Email admin to block or release from quarantine
Exchange Document protocol permissions Identify who has access to OWA, IMAP, etc
Exchange Export IIS logs Process logs to identify which user connects and how
Exchange Block executables Protects internal messages from executables
Exchange Block internal names at spam filter Stops name spoofing
Exchange Outlook patching Keep Outlook current on security updates
Exchange Servers patched when needed Patch monthly, more often when needed
M365 Modern authentication Should be enabled
M365 Multi-factor authentication Every user except one admin account should use MFA
M365 Idle session timeout, password policy Controls idle timeouts
M365 Show company policy, can make conditional access policy Can require accepted use policy be agreed to
M365 Self service password reset Reset passwords without admin involvement
M365 Sharing – add guests, a lot is in SharePoint Configure sharing externally
M365 Populate help desk information Makes it easier for users to know how to get support
M365 Entra Save audit logs Send email at least weekly
M365 Entra Sign-in logs Save logs to storage
M365 Messages have been delayed Create alerts
M365 Elevation of Exchange admin privilege Create alerts
M365 A potentially malicious URL click was detected (e5/p2) Create alerts
M365 Creation of forwarding/redirect rule Create alerts
M365 eDiscovery started Create alerts
M365 Email sending limit exceeded Create alerts
M365 User restricted from sending email Create alerts

Our journey covered safeguarding, mastering records, and exploring updates. Now, focusing on email management, key aspects include meticulous security attention, streamlined user connections through groups and scripts, and proactive protection measures. Vigilance over user activities and admin oversight add layers of security. Valuable documentation, powered by PowerShell, enhances security, with strategic log management and Outlook patching as essential components. In conclusion, our focus on vigilance, adaptability, and proactive defense underscores securing the organizational communication hub.

If you’d like to learn more about Exchange security and how to better protect your IT infrastructure, please contact us by calling (502) 240-0404 or emailing info@mirazon.com