Auditing Exchange Server
Posted on 29 Feb 2016 in security • 4 min read
Recently I performed an MS Exchange configuration review. For the "old" versions of Exchange we can use the Microsoft Exchange Best Practices Analyzer (link is dead). For the new versions of MS Exchange (2013 and 2016) the tools must be downloaded from the Office 365 market (link is dead). But most MS Exchange servers are not directly connected to the Internet. That is why I used a tool developed by Paul Cunningham: Exchange Analyzer, available on GitHub.
Getting and installing the script
The documentation is clear: you just need to download the latest zip archive from the "official website" (link is dead), extract the files, put the files from the Modules folder into C:\Windows\System32\WindowsPowerShell\V1.0\Modules and launch the script.
Tests
There are currently seven tests implemented:
- EXSRV001: checks that all MS Exchange servers in the organization use MS Exchange 2013 or 2016.
- EXSRV002: checks the build version of each server to determine whether it is running the latest build for its MS Exchange version (an Internet connection is required).
- CAS001: tests each Exchange site to determine whether more than one CAS URL/namespace exists for each HTTPS service.
- CAS002: tests each CAS URL to determine whether it contains a server FQDN.
- DB001: tests each mailbox database to determine whether the database has been backed up in the last 24 hours.
- AD001: verifies that the Active Directory Domain level is at the correct level.
- AD002: verifies that the Active Directory Forest level is Windows 2008 or greater.
More tests will come in the near future, as both pull requests and issues are currently open on GitHub.
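As an added example (not part of the original post and not Exchange Analyzer's own code), here is a stand-alone PowerShell re-implementation of the CAS001 and CAS002 checks as described above, run over constructed URL data modelled on the anonymized report sample further down this page. The site name, the AD DNS suffix client.local and the helper Get-UrlHost are assumptions.

```powershell
# Added example: re-implements the CAS001 (one namespace per HTTPS service per site)
# and CAS002 (no server FQDN in a URL) logic. Not Exchange Analyzer's code.
# Constructed input modelled on the report sample; 'Site1' and 'client.local' are assumed.
$Urls = @(
    @{ Server = 'WindowsServer1'; Site = 'Site1'; Service = 'MAPI/HTTP';  Url = 'https://windowsserver1.client.local/mapi' }
    @{ Server = 'WindowsServer2'; Site = 'Site1'; Service = 'MAPI/HTTP';  Url = 'https://windowsserver2.client.local/mapi' }
    @{ Server = 'WindowsServer1'; Site = 'Site1'; Service = 'OWA';        Url = 'https://mail.client.com/OWA' }
    @{ Server = 'WindowsServer2'; Site = 'Site1'; Service = 'OWA';        Url = 'https://mail.client.com/OWA' }
    @{ Server = 'WindowsServer1'; Site = 'Site1'; Service = 'ActiveSync'; Url = 'https://eas.client.com/Microsoft-Server-ActiveSync' }
    @{ Server = 'WindowsServer2'; Site = 'Site1'; Service = 'ActiveSync'; Url = 'Not set' }
) | ForEach-Object { [pscustomobject]$_ }

# Server FQDNs as they would appear in a URL host (assumed DNS suffix)
$ServerFqdns = @('windowsserver1.client.local', 'windowsserver2.client.local')

function Get-UrlHost([string]$Url) {
    # Outlook Anywhere entries are bare hostnames; add a scheme so [uri] can parse them
    if ($Url -notmatch '^https?://') { $Url = "https://$Url" }
    ([uri]$Url).Host.ToLowerInvariant()
}

# Only configured URLs take part in the checks
$Configured = $Urls | Where-Object { $_.Url -and $_.Url -ne 'Not set' }

# CAS001: count distinct hosts (namespaces) per site and service; more than one fails
$cas001 = $Configured | Group-Object Site, Service | ForEach-Object {
    $hosts = @($_.Group | ForEach-Object { Get-UrlHost $_.Url } | Sort-Object -Unique)
    [pscustomobject]@{
        SiteService = $_.Name
        Namespaces  = $hosts.Count
        Hosts       = ($hosts -join ', ')
        Outcome     = $(if ($hosts.Count -gt 1) { 'Failed' } else { 'Passed' })
    }
}

# CAS002: a URL whose host is a server FQDN fails (per-server names defeat load balancing and certificates)
$cas002 = $Configured | ForEach-Object {
    $h = Get-UrlHost $_.Url
    [pscustomobject]@{
        Server  = $_.Server
        Service = $_.Service
        Host    = $h
        Outcome = $(if ($ServerFqdns -contains $h) { 'Failed' } else { 'Passed' })
    }
}

$cas001 | Format-Table -AutoSize
$cas002 | Format-Table -AutoSize
```

With this input the MAPI/HTTP service shows two namespaces in Site1 and both MAPI/HTTP URLs match a server FQDN, so CAS001 and CAS002 both report Failed for that service while OWA and ActiveSync pass.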
Results
The result is simple: it is an HTML file listing the different tests with a pass or fail attribute. The script needs an Internet connection to check the latest build number. As there was no direct access to the Internet from the MS Exchange servers of my client, the test failed with a Warning and output the error message "Unable to connect to remote server". Moreover, my client did not wish to back up its databases, so the test DB001 failed.
Below is a sample of this output; I have just anonymized it and reduced the number of servers.
Output
Exchange Analyzer Report
Generated: 02/18/2016 11:38:42
Organization: CLIENT
The following guidelines apply to this report:
- This tests included in this report are documented on the Exchange Analyzer Wiki.
- Click the "More Info" link for each test to learn more about that test, what a pass or fail means, and recommendations for how to respond.
- A test can fail if it can't complete successfully, or if a condition was encountered that requires manual assessment.
- For some organizations a failed test may be due to a deliberate design or operational decision.
- Please review the Frequently Asked Questions if you have any further questions.
Summary:
Passed | Warning | Failed | Info |
---|---|---|---|
4 | 1 | 2 | 0 |
Category: Exchange Servers
Test ID | Test Category | Test Name | Test Outcome | Passed Objects | Failed Objects | Comments | Reference |
---|---|---|---|---|---|---|---|
EXSRV001 | Exchange Servers | Exchange Versions | Passed | | n/a | All Exchange servers in the organization are Exchange 2013/2016. | More Info |
EXSRV002 | Exchange Servers | Build Numbers | Warning | n/a | n/a | Errors were encountered. An error occurred. Unable to connect to remote server | More Info |
Category: Client Access
Summary of Client Access URLs/Namespaces:

Server: WindowsServer1, Site:

Service | Internal URL | External Url |
---|---|---|
Outlook Anywhere | outlook-csh-ge.client.com | Not set |
MAPI/HTTP | https://windowsserver1.client.local/mapi | Not set |
Outlook on the web (OWA) | https://mail.client.com/OWA | https://mail.client.com/OWA |
Exchange Control Panel | https://mail.client.com/ecp | https://mail.client.com/ecp |
ActiveSync | https://eas.client.com/Microsoft-Server-ActiveSync | Not set |
Offline Address Book | https://oab-csh-ge.client.com/OAB | Not set |
Exchange Web Access | https://ews-csh-ge.client.com/EWS/Exchange.asmx | Not set |
AutoDiscover | https://autodiscover-csh-ge.client.com/autodiscover/autodiscover.xml | n/a |

Server: WindowsServer2, Site:

Service | Internal URL | External Url |
---|---|---|
Outlook Anywhere | outlook-csh-ge.client.com | Not set |
MAPI/HTTP | https://windowsserver2.client.local/mapi | Not set |
Outlook on the web (OWA) | https://mail.client.com/OWA | https://mail.client.com/OWA |
Exchange Control Panel | https://mail.client.com/ecp | https://mail.client.com/ecp |
ActiveSync | https://eas.client.com/Microsoft-Server-ActiveSync | Not set |
Offline Address Book | https://oab-csh-ge.client.com/OAB | Not set |
Exchange Web Access | https://ews-csh-ge.client.com/EWS/Exchange.asmx | Not set |
AutoDiscover | https://autodiscover-csh-ge.client.com/autodiscover/autodiscover.xml | n/a |

Server: WindowsServer3, Site:

Service | Internal URL | External Url |
---|---|---|
Outlook Anywhere | outlook-csh-ge.client.com | Not set |
MAPI/HTTP | https://windowsserver3.client.local/mapi | Not set |
Outlook on the web (OWA) | https://mail.client.com/OWA | https://mail.client.com/OWA |
Exchange Control Panel | https://mail.client.com/ecp | https://mail.client.com/ecp |
ActiveSync | https://eas.client.com/Microsoft-Server-ActiveSync | Not set |
Offline Address Book | https://oab-csh-ge.client.com/OAB | Not set |
Exchange Web Access | https://ews-csh-ge.client.com/EWS/Exchange.asmx | Not set |
AutoDiscover | https://autodiscover-csh-ge.client.com/autodiscover/autodiscover.xml | n/a |
Test ID | Test Category | Test Name | Test Outcome | Passed Objects | Failed Objects | Comments | Reference |
---|---|---|---|---|---|---|---|
CAS001 | Client Access | Client Access Namespaces | Failed | n/a | | One or more Exchange sites has more than one namespace per HTTPS protocol. | More Info |
CAS002 | Client Access | Server FQDNs in URLs | Passed | | n/a | No Exchange HTTPS services have URLs containing server FQDNs. | More Info |
Category: Databases
Test ID | Test Category | Test Name | Test Outcome | Passed Objects | Failed Objects | Comments | Reference |
---|---|---|---|---|---|---|---|
DB001 | Databases | Database Backups | Failed | n/a | | One or more Exchange databases has not been backed up within the last 24 hours. | More Info |
Category: Active Directory
Test ID | Test Category | Test Name | Test Outcome | Passed Objects | Failed Objects | Comments | Reference |
---|---|---|---|---|---|---|---|
AD001 | Active Directory | AD Domain Level | Passed | | n/a | All Active Directory domains meet the required functional level. | More Info |
AD002 | Active Directory | AD Forest Level | Passed | | n/a | The Active Directory forest meets the required functional level. | More Info |
Report created by Exchange Analyzer