Auditing Exchange Server

Posted on 29 Feb 2016 in security • 4 min read

ExchangeAnalyser

Recently I performed an MS Exchange configuration review. For the "old" versions of Exchange we can use the Microsoft Exchange Best Practices Analyzer (link is dead). For the new versions of MS Exchange (2013 and 2016) the tool must be downloaded from the Office 365 market (link is dead). But most MS Exchange servers are not directly connected to the Internet. That is why I used a tool developed by Paul Cunningham: Exchange Analyzer, available on GitHub.

Getting and installing the script

The documentation is clear: you just need to download the latest zip archive from the "official website" (link is dead), extract the files, copy the contents of the Modules folder into C:\Windows\System32\WindowsPowerShell\V1.0\Modules and launch the script.

Tests

There are currently seven tests implemented:

  1. EXSRV001: checks that all MS Exchange servers in the organization use MS Exchange 2013 or 2016.
  2. EXSRV002: checks the build version of each server to determine whether it is running the latest build for its MS Exchange version (an Internet connection is required).
  3. CAS001: tests each Exchange site to determine whether more than one CAS URL/namespace exists for each HTTPS service.
  4. CAS002: tests each CAS URL to determine whether it contains a server FQDN.
  5. DB001: tests each mailbox database to determine whether the database has been backed up in the last 24 hours.
  6. AD001: verifies that the Active Directory Domain level is at the correct level.
  7. AD002: verifies that the Active Directory Forest level is Windows 2008 or greater.

More tests will come in the near future, as both pull requests and issues are currently open on GitHub.

Results

The result is simple: it is an HTML file listing the different tests with a pass or fail attribute. The script needs an Internet connection to check the latest build number. As there was no direct access to the Internet from my client's MS Exchange servers, that test ended with a Warning and the error message "Unable to connect to remote server". Moreover, my client did not wish to back up its databases, so test DB001 failed.
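As an added example that is not part of Exchange Analyzer or of this post, the PowerShell below re-checks the two tests that could not pass in this environment (EXSRV002 and DB001) from the Exchange Management Shell, with the build comparison done offline against a build table you maintain by hand. The function names are hypothetical and the build numbers in `$LatestBuilds` are constructed placeholders, not real values.

```powershell
# Added example, not part of Exchange Analyzer: re-check EXSRV002 and DB001
# offline from the Exchange Management Shell. $LatestBuilds is a table you
# maintain by hand from Microsoft's published build list; the values below
# are constructed placeholders, not real build numbers.
$LatestBuilds = @{
    '15.0' = [version]'15.0.9999.0'   # placeholder: latest Exchange 2013 build
    '15.1' = [version]'15.1.9999.0'   # placeholder: latest Exchange 2016 build
}

function Get-ExchangeBuildStatus {
    param([hashtable]$Latest = $LatestBuilds)
    foreach ($srv in Get-ExchangeServer) {
        # AdminDisplayVersion renders as e.g. "Version 15.1 (Build 396.30)"
        if ("$($srv.AdminDisplayVersion)" -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
            $installed = [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
            $expected  = $Latest['{0}.{1}' -f $Matches[1], $Matches[2]]
            [pscustomobject]@{
                Server    = $srv.Name
                Installed = $installed
                Latest    = $expected
                # 'Unknown' rather than 'Failed' when the table has no entry, so a
                # stale table shows up as such instead of looking like a finding
                Outcome   = if (-not $expected) { 'Unknown' } elseif ($installed -ge $expected) { 'Passed' } else { 'Failed' }
            }
        }
    }
}

function Get-DatabaseBackupStatus {
    param([int]$MaxAgeHours = 24)
    foreach ($db in Get-MailboxDatabase -Status) {
        # most recent of the three backup timestamps; all empty means "Never"
        $last = @($db.LastFullBackup, $db.LastIncrementalBackup, $db.LastDifferentialBackup) |
                Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
        [pscustomobject]@{
            Database   = $db.Name
            LastBackup = if ($last) { $last } else { 'Never' }
            Outcome    = if ($last -and $last -gt (Get-Date).AddHours(-$MaxAgeHours)) { 'Passed' } else { 'Failed' }
        }
    }
}

Get-ExchangeBuildStatus  | Format-Table -AutoSize
Get-DatabaseBackupStatus | Format-Table -AutoSize
```

Databases that have never been backed up (as in the report below) show LastBackup "Never" and Outcome "Failed", matching the DB001 result.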

Below is a sample of this output; I have just anonymized it and reduced the number of servers.

Output

Exchange Analyzer Report

Generated: 02/18/2016 11:38:42

Organization: CLIENT

The following guidelines apply to this report:

  • This tests included in this report are documented on the Exchange Analyzer Wiki.
  • Click the "More Info" link for each test to learn more about that test, what a pass or fail means, and recommendations for how to respond.
  • A test can fail if it can't complete successfully, or if a condition was encountered that requires manual assessment.
  • For some organizations a failed test may be due to a deliberate design or operational decision.
  • Please review the Frequently Asked Questions if you have any further questions.

Summary:

| Passed | Warning | Failed | Info |
|--------|---------|--------|------|
| 4      | 1       | 2      | 0    |

Category: Exchange Servers

| Test ID | Test Category | Test Name | Test Outcome | Passed Objects | Failed Objects | Comments | Reference |
|---|---|---|---|---|---|---|---|
| EXSRV001 | Exchange Servers | Exchange Versions | Passed | WindowsServer1, WindowsServer2, WindowsServer3 | n/a | All Exchange servers in the organization are Exchange 2013/2016. | More Info |
| EXSRV002 | Exchange Servers | Build Numbers | Warning | n/a | n/a | Errors were encountered. An error occurred. Unable to connect to remote server | More Info |

Category: Client Access

Summary of Client Access URLs/Namespaces:

Server: WindowsServer1, Site:

| Service | Internal URL | External Url |
|---|---|---|
| Outlook Anywhere | outlook-csh-ge.client.com | Not set |
| MAPI/HTTP | https://windowsserver1.client.local/mapi | Not set |
| Outlook on the web (OWA) | https://mail.client.com/OWA | https://mail.client.com/OWA |
| Exchange Control Panel | https://mail.client.com/ecp | https://mail.client.com/ecp |
| ActiveSync | https://eas.client.com/Microsoft-Server-ActiveSync | Not set |
| Offline Address Book | https://oab-csh-ge.client.com/OAB | Not set |
| Exchange Web Access | https://ews-csh-ge.client.com/EWS/Exchange.asmx | Not set |
| AutoDiscover | https://autodiscover-csh-ge.client.com/autodiscover/autodiscover.xml | n/a |

Server: WindowsServer2, Site:

| Service | Internal URL | External Url |
|---|---|---|
| Outlook Anywhere | outlook-csh-ge.client.com | Not set |
| MAPI/HTTP | https://windowsserver2.client.local/mapi | Not set |
| Outlook on the web (OWA) | https://mail.client.com/OWA | https://mail.client.com/OWA |
| Exchange Control Panel | https://mail.client.com/ecp | https://mail.client.com/ecp |
| ActiveSync | https://eas.client.com/Microsoft-Server-ActiveSync | Not set |
| Offline Address Book | https://oab-csh-ge.client.com/OAB | Not set |
| Exchange Web Access | https://ews-csh-ge.client.com/EWS/Exchange.asmx | Not set |
| AutoDiscover | https://autodiscover-csh-ge.client.com/autodiscover/autodiscover.xml | n/a |

Server: WindowsServer3, Site:

| Service | Internal URL | External Url |
|---|---|---|
| Outlook Anywhere | outlook-csh-ge.client.com | Not set |
| MAPI/HTTP | https://windowsserver3.client.local/mapi | Not set |
| Outlook on the web (OWA) | https://mail.client.com/OWA | https://mail.client.com/OWA |
| Exchange Control Panel | https://mail.client.com/ecp | https://mail.client.com/ecp |
| ActiveSync | https://eas.client.com/Microsoft-Server-ActiveSync | Not set |
| Offline Address Book | https://oab-csh-ge.client.com/OAB | Not set |
| Exchange Web Access | https://ews-csh-ge.client.com/EWS/Exchange.asmx | Not set |
| AutoDiscover | https://autodiscover-csh-ge.client.com/autodiscover/autodiscover.xml | n/a |

| Test ID | Test Category | Test Name | Test Outcome | Passed Objects | Failed Objects | Comments | Reference |
|---|---|---|---|---|---|---|---|
| CAS001 | Client Access | Client Access Namespaces | Failed | n/a | AAA-BB-PROJET, AAA-SUD-PROJET | One or more Exchange sites has more than one namespace per HTTPS protocol. | More Info |
| CAS002 | Client Access | Server FQDNs in URLs | Passed | WindowsServer1, WindowsServer2, WindowsServer3 | n/a | No Exchange HTTPS services have URLs containing server FQDNs. | More Info |

Category: Databases

| Test ID | Test Category | Test Name | Test Outcome | Passed Objects | Failed Objects | Comments | Reference |
|---|---|---|---|---|---|---|---|
| DB001 | Databases | Database Backups | Failed | n/a | DAG2-DB01 (Never), DAG2-DB13 (Never), DAG1-DB36 (Never) | One or more Exchange databases has not been backed up within the last 24 hours. | More Info |

Category: Active Directory

| Test ID | Test Category | Test Name | Test Outcome | Passed Objects | Failed Objects | Comments | Reference |
|---|---|---|---|---|---|---|---|
| AD001 | Active Directory | AD Domain Level | Passed | client.local (Windows Server 2008 R2) | n/a | All Active Directory domains meet the required functional level. | More Info |
| AD002 | Active Directory | AD Forest Level | Passed | client.local (Windows Server 2008 R2) | n/a | The Active Directory forest meets the required functional level. | More Info |

Report created by Exchange Analyzer