5 Best Practices To Keep Your Microsoft Exchange Server Protected

how to keep microsoft exchange server protected

Microsoft Exchange Server is a popular email exchange server used by many businesses around the globe. It’s popular because it’s a robust solution for anyone looking to set up his/her own email server. However, popularity also means trouble when it comes to security. Almost all popular technologies remain on the target of cyber criminals, and MS Exchange Server is no different. Therefore, if you want to keep your server secured, you should certainly follow the best practices that have been developed to keep MS Exchange protected. Here we’ll take a look at 5 such best practices. Let’s begin:

Choose Your Certificates Carefully

Certificates make up an important part of your Exchange Server’s security, and there’s little doubt in the fact that setting them up can be a tricky affair. That’s mainly because they tend to be expensive, and purchasing just one of them usually doesn’t make up enough security arrangement to protect your Microsoft Exchange Server. For proper security setup you need at least one certificate per hostname. When you add up the renewal costs of each of those certificates, it makes up a major expense. And that’s the trick – finding the ideal balance between security and your budget.

While there’s no hard and fast rule regarding how you should set up your certificates, there’s one thing that you must not do – completely avoiding the use of certificates! That’s one big blunder that you can do. Besides that, there’re a few options that you can choose to set up your Exchange Server certificates in a proper way:

  • One way is to set up separate certificates for every hostname. If you can afford, it can be the most robust set up of security for your Exchange server.
  • Another thing that you can try is using a X.509 UCC SSL certificate for Exchange Server 2016. This certificate will allow you to set up multiple domains and exchange server hostnames (like – owa, autodiscover, mail, etc.) with a single certificate. The only drawback of this option is that setting it up can be a bit more complicated than normal X.509 certificates.
  • And if you want to completely avoid the purchase of an external certificate then what you can do is using self-signed certificates. Microsoft Exchange Server includes the functionality for generating such certificates. This is a low-budget solution, but its limitation is that if you implement this then remote users may have trouble connecting to your server. If you want to use this option, use it internally. For external connections you should implement commercial SSL certificate(s).

Invest In A Decent Exchange Server Security Program

Many antivirus companies have developed mail security programs dedicated solely to Microsoft Exchange Server. Symantec, Kaspersky and ESET are a few big names which have developed the security programs dedicated to this particular purpose. The programs developed by these companies will mainly help you in protecting your Exchange server from viruses, malware and spam. While choosing such a program there’re two things that you should consider:

  • The frequency of virus definition updates, and;
  • The capability of integrating tightly with Exchange server.

Utilize The Power Of Edge Transport Server

The Edge Transport Server acts as a filtering mechanism that sits at network perimeter and protects your Exchange server from spam and viruses before they reach the hub transport. However, that’s not the only benefit of using it. It also offers some side benefits, which makes it a better solution for spam filtering than any other thing.

The thing that differentiates Edge Transport Server from other virus and spam filtering mechanisms is that technically it’s a full-fledged Exchange server. What this means is that it remains aware of recipients who have mailboxes on your server. What difference does it make? A lot, it turns out. This can help not only in filtering spam mails but also in protecting crucial system resources of your hub transport, and also in preventing DoS attacks on your server. How? Let’s try to understand through an example.

Suppose that your Exchange server is located at xyz.com, and it has 3 different mailboxes at abc@xyz.com, cba@xyz.com and def@xyz.com. You’ve set up Edge Transport Server at network perimeter of your server. Now if someone sends a mail to ghi@xyz.com, the Edge Transport Server will return it before it reaches the hub transport of your Exchange server. That’s how it helps not only in filtering viruses and spam but also in preventing DoS attacks and preserving system resources, and that’s why you should set it up.

Keep Administrative Access Internal

You should keep administrative access of your Exchange server an internal affair. Allowing administrative access remotely to users on external networks brings a whole lot of new security loopholes with it, and you should avoid doing it for as long as possible. And if you need to do it for some reason, you should first of all set up multi-factor authentication on your server.

Update Your Exchange Server Regularly

Last, but certainly not least, you should keep the MS Exchange Server software updated to latest version. Microsoft regularly fixes security loopholes as soon as they’re discovered and rolls out updates to make the security improvements available to users of its software, which is good enough of a reason to keep your Exchange Server software updated.


Following these 5 simple best practices will keep majority of security threats away from your MS Exchange server. Viruses, spam, malware and certificate related issues – all can be tackled successfully by following these practices. Try them today to keep your organizations mailboxes free from all unwanted security threats.

Amir H. Nasr Editor-in-Chief @TechGeek365.com Instagram: @amir_nasr Twitter: @AmirNasr