ค ม อ microsoft exchange server 2010 pdf

This CIS Benchmark is the product of a community consensus process and consists of secure configuration guidelines developed for Microsoft Exchange Server

CIS Benchmarks are freely available in PDF format for non-commercial use:

Download Latest CIS Benchmark

Included in this Benchmark

Free Download

CIS Benchmark

Safeguard IT systems against cyber threats with these CIS Benchmarks. Click to download a PDF from the list of available versions.

Learn more about CIS Benchmark

Microsoft Exchange Server 2019 (1.0.0)

Microsoft Exchange Server 2016 (1.0.0)

Microsoft Exchange Server 2013 (1.1.0)

Microsoft Exchange Server 2010 (1.1.0)

Looking for an older version?

Older versions of the CIS Benchmarks that are no longer supported by CIS and the CIS Benchmarks Community are not lised above. Access a list of archived CIS Benchmarks in Workbench.

Explore CIS Benchmarks Resources

CIS Benchmarks Community

Collaborate with SMEs, implementers, and other cybersecurity practitioners from around the world to help secure Microsoft Exchange Server

Join A Community

Effective Implementation of the CIS Benchmarks

Learn how CIS SecureSuite tools and resources help automate the assessment and implementation of CIS Benchmarks to meet security best practices.

As support for (and, therefore, your use of) Exchange Server 2010 comes to an end this year, you need to take advantage of the time you have left to plan where, how, and what to migrate.

Late last year Microsoft announced support for Exchange Server 2010 ends October 13, 2020. After this date, there won’t be any bug fixes or security patches provided to this version of Exchange. This impacts any organization using Exchange Server 2010 all the way down to those businesses using Windows Small Business Server 2011.

While it will still run just fine on October 14th, there are some very material reasons to be concerned:

1. Productivity – Assuming you’re running Exchange Server 2010 on a supported Windows Server OS, updates to the OS may or may not be compatible with any integrated functionality within Exchange Server. While not entirely probable, it is possible that an update can cause Exchange to cease to function.
2. Security – Vulnerabilities are discovered daily. As an example, in February of this year, two vulnerabilities were discovered that impacted Exchange Server 2016 and 2019. One helped to facilitate remote code execution and the other allowed privilege elevation. While neither applied to Exchange Server 2010, cybercriminals work to both find vulnerabilities in older operating systems and application, as well as test out new vulnerabilities (such as the two mentioned above) against older versions.
3. Compliance – New government regulations around protecting data are getting specific in nature around what kinds of IT controls need to be in place. For example, the Payment Card Industry Data Security Standard (PCI-DSS) requirement 6.1 states “Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Deploy critical patches within a month of release.” Without any support, your on-prem Exchange 2010 instance, by definition, is non-compliant, as it cannot be patched.

So, you need to do something about your Exchange Server 2010 implementation. The good news is there’s still time and you have a few options. In short, there are two basic options:

• Remain On-Prem and Update/Migrate to a Supported Version of Exchange – Microsoft have Exchange Server 2013, 2016 and 2019 that are viable choices if you want email services to remain on-prem. Microsoft recommends using a minimum of Exchange Server 2016 (as 2013 has an EOL of April 2023 versus 2016’s EOL date of October 2025) as it has all the same functionality as Office 365 (which allows for a more seamless migration should you want to eventually move to the cloud).
• Migrate to Office 365 – This is the preferred migration path for most organizations. Microsoft offer FastTrack to help organizations that meet eligible licensing requirements deploy solutions in the cloud. Microsoft promote one of three types of migrations – cutover (for smaller orgs where everything is migrated and on-prem services are shut down), minimal hybrid (similar to cutover but when you have so many mailboxes you need a bit of time but without any of the hybrid environment features), and full hybrid (where you have lots of mailboxes and need to be hybrid for an extended period of time while you migrate).

There’s also the option of moving to another email platform entirely. While Microsoft provides a robust offering for both on-premises and cloud-based email, some organizations choose to look for other solutions to meet their specific needs.

These discussions revolve around – and, generally, address – the where and when of your migration plans. But, there’s no real discussion around what should be migrated. This is an important caveat of the migration. Whether you decide to go on-prem or cloud as your final Exchange destination, the question of “Do I need to migrate everything?” should be addressed.

Organizations running on Exchange 2010 can easily have 10+ years of email (the upper end of Exchange 2010’s Keep deleted items for (days) setting was a little over 68 years). And, while you technically can just migrate everything, should you? A viable alternative is to offload some of that data to a searchable archive, rather than simply keep it all and make it the problem of your next chosen email platform.

There are a few reasons why you may want to instead look at archiving some of your mailbox data from your Exchange 2010 environment before migrating:

• Productivity – Ten+ years of email messages are a lot of conversations that are important for historical and reference purposes but aren’t necessarily relevant to the organization’s daily operations today. Exchange (whether on-prem or in the cloud) certainly provides some ability to search email content via the various Outlook clients but given the vast amount of data in both emails and within attachments (something Outlook doesn’t do well), it may serve you better to host older data in a robust searchable archive instead.
• Compliance – Several regulations around the protection of certain data mandate years of email retention. Some examples of U.S.-specific regulations and years of retention include (and forgive the lack of spelling out these regulation names – there are a bunch of them!): GLBA (7), SOX (7), FDIC (5), HIPAA (7), and DoD (3) – just to name a few.
• Legal / HR – either of these two departments within your organization may desire to retain email conversations for liability-related purposes in the future.
• Faster Cloud Migration – By offloading potentially TBs of data, you can speed up the mailbox migration to Office 365 or any other email platform in the cloud.
• Lowered Licensing Costs – There are limits to mailbox size, . So, the simple decision to move “everything” can result in excess costs to match licensing with storage, instead of the other way around.
• Availability – Should you be one of the organizations that decide to move off of any implementation of Exchange for email, you may want to maintain a searchable record of communications while on Exchange Server 2010.

So, then, what’s the right way to approach moving on from Exchange Server 2010?

The plan is simple and effective:

1. Decide on a path – Determine whether to update to a newer version of Exchange Server or move to Office 365 (or, again, another platform, if desired).
2. Assess Mailbox Usage – Run a mailbox size report to see exactly how many mailboxes you have and how much space are they taking up.
3. Look at Your Archive Options – You’ll need to decide if archiving will help with any or all of the reasons I previously mentioned.
4. Archive – If you’ve come to the conclusion that offloading a material portion of your mailboxes to an archive makes sense, do so as soon as possible.
5. Migrate – You can continue to follow Microsoft’s recommendations on how to move to either a newer on-prem version of Exchange or Office 365.

End of Support, Start of Getting Exchange Right

Microsoft’s ending of support of Exchange Server 2010 is your organization’s opportunity to think about what your next implementation of Exchange to look like. And, not just from a “what version?” or “where should email exist?” standpoint, but an opportunity to also think about how to best manage the historical email data you have and whether Exchange is the place to host it.

Most of you (depending on the size of your organization) have plenty of time until October. But it’s important to get started now to best utilize that time to that you can properly plan for and address both archiving and upgrade/migration needs.

Nick Cavalancia is a Microsoft Cloud and Datacenter MVP, has over 25 years of enterprise IT experience, is an accomplished consultant, speaker, trainer, writer, and columnist, and has achieved industry certifications including MCSE, MCT, Master CNE, Master CNI. He has authored, co-authored and contributed to nearly two dozen books on various technologies. Nick regularly speaks, writes and blogs for some of the most recognized tech companies today on topics including cybersecurity, cloud adoption, business continuity, and compliance. Follow Nick on Twitter @nickcavalancia or @Techvangelism.