Security Best Practice

Document created by user.oxriBaJeN4 (Employee) on Sep 23, 2015. Last modified by user.oxriBaJeN4 (Employee) on Mar 27, 2017.
Version 8

Mimecast treats security with the utmost importance and therefore provides Administrators with multiple controls to enhance the security of their account. The following recommendations will help increase the security of your Mimecast account; they cover managing user access and permissions, and securing communication in and out of your environment.

It is important to allow connections on the appropriate ports from the entire set of Mimecast regional IP ranges, and to ensure that these connections are mapped through to the correct destination on your network.


General Settings

 

Account Technical Contacts

 

It is important that Mimecast has the details of all authorized contacts registered with your Mimecast account. This includes the Account Contact, which Mimecast uses in the event of an emergency, and as such should be kept up to date at all times. Details for all other technical contacts should be emailed to Mimecast Support in order to be associated with your account.

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Account | Account Settings menu item.
  4. Scroll down to Account Contact section.

 

Access Control

 

Password Complexity and Expiration

 

Mimecast provides options for Administrators to enforce password complexity and expiration settings for user accounts. This feature enhances Mimecast cloud account security by reducing the risk of a breach through weak end-user passwords or brute force attacks. The settings include the password length and complexity (i.e. requiring numeric, non-alphanumeric and uppercase characters), the expiration period, and the number of failed login attempts before account lockout.

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Account | Account Settings menu item.
  4. Scroll down to Password Complexity section.

 

Restricting Logins

 

Administrators can restrict access to the Administration Console to specific IP addresses and/or ranges.

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Account | Account Settings menu item.
  4. Scroll down to User Access and Permissions section.

 

User Permissions

 

Permissions are used to control what access your end users have to Mimecast's User Services. These permissions can be enabled in multiple ways, and the method used is typically dependent on how many users in your environment you want to enable the permission for. To ensure maximum security, only those users who require these services should be provided access. Application Settings can be used to manage user permissions to Mimecast tools.

It is possible to delegate mailbox access to other users.

Global Permissions

 

To set global permissions:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Account | Account Settings menu item.
  4. Scroll down to User Access and Permissions section.

 

Groups of Users

 

To set groups of users:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Applications menu item.

 

Individual Users

 

To set individual users:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Directories | Internal Directories menu item.
  4. Find the Email Address.

 

Importing Users

 

To import users:

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Directories | Imports menu item.

 

Roles

 

Roles are used to provide access rights for Administrators to manage their Mimecast account and related services. The Role determines the depth of access, and can be used to control the tasks an Administrator can perform. Mimecast provides default Roles as well as the option to create customized Roles. We recommend that Administrators are assigned a Role with the lowest level of permissions required to perform their administrative tasks.

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Account | Roles menu item.

 

Content View Access

 

Content View access allows an Administrator to view the content of emails. Each time an email is viewed, this access is logged in the Message View Logs. Mimecast recommends that Administrators do not share generic accounts, but instead use the provided Super Administrator account to create personal accounts with the required access. If an Administrator requires both basic and privileged access, they could have two accounts: one with basic access (username@domain.com) and one with privileged access (username-content@domain.com). The task to be performed determines which account is used.

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Account | Roles menu item.

 

Leavers

 

When someone leaves the company, it is important that they no longer have access to Mimecast. Administrators will typically disable or remove their Active Directory account. For an account that is deleted, the status of the email address in Mimecast is changed from Directory Generated to Message Generated. This ensures that, if LDAP recipient validation is used, inbound emails to this address are rejected. For enhanced security, if Mimecast detects an Active Directory account as deleted or disabled, this account's ability to use a Cloud Password login (if present) will also be disabled.

 

Mimecast is able to automatically restrict access when the "UserAccountControl" Attribute has been exposed via the Active Directory Synchronization AND the AD connector has "Acknowledge Disabled Accounts in Active Directory" enabled (which is enabled by default).

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Directories | Internal Directories menu item.
  4. Open the domain and find the email address.
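The leaver logic described above, as an added simulation that is not Mimecast's own code: it takes the account state before a sync and a constructed AD snapshot carrying the `userAccountControl` attribute, flips addresses that disappeared to Message Generated, and switches off Cloud Password login for deleted or disabled accounts when "Acknowledge Disabled Accounts in Active Directory" is on. The entry shape (`mail`, `userAccountControl`) and the `MimecastUser` record are assumptions for the illustration; the ACCOUNTDISABLE bit value is the documented AD one.

```python
from dataclasses import dataclass

# userAccountControl bit that AD sets when an account is disabled
ACCOUNTDISABLE = 0x0002

@dataclass
class MimecastUser:
    address: str
    source: str               # "Directory Generated" or "Message Generated"
    cloud_login_enabled: bool

def reconcile(previous, synced, acknowledge_disabled=True):
    """Return the post-sync state of every address.

    Addresses absent from the sync are treated as deleted in AD: their source
    flips to "Message Generated", so LDAP recipient validation rejects inbound
    mail for them, and any Cloud Password login is switched off.  Addresses
    whose userAccountControl carries ACCOUNTDISABLE lose Cloud Password login
    when "Acknowledge Disabled Accounts in Active Directory" is on.
    """
    synced_by_addr = {e["mail"].lower(): e for e in synced}
    result = {}
    for addr, user in previous.items():
        entry = synced_by_addr.get(addr)
        if entry is None:                      # deleted in AD
            result[addr] = MimecastUser(addr, "Message Generated", False)
            continue
        disabled = bool(entry["userAccountControl"] & ACCOUNTDISABLE)
        login = user.cloud_login_enabled and not (disabled and acknowledge_disabled)
        result[addr] = MimecastUser(addr, "Directory Generated", login)
    for addr, entry in synced_by_addr.items():  # first seen in this sync
        if addr not in result:
            disabled = bool(entry["userAccountControl"] & ACCOUNTDISABLE)
            result[addr] = MimecastUser(addr, "Directory Generated",
                                        not (disabled and acknowledge_disabled))
    return result

# Constructed sample data: state before the sync and the new AD snapshot.
# 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
PREVIOUS = {
    "alice@example.com": MimecastUser("alice@example.com", "Directory Generated", True),
    "bob@example.com":   MimecastUser("bob@example.com", "Directory Generated", True),
    "carol@example.com": MimecastUser("carol@example.com", "Directory Generated", True),
}
SYNC_SNAPSHOT = [
    {"mail": "alice@example.com", "userAccountControl": 512},  # active
    {"mail": "bob@example.com",   "userAccountControl": 514},  # disabled leaver
    # carol is gone: her AD account was deleted
]
```

Running `reconcile(PREVIOUS, SYNC_SNAPSHOT)` leaves alice untouched, disables bob's Cloud Password login, and marks carol as Message Generated with login off.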

 

Traffic Security

 

Traffic Security Certificates can be used to encrypt traffic such as SMTP, POP3 and LDAP. Although Mimecast accepts both CA-signed and self-signed certificates, we recommend the use of publicly trusted certificates.

 

TLS

 

Emails can be transmitted securely using TLS. To make use of TLS, a certificate needs to be installed and configured on your mail server, and Secure Receipt and/or Secure Delivery policies must be configured. By default Mimecast uses Opportunistic TLS, but you may want to enforce TLS for certain senders and recipients.

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Gateway | Policies menu item.
  4. Scroll down to Secure Delivery and Secure Receipt.

 

LDAPS

 

Directory Sync can be used to synchronize all email addresses, Groups and Attributes, and also allows end users to log in to User Services using their network credentials. Directory Sync can be configured to use LDAP or LDAPS. LDAPS ensures that the traffic between Mimecast and your environment is encrypted. The certificate must carry the FQDN of the directory server as its primary name (Common Name) or as a Subject Alternative Name (SAN).

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Directory Synchronization menu item.
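A pre-flight check for the certificate requirement above, added here as example code rather than anything from Mimecast: given a certificate in the dict form that Python's `ssl.SSLSocket.getpeercert()` returns, it reports whether the FQDN that Directory Sync connects to is covered by a SAN entry or, failing that, by the Common Name. The sample certificates are constructed; the one issued only to the short host name `dc01` is the misconfiguration this check is meant to catch.

```python
from typing import Optional

def _dns_names(cert: dict) -> list:
    """DNS entries from subjectAltName, lower-cased."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def _common_name(cert: dict) -> Optional[str]:
    """Value of the subject's commonName, if any."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower()
    return None

def _label_match(pattern: str, host: str) -> bool:
    """Exact match, or a leading '*' that covers exactly one label."""
    if pattern == host:
        return True
    if pattern.startswith("*.") and host.count(".") == pattern.count("."):
        return host.split(".", 1)[1] == pattern[2:]
    return False

def cert_covers_fqdn(cert: dict, fqdn: str):
    """Return (ok, reason) for the FQDN that Directory Sync connects to.

    When SAN entries exist only they are consulted; the CN is a fallback for
    SAN-less certificates, which current TLS clients reject anyway.
    """
    fqdn = fqdn.lower().rstrip(".")
    sans = _dns_names(cert)
    if sans:
        if any(_label_match(p, fqdn) for p in sans):
            return True, "FQDN matched a subjectAltName entry"
        return False, "FQDN not in subjectAltName (CN is ignored when SANs exist)"
    cn = _common_name(cert)
    if cn and _label_match(cn, fqdn):
        return True, "matched commonName only; no SAN, so modern clients will reject it"
    return False, "no subjectAltName and commonName does not match"

# Constructed sample certificates in ssl.getpeercert() dict form
GOOD_CERT = {"subject": ((("commonName", "ldap.corp.example.com"),),),
             "subjectAltName": (("DNS", "ldap.corp.example.com"),
                                ("DNS", "dc01.corp.example.com"))}
SHORTNAME_CERT = {"subject": ((("commonName", "dc01"),),),   # issued to the short host name
                  "subjectAltName": (("DNS", "dc01"),)}
WILDCARD_CERT = {"subject": ((("commonName", "*.corp.example.com"),),),
                 "subjectAltName": (("DNS", "*.corp.example.com"),)}
CN_ONLY_CERT = {"subject": ((("commonName", "dc01.corp.example.com"),),)}
```

Because the dict shape is the one `getpeercert()` produces, the same function can be pointed at the certificate of a live LDAPS connection once the Directory Sync FQDN is known.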

 

POP3S Journaling

 

If POP3 Journaling is configured, Mimecast will regularly log into the company internal journal mailbox and extract emails to be archived. This process can be configured to use either POP3 or POP3S. POP3S will ensure that the communication is encrypted and secure.

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Journaling menu item.

 

SMTP Journaling

 

As a baseline, the SMTP Journal connector should be configured to accept connections only from your authorized IP addresses. To secure this communication further, Administrators can configure SMTP authentication, which requires a password along with the journal email address as the SMTP-AUTH credentials. SMTP Journal traffic can also be encrypted using TLS, which requires the installation and configuration of a certificate.

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Services | Journaling menu item.

 

Secure Messages

 

Administrators can set the lifespan during which a secure message can be viewed and responded to. This ensures that sensitive emails are only available for a certain period of time, which is especially important if the intended recipient leaves the organization.

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Account | Account Settings menu item.

 

Log Review

 

Account Logs

 

Mimecast captures and logs events for your Mimecast account. The Event Log acts as an audit of all relevant Administrator, user and automatic activities, providing monitoring and accountability. This includes account logins and changes, such as Policy and Group creations and amendments. Logs are also created when an Archive search is performed or a message is viewed.

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Archive | View Logs menu item.

 

Targeted Threats

 

Mimecast Targeted Threat Protection extends traditional gateway security to defend against malicious links in email and weaponized attachments (where the attachment is not a malicious viral payload itself). These are the two most common attack methods. Real time scanning and blocking of suspect websites and attachment sandboxing prevents employees from inadvertently downloading malware or revealing credentials.

 

Customers without Targeted Threat Protection who wish to block all Microsoft Office attachments containing macros at the gateway, without any security analysis, can enable the following options in a Suspected Malware policy:

  • Scan for disallowed extensions within legacy Microsoft Office files. Customers with Attachment Management can enable this option in an Attachment Management policy.
  • Scan for Microsoft Office macros.

Enabling these options in Suspected Malware and Attachment Management policies may generate a high number of false positives.

Mimecast employs a multi-layered approach to phishing detection and prevention, with numerous technologies and techniques forming the Targeted Threat Protection scanning engines and services. We work to provide the most accurate and up-to-date protection for customers, boosted by our global security teams who monitor and fine-tune the service.

 

Due to the highly dynamic nature of these types of attacks we cannot, however, guarantee that all information relied upon is comprehensive and error-free: some risky phishing emails, sites or attachments may not be identified, and some safe emails, sites or attachments may be identified in error.
