At Mimecast, we treat security with the utmost importance. This guide provides recommendations to enhance your account's security, including:
- Managing user access and permissions.
- Communication in and out of your environment.
Account Settings
Your Mimecast Account Settings include the following security-relevant settings:
| Security Setting | Account Setting Section | Description |
|---|---|---|
| Designated Account Contact | Account Contact | Specify the representative we contact in the event of an emergency. This must be kept up to date at all times. Details of all other technical contacts must be emailed to Mimecast Support. See the "Managing Super Administrators" section of the Understanding Administrator Roles page for full details. |
| Cloud Password Rules | Password Complexity and Expiration | We provide options to enhance cloud account security by reducing the risk of a breach through a brute force attack, or of end users setting weak passwords. These settings include the password length and complexity (i.e. enforcing numeric and non-alphanumeric characters and uppercase letters), the password expiration period, and the number of failed attempts before account lockout. |
| Restricted Administration Console Access | User Access and Permissions - "Admin IP Ranges (CIDR n.n.n.n/x)" option | You can restrict access to the Administration Console to specific IP addresses and/or ranges. |
| User Permissions | User Access and Permissions | These settings define the default permissions for all users on your account. See the "User Access and Permissions" section below for details on how to further control user access. |
User Access and Permissions
- User Groups: Users with the same access requirements can be placed in a group. The group uses an Application Setting to control access to end user applications and services (e.g. Secure Messaging). Each Application Setting uses an Authentication Profile to control the method users must use to authenticate with our applications. See the following pages for full information:
- Individual Users: At least one internal domain owned by your organization was added when your Mimecast account was set up. You can add other internal domains or subdomains (e.g. for journaling). See the Configuring Internal Domain / Subdomains page for full details.
- Import Users: You can import multiple users, complete with their permissions. See the Importing Users via a Spreadsheet page for full details.
Roles are sets of permissions assigned to administrators that control the depth of access they have and the tasks they can perform. We provide a set of default roles with your account, but you can create your own custom roles. We recommend assigning each administrator a role with the lowest level of permissions required to perform their administrative tasks.
Content View Access
Content view functionality allows you to control who can view the content of messages. Each time a message is viewed, this access is logged in the Message View Logs. We recommend that you don't share generic accounts, but instead use the provided Super Administrator account to create personal accounts with the required access. If an administrator requires both basic and privileged access, you can create two accounts: one with basic access (email@example.com) and one with privileged access (firstname.lastname@example.org). The task being performed determines which account is used.
Staff Leaving Your Organization
When someone leaves your company, it's important they no longer have access to your Mimecast account. You should disable or remove their Active Directory account. For a deleted account, the status of the email address in Mimecast changes from "Directory Generated" to "Message Generated". This ensures that, if LDAP recipient validation is used, inbound messages to this address are rejected. For enhanced security, if we detect that an Active Directory account has been deleted or disabled, that account's ability to log on with a cloud password is also disabled.
We can also automatically restrict access when both of the following apply:
- The "UserAccountControl" attribute is exposed via the Active Directory synchronization.
- The Active Directory connector has the "Acknowledge Disabled Accounts in Active Directory" option enabled. This is the default setting.
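As an added illustration (not Mimecast's own code), the following Python shows how the two conditions above translate into decisions: it reads a constructed sync export, tests the ACCOUNTDISABLE bit of userAccountControl to find accounts whose cloud password logon should be disabled, and compares against a previous sync to find deleted addresses whose status moves from "Directory Generated" to "Message Generated". The CSV layout, addresses and values are assumptions made for the example.

```python
import csv
from io import StringIO

# Bit in Active Directory's userAccountControl attribute that marks a disabled
# account (ACCOUNTDISABLE, as documented by Microsoft).
ACCOUNTDISABLE = 0x0002

# Constructed sample data: addresses seen in the previous sync, and a CSV export
# of the current sync. Users and values are made up for this example.
PREVIOUS_SYNC = {"alice@example.com", "bob@example.com",
                 "carol@example.com", "dave@example.com"}
CURRENT_SYNC = """\
mail,userAccountControl
alice@example.com,512
bob@example.com,514
dave@example.com,66050
"""


def parse_sync(text):
    """Return {address: userAccountControl} from a CSV export of the sync."""
    return {row["mail"].strip().lower(): int(row["userAccountControl"])
            for row in csv.DictReader(StringIO(text))}


def is_disabled(uac):
    """True if the ACCOUNTDISABLE bit is set in the userAccountControl value."""
    return bool(uac & ACCOUNTDISABLE)


def review_sync(previous_addresses, current):
    """Classify synced addresses as the page describes.

    disabled: still in the directory but ACCOUNTDISABLE is set, so cloud
              password logon should be switched off for the account.
    deleted:  present in the previous sync but absent now, so the address moves
              from "Directory Generated" to "Message Generated" and, with LDAP
              recipient validation, inbound mail to it is rejected.
    """
    disabled = sorted(a for a, uac in current.items() if is_disabled(uac))
    deleted = sorted(set(previous_addresses) - set(current))
    return {"disabled": disabled, "deleted": deleted}
```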
Targeted Threat Protection
Targeted Threat Protection extends traditional gateway security to defend against malicious links in email and weaponized attachments (where the attachment itself is not a malicious viral payload). These are the two most common attack methods. Real-time scanning and blocking of suspect websites, together with attachment sandboxing, prevents employees from inadvertently downloading malware or revealing credentials.
See the following pages for best practice settings:
- Targeted Threat Protection - URL Protect Best Practice
- Targeted Threat Protection - Attachment Protect Best Practice
- Targeted Threat Protection - Impersonation Protect Best Practice
See the following pages for full details:
- Targeted Threat Protection: Device Enrollment
- Targeted Threat Protection: Managing Device Enrollment
- Targeted Threat Protection: Device Enrollment Best Practice
Non-Targeted Threat Protection Customers
Customers without Targeted Threat Protection who wish to block all Microsoft Office attachments containing macros at the Gateway, without any security analysis, can enable the policy options listed below. However, doing so can result in a high number of false positives.
- The "Scan for Disallowed Extensions Within Legacy Microsoft Office Files" option in either a:
- The "Scan for Microsoft Office Macros" option in a Suspected Malware policy.
Traffic Security
Traffic security certificates can be used to encrypt traffic such as SMTP, POP3, and LDAP. Although we accept both root CA-signed and self-signed certificates, we recommend the use of public certificates.
Emails can be transmitted securely using TLS. We use Opportunistic TLS by default, but you may want to Enforce TLS for certain senders or recipients. To make use of TLS you must have:
- A certificate installed and configured on your mail server.
- At least one Secure Receipt and Secure Delivery policy.
See the Configuring Secure Receipt policies and Configuring Secure Delivery definitions and policies pages for full information.
Directory synchronization can be used to synchronize all email addresses, groups, and attributes. It can also allow end users to log on to user services using their network credentials. Directory synchronization can be configured to use LDAP or LDAPS. LDAPS ensures that the traffic between us and your environment is encrypted. The certificate must carry the directory server's FQDN as its primary (subject) name or as a Subject Alternative Name (SAN).
See the Enabling LDAP Directory Synchronization for Active Directory page for full details.
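As an added example (not Mimecast's own code), this Python checks the certificate requirement above: that the FQDN used for the LDAPS connection is the subject common name or a DNS SAN on the server certificate. It works on the dict shape Python's `ssl.getpeercert()` returns; the certificate contents and host names are constructed for the example.

```python
import socket
import ssl

# Constructed example of the dict ssl.SSLSocket.getpeercert() returns; no real host.
SAMPLE_CERT = {
    "subject": ((("commonName", "dc01.corp.example.com"),),),
    "subjectAltName": (("DNS", "dc01.corp.example.com"),
                       ("DNS", "ldap.corp.example.com")),
}


def cert_names(cert):
    """Names the certificate is valid for: every DNS SAN, falling back to the
    subject CN only when there are no DNS SANs (how TLS clients treat it)."""
    dns_sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_sans:
        return dns_sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def _label_match(pattern, name):
    # A wildcard is only honoured as the whole leftmost label and matches one label.
    p, n = pattern.split("."), name.split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        return p[1:] == n[1:]
    return p == n


def fqdn_covered(fqdn, cert):
    """True if the connector's FQDN is the CN or a DNS SAN on the certificate."""
    fqdn = fqdn.lower().rstrip(".")
    return any(_label_match(pat, fqdn) for pat in cert_names(cert))


def fetch_ldaps_cert(fqdn, port=636):
    """Connect to the LDAPS port with hostname checking on; a name mismatch or an
    untrusted issuer raises ssl.SSLCertVerificationError before any LDAP traffic."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    with socket.create_connection((fqdn, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()
```

`fetch_ldaps_cert` performs the same check live against a directory server and is the quickest way to confirm a connector's FQDN before enabling LDAPS.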
If journaling is configured, we regularly log in to the company's internal journal mailbox and extract emails to be archived. This process can be configured to use either POP3 or POP3S. POP3S ensures that the communication is encrypted.
See the Journaling section for full details.
By default, an SMTP journal connector must be configured to accept connections only from your authorized IP addresses. To further secure this communication, you can configure SMTP authentication to:
- Require a password.
- Configure the journal email address as the SMTP-AUTH credentials.
SMTP journal traffic can also be encrypted using TLS. This requires the installation and configuration of a certificate.
See the Journaling section for full details.
Secure Messages
Secure Messaging provides a user-friendly, secure channel for sending and receiving sensitive information via email. Messages are sent via the Mimecast Gateway and accessed by the user through the Mimecast Secure Messaging Portal. This means the messages are not passed through the recipient's email server, and so can only be seen by the intended recipient.
You can set the lifespan during which your users can view and respond to secure messages. This ensures that sensitive emails are only available for a limited period, which limits exposure if, for example, the intended recipient leaves the organization. This requires a Secure Messaging policy, in which you can specify a duration of up to 365 days.
See the Configuring Secure Messaging Definitions and Policies page for full details.
A phishing attack is most likely to come from an external email address that has been spoofed to look like an internal email address. This can be done by subtly changing the email domain to look like the company domain, for example by replacing the letter "m" in the domain with the letters "r" and "n", which look alike at a glance.
With our Stationery add-on, you can add a header to all external messages to alert recipients that the message could be a phishing or spoofing attempt. See the Using Stationery to mitigate phishing attacks page for full details.
Data Leak Prevention (DLP)
Your organization's value and competitive advantage are inextricably linked to the knowledge you hold. Information such as new product ideas, future business plans, and customer data represents an invaluable business asset. When stored digitally, it can be shared easily with colleagues and third parties via email. While this flexibility brings great benefit, it also increases the risk of data leakage. Our cloud service protects your organization against data leakage through seamless integration with Microsoft Exchange.
See the following pages for further details:
Log Review
We capture and log numerous actions taken on your Mimecast account. This acts as an audit trail of all administrator, user, and automatic activities, providing monitoring and accountability. It includes account logons and configuration changes (e.g. policy creation, group configuration). Logs are also created when an archive search is performed or a message is viewed.
See the Archive View Logs page for full details.
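An added example (not Mimecast's own code or log format) of the kind of review these logs support: over constructed audit events it flags administrator logons from outside the "Admin IP Ranges" described in the Account Settings table, lists the changes made from those addresses, and counts message content views per administrator. The event layout, CIDR ranges and addresses are assumptions for the example.

```python
import ipaddress
from collections import Counter

# Admin IP ranges as they would be entered in the console (CIDR n.n.n.n/x).
# Constructed values using documentation address blocks.
ADMIN_IP_RANGES = [ipaddress.ip_network(c)
                   for c in ("203.0.113.0/24", "198.51.100.10/32")]

# Constructed audit events: timestamp, actor, action, source IP, detail.
AUDIT_LOG = """\
2024-05-01T08:02:11Z admin.basic@example.com logon 203.0.113.25 -
2024-05-01T08:05:40Z admin.basic@example.com message_view 203.0.113.25 msgid=0001
2024-05-01T09:17:03Z admin.priv@example.com logon 192.0.2.77 -
2024-05-01T09:18:10Z admin.priv@example.com policy_create 192.0.2.77 name=DLP-Outbound
2024-05-01T10:30:00Z admin.priv@example.com message_view 198.51.100.10 msgid=0002
2024-05-01T10:31:00Z admin.priv@example.com message_view 198.51.100.10 msgid=0003
"""


def parse_events(text):
    """Split each line into its five fields; the source IP is kept as a string."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, ip, detail = line.split(" ", 4)
        events.append({"ts": ts, "actor": actor, "action": action,
                       "ip": ip, "detail": detail})
    return events


def in_admin_ranges(ip, ranges=ADMIN_IP_RANGES):
    """True if the source address falls inside one of the configured CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def review(events):
    """Return logons from outside the admin ranges, the non-view actions taken
    from those source addresses, and message content views per administrator."""
    offsite_logons = [e for e in events
                      if e["action"] == "logon" and not in_admin_ranges(e["ip"])]
    offsite_ips = {e["ip"] for e in offsite_logons}
    offsite_changes = [e for e in events if e["ip"] in offsite_ips
                       and e["action"] not in ("logon", "message_view")]
    views = Counter(e["actor"] for e in events if e["action"] == "message_view")
    return {"offsite_logons": offsite_logons,
            "offsite_changes": offsite_changes, "views": views}
```

With Admin IP Ranges enforced, the offsite logon would have been refused at the console; reviewing the log this way confirms the restriction is doing its job and surfaces any access that slipped through before it was set.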