Security & Efficacy - Security Recommendations

This article contains information on enhancing Mimecast account security, including user access management, 2-step authentication, targeted threat protection, device enrollment, traffic security, TLS, LDAPS, and journaling configurations for secure communication and data protection.

At Mimecast, we treat security with the utmost importance. This guide helps you by providing recommendations to enhance your account's security including:

      • Managing user access, permissions, and restrictions.
      • Communication in and out of your environment.

Ensure you allow connections to the appropriate ports from all Mimecast data centers and URLs, and that they're mapped through to the correct destination on your network.

Account Settings

Your Mimecast Account Settings contain information about your account, including:

| Security Setting | Account Setting Section | Description |
|---|---|---|
| Designated Account Contact | Account Contact | Specify the representative we contact in the event of an emergency. This must be kept up to date at all times. |
| Cloud Password Rules | Password Complexity and Expiration | We provide options to enhance cloud account security, by reducing the risk of a security breach through a brute force attack or of end users setting weak passwords. These settings include defining the password length and complexity (i.e. enforcing numeric characters, non-alphanumeric characters, and uppercase letters), the password expiration period, and the number of failed attempts before account lockout. |
| Restricted Administration Console Access | User Access and Permissions - "Admin IP Ranges (CIDR n.n.n.n/x)" option | You can restrict access to the Administration Console to specific IP addresses and/or ranges. |
| User Permissions | User Access and Permissions | These settings define the default permissions for all users on your account. See the User Access and Permissions section below for details on how to further control user access. |

Details of all other technical contacts must be emailed to Mimecast Support. See the "Managing Super Administrators" section of the Understanding Administrator Roles page for full details.
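The three controls in the table above (password complexity, the Admin IP Ranges CIDR allow list, and lockout after repeated failures) are easy to reason about when written out as checks. The following is an added example, not Mimecast code; the policy values, CIDR ranges and the lockout threshold are constructed for illustration, and the page does not state Mimecast's own defaults.

```python
import ipaddress
import re

# Constructed policy values for illustration; the page does not state Mimecast's defaults.
PASSWORD_POLICY = {
    "min_length": 12,
    "require_numeric": True,
    "require_non_alphanumeric": True,
    "require_uppercase": True,
}

# Constructed "Admin IP Ranges (CIDR n.n.n.n/x)" entries using documentation address space.
ADMIN_IP_RANGES = ["203.0.113.0/24", "198.51.100.10/32"]


def password_violations(password, policy=PASSWORD_POLICY):
    """Return the complexity rules a candidate password fails; an empty list means it passes."""
    failures = []
    if len(password) < policy["min_length"]:
        failures.append("shorter than %d characters" % policy["min_length"])
    if policy["require_numeric"] and not re.search(r"[0-9]", password):
        failures.append("no numeric character")
    if policy["require_non_alphanumeric"] and not re.search(r"[^0-9A-Za-z]", password):
        failures.append("no non-alphanumeric character")
    if policy["require_uppercase"] and not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    return failures


def admin_console_allowed(client_ip, ranges=ADMIN_IP_RANGES):
    """True only if the client address falls inside one of the configured CIDR ranges.

    A malformed address is treated as not allowed rather than raising, so a bad
    input can never accidentally open the console.
    """
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in ranges)


class LockoutTracker:
    """Counts consecutive failed logons per user and reports a lockout after max_attempts."""

    def __init__(self, max_attempts=5):
        self.max_attempts = max_attempts
        self._failures = {}

    def record_failure(self, user):
        """Register one failed attempt; returns True once the user is locked."""
        self._failures[user] = self._failures.get(user, 0) + 1
        return self.is_locked(user)

    def record_success(self, user):
        """A successful logon resets the counter."""
        self._failures.pop(user, None)

    def is_locked(self, user):
        return self._failures.get(user, 0) >= self.max_attempts


if __name__ == "__main__":
    print(password_violations("password"))        # lists every rule it fails
    print(admin_console_allowed("203.0.113.77"))  # True: inside the /24
    print(admin_console_allowed("192.0.2.5"))     # False: not in any range
```

The `strict=False` on `ip_network` accepts ranges written with host bits set (e.g. `198.51.100.10/32` or a sloppy `203.0.113.5/24`), which is how these values are often pasted into a console; version mismatches (an IPv6 client against an IPv4 range) simply do not match.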

User Access and Permissions

      • Individual Users: An internal domain owned by your organization was added when your Mimecast account was set up. You can add other internal domains or subdomains (e.g. for Journaling). See Managing Internal Domain & Subdomains.

      • User Groups: Users with the same access requirements can be added to a group. The group uses an Application Setting to control access to end user applications and services (e.g. Secure Messaging). Each application setting uses an Authentication Profile to control the method users must use to authenticate with our applications. See the following pages for full information:

      • Import Users: You can import multiple authorised users, complete with their access permissions. See Importing Users via a Spreadsheet.

You can delegate mailbox access to other authorized users. See the Configuring Delegate Mailbox Access page for further details.

Roles

Roles are a set of permissions assigned to administrators that control the depth of access they have, and the tasks they can perform. We provide a set of default roles with your account and you can create your own custom administrative roles. We recommend administrators are assigned a role with the basic level of permissions required to perform their administrative tasks.

See Understanding Administrator Roles and Managing Administrator Roles.

Content View Access

Content view functionality allows you to control who can view the content of messages. Each time a message is viewed, this access is logged in the View Logs. We recommend that you do not share generic accounts, but use the provided Super Administrator account to create personal accounts with the required access.

See Understanding Administrator Roles, Managing Administrator Roles, and Protected Content Administrators.

Staff Leaving Your Organization

When someone leaves your company, it's important they no longer have access to their Mimecast account. You should disable or remove their Active Directory account. For an account that is deleted, the status of the email address in Mimecast is changed from Extracted from Directory to Message in Transit. This ensures that if LDAP recipient validation is used, inbound messages to this address are rejected. For enhanced security, if we detect an Active Directory account as deleted or disabled, this account's ability to use a cloud password logon is also disabled.

We can also restrict access when both of the following are true:

  • The UserAccountControl attribute is extracted via the Active Directory synchronization.
  • The Active Directory connector has the Acknowledge Disabled Accounts in Active Directory option enabled. This is the default setting.
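The two conditions above come down to reading one bit of `userAccountControl` and honouring the connector option. The following added example (not Mimecast code) shows the decision logic over constructed directory-sync extracts: the previous and current run, a disabled account, and an account whose attribute was never extracted. `ACCOUNTDISABLE` (0x0002) and `NORMAL_ACCOUNT` (0x0200) are the Active Directory flag values documented by Microsoft; the addresses and record layout are assumptions.

```python
# userAccountControl bit flags as documented by Microsoft for Active Directory.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

# Constructed directory-sync extracts (not real Mimecast data): the previous and current run.
PREVIOUS_SYNC = [
    {"mail": "alice@example.com", "userAccountControl": NORMAL_ACCOUNT},
    {"mail": "bob@example.com", "userAccountControl": NORMAL_ACCOUNT},
    {"mail": "erin@example.com", "userAccountControl": NORMAL_ACCOUNT},
]
CURRENT_SYNC = [
    {"mail": "alice@example.com", "userAccountControl": NORMAL_ACCOUNT},                   # 512: enabled
    {"mail": "bob@example.com", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},    # 514: disabled in AD
    {"mail": "dave@example.com"},                                                          # attribute not extracted
]


def is_disabled(entry):
    """True/False from the ACCOUNTDISABLE bit, or None when the attribute was not synchronized."""
    uac = entry.get("userAccountControl")
    if uac is None:
        return None
    return bool(int(uac) & ACCOUNTDISABLE)


def cloud_logon_decisions(current, previous, acknowledge_disabled=True):
    """Return {address: (decision, reason)} for cloud password logon.

    - An address present in the previous sync but missing now is treated as deleted: deny.
    - A disabled account is denied only when the connector acknowledges disabled accounts
      and the attribute was actually extracted; otherwise nothing can be inferred, so the
      address stays allowed and the reason is recorded for review.
    """
    decisions = {}
    current_addresses = {e["mail"].lower() for e in current}
    for entry in current:
        addr = entry["mail"].lower()
        disabled = is_disabled(entry)
        if disabled is None:
            decisions[addr] = ("allow", "userAccountControl not extracted")
        elif disabled and acknowledge_disabled:
            decisions[addr] = ("deny", "disabled in Active Directory")
        elif disabled:
            decisions[addr] = ("allow", "disabled in AD but connector does not acknowledge disabled accounts")
        else:
            decisions[addr] = ("allow", "enabled")
    for entry in previous:
        addr = entry["mail"].lower()
        if addr not in current_addresses:
            decisions[addr] = ("deny", "deleted from Active Directory")
    return decisions


if __name__ == "__main__":
    for addr, (decision, reason) in sorted(cloud_logon_decisions(CURRENT_SYNC, PREVIOUS_SYNC).items()):
        print(f"{addr:20} {decision:5} {reason}")
```

The "allow" result for an un-extracted attribute is the practical point: if the synchronization does not pull `userAccountControl`, a disabled account is indistinguishable from an enabled one, which is why the page lists attribute extraction as a precondition.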

Two-Step Authentication

Passwords only offer a single layer of protection to a user's identity and can be compromised. Our Two Step Authentication adds an additional layer of protection by denying access to users who present only a password. When Two Step Authentication is enabled, users need both a password and a one-time verification code to access our applications. You can choose how Two Step verification codes are received or generated. The following options are available:

    • Email.
    • SMS.
    • 3rd party code generator (e.g. Google Authenticator or FortiToken).

See the Two-Step Authentication Overview and Configuring Two-Step Authentication pages for full details.

Targeted Threat Protection

Targeted Threat Protection defends against malicious links in email and attachments (where the attachment is not a malicious viral payload itself). Real-time scanning and blocking of suspect websites, together with attachment sandboxing, prevents employees from inadvertently downloading malware or revealing credentials.
For more information, see:

Device Enrollment

Device Enrollment enhances security when accessing attachments and links in messages, by using an authentication service. If the authentication service is enabled, a cookie is stored on the user's device. When the user accesses a Targeted Threat Protection service (e.g. a rewritten or attachment release link), a check is made to see if the cookie is on their device:

      • If there is, the user is allowed to access the service.
      • If there isn't, the user must complete a two-step authentication process to enroll their device. Once their device is enrolled, a cookie is added to their browser, which is used for future interactions with our Targeted Threat Protection service.

For more information, see:

Non-Targeted Threat Protection Customers

Customers without Targeted Threat Protection who want to block all Microsoft Office attachments containing macros at the Gateway without any security analysis can enable the policy options listed below. However, doing so can result in a number of false positives.

Traffic Security

Traffic security certificates can be used to encrypt traffic such as SMTP, POP3, and LDAP. We recommend the use of public certificates.

TLS

Emails can be transmitted securely using TLS. We use Opportunistic TLS by default, but you may want to Enforce TLS for certain senders / recipients. To make use of TLS you must have:

      • A certificate installed and configured on your mail server.
      • At least one Secure Receipt and Secure Delivery policy.

See Secure Receipt Policy Configuration and Secure Delivery Configuration.

LDAPS

Directory synchronization can be used to synchronize email addresses, groups, and attributes. It can also allow end users to log on to user services using their network credentials. Directory Synchronization can be configured to use LDAP or LDAPS. LDAPS ensures that the traffic is encrypted between Mimecast and your environment. The certificate must contain the directory server's FQDN, either as its primary (subject) name or as a Subject Alternative Name (SAN).
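The FQDN requirement is what lets the client verify that the certificate belongs to the directory server it is talking to. The following added example (not Mimecast code) checks a certificate's names against a connector FQDN using the dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns, and builds a client TLS context that enforces hostname verification; the certificate contents and host names are constructed.

```python
import ipaddress
import ssl

# Constructed certificates in the dictionary layout ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap01.corp.example.com"),),),
    "subjectAltName": (
        ("DNS", "ldap01.corp.example.com"),
        ("DNS", "ldap.corp.example.com"),
    ),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.corp.example.com"),),),
    "subjectAltName": (("DNS", "*.corp.example.com"),),
}


def _dns_names(cert):
    """DNS identifiers the certificate asserts: SAN entries, or the CN only if no DNS SAN exists."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def _label_match(pattern, hostname):
    """Exact, case-insensitive match, or a single leftmost wildcard label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def cert_covers_fqdn(cert, fqdn):
    """True when the connector's FQDN is the certificate's primary name or one of its SANs.

    An IP address never matches: the page requires an FQDN on the certificate.
    """
    try:
        ipaddress.ip_address(fqdn)
        return False
    except ValueError:
        pass
    return any(_label_match(name, fqdn) for name in _dns_names(cert))


def ldaps_client_context():
    """TLS context for an LDAPS connector: verifies the chain and the hostname, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print(cert_covers_fqdn(SAMPLE_CERT, "ldap.corp.example.com"))   # True
    print(cert_covers_fqdn(SAMPLE_CERT, "dc1.corp.example.com"))    # False: name not on the certificate
    print(cert_covers_fqdn(SAMPLE_CERT, "10.0.0.5"))                # False: an IP is not an FQDN
```

When a certificate carries DNS SAN entries, the common name is ignored, matching how modern TLS clients behave; a certificate issued only for the server's short name or IP address will fail this check, which is the usual cause of an LDAPS connector that works with verification off and breaks as soon as it is turned on.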

See LDAP for Active Directory.

POP3 Journaling

If Journaling is configured, we regularly log into the company's internal journal mailbox and extract emails to be archived. This process can be configured to use either POP3 or POP3S. POP3S ensures that communication is encrypted and secure.

See the Journaling Guides for full details.

SMTP Journaling

An SMTP Journal Connector must be configured to only accept connections from your Authorized IP addresses by default. To secure this communication, you can configure SMTP authentication to:

      • Require a password.
      • Configure the journal email address as the SMTP-AUTH credentials.

SMTP journal traffic can also be encrypted using TLS. This requires the installation and configuration of a certificate.

See Journaling Guides.

Secure Messages

Secure Messaging provides a secure channel for sending and receiving sensitive information via email. Messages are sent via the Mimecast Gateway and accessed using the Mimecast Secure Messaging Portal. This means the messages are not passed through the recipient's email server, and so can only be seen by the recipient.

You can set the lifespan during which your users can view and respond to secure messages. Sensitive emails are then only available for a specified period of time, which limits exposure if, for example, the intended recipient leaves the organization. This requires a Secure Messaging policy, which allows you to specify a duration of up to 365 days.

See Configuring Secure Messaging Definitions and Policies.

Secure Messaging Lite users cannot create or maintain Secure Messaging policies.

Stationery

A Phishing Attack is most likely to come from an external email address that has been spoofed to look like an internal email address. This can be done by subtly changing the email domain to look like the company domain. For example, the domain "company.com" could be spoofed as "cornpany.com" (notice the "r" and "n" instead of an "m").

Stationery can be used to add a header to all external messages, alerting recipients that it could be a phishing or spoofing attack. See Using Stationery to Mitigate Phishing Attacks.
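The "rn" for "m" trick above is one of a small family of visually confusable substitutions. The following added example (not Mimecast code, and not how Mimecast stationery is configured) shows the detection side: it reduces a sender domain to a visual "skeleton" so look-alikes collapse onto the internal domain, adds a one-edit typo check, and picks the header text to prepend. The internal domain, confusable table and banner wording are constructed; non-Latin homograph attacks (internationalized domain names) are outside what this ASCII table covers.

```python
import unicodedata

# Constructed list of the organization's own domains.
INTERNAL_DOMAINS = {"company.com"}

# Character sequences that render almost identically in common fonts, mapped to what they imitate.
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d")]
CONFUSABLE_CHARS = {"0": "o", "1": "l", "|": "l", "5": "s", "3": "e", "8": "b"}


def skeleton(domain):
    """Reduce a domain to a visual 'skeleton' so look-alikes collapse onto the same string."""
    text = unicodedata.normalize("NFKD", domain.strip().lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))  # drop accents
    for seq, replacement in CONFUSABLE_SEQUENCES:
        text = text.replace(seq, replacement)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in text)


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typos such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, internal=INTERNAL_DOMAINS):
    """'internal', 'lookalike' (visually imitates an internal domain) or 'external'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in internal:
        return "internal"
    for own in internal:
        if skeleton(domain) == skeleton(own) or edit_distance(domain, own) == 1:
            return "lookalike"
    return "external"


def banner_for(address):
    """Stationery header text to prepend, or None for mail from the organization's own domains."""
    kind = classify_sender(address)
    if kind == "internal":
        return None
    if kind == "lookalike":
        return "WARNING: the sender's domain closely resembles an internal domain; treat as possible spoofing"
    return "CAUTION: this message originated outside the organization"


if __name__ == "__main__":
    for sender in ["bob@company.com", "eve@cornpany.com", "eve@c0mpany.com", "pat@partner.org"]:
        print(f"{sender:20} {classify_sender(sender):9} {banner_for(sender)}")
```

Because the page recommends a header on all external messages, the external and look-alike cases both get a banner; the distinction only changes the wording, so a user who ignores the generic "external" notice still sees a sharper warning on the near-miss domain.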

Log Review

We capture and log numerous actions taken on your Mimecast account. This acts as an audit of all administrator, user, and automatic activities, thereby providing monitoring and accountability. This includes account logons, and changes (e.g. policy creation, group configuration). Logs are also created when an archive search is performed or a message is viewed.

See Archive View Logs.

Data Leak Prevention (DLP)

A series of Mimecast policies can be used in the prevention of data leakage. See:

Web Security

Mimecast Web Security guards against malicious activity initiated by user action, or by malware at the server level or front line layer of the web. Web Security policies can be configured to regulate access and increase security for end users.

See the following pages for further details:

Geographical Restrictions

A Geographical Restrictions policy allows administrators to permit or block IP addresses listed in our country specific IP database, thereby controlling which countries can connect to the Mimecast Gateway. This provides the ability to apply inbound reputation checks based upon the geographical location of the sender. These checks apply before our auto allow / managed sender policies, and reject inbound messages if the sender's IP address is blocked.

See Configuring Geographical Restrictions.
