Agreed, PatchesOhoulihan14, here's a good semi-recent example.
During Hafnium back in March, interim mitigations included:
Interim mitigations if unable to patch Exchange Server 2013, 2016, and 2019:
- Implement an IIS Re-Write Rule to filter malicious https requests
- Disable Unified Messaging (UM)
- Disable Exchange Control Panel (ECP) VDir
- Disable Offline Address Book (OAB) VDir
(https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/)
For example, let's assume the EM service would have implemented the mitigation "Disable Unified Messaging (UM)":
Applies To: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857
Description: This mitigation will disable the Unified Message services in Exchange. Microsoft Exchange Managed Availability services are also disabled to prevent mitigation regression.
Impact: Unified Messaging/Voicemail outage when these services are disabled. The advanced monitoring capabilities of Exchange are also disabled, due to disabling Microsoft Exchange Managed Availability services.
This would cause a complete outage of Unified Messaging/Voicemail...
So either:
- Unified Messaging/Voicemail services definitely go offline and are unavailable to legitimate users, OR
- A malicious actor might gain unauthorized access
Without discussing the merits of option 1 or 2 above (I have my own opinion), the fact is that this new EM service basically gives Microsoft the keys to the castle to modify Exchange configuration however it chooses (presumably in the best interest of its customers, again, however well intentioned).
I'm wary of my organization handing over that control. Thank you.
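As an added illustration of the trade-off discussed above (example code, not from the post or from Microsoft), the script below is a read-only audit of the four interim mitigations on an Exchange server, so an admin can see whether the EM service (or anyone else) has applied any of them and diff the output against a baseline. It assumes the WebAdministration module is available, that the front-end site is named "Default Web Site", and that it is run with administrative rights in the Exchange Management Shell.

```powershell
# Added example (not from the post): read-only audit of the March 2021 interim
# mitigations. Nothing here changes configuration; it only reports state.
# Assumptions: WebAdministration module present; site name "Default Web Site".
Import-Module WebAdministration -ErrorAction Stop

$siteName = 'Default Web Site'            # assumption: default front-end site
$sitePath = "IIS:\Sites\$siteName"
$report   = [ordered]@{}

# 1. IIS URL Rewrite rules on the front-end site. The MSRC rewrite-rule
#    mitigation appears here as an extra rule; every rule is listed so an
#    unexpected addition stands out against a baseline.
$rules = Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' `
                              -PSPath $sitePath -ErrorAction SilentlyContinue
$report['RewriteRules'] = if ($rules) { ($rules | ForEach-Object { $_.name }) -join ', ' } else { '(none)' }

# 2. Unified Messaging services, plus the Managed Availability (Health Manager)
#    services that the EM mitigation text says are also disabled.
foreach ($svc in 'MSExchangeUM', 'MSExchangeUMCR', 'MSExchangeHM', 'MSExchangeHMRecovery') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $report[$svc] = if ($s) { "$($s.Status) / $($s.StartType)" } else { 'not installed' }
}

# 3. ECP and OAB virtual directories: the VDir mitigations take these out of
#    service, so report whether each still exists on the front-end site.
foreach ($vdir in '/ecp', '/OAB') {
    $present = Get-WebVirtualDirectory -Site $siteName -ErrorAction SilentlyContinue |
               Where-Object { $_.path -eq $vdir }
    $report["VDir $vdir"] = if ($present) { 'present' } else { 'missing' }
}

# Compact table; save it once as a baseline and compare on later runs.
$report.GetEnumerator() | Format-Table Name, Value -AutoSize
```

Any change from the baseline (a new rewrite rule, UM or HM services stopped, a missing VDir) tells you a mitigation was applied, so the voicemail outage the post describes is spotted by monitoring rather than by users.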