We’ve said it before, we’re saying it now, and we’ll keep saying it: it is critical to keep your Exchange servers updated. This means installing the latest available Cumulative Update (CU) and Security Update (SU) on all your Exchange servers (and in some cases, your Exchange Management Tools workstations), and occasionally performing manual tasks to harden the environment, such as enabling Extended Protection and enabling certificate signing of PowerShell serialization payloads.
Attackers looking to exploit unpatched Exchange servers are not going to go away. There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts. First, user mailboxes often contain critical and sensitive data. Second, every Exchange server contains a copy of the company address book, which provides a lot of information that is useful for social engineering attacks, including organizational structure, titles, contact info, and more. And third, Exchange has deep hooks into and permissions within Active Directory, and in a hybrid environment, access to the connected cloud environment.
To defend your Exchange servers against attacks that exploit known vulnerabilities, you must install the latest supported CU (as of this writing, CU12 for Exchange Server 2019, CU23 for Exchange Server 2016, and CU23 for Exchange Server 2013) and the latest SU (as of this writing, the January 2023 SU). Exchange Server CUs and SUs are cumulative, so you only need to install the latest available one. Note that an SU is built for a specific CU, so the SU you install must match the CU that is on the server. Install the latest CU first, then check whether any SUs were released after that CU. If so, install the most recent (latest) SU for that CU.
After installing an update, there may be manual tasks that an admin needs to perform, so always run Health Checker after installing an update to check for such tasks. Health Checker provides you with links to articles that provide step-by-step guidance.
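The following script is an added example and is not part of the Exchange Team's post or Microsoft's own tooling. It inventories the CU and SU level of every server in the organization from the Exchange Management Shell and flags servers that are behind. It relies on a detail worth knowing: the AdminDisplayVersion that Get-ExchangeServer returns only changes when a CU is installed, so it cannot tell you whether an SU is present; the file version of ExSetup.exe does change with every SU, so that is what the script reads over PowerShell remoting. The target build numbers in the $Targets table, the registry path used to find the install directory, and the MitigationsEnabled property are this example's assumptions; verify the build numbers against the official Exchange Server build numbers table before relying on the output.

```powershell
# Added example, not from the Exchange Team's post. Run in the Exchange Management Shell with an
# account that can use PowerShell remoting to each Exchange server.
#
# Design notes:
#  * Get-ExchangeServer's AdminDisplayVersion changes only when a CU is installed, so it shows
#    the CU level but says nothing about SUs.
#  * Every SU updates ExSetup.exe, so its file version is used as the SU-level indicator.

# Target builds for the lines named in the post (CU12 / CU23 / CU23 plus the January 2023 SU).
# ASSUMPTION: these numbers are from memory; verify them against the official build table.
$Targets = @{
    '15.2' = @{ Product = 'Exchange Server 2019'; CU = 'CU12'; Build = [version]'15.2.1118.21' }
    '15.1' = @{ Product = 'Exchange Server 2016'; CU = 'CU23'; Build = [version]'15.1.2507.17' }
    '15.0' = @{ Product = 'Exchange Server 2013'; CU = 'CU23'; Build = [version]'15.0.1497.45' }
}

function Get-ExSetupFileVersion {
    # Returns the four-part file version of ExSetup.exe on a remote server. The install path is
    # read from the registry key that Exchange setup writes (assumed: ...\ExchangeServer\v15\Setup).
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    $text = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
        $vi = (Get-Item (Join-Path $setup.MsiInstallPath 'bin\ExSetup.exe')).VersionInfo
        # Use the numeric parts; the FileVersion string is zero-padded (e.g. 15.02.1118.021).
        '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    }
    return [version]$text
}

function Get-ExchangePatchStatus {
    [CmdletBinding()]
    param([string[]]$Identity)   # default: every Exchange server in the organization

    $servers = if ($Identity) { $Identity | ForEach-Object { Get-ExchangeServer -Identity $_ } }
               else           { Get-ExchangeServer }

    foreach ($srv in $servers) {
        # AdminDisplayVersion renders as "Version 15.2 (Build 1118.7)".
        if (-not ("$($srv.AdminDisplayVersion)" -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)')) {
            Write-Warning "$($srv.Name): cannot parse AdminDisplayVersion"
            continue
        }
        $cuBuild = New-Object Version([int]$Matches[1], [int]$Matches[2], [int]$Matches[3], [int]$Matches[4])
        $target  = $Targets["$($Matches[1]).$($Matches[2])"]

        $suBuild = $null
        try   { $suBuild = Get-ExSetupFileVersion -ComputerName $srv.Fqdn }
        catch { Write-Warning "$($srv.Name): could not read ExSetup.exe ($($_.Exception.Message))" }

        $status =
            if (-not $target)                               { 'Unknown version line' }
            elseif ($null -eq $suBuild)                     { 'Could not read ExSetup.exe' }
            elseif ($suBuild -ge $target.Build)             { 'Up to date' }
            elseif ($cuBuild.Build -eq $target.Build.Build) { 'Latest CU present, SU missing' }
            else                                            { "CU behind: install $($target.CU), then its latest SU" }

        [pscustomobject]@{
            Server             = $srv.Name
            Product            = if ($target) { $target.Product } else { 'n/a' }
            CuBuild            = $cuBuild
            SuBuild            = $suBuild
            TargetBuild        = if ($target) { $target.Build } else { $null }
            # ASSUMPTION: MitigationsEnabled is the EEMS state exposed on the server object.
            MitigationsEnabled = $srv.MitigationsEnabled
            Status             = $status
        }
    }
}

Get-ExchangePatchStatus | Format-Table -AutoSize
```

A server reported as "Latest CU present, SU missing" is exactly the case the post warns about: the CU is current but the security fixes are not. Run HealthChecker.ps1 afterwards regardless of what this script reports, because it also surfaces the manual hardening steps (Extended Protection, serialization payload signing) that no build number can tell you about.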
Prior to releasing an SU, we may release a mitigation for a known vulnerability that can be applied to servers automatically by the Exchange Emergency Mitigation Service or manually using the Exchange On-Premises Mitigation Tool. As previously stated, mitigations are designed to provide temporary protection until an SU is available and can be installed. In some cases, mitigations can become insufficient to protect against all variations of an attack. Thus, installation of an applicable SU is the only way to protect your servers.
Updating your Exchange servers is straightforward:
We know that keeping your Exchange environment protected is critical, and we know it’s never ending. We’re here to support our customers any way we can. We are constantly looking for ways to improve the Exchange Server update process, and we’ve posted a survey about that topic which we invite you to take at https://forms.office.com/r/kfLyqAe3Q8.
In the meantime, please update your Exchange servers!
The Exchange Team