Exchange Team Blog

Protect Your Exchange Servers

Jan 26, 2023

We’ve said it before, we’re saying it now, and we’ll keep saying it: it is critical to keep your Exchange servers updated. This means installing the latest available Cumulative Update (CU) and Security Update (SU) on all your Exchange servers (and in some cases, your Exchange Management Tools workstations), and occasionally performing manual tasks to harden the environment, such as enabling Extended Protection and enabling certificate signing of PowerShell serialization payloads.

Attackers looking to exploit unpatched Exchange servers are not going to go away. There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts. First, user mailboxes often contain critical and sensitive data. Second, every Exchange server contains a copy of the company address book, which provides a lot of information that is useful for social engineering attacks, including organizational structure, titles, contact info, and more. And third, Exchange has deep hooks into and permissions within Active Directory, and in a hybrid environment, access to the connected cloud environment.

To defend your Exchange servers against attacks that exploit known vulnerabilities, you must install the latest supported CU (as of this writing, CU12 for Exchange Server 2019, CU23 for Exchange Server 2016, and CU23 for Exchange Server 2013) and the latest SU (as of this writing, the January 2023 SU). Exchange Server CUs and SUs are cumulative, so you only need to install the latest available one. You install the latest CU, then see if any SUs were released after the CU was released. If so, install the most recent (latest) SU.

After installing an update, there may be manual tasks that an admin needs to perform, so always run Health Checker after installing an update to check for such tasks. Health Checker provides you with links to articles that provide step-by-step guidance.

Prior to releasing an SU, we may release a mitigation for a known vulnerability that can be applied to servers automatically by the Exchange Emergency Mitigation Service or manually using the Exchange On-Premises Mitigation Tool. As previously stated, mitigations are designed to provide temporary protection until an SU is available and can be installed. In some cases, mitigations can become insufficient to protect against all variations of an attack. Thus, installation of an applicable SU is the only way to protect your servers.

Updating your Exchange servers is straightforward:

  • Be sure to always read our blog post announcements, noting known issues and recommended or required manual actions. For CUs, always follow our guidance and best practices, and for SUs, use the Security Update Guide to find relevant information.
  • Be sure to review our update FAQ in the article Why Exchange Server Updates Matter.
  • Use the Exchange Server Health Checker to inventory your servers and see which Exchange servers need updates (CUs or SUs), and if any manual action needs to be taken.
  • Once you know what updates are needed, use the Exchange updates step-by-step guide (aka the Exchange Update Wizard) to choose your currently running CU and your target CU and get directions for updating your environment.
  • If you encounter errors during update installation, the SetupAssist script can help troubleshoot them. And if something does not work properly after updates, have a look at the Update Troubleshooting Guide, which covers the most common issues and how to resolve them.
  • Be sure to install any necessary updates for Windows Server and other software that might be running on your Exchange server(s).
  • Be sure to install any necessary updates on dependency servers, including Active Directory, DNS, and other servers used by Exchange.
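Putting the inventory step into practice, as an added example that is not from the Exchange Team's post: a script, run from the Exchange Management Shell, that reads the exact build of every server and flags which ones are behind the CU or SU you are targeting. It assumes PowerShell remoting to each server and that you replace the placeholder target builds with the real values for your version from the Security Update Guide.

```powershell
# Added example, not the Exchange Team's code. Run from the Exchange Management
# Shell on a machine that can reach every server over PowerShell remoting.
# Target builds are PLACEHOLDERS: fill them from the Exchange build numbers
# page and the Security Update Guide for the CU/SU you are rolling out.
param(
    # Version family (15.2 = 2019, 15.1 = 2016, 15.0 = 2013) -> build you expect.
    # Build = the CU level, Revision = the SU level (15.x.<Build>.<Revision>).
    [hashtable]$Target = @{
        '15.2' = @{ Build = 0; Revision = 0 }   # placeholder, set for Exchange 2019
        '15.1' = @{ Build = 0; Revision = 0 }   # placeholder, set for Exchange 2016
        '15.0' = @{ Build = 0; Revision = 0 }   # placeholder, set for Exchange 2013
    }
)

# AdminDisplayVersion from Get-ExchangeServer only shows the CU, so the SU level
# is read from ExSetup.exe on each server (the same source Health Checker uses).
$report = foreach ($srv in (Get-ExchangeServer | Sort-Object Name)) {
    try {
        $fileVersion = Invoke-Command -ComputerName $srv.Fqdn -ErrorAction Stop -ScriptBlock {
            $exe = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
            (Get-Item $exe).VersionInfo.FileVersion        # e.g. 15.02.1118.025
        }
        $ver = [version]$fileVersion                       # parses to 15.2.1118.25
    } catch {
        # Unreachable servers are reported, not skipped silently.
        [pscustomobject]@{ Server = $srv.Name; Build = $null
                           Status = "UNREACHABLE: $($_.Exception.Message)" }
        continue
    }

    $t = $Target["$($ver.Major).$($ver.Minor)"]
    $status = if (-not $t)                           { 'UNKNOWN VERSION FAMILY, check manually' }
              elseif ($ver.Build -lt $t.Build)       { 'BEHIND ON CU: install latest CU, then latest SU' }
              elseif ($ver.Revision -lt $t.Revision) { 'BEHIND ON SU: install latest SU' }
              else { 'CURRENT: still run Health Checker for manual post-update tasks' }

    [pscustomobject]@{ Server = $srv.Name; Build = $ver; Status = $status }
}

$report | Format-Table -AutoSize
```

Servers not marked CURRENT are the ones to take through the Exchange Update Wizard; a CURRENT build still does not prove the manual hardening tasks were done, which is why Health Checker runs afterwards.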

We know that keeping your Exchange environment protected is critical, and we know it’s never ending. We’re here to support our customers any way we can. We are constantly looking for ways to improve the Exchange Server update process, and we’ve posted a survey about that topic which we invite you to take at https://forms.office.com/r/kfLyqAe3Q8.
In the meantime, please update your Exchange servers!

The Exchange Team

    ThorstenK2
    Brass Contributor

    And don't manage your Exchange Servers with Domain Admin accounts!
    Have a dom_jdoe for DomainController / Tier0
    and an adm_jdoe (NOT Domain Admin) for AD daily business and systems like Exchange, Fileserver, etc. / Tier1

    Otherwise a compromise of Exchange is automatically a full compromise.

  • dgk62 This question is not related to the subject of the blog post where you asked it. Please open a support ticket. Looking quickly, this kind of error usually indicates some sort of certificate problem.

  •
    Michael_Finney
    Copper Contributor

    You might imagine that if you googled (or Binged -_-) "exchange server hardening guide" at least one of the articles on the first or even the second page would be from MS....but you would be wrong -_-

    All third party articles...and your feedback form isn't accepting responses at this time. I expect better from MS, although I don't know why I still do after repeated demonstrations of the exact opposite.

    Does Microsoft have any kind of Exchange server hardening guide that I simply missed? Why would such a document be so hard to find?

    Thank you.

  •
    dgk62
    Copper Contributor

    Hi

    What happens to Mitigation service endpoints?

    I receive a lot of errors like this one "...An unexpected exception occurred. Diagnostic information:     Exception encountered while fetching mitigations : System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel..."

    The events started yesterday.

    Kind regards,

    Dmitry

  • Bjoern_Lausen, thanks for the question! Yes, for Exchange 2019, the last two CUs are supported, and the Exchange 2019 SUs we deliver can be installed on either CU version.  But as a general rule, we always want you to run with the latest CU, as it contains the most recent code.  This is not a new recommendation...we've been saying this for a while.  We do know that some customers have valid reasons to lag behind in CUs, but our guidance will always be to run the latest version of Exchange.

  • Hi all,

    Protect your admin accounts by setting "log on to" only to EX servers and define a jump server to do RDP sessions for them.

    Att

  •
    Bjoern_Lausen
    Copper Contributor

    Hello,

    The blog post explicitly states that the last CU should be installed, but aren't the last two CUs supported for Exchange 2019?

    For the CU 11 of Exchange 2019 there is also the January 2023 SU. Is this the new recommendation?

  •
    Sam_T
    Iron Contributor

    Michael_Finney 

    Good point Michael.  There is a fair bit of hardening information but it is scattered all over microsoft.com and Microsoft aren't going to help us by generating an Exchange hardening guide. Instead they drop the information in an endless series of disjointed web pages and blog posts that is going to take you years to locate and identify as part of a coherent hardening strategy.  Some of these pages are good, some are not good at all, some disappear over time and the information is lost maybe forever.  My favorite is the apparently new strategy of providing articles with no date on them so you don't know if they were written last week, last year or last decade or if the guidance in the article changed since the last time you reviewed the article.

  •
    AzariasJr
    Copper Contributor

    Who still has Exchange Server 2013 already updated to CU23? How can I release it?

  •
    Fallohide
    Copper Contributor

    Hi Team,

    I've been tasked (forced) by my customer to implement CIS IIS hardening according to CIS_Microsoft_IIS_10_Benchmark_v1.2.1 on my Exchange Server 2019 with CU 14 and latest SU and hotfix. Health Checker is all good.

    I really don't like to follow all settings in the CIS IIS 10 benchmark, but I would like to hear a second opinion that this is the right path.

    Cheers.