Cyber agencies produce ‘long overdue’ best practices for securing Microsoft Exchange Server


Cyber agencies from three countries including the US have issued a list of security best practices for protecting Microsoft Exchange Server, a venerable on-premises email server that many IT departments still cling to.

The advisory, also endorsed by Australia and Canada, comes at a good time: Threat actors are still poking at holes in Exchange Server, and many attacks have succeeded because of old or misconfigured installations. For example, Germany’s Office for Information Security believes nine out of 10 Exchange servers in that country are still running outdated versions of the software.

Even hybrid Exchange environments aren’t vulnerability-free. In August, Microsoft released guidance on a high-severity hole (CVE-2025-53786) in mixed on-prem and Exchange Online deployments. It allows a threat actor with admin access to the local server to escalate privileges. This advisory was an update to a hot fix released in April.

Also in August, researchers at Positive Technologies warned of finding keyloggers that are being injected into Exchange authentication pages. Around 65 victims were identified in 26 countries.

Readers may also recall that one of the biggest rounds of Exchange Server attacks happened in January 2021, after four zero-day vulnerabilities were exploited, mainly by a gang dubbed Hafnium. By one estimate, about 30,000 customers in the United States were affected, and 250,000 globally.

On-prem Exchange still prevails in some environments

Although many IT departments are shifting to cloud-based email providers, some firms and government departments still hold onto their on-prem Exchange servers, either because they don’t have the budgets to move away from legacy infrastructure, or because they believe hands-on control gives them better security.

However, organizations with unprotected or misconfigured Exchange servers remain at high risk of compromise, as threat activity persists in targeting vulnerable Exchange servers, including versions that have reached end-of-life, says the US Cybersecurity and Infrastructure Security Agency (CISA) in its introduction to the guidance.

Best practices include a focus on hardening user authentication and access, ensuring strong network encryption, and minimizing application attack surfaces. Organizations that implement these well can significantly reduce their risk from cyber threats, CISA says. 

The document is not an all-inclusive hardening guide; active monitoring for compromises and planning for potential incidents and recovery are equally important areas for Exchange admins to concentrate on, says CISA.

Robert Beggs, head of Canadian incident response firm DigitalDefence, called the best practices guidance “long overdue.”

Despite the fact that Exchange is a “particularly juicy target,” with stored emails that contain sensitive corporate and personal information, and sometimes even passwords, his firm has found “significant misconfigurations with every implementation of Exchange server that we have tested.” 

Beggs added that often Exchange servers lack infrastructure security controls and monitoring/logging, endpoint security solutions, or even antivirus software, because users believe that this interferes with mail serving operations.

The guidance

The guidance states admins should treat on-prem Exchange servers as being “under imminent threat,” and itemizes key practices for admins:

First, it notes, “the most effective defense against exploitation is ensuring all Exchange servers are running the latest version and Cumulative Update (CU)”;

It points out that Microsoft Exchange Server Subscription Edition (SE) is the sole supported on-premises version of Exchange, since Microsoft ended support for previous versions on October 14, 2025;

It urges admins to ensure Microsoft’s Emergency Mitigation Service remains enabled for delivery of interim mitigations;

It urges admins to establish a security baseline for Exchange Server, mail clients, and Windows. Maintaining a security baseline enables administrators to identify non-conforming systems and those with incorrect security configurations, as well as allowing them to perform rapid remediation that reduces the attack surface available to an adversary;

It advises admins to enable built-in protection like Microsoft Defender Antivirus and other Windows features if they aren’t using third-party security software. Application Control for Windows (App Control for Business and AppLocker) is an important security feature that strengthens the security of Exchange servers by controlling the execution of executable content, the advice adds;

It urges admins to ensure that only authorized, dedicated administrative workstations are permitted to access Exchange administrative environments, including via remote PowerShell;

It tells admins to make sure to harden authentication and encryption for identity verification;

It advises that Extended Protection (EP) be configured with consistent TLS settings and NTLM configurations, since consistent settings are required for EP to operate correctly across multiple Exchange servers;

It advises admins to ensure that the default setting for the P2 FROM header is enabled, to detect header manipulation and spoofing;

It says admins should enable HTTP Strict Transport Security (HSTS) to force all browser connections to be encrypted with HTTPS.

Given the number of configuration options available, it can be difficult for many organizations to select the optimal security configuration at the time of installation, Beggs admits. This is made more complex, he said, if implementations occur in a shared services model, where the Exchange server is hosted in the cloud and may be configured and maintained by a third party, so that responsibility for a secure configuration is not clear.

“A little-recognized aspect of securely configuring Exchange is that applying patches and upgrades from the vendor may reset or change some security configuration information,” he noted. While the guidance urges admins to ‘apply security baselines,’ Beggs said they should verify that the correct security baseline was applied. And, he added, they should review configuration settings at least quarterly.
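The guidance items above (current build and CU, Emergency Mitigation Service, Extended Protection, HSTS) and Beggs’s point that patches can silently reset configuration both come down to the same practice: record a baseline and re-check the live server against it after every update. The script below is an added illustration, not code from the advisory, CISA or Microsoft. It assumes it is run in the Exchange Management Shell on the server being audited, that the IISAdministration module is available (IIS 10 on Windows Server 2016 or later), and that the build string and the list of virtual directories are placeholders an admin replaces with their own baselined values; the required Extended Protection level per virtual directory comes from Microsoft’s Extended Protection documentation and is not reproduced here.

```powershell
# Added example (not from the advisory): read-only baseline check of a few settings
# the guidance calls out. Run from the Exchange Management Shell after each CU/SU.
param(
    [string]$Server = $env:COMPUTERNAME,
    # Placeholder: the ExSetup.exe product version recorded when the baseline was taken.
    [string]$ExpectedBuild = 'REPLACE-WITH-BASELINED-BUILD',
    # Placeholder subset of virtual directories whose Extended Protection setting is baselined.
    [string[]]$EpVirtualDirectories = @('Default Web Site/EWS', 'Default Web Site/OAB', 'Default Web Site/Microsoft-Server-ActiveSync')
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Version / Cumulative Update: compare the installed ExSetup.exe build with the baseline.
$exs = Get-ExchangeServer -Identity $Server
$installed = (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
Add-Finding 'Exchange build matches baseline' ($installed -eq $ExpectedBuild) `
    "installed=$installed expected=$ExpectedBuild (AdminDisplayVersion=$($exs.AdminDisplayVersion))"

# 2. Emergency Mitigation Service: must stay enabled at the organization level and per server.
$org = Get-OrganizationConfig
Add-Finding 'Emergency Mitigation Service enabled (organization)' ([bool]$org.MitigationsEnabled) "MitigationsEnabled=$($org.MitigationsEnabled)"
Add-Finding "Emergency Mitigation Service enabled ($Server)" ([bool]$exs.MitigationsEnabled) "MitigationsEnabled=$($exs.MitigationsEnabled)"

Import-Module IISAdministration

# 3. Extended Protection: the IIS tokenChecking attribute under Windows authentication.
#    'None' means channel binding is not checked; the exact required level (Allow or Require)
#    per directory is taken from the baseline, so only 'None' is flagged here.
foreach ($vdir in $EpVirtualDirectories) {
    $winAuth = Get-IISConfigSection -SectionName 'system.webServer/security/authentication/windowsAuthentication' -Location $vdir
    $ep = Get-IISConfigElement -ConfigElement $winAuth -ChildElementName 'extendedProtection'
    $tokenChecking = Get-IISConfigAttributeValue -ConfigElement $ep -AttributeName 'tokenChecking'
    Add-Finding "Extended Protection on $vdir" ("$tokenChecking" -ne 'None') "tokenChecking=$tokenChecking"
}

# 4. HSTS on the Default Web Site (site-level <hsts> element in IIS 10).
$sites = Get-IISConfigSection -SectionName 'system.applicationHost/sites' | Get-IISConfigCollection
$site = Get-IISConfigCollectionElement -ConfigCollection $sites -ConfigAttribute @{ name = 'Default Web Site' }
$hsts = Get-IISConfigElement -ConfigElement $site -ChildElementName 'hsts'
$hstsEnabled = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled'
$maxAge = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'max-age'
Add-Finding 'HSTS enabled on Default Web Site' ([bool]$hstsEnabled -and [int]$maxAge -gt 0) "enabled=$hstsEnabled max-age=$maxAge"

# 5. Report drift and keep a dated record so quarterly reviews can compare runs.
$findings | Format-Table Check, Pass, Detail -AutoSize
$drifted = @($findings | Where-Object { -not $_.Pass })
if ($drifted.Count -gt 0) {
    Write-Warning "$($drifted.Count) setting(s) differ from the baseline on $Server; re-apply the baseline before closing the patch window."
}
$findings | Export-Csv -Path (Join-Path $env:TEMP "exchange-baseline-$Server-$(Get-Date -Format yyyyMMdd).csv") -NoTypeInformation
```

The checks are deliberately read-only: the script reports drift and leaves remediation to the documented Microsoft procedures (for example Set-OrganizationConfig or Set-ExchangeServer with -MitigationsEnabled, and the Extended Protection and HSTS configuration guidance), so it can be scheduled safely after every update and its CSV output kept as evidence that the baseline was verified rather than merely applied.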

Beggs added that the guidance serves to remind admins that Exchange is a server, and must be treated as subject to the same risks, and the same security requirements, as any other server on the network. “Security must be consistently applied to all data, especially when considering the data that is typically present on a mail server,” he said.

This article first appeared on CSO Online.