The US Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have issued advice on how to harden on-premises Microsoft Exchange Server instances.
The advisory comes amidst a surge in attacks against Exchange Server in recent months, according to Nick Andersen, executive assistant director for the Cybersecurity Division (CSD) at CISA.
“With the threat to Exchange servers remaining persistent, enforcing a prevention posture and adhering to these best practices is crucial for safeguarding our critical communication systems," Andersen said.
"This guidance empowers organizations to proactively mitigate threats, protect enterprise assets, and ensure the resilience of their operations.”
Anderson added that CISA recommends organizations also “evaluate the use of cloud-based email services” rather than “managing the complexities” of hosting their own.
Shoring up Microsoft Exchange Server
So what does the advisory recommend? First and foremost, organisations should restrict administrative access, implement multi-factor authentication, enforce strict transport security configurations, and adopt zero trust security model principles.
On top of this, as certain Exchange Server versions have recently become end-of-life (EOL), they strongly encourage organizations to take proactive steps to mitigate risks and prevent malicious activity.
Attackers frequently target these servers, which usually receive less monitoring and security updates than cloud-based alternatives.
Organizations should decommission any remaining end-of-life on-prem or hybrid Exchange servers after transitioning to cloud-based Microsoft 365, the duo said.
Stay up to date with patching
The most effective defense against exploitation, according to the NSA, is ensuring that all Exchange servers are running the latest version and Cumulative Update (CU).
Organizations that are running an unsupported version of Exchange should migrate to Exchange Server SE or an alternative supported email server software or service.
Elsewhere, ensuring that Emergency Mitigation Service remains enabled is vital, and enterprises are also advised to apply and maintain the Exchange Server baseline, Windows security baselines, and applicable mail client security baselines.
As far as administrative access is concerned, this should remain limited, according to CISA, while authentication and encryption should be hardened by configuring Transport Layer Security and Extended Protection.
Similarly, instead of NT LAN Manager (NTLM), Kerberos and Server Message Block (SMB) should be configured; Modern Authentication and multi-factor authentication should be used, along with certificate-based signing of PowerShell serialization, HTTP Strict Transport Security (HSTS), and Download Domains.
Exchange server flaws are heavily targeted
The publication of the guide follows a warning from CISA in August about a high-severity post-authentication vulnerability in Exchange Server.
Tracked as CVE-2025-53786, the vulnerability allowed an attacker to move laterally from on-premises Exchange to the M365 cloud environment.
CISA said that while exploitation of this flaw would require highly specific circumstances, it still represents a serious concern.
"Although exploitation of this vulnerability is only possible after an attacker establishes administrative access on the on-premises Exchange server, CISA is deeply concerned at the ease with which a threat actor could escalate privileges and gain significant control of a victim’s M365 Exchange Online environment," it said.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Trump's AI executive order could leave US in a 'regulatory vacuum'News Citing a "patchwork of 50 different regulatory regimes" and "ideological bias", President Trump wants rules to be set at a federal level
-
TPUs: Google's home advantageITPro Podcast How does TPU v7 stack up against Nvidia's latest chips – and can Google scale AI using only its own supply?
-
LastPass hit with ICO fine after 2022 data breach exposed 1.6 million users – here’s how the incident unfoldedNews The impact of the LastPass breach was felt by customers as late as December 2024
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
Trend Micro issues warning over rise of 'vibe crime' as cyber criminals turn to agentic AI to automate attacksNews Trend Micro is warning of a boom in 'vibe crime' - the use of agentic AI to support fully-automated cyber criminal operations and accelerate attacks.
-
Microsoft Teams is getting a new location tracking feature that lets bosses snoop on staff – research shows it could cause workforce pushbackNews A new location tracking feature in Microsoft Teams will make it easier to keep tabs on your colleague's activities – and for your boss to know exactly where you are.
-
Cyber budget cuts are slowing down, but that doesn't mean there's light on the horizon for security teamsNews A new ISC2 survey indicates that both layoffs and budget cuts are on the decline
-
NCSC issues urgent warning over growing AI prompt injection risks – here’s what you need to knowNews Many organizations see prompt injection as just another version of SQL injection - but this is a mistake
-
Chinese hackers are using ‘stealthy and resilient’ Brickstorm malware to target VMware servers and hide in networks for months at a timeNews Organizations, particularly in the critical infrastructure, government services, and facilities and IT sectors, need to be wary of Brickstorm
-
AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals — and teams at Amazon are already seeing huge gainsNews AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals, and the company has already unlocked significant benefits from the technology internally.
