CISA and NSA: Hardening guidance for Microsoft Exchange

CISA and NSA, together with Australia's ACSC and the Canadian Centre for Cyber Security, have published consolidated hardening guidance for Microsoft Exchange Server: patch supported versions and migrate off end‑of‑life ones, restrict and strengthen administrative access, remove development and debug remnants, enforce strong transport encryption and modern authentication, and apply the Exchange and Windows Server security baselines. They also recommend decommissioning on‑prem or hybrid Exchange servers that are no longer needed or actively maintained, and preparing in advance for incident detection and recovery.

Immediate high‑priority actions (first 24–72 hours)

  • Patch: Apply the latest Security Update (SU) to every Exchange server (Subscription Edition, and any Exchange 2016 or 2019 still in service). Treat any server missing the current SU as high risk. Exchange 2016 and 2019 reached end of support on 14 October 2025, so patching them is a stopgap while you migrate to Subscription Edition. Read the real patch level from the ExSetup.exe file version; AdminDisplayVersion only reflects the CU, not the SU.
  • Decommission EOL servers: If you have unsupported on‑prem servers and have completed the migration to Microsoft 365, remove the last Exchange server rather than keeping an unpatched fallback. Since Exchange 2019 CU12 and 2016 CU23 the management‑tools‑only install covers recipient management without a running server.
  • Enforce an admin workstation model: Restrict Exchange administrative activity to dedicated, hardened workstations (PAWs) with a minimal software set and no web browsing or email.
  • Enable MFA and Modern Auth: Require multifactor authentication and Modern Authentication (OAuth 2.0) for all admin and user sign‑ins. For on‑prem and hybrid deployments this means Hybrid Modern Authentication, after which legacy basic authentication should be blocked.
  • Emergency mitigations: Keep the Exchange Emergency Mitigation Service (EEMS, built into Exchange 2016 CU22, 2019 CU11 and later) enabled so that Microsoft‑published interim mitigations are applied automatically, and apply any manual mitigations Microsoft publishes for an unpatched issue until the SU is validated and deployed.

Hardening checklist (recommended configuration items)

  • Authentication and access
    • Enforce MFA and Modern Auth for all admin and mail access.
    • Prefer Kerberos for Exchange, client and SMB traffic; audit NTLM use first, then restrict it with the "Network security: Restrict NTLM" policies once nothing still depends on it.
    • Implement role-based access control for Exchange admin roles.
  • Network and transport security
    • Require TLS 1.2 or later with modern cipher suites (disable TLS 1.0 and 1.1 in Schannel on every Exchange server) and enable HSTS on the web virtual directories.
    • Enable Extended Protection for Authentication to mitigate NTLM relay and adversary‑in‑the‑middle attacks. Caveat: it requires identical TLS configuration on every Exchange server and is incompatible with SSL offloading on load balancers (use SSL bridging instead); Microsoft's ExchangeExtendedProtectionManagement.ps1 script checks these prerequisites before enabling it.
    • Restrict management access (RDP, WinRM, and the /ecp and /powershell virtual directories) to trusted IP ranges and jump hosts.
  • Exchange and Windows baselines
    • Apply Microsoft security baselines for Exchange and Windows Server.
    • Enable certificate‑based signing of the PowerShell serialization payload (introduced in a 2023 SU and on by default in current builds), which blocks deserialization attacks against the Exchange PowerShell endpoint; confirm it is on using Microsoft's documented check.
    • Keep the built‑in anti‑spam and anti‑malware agents and the AMSI integration active, with signatures and definitions current.
  • Application surface and dev artifacts
    • Remove development and diagnostic tooling (debuggers, test harnesses, sample or test pages) from production servers.
    • Disable or remove any web-based management or diagnostic modules not required in production.
  • Secrets and session hygiene
    • Enforce short-lived tokens where possible and rotate service account credentials.
    • Revoke stale OAuth tokens and sessions after remediation.
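The following is an added example, not part of the CISA/NSA guidance or any Microsoft script: a read‑only audit of the transport and authentication items in the checklist above. It is meant to be run elevated in the Exchange Management Shell on each Exchange server and needs the IIS WebAdministration module. The front‑end virtual directory list, the registry locations and the "deny outgoing NTLM" threshold are assumptions about a typical deployment; adjust them to your baseline. It reports findings and changes nothing.

```powershell
# Added example (not from the guidance): audit TLS, Extended Protection, NTLM restriction,
# EAC exposure and remote PowerShell enablement on the local Exchange server. Read-only.
Import-Module WebAdministration

function Get-SchannelProtocolState {
    # Server-side state of one Schannel protocol. Enabled=0 under the ...\Server key disables it.
    # An absent key means "OS default", which is not the same as "disabled".
    param([Parameter(Mandatory)][string]$Protocol)   # e.g. 'TLS 1.0'
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\Server"
    $v = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $v)     { return 'OS default (key absent)' }
    if ($v.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Get-ExtendedProtectionState {
    # Extended Protection is an IIS setting per virtual directory: tokenChecking = None|Allow|Require.
    param([Parameter(Mandatory)][string]$Location)   # e.g. 'Default Web Site/ECP'
    $filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    $p = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
                                      -Filter $filter -Name tokenChecking -ErrorAction SilentlyContinue
    if ($null -eq $p)       { return 'not found' }
    if ($null -ne $p.Value) { return "$($p.Value)" }   # attribute-object form
    return "$p"                                        # plain-value form
}

function Get-NtlmRestrictionState {
    # Values behind the "Network security: Restrict NTLM" policies (0 = allow, 1 = audit, 2 = deny).
    $k = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Outgoing = if ($null -ne $k.RestrictSendingNTLMTraffic)   { $k.RestrictSendingNTLMTraffic }   else { 'not set' }
        Incoming = if ($null -ne $k.RestrictReceivingNTLMTraffic) { $k.RestrictReceivingNTLMTraffic } else { 'not set' }
    }
}

function Invoke-ExchangeHardeningAudit {
    # Front-end virtual directories (assumed list; the 'Exchange Back End' site has its own set
    # and is checked the same way with a different -Location prefix).
    $frontEnd = 'API','Autodiscover','ECP','EWS','MAPI','Microsoft-Server-ActiveSync','OAB','OWA','PowerShell','RPC'
    $ep = foreach ($v in $frontEnd) {
        [pscustomobject]@{ VDir = "Default Web Site/$v"; TokenChecking = Get-ExtendedProtectionState "Default Web Site/$v" }
    }
    $ntlm     = Get-NtlmRestrictionState
    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($proto in 'TLS 1.0','TLS 1.1') {
        if ((Get-SchannelProtocolState $proto) -ne 'Disabled') { $findings.Add("$proto not explicitly disabled server-side") }
    }
    foreach ($e in $ep) {
        if ($e.TokenChecking -in 'None','not found') { $findings.Add("Extended Protection off on $($e.VDir)") }
    }
    if ($ntlm.Outgoing -ne 2) { $findings.Add('Outgoing NTLM not denied (audit first, deny once Kerberos works everywhere)') }

    # EAC reachable through an Internet-facing virtual directory? AdminEnabled=$false hides it there.
    foreach ($d in Get-EcpVirtualDirectory -Server $env:COMPUTERNAME) {
        if ($d.AdminEnabled) { $findings.Add("EAC enabled on $($d.Identity); disable on Internet-facing servers") }
    }
    # Remote PowerShell should be enabled only for admin accounts (full enumeration; slow in large orgs).
    $rps = @(Get-User -ResultSize Unlimited | Where-Object { $_.RemotePowerShellEnabled }).Count
    if ($rps -gt 0) { $findings.Add("$rps users have RemotePowerShellEnabled; restrict to admin accounts") }

    [pscustomobject]@{
        Server             = $env:COMPUTERNAME
        ExtendedProtection = $ep
        Ntlm               = $ntlm
        Findings           = $findings.ToArray()
    }
}

$r = Invoke-ExchangeHardeningAudit
$r.ExtendedProtection | Format-Table -AutoSize
$r.Findings
```

Treat the output as a diff against your baseline rather than a verdict: some virtual directories are legitimately set to Allow rather than Require, and "OS default" for TLS 1.0/1.1 means you have to look up what that default is on your Windows Server version, not assume it is off.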

Detection, monitoring, and hunting recommendations

  • Logs to collect
    • Exchange admin audit log and the MSExchange Management event log; IIS logs and Exchange's own HttpProxy logs for OWA/ECP/EWS/PowerShell; Windows Security, System and PowerShell Operational event logs; Microsoft Entra ID (Azure AD) sign‑in logs for hybrid setups.
  • Detection patterns
    • Unusual admin logins from new locations or non‑administrative machines.
    • Unexpected use of Exchange Management Shell from non‑configured workstations.
    • Signs of mailbox export (New-MailboxExportRequest) or mass mailbox access, and unusual EWS usage; Graph API activity applies only to mailboxes hosted in Exchange Online.
    • Web requests containing exploit payload patterns or suspicious query strings.
  • Network telemetry
    • Alert on outbound connections from Exchange servers to anomalous hosts or large data uploads.
    • Monitor for SMB/Kerberos anomalies and NTLM fallbacks.
  • Endpoint/forensics
    • Capture process trees for any suspicious msiexec, powershell, wmic, rundll32, or unusual scripts; in particular, w3wp.exe (the IIS worker process for the Exchange app pools) spawning cmd.exe or powershell.exe is the classic web shell indicator.
    • Preserve memory and disk artifacts if compromise is suspected.
  • Baseline and anomaly
    • Build normal behaviour baselines for admin access and mailbox activity; trigger alerts for deviations.
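The detection patterns above, as an added example that is not part of the guidance: a small IIS W3C log parser plus rules for admin surfaces reached from outside management ranges, POSTs to .aspx files under paths Exchange serves as static content, scripted clients on browser‑only surfaces, suspicious query strings, and LOLBins spawned by w3wp.exe. The log lines and process records are constructed for this example so it runs offline; `$ManagementCidrs`, `$WebShellDropPaths` and the user‑agent list are assumptions to adapt to your environment. Feed `ConvertFrom-IisW3cLog` the contents of `C:\inetpub\logs\LogFiles\W3SVC1\*.log` for real use.

```powershell
# Added example (not from the guidance): Exchange IIS log and process-tree detections.
$ManagementCidrs   = @('198.51.100.0/24')                                 # assumed: where /ecp and /powershell may come from
$WebShellDropPaths = '^/owa/auth/', '^/aspnet_client/', '^/ecp/auth/'     # assumed: static paths that never take POSTs to .aspx

function Test-IPv4InCidr {
    # True when $Ip (IPv4) lies inside $Cidr; anything unparsable ('-', IPv6) is treated as outside.
    param([string]$Ip, [string]$Cidr)
    [System.Net.IPAddress]$addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr) -or $addr.AddressFamily -ne 'InterNetwork') { return $false }
    $net, $bits = $Cidr -split '/'
    $toInt = { param($a) $b = [System.Net.IPAddress]::Parse($a).GetAddressBytes(); [Array]::Reverse($b); [uint64][BitConverter]::ToUInt32($b, 0) }
    $mask = (([uint64]0xFFFFFFFF) -shl (32 - [int]$bits)) -band [uint64]0xFFFFFFFF
    ((& $toInt $Ip) -band $mask) -eq ((& $toInt $net) -band $mask)
}

function ConvertFrom-IisW3cLog {
    # Turn W3C lines into objects using the '#Fields:' header; IIS encodes spaces inside a field as '+'.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields -or -not $line.Trim()) { continue }
        $vals = $line -split ' '
        $o = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $o[$fields[$i]] = if ($i -lt $vals.Count) { $vals[$i] -replace '\+', ' ' } else { $null }
        }
        [pscustomobject]$o
    }
}

function Find-SuspiciousExchangeRequest {
    param([Parameter(Mandatory)][object[]]$Requests)
    foreach ($r in $Requests) {
        $stem = $r.'cs-uri-stem'; $ip = $r.'c-ip'; $q = $r.'cs-uri-query'; $ua = $r.'cs(User-Agent)'
        $reasons = @()
        if ($stem -match '^/(ecp|powershell)(/|$)' -and -not ($ManagementCidrs | Where-Object { Test-IPv4InCidr $ip $_ })) {
            $reasons += 'admin surface reached from outside management ranges' }
        if ($r.'cs-method' -eq 'POST' -and $stem -match '\.aspx$' -and ($WebShellDropPaths | Where-Object { $stem -match $_ })) {
            $reasons += 'POST to .aspx under a web-shell drop path' }
        if ($stem -match '^/(owa|ecp)/' -and $ua -match '^(python-requests|curl|Go-http-client|PowerShell)') {
            $reasons += 'scripted client on a browser-only surface' }
        if ($q -and ($q.Length -gt 512 -or $q -match '\.\./|%2e%2e|/powershell')) {
            $reasons += 'suspicious query string' }
        if ($reasons) {
            [pscustomobject]@{ Time = "$($r.date) $($r.time)"; ClientIP = $ip; Method = $r.'cs-method'
                               Path = $stem; Status = $r.'sc-status'; Reasons = ($reasons -join '; ') }
        }
    }
}

function Find-SuspiciousChildProcess {
    # w3wp.exe hosts the Exchange app pools; it has no business starting shells or LOLBins.
    param([Parameter(Mandatory)][object[]]$Events)
    $lolbins = 'cmd.exe','powershell.exe','pwsh.exe','wmic.exe','rundll32.exe','msiexec.exe','certutil.exe','mshta.exe'
    $Events | Where-Object { $_.ParentImage -match '\\w3wp\.exe$' -and $lolbins -contains ($_.Image -split '\\')[-1] }
}

# Constructed sample data (not real traffic).
$sampleIis = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-11-03 09:14:22 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2025-11-03 09:15:01 POST /ecp/ - 443 CORP\exadmin 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0) 200
2025-11-03 09:15:40 GET /ecp/ - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 401
2025-11-03 09:16:40 POST /owa/auth/help.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2025-11-03 09:17:05 POST /mapi/emsmdb/ MailboxId=abc@corp.example 443 CORP\user1 198.51.100.20 Microsoft+Office/16.0 200
'@ -split "`r?`n"
$sampleProcs = @(
    [pscustomobject]@{ Time = '2025-11-03 09:16:41'; ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'; Image = 'C:\Windows\System32\cmd.exe';     CommandLine = 'cmd.exe /c whoami' },
    [pscustomobject]@{ Time = '2025-11-03 09:20:00'; ParentImage = 'C:\Windows\System32\services.exe';     Image = 'C:\Windows\System32\svchost.exe'; CommandLine = 'svchost.exe -k netsvcs' }
)

Find-SuspiciousExchangeRequest -Requests (ConvertFrom-IisW3cLog -Lines $sampleIis) | Format-Table -AutoSize
Find-SuspiciousChildProcess -Events $sampleProcs | Format-Table -AutoSize
```

On the constructed sample this flags the /ecp request from 203.0.113.7 (outside the management range), the python‑requests POST to /owa/auth/help.aspx (drop path plus scripted client) and the cmd.exe child of w3wp.exe; the legitimate admin POST from 198.51.100.9 and the MAPI traffic pass. The user‑agent rule is deliberately low fidelity and belongs in a hunt, not a paging alert.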

Incident response and recovery steps

  1. Isolate suspected compromised Exchange servers from management and user traffic where feasible.
  2. Preserve evidence: collect Event Logs, Exchange audit logs, IIS logs, system images, and network captures.
  3. Revoke/rotate: reset all Exchange admin credentials, service account passwords, OAuth tokens, and application secrets; if the server's Active Directory privileges may have been abused, treat it as a domain compromise and reset the krbtgt password (twice) as well.
  4. Patch and validate: apply Microsoft patches, then validate system behavior and log integrity.
  5. Rebuild where necessary: prefer rebuilding Exchange hosts from known‑good images if compromise cannot be fully ruled out.
  6. Post‑incident: reissue the Exchange TLS and OAuth certificates and review conditional access policies, MFA coverage, and allowlists.
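Steps 2 and 5 above, as an added example that is not part of the guidance: a first‑hour evidence bundle from a suspect Exchange server, taken before patching or rebuilding. It should be run elevated in the Exchange Management Shell on the server itself; `$Dest` is assumed to be a share the server cannot alter afterwards, and the event channels, log folders and web‑root scan paths are typical locations that you should confirm for your build. Memory capture needs a separate tool and is not covered here.

```powershell
# Added example (not from the guidance): preserve logs, audit records, web-root hashes and
# volatile state from a suspect Exchange server, with a hash manifest of the bundle.
function Invoke-ExchangeEvidenceCollection {
    param([Parameter(Mandatory)][string]$Dest, [int]$LookbackDays = 30)

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $out    = Join-Path $Dest "$env:COMPUTERNAME-$stamp"
    $since  = (Get-Date).AddDays(-$LookbackDays)
    $exRoot = $env:ExchangeInstallPath          # set on every Exchange server
    New-Item -ItemType Directory -Path $out -Force | Out-Null

    # 1. Event logs: export live channels instead of copying .evtx files that are still open.
    foreach ($ch in 'Security','System','Application','MSExchange Management',
                    'Microsoft-Windows-PowerShell/Operational','Microsoft-Windows-Sysmon/Operational') {
        $file = Join-Path $out (($ch -replace '[\\/ ]', '_') + '.evtx')
        & wevtutil.exe epl $ch $file 2>$null     # Sysmon channel is absent when Sysmon is not installed
    }

    # 2. Request trail: IIS logs plus Exchange's own HttpProxy and cmdlet logs.
    foreach ($src in 'C:\inetpub\logs\LogFiles', (Join-Path $exRoot 'Logging\HttpProxy'),
                     (Join-Path $exRoot 'Logging\CmdletInfra')) {
        Copy-Item $src (Join-Path $out (Split-Path $src -Leaf)) -Recurse -ErrorAction SilentlyContinue
    }

    # 3. Admin audit log: which cmdlets ran (mailbox exports, role assignments, transport rules).
    Search-AdminAuditLog -StartDate $since -ResultSize 250000 |
        Export-Clixml (Join-Path $out 'admin-audit.xml')

    # 4. Web shell sweep: hash every server-side script under the paths IIS serves for Exchange and
    #    mark files written inside the lookback window; diff the hashes against a clean install.
    $scanRoots = (Join-Path $exRoot 'FrontEnd\HttpProxy'), (Join-Path $exRoot 'ClientAccess'),
                 'C:\inetpub\wwwroot\aspnet_client'
    Get-ChildItem -Path $scanRoots -Recurse -Include *.aspx,*.ashx,*.asmx,*.asax,*.config -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                LastWrite = $_.LastWriteTimeUtc
                Recent    = $_.LastWriteTimeUtc -gt $since.ToUniversalTime()
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv (Join-Path $out 'webroot-hashes.csv') -NoTypeInformation

    # 5. Volatile state: process tree (parent IDs matter), sockets, persistence, local admins.
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate |
        Export-Csv (Join-Path $out 'processes.csv') -NoTypeInformation
    Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
        Export-Csv (Join-Path $out 'tcp.csv') -NoTypeInformation
    Get-ScheduledTask | Export-Clixml (Join-Path $out 'scheduled-tasks.xml')
    Get-LocalGroupMember -Group Administrators | Export-Csv (Join-Path $out 'local-admins.csv') -NoTypeInformation

    # 6. Manifest of the bundle's hashes, written beside the bundle so it can be attested later.
    Get-ChildItem $out -Recurse -File | Get-FileHash -Algorithm SHA256 |
        Export-Csv (Join-Path $Dest "$env:COMPUTERNAME-$stamp.manifest.csv") -NoTypeInformation
    return $out
}

Invoke-ExchangeEvidenceCollection -Dest '\\evidence\exchange$'
```

Record the manifest hash out of band (ticket, notebook) as soon as the run finishes; the point of step 6 is that a later tamper with the bundle is provable. Full disk images, if you take them, should be captured from the hypervisor or a boot medium rather than from within the suspect OS.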

Business View

  • Executive view
    • CISA/NSA guidance: urgent patching, admin access restriction, MFA enforcement, and decommissioning of unsupported Exchange servers to reduce risk of total domain compromise.
  • Ops/developer view
    • Patch Exchange 2016/2019/Subscription Edition now; restrict admin actions to hardened jump boxes; enable MFA and revoke stale tokens.
  • Customer/partner view
    • We are applying CISA/NSA Exchange hardening recommendations: patching servers, tightening admin access, and enforcing MFA to protect your mail and identity assets.

Low‑effort tactical mitigations to apply now

  • Restrict admin access at the perimeter: the Exchange admin center (/ecp) and remote PowerShell (/powershell) share TCP 443 with OWA, so limit them by path (IIS IP restrictions or reverse‑proxy rules) or disable the EAC on Internet‑facing virtual directories, and allow RDP/WinRM only from a short list of management IPs or VPN ranges.
  • Enforce conditional access policies in Microsoft Entra ID (Azure AD): block legacy authentication and require MFA.
  • Enable EDR/AV and increase telemetry for Exchange servers; raise priority for alerts from these systems.
  • Run a quick audit for any leftover on‑prem Exchange servers and produce an inventory with versions and patch status.
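The inventory and patch‑status audit above, and the patch, EEMS and decommissioning checks in the immediate‑actions list, as one added example that is not part of the guidance. It runs in the Exchange Management Shell as a member of Organization Management and assumes PowerShell remoting to every Exchange server. Family boundaries follow Microsoft's version numbering (15.0 = 2013, 15.1 = 2016, 15.2 = 2019 and Subscription Edition); the SE cut‑over build 15.2.2562 and the `-MinimumBuild` value are assumptions to confirm against Microsoft's "Exchange Server build numbers and release dates" page before relying on the BelowMinimumBuild column.

```powershell
# Added example (not from the guidance): inventory every on-prem Exchange server with its real
# build, support status, mailbox count and Emergency Mitigation Service state.

function Get-ExchangeBuildFamily {
    # Classify an ExSetup.exe product version. End-of-support dates are Microsoft's published ones.
    param([Parameter(Mandatory)][version]$Build)
    $fam = switch ("$($Build.Major).$($Build.Minor)") {
        '15.0'  { 'Exchange 2013', [datetime]'2023-04-11' }
        '15.1'  { 'Exchange 2016', [datetime]'2025-10-14' }
        '15.2'  { if ($Build.Build -ge 2562) { 'Exchange SE', $null }      # assumed SE RTM boundary
                  else                        { 'Exchange 2019', [datetime]'2025-10-14' } }
        default { "Unknown ($Build)", $null }
    }
    [pscustomobject]@{ Family = $fam[0]; EndOfSupport = $fam[1] }
}

function Get-ExchangePatchInventory {
    # One row per server. The build comes from ExSetup.exe because AdminDisplayVersion only
    # tracks the CU; -MinimumBuild is the current SU build you take from Microsoft's table.
    param([version]$MinimumBuild)
    foreach ($srv in Get-ExchangeServer) {
        $build = $null
        try {
            $build = [version](Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock {
                (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion })
        } catch { Write-Warning "$($srv.Name): could not read ExSetup build ($_)" }
        $fam = if ($build) { Get-ExchangeBuildFamily -Build $build }

        $mbx = 0
        foreach ($db in Get-MailboxDatabase -Server $srv.Name -ErrorAction SilentlyContinue) {
            $mbx += @(Get-Mailbox -Database $db.Identity -ResultSize Unlimited -ErrorAction SilentlyContinue).Count
        }
        [pscustomobject]@{
            Server             = $srv.Name
            Role               = $srv.ServerRole
            Family             = $fam.Family
            EndOfSupport       = $fam.EndOfSupport
            Build              = $build
            BelowMinimumBuild  = if ($MinimumBuild -and $build) { $build -lt $MinimumBuild } else { $null }
            HostedMailboxes    = $mbx
            MitigationsEnabled = $srv.MitigationsEnabled        # per-server EEMS switch
            # Zero mailboxes is only a prompt to look: a hybrid management server hosts none but is
            # still needed until recipient management moves to the management-tools-only install.
            ReviewForDecommission = ($mbx -eq 0)
        }
    }
}

$inv = Get-ExchangePatchInventory -MinimumBuild '15.2.2562.17'   # assumed value; use the current SU build
$inv | Format-Table Server, Family, Build, BelowMinimumBuild, EndOfSupport, HostedMailboxes, MitigationsEnabled, ReviewForDecommission -AutoSize
$inv | Export-Csv .\exchange-inventory.csv -NoTypeInformation
"Organization-wide Emergency Mitigation Service enabled: $((Get-OrganizationConfig).MitigationsEnabled)"
```

Servers that fail the remoting call still appear in the CSV with an empty Build column; treat those as unknown, not as patched. Exchange servers that Active Directory still knows about but that no longer answer are exactly the forgotten hosts the guidance wants removed, so chase each blank row to a decommission ticket or a fix.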
