  • NSA Issues Microsoft Exchange Server ‘High-Risk Of Compromise’ Alert

    aum

    • 276 views
    • 3 minutes

    Microsoft has been in the media spotlight recently as Windows attackers exploit a no-patch vulnerability, emergency security updates are issued for another ongoing exploit, and the Cybersecurity and Infrastructure Security Agency (CISA) tells federal agencies to update now as Windows Server attacks are confirmed in the wild. It’s not all bad news, though: the National Security Agency has issued a security best practices guide to defending your Microsoft Exchange Servers, with CISA warning the platform remains “at high risk of compromise.”

     

    Microsoft Exchange Server Security Best Practices

     

    This isn’t the first time that U.S. security agencies have warned about the dangers of attacks targeting Microsoft Exchange Servers, and likely will not be the last. It is, however, a long-overdue acceptance of the need for official guidance when it comes to Microsoft Exchange Server security best practices. Not just for government agencies, but all enterprises. Sure, there’s plenty of such advice already out there, not least from Microsoft itself, but the added weight of CISA and the NSA certainly isn’t to be sniffed at.

     

    Thankfully, for such things, the document itself is relatively short and to the point at just 10 pages of Microsoft Exchange Server security guidance. The brevity is noted by the NSA and CISA within the introductory paragraph: “This document outlines several security best practices, but is not an all-inclusive hardening guide. Active monitoring for compromises and planning for potential incidents and recovery, while not discussed in this guidance, are equally important areas for Exchange.”

     

    So, what does the guidance cover then?

     

    While you are, rather obviously, recommended to go and read the entire best practices guidance yourself, here’s the bullet point summary:

     

    •     Maintain security updates and patching cadence
    •     Migrate end-of-life Exchange Servers
    •     Ensure Emergency Mitigation Service remains enabled
    •     Apply security baselines
    •     Enable built-in protections
    •     Restrict administrative access
    •     Harden authentication and encryption
    •     Configure Transport Layer Security
    •     Configure Extended Protection
    •     Configure Kerberos and SMB instead of NTLM
    •     Configure Modern Authentication and multifactor authentication
    •     Configure certificate-based signing of PowerShell serialization
    •     Configure Strict Transport Security
    •     Configure Download Domains
    •     Use role management and split permissions
    •     Use P2 FROM header manipulation detection

     

    Look, nobody said that security was easy, OK? But as the NSA concluded, “securing Exchange servers is essential for maintaining the integrity and confidentiality of enterprise communications and functions.” By using the best practices outlined above, you can help reduce the risk to your organization from Microsoft Exchange Server attackers.

     

    Source

