CISA & NSA share tips on securing Microsoft Exchange servers

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released guidance to help IT administrators harden Microsoft Exchange servers on their networks against attacks.

They recommended best practices, including:

  • hardening user authentication and access,
  • minimizing application attack surfaces,
  • ensuring strong network encryption.

The agencies also advise network defenders to decommission end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365, because keeping one last Exchange server in their environment that isn’t kept up-to-date can expose their organizations to attacks and significantly increase security breach risks.

Additionally, although not addressed by CISA and the NSA’s guide, monitoring for malicious or suspicious activity and planning for potential incidents and recovery are equally crucial for mitigating risks associated with on-prem Exchange servers.

“By restricting administrative access, implementing multifactor authentication, enforcing strict transport security configurations, and adopting zero trust (ZT) security model principles, organizations can significantly bolster their defenses against potential cyberattacks,” said the two agencies on Thursday, joined by the Australian Cyber Security Centre (ACSC) and the Canadian Centre for Cyber Security (Cyber Centre).

“Additionally, as certain Exchange Server versions have recently become end-of-life (EOL), the authoring agencies strongly encourage organizations to take proactive steps to mitigate risks and prevent malicious activity.”

CISA, the NSA, and their partners shared over a dozen key security recommendations for network defenders, including keeping servers up-to-date, migrating from unsupported Exchange versions, enabling emergency mitigation services, activating built-in anti-spam and anti-malware features, restricting administrative access to authorized workstations, and implementing security baselines for both Exchange Server and Windows systems.

The agencies also recommend strengthening authentication by enabling MFA and Modern Auth, leveraging OAuth 2.0, and deploying Kerberos and SMB instead of NTLM to secure authentication processes.

Organizations should also enable certificate-based signing for the Exchange Management Shell and implement HTTP Strict Transport Security to ensure secure browser connections.

Additionally, they should implement role-based access control to manage user and administrator permissions, configure Download Domains to block Cross-Site Request Forgery attacks, and monitor for P2 FROM header manipulation attempts to prevent sender spoofing.
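One defender-side check behind the P2 FROM recommendation above, written as an added example that is not part of the agencies' guidance: compare the P1 envelope sender (Return-Path, assumed to hold the MAIL FROM recorded at delivery) with the P2 From header, and also inspect the display name and Reply-To for mismatched domains. The sample headers are constructed; in practice the input would come from stored messages or a mail-flow export.

```python
"""Flag P2 (From header) spoofing against the P1 envelope sender.
Added example, not from the CISA/NSA guidance. Assumes Return-Path holds the
envelope MAIL FROM (P1) recorded at delivery; From is the P2 address users see.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (headers only), not real traffic.
LEGIT = """\
Return-Path: <alice@corp.example>
From: Alice Example <alice@corp.example>
To: bob@corp.example
Subject: Q3 figures
"""
SPOOFED = """\
Return-Path: <bounce@attacker.example>
From: "ceo@corp.example" <ceo@corp-mail.example>
Reply-To: payments@attacker-pay.example
To: bob@corp.example
Subject: Urgent wire transfer
"""
_ADDR_IN_NAME = re.compile(r'[^\s<>"]+@[^\s<>"]+')


def _domain(addr: str) -> str:
    """Lower-cased domain of an address ("" when there is no @)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_p2_from(raw: str) -> list[str]:
    """Return findings for one stored message; [] means nothing suspicious."""
    msg = message_from_string(raw)
    _, p1_addr = parseaddr(msg.get("Return-Path", ""))
    p2_name, p2_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if not p2_addr:
        return ["missing or unparsable From (P2) header"]
    findings = []
    # 1. Envelope (P1) domain differs from the displayed From (P2) domain.
    if p1_addr and _domain(p1_addr) != _domain(p2_addr):
        findings.append(f"P1/P2 mismatch: envelope {p1_addr} vs From {p2_addr}")
    # 2. Display name carries an address from another domain (lookalike trick).
    hit = _ADDR_IN_NAME.search(p2_name)
    if hit and _domain(hit.group()) != _domain(p2_addr):
        findings.append(f"display name shows {hit.group()} but address is {p2_addr}")
    # 3. Replies are redirected to a third domain.
    if reply_addr and _domain(reply_addr) != _domain(p2_addr):
        findings.append(f"Reply-To {reply_addr} is outside the From domain")
    return findings
```

Whether a subdomain in Return-Path (common for legitimate bulk senders) should count as a mismatch is a tuning decision; the exact-domain comparison here errs toward alerting.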

In recent years, state-backed and financially motivated hacking groups have exploited multiple Exchange security vulnerabilities to breach servers, including the ProxyShell and ProxyLogon zero-day bugs. For instance, at least ten hacking groups exploited the ProxyLogon flaws in March 2021, including the notorious Silk Typhoon Chinese-sponsored threat group.

(Source: BleepingComputer)
