The guidance
The guidance says admins should treat on-prem Exchange servers as being “under imminent threat,” and itemizes key practices for admins:
- First, it notes, “the best protection against exploitation is making certain all Exchange servers are running the latest version and Cumulative Update (CU)”;
- It points out that Microsoft Exchange Server Subscription Edition (SE) is the only supported on-premises version of Exchange, since Microsoft ended support for earlier versions on October 14, 2025;
- It urges admins to ensure Microsoft’s Emergency Mitigation Service stays enabled for delivery of interim mitigations;
- It urges admins to establish a security baseline for Exchange Server, mail clients, and Windows. Maintaining a security baseline enables administrators to identify non-conforming systems and those with incorrect security configurations, as well as allowing them to perform rapid remediation that reduces the attack surface available to an adversary;
- It advises admins to enable built-in protection like Microsoft Defender Antivirus and other Windows features if they aren’t using third-party security software. Application Control for Windows (App Control for Business and AppLocker) is an important security feature that strengthens the security of Exchange servers by controlling the execution of executable content, the advice adds;
- It urges admins to make sure that only authorized, dedicated administrative workstations are permitted to access Exchange administrative environments, including via remote PowerShell;
- It tells admins to harden authentication and encryption for identity verification;
- It advises that Extended Protection (EP) be configured with consistent TLS settings and NTLM configurations. These make EP operate correctly across multiple Exchange servers;
- It advises admins to ensure that the default setting for the P2 FROM header is enabled, to detect header manipulation and spoofing;
- It says admins should enable HTTP Strict Transport Security (HSTS) to force all browser connections to be encrypted with HTTPS.
Given the number of configuration options available, it can be difficult for many organizations to select the optimal security configuration for their particular organization at the time of installation, Beggs admits. This is made more complex, he said, if implementations occur in a shared services model where the Exchange server is hosted in the cloud, and may be configured and maintained by a third party, and responsibility for a secure configuration is not clear.
“A little-known aspect of securely configuring Exchange is that applying patches and upgrades from the vendor may reset or change some security configuration information,” he noted. While the guidance urges admins to ‘apply security baselines,’ Beggs said they should verify that the correct security baseline was applied. And, he added, they should review configuration settings at least quarterly.
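Both the requirement that Extended Protection settings stay consistent across servers and Beggs's point that updates can revert settings lend themselves to an automated check after each CU and at each quarterly review. The Python below is an added example, not code from the guidance or from Microsoft; the setting names, server names and snapshot layout are hypothetical placeholders for whatever configuration export an organization collects.

```python
# Added example: setting names and snapshot layout are hypothetical
# placeholders, not real Exchange or Windows property names.
from collections import defaultdict

# Constructed baseline: values every server is expected to match exactly.
BASELINE = {
    "emergency_mitigation_enabled": True,
    "extended_protection": "Required",
    "hsts_enabled": True,
    "min_tls_version": "1.2",
}

# Settings that must be identical on every server for Extended Protection
# to operate correctly, whatever value is chosen.
MUST_MATCH_ACROSS_SERVERS = ("min_tls_version", "ntlm_level")

def baseline_drift(snapshot, baseline=BASELINE):
    """Return {setting: (expected, actual)} for each deviation.
    A setting missing from the snapshot counts as drift (actual is None)."""
    return {k: (want, snapshot.get(k))
            for k, want in baseline.items() if snapshot.get(k) != want}

def cross_server_mismatches(snapshots, keys=MUST_MATCH_ACROSS_SERVERS):
    """Return {setting: {value: [servers]}} for settings that differ between servers."""
    out = {}
    for key in keys:
        by_value = defaultdict(list)
        for server, snap in sorted(snapshots.items()):
            by_value[snap.get(key)].append(server)
        if len(by_value) > 1:
            out[key] = dict(by_value)
    return out

def audit(snapshots):
    """Combine per-server baseline drift with cross-server inconsistencies."""
    drift = {s: d for s, snap in snapshots.items() if (d := baseline_drift(snap))}
    return {"drift": drift, "mismatch": cross_server_mismatches(snapshots)}

# Constructed sample: EX02 was just updated and two settings reverted.
SAMPLE = {
    "EX01": {"emergency_mitigation_enabled": True, "extended_protection": "Required",
             "hsts_enabled": True, "min_tls_version": "1.2", "ntlm_level": 5},
    "EX02": {"emergency_mitigation_enabled": True, "extended_protection": "Required",
             "hsts_enabled": False, "min_tls_version": "1.0", "ntlm_level": 5},
}

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE), indent=2, default=str))
```

Running the same audit on snapshots taken before and after an update shows which settings the update changed, which is the verification step Beggs describes.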

