The guidance
The guidance states admins should treat on-prem Exchange servers as being “under imminent threat,” and itemizes key practices for admins:
- First, it notes, “the most effective defense against exploitation is ensuring all Exchange servers are running the latest version and Cumulative Update (CU)”;
- It points out that Microsoft Exchange Server Subscription Edition (SE) is the sole supported on-premises version of Exchange, since Microsoft ended support for previous versions on October 14, 2025;
- It urges admins to ensure Microsoft’s Emergency Mitigation Service remains enabled for delivery of interim mitigations;
- It urges admins to establish a security baseline for Exchange Server, mail clients, and Windows. Maintaining a security baseline enables administrators to identify non-conforming systems and those with incorrect security configurations, as well as allowing them to perform rapid remediation that reduces the attack surface available to an adversary;
- It advises admins to enable built-in protection like Microsoft Defender Antivirus and other Windows features if they aren’t using third party security software. Application Control for Windows (App Control for Business and AppLocker) is an important security feature that strengthens the security of Exchange servers by controlling the execution of executable content, the advice adds;
- It urges admins to make sure only authorized, dedicated administrative workstations should be permitted to access Exchange administrative environments, including via remote PowerShell;
- It tells admins to make sure to harden authentication and encryption for identity verification;
- It advises that Extended Protection (EP) be configured with consistent TLS settings and NTLM configurations. These make EP operate correctly across multiple Exchange servers;
- It advises admins to ensure that the default setting for the P2 FROM header is enabled, to detect header manipulation and spoofing;
- It says admins should enable HTTP Strict Transport Security (HSTS) to force all browser connections to be encrypted with HTTPS.
Given the number of configuration options available, it can be difficult for many organizations to select the optimal security configuration for their particular organization at the time of installation, Beggs admits. This is made more complex, he said, if implementations occur in a shared services model where the Exchange server is hosted in the cloud, and may be configured and maintained by a third party, and responsibility for a secure configuration is not clear.
“A little-recognized aspect of securely configuring Exchange is that applying patches and upgrades from the vendor may reset or change some security configuration information,” he noted. While the guidance urges admins to ‘apply security baselines,’ Beggs said they should verify that the correct security baseline was applied. And, he added, they should review configuration settings at least quarterly.
