In a timely response to escalating threats against email infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the National Security Agency (NSA), Australian Cyber Security Centre (ACSC), and Canadian Centre for Cyber Security, released a comprehensive guide on October 2025 outlining best practices for securing on-premises Microsoft Exchange Servers.
Titled “Microsoft Exchange Server Security Best Practices,” the document emphasizes proactive hardening measures amid persistent attacks on these critical systems, which handle sensitive organizational communications.
This joint effort arrives just weeks after Microsoft ended support for older Exchange versions on October 14, 2025, heightening risks for unpatched environments.
The guide underscores the urgency of adopting a prevention-focused posture, starting with rigorous maintenance of security updates and patching.
Administrators are urged to apply the latest Cumulative Updates (CUs) biannually and monthly security/hotfix patches to counter rapid exploit development by threat actors.
Tools like Microsoft’s Exchange Health Checker and SetupAssist are recommended to verify readiness and facilitate updates, reducing vulnerability exposure over time.
For end-of-life (EOL) servers, immediate migration to Exchange Server Subscription Edition (SE) the only supported on-premises version is critical, with interim isolation from the internet advised if full upgrades are delayed.
Ensuring the Exchange Emergency Mitigation (EM) Service remains enabled is also vital, as it deploys automatic protections like URL Rewrite rules against malicious HTTP requests.
Microsoft Exchange Server Hardening Guide
Beyond patching, the guidance advocates applying established security baselines from providers like DISA, CIS, and Microsoft to standardize configurations across Exchange, Windows, and mail clients.
Enabling built-in defenses such as Microsoft Defender Antivirus, Attack Surface Reduction rules, and application controls like AppLocker fortifies servers against malware and unauthorized executions.
Endpoint Detection and Response (EDR) tools are highlighted for advanced threat visibility, while Exchange’s anti-spam and anti-malware features should be activated to filter malicious emails.
To enhance email authentication, organizations must manually implement the DMARC, SPF, and DKIM standards, potentially via third-party add-ons or gateways.
Authentication and encryption hardening form the core of the recommendations. Configuring Transport Layer Security (TLS) consistently across servers prevents data tampering and impersonation, with Extended Protection (EP) added to thwart adversary-in-the-middle attacks through channel binding.
Shifting from deprecated NTLM to Kerberos and SMB protocols is essential, including auditing legacy usage and preparing for NTLM’s phase-out.
Modern Authentication with multifactor authentication (MFA) via Active Directory Federation Services replaces vulnerable Basic Authentication, while certificate-based signing secures PowerShell serialization.
Additional measures include HTTP Strict Transport Security (HSTS) to enforce HTTPS, Download Domains to mitigate cross-site request forgery, and role-based access control (RBAC) with split permissions to enforce least privilege, limiting admin access to dedicated workstations. Detecting P2 FROM header manipulations adds a layer against email spoofing.
This guide aligns with Zero Trust principles, promoting deny-by-default access, minimizing attack surfaces, and continuous evaluation to safeguard email integrity. While not exhaustive, it complements incident response planning and hybrid-specific directives like CISA’s Emergency Directive 25-02.
As Exchange remains a prime target, evidenced by past exploits like HAFNIUM and recent zero-days, organizations, especially in critical sectors, must prioritize these steps to avert breaches.
The authoring agencies stress that unhardened servers pose imminent risks, urging swift implementation to protect against data extortion, ransomware, and espionage.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
