The September update for Microsoft Exchange includes a new security feature for on-premises servers – they can now automatically mitigate new vulnerabilities just like the cloud versions used by Office 365.
The last 12 months have not been fun for Exchange administrators: a series of high-profile vulnerabilities affecting on-premises Exchange servers has forced emergency patching or the manual application of mitigations to defend against large-scale automated campaigns. With threat actors now beginning to scan for new vulnerabilities within minutes of their publication, it is increasingly challenging for server admins to keep track of the latest vulnerabilities and to schedule a patch or mitigation in a timely manner. With the new Exchange Server Emergency Mitigation service, Microsoft is offering an automatic solution.
Emergency Mitigation (EM) is a new Exchange component included in the September Cumulative Update for Exchange. It is enabled by default.
Once an hour the EM service checks with the same Office Config Service used by Office 365 infrastructure servers to look for newly published mitigations. If any are available, they are downloaded and applied to the Exchange Server. These automatic mitigations do not replace the installation of security patches, as Microsoft says:
This new service is not a replacement for installing Exchange Server Security Updates (SUs), but it is the fastest and easiest way to mitigate the highest risks to Internet-connected, on-premises Exchange servers prior to installing applicable SUs.
The EM service is able to apply mitigations by automatically taking actions such as:
- Implementing an IIS rewrite rule to filter malicious HTTPS requests;
- Disabling an Exchange service; and
- Disabling a virtual directory or app pool.
When first installed, the EM service will download and install a test mitigation called PING that doesn’t actually make any changes to the server but does confirm the new system is working and is ready to install a new mitigation when any are published.
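The following PowerShell snippet is an added example for checking that the EM service is present, enabled and has applied the PING test mitigation described above; it is not code from the article or from Microsoft. It assumes (none of this is stated on the page) that the service is registered as the Windows service MSExchangeMitigation, that Get-OrganizationConfig and Get-ExchangeServer expose MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties, and that a Get-Mitigations.ps1 script ships in the Exchange Scripts folder; the Office Config Service host name is left as a placeholder.

```powershell
# Added example (not from the article): verify the state of the Exchange
# Emergency Mitigation (EM) service on the local Mailbox server.
# Assumed names (not on the page): MSExchangeMitigation, the Mitigations*
# properties on Get-OrganizationConfig / Get-ExchangeServer, and
# Get-Mitigations.ps1. Run from the Exchange Management Shell.

# 1. Is the EM Windows service present and running?
Get-Service -Name MSExchangeMitigation | Select-Object Name, Status, StartType

# 2. Is EM enabled at the organisation level and for this server, and which
#    mitigations have been applied or blocked? A healthy new install should
#    show the PING test mitigation under MitigationsApplied.
$server = $env:COMPUTERNAME
Get-OrganizationConfig | Select-Object MitigationsEnabled
Get-ExchangeServer -Identity $server |
    Select-Object Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

# 3. Detailed per-mitigation view (description, status, date applied).
& "$env:ExchangeInstallPath\Scripts\Get-Mitigations.ps1"

# 4. If nothing has been applied, confirm the server can reach the Office
#    Config Service that EM polls once an hour. The article does not name the
#    endpoint, so the host below is a placeholder to replace with the one in
#    Microsoft's documentation.
Test-NetConnection -ComputerName '<office-config-service-host>' -Port 443
```

If MitigationsEnabled is false at either level, or the service is stopped, EM will not pull new mitigations even though the cumulative update is installed, so these three checks are worth adding to any post-update validation runbook.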
Full details of the new service, and of the options for blocking or removing specific mitigations, are given in a new blog post from the Microsoft Exchange team.