
Secure Your Microsoft Exchange Servers: CISA & NSA Guidance

Summary

– CISA, NSA, and international partners released guidance to harden Microsoft Exchange servers against attacks, including over a dozen security recommendations.
– Key recommendations include hardening user authentication, minimizing attack surfaces, decommissioning end-of-life servers, and implementing multifactor authentication and zero trust principles.
– The guidance addresses vulnerabilities like CVE-2025-53786, which allows attackers with admin access to move from on-premises servers to cloud environments, risking total domain compromise.
– Recent data shows thousands of vulnerable servers remain exposed, with Shadowserver finding over 29,000 unpatched and CERT-Bund reporting 92% of German servers running end-of-life versions.
– State-backed and financially motivated hacking groups have historically exploited Exchange vulnerabilities, such as ProxyShell and ProxyLogon, to breach systems.

Protecting Microsoft Exchange servers from cyberattacks requires a proactive and multi-layered security approach, according to a new joint advisory from leading cybersecurity authorities. The guidance, issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) in collaboration with international partners, provides a comprehensive set of best practices for IT administrators.

A central recommendation involves the decommissioning of end-of-life on-premises or hybrid Exchange servers once a transition to Microsoft 365 is complete. Maintaining a single, outdated server can create a critical vulnerability, exposing the entire organization to significant security risks. Beyond migration, the advisory stresses the importance of hardening user authentication, minimizing the application’s attack surface, and ensuring robust network encryption.

The agencies outlined over a dozen critical security measures. These include keeping all servers meticulously updated, migrating away from unsupported Exchange versions, and activating built-in security features like anti-spam and anti-malware filters. Restricting administrative access to specific, authorized workstations is another foundational step to limit an attacker’s reach.

To strengthen authentication, organizations should enable multifactor authentication (MFA) and Modern Authentication, while leveraging protocols like OAuth 2.0. The guidance also advises deploying Kerberos and SMB to replace the less secure NTLM protocol. For protecting data in transit, configuring Transport Layer Security (TLS) and Extended Protection is essential to defend against adversary-in-the-middle and relay attacks.

Additional technical controls are recommended, such as enabling certificate-based signing for the Exchange Management Shell and implementing HTTP Strict Transport Security for browser connections. Implementing role-based access control helps manage permissions effectively, while configuring Download Domains can block Cross-Site Request Forgery attacks. Monitoring for P2 FROM header manipulation is also crucial to prevent sender spoofing attempts.
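The controls listed in the preceding paragraphs can be verified without changing anything on the server. The script below is an added example, not part of the advisory or of Microsoft's tooling. It assumes it is run in the Exchange Management Shell on an Exchange 2016/2019/Subscription Edition server with the IIS WebAdministration module present; the list of virtual directories, the SE build threshold (taken from the SE RTM build number) and the IIS configuration paths are assumptions to verify against current Microsoft documentation. It does not cover MFA or NTLM restriction, which are enforced outside Exchange itself.

```powershell
# Added example: read-only audit of several hardening controls named in the CISA/NSA guidance.
# Assumed environment: Exchange Management Shell on the server, WebAdministration module available.
function Get-ExchangeHardeningReport {
    [CmdletBinding()]
    param(
        # Virtual directories to check for Extended Protection (assumed list; extend as needed).
        [string[]] $VirtualDirectories = @('EWS', 'OAB', 'Autodiscover', 'ECP', 'Mapi', 'Microsoft-Server-ActiveSync', 'Rpc')
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string] $Check, [string] $Status, [string] $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
    }
    # IIS property reads return either a bare value or an attribute object with a .Value member.
    function Get-IisValue($Raw) {
        if ($null -ne $Raw -and $Raw.PSObject.Properties['Value']) { return $Raw.Value } else { return $Raw }
    }

    # 1. Supported version. 15.0 and below (Exchange 2013 and earlier) and 15.1 (Exchange 2016)
    #    are out of support, as is Exchange 2019 (15.2). Subscription Edition also reports 15.2,
    #    so it is told apart by build number; the 2562 threshold is an assumption from the SE RTM build.
    foreach ($srv in Get-ExchangeServer) {
        $v = $srv.AdminDisplayVersion
        $eol = ($v.Major -lt 15) -or ($v.Major -eq 15 -and $v.Minor -le 1) -or
               ($v.Major -eq 15 -and $v.Minor -eq 2 -and $v.Build -lt 2562)
        Add-Finding "Supported version: $($srv.Name)" $(if ($eol) { 'FAIL' } else { 'PASS' }) "$v"
    }

    # 2. Modern Authentication (OAuth 2.0) and Download Domains, both organization-level settings.
    $org = Get-OrganizationConfig
    Add-Finding 'Modern Authentication (OAuth2ClientProfileEnabled)' `
        $(if ($org.OAuth2ClientProfileEnabled) { 'PASS' } else { 'FAIL' }) "$($org.OAuth2ClientProfileEnabled)"
    Add-Finding 'Download Domains (EnableDownloadDomains)' `
        $(if ($org.EnableDownloadDomains) { 'PASS' } else { 'FAIL' }) "$($org.EnableDownloadDomains)"

    # 3. Certificate-based signing of PowerShell serialized data. Microsoft enables it with a
    #    setting override in section EnableSerializationDataSigning; the property names used here
    #    follow the New-SettingOverride parameters (Component/Section).
    $sign = Get-SettingOverride | Where-Object { $_.SectionName -eq 'EnableSerializationDataSigning' }
    Add-Finding 'Serialized data signing override' $(if ($sign) { 'PASS' } else { 'FAIL' }) `
        $(if ($sign) { ($sign.Parameters -join ';') } else { 'no override found' })

    # 4. Extended Protection: IIS tokenChecking must not be None on the Exchange virtual directories.
    Import-Module WebAdministration -ErrorAction Stop
    foreach ($vdir in $VirtualDirectories) {
        $path = "IIS:\Sites\Default Web Site\$vdir"
        if (-not (Test-Path $path)) { continue }
        $tc = Get-IisValue (Get-WebConfigurationProperty -PSPath $path `
                -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
                -Name 'tokenChecking')
        Add-Finding "Extended Protection: $vdir" $(if ("$tc" -eq 'None') { 'FAIL' } else { 'PASS' }) "tokenChecking=$tc"
    }

    # 5. HSTS on the Default Web Site (IIS 10 site-level <hsts> element; path is an assumption).
    $hstsFilter = "system.applicationHost/sites/site[@name='Default Web Site']/hsts"
    $hstsOn  = Get-IisValue (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $hstsFilter -Name 'enabled')
    $hstsAge = Get-IisValue (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $hstsFilter -Name 'max-age')
    Add-Finding 'HSTS enabled on Default Web Site' $(if ("$hstsOn" -eq 'True') { 'PASS' } else { 'FAIL' }) "enabled=$hstsOn max-age=$hstsAge"

    # 6. Built-in anti-malware filtering must not be bypassed on any server.
    foreach ($mf in Get-MalwareFilteringServer) {
        Add-Finding "Anti-malware filtering: $($mf.Name)" $(if ($mf.BypassFiltering) { 'FAIL' } else { 'PASS' }) "BypassFiltering=$($mf.BypassFiltering)"
    }

    return $findings
}

# Usage: list failing checks first so they stand out.
Get-ExchangeHardeningReport | Sort-Object Status | Format-Table -AutoSize
```

The report is deliberately read-only; fixing a FAIL line means following the corresponding Microsoft procedure (for Extended Protection, Microsoft's own ExchangeExtendedProtectionManagement.ps1 script), not editing IIS by hand, since several of these settings interact with load balancers and hybrid configuration.

The P2 FROM monitoring mentioned in the last sentence above is a comparison between the envelope sender (P1, surfaced after delivery as the Return-Path header) and the displayed From header (P2). The following function is an added example, not from the advisory; it works on raw header text with constructed sample messages, so it runs in any PowerShell session without Exchange. The internal domain list is an assumed input.

```powershell
# Added example: flag messages whose P2 "From:" domain claims to be internal while the P1
# envelope sender (Return-Path) belongs to another domain, a common sender-spoofing shape.
function Get-HeaderAddress {
    param([string] $Headers, [string] $Name)
    # Match the named header at a line start, including folded continuation lines.
    $m = [regex]::Match($Headers, "(?im)^$Name\s*:\s*(.*(?:\r?\n[ \t].*)*)")
    if (-not $m.Success) { return $null }
    $addr = [regex]::Match($m.Groups[1].Value, '[^\s<>"]+@[^\s<>"]+')
    if ($addr.Success) { return $addr.Value.ToLowerInvariant() } else { return $null }
}

function Test-P2FromMismatch {
    param([string] $Headers, [string[]] $InternalDomains)
    $p1 = Get-HeaderAddress $Headers 'Return-Path'
    $p2 = Get-HeaderAddress $Headers 'From'
    $p1Domain = if ($p1) { $p1.Split('@')[-1] } else { $null }
    $p2Domain = if ($p2) { $p2.Split('@')[-1] } else { $null }
    $claimsInternal = [bool]($p2Domain -and ($InternalDomains -contains $p2Domain))
    [pscustomobject]@{
        EnvelopeFrom   = $p1
        HeaderFrom     = $p2
        DomainMismatch = ($p1Domain -ne $p2Domain)
        # Suspicious only when the displayed sender claims an internal domain the envelope does not back.
        Suspicious     = $claimsInternal -and ($p1Domain -ne $p2Domain)
    }
}

# Constructed sample headers (not real traffic); .invalid and .example are reserved names.
$spoofed = @"
Return-Path: <bounce@bulk-sender.invalid>
From: "IT Helpdesk"
 <helpdesk@corp.example>
Subject: Password reset required
"@
$clean = @"
Return-Path: <alice@corp.example>
From: Alice <alice@corp.example>
Subject: Lunch
"@

Test-P2FromMismatch -Headers $spoofed -InternalDomains @('corp.example')
Test-P2FromMismatch -Headers $clean   -InternalDomains @('corp.example')
```

A legitimate mismatch is common (mailing lists, bulk senders on behalf of the organization), so the Suspicious flag is an alerting input to be combined with SPF/DKIM/DMARC results and a transport-rule exception list, not a block decision on its own.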

This advisory builds upon an emergency directive CISA issued in August 2025, which gave federal agencies just four days to patch a high-severity Microsoft Exchange hybrid vulnerability, identified as CVE-2025-53786. Microsoft had warned that this flaw in Exchange Server 2016, 2019, and the Subscription Edition could allow attackers with administrative access to move from on-premises servers into cloud environments, potentially leading to a full domain compromise. Despite the urgent directive, internet monitors later discovered tens of thousands of servers remained vulnerable.

Exchange servers have been a repeated target for cybercriminals. In recent years, both state-sponsored and financially motivated hacking groups have exploited flaws like ProxyShell and ProxyLogon to breach networks. The scale of the problem is global; Germany’s federal CERT recently reported that a staggering 92% of the approximately 33,000 German on-premises Exchange servers exposed online are running unsupported, end-of-life versions, highlighting the persistent challenge of server hygiene.

(Source: Bleeping Computer)
