The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and other international cybersecurity partners released the “Microsoft Exchange Server Security Best Practices” guidance this week.
The blueprint for hardening Microsoft Exchange servers builds on CISA’s Emergency Directive 25-20, to mitigate Microsoft Exchange vulnerabilities, and recommends proactive prevention techniques to address cyber threats and protect sensitive information and communications.
“Even amid a prolonged government shutdown riddled with partisan rhetoric, CISA remains dedicated to safeguarding critical infrastructure by providing timely guidance to minimize disruptions and to thwart nation-state threats,” CISA Acting Director Madhu Gottumukkala said. “Under the leadership of President Trump and Secretary Noem, CISA continues to demonstrate the power of operational collaboration by working shoulder to shoulder with our trusted intelligence and law enforcement partners across the globe”
The document will provide organizations that rely on Microsoft Exchange to equip on-premises administrators with essential security measures to prevent cyber-attacks while fortifying their defenses. By restricting administrative access, implementing multifactor authentication, enforcing strict transport security configurations and adopting zero trust security model principles, organizations can boost their defenses again cyber threats, officials said. The authoring agencies have also taken steps to encourage organizations to take steps to mitigate risks and prevent malicious activity as some server versions reach their end-of-life cycle.
“With the threat to Exchange servers remaining persistent, enforcing a prevention posture and adhering to these best practices is crucial for safeguarding our critical communication systems,” Nick Andersen, Executive Assistant Director for the Cybersecurity Division (CSD) at CISA, said. “This guidance empowers organizations to proactively mitigate threats, protect enterprise assets, and ensure the resilience of their operations. Furthermore, CISA recommends that organizations evaluate the use of cloud-based email services instead of managing the complexities associated with hosting their own communication services.”