
Microsoft Exchange hardening guidance released following CISA emergency directive


The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and international partners have released best practices guidance for securing Microsoft Exchange servers as a follow-up to an emergency directive released earlier this year.

CISA warned federal agencies in August of a high-severity post-authentication flaw affecting hybrid configurations of Microsoft Exchange, tracked as CVE-2025-53786. The emergency directive issued by the agency required agencies to inventory all Exchange servers, remediate the vulnerability, disconnect end-of-life servers and report their actions to CISA.

The new guidance published Thursday focuses on on-premises Exchange servers and emphasizes the persistent threat to organizations using Exchange.

“Exchange environments are continuously targeted for compromise and should be considered under imminent threat,” warns the document, which is also cosigned by the Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (Cyber Centre).

Strengthening Exchange prevention posture

The first section of the document outlines steps organizations should take to enhance the prevention posture of their on-premises instances, primarily by maintaining security updates, patching vulnerabilities, migrating end-of-life servers and implementing protective built-in services and configurations.

Organizations are urged to stay up-to-date with Microsoft’s biannual cumulative updates (CU) and monthly security updates (i.e. Patch Tuesday), and to apply any hotfix updates as quickly as possible, as threat actors race to develop exploits for newly disclosed vulnerabilities.

The guidance also noted that Microsoft ended support for versions of Exchange older than the Microsoft Exchange Server Subscription Edition (SE) earlier this month, and recommends users of all unsupported versions migrate to SE or an alternative supported service.

Microsoft’s Emergency Mitigation (EM) Service, which automatically applies mitigations to block active threats, should remain enabled, according to the document. Mitigations applied by this service include Internet Information Services (IIS) URL rewrite rules that block patterns of malicious HTTP threats and the disabling of vulnerable services and app pools on an Exchange server.

Organizations should also use built-in Windows protections such as Microsoft Defender Antivirus (MDAV), the Windows Antimalware Scan Interface (AMSI), Attack Surface Reduction (ASR), AppLocker and App Control for Business, Endpoint Detection and Response (EDR) and anti-spam and anti-malware features in Exchange, as well as security baseline configurations for Microsoft services such as those provided by the Defense Information Systems Agency and the Center for Internet Security, the document states.

Administrative access, including access to the Exchange Admin Center (EAC) and to remote PowerShell capabilities, should be restricted only to dedicated admin workstations; the guidance notes that Client Access Rules should be configured to disable access to EAC and host firewall rules on the Exchange server should restrict access to remote PowerShell and the EAC website.

Key authentication and encryption measures for Exchange

The second half of the guidance covers the hardening of authentication and encryption measures to ensure confidentiality and robust identity verification.

Transport Layer Security (TLS), which encrypts both emails in transit and user connections to the Exchange server, should be configured according to Microsoft best practices. Organizations should also ensure Extended Protection (EP), which further protects TLS sessions against adversary-in-the-middle (AitM), relay and forwarding attacks, is enabled and configured properly with consistent settings across TLS and New Technology LAN Manager (NTLM).

NTLM should only use NTLMv2, and organizations using NTLMv2 should prepare to switch to Kerberos authentication protocols due to the planned deprecation of NTLM in the near future. Organizations should also switch from Basic Authentication protocol to Modern Authentication, which uses OAuth 2.0 and multifactor authentication (MFA) for more secure logins.

In addition to restricting access to remote PowerShell and disabling it when not needed, organizations should enable certificate signing of serialized data from the Exchange Management Shell to prevent manipulation in transit. They should also enable HTTP Strict Transport Security (HSTS), which enforces HTTPS encryption for all browser connections.

The guidance document also recommends configuring Download Domains to ensure attachments load from a different subdomain than that used for Outlook on the Web, which reduces the threat of cross-site request forgery (CSRF), and splitting admin permissions between Active Directory (AD) and Exchange, reducing the chance that an Exchange compromise will lead to an AD compromise.

Lastly, the guidance emphasizes the importance of Exchange’s built-in P2 FROM header manipulation detection, urging organizations to ensure the default security feature that adds phishing notifications to emails with manipulated P2 FROM headers remains enabled.
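Several of the settings named above can be read back from a server without changing anything. The following read-only audit is an added example, not code from the guidance or from Microsoft; it assumes it is run in the Exchange Management Shell on the Exchange server itself, that OWA and the EAC are hosted on "Default Web Site" under an IIS version with native HSTS support, and the "expected" values are this example's reading of the article rather than thresholds quoted from the document.

```powershell
# Added example: read-only audit of settings the article names.
# Assumptions: Exchange Management Shell, local server, IIS with native HSTS
# support, OWA/EAC on "Default Web Site". Nothing here modifies configuration.
Import-Module IISAdministration

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param($Area, $Target, $Setting, $Value, $Expected)
    $findings.Add([pscustomobject]@{
        Area = $Area; Target = $Target; Setting = $Setting
        Value = $Value; Expected = $Expected
        Pass = ("$Value" -eq "$Expected")
    })
}

# Emergency Mitigation service: organization-wide switch, then each server.
$org = Get-OrganizationConfig
Add-Finding 'EM service' 'Organization' 'MitigationsEnabled' $org.MitigationsEnabled $true
foreach ($srv in Get-ExchangeServer) {
    Add-Finding 'EM service' $srv.Name 'MitigationsEnabled' $srv.MitigationsEnabled $true
}

# Download Domains and OAuth (used by Modern Authentication) are organization settings.
Add-Finding 'Download Domains' 'Organization' 'EnableDownloadDomains' $org.EnableDownloadDomains $true
Add-Finding 'Modern Auth' 'Organization' 'OAuth2ClientProfileEnabled' $org.OAuth2ClientProfileEnabled $true

# NTLM: level 5 sends NTLMv2 only and refuses LM and NTLMv1. If the value is
# absent the OS default applies, so it is surfaced as a finding to review.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
$lm  = if ($null -ne $lsa.LmCompatibilityLevel) { $lsa.LmCompatibilityLevel } else { 'not set' }
Add-Finding 'NTLM' $env:COMPUTERNAME 'LmCompatibilityLevel' $lm 5

# HSTS: native IIS <hsts> element on the site that serves OWA and the EAC.
$sites = Get-IISConfigSection -SectionPath 'system.applicationHost/sites' | Get-IISConfigCollection
$site  = Get-IISConfigCollectionElement -ConfigCollection $sites -ConfigAttribute @{ name = 'Default Web Site' }
$hsts  = Get-IISConfigElement -ConfigElement $site -ChildElementName 'hsts'
$hstsOn = Get-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled'
Add-Finding 'HSTS' 'Default Web Site' 'enabled' $hstsOn $true

# Failed checks sort first so they are the first rows an operator reads.
$findings | Sort-Object Pass, Area | Format-Table -AutoSize
```

Extended Protection, serialized-data signing and P2 FROM detection are left out of this sketch because their state is best confirmed with the procedures in Microsoft's own documentation rather than a single property read.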

The document authors noted that the latest guidance does not cover all the steps necessary to protect Exchange servers. For example, organizations should also utilize active monitoring and establish incident response and recovery plans, which the document does not cover in-depth.

The guidance concludes by encouraging organizations to follow zero-trust principles in defending Exchange instances against unauthorized access.  
