Why it’s time to review your on-premises Microsoft Exchange patch status

We start the patching year of 2023 looking at one of the largest releases of vulnerability fixes in Microsoft history. The January 10 Patch Tuesday update patched one actively exploited zero-day vulnerability and 98 security flaws. The update arrives at a time when short- and long-term technology and budget decisions need to be made.

This is particularly true for organizations using on-premises Microsoft Exchange Servers. Start off 2023 by reviewing the most basic communication tool you have in your business: your mail server. Is it as protected as it could be from the threats that lie ahead of us in the coming months? The attackers know the answer to that question.

Why attackers target on-premises Exchange

For years, Exchange has been the de facto on-premises email platform for many businesses. Then came Azure and the cloud, and Microsoft started to build a similar cloud alternative to its mail server platform. The two platforms were comparable for years with similar features. They also shared security and vulnerability issues.

Less comparable now are the resources Microsoft devotes to on-premises Exchange versus Azure. The company recently added older but still supported versions of on-premises Exchange from its bug bounty program. As a result, attackers and researchers alike started looking more closely at Exchange. Fast-forward to the last few months and we see attackers gaining access to networks and launching ransomware attacks using unpatched or not quite fully patched Exchange vulnerabilities.

Attackers knew that these vulnerabilities were hard to patch and that Microsoft hadn’t fully patched the ProxyShell vulnerability. Even with Microsoft mitigation tools in place, you often were still vulnerable. The CVE-2021-31207 post-authentication vulnerability was patched in May of 2021, but the Cuba ransomware (DEV-0671) is using stolen credentials to exploit it and plant a web shell, often the Chopper web shell, that permits a remote operator to launch malicious code on a compromised Microsoft Exchange Server through providing system-level access to the device. January’s large vulnerability patching release addressed a series of vulnerabilities that could allow the attacker to gain full system privileges.

How to protect on-premises Exchange Server

Have a service or firewall that pre-scans emails before they arrive at your Exchange Server. This can be a device to hold and forward email should a maintenance or security event occur that causes downtime. Ensure your device or solution provides web filtering processes that search for and prevent these types of attacks.

Always use a supported version of Exchange that receives security updates. As Microsoft noted recently, even this servicing model can change depending on timing and other patches expected. The company originally intended to release two cumulative updates (CUs) per year, in H1 and H2 of each calendar year, with general target release dates of March and September. However, in November Microsoft announced that the next CU for Exchange Server will be the H1 2023 CU (Exchange Server 2019 CU13) and there would not be an H2 2022 CU. Exchange 2013 comes to its end of life on April 11, 2023, which is less than 90 days away. If you are still on this version, plan a migration to either a supported version, an online version of Exchange (Microsoft 365), or an alternative platform to receive email depending on your needs.

Make necessary updates and patches to components connected to on-premises Exchange. Patching Exchange often dictates an Active Directory (AD) schema update. As noted in a July Exchange blog post, you often have to be aware of what cumulative update you are on and enter the appropriate AD schema command. If you have a hybrid email setup with an Exchange management server on premises and set up the synchronization with Exchange online, you will need to patch this as well with the latest Exchange updates. The Exchange team has also provided patches to older, unsupported versions on occasion because of an extreme risk introduced by a threat.

Be aware of the additional mitigation tools that Microsoft has introduced to better protect and defend on-premises Exchange Servers. The Emergency Mitigation Service was released in September 2021 to counter emerging threats. As Microsoft notes, “When you install the September 2021 CU (or later) on Exchange Server 2016 or Exchange Server 2019, the EM service will be installed automatically on servers with the Mailbox role. The EM service will not be installed on Edge Transport servers.”

While you can opt out of this service, I recommend that you enable it on your on-premises Exchange Servers. You will be prompted to install the IIS URL Rewrite Module and Universal C Runtime in Windows (KB2999226) for Windows Server 2012 and Windows Server 2012 R2. Verify that an Exchange Server has connectivity to the mitigation service by using the Test-MitigationServiceConnectivity.ps1 script in the V15Scripts folder in the Exchange server directory.

Install security updates released this month and those delivered in 2021 (CVE-2021-31207) on all applications and operating systems. If you have any issues, follow the recommendations and comments posted to the Exchange blog posts especially those that announce security patches for Exchange.

Review your network segmentation and consider using the built-in Windows Firewall or your network firewall to prevent remote procedure call (RPC) and server message block (SMB) communication among endpoints whenever possible. Limit the use of local administrators and deploy the LAPS toolkit to randomize the local administrator password in your network.

Discuss with your team the resources and tools you have to protect on-premises Exchange Servers. While it is never ideal to move from a platform with fixed costs to one based on reoccurring subscription revenue streams, businesses put security resources and investments on products and services that have a potential for growth. There comes a time when older technologies cannot be made secure or keep up with the feature set of the newer platforms.

Attackers are often one step ahead of us. If we focus resources elsewhere, they can easily tell our lack of investment in mail servers by merely reading the version numbers in mail headers. Email is a foundational business tool as well as a foundational attack tool, so place security investments accordingly.