Microsoft Exchange

Microsoft announced today that Windows Extended Protection will be enabled by default on servers running Exchange Server 2019 starting this fall, once the 2023 H2 Cumulative Update (CU14) is installed.

Extended Protection (EP) is a Windows Server feature that strengthens Windows authentication to mitigate authentication relay and “man in the middle” (MitM) attacks, in which an attacker intercepts a client's authentication to a server and replays it elsewhere.

“Today, we wanted to let you know that starting with the 2023 H2 Cumulative Update (CU) for Exchange Server 2019 (aka CU14), EP will be enabled by default when CU14 (or later) is installed,” the Exchange Team said today.

“Exchange Server 2019 is currently in Mainstream Support and is the only version that still gets CUs.”

While CU14 will enable EP on every Exchange server it is deployed to, admins will still be able to opt out using the command-line CU installer (the GUI installer enables EP automatically, while unattended installs must be customized to opt out).

Microsoft recommends doing the following, depending on what security update you have installed:

  • Aug 2022 SU or later and EP enabled: Install CU14 (no special steps needed).
  • Aug 2022 SU or later, but EP not yet enabled: Install CU14 with the default of ‘Enable EP’ left on.
  • Exchange Server version earlier than the Aug 2022 SU: “We send you thoughts and prayers, and very strong but gentle guidance to update your servers to the latest SU immediately.”

Redmond added EP support to Exchange Server with last year’s August security updates when it also warned admins that some vulnerabilities would require them to enable the feature on impacted servers to fully block attacks.

Since then, the company has provided a dedicated PowerShell script to automate turning EP on or off on Exchange servers across an entire organization; on systems with Internet access, the script updates itself to the latest version automatically.

“We recommend that all customers enable EP in their environment. If your servers are running the August 2022 SU or later SU, then they already support EP,” Microsoft said.

“If you have any servers older than the August 2022 SU, then your servers are considered persistently vulnerable and should be updated immediately.

“Further, if you have any Exchange servers older than the August 2022 SU, you will break server-to-server communication with servers that have EP enabled.”
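The two checks Microsoft's guidance implies, whether a server is at least on the August 2022 SU and whether EP is actually switched on for the Exchange virtual directories, can be scripted. The following is an added, read-only example written for this article; it is not Microsoft's ExchangeExtendedProtectionManagement.ps1 script and does not change any configuration. It assumes it is run elevated on the Exchange 2019 server itself with the IIS WebAdministration module present, and it assumes the build number of the August 2022 SU for CU12 as the minimum; that value and the two IIS site names are assumptions to verify against Microsoft's own build-number table and your deployment before relying on the output.

```powershell
# Added example (not Microsoft's ExchangeExtendedProtectionManagement.ps1): read-only
# audit of one Exchange 2019 server. Run in an elevated PowerShell session on the server.
#Requires -RunAsAdministrator
Import-Module WebAdministration -ErrorAction Stop

# ASSUMPTION: build number of the August 2022 SU for Exchange 2019 CU12. Servers on
# another CU have a different SU build; confirm against Microsoft's build-number table.
$MinimumSuBuild = [Version]'15.2.1118.12'

# IIS configuration section that holds the Extended Protection setting.
$EpFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-ExchangeBuild {
    # ExSetup.exe carries the SU build; Get-ExchangeServer only reports the CU build.
    $exSetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
    [Version][System.Diagnostics.FileVersionInfo]::GetVersionInfo($exSetup).ProductVersion
}

function Get-EpState {
    # Returns the EP token-checking level of one IIS site or application.
    # 'None' means EP is off; 'Allow' and 'Require' mean it is on.
    param([Parameter(Mandatory)][string]$PSPath)
    $ep = Get-WebConfiguration -Filter $EpFilter -PSPath $PSPath
    $level = [string]$ep.tokenChecking
    [pscustomobject]@{
        Path          = $PSPath
        TokenChecking = $level
        EpEnabled     = ($level -ne 'None')
    }
}

function Get-ExchangeVirtualDirectories {
    # The front-end and back-end sites Exchange creates (assumed default names),
    # plus every IIS application beneath them.
    foreach ($site in 'Default Web Site', 'Exchange Back End') {
        "IIS:\Sites\$site"
        Get-WebApplication -Site $site | ForEach-Object {
            "IIS:\Sites\$site\$($_.path.TrimStart('/'))"
        }
    }
}

# 1. Servers older than the August 2022 SU do not support EP and will break
#    server-to-server traffic with EP-enabled servers: update them first.
$build = Get-ExchangeBuild
if ($build -lt $MinimumSuBuild) {
    $msg = "ExSetup build $build is older than the August 2022 SU ($MinimumSuBuild): " +
           "this server is persistently vulnerable; install the latest SU before enabling EP."
    Write-Warning $msg
} else {
    Write-Host "ExSetup build $build supports Extended Protection."
}

# 2. Report EP per virtual directory and flag anything still at 'None'.
$report = Get-ExchangeVirtualDirectories | ForEach-Object { Get-EpState -PSPath $_ }
$report | Format-Table -AutoSize

$off = @($report | Where-Object { -not $_.EpEnabled })
if ($off.Count -gt 0) {
    Write-Warning "Extended Protection is not enabled on: $($off.Path -join ', ')"
} else {
    Write-Host 'Extended Protection is enabled on every Exchange virtual directory.'
}
```

Run it on each server before CU14 rolls out: a warning from the first check means the server will break communication with EP-enabled peers until it is updated, and a warning from the second identifies the virtual directories the CU14 default (or Microsoft's script) will change.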

Microsoft also urged customers in January to keep their on-premises Exchange servers up to date by always installing the latest supported Cumulative Update (CU), so that they are ready to deploy emergency security patches when needed.

Exchange servers are valuable targets, as shown by financially motivated cybercrime groups like FIN7, which developed an attack platform specifically designed to breach Exchange servers.

According to threat intelligence firm Prodaft, FIN7’s Checkmarks platform has already been used to breach the networks of more than 8,000 companies, primarily from the United States, after scanning over 1.8 million targets.

Source: www.bleepingcomputer.com