Security Advisory Summary
Microsoft Exchange Security Best Practices
A visual guide to hardening on-premises Exchange environments against persistent threats based on official cybersecurity agency recommendations.
Infrastructure Maintenance
- Patching Cadence: Apply CUs twice yearly and monthly security updates immediately.
- Migrate EOL Servers: Move to Exchange Server SE; support for 2016/2019 ended Oct 2025.
- Emergency Mitigation: Ensure the EM Service remains enabled for interim cloud-based mitigations.
Threat Prevention
- AMSI Integration: Keep AMSI integration enabled so the content of incoming HTTP requests is scanned for malicious patterns.
- ASR Rules: Enable the "Block Webshell creation" rule to prevent script execution on compromised servers.
- Email Standards: Configure HSTS, SPF, DMARC, and DKIM to prevent sender masquerading.
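As an added example that is not part of the advisory: a read-only PowerShell posture check for the Infrastructure Maintenance and Threat Prevention items above, written for the Exchange Management Shell on Exchange 2019 or Subscription Edition. It uses standard Exchange, Defender and DnsClient cmdlets and changes nothing; the server name, the mail domain, and the ASR rule GUID (taken from Microsoft's ASR rule reference) are assumptions to adjust for your environment.

```powershell
# Added example (not from the advisory): read-only check of the EM service,
# AMSI override state, the webshell ASR rule and SPF/DMARC records.
# Run in the Exchange Management Shell as an Exchange administrator.
$ServerName = $env:COMPUTERNAME            # assumption: check the local server
$MailDomain = "example.com"                # placeholder: one of your accepted domains
$findings   = @()

# 1. Emergency Mitigation service: the org-wide flag, the per-server flag and
#    the Windows service itself must all be on for interim mitigations to apply.
$org = Get-OrganizationConfig
$srv = Get-ExchangeServer -Identity $ServerName
if (-not $org.MitigationsEnabled) { $findings += "Organization-level MitigationsEnabled is False" }
if (-not $srv.MitigationsEnabled) { $findings += "$ServerName has MitigationsEnabled False" }
$emSvc = Get-Service -Name "MSExchangeMitigation" -ErrorAction SilentlyContinue
if (-not $emSvc -or $emSvc.Status -ne "Running") {
    $findings += "MSExchangeMitigation service is not running on $ServerName"
}

# 2. AMSI request scanning is on by default; the documented way to switch it
#    off is a SettingOverride for Cafe / HttpRequestFiltering with
#    Enabled=False, so the presence of such an override is the finding.
$amsiOff = Get-SettingOverride | Where-Object {
    $_.ComponentName -eq "Cafe" -and
    $_.SectionName   -eq "HttpRequestFiltering" -and
    (($_.Parameters -join ";") -match "Enabled=False")
}
foreach ($o in $amsiOff) {
    $scope = if ($o.Server) { $o.Server -join "," } else { "all servers" }
    $findings += "AMSI scanning disabled by SettingOverride '$($o.Name)' (scope: $scope)"
}

# 3. Defender ASR rule "Block Webshell creation for Servers". Action 1 = Block.
#    The GUID is the one in Microsoft's ASR rule reference (assumption: unchanged).
$webshellRule = "a8f5898e-1dc8-49a9-9878-85004b8a61e6"
$mp   = Get-MpPreference
$mode = $null
for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($mp.AttackSurfaceReductionRules_Ids[$i] -ieq $webshellRule) {
        $mode = $mp.AttackSurfaceReductionRules_Actions[$i]
    }
}
if ($mode -ne 1) {
    $state = if ($null -eq $mode) { "not configured" } else { "action $mode" }
    $findings += "ASR rule 'Block Webshell creation for Servers' is not in Block mode ($state)"
}

# 4. Sender-authentication DNS records. DKIM depends on a site-specific
#    selector and HSTS on the published OWA endpoint, so only SPF and DMARC
#    are resolved here.
$txt = { param($name)
    Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join "" }
}
$spf   = & $txt $MailDomain          | Where-Object { $_ -like "v=spf1*" }
$dmarc = & $txt "_dmarc.$MailDomain" | Where-Object { $_ -like "v=DMARC1*" }
if (-not $spf)                  { $findings += "No SPF record published for $MailDomain" }
elseif ($spf -match "\+all")    { $findings += "SPF for $MailDomain ends in +all, which authorizes any sender" }
if (-not $dmarc)                { $findings += "No DMARC record at _dmarc.$MailDomain" }
elseif ($dmarc -match "p=none") { $findings += "DMARC for $MailDomain is p=none (monitoring only, not enforced)" }

# Report
if ($findings.Count -eq 0) { "All checked controls are in the recommended state on $ServerName." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each finding maps to one bullet above, so the output doubles as a remediation list; the AMSI check looks for the override rather than a "disabled" flag because that override is the only supported way the scanning gets turned off.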
Auth & Encryption
- Extended Protection (EP): Enable channel binding tokens (CBT) and service binding to tie authentication to the TLS session.
- Modern Auth & MFA: Disable Basic Authentication and use OAuth 2.0 with AD FS for MFA support.
- Kerberos Migration: Audit for NTLM dependencies and migrate to Kerberos for mail flow.
Administrative Hardening
- Restricted Access: Limit the EAC and remote PowerShell to dedicated admin workstations.
- Split Permissions: Separate AD Domain Admin and Exchange responsibilities via RBAC.
- Download Domains: Serve attachments from a separate download subdomain to prevent cookie theft via CSRF.
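As an added example that is not part of the advisory: a read-only PowerShell check for the Auth & Encryption and Administrative Hardening items above (Extended Protection, Basic Authentication blocking, NTLM usage, download domains and admin-group overlap), written for the Exchange Management Shell on the server being checked. The virtual-directory subset, the `Require` expectation for those directories and the one-day NTLM window are assumptions; Microsoft's Extended Protection documentation has the full per-directory table (some directories use Allow or None), and its ExchangeExtendedProtectionManagement.ps1 script is the supported way to enable EP.

```powershell
# Added example (not from the advisory): read-only check of Extended Protection
# in IIS, the legacy-auth blocking policy, recent NTLM logons, download domains
# and Organization Management / Domain Admins overlap. Nothing is changed.
Import-Module WebAdministration
$ServerName = $env:COMPUTERNAME
$findings   = @()
$orgCfg     = Get-OrganizationConfig

# 1. Extended Protection: tokenChecking=Require makes IIS reject Windows auth
#    without a matching channel binding token. Illustrative subset of the
#    front-end directories Microsoft sets to Require (assumption: see its table).
$epDirs = "owa", "ecp", "mapi", "OAB", "PowerShell", "Rpc"
foreach ($d in $epDirs) {
    $path = "IIS:\Sites\Default Web Site\$d"
    $tc = Get-WebConfigurationProperty -PSPath $path `
          -Filter "system.webServer/security/authentication/windowsAuthentication/extendedProtection" `
          -Name "tokenChecking" -ErrorAction SilentlyContinue
    $val = if ($tc.Value) { "$($tc.Value)" } else { "$tc" }   # attribute object or plain string
    if ($val -ne "Require") { $findings += "EP tokenChecking is '$val' (expected Require) at $path" }
}

# 2. Basic/legacy authentication: on-prem Exchange 2019 CU2+ blocks it through
#    an authentication policy assigned as the organization default.
$blockProps = "BlockLegacyAuthActiveSync", "BlockLegacyAuthAutodiscover", "BlockLegacyAuthImap",
              "BlockLegacyAuthMapi", "BlockLegacyAuthOfflineAddressBook", "BlockLegacyAuthPop",
              "BlockLegacyAuthRpc", "BlockLegacyAuthWebServices"
if (-not $orgCfg.DefaultAuthenticationPolicy) {
    $findings += "No DefaultAuthenticationPolicy: Basic auth is not blocked by policy"
} else {
    $pol = Get-AuthenticationPolicy -Identity $orgCfg.DefaultAuthenticationPolicy
    foreach ($bp in $blockProps) {
        if (-not $pol.$bp) { $findings += "Policy '$($pol.Name)' leaves $bp False" }
    }
}

# 3. NTLM dependencies: Security event 4624 carries the authentication package
#    at property index 10; group recent NTLM logons by account and source
#    workstation to see what still has to move to Kerberos.
$ntlm = Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4624; StartTime = (Get-Date).AddDays(-1) } `
            -MaxEvents 20000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[10].Value -eq "NTLM" } |
        Group-Object { "$($_.Properties[6].Value)\$($_.Properties[5].Value) from $($_.Properties[11].Value)" } |
        Sort-Object Count -Descending | Select-Object -First 10
foreach ($g in $ntlm) { $findings += "NTLM logons x$($g.Count): $($g.Name)" }

# 4. Download domains: the org flag plus internal/external download host names
#    on each OWA virtual directory of this server.
if (-not $orgCfg.EnableDownloadDomains) { $findings += "EnableDownloadDomains is False" }
foreach ($owa in Get-OwaVirtualDirectory -Server $ServerName) {
    if (-not $owa.InternalDownloadHostName -or -not $owa.ExternalDownloadHostName) {
        $findings += "$($owa.Identity) has no internal/external download host name configured"
    }
}

# 5. Split permissions: an account in both Organization Management and
#    Domain Admins defeats the separation, whatever the RBAC model says.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
$exAdmins = Get-RoleGroupMember -Identity "Organization Management" |
            ForEach-Object { $_.DistinguishedName }
$daAdmins = Get-ADGroupMember -Identity "Domain Admins" -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $_.DistinguishedName }
foreach ($dn in ($exAdmins | Where-Object { $daAdmins -contains $_ })) {
    $findings += "$dn is in both Organization Management and Domain Admins"
}

# Report
if ($findings.Count -eq 0) { "All checked controls are in the recommended state on $ServerName." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The NTLM section only reports; the grouped list is the input to the audit the bullet calls for, since each remaining NTLM source (a service account, an old client, a load balancer health probe) needs its own Kerberos migration path.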
The Prevention Posture
Embrace Zero Trust: deny-by-default, least privilege, and timely updates. Exchange environments must be considered under imminent threat.
- No EOL Software
- MFA Required
- RBAC Split