EM Service Offers Protection for Vulnerable Microsoft Exchange Servers
Exchange Emergency Mitigation (EM), a recently released Microsoft Exchange Server (MXS) feature, offers interim protection against high-risk security flaws. On-premises servers are protected against incoming attacks until admins can access and apply security updates. This ability to buy time until updates are installed is a vital preventive measure for guarding the integrity of sensitive data.
Microsoft began designing the EM service after Microsoft Exchange zero-day vulnerabilities were exploited. The exploit was financially motivated and was conducted by state-sponsored groups. It was intended to impact the servers of users whose admins lacked patch or mitigation capabilities.
Microsoft Exchange Server
For those not yet familiar with its benefits, Microsoft Exchange Server is an enterprise server application offering collaborative functions. MXS was designed by Microsoft to run on Windows Server. Exchange Server supports email, contacts and tasks, calendar, web-based and mobile information access, and data storage functions.
The Exchange Administration Center permits admins to manage server permissions and access to enhance job function without enabling complete access to the management interface.
Additional Protection for Vulnerable Exchange Servers
The exploits noted above, which affected Microsoft Exchange Servers, prompted quick action by the company. In March 2021, a Microsoft Exchange On-premises Mitigation Tool (EOMT) was released. That app was created to minimize the attack surface exposed by the ProxyLogon bugs.
Named appropriately for its function, the Microsoft Exchange Emergency Mitigation (EM) service is a new component that enhances EOMT function. Originally released in September 2021 (later versions may follow), the new Exchange Server component addresses a serious security risk by automatically detecting Exchange servers that are vulnerable to one or more known threats.
How is Microsoft Exchange EM Service Implemented?
Offered as a Windows service on Exchange Mailbox servers, EM is installed automatically on servers in the Mailbox role when the September 2021 or later cumulative update (CU) is installed on Exchange Server 2016 or Exchange Server 2019.
Mitigations applied automatically by the EM service are not permanent repairs. They are temporary measures that limit exposure to a security vulnerability. They do not take the place of Exchange security updates (SUs).
How Does EM Service Actually Work to Prevent Threats?
If a security threat exists and Microsoft learns of it, the company may respond by creating a mitigation and releasing it. In that case, Microsoft sends the mitigation from the Office Config Service (OCS) to the EM service. It is sent as a signed XML file, which includes the configuration settings necessary for applying the mitigation.
Following EM service installation, the system checks the OCS each hour to see if any mitigations are available. The EM service then downloads the XML and verifies that the XML has not been tampered with by validating the signature and checking the issuer, the Extended Key Usage, and the certificate chain.
Once the validation is successfully completed, the mitigation is applied by the EM service.
What Types of Mitigations Does EM Service Provide?
After installation on an Exchange email server, three types of mitigations can be applied by EM Service.
1. IIS URL Rewrite
A rule mitigation that blocks certain patterns of HTTP requests, protecting an Exchange server from requests that may be malicious and could endanger it.
2. Exchange Service Mitigation
A mitigation feature that disables a service determined to be vulnerable on an Exchange server.
3. App Pool Mitigation
This mitigation disables a vulnerable app pool on an Exchange server.
The Continuing Need for Exchange Server Updates
Even when Microsoft’s EM service is installed and running, Exchange Server Security Updates (SUs) will still be needed.
But activating the EM service is the simplest and speediest way to mitigate the most threatening risks to Internet-connected, on-premises Exchange servers before applicable SUs are installed, according to Microsoft’s Exchange Team.
EM is a version of EOMT built into Exchange Server, and it works with the cloud-based Office Config Service (OCS). EM protects against high-risk bugs that have known mitigations.
An Optional Feature That Can Be Disabled
EM Service is an optional feature, even when installed.
Admins can disable the EM service if they prefer that Microsoft not initiate Exchange server mitigations automatically. Admins can also use PowerShell cmdlets and scripts to control how mitigations are applied. These features allow admins to view the mitigations and decide whether to block, remove, or reapply them.
The Microsoft Team noted that applying mitigations could potentially reduce the functionality of servers. Thus, their intention is to only release mitigations that will affect highly serious security issues being actively exploited in the wild. A balance between performance and protection should be achieved through proper evaluation of risk and determination of the need for mitigation.
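The following read-only audit is an added example, not part of the original article or Microsoft's own tooling. It uses the Exchange Management Shell cmdlets and the `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties to show where EM is actually in effect; the server name `EXCH01` and mitigation ID `M1` in the commented-out lines are placeholders.

```powershell
# Run in the Exchange Management Shell (Exchange 2016/2019, September 2021 CU or later).
# Read-only: reports EM state for every Mailbox server and changes nothing.

$org = Get-OrganizationConfig
"Organization-wide MitigationsEnabled: $($org.MitigationsEnabled)"

$report = foreach ($server in Get-ExchangeServer | Where-Object { $_.IsMailboxServer }) {
    # MSExchangeMitigation is the Windows service that hosts EM.
    $svc = Get-Service -ComputerName $server.Name -Name MSExchangeMitigation `
                       -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server        = $server.Name
        Service       = if ($svc) { $svc.Status } else { 'NotFound' }
        ServerEnabled = $server.MitigationsEnabled
        # EM only applies mitigations when both the organization
        # setting and the server setting are enabled.
        Effective     = ($org.MitigationsEnabled -and $server.MitigationsEnabled)
        Applied       = ($server.MitigationsApplied -join ', ')
        Blocked       = ($server.MitigationsBlocked -join ', ')
    }
}

$report | Format-Table -AutoSize

# Servers that will NOT receive an emergency mitigation: EM switched off,
# or the service missing or stopped. Each should be a deliberate decision.
$unprotected = $report | Where-Object { -not $_.Effective -or $_.Service -ne 'Running' }
if ($unprotected) {
    Write-Warning "EM is not in effect on: $($unprotected.Server -join ', ')"
}

# Servers where an admin has blocked specific mitigations; review each ID.
$report | Where-Object { $_.Blocked } | Select-Object Server, Blocked

# Changing behaviour (commented out on purpose; EXCH01 and M1 are placeholders):
# Set-OrganizationConfig -MitigationsEnabled $false               # whole organization
# Set-ExchangeServer -Identity EXCH01 -MitigationsEnabled $false  # one server only
# Set-ExchangeServer -Identity EXCH01 -MitigationsBlocked @('M1') # block one mitigation
# Set-ExchangeServer -Identity EXCH01 -MitigationsBlocked @()     # clear the block list
```

Running this on a schedule and alerting on a non-empty `$unprotected` list catches servers where EM was disabled for troubleshooting and never turned back on.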
Initial Microsoft Exchange User Feedback
Following the first month of launch, Microsoft reported mostly positive feedback, overall, for its EM service. The company encourages continued comments from users.
“We want to provide added protections to customers, but we also want to do that in a frictionless way.”
– Microsoft Teams, October 1, 2021, excerpted from the previously linked post covering feedback regarding Microsoft Exchange EM service.
Microsoft Exchange EM service demonstrates Microsoft’s company commitment to supporting their products. They prioritize the security of their products and long-term customer satisfaction.
ARCIS Technology Group Inc. Can Optimize Microsoft EM and Monitor Your IT system
Stellar security protection, IT support, and satisfied customers over the long term are also the goals of our staff at ARCIS Technology Group Inc. In addition to the traditional challenges of business operations, today’s Northern Ohio organizations, as well as worldwide businesses, face a new type of crisis.
Malware, ransomware, phishing emails — various types of security breaches threaten to disrupt, even close businesses. Medium and small businesses are particularly at risk.
But implementing updates to infrastructure and cloud services, establishing best practices regarding permissions, monitoring automatically for suspicious behavior, and programming automatic mitigation based on business preferences all limit the risk of disaster resulting from security breaches. For more information about Microsoft Exchange’s EM Service, how it works and whether it should be modified, contact us. We serve surrounding communities from our base in Massillon, Ohio.