Exchange Server Security - CISA and NSA Hardening Guide
Exchange Server security best-practices from CISA and NSA provide a blueprint for reducing risk around on-premises and hybrid Microsoft email deployments that continue to attract attackers. The joint guidance, released alongside international partners, emphasizes minimizing exposed management surfaces, enforcing multi-factor authentication, and using Microsoft's Exchange Emergency Mitigation service to auto-apply critical configuration changes. Administrators are urged to restrict administrative access to dedicated systems, enforce TLS and strict transport security, and maintain hardened baselines that remove legacy protocols and weak cipher suites. The document also stresses lifecycle hygiene, warning that unsupported or end-of-life Exchange versions should be disconnected or migrated, as they cannot reliably receive security fixes. The agencies highlight the persistent targeting of Exchange servers for credential theft, email takeover, and lateral movement, particularly by state-sponsored actors and ransomware crews who prize mailbox data and internal address books. By combining identity controls, patch discipline, and built-in security features, organizations can shift their Exchange posture from reactive patching to proactive risk reduction. While the guidance does not name specific vulnerabilities, it builds on prior emergency directives that responded to mass exploitation of Exchange flaws and web shell deployments on unpatched systems. For enterprises still operating on-premises Exchange, the recommendations effectively outline a minimum security baseline that boards and regulators may expect to see implemented.
CORTEX Protocol Intelligence Assessment
Business Impact: Poorly secured Exchange environments expose organizations to account takeover, email fraud, and data theft that can disrupt operations and trigger regulatory scrutiny. Defensive Priority: Align Exchange configurations with CISA and NSA guidance, prioritizing MFA, EM service enablement, and isolation of administrative activities from general-purpose workstations. Industry Implications: As cloud email adoption grows, remaining on-premises Exchange estates will face heightened expectations to demonstrate mature hardening and lifecycle management.
Strategic Intelligence Guidance
- Conduct a configuration baseline review of all Exchange servers against the CISA and NSA recommendations, documenting deviations and risk-ranked remediation plans.
- Enforce phishing-resistant MFA for administrative and remote access paths, and remove legacy authentication methods that bypass modern controls.
- Enable Exchange Emergency Mitigation and monitor its actions through change management processes to ensure critical mitigations are not reverted.
- Develop a decommissioning roadmap for unsupported or EOL Exchange instances, moving mailboxes to supported cloud or hybrid platforms with stronger default security.
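The four guidance items above amount to a configuration baseline review. The following read-only audit script is an added example written for this page; it is not part of the CISA/NSA guidance or of any Microsoft tooling. It assumes it is run from the Exchange Management Shell on an on-premises server with View-Only Organization Management rights, that the authentication-policy cmdlets are available (Exchange 2019 or later), that the SCHANNEL registry check is evaluated on the local server, and that the end-of-life rule (Exchange 2013 and earlier, build 15.0.x or lower) is a constructed threshold to be replaced with Microsoft's current lifecycle dates. It reports deviations for Emergency Mitigation, legacy authentication, TLS 1.0/1.1, and unsupported builds without changing anything.

```powershell
# Added example (not from the guidance or the article): read-only Exchange audit.
# Run in the Exchange Management Shell; assumes on-premises Exchange 2019+.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Exchange Emergency Mitigation must be enabled at the org level and on every server,
#    otherwise Microsoft-pushed mitigations will not be auto-applied.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    $findings.Add("Org: Exchange Emergency Mitigation is disabled (MitigationsEnabled=False)")
}

$servers = Get-ExchangeServer
foreach ($s in $servers) {
    if (-not $s.MitigationsEnabled) {
        $findings.Add("$($s.Name): server-level mitigations are disabled")
    }
    # 4. Lifecycle hygiene: Exchange 2013 and earlier (15.0.x or lower) cannot receive fixes.
    #    Constructed threshold; check newer branches against Microsoft's lifecycle page.
    $v = $s.AdminDisplayVersion
    if ($v.Major -lt 15 -or ($v.Major -eq 15 -and $v.Minor -eq 0)) {
        $findings.Add("$($s.Name): build $v is end-of-life; migrate mailboxes or disconnect")
    }
}

# 2. Legacy (basic) authentication should be blocked on every protocol by an
#    authentication policy that is also the organization default.
if (Get-Command Get-AuthenticationPolicy -ErrorAction SilentlyContinue) {
    $policies = @(Get-AuthenticationPolicy)
    if ($policies.Count -eq 0) {
        $findings.Add("Org: no authentication policy exists; legacy auth is not blocked")
    }
    if (-not $org.DefaultAuthenticationPolicy) {
        $findings.Add("Org: no default authentication policy assigned; new mailboxes keep legacy auth")
    }
    foreach ($p in $policies) {
        # Every BlockLegacyAuth* switch on the policy should be True.
        $props = $p | Get-Member -MemberType Property -Name 'BlockLegacyAuth*' | ForEach-Object Name
        $open  = $props | Where-Object { -not $p.$_ }
        if ($open) {
            $findings.Add("Policy $($p.Name): legacy auth still allowed for: $($open -join ', ')")
        }
    }
} else {
    $findings.Add("Org: Get-AuthenticationPolicy unavailable; legacy auth blocking could not be verified")
}

# 3. Weak protocols: TLS 1.0 and 1.1 should be explicitly disabled server-side
#    (SCHANNEL Enabled=0 and DisabledByDefault=1). Evaluated on the local server.
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
    $val = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $val -or $val.Enabled -ne 0 -or $val.DisabledByDefault -ne 1) {
        $findings.Add("$($env:COMPUTERNAME): $proto is not explicitly disabled in SCHANNEL")
    }
}

# Report: each finding is a documented deviation for the risk-ranked remediation plan.
if ($findings.Count -eq 0) {
    "No deviations found for the checked controls."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The script intentionally only reads state: findings feed the deviation list the first guidance item calls for, and any change (enabling mitigations, assigning a policy, editing SCHANNEL keys) belongs in change management so that EM actions and TLS hardening are tracked rather than silently reverted.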
Intelligence Source: Exchange Server Security - CISA and NSA Hardening Guide | Nov 4, 2025