Microsoft Exchange Emergency Mitigation Service Coming Sept. 28
Organizations using Exchange Server will get a new automated emergency mitigation tool after installing Microsoft's September cumulative updates (CUs), the Exchange team announced on Friday.
Update 9/28: Microsoft released CUs for Exchange Server 2016 and 2019 today, which include the new mitigation service. Nuanced instructions are described in this announcement.
This new tool, called the "Microsoft Exchange Emergency Mitigation service," is an automated Exchange Server component that's expected to arrive with the Sept. 28 cumulative updates (CUs) for Exchange Server. The September CUs were delayed from an expected Sept. 21 release to address CU quality issues, but also to deliver this new tool, Microsoft had explained last week.
Microsoft Exchange Emergency Mitigation Service
The Microsoft Exchange Emergency Mitigation service is based on Microsoft's Exchange On-premises Mitigation Tool (EOMT). Microsoft had released the EOMT tool in mid-March to help organizations behind in patching address active threats, particularly from a so-called "Hafnium" advanced persistent threat group involved in widespread attacks leveraging "ProxyLogon" vulnerabilities.
EOMT implements a PowerShell script to configure Exchange Server with "mitigations" against threats, but it's a manually applied ad hoc tool. The Microsoft Exchange Emergency Mitigation service, in contrast, will automate some of this process, and will always apply mitigations when Microsoft releases them.
Mitigations are configuration changes and other actions applied to the server. Microsoft defines an Exchange Server mitigation as "an action or set of actions used to secure an Exchange server from a known threat." Organizations using the Microsoft Exchange Emergency Mitigation service will be tacitly accepting Microsoft's changes.
"Actions performed via a mitigation include URL rewriting, stopping/starting app pools and services, changing authentication settings, and modifying other configuration settings," the Exchange team explained.
The Microsoft Exchange Emergency Mitigation service isn't a substitute for applying security updates (SUs), nor does it relieve organizations of that obligation. It's just there to add protection when Exchange Server is subject to vulnerabilities "that are being actively exploited in the wild," the Exchange team explained. Microsoft is not planning to release mitigations through the tool for all Exchange Server issues.
IT Pros Must Remove Mitigations
The Microsoft Exchange Emergency Mitigation service isn't a wholly automated service. IT pros will have to remove the mitigation after an SU patch for a given vulnerability gets applied.
Here's how the Exchange team expressed that notion:
After a mitigation has been successfully applied, the admin still needs to install the appropriate SU for the underlying vulnerability. After the SU is installed, the mitigations are no longer needed, and the admin must remove them (and the EM service will not reapply them).
For organizations wanting the latest security patches, Microsoft's announcement warned that Exchange Server must already be on the June 2021 CU to receive the September security updates.
Prerequisites for the Emergency Mitigation Service
Microsoft also described a few prerequisites for getting access to the Microsoft Exchange Emergency Mitigation service, namely:
- The IIS URL Rewrite module v2 needs to be installed on the Exchange Server.
- An update for Universal C Runtime in Windows (KB2999226) is needed for users of Exchange Server 2016 on Windows Server 2012 R2.
- Organizations will need an Internet connection to the Office Config Service (OCS).
Microsoft isn't recommending the use of the Microsoft Exchange Emergency Mitigation service for organizations using Exchange Server without Internet connectivity. Here's how that notion was put:
In fact, on Exchange servers without Internet connectivity, you'll want to disable EM because it can't work without Internet connectivity. In those cases, or when you don't want automatic mitigation, we recommend using the EOMT to apply available mitigations manually.
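The three prerequisites above, plus the no-Internet caveat, lend themselves to a read-only check an admin can run on each Exchange server before the September CU lands. The script below is an added example and is not from the article or from Microsoft's EOMT or EM service. It assumes the URL Rewrite module registers itself as the IIS global module "RewriteModule" and under the "IIS Extensions\URL Rewrite" registry key, and that the Office Config Service is reached over HTTPS at officeclient.microsoft.com; confirm both against Microsoft's documentation for your build.

```powershell
# Added example (not from the article, EOMT or the EM service): read-only
# prerequisite check for the Exchange Emergency Mitigation (EM) service.
# Assumptions: URL Rewrite shows up as IIS global module 'RewriteModule' and
# under the 'IIS Extensions\URL Rewrite' registry key; the Office Config
# Service (OCS) is reached over HTTPS at officeclient.microsoft.com.
#Requires -RunAsAdministrator

$OcsHost = 'officeclient.microsoft.com'   # assumed OCS endpoint; verify with Microsoft docs
$UcrtKb  = 'KB2999226'                    # Universal C Runtime update named by Microsoft

function Test-UrlRewriteModule {
    # Prefer the IIS global module list; fall back to the installer's registry key.
    try {
        Import-Module WebAdministration -ErrorAction Stop
        if (Get-WebGlobalModule -Name 'RewriteModule' -ErrorAction SilentlyContinue) { return $true }
    } catch { }
    $key   = 'HKLM:\SOFTWARE\Microsoft\IIS Extensions\URL Rewrite'   # assumed location
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return [bool]($props -and $props.Version -like '2.*')
}

function Test-UcrtUpdate {
    # Only Exchange 2016 on Windows Server 2012 R2 needs KB2999226; newer OS builds ship the runtime.
    $os = Get-CimInstance Win32_OperatingSystem
    if ($os.Caption -notmatch '2012 R2') { return $true }
    return [bool](Get-HotFix -Id $UcrtKb -ErrorAction SilentlyContinue)
}

function Test-OcsReachable {
    # EM cannot fetch mitigations without outbound HTTPS to the OCS.
    $r = Test-NetConnection -ComputerName $OcsHost -Port 443 -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

$results = [ordered]@{
    'IIS URL Rewrite v2 installed'   = Test-UrlRewriteModule
    "$UcrtKb present (2012 R2 only)" = Test-UcrtUpdate
    "HTTPS to $OcsHost"              = Test-OcsReachable
}

$results.GetEnumerator() | ForEach-Object {
    '{0,-35} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}

if (-not $results["HTTPS to $OcsHost"]) {
    # Matches Microsoft's guidance quoted above: offline servers should have EM
    # disabled and receive mitigations manually via EOMT.
    Write-Warning 'No OCS connectivity: disable the EM service and apply mitigations manually with EOMT.'
}
```

Run it in an elevated Exchange Management Shell or regular PowerShell on the mailbox server; a MISSING row for URL Rewrite or the UCRT update means the CU's mitigation component will not function until that prerequisite is installed, and a failed OCS check is the case Microsoft says to handle by disabling EM rather than leaving it half-working.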
Organizations can let the service send diagnostic data to Microsoft, or they can opt out of sending data. Opting out doesn't disable the service.
Microsoft is planning to test the Microsoft Exchange Emergency Mitigation service with a "sample mitigation called PING" at some point. The PING test makes no changes. It just verifies the health of the service.
Autodiscover Security Issue in Exchange Server
Microsoft's new mitigation service for Exchange Server is arriving at an opportune time. Security researchers at Guardicore Labs recently described a leaked Windows domain credential security issue associated with the Autodiscover feature used with Exchange Server.
The vulnerability is said to have given the Guardicore Labs researchers access to "tens of thousands" of Windows domain credentials.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.