- Microsoft has added a new Exchange feature that mitigates high-risk bugs.
- The update follows the exploitation of multiple Exchange vulnerabilities.
- The new service is optional and can be disabled.
Microsoft has implemented a new Exchange feature that protects servers at high risk of attack by applying interim mitigations. The feature aims to buy time, letting admins install security updates before attackers exploit a vulnerability.
Recently, multiple Microsoft Exchange zero-day vulnerabilities were exploited, leaving servers exposed while admins had no patch and no way to secure them.
For customers exposed to the ProxyLogon bugs, the new service builds on the Exchange On-premises Mitigation Tool (EOMT) and applies mitigations that reduce the attack surface.
It works by detecting Exchange Servers exposed to high-risk or known threats. It runs as a Windows service on Exchange Mailbox servers and is installed on them automatically.
Although the mitigation offers protection, it is only temporary and lasts only until the security updates that fix the vulnerability are installed.
The Exchange service applies three types of mitigations:
- IIS URL Rewrite rule mitigation: a rule that blocks known malicious HTTP request patterns that pose a danger to the Exchange server.
- Exchange service mitigation: detects and disables a vulnerable service on an Exchange server.
- App Pool mitigation: disables a vulnerable application pool on an Exchange server.
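The three mitigation types above each leave a footprint an admin can inspect: a rewrite rule on the IIS front-end site, a disabled Windows service, or a stopped application pool. The following PowerShell snippet is an added example, not code from the article or from Microsoft, that audits all three surfaces on a Mailbox server so an admin can see what has been applied. It assumes the IIS WebAdministration module is installed, that it runs elevated on the Mailbox server, and that the site and app pool names follow the default Exchange naming; those names are assumptions to adjust for your environment.

```powershell
# Added example (not from the article or from Microsoft): audit the three
# mitigation surfaces the EM service can touch on an Exchange Mailbox server.
# Assumes the IIS WebAdministration module is available and that this runs
# elevated on the Mailbox server. Site and app pool names are the usual
# defaults and are assumptions; adjust them for your environment.
Import-Module WebAdministration

# 1. IIS URL Rewrite rules on the front-end site: list each rule's match
#    pattern and action so the admin can see which request patterns are
#    being blocked by a rewrite-rule mitigation.
$site = 'IIS:\Sites\Default Web Site'
Get-WebConfiguration -Filter '/system.webServer/rewrite/rules/rule' -PSPath $site |
    Select-Object name,
        @{ n = 'Pattern'; e = { $_.match.url } },
        @{ n = 'Action';  e = { $_.action.type } } |
    Format-Table -AutoSize

# 2. Exchange services: report any that are not running or are disabled.
#    A service switched off by a service mitigation shows StartType 'Disabled'.
Get-Service -Name 'MSExchange*' |
    Where-Object { $_.Status -ne 'Running' -or $_.StartType -eq 'Disabled' } |
    Select-Object Name, Status, StartType |
    Format-Table -AutoSize

# 3. Application pools: report any Exchange app pool that is not started,
#    which is what an app pool mitigation leaves behind.
Get-ChildItem 'IIS:\AppPools' |
    Where-Object { $_.Name -like 'MSExchange*' } |
    ForEach-Object {
        [pscustomobject]@{
            AppPool = $_.Name
            State   = (Get-WebAppPoolState -Name $_.Name).Value
        }
    } |
    Where-Object { $_.State -ne 'Started' } |
    Format-Table -AutoSize
```

Run it before and after a mitigation is reported so the difference in output shows exactly which rule, service or app pool changed; that record is useful when deciding what to re-enable once the security update is installed.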
The Emergency Mitigation service can be disabled
As noted above, a mitigation is only temporary and lasts until the security update can be installed. The service is therefore not a replacement for patching; it only offers a rapid way of addressing high-risk vulnerabilities. Admins who do not want automatic mitigations applied to their servers can choose to disable the EM service.
Admins who do not wish to use the EM service can also apply the mitigations through other controls. Mitigations tend to reduce server functionality, so they are recommended only for high-impact or high-risk issues.
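Opting out does not have to mean removing the service: the per-server mitigation settings can be read and changed from the Exchange Management Shell. The snippet below is an added example, not code from the article or from Microsoft, showing how to check the EM service and the recorded mitigation state and then either turn automatic mitigations off for the server or block one specific mitigation while leaving the rest on. It assumes the Exchange Management Shell, the MitigationsEnabled, MitigationsApplied and MitigationsBlocked parameters of Get-ExchangeServer and Set-ExchangeServer as shipped on the Exchange builds that include the EM service, the service name MSExchangeMitigation, and a placeholder mitigation ID; the service name and the ID are assumptions to verify against your server.

```powershell
# Added example (not from the article or from Microsoft): inspect the EM
# service and mitigation state on this Mailbox server, then show the two ways
# an admin can opt out. Run in the Exchange Management Shell. The service name
# 'MSExchangeMitigation' and the mitigation ID 'M01' are assumptions; verify
# them against your own server before relying on them.
$server = $env:COMPUTERNAME

# Is the EM service present, and is it running?
Get-Service -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# Which mitigations are applied on this server, and is automatic application on?
Get-ExchangeServer -Identity $server |
    Format-List Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

# Option A: turn automatic mitigations off for this server entirely.
# The service stays installed; the server then depends on timely patching.
Set-ExchangeServer -Identity $server -MitigationsEnabled $false

# Option B (instead of A): keep automatic mitigations on but block one
# specific mitigation that interferes with a workload. 'M01' is a placeholder;
# use the ID reported under MitigationsApplied for the rule to exclude.
# Set-ExchangeServer -Identity $server -MitigationsBlocked @('M01')

# Re-read the state to confirm the change was recorded.
Get-ExchangeServer -Identity $server |
    Format-List Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked
```

Option B is the narrower choice: it keeps the server covered by future mitigations while excluding only the one that broke something, whereas Option A removes the safety net altogether and should be paired with a firm patching schedule.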
What do you think of such kinds of mitigations? Should they be automatic? Leave a comment down below.