In recent months, Microsoft Exchange has become a primary target for hackers, who take advantage of vulnerabilities that a business or organization has not recently patched. In response to these attacks, Microsoft has released a new one-click mitigation tool dubbed Microsoft Exchange Emergency Mitigation service (EM) to help users secure their environments and respond to rising threats from the recent Exchange Server on-premises attacks. The new tool is designed to help organizations lagging behind in patching to apply interim mitigations against active threats, specifically from the Microsoft Exchange zero-day vulnerabilities being exploited by state-sponsored hacking groups.
What Is the Microsoft Exchange Emergency Mitigation Service (EM)?
Microsoft Exchange Emergency Mitigation service (EM) builds upon Microsoft’s Exchange On-premises Mitigation Tool (EOMT), released in March to help organizations reduce the attack surface exposed by the ProxyLogon bugs. EM is designed to run as a Windows service on Exchange Mailbox servers and is installed automatically on servers with the Mailbox role once the September 2021 CU for Exchange Server 2016 or Exchange Server 2019 has been applied.
How Does the EM Service Work?
The service works with the cloud-based Office Config Service (OCS) to detect whether the Exchange server is vulnerable to one or more known threats. It then automatically protects against those threats by applying interim mitigations until the admin or the organization’s IT security team installs the corresponding security update. Once installed on an Exchange server, the EM service can apply three types of mitigation:
- App Pool mitigation: Disables a vulnerable app pool on an Exchange server
- IIS URL Rewrite rule mitigation: This rule blocks patterns of HTTP requests that are risky to an Exchange server
- Exchange service mitigation: Disables a vulnerable service on an Exchange server
If Microsoft discovers a security threat, it creates a mitigation for that specific issue. Once created, the mitigation is sent directly to the Exchange server and, subject to the settings already configured there, is applied automatically to resolve the threat.
Specifically, the mitigation package is an XML file that contains all the settings needed to mitigate one or more known security threats. Once the Exchange server receives the mitigation, the EM service validates its signature to confirm that the XML file has not been tampered with; the mitigation is applied only after that validation succeeds.
Emergency Mitigation is optional: businesses and organizations that don’t want to use the service are free to disable the feature and continue using Microsoft’s Exchange On-premises Mitigation Tool to mitigate threats manually. Keep in mind that the mitigations applied by the EM service are only temporary fixes; the Security Update that fixes the vulnerability must still be installed.
Prerequisites for the EM service
There are specific prerequisites that must already be present on the Windows Server where Exchange is installed or will be installed. If any of them is absent, the EM service will not deploy successfully:
- IIS URL Rewrite Module
- Universal C Runtime in Windows (KB2999226) for Windows Server 2012 and Windows Server 2012 R2
- PowerShell 3 or later
- Exchange 2013, 2016, or 2019
Additionally, the EM service needs outbound connectivity to the OCS to check for and download mitigations. If the OCS is not reachable, you will encounter setup issues during the readiness check, so make sure the OCS is reachable from the server where Exchange is installed for the EM service to work as intended.
How do I test the EM Service?
You can use the Test-MitigationServiceConnectivity.ps1 script to confirm that an Exchange server has connectivity to the OCS. If the server has connectivity, the output will include the message:
Message: The Mitigation Service endpoint is accessible from this computer.
If a server lacks connectivity, the output will read:
Message: Unable to connect to the Mitigation Service endpoint from this computer
Can I Disable Automatic Applications of Mitigations?
If your company has put in place alternative methods to mitigate unknown threats, you can disable automatic mitigation either at the Exchange server level or at the organization level. By default, mitigations are enabled (set to “True”). When you set them to “False,” the EM service still checks for mitigations hourly, but it won’t automatically apply them to any Exchange server in your organization.
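The following PowerShell ties the connectivity check and the enable/disable setting together. It is an illustration added here, not code from the article or from Microsoft: it runs the Test-MitigationServiceConnectivity.ps1 script the article names, reads the current mitigation state for each server and for the organization, and then switches automatic application off (and back on) at either level. It assumes it is run from the Exchange Management Shell, where $exscripts is the shell’s variable for the Exchange Scripts folder, and that the MitigationsEnabled, MitigationsApplied and MitigationsBlocked parameters and properties are the ones exposed by Get-ExchangeServer, Set-ExchangeServer and Set-OrganizationConfig. The server name EXCH01 and the mitigation ID are placeholders to replace with your own values.

```powershell
# Added example (not from the article or Microsoft). Run from the Exchange Management
# Shell on a Mailbox server that already has the September 2021 CU installed.
# Placeholders: $Server (your server name) and $BlockedId (a mitigation ID from the
# EM service output); $exscripts is the shell's built-in Scripts folder variable.

$Server    = "EXCH01"            # placeholder server name
$BlockedId = "<MitigationId>"    # placeholder mitigation ID

# 1. Confirm the server can reach the Office Config Service (OCS).
#    The script prints one of the two messages quoted in the article.
& (Join-Path $exscripts "Test-MitigationServiceConnectivity.ps1")

# 2. Review the current EM state: whether automatic application is enabled,
#    which mitigations have been applied, and which are blocked, per server
#    and at the organization level.
Get-ExchangeServer |
    Format-Table Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked -AutoSize
Get-OrganizationConfig | Format-List MitigationsEnabled

# 3a. Disable automatic application on a single server. The EM service keeps
#     polling the OCS hourly but stops applying mitigations to this server.
Set-ExchangeServer -Identity $Server -MitigationsEnabled $false

# 3b. Or disable it for the whole organization in one step.
Set-OrganizationConfig -MitigationsEnabled $false

# 3c. Alternatively, keep automatic application on but block one specific
#     mitigation that conflicts with your own controls.
Set-ExchangeServer -Identity $Server -MitigationsBlocked @($BlockedId)

# 4. Re-enable automatic application once the Security Update is installed,
#    and clear any block list so future mitigations are applied again.
Set-ExchangeServer -Identity $Server -MitigationsEnabled $true -MitigationsBlocked @()
Set-OrganizationConfig -MitigationsEnabled $true

# 5. Verify the change took effect.
Get-ExchangeServer -Identity $Server |
    Format-List Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked
```

Step 3c is worth keeping in mind even when you leave the service enabled: blocking a single mitigation is narrower than turning EM off, so the server still receives every other interim fix while you work on the one that conflicts with your environment. Whatever you choose, the Security Update remains the real fix; step 4 exists so the temporary opt-out does not outlive the reason for it.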
Where Can I Download the EM Service for My Organization?
The EM service is included in Cumulative Update 21 (CU21) for both Exchange Server 2019 and Exchange Server 2016 mailbox servers. However, before you obtain the tool, you must meet the prerequisites outlined above. Notably, Microsoft states that the EM service only works on Exchange servers with internet connectivity, so organizations running Exchange Server without internet connectivity will not benefit from this service.
CTI Technology Can Protect your IT Infrastructure from Cyberthreats
In recent times, cyberattacks have escalated across the globe to affect virtually every industry. A recent report by Cybersecurity Ventures reveals the financial damage from cybercrime is expected to hit $10.5 trillion by the end of 2025. Additionally, cybersecurity experts predict that in 2021, there will be a cyberattack incident every 11 seconds, up from every 19 seconds in 2019. Although Microsoft is taking extra steps to secure its products, there is a lot that individual organizations and companies need to do to secure their IT infrastructure.
CTI Technology leverages the best technological tools and vast experience to implement adequate security strategies and solutions for Microsoft platforms and other aspects of your IT infrastructure. Whether you need data backup, virus, malware, and intruder suppression, endpoint protection, DDoS protection service, data breach prevention, or continuous system and network monitoring, CTI Technology has you covered. Our solutions are designed to protect all users, including your remote and in-office workforce, by providing user to user and access to access point protection from cyber actors with malicious intent.
CTI Technology also provides a range of other managed IT solutions, including help desk services, onsite and cloud backup services, cloud and hosted services, monitoring and maintenance, backup and disaster recovery, cloud migrations, and more. Our managed IT services allow you access to the latest technologies and highly specialized engineers at affordable monthly rates. Contact us today to request a quote.