Microsoft Exchange Server Emergency Mitigation Released
The latest cumulative update to Microsoft's Exchange Server software platform, released in the last week of September 2021, has a new threat mitigation feature.
MS's new Emergency Mitigation (EM) software component automatically mitigates vulnerabilities for Microsoft's customers' Exchange Servers by creating and executing vulnerability mitigations. By using Microsoft's Office Configuration Service, the EM service checks for mitigations hourly.
Table of Contents
If Microsoft finds out about the danger, we can create a mitigation for a security threat and send it directly to the Exchange server to automatically apply the preconfigured settings. This feature was announced in a community blog post by the Exchange Server team.
Administrators can also disable the EM service if they want to manage mitigations independently. As stated previously, "Exchange EM is not a replacement for Exchange SUs." Still, it is the quickest and most effective way to mitigate the highest risks to internet-connected, on-premises Exchange servers before updating.
Microsoft planned to launch a new Emergency Mitigation (EM) component in the September 2021 Cumulative Updates. A Windows service on Exchange Server runs EM alongside other Exchange Server components.
The built-in EOMT protects against security threats that have known mitigations via the cloud-based Office Configuration Service (OCS). Clients of Office users will already be familiar with OCS.
To automatically apply security mitigations to Exchange servers, customers can select to use EM. For organizations that don't wish to use EM, administrators can disable it and manually mitigate threats using EOMT instead.
Identifying the threat and taking action to mitigate it is mitigation.
Microsoft can create mitigation for a security threat and then send it directly to the Exchange server, implementing the preconfigured settings for the issue.
XML files containing configuration settings are included in the mitigation package. Exchange's EM service validates the XML signature to ensure no tampering has occurred and that the issuer and subject are correct, and then applies the mitigation(s) after successful validation.
The EM service provides customers with a temporary and interim mitigation measure until a security update fixing the vulnerability can be applied. We have already stated that EM is not a replacement for Exchange support utilities. Still, it is the fastest and easiest way to mitigate the most significant risks to on-premises Exchange servers connected to the Internet.
When you install the CU for September 2021 (or later) on your Mailbox servers, the EM service will be installed automatically. Edge Transport servers will not receive the service. Administrators can deactivate EM if they wish after it has been installed.
Due to EM's inability to function without Internet connectivity, you should disable Exchange Management without Internet connectivity. To apply mitigation manually in these cases or when automatic comfort isn't desired, use the EOMT. In the case of restrictions that prevent outgoing connectivity to the OCS, you must enable outbound connectivity.
You can apply several mitigations automatically to Exchange servers to identify and block known threats in the wild. EM services (like EOMT services) offer several mitigation options, including:
- Filtering malicious HTTPS requests with an IIS rewrite rule
- Enabling a service in Exchange
- An app pool or virtual directory can be disabled
Actions performed via a mitigation include:
- URL rewriting
- topping/starting app pools and services
- Changing authentication settings
- Modifying other configuration settings
Accordingly, the EM service may automatically disable Exchange server features or functionality to protect your organization and mitigate risk.
You can block any EM mitigation for a known threat if your organization has an alternative means of addressing it.
You will also notice that the License Terms acceptance process has changed once you install the September 2021 (or later) CU. You can now send diagnostic information about mitigation from your Exchange servers. EM service checks for available comforts and sends this information to OCS.
The New License Agreement screen appears when you're using the GUI version of Setup. The following choices are available to you:
"I accept the license agreement and will share diagnostic data with Microsoft":
This option enables Microsoft to receive data and accepts the license agreement by default.
"I accept the license agreement, but I'm not ready to share diagnostic data with Microsoft":
Microsoft data will not be sent to Microsoft when this option is selected.
"I do not accept the license agreement":
The CU cannot be installed if you do not agree to the EULA (like all CUs).
With the inclusion of new Setup switches, these options may also be set up through a scripted or unseen command line setup:
Using this new switch during Setup lets you accept the license terms and send optional data to Microsoft.
You can use the new Setup switch to disable Microsoft's optional data collection and accept the license terms.
The cmdlet can be used to enable or disable sending optional data from any Exchange server to OCS after Setup has been completed. Use the following command:
To disable sending optional data to Microsoft, run:
Set-ExchangeServer -Identity *ServerName> -DataCollectionEnabled $false.
You can enable sending optional data to Microsoft by setting up:
ExchangeServer -Identity *ServerName> -DataCollectionEnabled $true.
Each Exchange server, when checking for mitigations, sends the following information to Microsoft if sending optional data is enabled:
- Exchange Server builds: The CU and SU version numbers of the Exchange server.
- Emergency Mitigation service state: This page provides details about what the EM service is configured to do (for example, sending data and automatically mitigating).
- Immutable Device ID: Server-specific identification.
- Immutable Org ID: Your Exchange environment has a unique identifier for each organization.
- Applied mitigations: An overview of all mitigations, along with their current status.
- Blocked mitigations: Admins can choose to block mitigations.
You will now have additional prerequisites for installing Exchange with the addition of the EM Service. Installing the Update for Universal C Runtime in Windows (KB2999226) is needed first if you use Exchange Server 2016 on Windows Server 2012 R2. If this update is not installed, Exchange Setup will not be able to proceed.
The Exchange server also needs a connection to the OCS. Exchange cannot function properly without this connection.