Microsoft to launch Exchange Server Emergency Mitigation – automated tools

PetitPotam, ProxyShell and the Autodiscover vulnerabilities on the Microsoft Exchange servers have created a need for an automated emergency risk mitigation tools for on-premise Microsoft Exchange servers. The Cloud based Microsoft Exchange is already end-to-end managed by the Microsoft cloud security team.

And, Microsoft announced on 24th September that it will roll out an Exchange Server Emergency Mitigation tool this September. This tool will address the need of keeping the on-premise Microsoft Exchange servers protected against the newly declared vulnerabilities on the Microsoft Exchange servers. The goal is to keep on-premise Exchange servers remain protected against new threats. This move stands to help those teams that do not have permanent Exchange administrators or a proper IT security team to handle external threats.

What is the Exchange Server Emergency Mitigation tool?

The Exchange Server Emergency Mitigation or the EM tool is a new tool, that will be rolled out as part of the Exchange Security update for September 2021 to all the on-premise Exchange servers. You cannot choose to not deploy this security update component. The Emergency Mitigation tool builds upon the functionality already provided by the Exchange On-Premise Mitigation Tool or the EOMT tool that was rolled out to all the on-premise Exchange servers in March 2021. It works by integrating closely with the Office Client Service or the OCS to fetch latest threat mitigation updates from the Microsoft site.

Here are the main features of the EM tool or the Exchange Server Emergency Mitigation Tool

1. The EM will install on top of the Windows operating system as a normal service component. It will run as a Windows service on an on-premise Exchange server. As an administrator, you can manage this service just like any other Windows service. You can choose to disable it or set it up for automatic startup.
2. Before you can install the security update containing the EM tool, you will need to ensure that the on-premise server has a working Internet connection. If your on-premise server does not have Internet exposure, you do not need to install the EM tool.
3. Your on-premise Microsoft Exchange server must have the IIS rewrite module version 2 active. The rewrite module on the IIS helps in re-writing URLs for making them more user-friendly. In some cases, you may want to use the IIS rewrite module services for creating and managing a URL structure that is friendly for the search engine bots. The current version of the IIS rewrite module service is version 2.1, and you could check the latest version by visiting Microsoft’s dedicated page for the IIS rewrite module here.
4. If you are on one of the older Exchange versions i.e. Microsoft Exchange 2016 on the Windows Server 2012 r2, you will need to install the C Runtime environment before this EM tool can be installed on the server. The Universal C runtime environment can be installed on the Windows Server r2 as part of the KB2999226.
5. Your Exchange server should be able to integrate with the OCS or the Office Client Services. The self-hosted Exchange server should be able to access the URL – https://officeclient.microsoft.com/.

How does the EM or the Exchange Emergency Mitigation Service Tool work?

1. The Exchange EM tool will fetch vulnerability and mitigation details using the OCS on an hourly basis. Every hour, the EM tool will seek details of a fix for an exploitable vulnerability, if any.
2. If there is a mitigation available, the EM tool will fetch the mitigation details and apply to the Exchange server automatically.
3. As part of vulnerability management and risk mitigation, the EM tool may take one or more of the following designated actions automatically:
   • Disable an Exchange feature or service, automatically.
   • Implement an IIS rewrite structure to null-route or dead-route the malicious links as part of the vulnerability remediation
   • Disable access to a virtual directory
   • Disable an app or app pool
   • Change authentication settings for an exploitable service or feature or directory

As the administrator of the Exchange server, Microsoft allows you multiple options to manage the EM tool and the mitigations.

1. You can choose to block specific mitigation
2. You can choose to remove a mitigation from the box
3. You can enable to disable automatic application of the mitigation
4. You can, altogether, disable the Exchange Mitigation tool by stopping the service associated with the EM Tool.

Summary

Automatic threat mitigation for the hosted or the on-premise Exchange Servers is a welcome move by Microsoft. By rolling out the EM tool in the September cumulative update for the on-premise or the self-hosted Microsoft Exchange servers, Microsoft has ensured that the on-premise Exchange customers will be able to enjoy the same level of proactive security monitoring (and, potentially, application of security patches) that a hosted Office 365 administrator would get.