WORKS2011 (United States) asked:
Critical Security Issues w/On-Premise Exchange Servers - Extended Protection

What experiences are other EErs having with on-premise Exchange servers in conjunction with the ongoing security issues reported in the article below (dated Aug 9)? These are a continuation of the Exchange vulnerabilities (CVE-2022-21980, CVE-2022-24477, and CVE-2022-24516) rated as critical severity and allowing privilege escalation.


Microsoft: Exchange ‘Extended Protection’ needed to fully patch new bugs 


What are others experiencing with Extended Protection? We ran healthchecker.ps1, which informs us to enable Extended Protection; however, there are some warnings reported that we can't seem to resolve. Can we enable Extended Protection in this state?


Has anyone run the ExchangeExtendedProtectionManagement.ps1 script? Was it successful, and did it cause any issues? Does it give the option to back out if a prerequisite is missing?


The majority of our clients are on 365; however, some like keeping their email on site. Over the years we waited longer to push clients to 365, to witness what may happen after all the hype is over. Sure enough, now it appears there are just as many issues concerning 365 as there are with on-premise Exchange servers. This is obviously questionable and open to discussion; however, to be more on point, we would love feedback from both sides.
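An added read-back check, not code from the original post and not Microsoft's HealthChecker or ExchangeExtendedProtectionManagement.ps1: before and after running the EP script, it reads the Extended Protection state IIS actually holds for every Exchange virtual directory (tokenChecking of None, Allow or Require), together with the TLS registry values that Microsoft requires to be identical on every Exchange server before EP is enabled. It assumes the standard Exchange IIS site names "Default Web Site" and "Exchange Back End"; which directory is expected to be Require versus Allow is defined by Microsoft's EP documentation and is not encoded here.

```powershell
# Added example, not from the original post or from Microsoft's scripts.
# Run in an elevated PowerShell on each Exchange server and compare the output
# across servers. Assumes the standard Exchange IIS site names below.
Import-Module WebAdministration

function Get-IisAttribute {
    # Get-WebConfigurationProperty returns a ConfigurationAttribute object for
    # some attribute types and a bare value for others; normalize to a string.
    param([string]$Location, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $Location -Filter $Filter -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $null -ne $v.Value) { return [string]$v.Value }
    return [string]$v
}

function Get-ExchangeExtendedProtectionState {
    # One row per Exchange virtual directory (IIS application) under each site.
    param([string[]]$Sites = @('Default Web Site', 'Exchange Back End'))
    foreach ($site in $Sites) {
        foreach ($app in Get-WebApplication -Site $site) {
            $location = "$site$($app.Path)"   # e.g. "Default Web Site/Autodiscover"
            $token = Get-IisAttribute $location `
                'system.webServer/security/authentication/windowsAuthentication/extendedProtection' 'tokenChecking'
            $winAuth = Get-IisAttribute $location `
                'system.webServer/security/authentication/windowsAuthentication' 'enabled'
            $ssl = Get-IisAttribute $location 'system.webServer/security/access' 'sslFlags'
            [pscustomobject]@{
                VirtualDirectory = $location
                WindowsAuth      = $winAuth
                # "None" means channel binding is not enforced on this vDir at all.
                TokenChecking    = $(if ($token) { $token } else { 'None' })
                SslFlags         = $ssl
            }
        }
    }
}

function Get-ExchangeTlsRegistryState {
    # EP requires the TLS configuration to be identical on all Exchange servers;
    # these are the SCHANNEL and .NET values to compare server by server.
    $keys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server',
        'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client',
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($key in $keys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $key
            Enabled                  = $p.Enabled               # SCHANNEL keys only
            DisabledByDefault        = $p.DisabledByDefault     # SCHANNEL keys only
            SchUseStrongCrypto       = $p.SchUseStrongCrypto    # .NET keys only
            SystemDefaultTlsVersions = $p.SystemDefaultTlsVersions
        }
    }
}

# Usage: run on every server, diff the two tables. A vDir still at "None" after
# the EP script ran, or TLS values that differ between servers, is what to chase.
Get-ExchangeExtendedProtectionState | Sort-Object VirtualDirectory | Format-Table -AutoSize
Get-ExchangeTlsRegistryState | Format-List
```

Reading the values back from applicationHost.config rather than from the script's own log answers the "can we back out" question directly: if a directory was left at an unexpected setting, the setting that must be restored is visible, and the same read-back run on a server that has not been touched gives the pre-change baseline.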


ASKER CERTIFIED SOLUTION
Philip Elder (Canada)

This solution is only available to members of Experts Exchange.
WORKS2011 (ASKER) replied:
> Take a deep breath. ;)
Ha, thanks. I always perform better when I'm grounded. Great advice.

> From the linked article in your original post.
I skipped right over this. It definitely leaves a different sense of urgency, thinking on-premise Exchange servers are sitting wide open. Appreciate it.

> The first line of defense is always "Train the Human".
Couldn't agree more. We've bumped up our end-user training, and even our own in-house training, quite a bit over the last year. Sometimes all it takes is weekly meetings where we sit around and share experiences with phishing emails that we almost fell for, or a news article that had us really worried. This has helped quite a bit: when everyone realizes they are all in the same boat, it's a good reminder to be vigilant.

> The second line of defense, and it's a distant one because I have yet to see a foolproof "security" product and/or system that can stop the baddies once a user clicks on something, is the A/V client on user endpoints, Intrusion Protection, Edge/Router security, and so on.
We start from immutable backups following the 3-2-1 backup model. From there, a solid EDR solution that is monitored 24/7; in the attacks we've had so far, all human-initiated, the lateral movement was stopped at the infected device and not allowed to go any further. Reporting tools are critical too, to report on and learn about what happened to prevent it from happening again.

> As far as Exchange on-premises, _all_ of our clients are still on-premises Exchange. SPLA makes that cost minimal, and all are in verticals that look at OpEx as anathema, plus: "Why would we put our stuff on someone else's computer?" and "One of our client's e-mail is offline _again_!" (Our client's client is in O365.)
Completely understand.

On the immutable backups: Make sure to do a full bare-metal or hypervisor restore of the VMs on at least a quarterly basis to make sure they are viable.

Test via incremental, then test via full. Make sure the backup chains are good, consolidate if possible, then test after.