CISA and NSA Outline New Security Best Practices for Microsoft Exchange Servers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued updated guidance to help organizations strengthen their defenses against rising cyber threats. The advisory comes in response to a surge of targeted attacks exploiting critical vulnerabilities in Microsoft Exchange Server.

According to CISA, organizations should consider moving to cloud-based email services to simplify management and reduce security risks associated with maintaining on-premises infrastructure. To support this transition securely, CISA advises adopting configuration baselines from its SCuBA (Secure Cloud Business Applications) program, which provides validated security settings and practices tailored for cloud environments.

Zero Trust architecture recommended to enhance cyber resilience

Organizations are advised to adopt a Zero Trust (ZT) architecture to strengthen Exchange Server security by enforcing least privilege access, denying default permissions, and continuously verifying user identities and device health. They must also limit access to Exchange Admin Center (EAC) and remote PowerShell.

Additionally, enterprise admins enable multifactor authentication (MFA) for all privileged accounts, enforce TLS and HTTP Strict Transport Security (HSTS), and prevent credential relay and downgrade attacks. CISA has warned that certain Exchange Server versions that have already reached end-of-life (EOL) no longer receive security updates, which makes them highly vulnerable to exploitation. Organizations are strongly encouraged to migrate to Exchange Server SE or secure cloud-based email services.

“With the threat to Exchange servers remaining persistent, enforcing a prevention posture and adhering to these best practices is crucial for safeguarding our critical communication systems,” said Nick Andersen, Executive Assistant Director for the Cybersecurity Division (CSD) at CISA. “This guidance empowers organizations to proactively mitigate threats, protect enterprise assets, and ensure the resilience of their operations.

NSA recommends regular updates and use of Microsoft security tools

According to the NSA, administrators should ensure that Exchange servers are running the latest Cumulative Updates (CU) and security patches. They should also use tools like Health Checker, SetupAssist, and Microsoft’s Update Guide.

It’s also recommended to ensure that the Emergency Mitigation (EM) service is enabled to automatically apply security fixes to Exchange Servers via Microsoft’s cloud. These mitigations include IIS URL Rewrite rules and disabling vulnerable services to reduce exposure to known threats.

Organizations should enhance both authentication and encryption mechanisms to strengthen the security of Microsoft Exchange Servers. This includes using TLS to secure communications, enabling Extended Protection to block credential relay attacks, and transitioning from outdated protocols like NTLM to more secure options such as Kerberos and SMBv3.

Lastly, it’s highly recommended to implement Modern Authentication with OAuth 2.0 and multi-factor authentication within the organization. Moreover, certificate-based signing for PowerShell and enforcing HTTP Strict Transport Security (HSTS) help protect against tampering and unauthorized access during web interactions.

CISA has recently issued a warning about a critical vulnerability in Microsoft Exchange Server. This flaw (identified as CVE-2025-53786) could allow attackers to move from on-premises systems into the Microsoft 365 cloud environment.