Microsoft to Enable Extended Protection By Default on Exchange Server


Key takeaways:

  • Microsoft is introducing default Extended Protection on Exchange Server, elevating security against cyberattacks.
  • Extended Protection strengthens NTLM protocol to counter credential theft and man-in-the-middle attacks.
  • Microsoft will let Exchange Server administrators opt out of the default configuration.

Microsoft has announced its plans to enable Exchange Extended Protection by default on Exchange Server later this year. Scheduled to roll out with the 2023 H2 Cumulative Update, the new security feature will help organizations boost protection against credential theft and man-in-the-middle attacks.

Exchange Extended Protection is a security feature designed to secure communication between client and server. It strengthens the NTLM (Windows NT LAN Manager) protocol used to authenticate users in Windows environments. The feature helps protect users against various types of attacks, including credential theft and man-in-the-middle (MITM) attacks.

Last year, Microsoft introduced Extended Protection support to mitigate specific vulnerabilities in Exchange Online. Currently, IT admins need to manually enable Extended Protection support on Exchange Servers in their tenants. Starting with the 2023 H2 Cumulative Update (CU), Microsoft will enable Exchange Extended Protection by default for Exchange Server 2019.

“EP allows a binding to occur within Windows Authentication in IIS between the auth information passed at the Application layer and the TLS encapsulation at the lower levels of the protocol stack. Auth information is also supplemented by adding the namespace the client is accessing in the connection,” the Exchange team explained.

Microsoft to let Exchange Server admins opt out of the default Exchange Extended Protection setting

Microsoft notes that organizations will be able to use the command-line CU installer to opt out of the default Exchange Extended Protection configuration. However, IT admins who use the unattended Setup/scripts to deploy cumulative updates will need to add the new Setup parameter manually. Microsoft recommends the following course of action:

  • Exchange Server customers who are already running the Aug 2022 SU (or later) and have already enabled Extended Protection will need to install CU14.
  • Customers who are running the Aug 2022 SU (or later) but have not yet enabled Exchange Extended Protection will need to install CU14 with the default ‘Enable EP’ setting.
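Before the CU14 step, an administrator usually wants to know where each server actually stands. The following PowerShell audit is an added example, not code from the article or from Microsoft: it reads the Extended Protection setting IIS keeps for every Exchange virtual directory. The WebAdministration module and the default IIS site names that Exchange Setup creates are assumed.

```powershell
# Added example: audit the Extended Protection (EP) state of every Exchange
# virtual directory in IIS. Assumes the WebAdministration module and the default
# site names Exchange Setup creates ("Default Web Site" front end, "Exchange Back End").
Import-Module WebAdministration

$Filter = 'system.webServer/security/authentication/windowsAuthentication'
$Sites  = @('Default Web Site', 'Exchange Back End')

# EP is stored in extendedProtection/@tokenChecking: None = off, Allow = accepted
# when the client sends a binding, Require = binding enforced. Read it for one IIS
# location, tolerating the two shapes the provider can return (plain value or a
# ConfigurationAttribute with a .Value).
function Get-EpTokenChecking {
    param([string]$Location)
    $raw = Get-WebConfigurationProperty -Filter $Filter -Name 'extendedProtection.tokenChecking' `
        -PSPath 'IIS:\' -Location $Location -ErrorAction SilentlyContinue
    if ($null -eq $raw) { return 'Unknown' }
    if ($raw.PSObject.Properties['Value']) { $raw = $raw.Value }
    # Enum values may come back numerically; map them to their names.
    switch ("$raw") { '0' { 'None' } '1' { 'Allow' } '2' { 'Require' } default { "$raw" } }
}

function Get-ExchangeEpReport {
    foreach ($site in $Sites) {
        foreach ($app in Get-WebApplication -Site $site) {
            $location = "$site$($app.Path)"     # e.g. "Default Web Site/owa"
            $state = Get-EpTokenChecking -Location $location
            [pscustomobject]@{
                VirtualDirectory = $location
                TokenChecking    = $state
                # Only Require enforces the binding between the auth token and the TLS channel.
                Enforced         = ($state -eq 'Require')
            }
        }
    }
}

$report = Get-ExchangeEpReport
$report | Format-Table -AutoSize
$notEnforced = @($report | Where-Object { -not $_.Enforced })
if ($notEnforced.Count -gt 0) {
    Write-Warning "$($notEnforced.Count) virtual director(ies) do not enforce Extended Protection."
}
```

Microsoft's documented EP configuration deliberately leaves a few virtual directories below Require, so compare the report against the published per-directory table rather than treating every non-Require entry as a defect.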

Microsoft advises all administrators to enable Exchange Extended Protection in their organizations. “If you have any servers older than the August 2022 SU, then your servers are considered persistently vulnerable and should be updated immediately. Further, if you have any Exchange servers older than the August 2022 SU, you will break server-to-server communication with servers that have EP enabled,” the Exchange team added.

It’s important to note that threat actors are increasingly looking to discover and exploit vulnerabilities in Exchange Server. The integration of Exchange Extended Protection support should offer a robust defense against rising threats like MITM attacks.

FAQs

What are the system requirements for implementing Exchange Extended Protection on older Exchange Server versions?

Exchange Extended Protection requires Exchange Server 2016 or later, with all the latest security updates installed. Organizations must ensure their systems meet specific prerequisites, including running on Windows Server 2016 or newer and having the latest .NET Framework version installed.

How does Exchange Extended Protection impact performance and resource utilization?

Exchange Extended Protection typically has minimal impact on server performance, with a negligible increase in CPU and memory usage. However, organizations should monitor their systems during initial implementation and may need to adjust their resource allocation accordingly.

Can Exchange Extended Protection be integrated with third-party security tools?

Yes, Exchange Extended Protection is designed to work seamlessly with most third-party security solutions. However, organizations should verify compatibility with their existing security stack and may need to update their security tools to ensure optimal integration.

What backup and recovery options are available when using Exchange Extended Protection?

Exchange Extended Protection maintains compatibility with standard backup solutions and disaster recovery procedures. Organizations should update their backup policies to include the new protection settings and ensure their recovery plans account for the Extended Protection configuration.

How does Exchange Extended Protection handle multi-site deployments?

Exchange Extended Protection supports multi-site deployments and can be configured across different geographical locations. Organizations need to ensure consistent implementation across all sites and maintain proper synchronization of security settings between different Exchange servers.