WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), in collaboration with international cybersecurity partners, have released the “Microsoft Exchange Server Security Best Practices” guidance. This blueprint builds upon CISA’s “Emergency Directive 25-02: Mitigate Microsoft Exchange Vulnerability” and recommends proactive prevention techniques to address cyber threats head-on and to protect sensitive information and communications within on-premises Exchange Servers as part of hybrid Exchange environments.
In an era of escalating cyber threats, this comprehensive document is a critical resource for organizations relying on Microsoft Exchange, designed to equip on-premises administrators with essential security measures to enhance prevention and fortify defenses. By restricting administrative access, implementing multifactor authentication, enforcing strict transport security configurations, and adopting zero trust (ZT) security model principles, organizations can significantly bolster their defenses against potential cyberattacks. Additionally, as certain Exchange Server versions have recently become end-of-life (EOL), the authoring agencies strongly encourage organizations to take proactive steps to mitigate risks and prevent malicious activity
“Even amid a prolonged government shutdown riddled with partisan rhetoric, CISA remains dedicated to safeguarding critical infrastructure by providing timely guidance to minimize disruptions and to thwart nation-state threats,” said CISA Acting Director Madhu Gottumukkala. “Under the leadership of President Trump and Secretary Noem, CISA continues to demonstrate the power of operational collaboration by working shoulder to shoulder with our trusted intelligence and law enforcement partners across the globe”
“With the threat to Exchange servers remaining persistent, enforcing a prevention posture and adhering to these best practices is crucial for safeguarding our critical communication systems,” said Nick Andersen, Executive Assistant Director for the Cybersecurity Division (CSD) at CISA. “This guidance empowers organizations to proactively mitigate threats, protect enterprise assets, and ensure the resilience of their operations. Furthermore, CISA recommends that organizations evaluate the use of cloud-based email services instead of managing the complexities associated with hosting their own communication services. CISA provides secure baselines for these through our Secure Cloud Business Applications (SCuBA) program.”
The publication of this guidance marks a significant step in the ongoing efforts to enhance cybersecurity across various sectors. By following these best practices, organizations can better protect themselves from potential threats and ensure the integrity of their communication infrastructure. Under the Trump Administration, CISA has issued 20 joint cybersecurity advisories and threat intelligence guidance with our Five Eyes allies – the United Kingdom, Canada, Australia, and New Zealand – as well as with our trusted international partners. Together, we have exposed nation-state-sponsored intrusions, AI-enabled ransomware operations, and ever-evolving threats to critical infrastructure.
For more information, please visit: CISA’s Microsoft Exchange Server Security Resource Page.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.