Systems powered by Microsoft’s Exchange Server 2019 will soon get an additional layer of protection, the company has announced.
In a short update, Microsoft confirmed the imminent arrival of Windows Extended Protection (EP) on these servers. The feature will be turned on by default after the H2 2023 Cumulative Update (CU14) installs.
H2 2023 Cumulative Update
EP is a tool that looks to strengthens Windows Server auth functionality and thus better prevent man-in-the-middle (MitM) attacks.
“Today, we wanted to let you know that starting with the 2023 H2 Cumulative Update (CU) for Exchange Server 2019 (aka CU14), EP will be enabled by default when CU14 (or later) is installed,” Microsoft added. “Exchange Server 2019 is currently in Mainstream Support and is the only version that still gets CUs.”
IT teams that don’t feel this feature will be beneficial to them can opt out through the command-line CU installer, it was added.
Depending on the security updates already installed on the endpoints, Microsoft’s recommended course of action is as follows:
– For those with Aug 2022 SU or later and EP enabled: Simple CU14 installation
– For those with Aug 2022 SU or later, but EP not yet enabled: CU14 installation with ‘Enable EP’ default feature left on.
Those with Exchange Server versions earlier than the Aug 2022 SU are advised to update their servers to the latest SU as soon as possible.
Extended Protection was added to the Exchange Server in August 2022. Back then, Microsoft told IT teams that for some vulnerabilities, the feature would need to be turned on. It later deployed a script that automatically turns EP on or off, and which worked even on subsequently updated endpoints.
“We recommend that all customers enable EP in their environment. If your servers are running the August 2022 SU or later SU, then they already support EP,” Microsoft said. “If you have any servers older than the August 2022 SU, then your servers are considered persistently vulnerable and should be updated immediately.
“Further, if you have any Exchange servers older than the August 2022 SU, you will break server-to-server communication with servers that have EP enabled.”
Via: BleepingComputer
