The Cybersecurity and Infrastructure Security Agency and the National Security Agency, along with global cybersecurity partners, have issued new guidance outlining best practices to secure Microsoft Exchange servers against cyberattacks.
The release is part of an ongoing collaboration between U.S. and allied cybersecurity agencies to counter evolving threats to critical infrastructure and national security, CISA said Thursday.
Cyber defense driven by artificial intelligence will be among the topics for discussion at the Potomac Officers Club’s 2025 Homeland Security Summit on Nov. 12. Book your seat now for this Nov. 12 conference, with top representatives from industry and government agencies set to exchange views on building a resilient homeland security enterprise.
The 15-page document, titled Microsoft Exchange Server Security Best Practices, expands on CISA’s earlier Emergency Directive 25-02 and provides technical recommendations for organizations using on-premises Exchange or hybrid environments.
What Are the Roadmap’s Suggested Cybersecurity Steps?
The guidance urges organizations to enforce a prevention posture, emphasizing principles such as least privilege, deny-by-default and timely patching. It calls for maintaining regular security updates and enabling Microsoft’s Emergency Mitigation Service to reduce system vulnerabilities.
It also recommends applying security baselines across Exchange servers, operating systems and mail clients to maintain consistent configurations and quickly identify deviations. Agencies, such as the Defense Information Systems Agency, the Center for Internet Security and Microsoft, have published baseline templates that network administrators can follow.
The document further suggests enabling built-in protections, including Microsoft Defender Antivirus, Antimalware Scan Interface, Attack Surface Reduction, AppLocker and Exchange’s own anti-spam and anti-malware tools.
Additional Guardrails Through Zero Trust Principles
Additional measures—such as restricting administrative access, implementing multifactor authentication, enforcing transport security and adopting zero-trust principles—can further strengthen defenses, according to the guidance. CISA and NSA also warned that some Exchange Server versions have reached end-of-life and urged organizations to take proactive steps to mitigate associated risks.
“With the threat to Exchange servers remaining persistent, enforcing a prevention posture and adhering to these best practices is crucial for safeguarding our critical communication systems,” said Nick Andersen, executive assistant director for CISA’s cybersecurity division. “This guidance empowers organizations to proactively mitigate threats, protect enterprise assets and ensure the resilience of their operations,” the agency official stressed.
