The Cybersecurity and Infrastructure Security Agency and the National Security Agency, along with global cybersecurity partners, have issued new guidance outlining best practices to secure Microsoft Exchange servers against cyberattacks.
The release is part of an ongoing collaboration between U.S. and allied cybersecurity agencies to counter evolving threats to critical infrastructure and national security, CISA said Thursday.
Cyber defense driven by artificial intelligence will be among the topics for discussion at the Potomac Officers Club’s 2025 Homeland Security Summit on Nov. 12. Book your seat now for this Nov. 12 conference, with top representatives from industry and government agencies set to exchange views on building a resilient homeland security enterprise.
The 15-page document, titled Microsoft Exchange Server Security Best Practices, expands on CISA’s earlier Emergency Directive 25-02 and provides technical recommendations for organizations using on-premises Exchange or hybrid environments.
Table of Contents
What Are the Roadmap’s Suggested Cybersecurity Steps?
The guidance urges organizations to enforce a prevention posture, emphasizing principles such as least privilege, deny-by-default and timely patching. It calls for maintaining regular security updates and enabling Microsoft’s Emergency Mitigation Service to reduce system vulnerabilities.
It also recommends applying security baselines across Exchange servers, operating systems and mail clients to maintain consistent configurations and quickly identify deviations. Agencies, such as the Defense Information Systems Agency, the Center for Internet Security and Microsoft, have published baseline templates that network administrators can follow.
The document further suggests enabling built-in protections, including Microsoft Defender Antivirus, Antimalware Scan Interface, Attack Surface Reduction, AppLocker and Exchange’s own anti-spam and anti-malware tools.
Additional Guardrails Through Zero Trust Principles
Additional measures—such as restricting administrative access, implementing multifactor authentication, enforcing transport security and adopting zero-trust principles—can further strengthen defenses, according to the guidance. CISA and NSA also warned that some Exchange Server versions have reached end-of-life and urged organizations to take proactive steps to mitigate associated risks.
“With the threat to Exchange servers remaining persistent, enforcing a prevention posture and adhering to these best practices is crucial for safeguarding our critical communication systems,” said Nick Andersen, executive assistant director for CISA’s cybersecurity division. “This guidance empowers organizations to proactively mitigate threats, protect enterprise assets and ensure the resilience of their operations,” the agency official stressed.
Related Articles
The Senate on Thursday confirmed Gen. Kenneth Wilsbach as the 24th chief of staff of the U.S. Air Force, Breaking Defense reported. Wilsbach will succeed Gen. David Allvin, who announced plans to retire in August. Secretary of the Air Force Troy Meink welcomed Wilsbach’s confirmation on X, saying, “With his vast experience in the Pacific and as a commander at all levels, he is the right leader for the [U.S. Air Force].” President Donald Trump nominated Wilsbach for the role in September. His nomination was announced despite his prior plans to retire after nearly 40 years of active duty service.
President Donald Trump has directed the Department of Defense to “immediately” begin testing of nuclear weapons, a move the U.S. has not taken since 1992, Reuters reported Thursday. Announcing the decision from South Korea, Trump cited growing global nuclear programs and emphasized that the U.S. has the largest nuclear arsenal, calling Russia second and China a distant third. “Because of other countries testing programs, I have instructed the Department of War to start testing our Nuclear Weapons on an equal basis. That process will begin immediately,” the president said in his post on Truth Social. Which Companies Are Likely to
State, local, tribal and territorial governments can now apply for federal funding to acquire counter-drone technologies under the Department of Homeland Security’s Counter-Unmanned Aircraft Systems Grant Program. Federal and local coordination against emerging aerial threats will take center stage at the 2025 Homeland Security Summit on Nov. 12. Leaders from DHS, CISA and law enforcement agencies will examine how new technologies, funding programs and public-private collaboration are strengthening national resilience. Register now to join homeland security experts shaping the future of counter-drone innovation and public safety strategy. How Can Agencies Apply? Applications must be submitted through the FEMA Grants Outcomes