A new cybersecurity blueprint aimed at strengthening Microsoft Exchange Server environments has been released by the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and international partners.
The Microsoft Exchange Server Security Best Practices guidance outlines techniques to reduce exposure to cyber-attacks and secure sensitive communications across hybrid and on-premises deployments.
The release builds on CISA’s Emergency Directive 25-02 and outlines measures such as restricting administrator access, using multi-factor authentication (MFA), tightening transport security settings and adopting zero-trust principles. It arrives amid continued concerns over threat actors targeting Exchange servers.
Key Technical Focus Areas
The guidance stresses the importance of limiting unauthorized entry points and strengthening authentication processes, while also enhancing encryption standards.
Additionally, it highlights the importance of support lifecycles, noting that some Exchange versions have reached end-of-life (EOL).
The agencies also strongly recommend minimizing risk by migrating to supported email software or a supported service, or by disconnecting unsupported and EOL systems.
Recommended priorities include:
- Restricting administrative access to dedicated systems
- Enabling MFA and modern authentication
- Applying Microsoft’s Exchange Emergency Mitigation service
- Enforcing TLS and strict transport security
- Maintaining software baselines and using built-in security features
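The following audit script is an added example and is not part of the CISA/NSA guidance or of this article. It is run from the Exchange Management Shell on an on-premises Exchange server and reports on several of the priorities listed above: installed build (for baseline comparison), Exchange Emergency Mitigation service status, modern (OAuth) authentication, membership of the top-level admin role group, legacy TLS protocol settings in the Windows SCHANNEL registry, and whether an HSTS header is configured on the IIS Default Web Site. The function name `Get-ExchangeHardeningReport` is the example's own; the HSTS check assumes the header is set through IIS `customHeaders` and that the WebAdministration module is available, and the registry and IIS checks assume the script runs on the server being audited.

```powershell
# Added example: audit a few of the recommended Exchange hardening priorities.
# Run in the Exchange Management Shell on the server being checked.
function Get-ExchangeHardeningReport {
    [CmdletBinding()]
    param(
        [string]$Server = $env:COMPUTERNAME
    )

    $report = [ordered]@{}

    # 1. Software baseline: record the build so it can be compared against
    #    Microsoft's current CU/SU list (the comparison itself is manual).
    $exch = Get-ExchangeServer -Identity $Server
    $report['Server'] = $exch.Name
    $report['Build']  = $exch.AdminDisplayVersion.ToString()

    # 2. Exchange Emergency Mitigation service (EEMS): org-wide switch,
    #    per-server switch, and mitigations currently applied.
    $org = Get-OrganizationConfig
    $report['EEMS_OrgEnabled']    = $org.MitigationsEnabled
    $report['EEMS_ServerEnabled'] = $exch.MitigationsEnabled
    $report['EEMS_Applied']       = ($exch.MitigationsApplied -join ',')

    # 3. Modern authentication (OAuth) setting used by hybrid deployments.
    $report['OAuth2Enabled'] = $org.OAuth2ClientProfileEnabled

    # 4. Administrative access: who holds the highest-privilege role group.
    $orgMgmt = @(Get-RoleGroupMember -Identity 'Organization Management')
    $report['OrgMgmtMemberCount'] = $orgMgmt.Count
    $report['OrgMgmtMembers']     = ($orgMgmt | ForEach-Object { $_.Name }) -join ','

    # 5. Legacy TLS/SSL server-side protocols via SCHANNEL registry keys.
    #    Enabled=0 means explicitly disabled; a missing key or value means the
    #    Windows default applies and should be reviewed for that OS version.
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
        $enabled = $null
        if (Test-Path $key) {
            $enabled = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Enabled
        }
        $label = 'Legacy_' + ($proto -replace '[ .]', '') + '_Enabled'
        $report[$label] = if ($null -eq $enabled) { 'Default' } else { $enabled }
    }

    # 6. HSTS header on the IIS Default Web Site (assumption: configured as a
    #    custom response header rather than by another mechanism).
    try {
        Import-Module WebAdministration -ErrorAction Stop
        $hdrs = Get-WebConfiguration -PSPath 'IIS:\Sites\Default Web Site' `
            -Filter 'system.webServer/httpProtocol/customHeaders/add'
        $hsts = $hdrs | Where-Object { $_.name -eq 'Strict-Transport-Security' }
        $report['HSTS_Header'] = if ($hsts) { $hsts.value } else { 'missing' }
    } catch {
        $report['HSTS_Header'] = "check failed: $($_.Exception.Message)"
    }

    [pscustomobject]$report
}

# Usage: print the report for the local server.
Get-ExchangeHardeningReport | Format-List
```

The script only reads configuration; it changes nothing. A 'Default' value for a legacy protocol means the SCHANNEL key is absent, so the effective setting depends on the Windows Server version and should be confirmed rather than assumed to be disabled.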
Collaboration and Ongoing Initiatives
Officials emphasized the importance of steady cooperation across government and allied cybersecurity organizations, despite political friction and a prolonged government shutdown.
“Even amid a prolonged government shutdown riddled with partisan rhetoric, CISA remains dedicated to safeguarding critical infrastructure by providing timely guidance to minimize disruptions and to thwart nation-state threats,” said CISA acting director, Madhu Gottumukkala.
“Under the leadership of President Trump and Secretary Noem, CISA continues to demonstrate the power of operational collaboration.”
Nick Andersen, CISA’s executive assistant director for the Cybersecurity Division (CSD), also commented on the news, calling for continued vigilance amid a persistent threat landscape.
“With the threat to Exchange servers remaining persistent, enforcing a prevention posture and adhering to these best practices is crucial for safeguarding our critical communication systems,” Andersen said.
“This guidance empowers organizations to proactively mitigate threats, protect enterprise assets and ensure the resilience of their operations.”
The agencies also encouraged organizations to evaluate cloud-based email platforms, pointing to secure baselines offered through CISA’s SCuBA program.