Microsoft Exchange Emergency Mitigation (EM) Service

Microsoft Exchange Server is one of the most widely deployed email and messaging platforms in the world, and for many businesses and organizations it is the foundation of their communications infrastructure. Exchange Server runs with high privileges in the Windows domain, which makes it an attractive target: an attacker who compromises an Exchange server gains a foothold from which to move laterally through the rest of the infrastructure, with devastating consequences for the business.

Following a series of attacks that exploited zero-day vulnerabilities in on-premises Microsoft Exchange servers, Microsoft has released a new tool for emergency mitigation. The Microsoft Exchange Emergency Mitigation service shipped with the September 2021 Cumulative Update (CU) and is the fastest and easiest way to mitigate the highest-risk threats to internet-connected, on-premises Exchange servers before the applicable Security Updates (SUs) are installed. The service does not install patches itself; it reduces exposure in the window between a vulnerability becoming known and the SU that fixes it being applied.

Automated Protection for Vulnerable Exchange Servers

The Microsoft Exchange Emergency Mitigation service is based on Microsoft’s Exchange On-premises Mitigation Tool (EOMT), a one-click tool that applies interim mitigations to an Exchange server to minimize the exposed attack surface until the administrator can install an available SU. Like other Exchange Server components, the Emergency Mitigation (EM) service runs as a Windows service (MSExchangeMitigation) and is installed automatically on servers with the Mailbox role when the September 2021 (or later) CU is deployed on Exchange Server 2016 or Exchange Server 2019. That CU requires the IIS URL Rewrite Module as a setup prerequisite, because URL rewrite rules are one of the mitigation types the service applies.

The Emergency Mitigation service is a built-in version of the EOMT that relies on the cloud-based Office Config Service (OCS) to obtain mitigations for known threats. A mitigation is an action, or set of actions, that secures an Exchange server against a known threat. Because a new mitigation can be published at any time in response to an emerging threat, the EM service checks the OCS for mitigations every hour. When Microsoft identifies a security threat that warrants one, the mitigation is published to the OCS and each Exchange server picks it up on its next hourly check.

A mitigation package is an XML file containing the settings needed to mitigate a known security threat. When the Exchange server downloads a mitigation, the EM service validates its digital signature to verify that the XML has not been tampered with in transit or at rest. Once validation succeeds, the mitigations the package contains are applied automatically.

Actions performed via mitigation include:

  • Changing authentication settings.
  • Stopping/starting app pools and services.
  • URL rewriting.
  • Modifying other configuration settings.

This means that, to protect your organization and reduce risk, the Emergency Mitigation service may automatically disable features or functionality on an Exchange server. Administrators can inspect and control applied mitigations with Exchange Management Shell cmdlets and scripts, which allow viewing, reapplying, blocking, or removing mitigations.

Once installed on an Exchange server, the EM service can apply three types of mitigations:

  • IIS URL Rewrite rule mitigation: a rule that blocks specific patterns of malicious HTTP requests that can endanger an Exchange server.
  • Exchange service mitigation: disables a vulnerable service on an Exchange server.
  • App Pool mitigation: disables a vulnerable IIS application pool on an Exchange server.
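The Exchange Management Shell commands an administrator would actually run to check the EM service, verify its connectivity to the OCS, list the mitigations it has applied, and block or disable mitigations, as an added example (this is not code from the original article or from Microsoft). It assumes an Exchange 2016 CU22 / Exchange 2019 CU11 or later Mailbox server named EX01 (substitute your own server name) and a shell opened by an administrator in the Organization Management role group. The mitigation ID M01 is used as an illustration; use the IDs reported by Get-Mitigations.ps1 on your own server.

```powershell
# Added example: inspecting and controlling the Exchange Emergency Mitigation service.
# Assumption: the server is named EX01 and this runs in the Exchange Management Shell.
$server = 'EX01'

# 1. Is the EM service installed and running on the server?
Get-Service -ComputerName $server -Name MSExchangeMitigation |
    Select-Object Name, Status, StartType

# 2. Is EM enabled for the organization and for this server, and what has it
#    applied or blocked so far? (MitigationsApplied / MitigationsBlocked list IDs.)
Get-OrganizationConfig | Select-Object MitigationsEnabled
Get-ExchangeServer -Identity $server |
    Format-List Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

# 3. Can the server reach the Office Config Service? Without this the hourly
#    check silently fetches nothing, so verify it on a new or firewalled server.
& (Join-Path $env:ExchangeInstallPath 'Scripts\Test-MitigationServiceConnectivity.ps1')

# 4. Describe every mitigation known to this server (ID, type, whether applied).
& (Join-Path $env:ExchangeInstallPath 'Scripts\Get-Mitigations.ps1')

# 5. Block a specific mitigation, e.g. because it disabled a feature you depend on,
#    then confirm the block list. 'M01' is an illustrative ID.
Set-ExchangeServer -Identity $server -MitigationsBlocked @('M01')
(Get-ExchangeServer -Identity $server).MitigationsBlocked

# 6. After the relevant SU is installed, clear the block list again so future
#    mitigations are not silently skipped.
Set-ExchangeServer -Identity $server -MitigationsBlocked @()

# 7. Opting out entirely: per server (e.g. an air-gapped server that cannot reach
#    the OCS) or for the whole organization. Uncomment the one you mean.
# Set-ExchangeServer -Identity $server -MitigationsEnabled $false
# Set-OrganizationConfig -MitigationsEnabled $false

# 8. Audit trail: the EM service logs what it fetched and applied under the
#    Exchange Logging folder. Show the five most recent log files.
Get-ChildItem (Join-Path $env:ExchangeInstallPath 'Logging\MitigationService') |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 Name, LastWriteTime
```

Step 3 is the check most often skipped: the EM service only pulls mitigations, so a server whose outbound HTTPS to the OCS is blocked stays unprotected while reporting MitigationsEnabled as True. Step 6 matters because a block persists across future mitigation releases for that ID.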

Optional Feature that Can Be Disabled

The Emergency Mitigation service is an optional feature. Organizations that don’t want Microsoft to apply mitigations to their Exchange servers automatically can disable it, per server or for the whole organization, and continue to apply mitigations manually with the EOMT. Microsoft also doesn’t recommend relying on the Emergency Mitigation service for Exchange servers without Internet connectivity, because the service cannot reach the OCS to fetch mitigations. In that case, or whenever automatic mitigation is not wanted, use the EOMT to apply available mitigations manually.

Do I Still Need to Install Exchange Server Security Updates?

Yes. Exchange Server Security Updates (SUs) are still required; according to Microsoft, the new service is not meant to replace them. The Emergency Mitigation service is a temporary measure for organizations until they can apply the security update that actually fixes the vulnerability.

Mitigations are deployed automatically as an interim measure for high-risk vulnerabilities that have a known mitigation, giving organizations more time to apply the available patches. Because a mitigation may reduce server functionality, Microsoft plans to release mitigations only for the highest-impact or highest-severity issues. Every organization running Exchange Server should therefore prioritize applying security updates as soon as they are available, whether or not the Exchange Emergency Mitigation service is enabled.

Need Emergency IT Services? LAN Infotech Can Help!

Cyberattacks continue to increase in frequency and sophistication, and businesses must secure their IT infrastructure. The most effective way to reduce the security risks of an on-premises Exchange Server, which requires continuous monitoring, upgrading, and patching, is to move to a hybrid configuration or migrate entirely to the cloud. In a hybrid setup, the remaining Exchange Server does not need to be internet-facing when all mailboxes are hosted in the Microsoft cloud.

LAN InfoTech is a Microsoft Cloud Services Provider helping organizations in Fort Lauderdale and South Florida deploy business-grade Microsoft cloud solutions to streamline operations and enhance the functionality of Microsoft Exchange and other Microsoft applications. We can help you move your Exchange Server to the cloud or implement other technologies when you need to deploy an on-premises solution. Our team of Microsoft-certified engineers will evaluate your business needs to develop customized, scalable solutions that meet your business requirements and ensure a seamless migration without downtime.

LAN InfoTech’s cloud systems provide multiple security layers that safeguard your business-critical data from natural or human-made disasters. We can help your organization effectively manage risks, avert threats, and deal with various emergencies such as ransomware. Our efficient emergency IT services are available 24/7 to help restore your network immediately, ensuring your business doesn’t suffer any downtime. No matter the scope of your IT emergency, LAN InfoTech IT support teams have you covered. We can help you diagnose your emergency and get you the help you need to recover from unplanned downtime quickly.

Some of the emergency IT issues we regularly help resolve for our clients include:

  • Emergency data recovery
  • Correcting network failures
  • Reestablishing Internet access
  • Solving security breaches
  • Removing malware and viruses
  • Fixing hardware and software problems

No business is ready for a system failure or hardware crash – when it happens, it’s always unexpected and devastating to employee productivity and your finances. When you or a team member has an issue, a quick phone call to LAN Infotech gets you up and running in no time. Don’t wait for an emergency to have your plan in place. Contact us today to schedule a consultation.