Microsoft Exchange EM: Services Security Administrators Need to Know

If your business is running on-premises Exchange servers, it’s a good idea to take advantage of the major protections Microsoft provides. Microsoft launched in September Exchange EM (Emergency Mitigation) serviceall. This service is included in the September 2021 Cumulative Update, but does not replace the patch. Exchange EM provides a better way to secure your on-premises Exchange servers.
ⓒ Getty Images Bank

A zero-day attack on Microsoft’s Exchange servers in May revealed that many companies have not applied the latest patches. Upon learning of this, Microsoft started working with Microsoft Defender Antivirus, which includes automatic mitigation, and System Center Endpoint Protection. Exchange On-Premises Mitigation Tool (EOMT)was immediately distributed.

“EOMT is a tool that applies temporary mitigations to Exchange servers to proactively minimize vulnerable attack points until administrators can install security updates,” Microsoft said. We recommend using it when you need to deploy an Internet-accessible Exchange server and quickly mitigate risk while preparing an update.”

What is Microsoft Exchange EM Service?

Microsoft realized the need for further action and released the September update. EM was included. “EM runs like a Windows service on an Exchange server,” Microsoft said. A built-in version of EOMT that works with the cloud-based Office Config Service (OCS), and mitigations protect against known security threats. OCS is the same online configuration service that office clients use.”

EM once every hour Investigate the URLCheck the OCS. When Microsoft becomes aware of a security threat, it creates a mitigation for the problem and applies the mitigation settings to the server. A mitigation package is an XML file that is signed so that the file is not tampered with. EM does not replace security updates, but helps users deploy and test updates. If you install the September cumulative update, the EM service is automatically installed on all mailbox servers. It is not installed on Edge Transport servers and you can disable the EM service in the admin settings.

Prerequisites for EM

To use EM, Internet Information Services (IIS) URL Rewrite Module v2 must be installed on the Exchange Server. If the module does not exist, an error message is displayed during cumulative update. When the September Cumulative Update is installed, you will need the IIS URL Rewrite module with or without EM.

If you are using Windows Server 2012 R2 with Exchange 2016 installed, you must first install KB2999226 (Update for Universal C Runtime) before performing the cumulative update. During installation, you will be notified about the prerequisites. Of course, an internet connection is essential for the EM service to work.

How EM works

When an attack occurs, the EM service performs several optional actions to protect the network. IIS rewrite rules filter out malicious HTTPS requests, disable Exchange Server, and disable virtual directories or app pools. It is similar to the method taken by the U.S. Department of Justice in April for a preemptive response when the patch servers were hacked in January and February. At the time, the FBI, in accordance with a court order, removed the web shell identified by its unique file path from the Exchange server.

As part of the EM service, Microsoft sends a sample mitigation called PING. Users can check if the OCS and the server are properly connected by pinging.

Once the cumulative update is installed, users can use the ‘Get-Mitigations.ps1PowerShell’ script to review what mitigations are available and what options are available. Users can disable mitigations temporarily or permanently if interactions are suspected. If it is temporarily disabled, the EM service can be restarted later.

EM service activity is logged in the Windows event log. If it works normally, new events 1005 and 1006 with the source name ‘MSExchange Mitigation Service’ are recorded. Event 1008 is logged if the EM service is not connected to the Internet or the associated OCS. Find your own logging in the ‘V15LoggingMitigationService’ folder in the Exchange Server installation directory.

Orange Tsai, a security researcher and exchange vulnerability expert, pointed out at a recent Black Hat security conference that there are no vulnerability compensation programs in on-premises Exchange environments. Other security industry insiders were also concerned about the recent lack of interest in on-premises servers. In this regard, it is refreshing to see that Microsoft provides the security solutions it provides for cloud services to on-premises environments as well.

If there are companies that still run on-premises Exchange servers, it is recommended to use the resources and tools provided by Microsoft to prepare for the risk of hacking. Zero-day attacks are a common method used by hackers. Microsoft responded to this risk to its on-premises customers. We strongly recommend that you test and install the EM service on your mail server.

Hackers are not only collecting passwords through an Exchange zero-day attack using the Autodiscover function, but are also looking for various ways to break into the network by all means. With EM services, you will be able to protect your servers with the most up-to-date guidelines and methods without rushing to install security updates. [email protected]

Source: ITWorld Korea by

*The article has been translated based on the content of ITWorld Korea by If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!

*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.

*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!