Microsoft Exchange update enables Extended Protection by default
Microsoft is automatically enabling Windows Extended Protection on Exchange servers once this month's 2024 H1 Cumulative Update is installed.
Extended Protection (EP) will be toggled on by default when Exchange Server 2019 CU14 is installed, strengthening Windows Server authentication to mitigate authentication relay and man-in-the-middle attacks.
Microsoft first introduced Exchange Server EP support in August 2022, with cumulative updates released as part of the August 2022 Patch Tuesday, when it fixed several critical-severity Exchange vulnerabilities that allowed privilege escalation.
One year later, the company announced that Exchange Extended Protection would be enabled by default on all Exchange servers after deploying CU14.
"If you have any servers older than the August 2022 SU, then your servers are considered persistently vulnerable and should be updated immediately. Further, if you have any Exchange servers older than the August 2022 SU, you will break server-to-server communication with servers that have EP enabled."
Microsoft also urged customers one year ago to always keep their on-premises Exchange servers up to date so they're ready to deploy emergency security patches.