Security News > 2024 > February > Microsoft Exchange update enables Extended Protection by default

Microsoft is automatically enabling Windows Extended Protection on Exchange servers after installing this month's 2024 H1 Cumulative Update.

Extended Protection will automatically be toggled on by default when installing Exchange Server 2019 CU14 to strengthen Windows Server auth functionality to mitigate authentication relay and man-in-the-middle attacks.

Microsoft first introduced Exchange Server EP support in August 2022, with cumulative updates released as part of the August 2022 Patch Tuesday when it fixed several critical severity Exchange vulnerabilities, allowing for privilege escalation.

One year later, the company announced that Exchange Extended Protection would be enabled by default on all Exchange servers after deploying CU14.

"If you have any servers older than the August 2022 SU, then your servers are considered persistently vulnerable and should be updated immediately. Further, if you have any Exchange servers older than the August 2022 SU, you will break server-to-server communication with servers that have EP enabled."

Microsoft also urged customers one year ago to always keep their on-premises Exchange servers up-to-date so they're ready to deploy emergency security patches.

News URL

https://www.bleepingcomputer.com/news/security/microsoft-exchange-update-enables-extended-protection-by-default/