This is a big thing in the Exchange world from my POV! I believe this is dropping sometime today (28th September!)
Exchange OWA, ECP etc. are exposed online not only for mailbox access, calendar sharing but also are a requirement for hybrid mode sync capabilities.
Vulnerabilities in Exchange this year (ProxyLogon/ProxyShell) have shown how problematic an attack surface this is. The good news is, Microsoft have created a feature for Exchange to help mitigate these attacks in the future via the EM Service!
“The Exchange Emergency Mitigation service (EM service) is to help keep your Exchange Servers secure by applying mitigations to address any potential threats against your servers. It uses the cloud-based Office Config Service (OCS) to check for and download available mitigations and to send diagnostic data to Microsoft.
The EM service runs as a Windows service on an Exchange Mailbox server. When you install the September 2021 (or later) CU on Exchange Server 2016 or Exchange Server 2019, the EM service will be installed automatically on servers with the Mailbox role. The EM service will not be installed on Edge Transport servers.
The use of the EM service is optional. If you do not want Microsoft to automatically apply mitigations to your Exchange servers, this feature can be disabled.”
I’ll update this later when the CU drops! The CU is now released for Exchange 2019 and 2016:
To enable this it looks like you need the MSI for the IIS URL REWRITE module:
Also make sure you install the update from an elevated (high process) prompt. MIcrosoft recomend deployment in the lab prior to production deployment, everyone has a test environment right? right?
Also remember to use the Exchange Update Wizard to make sure your on the right path:
I’ll see if I can do some lab installs and post a blog!