CISA releases security best practices guide for on-site Microsoft Exchange Servers


The US Cybersecurity and Infrastructure Security Agency (CISA) has released a 15-page best practices guide so that organizations still running the now-outdated Microsoft Exchange Servers can properly harden their systems against known threats.

Microsoft officially killed off its support for Exchange Servers 2016 and 2019 on October 14th, leaving tens of thousands of organizations worldwide vulnerable to exploitation by malicious actors.

The new Microsoft Exchange Server Best Practices guide focuses on hardening user authentication and access, ensuring strong network encryption, and minimizing application attack surfaces, CISA said.


Cybersecurity guiding principles, such as deny-by-default, least privilege, timely updates, and minimizing the attack surface, are the central tenets of the paper, as well as incorporating principles for “Embracing a Zero Trust Security Model.”

Furthermore, the guide recommends steps organizations should take to “decommission any remaining end-of-life on-premises or hybrid Exchange servers” after transitioning to cloud-based Microsoft 365, to avoid ongoing exploitation activity.

Although Microsoft did not issue an official comment, it noted to Cybernews that a significant amount of its previously published guidance has been incorporated into the document.

“Threat activity targeting Exchange continues to persist, and organizations with unprotected or misconfigured Exchange servers remain at high risk of compromise,” the agency bulletin states.

And even before support ended in October, CISA was actively warning of imminent security risks for many of these unpatched, end-of-life (EOL) servers.

Critical threats overwhelm on-site Exchange servers


In August, CISA issued an emergency directive for federal agencies to immediately patch a Microsoft Exchange hybrid-joined configuration vulnerability (CVE-2025-53786) to prevent hackers from “gaining significant control of a victim’s M365 Exchange Online environment.”

The August warning built on a hotfix Microsoft had released in April to prevent malicious actors from gaining administrative access to on-site Exchange servers.

With access, the hackers could easily escalate privileges, jump to the cloud, and compromise related Microsoft 365 infrastructure, including taking control of emails, user accounts, and other services.

In fact, only three days ago, the German Federal Office for Information Security (BSI) issued a dire warning that 92% of on-premises Microsoft Exchange servers in the nation are running outdated software.


As of August 2025, roughly 45,000 companies, mainly in the US, are running what are now considered legacy Microsoft Exchange Servers, according to the site Landbase GTM Intelligence.

Besides the US and Germany, most of the world’s Microsoft Exchange Servers can be found in France, Japan, and the United Kingdom, the stats showed.

The newly released guide was authored by CISA in conjunction with the National Security Agency (NSA), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), and the Canadian Centre for Cyber Security (Cyber Centre).
