Exchange Server Security Best Practices for 2025: How to Protect Your Organisation
Summary
Microsoft Exchange remains at the core of many organisations’ communication systems, but its widespread use makes it a top target for cyber attackers. In October 2025, the NSA, CISA, ASD’s Australian Cyber Security Centre (ACSC), and the Canadian Cyber Centre released updated Microsoft Exchange Server Security Best Practices guidance. This joint publication provides a clear roadmap for hardening on-premises Exchange environments against compromise.
This article summarises the most important Exchange Server security best practices, translating global recommendations into actionable steps for Australian organisations aligned with the ACSC Essential Eight framework.
1. Enforce a Prevention-First Posture
The first principle is a prevention-first mindset: deny by default and grant least privilege. Only authorised administrators, working from dedicated and hardened workstations, should be able to reach Exchange administrative tools. Limit the attack surface with network segmentation and strict firewall rules so that only the ports each server role needs are reachable, maintain configuration baselines, and use automated checks to detect drift early.
Many Exchange compromises begin with an unpatched vulnerability or an over-privileged account. A prevention posture reduces that exposure before an incident occurs, rather than relying on detection after the fact.
2. Maintain a Reliable Patching Cadence
Keeping Exchange updated is one of the most effective defences against exploitation. Microsoft now ships two Cumulative Updates (CUs) a year, with Security Updates (SUs) and hotfix updates released in between as vulnerabilities are fixed. Attackers frequently have working exploits within days of an SU being published, so patching windows need to be measured in days, not months. Administrators should follow the Exchange Team Blog for release announcements, verify each server before and after an update with Microsoft's Exchange Health Checker script (HealthChecker.ps1), and use SetupAssist to diagnose a failed setup run. Consistent patching keeps servers resilient to known vulnerabilities and supports the ACSC Essential Eight "Patch Applications" control.
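The following script is an added example (it is not from the joint guidance or from Microsoft) that inventories the exact build of every Exchange server and flags any that are behind the build you expect. It assumes it is run from the Exchange Management Shell with WinRM access to each server, and the ExpectedBuild value is a placeholder you set from Microsoft's published Exchange build list.

```powershell
# Added example: compare every Exchange server's exact build against the
# build you expect after the latest SU. Not part of the joint guidance.
# Assumptions: Exchange Management Shell session, WinRM to each server,
# -ExpectedBuild supplied from Microsoft's "Exchange Server build numbers" page.

param(
    # Placeholder: set from Microsoft's published build list, e.g. 15.2.2562.17
    [Parameter(Mandatory = $true)]
    [version]$ExpectedBuild
)

# AdminDisplayVersion only reports the CU level; the ExSetup.exe file version
# carries the exact build, including the Security Update.
$results = foreach ($server in Get-ExchangeServer | Sort-Object Name) {
    $fileVersion = Invoke-Command -ComputerName $server.Fqdn -ScriptBlock {
        (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
    }
    [pscustomobject]@{
        Server     = $server.Name
        CuVersion  = $server.AdminDisplayVersion.ToString()
        ExactBuild = [version]$fileVersion
        Status     = if ([version]$fileVersion -ge $ExpectedBuild) { 'Current' } else { 'BEHIND' }
    }
}

$results | Format-Table -AutoSize

# For a fuller review of each server (TLS, EP, vulnerabilities, AV exclusions),
# run Microsoft's HealthChecker.ps1 from the CSS-Exchange repository:
# .\HealthChecker.ps1 -Server EX01

# Non-zero exit so a scheduled job or monitoring check can alert on drift
if ($results.Status -contains 'BEHIND') {
    Write-Warning "One or more Exchange servers are behind build $ExpectedBuild"
    exit 1
}
```

Run it after every SU deployment; a server reporting the right CU but an older ExSetup build is one where the SU install silently failed or was never applied.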
3. Migrate End-of-Life Versions Immediately
As of October 2025, Exchange Server Subscription Edition (SE) is the only supported on-premises version; Exchange 2016 and 2019 reached end of support on 14 October 2025 and no longer receive security updates, which significantly increases risk. Organisations still on those releases should migrate as soon as possible: Exchange 2019 on CU14 or later supports an in-place upgrade to SE, while Exchange 2016 requires new SE servers and mailbox moves. If legacy servers must remain temporarily, remove them from direct internet exposure, restrict them to internal mail flow, and route external mail through an email security gateway.
4. Keep the Emergency Mitigation Service Enabled
The Exchange Emergency Mitigation (EM) Service automatically applies temporary mitigations between patch cycles by fetching them from Microsoft's cloud-based Office Config Service (OCS). The mitigations it can apply are deliberately limited in form: an IIS URL Rewrite rule that blocks a malicious request pattern, or disabling a vulnerable Exchange service or IIS application pool. Administrators must ensure EM remains enabled at both organisation and server level, that the MSExchangeMitigation service is running, and that each server has outbound HTTPS access to OCS, because EM delivers the fastest interim protection before patches are installed. A mitigation is a stopgap, not a fix: the corresponding Security Update still has to be deployed.
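The following script is an added example (not from the joint guidance) that checks the three things that silently stop EM from protecting a server: the organisation and server switches, the service itself, and connectivity to OCS. It assumes an Exchange Management Shell session with WinRM access to each server; the OCS URL is the endpoint Microsoft documents for the EM service.

```powershell
# Added example: verify the Emergency Mitigation Service on every Exchange
# server. Not part of the joint guidance. Assumes Exchange Management Shell
# and WinRM access to each server.

# Organisation-wide switch: if this is $false, no server applies mitigations
if (-not (Get-OrganizationConfig).MitigationsEnabled) {
    Write-Warning 'EM is disabled at organisation level. Re-enable with: Set-OrganizationConfig -MitigationsEnabled $true'
}

foreach ($server in Get-ExchangeServer | Sort-Object Name) {
    # EM downloads its mitigation XML from this OCS endpoint; if the server
    # cannot reach it, interim protection stops without any alert.
    $ocsReachable = Invoke-Command -ComputerName $server.Fqdn -ScriptBlock {
        try {
            $r = Invoke-WebRequest -Uri 'https://officeclient.microsoft.com/GetExchangeMitigations' `
                                   -UseBasicParsing -TimeoutSec 15
            $r.StatusCode -eq 200
        } catch { $false }
    }

    [pscustomobject]@{
        Server             = $server.Name
        MitigationsEnabled = $server.MitigationsEnabled          # per-server switch
        MitigationsApplied = ($server.MitigationsApplied -join ', ')
        MitigationsBlocked = ($server.MitigationsBlocked -join ', ')
        ServiceStatus      = (Get-Service -ComputerName $server.Fqdn -Name MSExchangeMitigation).Status
        OcsReachable       = $ocsReachable
    }
}

# To see the details of each mitigation (what it blocks or disables), run
# Microsoft's script shipped with Exchange:
# & "$env:ExchangeInstallPath\Scripts\Get-Mitigations.ps1"
```

Anything other than MitigationsEnabled = True, ServiceStatus = Running and OcsReachable = True on every row means that server is relying on patching alone.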
5. Apply Security Baselines and Built-In Protections
Applying consistent application and operating system baselines is essential for Exchange Server security. Recommended benchmarks include DISA STIGs, CIS Benchmarks and Microsoft's security baselines. Built-in defences such as Microsoft Defender Antivirus, AMSI integration, Attack Surface Reduction (ASR) rules, AppLocker, App Control for Business (formerly Windows Defender Application Control) and the Exchange anti-spam and anti-malware features should be enabled and properly configured, with the antivirus exclusions Microsoft documents for Exchange applied so scanning does not corrupt databases or logs. For deeper visibility, integrate an Endpoint Detection and Response (EDR) solution to identify and contain sophisticated attacks.
6. Harden Authentication and Encryption
Authentication and encryption are critical to Exchange Server security best practices. Organisations should:
- Configure Transport Layer Security (TLS) consistently (the same protocol versions and cipher suites) across all Exchange servers; mismatched TLS settings are the most common reason Extended Protection breaks.
- Enable Extended Protection (EP) to defend against NTLM relay and adversary-in-the-middle attacks. EP is on by default in current builds, but it requires matching TLS settings on every server and does not work behind load balancers that terminate TLS (SSL offloading).
- Transition from NTLM to Kerberos authentication, as NTLM is being deprecated; audit which clients still use NTLM before blocking it.
- Deploy Modern Authentication (OAuth 2.0 with MFA, delivered to on-premises mailboxes through Hybrid Modern Authentication) and then block legacy Basic Authentication with an authentication policy.
- Enable certificate-based signing of PowerShell serialisation payloads to prevent tampering; this relies on a valid Exchange Server Auth Certificate, so monitor that certificate's expiry.
- Enforce HTTP Strict Transport Security (HSTS) so browsers only ever connect to OWA and the EAC over HTTPS.
These steps collectively support the ACSC Essential Eight controls on access management and MFA.
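The following script is an added example (not from the joint guidance or Microsoft's own documentation) that carries out three of the steps above from the Exchange Management Shell: blocking Basic authentication with an authentication policy, enabling signing of PowerShell serialisation payloads, and checking Extended Protection. It assumes Exchange 2019 or SE with Hybrid Modern Authentication already working (otherwise clients that lose Basic auth have no way to sign in); pilot.user@example.com, EX01 and EX02 are placeholders; and Microsoft's ExchangeExtendedProtectionManagement.ps1 (from the microsoft/CSS-Exchange GitHub repository) is in the current directory.

```powershell
# Added example: authentication hardening steps from the Exchange Management
# Shell. Not part of the joint guidance. Assumes Exchange 2019/SE with Hybrid
# Modern Authentication in place; names and servers below are placeholders.

# --- 1. Authentication policy that blocks Basic auth on each client protocol
$policyName = 'Block Legacy Auth'
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName `
        -BlockLegacyAuthActiveSync -BlockLegacyAuthAutodiscover `
        -BlockLegacyAuthImap -BlockLegacyAuthMapi `
        -BlockLegacyAuthOfflineAddressBook -BlockLegacyAuthPop `
        -BlockLegacyAuthRpc -BlockLegacyAuthWebServices | Out-Null
}

# Pilot on one mailbox first. Exchange caches the policy per user, so force a
# refresh instead of waiting for the cache to expire.
Set-User -Identity 'pilot.user@example.com' -AuthenticationPolicy $policyName
Set-User -Identity 'pilot.user@example.com' -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

# After a clean pilot, make the policy the organisation default so every user
# without an explicit policy inherits it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# --- 2. Signing of PowerShell serialisation payloads (uses the Auth Certificate)
if (-not (Get-SettingOverride -Identity 'EnableSigningVerification' -ErrorAction SilentlyContinue)) {
    New-SettingOverride -Name 'EnableSigningVerification' -Component Data `
        -Section EnableSerializationDataSigning -Parameters @('Enabled=true') `
        -Reason 'Enable signing of PowerShell serialisation payloads'
    # Make running processes pick up the override, then recycle IIS
    Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService `
        -Component VariantConfiguration -Argument Refresh | Out-Null
    Restart-Service -Name W3SVC, WAS -Force
}

# --- 3. Extended Protection: report first, enable second
.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection
# Only once TLS settings match on all servers and no SSL offloading is in use:
# .\ExchangeExtendedProtectionManagement.ps1 -ExchangeServerNames EX01, EX02
```

Keep the EP enable step commented out until the -ShowExtendedProtection report is clean; enabling EP with mismatched TLS settings breaks client connectivity rather than failing safely.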
7. Restrict Administrative Access
Limit access to the Exchange Admin Center (EAC) and remote PowerShell to authorised administrative workstations only. Apply host firewall rules to control management traffic, and use Exchange Client Access Rules to deny the ExchangeAdminCenter and RemotePowerShell protocols from any address outside the administrative network. This reduces the attack surface and limits lateral movement if a single account is compromised.
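The following is an added example (not from the joint guidance) of the Client Access Rule described above, together with the test you should run before trusting it. The admin subnet 10.20.30.0/24, the test addresses and the account name are placeholders.

```powershell
# Added example: deny EAC and remote PowerShell from outside the admin
# workstation subnet, then test the rule. Not part of the joint guidance.
# Assumptions: Exchange Management Shell; 10.20.30.0/24, 203.0.113.9 and the
# account below are placeholders for your environment.

$adminSubnet = '10.20.30.0/24'
$testAccount = 'exchange.admin@example.com'

# Priority 1 so the deny is evaluated before any other rule. Everything not in
# the exception list is denied for the two administrative protocols.
New-ClientAccessRule -Name 'Deny admin protocols outside PAW subnet' `
    -Priority 1 `
    -Action DenyAccess `
    -AnyOfProtocols ExchangeAdminCenter, RemotePowerShell `
    -ExceptAnyOfClientIPAddressesOrRanges $adminSubnet

# Simulate an admin inside the subnet (expect AllowAccess) and outside it
# (expect DenyAccess) before relying on the rule.
Test-ClientAccessRule -AuthenticationType NonBasicAuthentication -Protocol ExchangeAdminCenter `
    -RemoteAddress 10.20.30.15 -RemotePort 443 -User $testAccount
Test-ClientAccessRule -AuthenticationType NonBasicAuthentication -Protocol RemotePowerShell `
    -RemoteAddress 203.0.113.9 -RemotePort 443 -User $testAccount

# Review all rules in evaluation order
Get-ClientAccessRule | Sort-Object Priority |
    Format-Table Name, Priority, Action, AnyOfProtocols, ExceptAnyOfClientIPAddressesOrRanges -AutoSize
```

Create the rule from a session that is itself inside the admin subnet, and keep a rollback path (Remove-ClientAccessRule from that same session) in case the exception list is wrong; a mistake here locks administrators out rather than attackers.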
8. Use Role Management and Split Permissions
Exchange Server includes Role-Based Access Control (RBAC) to enforce least privilege. Two complementary split-permissions models separate Active Directory administration from Exchange administration: RBAC split permissions removes the ability to create and manage security principals from the Exchange role groups, while Active Directory split permissions (selected at setup with /ActiveDirectorySplitPermissions:true) removes Exchange's write access to those objects entirely. Either way, the blast radius of a compromised Exchange administrator shrinks. Never use Domain Admin credentials for day-to-day Exchange management; assign narrowly scoped roles with management scopes instead, and review membership of Organization Management and the other high-privilege role groups regularly.
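The following script is an added example (not from the joint guidance) showing the two sides of this section: auditing who currently holds the role groups that matter most, and building a scoped help-desk role group in place of a blanket Organization Management membership. The OU path, role group name and member address are placeholders.

```powershell
# Added example: RBAC audit and a scoped role group. Not part of the joint
# guidance. Assumes Exchange Management Shell; OU path, names and addresses
# are placeholders for your environment.

# --- 1. Who sits in the role groups that can take over Exchange or read mail?
foreach ($rgName in 'Organization Management', 'Server Management', 'Discovery Management') {
    Write-Host "== $rgName =="
    Get-RoleGroupMember -Identity $rgName -ResultSize Unlimited |
        Select-Object Name, RecipientType | Format-Table -AutoSize
}

# --- 2. Who can export mailboxes to PST? (a common exfiltration path)
Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType | Format-Table -AutoSize

# --- 3. A help-desk role group limited to recipient tasks in one OU
$scope = New-ManagementScope -Name 'Helpdesk Managed Users' `
    -RecipientRoot 'corp.example.com/Users/Helpdesk Managed' `
    -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"

New-RoleGroup -Name 'Helpdesk Tier1' `
    -Roles 'Mail Recipients', 'Reset Password', 'Distribution Groups' `
    -CustomRecipientWriteScope $scope.Name `
    -Members 'helpdesk.one@example.com' `
    -Description 'Recipient tasks only, limited to the Helpdesk Managed OU'

# --- 4. Prove the scope holds: list what the new group can actually change
Get-ManagementRoleAssignment -RoleAssignee 'Helpdesk Tier1' |
    Select-Object Role, RecipientWriteScope, CustomRecipientWriteScope | Format-Table -AutoSize

# Active Directory split permissions is a setup-time choice, not a cmdlet:
# Setup.exe /PrepareAD /ActiveDirectorySplitPermissions:true
```

Step 2 is worth running on its own schedule: the Mailbox Import Export role is not assigned to anyone by default, so any effective user it reports is someone who was granted it deliberately and should still need it.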
9. Activate Anti-Spoofing and Message Integrity Controls
Recent Exchange Server builds detect manipulation of the P2 (message header) FROM address, flag spoofed senders and add a phishing notification to the message automatically. Keep this feature enabled. Protect your own domains against spoofing by publishing SPF, DKIM and DMARC for all outbound email, and move DMARC from p=none to quarantine or reject once aggregate reports are clean. Configure Download Domains so that attachments are served from a separate host name; script in a downloaded file then runs in a different browser origin from OWA and cannot read OWA's session cookies.
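The following is an added example (not from the joint guidance) that checks a domain's SPF, DKIM and DMARC records the way an auditor or red teamer would before a phishing engagement, then enables Download Domains. example.com, the DKIM selector names, the OWA virtual directory identity and the download host name are placeholders; the selectors depend on whichever hop signs your outbound mail.

```powershell
# Added example: mail authentication DNS check plus Download Domains. Not part
# of the joint guidance. Domain, selectors, server and host name are placeholders.

function Get-TxtRecords([string]$Name) {
    # Resolve-DnsName returns an error object for NXDOMAIN; suppress it so a
    # missing record comes back as nothing rather than a terminating error.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' }
}

function Test-MailAuthentication {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$DkimSelectors = @('selector1', 'selector2')   # placeholders
    )
    $spf   = Get-TxtRecords $Domain          | Where-Object { $_ -like 'v=spf1*' }
    $dmarc = Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' }
    $dkim  = foreach ($s in $DkimSelectors) {
        [pscustomobject]@{ Selector = $s; Present = [bool](Get-TxtRecords "$s._domainkey.$Domain") }
    }

    # Findings that leave the domain spoofable
    $issues = @()
    if (-not $spf)                     { $issues += 'No SPF record' }
    elseif ($spf -notmatch '-all\s*$') { $issues += 'SPF does not hard-fail (no -all)' }
    if (-not $dmarc)                   { $issues += 'No DMARC record' }
    elseif ($dmarc -match 'p=none')    { $issues += 'DMARC policy is p=none (monitor only)' }
    if ($dkim.Present -notcontains $true) { $issues += 'No DKIM selector published' }

    [pscustomobject]@{ Domain = $Domain; SPF = $spf; DMARC = $dmarc; DKIM = $dkim; Issues = $issues }
}

Test-MailAuthentication -Domain 'example.com' | Format-List

# Download Domains: serve attachments from a separate host name. The host name
# needs a DNS entry and must be covered by the Exchange certificate; restart
# IIS after the change.
Set-OwaVirtualDirectory -Identity 'EX01\owa (Default Web Site)' `
    -ExternalDownloadHostName 'download.mail.example.com' `
    -InternalDownloadHostName 'download.mail.example.com'
Set-OrganizationConfig -EnableDownloadDomains $true
```

Run the check against every domain you send from, not just the primary one; parked and marketing domains without a DMARC reject policy are the ones most often abused to impersonate an organisation.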
10. Embrace Zero Trust Principles
The final element of Exchange Server security best practices is adopting a Zero Trust approach. Organisations should continuously verify identities, enforce MFA, and restrict lateral movement within Exchange environments. Regularly test configurations, audit user privileges, and ensure that encryption and authentication policies are applied consistently. Continuous validation helps align Exchange security with the Zero Trust principles recommended by the NSA and ACSC.
Useful Links
- Full Microsoft Exchange Server Security Best Practices PDF (NSA/CISA/ACSC, Oct 2025)
- NSA – Defend Privileges and Accounts
- CyberPulse Services
About This Guidance
This article summarises the official Microsoft Exchange Server Security Best Practices (NSA, CISA, ASD/ACSC, and the Canadian Cyber Centre, October 2025, TLP:CLEAR). The original document is freely shareable and should be referenced by all administrators managing Exchange infrastructure.
Following the latest Exchange Server security best practices is critical to protecting enterprise email systems from compromise. By combining proactive patching, strong authentication, encryption, and access control, administrators can significantly reduce risk and enhance cyber resilience. For Australian organisations, implementing these measures in alignment with the ACSC Essential Eight ensures a robust and compliant email infrastructure that is ready to withstand evolving cyber threats.
