Since September 2021, Microsoft has shipped the Exchange Emergency Mitigation Service (EEMS) with Exchange Server to harden it against attacks. However, this service only works on systems that are reasonably up to date, as Microsoft explicitly pointed out at the end of last week.
Review: Exchange Emergency Mitigation Service (EEMS)
The Exchange Emergency Mitigation (EM) service protects Exchange servers against potential threats by applying remedial measures. If a serious security problem is detected in the Exchange software, the service can take the necessary steps to automatically mitigate or eliminate the vulnerability on the Exchange servers. Microsoft describes three types of configuration changes it can deploy as mitigations:
- IIS URL rewrite rule mitigation: this is a rule that blocks certain patterns of malicious HTTP requests that can compromise an Exchange server.
- Exchange service mitigation: This disables a vulnerable service on an Exchange server.
- App Pool Mitigation: Disables a vulnerable app pool on an Exchange server.
As soon as Microsoft detects a new attack, these temporary mitigations are distributed via EM to all Exchange servers worldwide that run the service, while work on a proper software patch begins. The service uses the cloud-based Office Config Service (OCS) to check for and download available mitigations and to send diagnostic data to Microsoft.
The EM service runs as a Windows service on an Exchange mail server as soon as the September 2021 (or later) CU is installed on Exchange Server 2016 or Exchange Server 2019. The EM service is automatically installed on Exchange servers with the Mailbox role. The EM service is not installed on Edge Transport servers. However, the use of the EM service is optional and this function can be deactivated.
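The following is an added example, not code from the article or from Microsoft, showing how an administrator can inspect the EM service described above from the Exchange Management Shell on a Mailbox server: the Windows service itself, the organization-wide and per-server opt-out switches, and the mitigations currently applied or blocked. `$serverName` is an assumed placeholder for the local server; the cmdlets, the service name `MSExchangeMitigation` and the `Get-Mitigations.ps1` script are Microsoft's.

```powershell
# Added example (not from the article or from Microsoft): inspect the Emergency
# Mitigation (EM) service state and its opt-out switches. Run in the Exchange
# Management Shell on a Mailbox server. $serverName is an assumed placeholder.
$serverName = $env:COMPUTERNAME

# 1. The Windows service itself. It is absent on Edge Transport servers and on
#    Mailbox servers that have not reached the September 2021 CU.
$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "MSExchangeMitigation is not installed on $serverName"
} else {
    '{0}: {1} (start type {2})' -f $svc.Name, $svc.Status, $svc.StartType
}

# 2. EM is enabled by default but can be switched off organization-wide or per
#    server. Both flags must be $true for mitigations to be applied on this server.
$org = Get-OrganizationConfig
$srv = Get-ExchangeServer -Identity $serverName
[pscustomobject]@{
    Server             = $srv.Name
    Version            = $srv.AdminDisplayVersion
    OrgMitigations     = $org.MitigationsEnabled
    ServerMitigations  = $srv.MitigationsEnabled
    MitigationsApplied = $srv.MitigationsApplied   # mitigation IDs currently in effect
    MitigationsBlocked = $srv.MitigationsBlocked   # mitigation IDs the admin refused
}

# 3. Opting out (commented out so the block stays read-only when pasted).
#    Server-level, leaving the organization setting untouched:
# Set-ExchangeServer -Identity $serverName -MitigationsEnabled $false
#    Organization-wide:
# Set-OrganizationConfig -MitigationsEnabled $false

# 4. Show what the service has fetched and applied, using Microsoft's own script.
& "$exscripts\Get-Mitigations.ps1"
```

Because the organization-level flag overrides the server-level one, disabling EM for a single server should be done with `Set-ExchangeServer`; `Set-OrganizationConfig -MitigationsEnabled $false` switches it off for every server at once.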
I reported on the new feature in the article Exchange Server September 2021 CU comes Sept. 28 with Microsoft Exchange Emergency Mitigation Service. Details can be found in a Techcommunity article and this Microsoft support article.
EEMS will only work on patched systems in future
Microsoft has now pointed out a problem in the article Exchange Emergency Mitigation Service might not work for servers significantly out of date, published on January 24, 2025.
Many Exchange installations are not fully patched, which causes growing problems for Microsoft's developers. Microsoft is therefore pulling a kind of emergency brake and has announced the following changes.
Certificate type expired
One of the older certificate types used by the Office Configuration Service (OCS) has expired; OCS already serves a new certificate. Any Exchange Server that has been updated to a Cumulative Update (CU) or Security Update (SU) newer than March 2023 has the updated certificate and can continue to check for new EEMS mitigations.
Consequences of a missing certificate
According to Microsoft, EEMS on Exchange servers whose build predates the March 2023 updates can no longer contact the Office Configuration Service (OCS) to check for and download new mitigation definitions. An event like the following may then be logged in the server's Application log:
Error, MSExchange Mitigation Service Event ID: 1008 An unexpected exception occurred. Diagnostic information: Exception encountered while fetching mitigations.
In addition, the EEMS log contains entries like this:
FetchMitigation,S:LogLevel=Warning;S:Message=Connection attempted against untrusted endpoint
And running the script $exscripts\Get-Mitigations.ps1 fails with the following message:
WARNING: Connection with Mitigation Endpoint was not successful. To enable connectivity please refer: https://aka.ms/HelpConnectivityEEMS
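As an added example (not from the article or from Microsoft), the following script checks one server for the three symptoms just listed and for a pre-March-2023 build, so an administrator can decide whether EEMS is still able to fetch mitigations. The March 2023 build baselines and the EEMS log folder are assumptions and should be verified against Microsoft's Exchange build-number table and the actual installation; the event source, event ID, log marker and script name are taken from the article.

```powershell
# Added example (not from the article or from Microsoft): triage the OCS certificate
# symptom on one server. Run in the Exchange Management Shell. The March 2023 build
# baselines and the EEMS log path are assumptions; verify them against Microsoft's
# Exchange build-number table and your own install before acting on the output.
$result = [ordered]@{}

# 1. Build check. ProductVersion of ExSetup.exe reads like "15.02.1118.026" and casts
#    to a comparable [version]. Baselines assume the latest CU line of each version; a
#    fully patched older CU (e.g. 2019 CU11) has a lower number and needs its own baseline.
$exSetup  = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
$build    = [version](Get-Item $exSetup).VersionInfo.ProductVersion
$baseline = switch ($build.Minor) {
    2 { [version]'15.2.1118.26' }   # assumed: Exchange 2019 CU12 + March 2023 SU
    1 { [version]'15.1.2507.23' }   # assumed: Exchange 2016 CU23 + March 2023 SU
    default { $null }
}
$result.Build        = $build
$result.PreMarch2023 = ($null -ne $baseline) -and ($build -lt $baseline)

# 2. Application log: Event ID 1008 from the mitigation service within the last 7 days.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'MSExchange Mitigation Service'
    Id           = 1008
    StartTime    = (Get-Date).AddDays(-7)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
$result.Event1008Count = $events.Count
$result.LastEvent1008  = if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null }

# 3. EEMS log: look for the "untrusted endpoint" marker (assumed default log folder).
$logDir = Join-Path $env:ExchangeInstallPath 'Logging\MitigationService'
$hits = @(Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue |
          Select-String -Pattern 'untrusted endpoint' -SimpleMatch)
$result.UntrustedEndpointHits = $hits.Count

# 4. Live connectivity test with Microsoft's own script. Merging stream 3 into the
#    output lets us inspect its WARNING without depending on the script's parameters.
$output   = @(& "$exscripts\Get-Mitigations.ps1" 3>&1)
$warnings = @($output | Where-Object { $_ -is [System.Management.Automation.WarningRecord] })
$failed   = @($warnings | Where-Object { $_.Message -like '*Mitigation Endpoint was not successful*' })
$result.EndpointReachable = ($failed.Count -eq 0)

[pscustomobject]$result
if ($result.PreMarch2023 -or $result.UntrustedEndpointHits -gt 0 -or -not $result.EndpointReachable) {
    Write-Warning "EEMS on $env:COMPUTERNAME cannot fetch mitigations; install a current CU/SU"
}
```

The build comparison is the decisive signal: the event log and EEMS log only show that a fetch already failed, whereas a build older than the March 2023 updates tells you it will keep failing until the server is updated.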
Microsoft therefore asks administrators to update servers that are no longer current as soon as possible. Once updated, a server can check for EEMS mitigations again.