{"id":37012,"date":"2025-02-01T00:01:46","date_gmt":"2025-01-31T23:01:46","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=37012"},"modified":"2025-01-30T12:18:29","modified_gmt":"2025-01-30T11:18:29","slug":"exchange-emergency-mitigation-service-for-patched-systems-only","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2025\/02\/01\/exchange-emergency-mitigation-service-for-patched-systems-only\/","title":{"rendered":"Exchange Emergency Mitigation Service for patched systems only"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"\" style=\"margin: 0px 10px 0px 0px; display: inline; float: left; border-width: 0px;\" title=\"Exchange Logo\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2022\/06\/Exchange.jpg\" alt=\"Exchange Logo\" width=\"145\" height=\"127\" align=\"left\" border=\"0\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2025\/01\/27\/exchange-emergency-mitigation-service-nur-fuer-aktuelle-systeme\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]Since September 2021, Microsoft has provided the Exchange Emergency Mitigation Service (EEMS) for Exchange Server to improve Exchange protection. However, this service only works on systems that are up to date. Microsoft explicitly pointed this out at the end of last week.<\/p>\n<p><!--more--><\/p>\n<h2>Review: Exchange Emergency Mitigation Service (EEMS)<\/h2>\n<p>The Exchange Emergency Mitigation (EM) service is <a href=\"https:\/\/docs.microsoft.com\/en-us\/exchange\/exchange-emergency-mitigation-service?view=exchserver-2019\" target=\"_blank\" rel=\"noopener\">used<\/a> to protect Exchange servers against potential threats by applying remedial measures. 
If a serious security problem is detected in the Exchange software, this service can initiate the necessary steps to automatically mitigate or eliminate the vulnerabilities on the Microsoft Exchange servers. Microsoft names three types of configuration change that serve as mitigations:<\/p>\n<ul>\n<li><strong>IIS URL rewrite rule mitigation:<\/strong> A rule that blocks certain patterns of malicious HTTP requests that can compromise an Exchange server.<\/li>\n<li><strong>Exchange service mitigation:<\/strong> Disables a vulnerable service on an Exchange server.<\/li>\n<li><strong>App Pool Mitigation:<\/strong> Disables a vulnerable app pool on an Exchange server.<\/li>\n<\/ul>\n<p>As soon as Microsoft detects a new attack, these temporary mitigations are distributed via EM to all Exchange servers worldwide and work begins on a software patch. The service uses the cloud-based Office Config Service (OCS) to search for and download available mitigations and to send diagnostic data to Microsoft.<\/p>\n<p>The EM service runs as a Windows service on an Exchange mail server as soon as the September 2021 (or later) CU is installed on Exchange Server 2016 or Exchange Server 2019. The EM service is automatically installed on Exchange servers with the Mailbox role. It is not installed on Edge Transport servers. Use of the EM service is optional, however, and the function can be deactivated.<\/p>\n<p>I reported on the new feature in the article <a href=\"https:\/\/borncity.com\/win\/2021\/09\/27\/exchange-server-september-2021-cu-kommt-zum-28-9-2021-mit-microsoft-exchange-emergency-mitigation-service\/\" rel=\"bookmark\">Exchange Server September 2021 CU comes Sept. 28 with Microsoft Exchange Emergency Mitigation Service<\/a>. 
Details can be found in a\u00a0<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/new-security-feature-in-september-2021-cumulative-update-for\/ba-p\/2783155#.YU4fjvvSK2c.twitter\" target=\"_blank\" rel=\"noopener\">Techcommunity article<\/a> and <a href=\"https:\/\/docs.microsoft.com\/en-us\/exchange\/exchange-emergency-mitigation-service?view=exchserver-2019\" target=\"_blank\" rel=\"noopener\">this Microsoft support article<\/a>.<\/p>\n<h2>EEMS will only work on patched systems in future<\/h2>\n<p>On January 24, 2025, Microsoft pointed out a problem in the Techcommunity article <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/exchange\/exchange-emergency-mitigation-service-might-not-work-for-servers-significantly-o\/4370312\" target=\"_blank\" rel=\"noopener\">Exchange Emergency Mitigation Service might not work for servers significantly out of date<\/a>.<\/p>\n<p><a href=\"https:\/\/techcommunity.microsoft.com\/blog\/exchange\/exchange-emergency-mitigation-service-might-not-work-for-servers-significantly-o\/4370312\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" title=\"Exchange EEMS \" src=\"https:\/\/i.postimg.cc\/jqm5ryXc\/image.png\" alt=\"Exchange EEMS \" width=\"513\" height=\"444\" \/><\/a><\/p>\n<p>Many Exchange installations are not fully patched,\u00a0which causes increasing problems for the developers. Microsoft is therefore pulling a kind of emergency brake and announcing changes for the future.<\/p>\n<h3>Certificate type expired<\/h3>\n<p>One of the older certificate types in the Office Configuration Service (OCS) has expired. A new certificate has already been provided in OCS. Any Exchange Server that is updated to an Exchange Server Cumulative Update (CU) or Security Update (SU) newer than March 2023 will have the updated certificate. 
Such a server can continue to check for new EEMS mitigations.<\/p>\n<h3>Consequences of a missing certificate<\/h3>\n<p>According to Microsoft, EEMS on servers running Exchange versions older than March 2023 will not be able to contact the Office Configuration Service (OCS) to check for and download new mitigation definitions. An event like the following may be logged in the server's application log:<\/p>\n<pre>Error, MSExchange Mitigation Service \r\nEvent ID: 1008\r\nAn unexpected exception occurred. \r\nDiagnostic information: Exception encountered while fetching mitigations.<\/pre>\n<p>In addition, the following entry appears in the EEMS log:<\/p>\n<pre>FetchMitigation,S:LogLevel=Warning;S:Message=Connection attempted against untrusted endpoint<\/pre>\n<p>Running the script $exscripts\\Get-Mitigations.ps1 also fails, with the following message:<\/p>\n<pre>WARNING: Connection with Mitigation Endpoint was not successful. To enable connectivity please refer: https:\/\/aka.ms\/HelpConnectivityEEMS<\/pre>\n<p>Microsoft therefore asks administrators to update their servers as soon as possible if they are no longer up to date. The Exchange server must then be reactivated in order to check the EEMS rules.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Since September 2021, Microsoft has provided the Exchange Emergency Mitigation Service (EEMS) for Exchange Server to improve Exchange protection. However, this service only works on systems that are up to date. 
Microsoft explicitly pointed this out at the end of &hellip; <a href=\"https:\/\/borncity.com\/win\/2025\/02\/01\/exchange-emergency-mitigation-service-for-patched-systems-only\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547],"tags":[869,69],"class_list":["post-37012","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-exchange","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37012","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=37012"}],"version-history":[{"count":4,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37012\/revisions"}],"predecessor-version":[{"id":37016,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37012\/revisions\/37016"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=37012"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=37012"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=37012"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}