Microsoft: Don’t Not Scan These Folders(!)

Exchange on-premises AV scan exclusion folders and processes.

The headline is not a typo but a paraphrase of the latest statement from Microsoft regarding Exchange on-premises:

“We’ve found that some existing exclusions, namely the Temporary ASP.NET Files and Inetsrv folders, and the PowerShell and w3wp processes – are no longer needed.”

A plainer way to express this would be: “You now need to include these additional folders and processes in your AV scanning on Exchange on-premises.”
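One way to act on that statement on a server protected by Microsoft Defender Antivirus, added here as an example that is not from the post or from Microsoft: audit the configured exclusions for the folders and processes the statement calls obsolete and remove them. The folder paths are my assumptions for a default Windows/.NET 4.x install (check them against your own server), and the script runs as a dry run until `-WhatIf` is dropped.

```powershell
# Added example (not from the original post or Microsoft's guidance).
# Audits Defender exclusions on an Exchange on-premises server and removes the
# ones the post says are no longer needed. Folder paths are assumptions.
function Remove-ObsoleteExchangeExclusion {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Folders named in the post (paths assumed for a default install).
    $obsoleteFolders = @(
        "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files",
        "$env:SystemRoot\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files",
        "$env:SystemRoot\System32\Inetsrv"
    )
    # Processes named in the post; an exclusion may be a bare name or a full path.
    $obsoleteProcesses = @('w3wp.exe', 'powershell.exe')

    $pref = Get-MpPreference

    # Match an exclusion that is one of the folders or anything beneath it.
    $stalePaths = @($pref.ExclusionPath | Where-Object {
        $candidate = $_.TrimEnd('\')
        $obsoleteFolders | Where-Object { $candidate -eq $_ -or $candidate -like "$_\*" }
    })
    $staleProcs = @($pref.ExclusionProcess | Where-Object {
        $obsoleteProcesses -contains (Split-Path -Path $_ -Leaf)
    })

    foreach ($p in $stalePaths) {
        if ($PSCmdlet.ShouldProcess($p, 'Remove folder exclusion')) {
            Remove-MpPreference -ExclusionPath $p
        }
    }
    foreach ($p in $staleProcs) {
        if ($PSCmdlet.ShouldProcess($p, 'Remove process exclusion')) {
            Remove-MpPreference -ExclusionProcess $p
        }
    }

    # Return what was found so it can be recorded in the change log.
    [pscustomobject]@{ StaleFolders = $stalePaths; StaleProcesses = $staleProcs }
}

# Dry run first; rerun without -WhatIf to actually remove the stale exclusions.
Remove-ObsoleteExchangeExclusion -WhatIf
```

If a third-party AV product is in use instead of Defender, the same two lists apply but the removal step must go through that product's management console.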

At the risk of reading too much into the choice of words, it seems Microsoft is under tremendous pressure regarding Exchange on-premises.

Endless String of Exchange Exploits

The last couple of years have been terrible for Exchange on-premises admins.

The first half of 2021 saw tens of thousands of Exchange on-premises servers being hit by Hafnium, primarily in the US.

The attack was so overwhelming that at some point the FBI started to patch company servers without consent.

Later that same year, Microsoft released a new patch for CVE-2021-42321, a remote code execution vulnerability.
</gml_replace>
<gr_replace lines="23" cat="clarify" orig="In September 2022">
In September 2022, another vulnerability, CVE-2022-41082, was found in Exchange on-premises. And before the end of 2022, the very same exploit resurfaced with the ability to circumvent Microsoft’s Exchange Emergency Mitigation Service (EM Service).

In September 2022, another breach, CVE-2022-41082,  was found in Exchange on-premises. And before the end of 2022, the very same exploit resurfaced with the ability to circumvent Microsoft’s Exchange Emergency Mitigation Service (EM Service).

Exchange On-Premises – The Ideal Target?

According to Microsoft, most of these attacks are state-sponsored. This is indicated, among other things, by their complexity and the selection of target organizations.

The attacks are usually zero-day exploits, i.e., completely unknown before they surface, which makes them very hard to mitigate in advance.

Once the exploits are known, they are often morphed into ransomware by common criminals and spread to a larger audience.

But why is Exchange on-premises so frequently targeted?

One reason is, of course, that Exchange on-premises gateways are often Internet-facing. But there’s probably more to it:

Many organizations have migrated to Exchange Online and forget to maintain their on-premises Exchange Server properly.

The Exchange On-Premises Dilemma

For over a decade, Microsoft has failed to develop a decent strategy for removing the on-premises Exchange Server after migrating to Exchange Online.

In April 2023 Microsoft released Exchange 2019 CU12, which, at least in theory, allows for shutting down the on-premises Exchange Server. There is one critical caveat: you then need to manage on-premises mail settings with PowerShell scripting only.

Using PowerShell for first-level support is certainly not ideal for most organizations. First-level supporters often lack the skills or require extensive training. In reality, Microsoft’s solution will move a lot of work from first-level supporters to senior admins.

Using Third-Party Solutions to Kill Exchange On-Premises

That’s why many companies are now looking for third-party solutions to remove their last on-premises Exchange Server.

The main challenge is that Microsoft does not support changes made with third-party solutions. So you need to ensure the vendor has good support in case issues arise.

Other potential challenges are the complexity of learning a new product and the price tag.

One tool that’s gaining significant traction with companies of all sizes is Easy365Manager.

Easy365Manager is a snap-in for AD Users & Computers that allows you to perform all daily Office 365 and mailbox management directly from AD user properties.

This is a unique solution in the market that offers a huge benefit relative to other solutions:

Integrating with AD Users & Computers makes the interface well-known and intuitive and represents a zero learning curve to your first-level supporters.

With Easy365Manager, your helpdesk can even start taking over complex tasks from your senior admins that normally require complex PowerShell scripting.

Example tasks easily performed are scheduling of auto-reply, the configuration of Outlook auto-mapping, and the management of calendar permissions.

Easy365Manager is available as a 30-day trial, requires no changes to your infrastructure, can run in parallel with your Exchange on-premises, and only takes a few minutes to implement.