CISA and NSA release Exchange Server security best practices guidance
Public Sector Action
Summary
Hide ▲
Show ▼
CISA, NSA, and international partners released Microsoft Exchange Server Security Best Practices guidance to reduce exposure and harden hybrid and on-premises deployments against cyber-attacks. The blueprint builds on Emergency Directive 25-02 and recommends restricted administrator access, MFA, TLS hardening, and zero-trust controls. It also urges organizations to migrate away from or disconnect unsupported and EOL Exchange versions because the threat to Exchange servers remains persistent.
Related Happenings
Microsoft Exchange CVE-2026-42897 mitigation advisory
Advisory/Mitigation
First: 15.05.2026 12:40
Last: 15.05.2026 12:40
Sources 1
About this happening:
**Microsoft** issued immediate mitigation guidance for **CVE-2026-42897**, reducing risk for **Exchange Server 2016, 2019, and Subscription Edition (SE)** on-premises servers that...
Microsoft Exchange CVE-2026-42897 mitigation advisory
Advisory/MitigationAbout this happening: **Microsoft** issued immediate mitigation guidance for **CVE-2026-42897**, reducing risk for **Exchange Server 2016, 2019, and Subscription Edition (SE)** on-premises servers that...
Latest development: 15.05.2026 15:35
Microsoft issued temporary mitigation guidance for CVE-2026-42897 while a patch is still in development, recommending the Exchange Emergency Mitigation (EM) Service, which is enabled by default and can be checked with the Exchange Health Checker script, or the Exchange On-premises Mitigation Tool (EOMT) for disconnected or air-gapped environments. Microsoft noted that the mitigations can disrupt features such as OWA Print Calendar and Inline images, and that servers older than March 2023 cannot receive new mitigations through EM Service.
ICO releases five-step AI cyber guidance
Public Sector Action
First: 14.05.2026 12:00
Last: 14.05.2026 12:00
Sources 1
About this happening:
The **UK Information Commissioner’s Office (ICO)** released a **five-step guide** urging organizations to prepare for **AI-powered cyber threats**, making it clear that stronger r...
ICO releases five-step AI cyber guidance
Public Sector ActionAbout this happening: The **UK Information Commissioner’s Office (ICO)** released a **five-step guide** urging organizations to prepare for **AI-powered cyber threats**, making it clear that stronger r...
CISA releases CI Fortify guidance for critical infrastructure resilience
Public Sector Action
First: 05.05.2026 15:00
Last: 05.05.2026 15:00
Sources 1
About this happening:
CISA released CI Fortify, guidance for critical infrastructure operators across sectors to help keep essential services running during cyberattack or crisis conditions. The framew...
CISA releases CI Fortify guidance for critical infrastructure resilience
Public Sector ActionAbout this happening: CISA released CI Fortify, guidance for critical infrastructure operators across sectors to help keep essential services running during cyberattack or crisis conditions. The framew...
Latest development: 06.05.2026 16:15
CISA launched CI Fortify on Tuesday as a planning framework for critical infrastructure operators in water, energy, transportation and communications to prepare for cyber disruption by disconnecting OT systems from third-party and business networks, maintaining essential services in degraded communications conditions, and recovering compromised systems through backups, component replacement, or a transition to manual operations.
CISA-led zero-trust guide for OT environments
Public Sector Action
First: 30.04.2026 17:00
Last: 30.04.2026 17:00
Sources 1
About this happening:
US government agencies led by **CISA** released **Adapting Zero Trust Principles to Operational Technology**, giving **OT operators** a framework to improve **critical infrastruct...
CISA-led zero-trust guide for OT environments
Public Sector ActionAbout this happening: US government agencies led by **CISA** released **Adapting Zero Trust Principles to Operational Technology**, giving **OT operators** a framework to improve **critical infrastruct...
CISA KEV directive for CVE-2026-20133
Public Sector Action
First: 21.04.2026 15:30
Last: 21.04.2026 15:30
Sources 1
About this happening:
On **Monday, April 21, 2026**, **CISA** added **CVE-2026-20133** to the **KEV Catalog** and ordered **FCEB agencies** to secure their networks by **Friday, April 24**. The directi...
CISA KEV directive for CVE-2026-20133
Public Sector ActionAbout this happening: On **Monday, April 21, 2026**, **CISA** added **CVE-2026-20133** to the **KEV Catalog** and ordered **FCEB agencies** to secure their networks by **Friday, April 24**. The directi...
Timeline
-
03.11.2025 18:45 2 articles · 6mo ago
CISA, NSA and partners release Microsoft Exchange Server security best practices
Industry Or Public Sector UpdateUS Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and international partners released Microsoft Exchange Server Security Best Practices guidance to reduce exposure in hybrid and on-premises deployments. The blueprint builds on CISA’s Emergency Directive 25-02 and recommends restricting administrative access, enabling MFA and modern authentication, tightening transport security and TLS settings, applying Microsoft’s Exchange Emergency Mitigation service, adopting zero-trust principles, and migrating away from unsupported or end-of-life Exchange versions.
Show sources
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45
- CISA and NSA Outline Best Practices to Secure Exchange Servers — www.infosecurity-magazine.com — 03.11.2025 18:45