It is imperative to keep your systems and infrastructure up-to-date to mitigate security issues and loopholes, and to protect them against any known vulnerabilities and security risks. There are many things you can do to keep your Exchange Server up-to-date. In this article, we will be discussing the ways to keep your Exchange Server secure and up-to-date, how to check the status of your Exchange Server, and what to do in case the server is compromised.
Ways to Keep Exchange Server Secure and Up-to-Date
To keep your Exchange Server up-to-date and secure, you need to check for and install Exchange Server Cumulative Updates and Security Updates as and when they become available.
Exchange Server Cumulative Updates
These cumulative updates are a bundle of updates for your Exchange Server that come with security fixes, new features, bug fixes, and other changes. You can view all the versions of the server and each version’s cumulative update, along with the release date on this page.
It’s important to update according to the requirements. If the server is on an old version, you first need to install a previous Cumulative Update to ensure compatibility. To check your current version, you can use the PowerShell command Get-ExchangeServer (see the example below).
Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion
Exchange Server Security Updates
Cumulative Updates are released by Microsoft at specific times. But when an emergency security patch is needed or a vulnerability is identified, Microsoft releases Security Updates. In the second week of every month, Microsoft releases updates for all Microsoft products, including Exchange Server.
Note: It is always suggested to take a system backup before installing any security updates or cumulative updates, or making any other security or configuration changes. Also, specify a maintenance window to ensure that the business will not be affected by these changes. In addition to the backup, keep a log of all the changes being made. This will ensure a feasible rollback in case an issue occurs.
Check for Vulnerabilities in Exchange Server
Manually checking for vulnerabilities and other issues in Exchange Server would take a long time and consume a lot of resources. Thankfully, there is a neat script called HealthChecker.ps1 to check the health of the server.
- You can download the HealthChecker.ps1 script into C:\Scripts, which is the recommended folder to save the scripts. Run the Exchange Management Shell (EMS) as Administrator and type the following command.
- Once it collects all the information, it will immediately show the results on the screen.
- Apart from showing the results, it creates a TXT file and an XML file. These files will be a bit tedious to check but you can use the command a little bit differently to generate an HTML report (see the below example).
- This will generate an HTML report from the results of your previous run.
- You will get all the information needed in a more readable format. In the first part, you will see the status of your server. You will immediately know if your server is vulnerable or not.
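The run described in the steps above, scripted end to end as an added example (not part of the original article and not Microsoft's own code). It assumes HealthChecker.ps1 is saved in C:\Scripts as described, an elevated Exchange Management Shell, and a hypothetical report folder name; it goes slightly beyond the steps by first listing each server's build and flagging servers behind the newest build of the same product line.

```powershell
# Added example: run from an elevated Exchange Management Shell (EMS).
# Assumptions: HealthChecker.ps1 is in C:\Scripts; the HealthCheck-* folder name is hypothetical.
$scriptDir = 'C:\Scripts'
$reportDir = Join-Path $scriptDir ('HealthCheck-{0:yyyyMMdd-HHmm}' -f (Get-Date))
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# Keep a log of the run alongside the reports.
Start-Transcript -Path (Join-Path $reportDir 'run.log') | Out-Null
Push-Location $reportDir   # HealthChecker writes and reads its files in the current directory by default
try {
    $servers = Get-ExchangeServer | Where-Object { "$($_.AdminDisplayVersion)" -match '^Version 15' }

    # Parse "Version 15.2 (Build 1118.7)" into a comparable [version].
    $inventory = foreach ($s in $servers) {
        if ("$($s.AdminDisplayVersion)" -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
            [pscustomobject]@{
                Name    = $s.Name
                Product = '{0}.{1}' -f $Matches[1], $Matches[2]
                Build   = [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
            }
        } else {
            Write-Warning "Could not parse version of $($s.Name): $($s.AdminDisplayVersion)"
        }
    }
    $inventory | Sort-Object Product, Build | Format-Table -AutoSize

    # Within each product line, flag servers behind the newest build in the organization.
    foreach ($group in ($inventory | Group-Object Product)) {
        $newest = ($group.Group | Sort-Object Build -Descending | Select-Object -First 1).Build
        $group.Group | Where-Object { $_.Build -lt $newest } | ForEach-Object {
            Write-Warning "$($_.Name) runs build $($_.Build); newest in the organization is $newest"
        }
    }

    # Collect health data per server, then merge the XML results into one HTML report.
    foreach ($s in $servers) {
        & (Join-Path $scriptDir 'HealthChecker.ps1') -Server $s.Name
    }
    & (Join-Path $scriptDir 'HealthChecker.ps1') -BuildHtmlServersReport
}
finally {
    Pop-Location
    Stop-Transcript | Out-Null
}
```

Matching the newest build among your own servers does not mean a server is current, and AdminDisplayVersion reflects the Cumulative Update level only, so rely on the HealthChecker report for security-update status.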
The script provided by Microsoft will not only help you know about the vulnerabilities and their mitigations, but it will also provide recommendations on other things to have a fully functional Exchange Server. It checks the Active Directory, hardware resources, performance, network, cryptography, power, certificates, and all that is needed to ensure that the server is running in top shape and secured to the latest security recommendations.
What to Do if the Exchange Server is Compromised
In case of ransomware or virus attacks, Exchange Server services would lock the databases to prevent them from being affected. However, the server itself will be rendered useless. In such a case, you can rebuild the server. Recovering the data is not an easy task, as the databases might be damaged.
In such a situation, you can take the help of a third-party Exchange server recovery tool, such as Stellar Repair for Exchange. This tool will allow you to easily open orphaned or damaged databases from any Exchange version and of any size. In fact, you wouldn’t need to have a running Exchange Server to open the databases. You can granularly export recovered mailboxes directly to a live Exchange Server or Office 365 tenant. You can repair user mailboxes, user archives, shared mailboxes, disabled mailboxes, and public folders. The tool helps you keep your recovery time objective to a minimum, with the least amount of resources and administrative effort.