Microsoft is robotically enabling Home windows Prolonged Safety on Trade servers after putting in this month’s 2024 H1 Cumulative Replace (aka CU14).

Prolonged Safety (EP) will robotically be toggled on by default when putting in Trade Server 2019 CU14 (or later) to strengthen Home windows Server auth performance to mitigate authentication relay and man-in-the-middle (MitM) assaults.

“This can occur when working the GUI model of Setup and when working the command line model of Setup with out utilizing both the /DoNotEnableEP or /DoNotEnableEPFEEWS setup change to choose out,” stated The Trade Group.

“In case your servers should not prepared for utilizing EP (for instance, they use SSL bridging or there are mismatches between shopper and server TLS configuration), and you don’t choose out of EP enablement throughout Setup, it’s doable that some performance might break after putting in CU14.”

Admins are suggested to judge their environments and assessment the problems talked about within the documentation of the Microsoft-provided ExchangeExtendedProtectionManagement PowerShell script earlier than toggling EP on their Trade servers (this script robotically updates itself on programs linked to the Web).

If encountering points after EP is enabled, admins can both be certain that all EP conditions are met or use the script to show off the characteristic.

They’ll additionally allow EP on older variations of Trade Server (i.e., Trade Server 2016) utilizing the identical PowerShell script on on-line servers.

Redmond additionally launched the simple-to-follow choice stream graph embedded beneath to assist those that nonetheless have to allow it to additional safe their Trade surroundings.

​Microsoft first launched Trade Server EP help in August 2022, with cumulative updates launched as a part of the August 2022 Patch Tuesday when it mounted a number of essential severity Trade vulnerabilities (CVE-2022-21980, CVE-2022-24477, and CVE-2022-24516), permitting for privilege escalation.

Redmond stated that, in addition to patching these bugs, admins would additionally need to allow Prolonged Safety to make sure that attackers will not be capable of breach weak servers.

The identical request was made this Tuesday to completely deal with the CVE-2024-21410 vulnerability permitting distant menace actors to escalate privileges in NTLM relay assaults.

One 12 months later, the corporate introduced that Trade Prolonged Safety can be enabled by default on all Trade servers after deploying CU14.

Microsoft’s suggestions shared in August 2023 and depending on what safety replace is put in embody:

• Aug 2022 SU or later and EP enabled: Set up CU14 (no particular steps wanted).
• Aug 2022 SU or later, however EP not but enabled: Set up CU14 with the default of ‘Allow EP’ left on.
• Trade Server model sooner than the Aug 2022 SU: “We ship you ideas and prayers, and really sturdy however light steerage to replace your servers to the most recent SU instantly.”

“We suggest that every one prospects allow EP of their surroundings. In case your servers are working the August 2022 SU or later SU, then they already help EP,” The Trade Group stated in August 2023.

“You probably have any servers older than the August 2022 SU, then your servers are thought of persistently weak and needs to be up to date instantly. Additional, you probably have any Trade servers older than the August 2022 SU, you’ll break server-to-server communication with servers which have EP enabled.”

Microsoft additionally urged prospects one 12 months in the past to all the time maintain their on-premises Trade servers up-to-date in order that they’re able to deploy emergency safety patches.