Microsoft has recommended that administrators remove antivirus exclusions that target the Temporary ASP.NET Files and Inetsrv folders, as well as the PowerShell and w3wp processes, to improve the security of Exchange servers. Although Microsoft previously suggested these exclusions, it now says they are no longer necessary.
The Exchange Team advised admins to scan these locations and processes, as they are commonly targeted in attacks to distribute malware. Keeping the exclusions may prevent detection of IIS webshells and backdoor modules, which are the most common security issues, the team added. Removing these exclusions has been verified to have no impact on performance or stability, according to the team.
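The exclusions the article describes can be audited and removed with the Microsoft Defender Antivirus cmdlets. The PowerShell script below is an added example, not Microsoft's own tooling or guidance script: it lists any Defender path or process exclusions matching the folders and processes named above, and deletes them only when run with `-Remove`. The folder locations it matches on are the standard Windows paths for those directories and are assumptions to verify against your own installation; the `-Remove` switch and the matching patterns are this example's own design.

```powershell
# Added example (not Microsoft's own script): audit Microsoft Defender Antivirus
# exclusions on an Exchange server and remove the ones Microsoft now says are
# unnecessary. Run in an elevated session; Get-MpPreference / Remove-MpPreference
# ship with Microsoft Defender Antivirus.
param(
    [switch]$Remove   # without this switch the script only reports (dry run)
)

# Folder exclusions that are no longer needed. The comments give the assumed
# standard locations; the match is done on the folder name so both the
# Framework and Framework64 variants are caught.
$FolderPatterns = @(
    'Temporary ASP.NET Files',   # %SystemRoot%\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files
    'Inetsrv'                    # %SystemRoot%\System32\Inetsrv
)

# Process exclusions that are no longer needed.
$ProcessNames = @('PowerShell.exe', 'w3wp.exe')

$pref = Get-MpPreference

# Exclusion paths that contain one of the folder names above.
$staleFolders = @($pref.ExclusionPath | Where-Object {
    $path = $_
    $FolderPatterns | Where-Object { $path -like "*$_*" }
})

# Process exclusions may be stored as a bare name or a full path; accept both.
$staleProcesses = @($pref.ExclusionProcess | Where-Object {
    $proc = $_
    $ProcessNames | Where-Object { $proc -ieq $_ -or $proc -like "*\$_" }
})

Write-Output 'Folder exclusions matching the obsolete recommendation:'
$staleFolders   | ForEach-Object { "  $_" }
Write-Output 'Process exclusions matching the obsolete recommendation:'
$staleProcesses | ForEach-Object { "  $_" }

if (-not $Remove) {
    Write-Output "`nDry run only. Re-run with -Remove to delete these exclusions."
    return
}

if ($staleFolders.Count -gt 0)   { Remove-MpPreference -ExclusionPath    $staleFolders }
if ($staleProcesses.Count -gt 0) { Remove-MpPreference -ExclusionProcess $staleProcesses }

# Re-read the preferences so the operator can confirm the change took effect.
$after = Get-MpPreference
Write-Output "`nRemaining folder exclusions:"
$after.ExclusionPath    | ForEach-Object { "  $_" }
Write-Output 'Remaining process exclusions:'
$after.ExclusionProcess | ForEach-Object { "  $_" }
```

Run it once without arguments to see what would be removed, then with `-Remove`. If exclusions are pushed by Group Policy or a management agent rather than set locally, `Remove-MpPreference` will not stick and the policy itself has to be changed; the final listing makes that visible.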
This recommendation comes as malicious actors have been using harmful IIS web server extensions and modules to backdoor unpatched Microsoft Exchange servers globally. In addition to removing antivirus exclusions, Microsoft advises keeping Exchange servers updated and deploying anti-malware and security solutions, restricting access to IIS virtual directories, prioritizing alerts, and inspecting configuration files and bin folders regularly.
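One way to act on the advice to inspect IIS configuration and bin folders regularly is to inventory the native IIS modules registered in applicationHost.config and record each one's image path, Authenticode signature status and file hash, so that a later run can be diffed against a known-good baseline. The script below is an added example, not Microsoft's own tooling. It uses the `WebAdministration` module's `Get-WebGlobalModule` cmdlet; the "trusted directory" list and the `Suspicious` flag logic are assumptions for illustration, and `$env:ExchangeInstallPath` is assumed to be set by Exchange setup on the server.

```powershell
# Added example (not Microsoft's own script): inventory native (global) IIS modules
# on an Exchange server and flag any whose image lives outside the expected
# directories or is not validly signed. Requires an elevated session and the
# WebAdministration module that ships with the IIS management tools.
Import-Module WebAdministration

# Assumed directories where legitimate native modules normally live. Adjust to
# your environment; $env:ExchangeInstallPath is assumed to be set by Exchange setup.
$TrustedDirs = @(
    "$env:SystemRoot\System32\inetsrv",
    $env:ExchangeInstallPath
) | Where-Object { $_ }

$report = foreach ($m in Get-WebGlobalModule) {
    # Module images in applicationHost.config often use %windir%-style variables.
    $image  = [Environment]::ExpandEnvironmentVariables($m.Image)
    $exists = Test-Path -LiteralPath $image

    $sig  = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status.ToString() } else { 'MISSING' }
    $hash = if ($exists) { (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash } else { $null }

    $inTrusted = $false
    foreach ($d in $TrustedDirs) {
        if ($image -like "$($d.TrimEnd('\'))\*") { $inTrusted = $true }
    }

    [pscustomobject]@{
        Name       = $m.Name
        Image      = $image
        Signature  = $sig
        SHA256     = $hash
        # Assumed heuristic: anything outside the trusted directories, or without a
        # valid signature, deserves a manual look.
        Suspicious = (-not $inTrusted) -or ($sig -ne 'Valid')
    }
}

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Persist the inventory so the next run can be compared against it.
$report | Export-Csv -Path "$env:TEMP\iis-global-modules.csv" -NoTypeInformation
```

Managed modules registered in site or application web.config files, and assemblies dropped into an application's bin folder, are a separate surface; `Get-WebManagedModule` from the same module and a recursive hash of each bin directory cover those, and the same baseline-and-diff approach applies.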
Moreover, Microsoft has urged customers to keep on-premises Exchange servers up to date by applying the latest Cumulative Update (CU) to prepare for emergency security updates. After deploying updates, it is recommended to run the Exchange Server Health Checker script to identify and address any configuration or other issues.
Despite these warnings, tens of thousands of Internet-exposed Microsoft Exchange servers remain vulnerable to ProxyNotShell exploits, as discovered by security researchers at the Shadowserver Foundation in January. According to Shodan, thousands of Exchange servers are exposed online, with many defenseless against attacks targeting the ProxyShell and ProxyLogon flaws, which were two of the most frequently exploited vulnerabilities in 2021.