skip to Main Content

Microsoft Exchange Server vulnerability check

Your Exchange Server infrastructure needs to stay up to date because of vulnerabilities, new features, and bug fixes. The best approach to get an Exchange Server security test is to run the Health Checker PowerShell script. It will scan the Exchange Servers and create a report if there are any vulnerabilities. In this article, you will learn how to do a Microsoft Exchange Server vulnerability check.

The Exchange Server Health Checker script is a PowerShell tool that scans an Exchange Server 2013/2016/2019 organization and evaluates it against a series of best practices and common configuration issues.

Exchange Server Cumulative Updates

You usually download the latest Exchange Server CU and install that. For example, you’re running Exchange 2019 CU7, and you download Exchange Server 2019 CU8, which is the newest version at that time. That does not mean you’re protected against all the known vulnerabilities. That’s when the Security Updates come into action.

With each Exchange CU version, you will have all security fixes, new features, bug fixes, and changes. Sometimes Microsoft doesn’t wait for the next CU because security is essential. That’s why they release Security Updates.

Microsoft will eventually add these Security Updates in the next CU. If you install a new Exchange Server, you should always install the latest CU and check for Security Updates available to install.

Exchange Server Security Updates

Microsoft Security Updates are also known as Microsoft patch Tuesday. Every second week of the month, Microsoft releases patches for all Microsoft products. One of these products is Exchange Server. If there is no Microsoft Exchange Security Update available at that time, it means all is okay, and you don’t need to patch.

Go to the Microsoft Security Update Guide for all the Security Updates. Filter on product family Exchange Server.

Microsoft Exchange Server vulnerability check MSRC portal

The Microsoft Security Response Center (MSRC) investigates all reports of security vulnerabilities affecting Microsoft products and services. It provides the information here as part of the ongoing effort to help you manage security risks and help keep your systems protected.

Patch Exchange Server immediately

Download and install Security Updates immediately on the Exchange Servers. If you wait or don’t, a significant chance of a live attack can take place. Check if you are compromised later.

You must patch the Exchange Server first and investigate later. Don’t do it the other way around.

As long it’s not Microsoft 365 – Exchange Online, you need to install Cumulative Updates and Security Updates. An Exchange Server can be the:

  • Exchange on-premises
  • Exchange hybrid
  • Exchange in Azure

Now that you’re up to date between Cumulative Updates and Security Updates, let’s look at how to check if the Exchange Server is vulnerable or already patched.

Exchange Server vulnerability check

There is a good chance that you want to know if all Exchange Servers are patched. You don’t want to have an Exchange Server that is vulnerable (in a risk state). The best way is to run the Exchange Health Checker Powershell script and generate a report. Read more on that in the article to make yourself familiar with the script.

The authors add Microsoft security vulnerabilities in the Health Checker script once they are out. Remember to download the latest script version every time you want to check for Exchange Server security checks and best practices.

At the moment of writing, the latest release of the Health Checker script is version 3.3.2. In that release, they added security vulnerabilities results to the HTML Report for quick detection, which is an excellent addition to the script.

Download Health Checker PowerShell script

Download and place the HealthChecker.ps1 PowerShell script on the Exchange Server C:\scripts folder. If you don’t have a scripts folder, create one. Make sure to check if the file is unblocked to prevent any errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.

Microsoft Exchange Server vulnerability check script

Create Exchange Servers report

Run Exchange Management Shell as administrator. Change the path to the scripts folder.

[PS] C:\>cd C:\scripts
[PS] C:\scripts>

Verify the signature before running the script with the Get-AuthenticodeSignature cmdlet.

[PS] C:\scripts>Get-AuthenticodeSignature -FilePath ".\HealthChecker.ps1" | ft -AutoSize


    Directory: C:\scripts


SignerCertificate                        Status Path
-----------------                        ------ ----
ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B Valid  HealthChecker.ps1

Run the cmdlet to create a report for all Exchange Servers. It will run the HTML report and open it automatically.

[PS] C:\scripts>Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match "^Version 15"} | %{.\HealthChecker.ps1 -Server $_.Name}; .\HealthChecker.ps1 -BuildHtmlServersReport; .\ExchangeAllServersReport.html

If the report does not open automatically, you can find the report in the C:\scripts folder.

Microsoft Exchange Server vulnerability check script report file

Check Exchange Servers report for vulnerabilities

The HTML Report will show as below screen. All looks great because the environment got two Exchange Servers with the mailbox role. Both of them are on Exchange 2016 CU19 and patched. The column Security Vulnerabilities shows both Exchange Servers as None.

Microsoft Exchange Server vulnerability check report

If you’re not up to date or not patched, it will show you that you’re vulnerable. What you can do is download and patch the vulnerability with the appropriate Security Update. The Exchange Team will most likely release the security patch only for the latest or the last two Cumulative Updates.

Do you see red or yellow warnings in the Exchange Server report? Look into it and fix it!

It’s important to have the Exchange Servers up to date as it will simplify pushing the Security Updates. When new security patches are rolling out, you don’t have to update to the latest CU and patch, which takes much more time than immediately patching because you are already on the latest CU.

Read more: March 2021 Exchange Server Security Updates »

Conclusion

In this article, you learned how to check for Microsoft Exchange Server vulnerabilities with the PowerShell HealthChecker.ps1 script. Secure the Exchange Server with the latest Cumulative Updates and Security Updates once they are released. After that, check if you are compromised or not with the guidelines that Microsoft provides.

Did you enjoy this article? You may also like Check Exchange health mailboxes. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 2 Comments

  1. I have upgraded Exchange 2016 from CU 16 to CU21. After that I have installed the security update (KB5004779). rebooted the server. I ran latest HealthChecker and it is still reporting the following, any guidance to mitigate this would be much appreciated.

Leave a Reply

Your email address will not be published. Required fields are marked *