How to Perform Microsoft Exchange Server Vulnerability Check?
Microsoft Exchange Server vulnerability refers to a flaw or weakness in the system software, hardware, network, or process that threat actors and cybercriminals can exploit to gain unauthorized access to the server, steal sensitive data, and execute malicious codes or install malware, such as ransomware. They open new doors for threat actors, making it easier to exploit and compromise the unpatched Exchange Server than updated ones.
Updates not only patch the vulnerabilities and bugs that can lead to malicious attacks but also new features and improvements to enhance the server’s performance and stability. Thus, it’s critical to keep your Exchange Server infrastructure updated with the latest Security Updates (SUs) and Cumulative Updates (CUs).
With Microsoft’s release of the Health Checker PowerShell script, it’s now easier to scan an Exchange Server and get a detailed report on the server’s health and vulnerabilities.
In this article, you will learn steps to check Microsoft Exchange Server vulnerabilities and best practices to keep the server healthy by fixing any configuration issues and patching the vulnerabilities.
How to Perform Microsoft Exchange Server Vulnerability Check?
The best way to check if your Exchange Servers are fully patched or vulnerable is to use the Exchange Health Checker Script (HealthChecker.ps1). With the latest release, you can now generate a detailed report in HTML format to quickly find vulnerabilities, configuration issues, and problems on the server.
To use the script and check Microsoft Exchange Server vulnerabilities and issues, follow these steps,
- Download ps1 PowerShell script on your Exchange Server.
- Create a new folder in the C: directory, such as PowerShell Scripts, and copy the HealthChecker.ps1 in that folder.
- Open Command Prompt as administrator and then navigate to the location where HealtHChecker.ps1 script is downloaded using the cd You may also use Exchange Management Shell (EMS to execute the Health Checker script.
For instance,
cd “C:\PowerShell Scripts”
- Then execute the following command to generate a detailed report on Exchange Servers health and check vulnerabilities,
Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match “^Version 15”} | %{.\HealthChecker.ps1 -Server $_.Name}; .\HealthChecker.ps1 -BuildHtmlServersReport; .\ExchangeAllServersReport.html
- This command will run the Health Checker script to check your Exchange Servers, generate an HTML report, and open it in the default web browser.
- If the HTML report does not open automatically, you can manually open it from the same location where the Health Checker script is located, i.e., the “C:\PowerShell Scripts” folder
The HTML report contains all the information related to your Exchange Servers. If the Servers are not patched or updated, it will display the security vulnerabilities. It also provides you with the links to download and install the pending security updates.
The report highlights and categorizes the health report with color codes.
The items highlighted with Green color match the recommendation and thus require no action.
Items highlighted with the Yellow color are warnings that you must look into.
The items marked with the Red color need your immediate attention and should be fixed asap as they can cause performance issues and other problems. Exchange Server vulnerabilities are also highlighted in the Red category. All other items in the White color space are informational.
Resolve Health Checker PowerShell Script Error
If the Health Checker PowerShell script is not digitally signed, you may encounter the following error in the Command Prompt window while running the command mentioned above.
HealthChecker.ps1 is not digitally signed. The script will not execute on the system.
In such a case, you can change the execution policy temporarily to execute the Health Checker PowerShell script by using the following cmdlet in EMS.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Type Y and press the Enter key to confirm and run the Health Checker script.
What’s Next?
If vulnerabilities are detected on your Microsoft Exchange Servers, you should immediately upgrade or update your server to the latest Cumulative Update or Security Update.
Microsoft usually provides security updates and patches for the latest Cumulative Update or the last two CUs. Therefore, you should always keep your servers updated with the latest Cumulative Update to continue receiving newer security updates and hotfixes to patch the vulnerabilities and safeguard your organization from malicious attacks.
Staying on the latest CU will also help you install the latest security patches immediately as they arrive.
Microsoft releases Security Updates for supported Exchange Server versions and other Microsoft products every second week of the month. The updates are released on Tuesday, and thus, the day is also referred to as Patch Tuesday. If everything is fine with the Exchange Server, you may not receive an update on that month.
To Wrap Up
Exchange Server vulnerabilities can put your organization and data at risk. Thus, it’s critical to keep the servers updated with the latest Cumulative and Security Updates and protect your organization from malicious attacks. In this article, we have shared steps to check Microsoft Exchange Server vulnerabilities using the Health Checker PowerShell script. You can use the script to generate an HTML report that you can view in any web browser and check all the vulnerabilities and issues found on the server.
This enables you to take appropriate actions to update the server and fix the issues to ensure consistent server performance. However, if the server issues can’t be resolved or it’s compromised and damaged, you can use Exchange server recovery software to recover mailboxes and restore them to a new healthy Exchange Server in a few clicks. This will help avoid downtime and save you the effort to manually retrieve mailboxes from the damaged server, especially when a backup isn’t available, obsolete, or fails.
