Expert Perspectives | 5 Min Read

Harnessing Zero-Day Protection for Microsoft Exchange Servers and Beyond

Unpacking data center security and why it’s paramount to your defense against emerging threats

Today’s threat landscape is evolving at breakneck speed, as is the pace of emerging, unknown threats. Of course, this complicates the task of readying security defenses already hamstrung by traditional solutions not built to withstand our current environment. We only need to reference the 2021 Microsoft Exchange Server breach to demonstrate why protection beyond traditional endpoint solutions is now the bare minimum—and why protecting critical infrastructure like Microsoft Exchange Servers from zero-day attacks and unknown threats is more crucial than ever. 

For many evolving threats, relying on status quo endpoint solutions is akin to using a jackhammer to put in a screw: unproductive and inefficient. This blog will define what data center security (DCS) means and why it offers essential zero-day protection against novel and critical vulnerabilities.

Vulnerabilities to Microsoft Exchange Servers

When investigating what led to Microsoft’s 2021 Exchange Server breach and the orchestrators of the attack, the Microsoft Threat Intelligence Center (MSTIC) identified HAFNIUM, a group they assess is state-sponsored and operating out of China.

Based on telemetry collected from the Palo Alto Networks Expanse platform, there were over 125,000 unpatched Exchange Servers in March 2021. Many of these vulnerabilities were exploited for at least two months before the security patches were made available, so even organizations that patched their Exchange Servers promptly once fixes shipped had been exposed for weeks beforehand and could have been compromised in that wide window.

HAFNIUM is clearly keen on exploiting zero-day vulnerabilities in 2024, but they’re not alone. With so many threat actors focused on zero-day vulnerabilities, how can administrators reasonably and effectively protect their environments from past and future vulnerabilities?

The answer is data center security.

How does data center security (DCS) work?

Data center security (DCS) bolsters the security of servers by defending against malware and network intrusions through hardening. The primary goal of hardening is to minimize the attack surface, making it significantly more difficult for attackers to exploit vulnerabilities. Hardening provides the context that traditional security solutions lack: with that added context, DCS can judge whether an action taken by a dual-use tool is allowable.

Think of hardening like a medieval castle’s defense system. Before storming the moat and fortified walls, attackers must first face multiple obstacles: a drawbridge, armed guards at the gate, and layers of reinforced barriers within the belly of the castle. Even if they have the correct “keys” (for instance, passwords), they must still navigate a series of defenses to reach their target. 

Often, individuals in a corporate environment have more access than necessary. DCS allows you to put limits on any superfluous access through controls like hardening and “least privilege access control” (LPAC). For reference, LPAC monitors, manages and detects potential malicious activities by analyzing how processes are created, where they are located, what commands they execute and which users are responsible for them.

DCS gives users the freedom to modify applied policies across their organization. Users can test what policies are right for them in a sandboxed environment. Here are some prime examples of ideal policies:

  • DCS out-of-the-box hardening policy
    • Blocks installation of software/executables
    • Blocks modification of autostart locations
    • Blocks tampering with critical system configuration files
    • Blocks services from launching dual-use tools (cmd.exe, cscript.exe, net.exe, powershell.exe) unless an approved exception exists
  • Even better if a DCS solution offers additional layers of protection such as:
    • App-level network firewall: IPs/ports
    • Process access control: opening privileged processes
    • File and registry access control
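As an added illustration (not Symantec DCS code), the following toy policy evaluator in Python applies the kinds of rule listed above and in the Exchange protections later in this post: service launches of dual-use tools with approved exceptions, writes to autostart locations and to an Exchange web directory, and an app-level egress allowlist by process, IP and port. The image names, paths and addresses are constructed samples, and the Exchange web root is a hypothetical placeholder.

```python
from dataclasses import dataclass, field
# Dual-use tools a service may not launch unless an approved exception exists (from the list above)
DUAL_USE_TOOLS = {"cmd.exe", "cscript.exe", "net.exe", "powershell.exe"}
# Constructed sample locations; a real policy carries the full autostart and Exchange path sets
AUTOSTART_PREFIXES = (r"hklm\software\microsoft\windows\currentversion\run",
                      r"c:\programdata\microsoft\windows\start menu\programs\startup")
EXCHANGE_WEB_DIR = r"c:\exchange\frontend"          # hypothetical Exchange web root
DEPLOYABLE_EXT = (".aspx", ".dll", ".exe")           # file types treated as deployments

@dataclass(frozen=True)
class ProcessEvent:
    parent: str              # image name of the process creating the child
    child: str               # image name being launched
    user: str                # account the parent runs as (recorded for the event)
    parent_is_service: bool  # True when the parent runs as a Windows service

@dataclass
class HardeningPolicy:
    exceptions: set = field(default_factory=set)           # (service image, tool) pairs allowed
    approved_deployers: set = field(default_factory=set)   # images allowed to write into the web root
    trusted_connections: set = field(default_factory=set)  # (image, remote ip, port) allowed out

    def evaluate_process(self, ev: ProcessEvent) -> str:
        parent, child = ev.parent.lower(), ev.child.lower()
        if ev.parent_is_service and child in DUAL_USE_TOOLS:
            if (parent, child) in self.exceptions:
                return "allow:approved-exception"
            return "block:service-launched-dual-use-tool"
        return "allow"

    def evaluate_write(self, process: str, path: str) -> str:
        p = path.lower()
        if any(p.startswith(pre) for pre in AUTOSTART_PREFIXES):
            return "block:autostart-modification"
        if (p.startswith(EXCHANGE_WEB_DIR) and p.endswith(DEPLOYABLE_EXT)
                and process.lower() not in self.approved_deployers):
            return "block:unauthorized-exchange-file-deployment"
        return "allow"

    def evaluate_connection(self, process: str, ip: str, port: int) -> str:
        if (process.lower(), ip, port) in self.trusted_connections:
            return "allow"
        return "block:untrusted-connection"
# Constructed sample policy: one approved service exception, one deployer, one trusted egress rule
DEFAULT_POLICY = HardeningPolicy(
    exceptions={("backupsvc.exe", "powershell.exe")},
    approved_deployers={"msiexec.exe"},
    trusted_connections={("w3wp.exe", "192.0.2.10", 443)},
)
```

The decisions are strings so that the same evaluator can feed both a blocking mode and an alert-only mode: in monitoring, log the "block:" reasons; in enforcement, deny the action.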

How does Symantec Data Center Security protect my data center?

For an overwhelming number of Microsoft Exchange users, common endpoint solutions are too general and ineffective for server-specific vulnerabilities. Symantec’s DCS product, Symantec Data Center Security (DCS), offers a targeted alternative that secures and hardens physical and virtual servers against malware and network threats.

Unlike traditional security solutions, Symantec DCS leverages hardening to decrease your attack surface, so even if an attacker manages to bypass initial security layers, they are met with additional policies that protect the system. DCS goes even further to extend hardening beyond mere access control, incorporating continuous monitoring, application control and system lockdowns to defend against known and unknown threats.

With Symantec DCS, administrators can provide zero-day protection for Microsoft Exchange servers, protecting against future threats before patches are applied, or even available. To protect against these unknown threats without continuous updates, DCS uses competitive differentiators including:

  • Comprehensive hardening and monitoring
  • Heterogeneous operating systems support
  • Exotic/EOL OS support (AIX, Solaris, HP-UX, Windows Server 2003)
  • Comprehensive Linux security stack
  • Custom application hardening and monitoring
  • Incident alerts and rich events data generation

What are the benefits of Symantec Data Center Security?

Symantec’s DCS enables scalable, application-level, always-on threat protection and hardening to simplify security monitoring across data centers, including AWS and OpenStack clouds. Unlike traditional security products, Symantec’s DCS solution does not require content updates and does not charge additional fees after security policies are crafted. With Symantec, organizations can “set and forget” their protection and allocate their time and resources to more strategic tasks.

What does Symantec protect Exchange users from?

Symantec DCS boasts a robust history of protection against high-profile Exchange vulnerabilities, and out-of-the-box protections from popular attack tools such as mimikatz. Its hardening aspect offers users unique advantages over run-of-the-mill security solutions. The default Symantec Windows hardening policy includes protections that prevent several attack techniques out of the box, such as:

  • Unauthorized file deployment in Exchange directories
  • The downloading of malicious tools
  • Attempts to steal credentials
  • Unauthorized internet connections from the server

Additional DCS controls can be enabled for more specific protections, such as:

  • Blocking suspicious program executions
  • Preventing unauthorized file modifications
  • Limiting network connections to trusted users, processes, IPs and ports only

Figure: DCS Application Sandboxing

Can Symantec DCS protect my unpatched EOL systems?

Yes, Symantec protects unpatched End-of-Life systems. Many organizations rely on operating systems that no longer receive patches. This is a common problem, since business needs often don’t match the retirement schedule of these operating systems.

Symantec offers a comprehensive approach to securing and safeguarding Microsoft Exchange servers and underlying operating systems. As time goes on, Symantec DCS continues to prove effective in providing zero-day protection against the increasing prevalence of cyber threats targeting Microsoft Exchange servers.

TL;DR: Symantec protects you against zero-day attacks

Thanks to comprehensive measures and essential capabilities like hardening, Symantec’s DCS offers a welcome alternative to traditional security solutions, enabling organizations to maintain a secure and resilient data center environment without exhausting time and resources.

Ready to secure your data center and protect against the next zero-day attack? Discover how Symantec can safeguard your Microsoft Exchange servers and beyond.

About the Author

Muhammad Ihsan

Product Manager

I am the Product Manager for Symantec's Data Center Security product, and I have been working on DCS since 2007. I am passionate about understanding customer security needs and focus on delivering a world-class server security product.