Fully Protect your Microsoft Exchange server with TransientX

Hafnium attack a wakeup call to protect on-premises assets with true zero trust application access.

A Critical Problem To Address

On March 3, 2021 the US Government issued a rare directive to mitigate vulnerabilities with on-premises Microsoft Exchange servers because of a widespread hack by a state-sponsored group Microsoft calls Hafnium. With 43% of all Exchange mail accounts managed on-premises, and more than 30,000 servers in the United States alone, the risk of Chinese hackers obtaining invaluable data from these at-risk servers is the new info-pandemic

The underlying reason why this hack is so widespread is simple: Businesses have cracks in IT infrastructure that permit hackers to violate two key tenets of IT security:

  1. Protect the servers: Block bad-actors from access to the enterprise data center or private cloud where the apps and data reside
  2. Protect the data: Prevent end-users or malware on devices to exfiltrate data

Hackers have accessed Microsoft Exchange through publicly exposed paths, and back-door breaches have allowed them to access the server directly. To stop both risks, all access to the servers must be controlled. Specifically, unprotected access to these services must be stopped:

  • Outlook Web Access (OWA)
  • Microsoft Active Sync for mobile access
  • Microsoft MAPI over HTTP access for Outlook to access Exchange

VPN: You are still at risk

The first answer that may come to mind is to use a VPN. That unfortunately just kicks the can down the road. The VPN limits access to the data center only. However, any infected end-user device then just needs to connect via the VPN to OWA or the Exchange server. At that point, malware will have unfettered access

ZTNA: You could still be exposed

Many zero trust access services have arisen to limit user devices to only access designated servers. Said differently, if a user device uses Zero-Trust Network Access (ZTNA) and their infected device is accessing an application other than Exchange, they will not be able to reach Exchange and infect the server. This is fine if the user is not using Outlook or OWA. If they are, once Outlook attempts to access Exchange, most ZTNA solutions will treat this as a legitimate access request and open the path to Exchange. Then, malware on the device will likewise have a clear path to Exchange!

TransientX: The only Zero Trust solution to prevent Microsoft Exchange Server infections

The only fool-proof way to protect enterprise-managed on-premises Microsoft Exchange servers is via TransientAccess, the next-generation Zero Trust Application Access solution from TransientX. 

TransientAccess delivers three distinct capabilities to prevent malware from ever reaching the Exchange server, for all access methods:

  • Hide the Exchange Server: The server IP addresses, and DNS names are never published or visible. The TransientAccess virtual network dynamically maps virtual addresses to the real address, with different mappings per user and per server. Malware looking for these servers cannot find them because they are camouflaged. By preventing this potential east-west traversal, malware is blocked from attacking the servers.
  • Connect the app to the Exchange server: TransientAccess is unique in the market in its ability to securely wrap any application, including browsers and Outlook, in an isolated workspace to limit its available network destinations. Therefore, malware cannot reach the enterprise data center without infecting Outlook itself, or the browser directly.
  • Secure the browser and Outlook from malware: The TransientAccess secure micro-container protects applications from malware. When the user activates their browser to reach OWA, or uses Outlook, the secure micro-container prevents malware from affecting the application. This means that as long as the browser or Outlook are protected by TransientAccess, malware cannot reach or infect Exchange servers.
Protecting Microsoft Exchange with Zero Trust Application Access
Protecting Microsoft Exchange with Zero Trust Application Access

Below is a comparison between VPN, basic ZTNA, and TransientAccess:

VPNZero Trust Network AccessTransientX- Zero Trust Application Access
Protect Data Center and cloud
Controlled Access
Prevent Malware from accessing Exchange
Prevent users from copying, downloading data
VPN vs ZTNA vs Zero Trust Application Access with TransientAcccess

Visit  www.transientx.com for more on zero-trust network access or go here to get TransientAccess now for free!

Leave a Reply

Your email address will not be published. Required fields are marked *