Exchange must have the most current, approved Cumulative Update installed.

An XCCDF Rule

Description

<VulnDiscussion>Failure to install the most current Exchange Cumulative Update (CU) leaves a system vulnerable to exploitation. Current CUs correct known security and system vulnerabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-259711r942447_rule
Severity: Medium
References: CCI-002605
Updated: 8 months ago

Consult the EDSP for the accepted update process within the organization.

Install the most current, approved CU. Microsoft recommends as a best practice to always install the latest CU when creating a new server. Existing servers keep as up-to-date as possible and backup any customizations. Follow any additional recommendations by going to the following website:
https://learn.microsoft.com/en-us/Exchange/plan-and-deploy/install-cumulative-updates?view=exchserver-2019

All Exchange 2019 updates can be found on the Microsoft Exchange update site:https://learn.microsoft.com/en-us/Exchange/new-features/updates?view=exchserver-2019

Exchange CUs must be manually downloaded. Since CUs are full installations of Exchange, there is no need to install the "Release to Manufacturer" version first. However, once installed, it cannot be uninstalled. Installation must be done on a test server first before placing in production to ensure that it does not disrupt services or conflict with existing configurations.

Note: Some CUs will require an Active Directory Schema extension, which adds new Exchange attributes. Consult the EDSP and ensure appropriate permissions before beginning an update.

Note: Security updates (SUs) can be downloaded and triggered through Windows Updates by going to Windows Update >>Advanced Options >> "Choose how updates are installed" and select the box "Give me updates for other Microsoft products when I update Windows" if the Exchange server is connected to the web or internal Windows Update Services.

Exchange must have the most current, approved Cumulative Update installed.

Description

Remediation - Manual Procedure