Exchange must have the most current, approved Cumulative Update installed.


Overview

Finding ID: V-259711
Version: EX19-MB-000244
Rule ID: SV-259711r942447_rule
IA Controls:
Severity: Medium
Description
Failure to install the most current Exchange Cumulative Update (CU) leaves a system vulnerable to exploitation. Current CUs correct known security and system vulnerabilities.
STIG: Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide
Date: 2024-01-10

Details

Check Text (C-63450r942445_chk)
Determine the most current, approved service pack.

Open the Exchange Management Shell and enter the following command:

Get-ExchangeServer | Select-Object -Property Name, AdminDisplayVersion | Format-List

If the value of "AdminDisplayVersion" does not return the most current, approved Cumulative Update (CU), this is a finding.
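
The comparison this check asks for, as an added example that is not part of the STIG text: it parses each server's "AdminDisplayVersion" into a comparable version and reports any server that does not match the approved build. The function names, server names and build numbers are constructed placeholders, and the code assumes "AdminDisplayVersion" renders in the form "Version 15.2 (Build N.N)".

```powershell
# Added example. The approved build is a PLACEHOLDER, not a real CU build:
# set it to the build of the CU your organization has approved.
$ApprovedBuild = [version]'15.2.1000.1'

function ConvertTo-ExchangeBuild {
    # Turns "Version 15.2 (Build 1000.1)" into [version] 15.2.1000.1 so that
    # builds compare numerically instead of as strings.
    param([Parameter(Mandatory)][string]$AdminDisplayVersion)
    if ($AdminDisplayVersion -match '^Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)$') {
        return [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
    }
    # Fail loudly rather than silently passing a server we could not evaluate.
    throw "Unrecognized AdminDisplayVersion: '$AdminDisplayVersion'"
}

function Test-ExchangeCuLevel {
    # Emits one result per server. Anything other than an exact match with the
    # approved build is reported as a finding, following the check text.
    param(
        [Parameter(Mandatory)][object[]]$Server,
        [Parameter(Mandatory)][version]$ApprovedBuild
    )
    foreach ($s in $Server) {
        # [string] handles both the live object and its remoting (string) form.
        $build = ConvertTo-ExchangeBuild -AdminDisplayVersion ([string]$s.AdminDisplayVersion)
        $status = 'Match'
        if ($build -lt $ApprovedBuild) { $status = 'Behind' }
        if ($build -gt $ApprovedBuild) { $status = 'Ahead' }
        [pscustomobject]@{
            Name           = $s.Name
            InstalledBuild = $build
            Status         = $status
            Finding        = ($status -ne 'Match')
        }
    }
}

# Constructed sample data so the example runs without Exchange. In the Exchange
# Management Shell, replace it with: $servers = Get-ExchangeServer
$servers = @(
    [pscustomobject]@{ Name = 'MBX01'; AdminDisplayVersion = 'Version 15.2 (Build 1000.1)' }
    [pscustomobject]@{ Name = 'MBX02'; AdminDisplayVersion = 'Version 15.2 (Build 900.5)' }
)

Test-ExchangeCuLevel -Server $servers -ApprovedBuild $ApprovedBuild | Format-Table -AutoSize
```

With the sample data, MBX01 is reported as "Match" and MBX02 as "Behind" with Finding set to True.
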
Fix Text (F-63358r942446_fix)
Consult the EDSP for the accepted update process within the organization.

Install the most current, approved CU. As a best practice, Microsoft recommends always installing the latest CU when creating a new server. Keep existing servers as up to date as possible, and back up any customizations. Follow any additional recommendations on the following website:
https://learn.microsoft.com/en-us/Exchange/plan-and-deploy/install-cumulative-updates?view=exchserver-2019

All Exchange 2019 updates can be found on the Microsoft Exchange update site:
https://learn.microsoft.com/en-us/Exchange/new-features/updates?view=exchserver-2019

Exchange CUs must be manually downloaded. Since CUs are full installations of Exchange, there is no need to install the "Release to Manufacturer" version first. However, once installed, a CU cannot be uninstalled. Install it on a test server first, before placing it in production, to ensure that it does not disrupt services or conflict with existing configurations.

Note: Some CUs will require an Active Directory Schema extension, which adds new Exchange attributes. Consult the EDSP and ensure appropriate permissions before beginning an update.

Note: If the Exchange server is connected to the web or to internal Windows Update Services, security updates (SUs) can be downloaded and triggered through Windows Update. Go to Windows Update >> Advanced Options >> "Choose how updates are installed" and select the box "Give me updates for other Microsoft products when I update Windows".