Sensitive Exchange Permissions

critical

Description

Microsoft Exchange on-premises relies heavily on deep integration with Active Directory (AD) for essential functions such as user authentication, mailbox management, and some configuration storage. To support this integration, Exchange setup automatically grants extensive permissions to specific Exchange security groups on AD objects, which expands the attack surface of the domain. Attackers routinely abuse these permissions to escalate privileges and gain control over the entire domain.

Solution

To mitigate the risks introduced by Microsoft Exchange on-premises, Tenable recommends first adopting the Active Directory split permissions model, as it significantly reduces Exchange's ability to modify AD users and groups. Additionally, enforcing stricter Access Control Lists (ACLs) further limits Exchange's permissions to the objects it actually needs, protecting administrative and sensitive service accounts from unauthorized modifications.
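One way to check whether the shared permissions model is still in effect, as an added example that is not part of the Tenable indicator or its own checks: the script below reads the ACL of the domain naming context and flags Allow ACEs held by the Exchange security groups that carry write-class rights. It assumes the ActiveDirectory RSAT module on a domain-joined host and the well-known group names created by Exchange setup ("Exchange Windows Permissions", "Exchange Trusted Subsystem").

```powershell
# Added example (not from the Tenable page): audit the domain root ACL for rights
# granted to the Exchange security groups. Under the shared permissions model
# "Exchange Windows Permissions" holds WriteDacl on the domain object; under the
# split permissions model it should hold no write-class right there.
# Assumptions: RSAT ActiveDirectory module installed, domain-joined machine,
# caller may read the domain object's security descriptor.
Import-Module ActiveDirectory

$exchangeGroups  = @('Exchange Windows Permissions', 'Exchange Trusted Subsystem')
# Rights that allow taking over the object (or its descendants when inherited).
$dangerousRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner'

$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn"   # AD: drive is provided by the module

$findings = foreach ($ace in $acl.Access) {
    # IdentityReference looks like "DOMAIN\Exchange Windows Permissions".
    $principal = $ace.IdentityReference.Value
    $matches   = $exchangeGroups | Where-Object { $principal -like "*\$_" }
    if (-not $matches) { continue }

    [pscustomobject]@{
        Principal        = $principal
        AccessType       = $ace.AccessControlType
        Rights           = $ace.ActiveDirectoryRights
        InheritanceType  = $ace.InheritanceType
        ObjectType       = $ace.ObjectType          # GUID of the guarded attribute/right, if any
        Dangerous        = ($ace.AccessControlType -eq 'Allow') -and
                           ($ace.ActiveDirectoryRights.ToString() -match $dangerousRights)
    }
}

$findings | Sort-Object Dangerous -Descending | Format-Table -AutoSize

$bad = @($findings | Where-Object { $_.Dangerous })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} Exchange group ACE(s) with write-class rights on {1}; " +
                   "compare against the split permissions model.") -f $bad.Count, $domainDn
} else {
    Write-Host "No write-class rights for Exchange groups on $domainDn."
}
```

The same check can be pointed at other high-value containers (for example the AdminSDHolder object or an OU holding service accounts) by changing the path passed to Get-Acl.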

See Also

Pwned by the Mail Carrier

Exchange privilege escalations to Active Directory

Configure Exchange Server for split permissions

Exchange 2013 deployment permissions reference

Indicator Details

Name: Sensitive Exchange Permissions

Codename: C-EXCHANGE-PERMISSIONS

Severity: Critical

Type: Active Directory Indicator of Exposure

MITRE ATT&CK Information:

Attacker Known Tools

Andrew Robbins (@_wald0), Rohan Vazarkar (@CptJesus), Will Schroeder (@harmj0y): BloodHound

dirkjanm: PrivExchange