Cyberattacks on on-premises Exchange servers, such as the recent Hafnium attack, have increased substantially. On March 02, 2021, Microsoft released emergency security updates to patch vulnerabilities that affected almost all versions of the Exchange server, including Exchange 2010.
However, by the time Microsoft identified the vulnerabilities and released security updates, the Hafnium group had already compromised over 35,000 Exchange servers across the globe.
Other threat actors later followed and attacked more servers, deploying ransomware, web shells, and backdoors on the compromised machines. On affected servers, data including the mailbox database was damaged, corrupted, or encrypted by malware and ransomware.
You can, however, limit the damage and avoid data loss from Exchange database corruption after a cyberattack by maintaining VSS-based backups, creating a DAG (Database Availability Group), and keeping the server current with the latest security patches.
In this guide, we’ll discuss some useful tips to prevent the Exchange database from corruption, and how you can recover and restore mailboxes from a corrupt database to a new, healthy database.
Tips to Prevent Exchange Database from Corruption
Below are some tips that help Exchange administrators protect Exchange databases from corruption. They keep the database healthy and make it possible to restore mailboxes when needed.
1. Back Up the Database
Backups are critical, especially when it comes to protecting the Exchange database. A regular backup lets administrators restore user mailboxes if the database is damaged or corrupted after a malware attack. In Exchange Server, you can create VSS (Volume Shadow Copy Service)-based backups of the Exchange database using the Windows Server Backup plug-in.
A VSS backup, especially in a standalone environment, lets administrators restore the database and mailboxes on the same or another server. If the database is corrupted or encrypted by ransomware after an attack, admins can quickly restore the database copy from the VSS backup and bring mailbox connectivity back.
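The following is an added example (not code from the original article) that takes a VSS full backup of the volumes holding one mailbox database with Windows Server Backup and then confirms that Exchange recorded it. It assumes the Windows Server Backup feature is installed and the script runs in the Exchange Management Shell; the database name and backup share are placeholders.

```powershell
# Added example: VSS full backup of a mailbox database with wbadmin, then a check
# that Exchange's LastFullBackup timestamp advanced. Placeholder names below.
$DatabaseName = 'MDB01'                  # placeholder database name
$BackupTarget = '\\BACKUPSRV\ExchBackup' # placeholder UNC share for the backup

$db = Get-MailboxDatabase -Identity $DatabaseName -Status

# The EDB file and the transaction logs may live on different volumes; back up both.
# Assumes drive-letter volumes rather than mount points.
$volumes = @($db.EdbFilePath.PathName, $db.LogFolderPath.PathName) |
    ForEach-Object { [System.IO.Path]::GetPathRoot($_).TrimEnd('\') } |
    Sort-Object -Unique

$before = $db.LastFullBackup

# -vssFull requests an application-consistent full backup. When it completes
# successfully, the Exchange VSS writer truncates the committed transaction logs.
& wbadmin start backup -backupTarget:$BackupTarget -include:($volumes -join ',') -vssFull -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# Re-read the database status; LastFullBackup is set by the VSS writer, so an
# unchanged value means the backup was not application-aware or did not complete.
$after = (Get-MailboxDatabase -Identity $DatabaseName -Status).LastFullBackup
if ($after -and $after -ne $before) {
    Write-Output "Full backup recorded for $DatabaseName at $after"
} else {
    Write-Warning "LastFullBackup did not advance for $DatabaseName; check 'vssadmin list writers' and the Application event log"
}
```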
2. Update Exchange Server
Microsoft regularly releases security updates and cumulative updates for Microsoft Exchange Server. These updates patch vulnerabilities that threat actors could otherwise exploit to gain access to the Exchange server and damage or encrypt the database.
Thus, it is critical to apply Exchange Server and Windows Server OS updates as soon as possible to patch vulnerabilities and prevent malicious attacks. To learn more about recent attacks, vulnerabilities, and their fixes, refer to this guide.
3. Keep the Mailboxes and Database Size Under Recommended Limits
The maximum size of an Exchange database depends on the edition and version of Exchange Server installed on the machine. For instance, by default, the Exchange 2016 Standard edition is set to 1 TB, and the maximum size can grow up to 16 TB. However, it is highly recommended not to exceed 2 TB if your Exchange Server is set up in a DAG environment.
In a standalone Exchange environment, the recommended limit is 200 GB to avoid database corruption. Similarly, mailbox folders should not exceed 100,000 mail items each.
Keeping database and mailbox sizes under the recommended limits helps protect the Exchange mailbox database from corruption and from damage caused by inconsistencies.
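As an added example (not from the original article), this Exchange Management Shell script reports databases above the limits the tip gives (200 GB standalone, 2 TB in a DAG) and mailbox folders above 100,000 items. It uses only standard Exchange cmdlets; the thresholds are the article's own values.

```powershell
# Added example: flag mailbox databases and folders that exceed the recommended limits.
$standaloneLimitGB = 200      # standalone server recommendation from the article
$dagLimitGB        = 2048     # 2 TB recommendation for DAG members
$folderItemLimit   = 100000   # per-folder item recommendation

foreach ($db in Get-MailboxDatabase -Status) {
    # DatabaseSize is only populated for mounted databases.
    if ($null -eq $db.DatabaseSize) {
        Write-Warning "$($db.Name) is not mounted; size unavailable"
        continue
    }
    # MasterType tells whether a DAG or a single server owns the database.
    $inDag   = $db.MasterType -eq 'DatabaseAvailabilityGroup'
    $limitGB = if ($inDag) { $dagLimitGB } else { $standaloneLimitGB }
    $sizeGB  = [math]::Round($db.DatabaseSize.ToBytes() / 1GB, 1)
    $state   = if ($sizeGB -gt $limitGB) { 'OVER LIMIT' } else { 'ok' }
    Write-Output ("{0,-12} {1,8} GB  limit {2,5} GB  {3}" -f $db.Name, $sizeGB, $limitGB, $state)
}

# Folders above the item limit. Get-MailboxFolderStatistics walks every folder of
# every mailbox, so run this as a scheduled job in large environments.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxFolderStatistics |
    Where-Object { $_.ItemsInFolder -gt $folderItemLimit } |
    Select-Object Identity, FolderPath, ItemsInFolder |
    Sort-Object ItemsInFolder -Descending
```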
4. Use Application-Aware Antivirus/Malware Protection
In addition to regular Exchange Server and Windows Server OS updates, it is critical to use application-aware, Exchange-friendly antivirus/malware protection. This helps safeguard the server from malicious attacks, viruses, and malware, and keeps the server and the mailbox database (EDB) file healthy.
However, add folder, file, and extension exclusions when using antivirus/malware protection so that the product does not remove or lock critical Exchange Server files. This prevents conflicts between Exchange Server and the antivirus/malware software.
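The script below is an added example (not from the original article) that derives folder exclusions from the paths Exchange actually uses and applies them, together with the database file extensions, to Microsoft Defender Antivirus. It assumes Defender is the product in use and Exchange 2013 or later; other antivirus products need the same list entered their own way, and Microsoft's full published exclusion list is longer than this.

```powershell
# Added example: build antivirus exclusions from the real EDB and log locations
# and apply them to Microsoft Defender Antivirus (Add-MpPreference).
$folders = foreach ($db in Get-MailboxDatabase) {
    Split-Path $db.EdbFilePath.PathName -Parent   # folder holding the .edb file
    $db.LogFolderPath.PathName                    # transaction log folder
}
$folders = $folders | Sort-Object -Unique

# Database, transaction log, checkpoint and reserve transaction log files.
$extensions = '.edb', '.log', '.chk', '.jrs', '.jsl'

foreach ($f in $folders)    { Add-MpPreference -ExclusionPath $f }
foreach ($e in $extensions) { Add-MpPreference -ExclusionExtension $e }

# The Information Store worker holds the EDB files open; excluding the process
# keeps real-time scanning from contending with it for the database file.
# ExchangeInstallPath is set by Exchange setup and already ends with a backslash.
$storeWorker = Join-Path $env:ExchangeInstallPath 'Bin\Microsoft.Exchange.Store.Worker.exe'
Add-MpPreference -ExclusionProcess $storeWorker

# Verify what is now excluded.
$pref = Get-MpPreference
Write-Output "Excluded paths:";      $pref.ExclusionPath
Write-Output "Excluded extensions:"; $pref.ExclusionExtension
Write-Output "Excluded processes:";  $pref.ExclusionProcess
```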
5. Use the Exchange Server Best Practices Analyzer
Microsoft Exchange Server Best Practices Analyzer (ExBPA) is a tool that helps administrators check Exchange server and database health. It scans the server, collects information, and analyzes the results. Based on the report, the tool shows whether your server follows the best practices recommended by Microsoft.
It also suggests what changes you can make to comply with the best practices, which will improve the server performance and protect the database from corruption.
6. Ensure Free Storage Space for Database
Database corruption may also occur when there isn’t enough free space on the volume or drive where the database (EDB) file or the transaction logs are stored. Depending on usage, logs can be generated in large numbers and exhaust the space needed for new logs, leading to database corruption. You can enable circular logging, which automatically truncates committed transaction logs to keep log volume under control.
Similarly, when you perform a VSS backup with an application-aware backup tool, committed logs are truncated automatically.
Additionally, you can run integrity and maintenance checks on the database with the Eseutil utility included with Exchange to verify database health.
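As an added example (not from the original article), this script checks free space on the volumes holding each database's EDB file and logs, reports the circular logging setting, and reads a database header with Eseutil. The 15% free-space threshold and the database name are assumptions; it assumes drive-letter volumes and the Exchange Management Shell.

```powershell
# Added example: free-space check per database volume, circular logging status,
# and an Eseutil header read. Threshold and database name are placeholders.
$MinFreePercent = 15

foreach ($db in Get-MailboxDatabase -Status) {
    foreach ($path in @($db.EdbFilePath.PathName, $db.LogFolderPath.PathName)) {
        $drive   = [System.IO.Path]::GetPathRoot($path).TrimEnd('\')   # e.g. "E:"
        $vol     = Get-Volume -DriveLetter $drive.TrimEnd(':')
        $freePct = [math]::Round(100 * $vol.SizeRemaining / $vol.Size, 1)
        $flag    = if ($freePct -lt $MinFreePercent) { 'LOW' } else { 'ok' }
        Write-Output ("{0,-10} {1} {2,5}% free  {3}" -f $db.Name, $drive, $freePct, $flag)
    }
    # Circular logging bounds log growth, but with it enabled you can only restore
    # to the last full backup; logs cannot be replayed to a later point in time.
    Write-Output ("{0,-10} CircularLoggingEnabled={1}" -f $db.Name, $db.CircularLoggingEnabled)
}

# Header check. eseutil /mh needs exclusive access to the file, so run it against a
# dismounted database or a copy restored from backup. "Dirty Shutdown" means the
# logs must be replayed (soft recovery, eseutil /r) before the database can mount;
# eseutil /p is a last resort because it discards pages it cannot repair.
$eseutil = Join-Path $env:ExchangeInstallPath 'Bin\eseutil.exe'
$edb     = (Get-MailboxDatabase -Identity 'MDB01').EdbFilePath.PathName   # placeholder name
$header  = & $eseutil /mh $edb
$state   = $header | Select-String -Pattern '^\s*State:\s*(.+)$'
if ($state) {
    Write-Output "MDB01 header state: $($state.Matches[0].Groups[1].Value.Trim())"
} else {
    Write-Warning "Could not read the header of $edb (is the database still mounted?)"
}
```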
Follow the tips in this guide to safeguard the Exchange database from corruption. If the database is damaged or corrupted after a malicious attack or any other event, you can use Eseutil or third-party Exchange recovery software, such as Stellar Repair for Exchange.
The software helps Exchange administrators restore user mailboxes from a damaged Exchange database to PST files, which can be imported into any Outlook profile or Exchange mailbox. It can also export the recovered mailboxes directly to a live Exchange server or Office 365 account. This saves you from repairing the database manually and reduces the downtime caused by a damaged, dismounted Exchange mailbox database after a malicious attack.