NOTE: This blog has been updated with ESET guidance related to the global ToolShell zero-day vulnerability exploits for local SharePoint servers.

Despite the popularity of cloud-based solutions, there are many organizations that continue to use local servers, such as file servers, mail servers, or even locally run SharePoint servers. There are multiple reasons why, from budgetary concerns to considerations about third-party risks, which are all relevant. 

However, is staying behind the curve a wise decision? Let’s see why on-prem servers are still relevant these days and explore how their relevance can be maintained thanks to dedicated server security solutions.

This server is mine

There are three main reasons why local servers are still relevant for small and medium-sized businesses and enterprises:

  1. Data Control and Security: Many organizations prefer to keep sensitive data on-premises to maintain control over their security measures. This can be particularly important for industries with strict compliance requirements, such as finance, healthcare, or the government sector.
  2. Speed and Performance: Local network speeds are significantly higher than internet speeds, which is crucial for accessing and downloading large files or databases.
  3. Interoperability and Integration: Local servers can be customized to meet specific business needs and integrated with other on-premises systems more easily than cloud solutions. Many organizations have legacy systems that are deeply integrated with their local infrastructure and can’t be easily migrated.

In a way, this is also a matter of perspective. Cloud solutions are often more robust, offer better scalability, and are cheaper in the long term. Likewise, offloading one’s server needs to another party might bring multiple benefits, such as a lower environmental footprint, or even better security compared to in-house resources (for SMBs this is key).

On-prem vs. cloud: A threat perspective

The deeper question regarding the difference between local and outsourced servers is this: What about the threat landscape? Which kind of server approach is more secure?

Cloud, just like any other solution, introduces specific risks. As highlighted above, data control and security in certain industries are particularly relevant. Generally, any business that works with sensitive data of some form, or has strict regulations placed upon it due to it being a critical node to national infrastructure, must possess extensive security risk management practices.

Nevertheless, unless you have air-gapped devices or proprietary corporate solutions, local/cloud prospects don’t matter from a risk management perspective. Yes, the cloud has many vulnerability issues, but so do improperly patched and protected local servers. 

Web servers running Linux are especially vulnerable due to the sheer volume of them in use globally. Usually, the more popular a type of OS/app/device is, the more likely it is to have malware developed for it.

ESET serving servers

At ESET, we recognize that servers play a vital role in business infrastructure, and their protection demands specialized attention. Depending on the server type, each requires a different form of attention, so our dedicated solutions are designed to address their specific needs.

ESET Server Security

It is often thought that endpoints are only laptops and PCs, which is why they’re targeted by malware. However, it’s not strictly the computer that an APT group like FIN7 would like to compromise; it’s the servers running the internal network, rife with sensitive company data such as financial records, customer information, and more.

ESET Server Security (ESS) covers servers as hosts, protecting network file storage against data breaches or ransomware attacks, for example. It does so by adding a server host firewall and network attack protection on top of Windows or Linux servers, supplemented by Vulnerability and Patch Management to keep track of potential exposures.

ESS now also includes a Web Control feature (particularly useful for Terminal Servers), which enables IT admins to allow or block access to specific websites or categories (27 predefined) with customizable notification messages ready to explain why access to these sites is blocked.

Web Control became available for customers with ESET PROTECT Entry + with the release of ESS v12.0. 

While mistakes can happen, ensuring server integrity has never been easier. However, ESET still recommends vigilance, seeing how sophisticated threat actors have stepped up their game to a level where they are capable of killing the security solution itself.

The ESS for Terminal Server offering has also been updated with a new Firewall*, blocking unauthorized traffic both ways, all managed through a single intuitive interface. Moreover, with the new firewall rules’ editor, admins can create, update, and manage security policies consistently to maintain organization-wide security rules.

The Firewall has been available for customers with ESET PROTECT Entry + since the release of ESET Server Security v11.0 in 2024.

ESET Mail Server Security

Aside from local storage servers, we can’t forget about emails. 

Most business communication takes place by email, which gives malicious messages ample opportunities to slip through. Business email compromise (BEC) is one of the costlier attack vectors, costing businesses around $2.7 billion in 2024 according to the FBI’s IC3 report.

To protect against email-borne threats such as phishing, ESET Mail Security proactively scans emails and their attachments (even Microsoft 365 mailboxes in hybrid Exchange environments) for all types of threats, and actively blocks phishing, spam, and malware at once, offering robust quarantine management and cluster support for large networks.

ESET Security for Microsoft SharePoint Server

Large numbers of company networks are based on SharePoint due to its robustness and ease of use, offering a one-stop shop for all Microsoft-developed apps in use, such as MS 365. The fact that it is a nexus of all these things is why threat actors would like to take over control.

With ESET Security for Microsoft SharePoint Server, the protection is optimized for said environment, proactively scanning each file on access. 

The solution also offers network attack protection, server host firewall, and vulnerability and patch management to protect against the specific subsets of threats that target this server type.

What about the ToolShell zero-day exploits?

On July 19, 2025, Microsoft confirmed that a set of zero-day vulnerabilities in local SharePoint servers, called ToolShell, was being exploited in the wild, enabling threat actors to gain entry into company systems and breach multiple governmental agencies and business entities using said server type.

ESET Security for Microsoft SharePoint Server protects against CVE-2025-49704, CVE-2025-53770 and CVE-2025-53771. The security product will report exploitation attempts as Sharepoint/Exploit.CVE-2025-49704 as well as report post-exploitation artefacts such as BH/Webshell or MSIL/Webshell.

Moreover, customers with ESET Inspect can benefit from the new detection rule “Potential SharePoint Post-Exploitation (Cmd/PowerShell)” (with the new response action KillProcess).

The burden of on-prem

The definition of a modern endpoint has irrevocably changed as businesses digitally transform. Consequently, we must talk about endemic server security as a separate measure that correlates to the efforts of protecting employee endpoints such as laptops in use. Those still access in-house resources, which are running on company servers, after all.

So, it doesn’t matter whether we discuss externally sourced cloud computing or local measures: servers are just as important as the devices they “serve” to access internal networks. While the server types in use are as diverse as a peacock’s tail feathers, distinct solutions preventing their unauthorized plucking by foxy threat actors should be paramount to any business cybersecurity strategy.

*Customers subscribed to the ESS for TS offering will be able to leverage both Web Control and the new Firewall starting July 2, 2025.