Configure Extended Protection in Exchange Server

-

 https://www.alitajran.com/extended-protection-exchange-server/


Configure Extended Protection in Exchange Server

Many environments have not yet enabled Extended Protection in Exchange Server. While it’s possible for them to enable Extended Protection, they are not aware or informed correctly that they should enable it for security reasons. In this article, you will learn how to configure Extended Protection in Exchange Server.

Table of contents

What is Extended Protection?

Windows Extended Protection enhances the existing authentication in Windows Server and mitigates authentication relay or “man in the middle” (MitM) attacks. This mitigation is accomplished by using security information that is implemented through Channel-binding information specified through a Channel Binding Token (CBT), which is primarily used for SSL connections.

While Extended Protection can be enabled manually on each virtual directory, Microsoft provided the ExchangeExtendedProtectionManagement.ps1 PowerShell script to help accomplish this in bulk.

There are some limitations to be aware of before enabling Extended Protection on Exchange Server. Therefore, you must review the Microsoft documentation (which is kept up to date) and check if you are eligible.

Windows Extended Protection is supported on the below Exchange Server versions:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

Note: You need the August 2022 Exchange Server Security Update (SU) release or later installed on the Exchange Server.

Important: Remember to keep the Exchange Server up to date with the latest Exchange Cumulative Update and Exchange Security Update. Subscribe to the newsletter, and don’t miss out on the Exchange Server updates.

Check Extended Protection status

We recommend two methods to check the Extended Protection status on Exchange Server.

Method 1. Exchange Health Checker script

Run the Exchange Health Checker script and create an Exchange Server Health Check report. This will tell you if Extended Protection is enabled on the Exchange Server.

[PS] C:\scripts>Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match "^Version 15"} | %{.\HealthChecker.ps1 -Server $_.Name}; .\HealthChecker.ps1 -BuildHtmlServersReport; .\ExchangeAllServersReport.html

Extended Protection is not enabled on the Exchange Server, and it shows the security vulnerabilities:

Configure Extended Protection in Exchange Server not configured

Method 2. Exchange Extended Protection Management PowerShell script

Download ExchangeExtendedProtectionManagement.ps1 PowerShell script and save it in the C:\scripts folder.

Run Exchange Management Shell as administrator and run the script, including the -ShowExtendedProtection parameter.

The Value and SupportedValue column should be the same values.

In our example, the Value column shows None for all the virtual directories, which means that Extended Protection is not enabled on the Exchange Server.

[PS] C:\>C:\scripts\.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection

Version 23.05.04.2151
Results for Server: EX01-2019

Default Web Site            Value SupportedValue ConfigSupported RequireSSL     ClientCertificate IPFilterEnabled
----------------            ----- -------------- --------------- ----------     ----------------- ---------------
API                         None  Require                  False True (128-bit) Ignore                      False
Autodiscover                None  None                      True True (128-bit) Ignore                      False
ECP                         None  Require                  False True (128-bit) Ignore                      False
EWS                         None  Allow                     True True (128-bit) Ignore                      False
Microsoft-Server-ActiveSync None  Allow                     True True (128-bit) Ignore                      False
OAB                         None  Require                  False True (128-bit) Ignore                      False
Powershell                  None  Require                  False False          Accept                      False
OWA                         None  Require                  False True (128-bit) Ignore                      False
RPC                         None  Require                  False False          Ignore                      False
MAPI                        None  Require                  False True (128-bit) Ignore                      False




Exchange Back End           Value SupportedValue ConfigSupported RequireSSL     ClientCertificate IPFilterEnabled
-----------------           ----- -------------- --------------- ----------     ----------------- ---------------
API                         None  Require                  False True (128-bit) Ignore                      False
Autodiscover                None  None                      True True (128-bit) Ignore                      False
ECP                         None  Require                  False True (128-bit) Ignore                      False
EWS                         None  Require                  False True (128-bit) Ignore                      False
Microsoft-Server-ActiveSync None  Require                  False True (128-bit) Ignore                      False
OAB                         None  Require                  False True (128-bit) Ignore                      False
Powershell                  None  Require                  False True (128-bit) Accept                      False
OWA                         None  Require                  False True (128-bit) Ignore                      False
RPC                         None  Require                  False False          Ignore                      False
PushNotifications           None  Require                  False True (128-bit) Ignore                      False
RPCWithCert                 None  Require                  False False          Ignore                      False
MAPI/emsmdb                 None  Require                  False True           Ignore                      False
MAPI/nspi                   None  Require                  False True           Ignore                      False

In the next step, we will enable Extended Protection on the Exchange Server.

How to enable Exchange Server Extended Protection

Go through the below steps to enable Extended Protection on the Exchange Server.

Important: Do the steps after working hours, even with a DAG configuration. That’s because you need to ensure that Outlook clients can connect successfully after the change.

1. Update to the latest Exchange Server CU/SU.

2. Configure Exchange Server TLS settings.

3. Disable SSL Offloading for Outlook Anywhere.

SSL offloading for Outlook Anywhere is enabled by default and must be disabled for Extended Protection.

[PS] C:>Set-OutlookAnywhere "EX01-2019\RPC (Default Web Site)" -SSLOffloading $false

4. Download ExchangeExtendedProtectionManagement.ps1 PowerShell script and save it in the C:\scripts folder.

5. Ensure that the admin is added to the Organization Management group.

Configure Extended Protection in Exchange Server Organization Management

Note: The user must be in Organization Management and must run this script from an elevated Exchange Management Shell (EMS) command prompt. After adding the user to the Organization Management group, sign off and sign in again to have the changes take effect.

6. Change the path directory to the scripts folder and run the PowerShell script to enable Extended Protection on Exchange Server.

[PS] C:\>cd C:\scripts
[PS] C:\scripts>.\ExchangeExtendedProtectionManagement.ps1

7. The output will show information about enabling Extended Protection. Press Y and Enter.

Version 23.05.04.2151

Enabling Extended Protection
Extended Protection is recommended to be enabled for security reasons. Known Issues: Following scenarios will not work
when Extended Protection is enabled.
    - SSL offloading or SSL termination via Layer 7 load balancing.
    - Exchange Hybrid Features if using Modern Hybrid.
    - Access to Public folders on Exchange 2013 Servers.
You can find more information on: https://aka.ms/ExchangeEPDoc. Do you want to proceed?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y

8. The script will process the prerequisites tasks, create a backup for applicationHost.config, and configure Extended Protection.

The following servers have the TLS Configuration below
EX01-2019

RegistryName        Location                                                                              Value
------------        --------                                                                              -----
SchUseStrongCrypto  SOFTWARE\Microsoft\.NETFramework\v2.0.50727                                           1
SystemTlsVersions   SOFTWARE\Microsoft\.NETFramework\v2.0.50727                                           1
SchUseStrongCrypto  SOFTWARE\Microsoft\.NETFramework\v4.0.30319                                           1
SystemTlsVersions   SOFTWARE\Microsoft\.NETFramework\v4.0.30319                                           1
SchUseStrongCrypto  SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727                               1
SystemTlsVersions   SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727                               1
SchUseStrongCrypto  SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319                               1
SystemTlsVersions   SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319                               1
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client  1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client  0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server  1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server  0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client  1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client  0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server  1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server  0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client  0
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client  1
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server  0
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server  1

TLS prerequisites check successfully passed!

All servers that we are trying to currently configure for Extended Protection have RPC (Default Web Site) set to false for SSLOffloading.
EX01-2019: Backing up applicationHost.config.
EX01-2019: Successful backup to C:\Windows\System32\inetSrv\config\applicationHost.cep.20230505220519.bak
EX01-2019: Successfully updated applicationHost.config.

Successfully enabled Extended Protection: EX01-2019
Do you have feedback regarding the script? Please email ExToolsFeedback@microsoft.com.

Extended Protection is successfully enabled.

Verify Extended Protection enabled status

Ensure everything is set correctly and create a new Exchange Server Health Check report.

There are no more Security vulnerabilities for Extended Protection. It shows Extended Protection Enabled (Any VDir) with the value True.

Configure Extended Protection in Exchange Server enabled

Another way is to check it with the PowerShell script. This is how it looks.

The Value and SupportedValue column shows the same values. This means that Extended Protection is enabled on the Exchange Server.

[PS] C:\>C:\scripts\.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection

Version 23.05.04.2151
Results for Server: EX01-2019

Default Web Site            Value   SupportedValue ConfigSupported RequireSSL     ClientCertificate IPFilterEnabled
----------------            -----   -------------- --------------- ----------     ----------------- ---------------
API                         Require Require                   True True (128-bit) Ignore                      False
Autodiscover                None    None                      True True (128-bit) Ignore                      False
ECP                         Require Require                   True True (128-bit) Ignore                      False
EWS                         Allow   Allow                     True True (128-bit) Ignore                      False
Microsoft-Server-ActiveSync Allow   Allow                     True True (128-bit) Ignore                      False
OAB                         Require Require                   True True (128-bit) Ignore                      False
Powershell                  Require Require                   True False          Accept                      False
OWA                         Require Require                   True True (128-bit) Ignore                      False
RPC                         Require Require                   True True (128-bit) Ignore                      False
MAPI                        Require Require                   True True (128-bit) Ignore                      False




Exchange Back End           Value   SupportedValue ConfigSupported RequireSSL     ClientCertificate IPFilterEnabled
-----------------           -----   -------------- --------------- ----------     ----------------- ---------------
API                         Require Require                   True True (128-bit) Ignore                      False
Autodiscover                None    None                      True True (128-bit) Ignore                      False
ECP                         Require Require                   True True (128-bit) Ignore                      False
EWS                         Require Require                   True True (128-bit) Ignore                      False
Microsoft-Server-ActiveSync Require Require                   True True (128-bit) Ignore                      False
OAB                         Require Require                   True True (128-bit) Ignore                      False
Powershell                  Require Require                   True True (128-bit) Accept                      False
OWA                         Require Require                   True True (128-bit) Ignore                      False
RPC                         Require Require                   True True (128-bit) Ignore                      False
PushNotifications           Require Require                   True True (128-bit) Ignore                      False
RPCWithCert                 Require Require                   True True (128-bit) Ignore                      False
MAPI/emsmdb                 Require Require                   True True (128-bit) Ignore                      False
MAPI/nspi                   Require Require                   True True (128-bit) Ignore                      False

Extended Protection is successfully configured on the Exchange Server.

Rollback Exchange Extended Protection

This syntax rolls back the Extended Protection configuration for all the Exchange Servers that are online where Extended Protection was previously configured.

[PS] C:\scripts>.\ExchangeExtendedProtectionManagement.ps1 -RollbackType "RestoreIISAppConfig"

This syntax rolls back the Extended Protection mitigation of IP restriction for the EWS Backend virtual directory of all the Exchange Server that are online where Extended Protection was previously configured.

[PS] C:\scripts>.\ExchangeExtendedProtectionManagement.ps1 -RollbackType "RestrictTypeEWSBackend"

That’s it!

Read more: Enable PowerShell serialization payload signing in Exchange Server »

Conclusion

You learned how to configure Extended Protection in Exchange Server. First, ensure that the prerequisites are met. Next, run the PowerShell script. The script will tell you if there is a missing configuration and will abort. If everything looks good, it will enable Extended Protection on all the virtual directories. Suppose you have issues, it’s easy to revert the Extended Protection changes with the PowerShell script.

Did you enjoy this article? You may also like Limit access to/from port 25 on Exchange Server. Don’t forget to follow us and share this article.

Комментарии

Отправить комментарий

Популярные сообщения из этого блога

У вас нет прав для отправки сообщения вместо указанного пользователя. Ошибка: [0x80070005-0x0004dc-0x000524]

-
Изображение
Включить выключить кеширование Закрыть outlook Удалить C:\Users\%username%\AppData\Local\Microsoft\Outlook\Offline Address Books Выключить кэширование почтового ящика http://arozhk.ru/soft/outlook-oshibka-0x80070005-00000000-00000000 Соответственно права все проставлены, проверены и внешне всё нормально. Как я решил эту проблему? Первое, поискал в интернете описание подобных проблем, оказывается я не первый у кого Exchange 2016 выдает ошибку при отправки сообщения из другого почтового ящика. Вариантов получилось несколько, очистить кэш клиента, перезагрузить адресную книгу, перебить права чуть ли не лезя ручками в AD. Много чего. Но в одном мало заметном посте прочитал, что всё банально, такая ошибка, при всех правильно проставленных правах, возникает если адресат от имени которого отправляем письмо, скрыт в глобальной адресной книге … Нонсенс, но факт. Вернул аккаунт в адресную книгу — ошибки не стало. Так что, если и у Вас возникает такая ошибка в Exchange 2016, когда В...
Далее...

KSMG Подготовка конфигурационных файлов для подключения к LDAP

-
  Подготовка конфигурационных файлов для подключения к LDAP Перед тем, как настроить верификацию получателей через LDAP на встроенном MTA, необходимо подготовить конфигурационный файл, содержащий параметры подключения к LDAP-серверу. Если у вас несколько доменов (лесов) Active Directory, для каждого из них необходимо подготовить отдельный конфигурационный файл. Каждый файл с параметрами подключения к LDAP представляет собой обычный текстовый файл в формате Unix (LF переводы строк). Имена файлов должны быть такими:  ldap_map1.cf ,  ldap_map2.cf  и т.д. Процедура подготовки конфигурационного файла состоит из следующих шагов: 1) Создайте на контроллере домена сервисную учетную запись со сложным паролем, которая будет использоваться для подключения к LDAP-серверам данного домена (леса доменов). Для примера будем использовать учетную запись с именем ksmg-relay. 2) Определите DN (Distinguished Name) сервисной учетной записи. Это можно сделать, например, при ...
Далее...

Поиск и удаление писем в ящиках Exchange Server

-
Изображение
 https://winitpro.ru/index.php/2018/07/20/search-mailbox-poisk-i-udalenie-otdelnyx-pisem-iz-yashhikov-exchange/ Поиск и удаление писем в ящиках Exchange Server (Microsoft 365) с помощью PowerShell 22.02.2022   itpro   Exchange ,  Microsoft 365 ,  PowerShell   комментариев 48 В Exchange Server вы можете использовать PowerShell командлеты  Search-Mailbox  или  New-ComplianceSearch  (доступен в новых версиях Exchange Server и в Exchange Online/Microsoft 365) для поиска и удаления писем из ящиков пользователей. Например, пользователь случайно разослал приватные данные коллегам в организации и не успел  отозвать сообщение в Outlook . Департамент защиты информации требует, чтобы вы, как администратор Exchange, удалили случайно отправленное приватное письмо из всех ящиков пользователей в вашей организации/тенанте Exchange Содержание: Предоставить права для поиска по ящикам Exchange Search-Mailbox: поиск и удаление писем в ящиках Exchange П...
Далее...