How to Protect Exchange Server OWA/ECP from Attacks?

Amit SinghCloud Security Engineer
I am a dynamic Tech Enthusiast, specializing in various Microsoft technologies.
Exchange Server OWA/ECP can be secured with MFA, Google reCAPTCHA, and by limiting access to certain IP addresses. MFA can be provided by a third-party provider or through a hybrid setup with Exchange Online. reCAPTCHA can be integrated by registering the site with a Google account, choosing a Label and a reCAPTCHA type.
In the past few years, there has been an increase in brute-force attacks on Exchange Servers via Outlook Web Access (OWA) and Exchange Control Panel (ECP). So, it is important to protect and secure the Exchange Server OWA/ECP from such attacks. To increase the protection level, you can follow some protection measures, such as Multi-Factor Authentication (MFA), Google Re-Captcha, and limiting access to certain IP addresses. In this article, we will be discussing how to implement these measures to protect Exchange Servers from such attacks.

Measures to Protect Exchange Server OWA/ECP from Attacks

There are a lot of things you can do to protect Exchange Server OWA and ECP from brute force attacks. Here are a few measures you can take to protect them.

Multi-Factor Authentication

It is always recommended to enable Multi-Factor Authentication (MFA) for all users. Unfortunately, so far Exchange Server on its own doesn’t offer this feature, so you need to use a third-party provider.

Microsoft might be implementing modern authentication for Exchange Server 2019. In the next Cumulative Update, Microsoft is planning to introduce modern authentication using the OAuth 2.0 protocol, which could resolve the problem. However, older versions of Exchange Server would still be affected.
This would allow stronger authentication based on Multi-Factor Authentication (MFA), smart cards, certificate-based authentication, and integration with third-party authentication providers.

Another way is to run a hybrid setup with Exchange Online and use the benefits of Azure Active Directory Premium P1 and P2 licenses. However, you need to consider the cost of this setup as well.

Use Google ReCaptcha

Another option for two-factor authentication (2FA) is to integrate with the Google reCAPTCHA system.

To protect the sites using Google integration, first browse to and sign in with a Google account. If you don’t have one, you can create a free one.

Then, enter a Label, such as Exchange Server, or any name you prefer.
Set the reCAPTCHA type, depending on whether you want requests verified with a score or with a challenge.


Now, enter the domains. These are the external host names of your Exchange Server, plus localhost (see the example below).

Accept the terms and conditions and click on Submit.

Now, your Exchange Server Captcha has been registered. Copy the Site Key and Secret Key, and keep them somewhere safe.

To integrate it into the Exchange Server, you need to browse to the Auth folder (see the example below).

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth

Create a new file called reCAPTCHA.aspx in the folder and paste the following into it using Notepad. In the line starting with Dim strPrivateKey, make sure to replace <SECRET KEY> with the secret key provided, then save the file.

<%@ Page AspCompat=True Language="VB" %>
<%
' Secret key issued by the reCAPTCHA admin console; replace <SECRET KEY> before saving.
Dim strPrivateKey As String = "<SECRET KEY>"
' Token posted by the browser (the g-recaptcha-response value).
Dim strResponse = Request("response")
Dim objWinHTTP As Object
objWinHTTP = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")
' Google's documented siteverify endpoint (the URL was missing from the original listing).
objWinHTTP.Open("POST", "https://www.google.com/recaptcha/api/siteverify", False)
objWinHTTP.SetRequestHeader("Content-type", "application/x-www-form-urlencoded")
Dim strData As String = "secret=" & strPrivateKey & "&response=" & strResponse
objWinHTTP.Send(strData)
' Return Google's JSON answer to the caller; logon.aspx checks it for "true".
Dim strResponseText = objWinHTTP.ResponseText
Response.Write(strResponseText)
%>

In the next step, you need to integrate the new check into the logon page. In the same folder, you will find the logon.aspx file. Take a backup of it before proceeding. Once the backup is done, edit the file using Notepad.

Find the line starting with <form action="/owa/auth.owa" and change that part to <form action="".

Find the line starting with <div onclick="clkLgn()" and change that part to <div onclick="myClkLgn()".

Find the line starting with <div><input id="passwordText", add some empty lines after it, then paste the following into the empty space.

<script type="text/javascript">
function myClkLgn() {
    var oReq = new XMLHttpRequest();
    var sResponse = document.getElementById("g-recaptcha-response").value;
    var sData = "response=" + sResponse;
    // Ask reCAPTCHA.aspx (created above) to verify the token with Google; synchronous on purpose
    oReq.open("GET", "/owa/auth/recaptcha.aspx?" + sData, false);
    oReq.send();
    if (oReq.responseText.indexOf("true") != -1) {
        // Token accepted: restore the real logon action and run OWA's own logon handler
        document.forms[0].action = "/owa/auth.owa";
        clkLgn();
    } else {
        alert("Invalid CAPTCHA response");
    }
}
</script>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<div class="g-recaptcha" data-sitekey="SITE_KEY"></div>

In the last line, replace the SITE_KEY with the site key provided.

Run iisreset from Command Prompt (as administrator) to restart the web services. After this, open your Exchange Admin Center or Outlook Web Access and try to log in. You should see the reCAPTCHA widget on the page.
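The reCAPTCHA.aspx page above hands Google's JSON answer back unchanged, and the browser only checks whether that text contains "true". As an added example (not code from the article), the following JavaScript shows the structured checks a verification step should make on a siteverify answer: the success flag, the hostname the challenge was solved on, the age of the token and, for score-based keys, the score. The host name, the thresholds and the sample answers are constructed assumptions for this example. Because the article's check runs in the browser, it only covers logons that go through the page's script; evaluating the token on the server before the logon is accepted gives a stronger guarantee.

```javascript
// Added example (not from the article): server-side evaluation of a reCAPTCHA
// "siteverify" answer. Instead of searching the raw text for "true", parse the
// JSON and check each field that matters for a logon page.
// Hostname, token age and score threshold are assumptions for this example.

const ALLOWED_HOSTNAMES = ["mail.example.com"]; // assumption: host name(s) registered with reCAPTCHA
const MAX_TOKEN_AGE_MS = 2 * 60 * 1000;         // assumption: reject tokens older than two minutes
const MIN_SCORE = 0.5;                           // assumption: minimum acceptable v3 score

// Returns { ok, reason } so the caller can log why a token was rejected.
function evaluateSiteVerify(jsonText, now = Date.now()) {
  let body;
  try {
    body = JSON.parse(jsonText);
  } catch (e) {
    return { ok: false, reason: "malformed-json" };
  }

  // 1. Google must report success; anything else is a failed or missing challenge.
  if (body.success !== true) {
    return { ok: false, reason: "not-successful", errors: body["error-codes"] || [] };
  }

  // 2. The challenge must have been solved on one of our own host names.
  if (!ALLOWED_HOSTNAMES.includes(body.hostname)) {
    return { ok: false, reason: "hostname-mismatch" };
  }

  // 3. The token must be fresh; challenge_ts is an ISO 8601 timestamp.
  const solvedAt = Date.parse(body.challenge_ts);
  if (Number.isNaN(solvedAt) || now - solvedAt > MAX_TOKEN_AGE_MS || solvedAt > now + 60 * 1000) {
    return { ok: false, reason: "stale-token" };
  }

  // 4. Score-based (v3) keys return a score; enforce a minimum. v2 answers carry no score.
  if (typeof body.score === "number" && body.score < MIN_SCORE) {
    return { ok: false, reason: "low-score" };
  }

  return { ok: true, reason: "verified" };
}

// Constructed sample answers in the documented siteverify JSON shape (not captured from Google).
const SAMPLE_NOW = Date.parse("2024-01-15T10:00:30Z");
const SAMPLES = {
  good:      JSON.stringify({ success: true,  challenge_ts: "2024-01-15T10:00:00Z", hostname: "mail.example.com" }),
  failed:    JSON.stringify({ success: false, "error-codes": ["invalid-input-response"] }),
  wrongHost: JSON.stringify({ success: true,  challenge_ts: "2024-01-15T10:00:00Z", hostname: "other.example.net" }),
  stale:     JSON.stringify({ success: true,  challenge_ts: "2024-01-15T09:00:00Z", hostname: "mail.example.com" }),
  lowScore:  JSON.stringify({ success: true,  challenge_ts: "2024-01-15T10:00:00Z", hostname: "mail.example.com", score: 0.1, action: "login" }),
  garbage:   "<html>502 Bad Gateway</html>",
};

// Runs every sample through the evaluator; returns a map of sample name -> reason.
function evaluateAllSamples() {
  const results = {};
  for (const [name, text] of Object.entries(SAMPLES)) {
    results[name] = evaluateSiteVerify(text, SAMPLE_NOW).reason;
  }
  return results;
}

for (const [name, reason] of Object.entries(evaluateAllSamples())) {
  console.log(name.padEnd(10), "->", reason);
}
```

Only the "good" sample is accepted; each of the others is rejected with a distinct reason, which is what you want to see in the logs when tuning the thresholds for your own deployment.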

Limit the Access

You can also restrict access to OWA and ECP at the network level, so that only a defined range of IP addresses can reach the system. Some organizations force users to connect via VPN before they can access the OWA and ECP portals. Although this is very secure, it is a considerable inconvenience for end users, as they must first connect to the VPN.
To fully lock down access to OWA and ECP, you can close off connectivity to these sites from outside altogether. The trade-off is that a user whose device is not working will not be able to access their email and other settings from the web.

What to do if disaster strikes?

You cannot predict what can happen or when it could happen. Your Exchange Server may go down due to ransomware or other types of attacks, human error, a corrupted update installation, databases corrupted by hardware failure, or any other issue. In such cases, you need to restore the services and bring the data back as soon as possible, without any data loss. Unfortunately, it is not easy to achieve this with the native tools. You need the help of an advanced Exchange recovery tool. Such a tool allows you to open any version of Exchange Server database, of any size, and in any condition. You can browse through the database and granularly export recovered data to PST and other formats. You can also export recovered mailboxes, public folders, archives, shared mailboxes, and disabled mailboxes directly to a new Exchange Server database or Office 365 tenant. It offers features like automatic mailbox matching, continuation in case of failure, parallel export, and priority exports.


Comments (1)

Amit SinghCloud Security Engineer


Hi David. Thanks for your response. It would be the best if you make content more interesting.
