Roger Vallee

EWS on exchange 2016


Hello,
We received a notice from our insurance company indicating they want us to disable EWS on our Exchange Server 2016. I am new to exchange. I've seen some articles stating that it should not be disabled as it is a built in component of Exchange. Should this be done and if so what is the recommended way to do this? I've read some posts that stated to set basic authentication to disabled. In my case it already is.
[Screenshot: 138933-ews-status-20211001.png]
I believe disabling EWS would impact Outlook Web access and active sync for mobile users. Is this correct? What is necessary to restrict public access if not disabled and still allow active sync and outlook web access?
Based on what I have found it is not recommended to entirely disable EWS as this could impact active sync among other apps\services.
The insurance company gave the explanation that when EWS is enabled this creates an exploitable condition. Attackers can use this condition to brute force access to the mail server, thus causing email compromise. They indicated that we either disable EWS or restrict public access to the exchange server.
Does changing the two authentication options from my EWS screenshot address this (by blocking external HTTPS access to Exchange) without breaking something else or is there a recommended process to follow in addition or in place of this?
I did see https://msexchangeguru.com/2016/09/10/e2016-deny-external-eac/ but am not clear if this can be used for EWS as well
Thanks


Tags: Exchange, Outlook, Mobile


8/22/2022 - Mon
Roger Vallee

ASKER
Hi Paul,

Their comment was that "their team identified the use of a vulnerable Microsoft Exchange email server condition and this exploitable condition is created when EWS is enabled. Attackers can use this condition to brute force access to the mail server, thus causing email compromise. The insurance quote is contingent on disabling EWS, or restricting public access to the exchange server."
 
What is the best way to address their concerns, ensure there are no security concerns without negatively impacting webmail, active sync and potentially other applications?

Thanks,
Roger
 
Seth Simmons

> Their comment was that their team identified the use of a vulnerable Microsoft Exchange email server condition and this exploitable condition is created when EWS is enabled.

can you provide more details?  is there an article cited that explains it?
could be something as simple as a missing update or a configuration change (aside from disabling entirely)
Roger Vallee

ASKER
Hi Seth,
Thank you for the reply. The insurance company didn't provide an article, they just stated "their team identified the use of a vulnerable Microsoft Exchange email server condition and this exploitable condition is created when EWS is enabled. Attackers can use this condition to brute force access to the mail server, thus causing email compromise. The insurance quote is contingent on disabling EWS, or restricting public access to the exchange server."  I will try to speak with the "team" that raised this concern to get more information from them. 

Based on your question it sounds like you are questioning why they think EWS is an issue. Is this correct?  Exchange is up to date. We had a penetration test in January and EWS was not noted as an issue.  Disabling EWS would impact services like active sync to name one.  

Do you have EWS in your company?  How do you handle this?

Thanks
Seth Simmons

> Based on your question it sounds like you are questioning why they think EWS is an issue.

yes...we are in the same position in terms of working with IT insurance underwriters and some things came up related to the IIS config after they ran tests but not with EWS

> Disabling EWS would impact services like active sync to name one.

yeah that would be a huge issue; don't understand why they would want to disable that

> Do you have EWS in your company?

EWS is an integral part of exchange

Exchange Web Services (EWS) in Exchange 2010

https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/dd877045(v=exchg.140)

Roger Vallee

ASKER
Thanks. Besides blocking external access on port 443 to the Exchange servers on the firewall, what other action is recommended? I will check with the insurance company regarding the tool they used, but it showed the following:

Asset: "External ISP" - Port: 443
Asset: "mail.DomainName" - Port: 443
Asset: "autodiscover.DomainName" - Port: 443
Asset: "External IP" - Port: 443

What tools  would be used to reveal this information on a domain name and what would I need to do to prevent this information from being publicly available?
Thank you.
Seth Simmons

if you block port 443 on your firewall to exchange then you kill all client connections from the outside including outlook, owa and activesync.  remote users would be forced to use a vpn

> What tools would be used to reveal this information on a domain name and what would I need to do to prevent this information from being publicly available?

it probably found the server by checking MX records or probing external IP addresses and started scanning known ports
Amit

I am handling several financial clients and haven't seen such a request from anyone to disable EWS, as that will surely break your Exchange server. Microsoft regularly releases security patches and the latest CUs to tackle security issues, and you should keep them updated, at least n-1. You might need to ask them for specific details: are they able to hack your system using EWS, or is it just a suggestion from them?
Roger Vallee

ASKER
Hi Amit,

Thank you.  The insurance company provided the following from  the tool they used (I am contacting them to clarify what tool was used).  They indicated that we should block basic authentication.  

Asset: "External ISP" - Port: 443
Asset: "mail.DomainName" - Port: 443
Asset: "autodiscover.DomainName" - Port: 443
Asset: "External IP" - Port: 443

My original post shows that basic authentication is disabled.  What am I missing?

Thanks
Amit

You need to clarify this information with that company and let them know that basic authentication is disabled.
Roger Vallee

ASKER
I am waiting for a reply from a vendor resource. I will provide an update once I have this information.
Thanks.
Roger Vallee

ASKER
Hello,
I received a reply from the insurance company. They are looking for us to block the dialog that appears in a browser if using the "https://mail.DomainName.com/ews" URL.

I was provided a link https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-control-access-to-ews-in-exchange but it is not clear to me which command will affect the EWS dialog and block it from appearing without affecting OWA and ActiveSync.
Thank you
ArneLovius

open /ecp
servers > virtual directories > EWS (Default Web Site) > Edit > authentication
Does it show Basic authentication ticked?

Roger Vallee

ASKER
Hello Arne,

No, basic authentication is not checked.

Thanks.
ArneLovius

In which case, the prompt that your "auditors" are seeing is not a basic auth prompt. I would suggest providing them with the screen captures that you have posted in here as "proof" and see if they will accept.
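
Added example, not part of the original thread: a browser shows a sign-in dialog for any 401 challenge it cannot answer silently, including Negotiate and NTLM, so the dialog alone does not show that Basic is enabled. The Python sketch below reads the `WWW-Authenticate` headers of a saved response (for instance the output of `curl -sI` against your own `/ews` URL) and reports which schemes the endpoint offers; both sample responses are constructed and `mail.example.com` is a placeholder.

```python
import re

# Constructed 401 responses (not captured from any real server);
# mail.example.com is a placeholder host.
WINDOWS_ONLY = """\
HTTP/1.1 401 Unauthorized
Content-Length: 0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
"""

WITH_BASIC = """\
HTTP/1.1 401 Unauthorized
Content-Length: 0
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="mail.example.com, EWS", charset="UTF-8", NTLM
"""

def offered_schemes(raw_headers):
    """Return the auth schemes named in WWW-Authenticate headers, in order."""
    schemes = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        # One header may carry several challenges: split on commas outside quotes.
        for part in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value):
            words = part.strip().split(None, 1)
            # A challenge starts with a bare scheme token; a first word that
            # contains "=" is a parameter of the previous challenge.
            if words and "=" not in words[0]:
                schemes.append(words[0])
    return schemes

def assess(raw_headers):
    """Summarise one response: is it a 401 challenge, and is Basic offered?"""
    lines = raw_headers.strip().splitlines()
    status = lines[0].split() if lines else []
    schemes = offered_schemes(raw_headers)
    return {
        "challenge_401": len(status) > 1 and status[1] == "401" and bool(schemes),
        "schemes": schemes,
        "basic_offered": any(s.lower() == "basic" for s in schemes),
    }

if __name__ == "__main__":
    for label, sample in (("windows-only", WINDOWS_ONLY), ("with-basic", WITH_BASIC)):
        print(label, assess(sample))
```

A result with `challenge_401` true and `basic_offered` false matches the situation described in this thread: the dialog appears, but the server is not offering Basic.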
Roger Vallee

ASKER
Hello,

I have explained that basic authentication is not enabled but they provided that screenshot as being an issue that could lead to brute force attacks.  Is there a way to prevent that dialog from being shown without impacting the services that EWS provides?

I found this link regarding configuring IP and Domain Restrictions for ECP. https://www.alitajran.com/disable-external-access-to-ecp-exchange-2016/ Will this work to disable the user logon popup and not impact existing services?

Thanks.
ASKER CERTIFIED SOLUTION
Roger Vallee
