EWS on Exchange 2016

Roger Vallee (vallee) asked:
Hello,
We received a notice from our insurance company indicating they want us to disable EWS on our Exchange Server 2016. I am new to Exchange. I've seen some articles stating that it should not be disabled as it is a built-in component of Exchange. Should this be done and if so what is the recommended way to do this? I've read some posts that stated to set basic authentication to disabled. In my case it already is.
[screenshot: EWS virtual directory authentication settings]
I believe disabling EWS would impact Outlook Web Access and ActiveSync for mobile users. Is this correct? What is necessary to restrict public access if not disabled and still allow ActiveSync and Outlook Web Access?
Based on what I have found it is not recommended to entirely disable EWS as this could impact ActiveSync among other apps/services.
The insurance company gave the explanation that when EWS is enabled this creates an exploitable condition. Attackers can use this condition to brute force access to the mail server, thus causing email compromise. They indicated that we either disable EWS or restrict public access to the exchange server.
Does changing the two authentication options from my EWS screenshot address this (by blocking external HTTPS access to Exchange) without breaking something else or is there a recommended process to follow in addition or in place of this?
I did see https://msexchangeguru.com/2016/09/10/e2016-deny-external-eac/ but am not clear if this can be used for EWS as well
Thanks


Roger Vallee (ASKER) replied:
Hi Paul,

Their comment was that "their team identified the use of a vulnerable Microsoft Exchange email server condition and this exploitable condition is created when EWS is enabled. Attackers can use this condition to brute force access to the mail server, thus causing email compromise. The insurance quote is contingent on disabling EWS, or restricting public access to the exchange server."

What is the best way to address their concerns, ensure there are no security concerns without negatively impacting webmail, active sync and potentially other applications?

Thanks,
Roger

Seth Simmons replied:

> Their comment was that their team identified the use of a vulnerable Microsoft Exchange email server condition and this exploitable condition is created when EWS is enabled.

can you provide more details?  is there an article cited that explains it?
could be something as simple as a missing update or a configuration change (aside from disabling entirely)
Hi Seth,
Thank you for the reply. The insurance company didn't provide an article, they just stated "their team identified the use of a vulnerable Microsoft Exchange email server condition and this exploitable condition is created when EWS is enabled. Attackers can use this condition to brute force access to the mail server, thus causing email compromise. The insurance quote is contingent on disabling EWS, or restricting public access to the exchange server."  I will try to speak with the "team" that raised this concern to get more information from them. 

Based on your question it sounds like you are questioning why they think EWS is an issue. Is this correct?  Exchange is up to date. We had a penetration test in January and EWS was not noted as an issue.  Disabling EWS would impact services like active sync to name one.  

Do you have EWS in your company?  How do you handle this?

Thanks
> Based on your question it sounds like you are questioning why they think EWS is an issue.

yes...we are in the same position in terms of working with IT insurance underwriters and some things came up related to the IIS config after they ran tests but not with EWS

> Disabling EWS would impact services like active sync to name one.

yeah that would be a huge issue; don't understand why they would want to disable that

> Do you have EWS in your company?

EWS is an integral part of exchange

Exchange Web Services (EWS) in Exchange 2010

https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/dd877045(v=exchg.140)

Thanks.  Besides blocking external access on port 443 to the Exchange servers on the firewall, what other action is recommended?  I will check with the insurance company regarding the tool they used, but it showed the following:

Asset: "External ISP" - Port: 443
Asset: "mail.DomainName" - Port: 443
Asset: "autodiscover.DomainName" - Port: 443
Asset: "External IP" - Port: 443

What tools would be used to reveal this information on a domain name and what would I need to do to prevent this information from being publicly available?
Thank you.
if you block port 443 on your firewall to exchange then you kill all client connections from the outside including outlook, owa and activesync.  remote users would be forced to use a vpn

> What tools would be used to reveal this information on a domain name and what would I need to do to prevent this information from being publicly available?

it probably found the server by checking MX records or probing external IP addresses and started scanning known ports
I am handling several financial clients and haven't seen such a request from anyone to disable EWS, as that will surely break your Exchange server. Microsoft regularly releases security patches and the latest CUs to tackle security issues and you should keep them updated, at least n-1. You might need to ask them for specific details: are they able to hack your system using EWS, or is it just a suggestion from them?
Hi Amit,

Thank you.  The insurance company provided the following from the tool they used (I am contacting them to clarify what tool was used).  They indicated that we should block basic authentication.

Asset: "External ISP" - Port: 443
Asset: "mail.DomainName" - Port: 443
Asset: "autodiscover.DomainName" - Port: 443
Asset: "External IP" - Port: 443

My original post shows that basic authentication is disabled.  What am I missing?

Thanks
You need to clarify this information with that company and let them know that basic authentication is disabled.
I am waiting for a reply from a vendor resource. I will provide an update once I have this information.
Thanks.
Hello,
I received a reply from the insurance company. They are looking for us to block the dialog that appears in a browser if using the "https://mail.DomainName.com/ews" URL.
[screenshot: browser credential prompt shown when opening the /ews URL]
I was provided a link https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-control-access-to-ews-in-exchange but it is not clear to me which command will affect the EWS dialog and block it from appearing without affecting OWA and ActiveSync.
Thank you
open /ecp
servers > virtual directories > EWS (Default Web Site) > Edit > authentication
Does it show Basic authentication ticked?
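The ECP check above has a shell equivalent, and the Microsoft article linked earlier in the thread ("How to control access to EWS in Exchange") describes organisation-wide and per-mailbox EWS controls that leave OWA and ActiveSync alone. The following is an added example written for this page, not code from any participant or from Microsoft; it assumes an Exchange Management Shell session on Exchange 2016, and the server name EX01, the user-agent strings in the allow list and the mailbox address are placeholders to adapt.

```powershell
# Added example (not from the thread): audit and tighten EWS access on
# Exchange 2016 from the Exchange Management Shell.
# Placeholders: server EX01, the allow-list user agents, the mailbox address.

# 1. Authentication methods on the EWS virtual directory. This is the same
#    data as ECP > servers > virtual directories > EWS (Default Web Site)
#    > authentication.
Get-WebServicesVirtualDirectory -Server EX01 |
    Format-List Identity, InternalUrl, ExternalUrl,
                BasicAuthentication, WindowsAuthentication,
                DigestAuthentication, OAuthAuthentication

# 2. Turn Basic off on any EWS virtual directory where it is still enabled.
#    Windows (Negotiate/NTLM) and OAuth stay on, so Outlook, Outlook for Mac
#    and other EWS clients keep working. OWA and ActiveSync use their own
#    virtual directories and are not touched by this command.
Get-WebServicesVirtualDirectory -Server EX01 |
    Where-Object { $_.BasicAuthentication } |
    Set-WebServicesVirtualDirectory -BasicAuthentication $false

# 3. Organisation-wide EWS policy (the controls from the Microsoft
#    "How to control access to EWS in Exchange" article).
Get-OrganizationConfig |
    Format-List EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList

# Keep EWS enabled, but only for applications whose User-Agent matches the
# allow list. Collect the User-Agent values from your IIS logs before
# enforcing this: anything not listed (a backup agent, a CRM connector,
# Outlook for Mac) is rejected at the EWS layer.
Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceAllowList `
    -EwsAllowList @('Microsoft Office/*', 'MacOutlook/*')

# 4. Per-mailbox: switch EWS off for mailboxes that never need it, for
#    example shared mailboxes. The OWA and ActiveSync flags on the same
#    object are left as they are.
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Set-CASMailbox -EwsEnabled $false

# Verify the result on one mailbox (placeholder address).
Get-CASMailbox -Identity 'shared@contoso.example' |
    Format-List EwsEnabled, OWAEnabled, ActiveSyncEnabled
```

One caveat worth knowing before sending screenshots back to the insurer: none of these settings removes the browser prompt at /ews. With Basic disabled, IIS still answers an anonymous browser request with a 401 and a WWW-Authenticate: Negotiate/NTLM challenge, and browsers render that challenge as a credential dialog too. The dialog therefore proves only that the virtual directory requires authentication, not that Basic authentication is on; the BasicAuthentication property printed in step 1 is the evidence that matters.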

Hello Arne,

No, basic authentication is not checked.
[screenshot: EWS (Default Web Site) authentication settings, Basic authentication unchecked]
Thanks.
In which case, the prompt that your "auditors" are seeing is not a basic auth prompt. I would suggest providing them with the screen captures that you have posted in here as "proof" and see if they will accept.
Hello,

I have explained that basic authentication is not enabled but they provided that screenshot as being an issue that could lead to brute force attacks.  Is there a way to prevent that dialog from being shown without impacting the services that EWS provides?

I found this link regarding configuring IP and Domain Restrictions for ECP. https://www.alitajran.com/disable-external-access-to-ecp-exchange-2016/ Will this work to disable the user logon popup and not impact existing services?

Thanks.
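The insurer's stated concern is password guessing against EWS. Whatever is decided about the prompt, the defensible counterpart is being able to see such attempts in the IIS logs of the Exchange front end. The block below is an added example written for this page, not code from the thread; it parses W3C-format IIS log lines (the default format on Exchange 2016) and reports client IPs that produce a burst of failed logons against /ews. The log lines are constructed sample data using documentation IP ranges, and the log folder path in the usage comment is the IIS default, so adjust it if your site logs elsewhere.

```powershell
# Added example (not from the thread): find bursts of failed logons against
# /ews in IIS W3C logs. The sample log below is constructed; 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges, not real hosts.

$sampleLog = @"
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus time-taken
2024-03-04 08:00:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 203.0.113.10 Mozilla/5.0+(unknown) 401 1 15
2024-03-04 08:00:02 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 203.0.113.10 Mozilla/5.0+(unknown) 401 1 12
2024-03-04 08:00:02 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 203.0.113.10 Mozilla/5.0+(unknown) 401 1 11
2024-03-04 08:00:03 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 203.0.113.10 Mozilla/5.0+(unknown) 401 1 14
2024-03-04 08:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=ABC 443 CONTOSO\bob 198.51.100.7 Apple-iPhone/1 200 0 60
2024-03-04 08:00:05 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 192.0.2.20 MacOutlook/16.70 401 2 3
2024-03-04 08:00:05 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\alice 192.0.2.20 MacOutlook/16.70 200 0 80
"@

function Get-EwsAuthFailureBursts {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int] $Threshold = 20,      # this many failures from one IP ...
        [int] $WindowMinutes = 5    # ... within this many minutes
    )
    $fields = $null
    $failures = foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # W3C logs declare their column layout in this header line
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        # IIS replaces spaces inside field values with '+', so a plain split is safe
        $values = $line -split ' '
        if (-not $fields -or $values.Count -ne $fields.Count) { continue }
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        # Keep only EWS requests IIS rejected for bad credentials: 401.1 is
        # "logon failed"; 401.2 is the normal first-leg Negotiate/NTLM
        # challenge every Windows-auth client receives and is not a failure.
        if ($rec['cs-uri-stem'] -notmatch '^/ews/') { continue }
        if ($rec['sc-status'] -ne '401' -or $rec['sc-substatus'] -ne '1') { continue }
        [pscustomobject]@{
            Time      = [datetime]::ParseExact("$($rec['date']) $($rec['time'])",
                            'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            ClientIp  = $rec['c-ip']
            UserAgent = $rec['cs(User-Agent)']
        }
    }
    foreach ($group in ($failures | Group-Object ClientIp)) {
        $sorted = @($group.Group | Sort-Object Time)
        $span = $sorted[-1].Time - $sorted[0].Time
        if ($group.Count -ge $Threshold -and $span.TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                ClientIp   = $group.Name
                Failures   = $group.Count
                Seconds    = [int]$span.TotalSeconds
                UserAgents = ($sorted.UserAgent | Sort-Object -Unique) -join ', '
            }
        }
    }
}

# Run over the constructed sample with a low threshold so it trips.
# On a real server read the front-end site logs instead, e.g.
#   Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log'
Get-EwsAuthFailureBursts -LogLines ($sampleLog -split "`r?`n") -Threshold 3 | Format-Table
```

On the sample, only 203.0.113.10 is reported (four 401.1 responses in two seconds); the MacOutlook client's single 401.2 challenge followed by a 200 is the normal Windows-auth handshake and is ignored. The same split between 401.1 and 401.2 is what lets you answer the insurer's question with data: a server that shows a credential prompt but logs no 401.1 bursts is being challenged, not brute-forced.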
ASKER CERTIFIED SOLUTION
Roger Vallee
This solution is only available to members.