Ask a question


How can we help you today?

Ask Question
Manage notifications
Subscribe to this question
Robert Bird

Microsoft Exchange Server zero-day vulnerabilities March 2021

Just wanting to confirm really that if you have installed KB5000871 then you do not need to run the mitigations scripts from https://github.com/microsoft/CSS-Exchange/tree/main/Security

Also most of the web reports (sharing the same info) state to try "restricting untrusted connections to exchange". Nowhere can I find how you would restrict untrusted connections (as I have only a single static IP, I'm using a single Exchange Server 2016, which is accessed via a Windows Server via the Web Rewrite as per the migrate documents on this site).

If you have various users coming in from home networks and mobile phones is that even really possible?

Thanks for any input,

Rob

asked03/12/2021 10:51
35 views
Add Comment
Last Activity 03/13/2021 07:23

1 Answer(s)

  • Mariette Knap

    Hello Robert,

    It seems that in a situation where ARR rewrites requests for owa.domain.com to your Exchange Server you need to check the IIS logs for suspicious traffic on the Essentials server. One of my other customers mentioned that he did not find any traces of successful hacks of the Exchange Server when it sits behind the reverse proxy on your Essentials server.

    Restricting access to untrusted connections is impossible as far as I see. You can only do that if you know from where people connect to your Exchange Server.

    Mitigation steps (installing URL rewriting and running ExchangeMitigations.ps1 is not needed on a patched server but if you run it that will increase security. As a matter of fact I use URL Rewriting on this site to 'rewrite and drop' suspicious traffic. It acts as a WAF (Web Application Firewall).

    answered 03/13/2021 07:23
    Add Comment
Add an Answer