KB 5000871 Exchange Server Security Update - OWA/ECP issue

Sébastien 1 Reputation point
2021-03-21T16:31:08.463+00:00

Hello,

I recently applied KB5000871 on Exchange Server 2013 servers to patch the Exchange vulnerabilities of March 2021. After applying it, I had an issue with ECP and OWA: they were no longer accessible. I now know this is a known issue and that it happened because I didn't run the update via an elevated cmd prompt.

Then, I ran the following scripts located in the Exchange installation folder: UpdateConfigFiles.ps1 and UpdateCAS.ps1. That solved the issue: OWA and ECP were available again.

However, I have a question: does running these two scripts remove the benefits of the KB (as the vulnerabilities mainly affect OWA and ECP)?

I need to be sure that the vulnerabilities are still fixed.

Is there a Microsoft Exchange expert who could answer me?

Thank you very much in advance,

Sébastien

Exchange Server Management

2 answers

  1. Manu Philip 16,951 Reputation points MVP
    2021-03-21T17:30:35.783+00:00

    This is the known issue mentioned in the documentation here: description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b

    So, to install the fix successfully, disable UAC and run the update as administrator.
    The UpdateCas.ps1 script reverts the changes made with the failed updates from the backup directory.

  2. Xzsssss 8,856 Reputation points Microsoft Vendor
    2021-03-22T02:09:23.41+00:00

    Hi @Sébastien ,

    No, you don't have to worry about it, since the SU has enhanced the defense of your server and the scripts won't break it.
    The scripts

    Also, you could use Test-ProxyLogon.ps1 to detect any potential attacker activity.
    Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities

    Regards,
    Lou

