Hello,
We received a notice from our insurance company indicating they want us to disable EWS on our Exchange Server 2016. I am new to Exchange. I've seen some articles stating that it should not be disabled as it is a built-in component of Exchange. Should this be done, and if so, what is the recommended way to do this? I've read some posts that stated to set basic authentication to disabled. In my case it already is.
I believe disabling EWS would impact Outlook Web Access and ActiveSync for mobile users. Is this correct? What is necessary to restrict public access if not disabled and still allow ActiveSync and Outlook Web Access?
Based on what I have found, it is not recommended to entirely disable EWS as this could impact ActiveSync among other apps\services.
The insurance company gave the explanation that when EWS is enabled this creates an exploitable condition. Attackers can use this condition to brute force access to the mail server, thus causing email compromise. They indicated that we either disable EWS or restrict public access to the Exchange server.
Does changing the two authentication options from my EWS screenshot address this (by blocking external HTTPS access to Exchange) without breaking something else, or is there a recommended process to follow in addition or in place of this?
I did see https://msexchangeguru.com/2016/09/10/e2016-deny-external-eac/ but am not clear if this can be used for EWS as well.
Thanks
Hello,
I followed the steps in this link regarding configuring IP and Domain Restrictions for ECP, https://www.alitajran.com/disable-external-access-to-ecp-exchange-2016/, and configured it for EWS, and this has addressed the issue.
Thanks.
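The IP and Domain Restrictions change described in the post above, scripted for the EWS virtual directory. This is an added example, not code from the thread or the linked article; the site name `Default Web Site` and the address ranges are assumptions to replace with your own.

```powershell
# Added example: allow only listed internal ranges to reach /EWS, deny the rest.
# Run in an elevated PowerShell session on the Exchange server.
Import-Module WebAdministration

$psPath   = 'MACHINE/WEBROOT/APPHOST'
$location = 'Default Web Site/EWS'          # assumption: front-end site name
$filter   = 'system.webServer/security/ipSecurity'

# Constructed sample ranges: loopback plus one internal subnet.
# List every internal client and server network that must call EWS.
$allowed = @(
    @{ ipAddress = '127.0.0.1'; subnetMask = '255.255.255.255' },
    @{ ipAddress = '10.20.0.0'; subnetMask = '255.255.0.0' }
)

# The IIS "IP and Domain Restrictions" role service has to be installed.
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}

# Add the allow entries first, skipping any that already exist,
# so internal sessions are not cut off when the default flips to deny.
$existing = (Get-WebConfiguration -PSPath $psPath -Location $location -Filter $filter).Collection
foreach ($range in $allowed) {
    $dup = $existing | Where-Object {
        $_.ipAddress -eq $range.ipAddress -and $_.subnetMask -eq $range.subnetMask
    }
    if ($dup) { continue }
    Add-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $filter -Name '.' `
        -Value @{ ipAddress = $range.ipAddress; subnetMask = $range.subnetMask; allowed = 'True' }
}

# Deny every client whose source address is not in the list above.
Set-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $filter `
    -Name 'allowUnlisted' -Value $false

# Read the result back for the change record.
(Get-WebConfiguration -PSPath $psPath -Location $location -Filter $filter).Collection |
    Select-Object ipAddress, subnetMask, allowed
(Get-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $filter `
    -Name 'allowUnlisted').Value
```

If a reverse proxy or load balancer in front of Exchange rewrites the source address, every request appears to come from that device, so the allow list alone cannot separate internal from external clients.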
Correct, you can't disable EWS. You need to either block all external access to the Exchange Servers or leverage a Modern Auth method such as:
Disabling external access means just that - no access at all for any device.
You could disable external access and only access via a VPN, of course.
Also, very important - ensure you are on the latest CU and security updates for Exchange.
Hello Andy,
Thank you for the reply. OK, disabling EWS is not an option. Understood. What is required to block all external access to the Exchange Servers?
The link you provided mentions hybrid authentication. Unfortunately, in my organization's case, we don't use cloud services and management is not open to doing so.
You stated "Disabling external access means just that - no access at all for any device". Just to confirm, you are referring to if EWS is disabled, and that is why it can't be disabled. Is this correct?
You stated "You could disable external access and only access via a VPN of course". What is the correct process to do this? Please note I am somewhat new to Exchange.
Thanks
Sorry, to be clear:
"Disabling external access means just that - no access at all for any device" I mean only for external users, of course. Blocking external access on port 443 to the Exchange Servers would accomplish this.
"You could disable external access and only access via a VPN of course" Well, that is not something I could comment on. If your company has an existing VPN solution, you could use that - but that's not really an Exchange issue as much as a network / security one.
Hi Andy,
Besides blocking external access on port 443 to the Exchange Servers on the firewall, what other action is recommended? I will check with the insurance company regarding the tool they used, but it showed the following:
Asset: "External ISP" - Port: 443
Asset: "mail.DomainName" - Port: 443
Asset: "autodiscover.DomainName" - Port: 443
Asset: "External IP" - Port: 443
What tools would be used to reveal this information on a domain name and what would I need to do to prevent this information from being publicly available?
Thank you.