EWS on Exchange 2016

vallee2018 331 Reputation points
2021-10-08T15:52:50.383+00:00

Hello,

We received a notice from our insurance company indicating they want us to disable EWS on our Exchange Server 2016. I am new to Exchange. I've seen some articles stating that it should not be disabled as it is a built-in component of Exchange. Should this be done, and if so, what is the recommended way to do this? I've read some posts that stated to set basic authentication to disabled. In my case it already is.

[Screenshot: EWS virtual directory status, 2021-10-01]

I believe disabling EWS would impact Outlook Web Access and ActiveSync for mobile users. Is this correct? What is necessary to restrict public access if not disabled and still allow ActiveSync and Outlook Web Access?

Based on what I have found, it is not recommended to entirely disable EWS, as this could impact ActiveSync among other apps/services.

The insurance company gave the explanation that when EWS is enabled this creates an exploitable condition. Attackers can use this condition to brute force access to the mail server, thus causing email compromise. They indicated that we either disable EWS or restrict public access to the exchange server.

Does changing the two authentication options from my EWS screenshot address this (by blocking external HTTPS access to Exchange) without breaking something else or is there a recommended process to follow in addition or in place of this?

I did see https://msexchangeguru.com/2016/09/10/e2016-deny-external-eac/ but am not clear if this can be used for EWS as well.

Thanks


6 additional answers

  1. Andy David - MVP 145.1K Reputation points MVP
    2021-10-08T17:44:51.71+00:00

    Correct, you can't disable EWS. You need to either block all external access to the Exchange Servers or leverage a Modern Auth method such as:

    https://learn.microsoft.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide

    Disabling external access means just that - no access at all for any device.

    You could disable external access and only access via a VPN, of course.

    Also, very important - ensure you are on the latest CU and security updates for Exchange.

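    An added example, not from any post in this thread, of the checks that back up the advice above: a read-only Exchange Management Shell audit of how EWS is exposed on an Exchange 2016 organization. It lists, for every server at once, what the question's screenshot shows for one server (which authentication methods each EWS virtual directory accepts and which external URL Autodiscover publishes), the organization-wide EWS settings, and how many mailboxes have EWS turned off per mailbox. All cmdlets and property names are standard Exchange 2013+ cmdlets; no server names or URLs are assumed, the script reports whatever your organization has.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell
# on an Exchange 2016 server. Read-only: nothing here changes configuration.

# 1. EWS virtual directory authentication and URLs on every server.
#    -ADPropertiesOnly reads from Active Directory, so it is fast and does not
#    need IIS metabase access on each server.
Get-WebServicesVirtualDirectory -ADPropertiesOnly |
    Select-Object Server, InternalUrl, ExternalUrl,
                  BasicAuthentication, WindowsAuthentication, OAuthAuthentication |
    Format-Table -AutoSize

# 2. Organization-wide EWS policy: whether EWS is enabled at all and the
#    application allow/block list that restricts which EWS clients may connect.
Get-OrganizationConfig |
    Select-Object EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList |
    Format-List

# 3. Per-mailbox EWS state. An empty value means "inherit the organization setting".
Get-CASMailbox -ResultSize Unlimited |
    Group-Object -Property EwsEnabled |
    Select-Object @{ Name = 'EwsEnabled'
                     Expression = { if ($_.Name) { $_.Name } else { 'inherit' } } },
                  Count

# 4. Flag any EWS virtual directory that still accepts Basic authentication,
#    the setting the original question already has turned off.
$basicAuthEws = Get-WebServicesVirtualDirectory -ADPropertiesOnly |
    Where-Object { $_.BasicAuthentication }

if ($basicAuthEws) {
    Write-Warning ("Basic authentication is still enabled on EWS for: " +
                   ($basicAuthEws.Server -join ', '))
} else {
    Write-Host "Basic authentication is disabled on every EWS virtual directory."
}
```

    Step 2 is the part most people miss: even when EWS stays enabled (as the thread concludes it must), `EwsApplicationAccessPolicy` lets you limit which client applications may use it, and `EwsEnabled` on `Set-CASMailbox` lets you turn it off for individual mailboxes that never need it, without touching the virtual directory that Outlook, OWA and ActiveSync depend on.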

  2. vallee2018 331 Reputation points
    2021-10-08T18:13:54.943+00:00

    Hello Andy,

    Thank you for the reply. OK, disabling EWS is not an option. Understood. What is required to block all external access to the Exchange Servers?

    The link you provided mentions hybrid authentication. Unfortunately, in my organization's case, we don't use cloud services and management is not open to doing so.

    You stated "Disabling external access means just that - no access at all for any device." Just to confirm, you are referring to if EWS is disabled, and that is why it can't be disabled. Is this correct?

    You stated "You could disable external access and only access via a VPN of course". What is the correct process to do this? Please note I am somewhat new to Exchange.

    Thanks


  3. Andy David - MVP 145.1K Reputation points MVP
    2021-10-08T18:21:17.01+00:00

    Sorry, to be clear:
    "Disabling external access means just that - no access at all for any device" - I mean only for external users, of course. Blocking external access on port 443 to the Exchange Servers would accomplish this.

    "You could disable external access and only access via a VPN of course" - Well, that is not something I could comment on. If your company has an existing VPN solution, you could use that - but that's not really an Exchange issue as much as a network / security one.


  4. vallee2018 331 Reputation points
    2021-10-10T23:53:31.693+00:00

    Hi Andy,

    Besides blocking external access on port 443 to the Exchange Servers on the firewall, what other action is recommended? I will check with the insurance company regarding the tool they used, but it showed the following:

    Asset: "External ISP" - Port: 443
    Asset: "mail.DomainName" - Port: 443
    Asset: "autodiscover.DomainName" - Port: 443
    Asset: "External IP" - Port: 443

    What tools would be used to reveal this information on a domain name and what would I need to do to prevent this information from being publicly available?
    Thank you.

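    An added example, not from any post in this thread, showing how the names in the list above become visible and how to verify the port 443 block that Andy recommends. The `mail.` and `autodiscover.` hostnames and the MX record have to be in public DNS for mail flow and Autodiscover to work, so they cannot be hidden; what a firewall change controls is whether anything answers on 443 at those addresses. This script runs from a machine outside your network and reports, per hostname, whether TCP 443 is reachable, then (only if it is reachable) whether the EWS endpoint refuses anonymous requests. `example.com` is a placeholder to replace with your own domain; the cmdlets used (`Resolve-DnsName`, `Test-NetConnection`, `Invoke-WebRequest`) are standard Windows PowerShell 5.1 cmdlets.

```powershell
# Added example (not from the thread). Run from OUTSIDE your network after the
# firewall change. Only your own domain is queried; replace the placeholder.
$domain = 'example.com'   # placeholder: your organization's mail domain
$names  = @("mail.$domain", "autodiscover.$domain")

# The MX host is public by definition; it is usually the same as mail.<domain>.
Resolve-DnsName -Name $domain -Type MX -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'MX' } |
    ForEach-Object { if ($names -notcontains $_.NameExchange) { $names += $_.NameExchange } }

foreach ($name in $names) {
    $records = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' }
    if (-not $records) { Write-Host "$name : no A record"; continue }

    foreach ($ip in $records.IPAddress) {
        $tcp   = Test-NetConnection -ComputerName $ip -Port 443 -WarningAction SilentlyContinue
        $state = if ($tcp.TcpTestSucceeded) { 'OPEN' } else { 'blocked/filtered' }
        Write-Host ("{0} -> {1} : TCP 443 {2}" -f $name, $ip, $state)

        # If 443 is still open because OWA/ActiveSync must stay reachable, confirm
        # that the EWS endpoint at least demands authentication (HTTP 401) rather
        # than answering anonymously.
        if ($tcp.TcpTestSucceeded) {
            try {
                $r = Invoke-WebRequest -Uri "https://$name/EWS/Exchange.asmx" `
                        -UseBasicParsing -TimeoutSec 10
                Write-Warning ("{0}: EWS answered anonymously with HTTP {1}" -f $name, $r.StatusCode)
            } catch {
                $code = $null
                if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
                if ($code -eq 401) {
                    Write-Host ("{0}: EWS requires authentication (401), as expected" -f $name)
                } else {
                    Write-Host ("{0}: EWS request failed ({1})" -f $name, $_.Exception.Message)
                }
            }
        }
    }
}
```

    A "blocked/filtered" result on every address means the firewall change took effect and the insurance scanner would no longer list those assets on 443; the trade-off, as the thread notes, is that OWA and ActiveSync also stop working for anyone not on the VPN. If 443 has to stay open, the 401 check is the minimum you want to see, and the EWS application access policy from the Exchange side is the next control to look at.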