This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 50%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
Hello,
We received a notice from our insurance company indicating they want us to disable EWS on our Exchange Server 2016. I am new to exchange. I've seen some articles stating that it should not be disabled as it is a built in component of Exchange. Should this be done and if so what is the recommended way to do this? I've read some posts that stated to set basic authentication to disabled. In my case it already is.
I believe disabling EWS would impact Outlook Web access and active sync for mobile users. Is this correct? What is necessary to restrict public access if not disabled and still allow active sync and outlook web access?
Based on what I have found it is not recommended to entirely disable EWS as this could impact active sync among other apps\services.
The insurance company gave the explanation that when EWS is enabled this creates an exploitable condition. Attackers can use this condition to brute force access to the mail server, thus causing email compromise. They indicated that we either disable EWS or restrict public access to the exchange server.
Does changing the two authentication options from my EWS screenshot address this (by blocking external HTTPS access to Exchange) without breaking something else or is there a recommended process to follow in addition or in place of this?
I did see https://msexchangeguru.com/2016/09/10/e2016-deny-external-eac/ but am not clear if this can be used for EWS as well
Thanks
Hello,
I followed the steps in this link regarding configuring IP and Domain Restrictions for ECP. https://www.alitajran.com/disable-external-access-to-ecp-exchange-2016/ and configured it for EWS and this has addressed the issue.
Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 22%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELL%3C/text%3E%3C/svg%3E)
Hi @vallee2018 ,
What do you mean by preventing this information from being publicly available? Let this information not be parsed by other tools?
1.You are correct, disabling EWS is a not recommended option. EWS is related to the free\busy information of the user's mailbox, Automatic replies (Out of office) and other functions. Disabling the EWS service will affect the normal use of the user's mailbox.
2.What are the specific restrictions you want to achieve? Restrict all external HTTPS access to Exchange server? Restrict access to EWS? Or other restrictions?
If you want to restrict external HTTPS access to Exchange servers, then I agree with Andy's idea that restricting access to port 443 can restrict HTTPS access to Exchange servers. However, it should be noted that many related servers of the Exchange server are related to port 443. If you restrict port 443, it will affect the external access of many Exchange-related servers.
For more information you could refer to: Network ports for clients and mail flow in Exchange
3.For restrictions on external access, you could consult your network team to set it up. For the security recommendations that can be provided for the Exchange server, update the Exchange server to the latest CU version and install the latest security patches.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @vallee2018 ,
Do the suggestions above help? If the issue has been resolved, please click “Accept as answer” to mark the helpful reply as an answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
If you are still stuck in this issue, please feel free to post your questions.
Regards,
Lou
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hello Lou,
I received a reply from the insurance company. They are looking for us to block the dialog that appears in a browser if using the "https://mail.DomainName.com/ews URL.
I was provided a link https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-control-acce... but it is not clear to me which command will effect the ews dialog and block it from appearing without affecting OWA and ActiveSync.
I found this link regarding configuring IP and Domain Restrictions for ECP. https://www.alitajran.com/disable-external-access-to-ecp-exchange-2016/ Will this work to disable the user logon popup and not impact existing services?
Thank you