URL rewrite rule Exchange 2019 PowerShell issue

Matt Pollock 246 Reputation points
2021-11-17T08:18:20.29+00:00

Hi,

I recently had to implement URL rewrite rules on my Exchange 2019 servers after they were flagged as being vulnerable to host header injection in a recent pen test.
Since implementing the rules I can no longer open EMS on any Exchange server and initiate a PS session to "itself".

For example, if I open EMS on Server 1, the connection to "remote host" Server 1 will fail, and a connection to Server 2 will be initiated instead.
This behaviour is the same on all Exchange servers.

URL rewrite rule:
150142-2021-11-17-08-04-53-window.png

EMS error:
150132-2021-11-17-08-07-35-window.png

I would expect the local connection in EMS to be made to the FQDN of the local server, which is catered for in the regex of the rule; however, clearly I am missing something.

Any help would be appreciated.

Thanks in advance.


Accepted answer
  1. Rich Matheisen 44,696 Reputation points
    2021-11-18T03:11:57.79+00:00

    I'm not sure what the Exchange server does with that, but the regexes look a little dicey to me. All of them have unescaped "." characters in them. Those will match any character, not just the "dot" that separates the tokens in a host name.

    You also have an asterisk in the patterns. And they follow regex groups. Effectively they're saying that the group is optional (the asterisk matches "zero or more") and that multiple groups may be present.

    I'm not sure if you meant either of those.
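
The two regex points in the answer above, shown as an added example that is not part of the original thread. The poster's rule is only visible in a screenshot, so the host names and both patterns here are constructed for illustration; PowerShell's `-match` uses .NET regex, but the behaviour of an unescaped `.` and of `*` after a group is the same in URL Rewrite patterns.

```powershell
# Constructed host names; substitute your own namespace and each server's FQDN.
$allowedHosts = 'mail.contoso.com', 'ex01.contoso.com', 'ex02.contoso.com'

# Loose style (hypothetical): raw dots, and '*' after the alternation group.
$loose = '^(' + ($allowedHosts -join '|') + ')*$'

# Strict style: escape every name, require exactly one alternative,
# allow an optional port (a Host header may carry one), anchor both ends.
$escaped = $allowedHosts | ForEach-Object { [regex]::Escape($_) }
$strict  = '^(?:' + ($escaped -join '|') + ')(?::\d+)?$'

# Constructed Host header values to run through both patterns.
$samples = @(
    'mail.contoso.com',                  # legitimate name
    'ex01.contoso.com:443',              # legitimate name with a port
    'mailXcontoso.com',                  # '.' matched an arbitrary character
    '',                                  # '*' allows zero repetitions
    'mail.contoso.comex01.contoso.com',  # '*' allows repeated groups
    'mail.contoso.com.example.net'       # extra suffix, rejected by both
)

$results = foreach ($h in $samples) {
    [pscustomobject]@{
        HostHeader = "'$h'"
        Loose      = $h -match $loose
        Strict     = $h -match $strict
    }
}

$results | Format-Table -AutoSize
"Strict pattern: $strict"
```

Rows where the two columns differ are the cases the answer describes; the printed strict pattern shows the escaped form of each host name.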


1 additional answer

  1. KyleXu-MSFT 26,206 Reputation points
    2021-11-18T02:44:57.073+00:00

    @Matt Pollock

    From the Exchange side, I would suggest you use the new function of Exchange 2019: Client Access Rules

    It could limit which IP address PowerShell could connect from. Such as:

    New-ClientAccessRule -Name "Block Remote PowerShell" -Action DenyAccess -AnyOfProtocols RemotePowerShell -ExceptAnyOfClientIPAddressesOrRanges 192.168.10.1  
    

    About the use of regular expressions in the URL rewrite rule, we may check from the IIS side.

