microsoft:secure_excange_2012_eac [2017/01/10 15:22]
admin
microsoft:secure_excange_2012_eac [2017/01/12 11:44] (current)
admin
====== Securing access to Microsoft Exchange 2013 EAC ======
  
The coexistence of the Exchange 2013 Administration Console (EAC) with the other Exchange website virtual directories represents a considerable security vulnerability for any organization that installs it using the out-of-box defaults. Since most organizations need Outlook Anywhere and EWS to be Web-facing, and usually OWA too, the EAC will also end up being publicly accessible – an inadvisable security practice in itself, and even more so for another important reason that I will explain. The EAC uses the IIS virtual directory /ecp, which also carries non-admin functions for normal email users, so it is not really desirable to try to limit access to it. Besides, an Exchange Service Pack or Cumulative Update is quite likely to reset the virtual directory settings and permissions later anyway. Now that the Exchange Management Console application has been retired, it is not practical to completely disable the EAC unless you especially enjoy PowerShell, so we need to find a way to harden the server.
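Before hardening anything, it helps to see which servers actually expose the EAC on the same published hostname as OWA/EWS. The following inventory check is an added example, not part of the original page; it assumes the Exchange Management Shell, a placeholder public hostname of mail.example.com, and that the ECP virtual directory objects carry the AdminEnabled property (set with Set-EcpVirtualDirectory -AdminEnabled on Exchange 2013 and later).

```powershell
# Added example: list every /ecp virtual directory in the organization and flag
# those whose ExternalUrl sits on the shared public hostname while the EAC is
# still enabled on that directory. Run from the Exchange Management Shell.
# Assumption: mail.example.com is a placeholder for your published hostname.
$publicHost = 'mail.example.com'

Get-EcpVirtualDirectory -ADPropertiesOnly |
    Select-Object Server, Name, InternalUrl, ExternalUrl, AdminEnabled |
    ForEach-Object {
        $ext = $_.ExternalUrl   # System.Uri or $null when no external URL is set

        # An ExternalUrl on the public hostname means the EAC rides along with the
        # user-facing /ecp functions on the same endpoint your firewall or reverse
        # proxy publishes for OWA, EWS and Outlook Anywhere.
        $onPublicHost = [bool]$ext -and ($ext.Host -ieq $publicHost)

        [pscustomobject]@{
            Server        = $_.Server
            VirtualDir    = $_.Name
            ExternalUrl   = $ext
            # $false means the EAC is disabled on this vdir (assumption: property
            # present on Exchange 2013+ ECP virtual directories).
            AdminEnabled  = $_.AdminEnabled
            PublicEacRisk = $onPublicHost -and ($_.AdminEnabled -ne $false)
        }
    } | Sort-Object PublicEacRisk -Descending | Format-Table -AutoSize
```

A row with PublicEacRisk set to True is a server where the admin console is reachable through the same published URL as ordinary mailbox users, which is exactly the default condition described above.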
microsoft/secure_excange_2012_eac.1484058177.txt.gz · Last modified: 2017/01/10 15:22 by admin