Exchange 2016/2019 get HSTS support; Extended Protection will also be enabled soon

With CU14, Microsoft plans to enable the Windows Server Extended Protection feature by default for Exchange Server 2019 for improved protection. However, it will be possible to deactivate this feature when installing CU14 if required. Redmond announced this on August 28, 2023. Furthermore, Microsoft has announced that Exchange 2016/2019 will finally get support for HTTP Strict Transport Security (HSTS); this, too, was just announced in a Tech Community post.

Exchange 2019 CU14 activates Extended Protection

Extended Protection (EP) is a Windows feature designed to protect servers from Man in the Middle (MiTM) type attacks. EP provides a binding within Windows authentication in IIS between authentication information passed at the application layer and TLS encapsulation at lower levels of the protocol stack. The authentication information is also augmented by including the namespace that the client is accessing in the connection. If a MiTM does not represent the namespace the server expects, or if it tampers with the TLS information between the client and server, the binding is invalid and the authentication request fails. This makes NTLM relay and ticket replay scenarios much more difficult for malicious actors.

Exchange Extended Protection

According to the above tweet and this Tech Community article dated August 28, 2023, Microsoft has announced that starting with Cumulative Update (CU) 14 (release is scheduled for H2 2023), Exchange Server 2019 will have Extended Protection (EP) enabled by default. Exchange Server 2019 is currently in mainstream support and is the only version still receiving CUs.

Administrators can disable this default setting at any time after installing CU14, and re-enable it at a later time if necessary, Microsoft writes. To disable EP, administrators must use the command-line version of Setup (Microsoft plans to document the call details at a later date). If CU14 is installed via the GUI version, the EP option is automatically enabled. Those using the unattended setup or scripts to deploy CU must modify them to add the new setup parameter to disable EP.

However, Microsoft recommends that all customers enable EP in their environment. If your servers have the August 2022 SU or a newer SU installed, EP is already supported. Servers that are on a patch level older than the August 2022 SU are considered persistently vulnerable and should be updated immediately. Also, if you have Exchange servers that are older than the August 2022 SU, server-to-server communication with servers that have EP enabled will be broken. More details can be found in this Techcommunity article.

Exchange 2016/2019 get HSTS support

In another announcement (see the following tweet), Microsoft stated in the Tech Community post Announcing support for HSTS on Exchange Server 2016 and 2019 that HTTP Strict Transport Security (HSTS) is now officially supported.

HTTP Strict Transport Security (HSTS) for Exchange 2016/2019

HSTS is a policy mechanism that helps protect websites (OWA or ECP on Exchange Server) from man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It is a widely supported standard defined in RFC 6797. With HSTS, a web server tells browsers that requests to it should only be made over HTTPS connections. This ensures that encryption and authentication are used during transmission. HSTS also prevents users from clicking through warnings about invalid certificates (e.g., expired, invalid, or untrusted certificates, name mismatches, etc.). If an attacker attempts a protocol downgrade attack or a man-in-the-middle attack, the browser detects the HSTS policy violation and terminates the connection.

Microsoft has published this documentation with the steps needed to configure HSTS on Exchange Server 2016 and 2019. Exchange HealthChecker is scheduled to receive an update soon so it can indicate whether the HSTS configuration on Exchange Server has been set up as expected.
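As an added example (not from this post, from Microsoft's documentation, or from HealthChecker), the following Python evaluates the Strict-Transport-Security header of an OWA/ECP response the way a browser reads it under RFC 6797, so an administrator can confirm that the policy the server sends will actually be enforced. The one-year threshold `ONE_YEAR` is an assumed recommendation, not a value taken from the post.

```python
import re

ONE_YEAR = 31536000  # assumed minimum max-age for a production policy (common recommendation)

def parse_hsts(value):
    """Parse one STS header value per RFC 6797; returns (policy, errors), policy is None if rejected."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    errors, seen = [], set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # empty elements (e.g. a trailing ';') are allowed by the grammar
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:  # a repeated directive makes a browser ignore the whole header
            errors.append(f"directive '{name}' appears more than once")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", val):
                policy["max_age"] = int(val)
            else:
                errors.append(f"max-age value {val!r} is not a non-negative integer")
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is unrecognised and silently ignored, as the RFC requires
    if policy["max_age"] is None:
        errors.append("required max-age directive is missing")
    return (None if errors else policy), errors

def check_hsts(headers, over_tls=True):
    """Evaluate a response's (name, value) header list and report what a browser would enforce."""
    findings = []
    sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not over_tls:
        findings.append("response was not received over TLS; browsers ignore HSTS on plain HTTP")
    if not sts:
        findings.append("no Strict-Transport-Security header; HSTS is not configured")
        return {"enforced": False, "policy": None, "findings": findings}
    if len(sts) > 1:
        findings.append("multiple STS headers; only the first one is processed")
    policy, errors = parse_hsts(sts[0])
    findings.extend(errors)
    if policy and policy["max_age"] < ONE_YEAR:  # max-age=0 tells browsers to forget the policy
        findings.append(f"max-age {policy['max_age']} is below one year")
    enforced = over_tls and policy is not None and policy["max_age"] > 0
    return {"enforced": enforced, "policy": policy, "findings": findings}
```

Feed it the headers captured from a `GET /owa/` over HTTPS; an empty `findings` list with `enforced` true means browsers will pin the site to HTTPS for the stated period.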
