How to properly implement Exchange Extended Protection

This security feature can better protect Exchange Server deployments to prevent a wide range of attacks and safeguard sensitive data transmitted over the network.

Exchange Server is a favorite target for attackers, but an additional layer of security from Microsoft can help keep cyberattacks at bay.

Windows Extended Protection is a security feature designed to improve protection against certain types of attacks, particularly data interception and tampering. Microsoft recently expanded this coverage to Exchange Server, but without the proper configuration, Exchange Extended Protection can introduce issues. This article explains the prerequisites for Exchange Extended Protection, how to set it up and how to troubleshoot if problems occur.

How does Exchange Extended Protection prevent attacks?

Exchange Extended Protection helps prevent attacks on Exchange by improving the security of communications between Exchange Server and clients. This mitigates the risk of man-in-the-middle (MitM) attacks, where an attacker intercepts and potentially alters communication between a client and server.

Exchange Extended Protection enforces stricter authentication mechanisms, such as requiring clients to use extended validation certificates, so that only authorized clients can connect to Exchange servers. Exchange Extended Protection requires the use of enhanced encryption algorithms, which encode data exchanged between clients and servers more securely. This helps prevent attackers from intercepting and deciphering sensitive information transmitted over the network.

Microsoft addressed known security vulnerabilities and weaknesses in Exchange Server by enforcing more rigorous measures with Exchange Extended Protection. Updating to this security feature makes Exchange deployments follow industry-standard security protocols and best practices.

What are the potential problems with Exchange Extended Protection?

Implementing Exchange Extended Protection can introduce several potential issues or challenges. Some older or less common email clients may not support the security protocols and configurations required by Exchange Extended Protection, leading to compatibility problems that prevent users from accessing Exchange services securely. Incorrectly configuring Exchange Extended Protection settings on Exchange servers or clients can cause connectivity issues and other problems. Additional overhead and processing requirements on servers and clients can affect performance; planning and monitoring by administrators should help to mitigate these issues.

Extended validation certificate management can be complex and time-consuming. Administrators must ensure certificates are issued, renewed and installed correctly on Exchange Server and client systems. Failure to manage certificates can lead to security vulnerabilities and connectivity issues. End users might require training to keep their email clients updated to follow new security policies.

If the organization uses third-party security products or email filtering services, be sure to test their compatibility before enabling Exchange Extended Protection and check for proper functionality afterward.

Testing, monitoring and ongoing maintenance are crucial to stay ahead of any issues that arise from using Exchange Extended Protection.

What are the prerequisites for Exchange Extended Protection?

Microsoft supports Exchange Extended Protection on Exchange Server 2013, 2016 and 2019 with the latest cumulative security updates.

Exchange Server 2016 and 2019 must be on the 2022 H1 cumulative update and have the August 2022 security update or later installed. Exchange Server 2013 must be on cumulative update 23 with the August 2022 security update or later.

Extended Protection cannot be enabled on Exchange Server 2013 with public folders in a coexistence environment. Microsoft ended support for Exchange 2013 in April 2023. Public folders must be moved to a supported Exchange Server deployment.

The NTLM version needs to be NTLMv2. Microsoft does not support NTLMv1 with Exchange Extended Protection, and a client that uses NTLMv1 fails to authenticate. Microsoft recommends that Windows clients and Exchange servers have an LmCompatibilityLevel registry value of at least 3, which sends only NTLMv2 responses.

Secure Sockets Layer (SSL) offloading is turned on by default for organizations that use Outlook Anywhere, which lets users get to their Exchange mailbox outside of the organization's network without a VPN. SSL offloading improves the performance and scalability of web servers, including Exchange Server, but it is regarded as a security risk for MitM attacks and is not compatible with Exchange Extended Protection.

Disable SSL offloading in Outlook Anywhere so that SSL/TLS is terminated on Exchange Server itself rather than on an intermediary device, such as a reverse proxy or load balancer.

The installer for Exchange Server 2019 CU14 and later stops SSL offloading automatically, but admins can use the following PowerShell command to disable SSL offloading:

Set-OutlookAnywhere -Identity "<ServerName>\rpc (Default Web Site)" -SSLOffloading $false -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true

Because Exchange Extended Protection requires extended validation certificates, make sure you have a certificate infrastructure to issue and manage these certificates. This includes obtaining valid SSL/Transport Layer Security (TLS) certificates from a trusted certificate authority and verifying the proper installation and setup of certificates on Exchange Server.

All Exchange servers must use TLS 1.2.

If the organization uses public folders on Exchange Server 2013, they must be migrated to a supported version of Exchange Server.

Exchange Server relies on Active Directory (AD) for authentication, authorization and other directory services. It's important to check that the AD infrastructure remains properly configured, healthy and accessible from Exchange Server.

The clients used by your users must support the necessary security protocols and configurations, which might require an update to client applications, such as Outlook and mobile email clients, to support extended validation certificates, encryption algorithms and other security features.
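The prerequisites above for NTLMv2, Outlook Anywhere SSL offloading and TLS 1.2 can be audited across every server in one pass. The following script is an added example, not part of the original article and not Microsoft tooling. It assumes an elevated Exchange Management Shell, WinRM access to each server, and the standard Windows registry locations for LmCompatibilityLevel (under Lsa) and the SCHANNEL TLS 1.2 server key; the -Fix switch is the example's own and only runs the article's Set-OutlookAnywhere command where offloading is still on.

```powershell
# Added example: audit Exchange Extended Protection prerequisites on all servers.
# Run from an elevated Exchange Management Shell. Read-only unless -Fix is given,
# and -Fix only disables Outlook Anywhere SSL offloading (the article's own command).
param([switch]$Fix)

# Edge Transport servers have no client access role and are skipped.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -notmatch 'Edge' }

# Show the build of every server so it can be compared with the minimum CU/SU.
$servers | Select-Object Name, Edition, AdminDisplayVersion | Format-Table -AutoSize

# 1. Outlook Anywhere: SSL offloading must be disabled on every server.
foreach ($oa in Get-OutlookAnywhere) {
    if ($oa.SSLOffloading) {
        Write-Warning "$($oa.Server): Outlook Anywhere SSL offloading is enabled"
        if ($Fix) {
            Set-OutlookAnywhere -Identity $oa.Identity -SSLOffloading $false `
                -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true
            Write-Host "$($oa.Server): SSL offloading disabled"
        }
    }
}

# 2. and 3. NTLMv2 (LmCompatibilityLevel >= 3) and TLS 1.2 enabled, read remotely.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
$results = Invoke-Command -ComputerName $servers.Name -ArgumentList $lsaKey, $tlsKey -ScriptBlock {
    param($lsaKey, $tlsKey)
    $lsa = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
    $tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server                 = $env:COMPUTERNAME
        LmCompatibilityLevel   = $lsa.LmCompatibilityLevel   # $null = not set, Windows default applies
        Tls12Enabled           = $tls.Enabled                # $null = key absent, OS default applies
        Tls12DisabledByDefault = $tls.DisabledByDefault
    }
}

foreach ($r in $results) {
    if ($null -ne $r.LmCompatibilityLevel -and $r.LmCompatibilityLevel -lt 3) {
        Write-Warning "$($r.Server): LmCompatibilityLevel is $($r.LmCompatibilityLevel); 3 or higher is needed for NTLMv2"
    }
    if ($r.Tls12Enabled -eq 0 -or $r.Tls12DisabledByDefault -eq 1) {
        Write-Warning "$($r.Server): TLS 1.2 is disabled in SCHANNEL"
    }
}

# The enabling script also requires every server to share the same TLS configuration,
# so flag any server whose TLS 1.2 registry state differs from the rest.
$groups = $results | Group-Object Tls12Enabled, Tls12DisabledByDefault
if ($groups.Count -gt 1) {
    Write-Warning ("TLS 1.2 configuration differs between servers: " +
        (($groups | ForEach-Object { "$($_.Group.Server -join ',') => [$($_.Name)]" }) -join '; '))
}

$results | Select-Object Server, LmCompatibilityLevel, Tls12Enabled, Tls12DisabledByDefault |
    Format-Table -AutoSize
```

Run it once without -Fix to get the report, correct the NTLM and TLS findings through your normal configuration management, and only then run it with -Fix to turn off SSL offloading; the script deliberately leaves the registry untouched because those settings are usually governed by Group Policy.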

How do you check for Exchange Extended Protection compatibility?

Microsoft provides tools for Exchange administrators that might not specifically check for Exchange Extended Protection compatibility, but they can identify potential issues in the Exchange Server deployment:

  • Exchange Server Health Checker. This PowerShell script from Microsoft produces a report of configuration problems in the Exchange environment, including load balancers and mailboxes, as well as any vulnerabilities.
  • Microsoft Remote Connectivity Analyzer. This diagnoses and troubleshoots Exchange Server connectivity issues. This tool aids with testing Exchange services and protocols after enabling Exchange Extended Protection.

How to enable Exchange Extended Protection

The steps to enable Exchange Extended Protection may vary depending on the version of Exchange Server. You typically enable Exchange Extended Protection with a PowerShell script from Microsoft.

Download the latest version of the ExchangeExtendedProtectionManagement.ps1 script from the Microsoft repository.

This PowerShell script can run an additional prerequisite check to ensure all Exchange servers are running the minimum required cumulative updates and security updates, and that they all use the same TLS configuration. Run the following command with elevated privileges from the Exchange Management Shell (EMS) to check the prerequisites for Exchange Extended Protection:

.\ExchangeExtendedProtectionManagement.ps1 -PrerequisitesCheckOnly

If the script finds issues, it outputs its findings to help admins correct them. After making updates, the administrator can run the following command to check specific Exchange Server systems:

.\ExchangeExtendedProtectionManagement.ps1 -PrerequisitesCheckOnly -ExchangeServerNames <Server Name>
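A staged rollout built around the commands above, as an added example that is not part of the article or of Microsoft's script. It assumes the script is in the current directory and is run from an elevated Exchange Management Shell; -PrerequisitesCheckOnly, -ExchangeServerNames, -ShowExtendedProtection and -RollbackType are documented parameters of ExchangeExtendedProtectionManagement.ps1. The IIS check at the end assumes that Extended Protection is applied as the windowsAuthentication extendedProtection tokenChecking setting on the Exchange virtual directories, which is what the script configures. $PilotServers and the -Enable switch are the example's own.

```powershell
# Added example: check, enable on a pilot batch, then verify. Nothing is changed
# unless -Enable is supplied; $PilotServers is a placeholder list of your first batch.
param(
    [string[]]$PilotServers = @('EX01', 'EX02'),   # placeholder server names
    [switch]$Enable
)

# Step 1: prerequisites for the pilot batch only (read-only).
.\ExchangeExtendedProtectionManagement.ps1 -PrerequisitesCheckOnly -ExchangeServerNames $PilotServers

# Step 2: enable Extended Protection on the pilot batch. Without -ExchangeServerNames the
# script targets every server in the organization, so the batch is always passed explicitly.
if ($Enable) {
    .\ExchangeExtendedProtectionManagement.ps1 -ExchangeServerNames $PilotServers
    # Documented rollback if clients break: restores the IIS configuration saved by the script.
    #   .\ExchangeExtendedProtectionManagement.ps1 -ExchangeServerNames $PilotServers -RollbackType "RestoreIISAppConfig"
}

# Step 3a: Microsoft's own view of the resulting configuration (all servers).
.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection

# Step 3b: independent check straight from IIS on each pilot server. Extended Protection is
# the windowsAuthentication/extendedProtection tokenChecking attribute (None, Allow or Require)
# on each virtual directory; compare the output with Microsoft's per-directory table.
$vdirs = 'EWS', 'Autodiscover', 'OAB', 'mapi', 'ecp', 'owa', 'Microsoft-Server-ActiveSync', 'PowerShell', 'Rpc'
Invoke-Command -ComputerName $PilotServers -ArgumentList (,$vdirs) -ScriptBlock {
    param([string[]]$vdirs)
    Import-Module WebAdministration
    foreach ($site in 'Default Web Site', 'Exchange Back End') {
        foreach ($vdir in $vdirs) {
            $path = "IIS:\Sites\$site\$vdir"
            if (-not (Test-Path $path)) { continue }   # not every vdir exists on both sites
            $ep = Get-WebConfigurationProperty -PSPath $path `
                -Filter 'system.webServer/security/authentication/windowsAuthentication' `
                -Name 'extendedProtection'
            [pscustomobject]@{
                Server        = $env:COMPUTERNAME
                Site          = $site
                VirtualDir    = $vdir
                TokenChecking = $ep.tokenChecking
            }
        }
    }
} | Sort-Object Server, Site, VirtualDir | Format-Table -AutoSize
```

Keeping the batch explicit on every call is the point of the wrapper: a bare run of the script enables Extended Protection organization-wide, whereas a pilot batch lets you exercise Outlook Anywhere, Outlook on the web and ActiveSync against a few servers and roll back with the documented -RollbackType before touching the rest.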

Run through checks after upgrading Exchange security

After enabling Exchange Extended Protection, perform thorough testing to ensure that Exchange Server communication functions correctly and that clients can connect securely. Test various client access methods, such as Outlook on the web, Outlook Anywhere and Exchange ActiveSync, to verify that they work as expected.

Consult Microsoft's official documentation and best practices for your specific version of Exchange Server when enabling Exchange Extended Protection, as the exact steps and requirements may vary. Additionally, consider testing Exchange Extended Protection in a nonproduction environment before deploying it in the working platform to ensure compatibility and minimize potential disruptions.

Common issues and troubleshooting

Users may experience issues when accessing Exchange services after enabling Exchange Extended Protection. Look at the following areas to help troubleshoot Exchange connectivity issues:

  • Network connectivity between clients and Exchange servers.
  • DNS resolution for Exchange Server hostnames.
  • Firewalls and network devices allowing necessary traffic, such as HTTPS and Remote Procedure Call over HTTP, to pass through.
  • Exchange Server event logs for any connectivity-related errors or warnings.
  • Disabled SSL offloading.
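The checklist above, and the client access tests recommended earlier, can be run as one script against a single client-facing hostname. This is an added example, not part of the original article. $Server is a placeholder for the name clients actually use (often a load-balanced name), the endpoint paths are the standard Exchange virtual directories, and the event-log and SSL offloading checks need admin rights on the server and the Exchange cmdlets respectively; the other checks run from any workstation.

```powershell
# Added example: run the connectivity checklist against one Exchange hostname.
# $Server is a placeholder for the hostname clients use; $Hours bounds the event-log window.
param(
    [string]$Server = 'mail.example.com',   # placeholder
    [int]$Hours = 24
)

# 1. DNS resolution for the client-facing name.
try {
    $ips = (Resolve-DnsName -Name $Server -Type A -ErrorAction Stop).IPAddress
    Write-Host "DNS: $Server -> $($ips -join ', ')"
} catch {
    Write-Warning "DNS: cannot resolve $Server ($($_.Exception.Message))"
}

# 2. Network path: HTTPS (443) carries Outlook Anywhere, MAPI/HTTP, OWA, EWS and ActiveSync.
$tcp = Test-NetConnection -ComputerName $Server -Port 443 -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) { Write-Host "TCP 443: open" }
else { Write-Warning "TCP 443: blocked or closed (check firewalls and the load balancer)" }

# 3. Endpoint reachability for each client access method. Anonymous requests are expected to
# get 401 (authentication demanded) from most endpoints and 200 from the OWA sign-in page.
$endpoints = '/owa/', '/ews/exchange.asmx', '/Microsoft-Server-ActiveSync', '/rpc/rpcproxy.dll', '/mapi/emsmdb'
foreach ($ep in $endpoints) {
    $url = "https://$Server$ep"
    $msg = ''
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
        $code = [int]$resp.StatusCode
    } catch {
        $msg  = $_.Exception.Message
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
    }
    switch ($code) {
        200     { Write-Host "$url : 200 OK" }
        401     { Write-Host "$url : 401 (authentication required, endpoint reachable)" }
        -1      { Write-Warning "$url : no HTTP response ($msg)" }
        default { Write-Warning "$url : HTTP $code" }
    }
}

# 4. Recent errors and warnings on the server from Exchange, IIS and Schannel providers.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Application', 'System'; Level = 2, 3; StartTime = $since
} | Where-Object { $_.ProviderName -match 'MSExchange|Schannel|HttpEvent|IIS|W3SVC' }
if ($events) {
    Write-Host "Event log: $($events.Count) error/warning events in the last $Hours h"
    $events | Group-Object ProviderName, Id | Sort-Object Count -Descending |
        Select-Object Count, Name -First 10 | Format-Table -AutoSize
} else {
    Write-Host "Event log: no matching errors or warnings in the last $Hours h (or no access)"
}

# 5. SSL offloading must be off everywhere; only possible where the Exchange cmdlets are loaded.
if (Get-Command Get-OutlookAnywhere -ErrorAction SilentlyContinue) {
    $offloading = Get-OutlookAnywhere | Where-Object { $_.SSLOffloading }
    if ($offloading) {
        Write-Warning "SSL offloading still enabled on: $($offloading.Server -join ', ')"
    } else {
        Write-Host "SSL offloading: disabled on all servers"
    }
}
```

A 401 from EWS, ActiveSync, RPC and MAPI endpoints is the healthy result, since Extended Protection changes how the authenticated channel is bound, not whether the endpoint answers; a 401 plus a client that still cannot sign in points at the NTLM version or at a device terminating TLS in front of the server, which the last two checks help confirm.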

Regularly monitor Exchange server logs and performance metrics to identify any issues or anomalies related to Exchange Extended Protection. Use logging and monitoring tools to track system performance, detect security incidents and troubleshoot problems proactively.

Helen Searle-Jones holds a group head of IT position in the manufacturing sector. She draws on 30 years of experience in enterprise and end-user computing, utilizing cloud and on-premises technologies to enhance IT performance.