Deploy Extended Protection for Exchange server NOW

Thursday, January 18, 2024


Exchange 2019 CU14 is expected to enable Windows Extended Protection in Exchange Server by default. Extended Protection (channel binding) ties the existing Windows authentication (NTLM and Kerberos) to the outer TLS channel, so credentials captured and replayed over a different TLS connection are rejected. This mitigates authentication relay and man-in-the-middle (MitM) attacks against Exchange.

Extended Protection has several very important prerequisites, which Microsoft's Extended Protection documentation for Exchange Server describes.

Prerequisites for enabling Extended Protection on Exchange Server:

  • SSL offloading must be disabled on all Exchange servers. It is disabled by default, so this only affects environments where it was deliberately configured (for example, "Require SSL" removed from a virtual directory, or Outlook Anywhere set to SSLOffloading). Extended Protection binds authentication to the TLS session that terminates on the Exchange server, so a load balancer that terminates TLS in front of it breaks that binding.
  • Clients should use NTLMv2 instead of NTLMv1, which is the default setting in Windows. I recommend configuring this via Group Policy (LmCompatibilityLevel of 3 or higher). If a client still uses NTLMv1 when Extended Protection is enabled, the user gets repeated password prompts and has no way to authenticate successfully against the Exchange server.
  • TLS configurations must be consistent across all Exchange servers within the organization. Any variation in TLS version use across servers can cause client connections to fail. I recommend that all Exchange servers be configured to use only TLS 1.2 for client and server operations, including the .NET Framework (SystemDefaultTlsVersions and SchUseStrongCrypto).
  • Third-party software running on your Exchange servers must be compatible with Extended Protection. Test every third-party product in your Exchange Server environment to confirm that it still works when Extended Protection is enabled.
  • Extended Protection doesn't work with hybrid servers using a Modern Hybrid configuration.
  • Extended Protection can't be enabled on Exchange Server 2013 servers with Public Folders in a coexistence environment.
  • Extended Protection can't be enabled on Exchange Server 2016 CU22 or Exchange Server 2019 CU11 or older servers that host a Public Folder hierarchy.
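The following read-only pre-flight script is an added example, not part of the original post and not Microsoft's script; it checks the server-side prerequisites above (SSL offloading, NTLMv2 level, TLS 1.2 and .NET TLS settings, and the current Extended Protection state of the front-end virtual directories) on the local server. Run it in an elevated Exchange Management Shell on every server and compare the output to spot TLS inconsistencies. The registry paths and IIS property names are the documented ones; the virtual directory list, the function and check names, and the pass/fail thresholds are assumptions to adapt to your environment.

```powershell
# Added example: local pre-flight check for Exchange Extended Protection prerequisites.
# Read-only; changes nothing. Run in an elevated Exchange Management Shell on each server.
Import-Module WebAdministration -ErrorAction Stop

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist (i.e. the OS/.NET default applies).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-EPPrerequisites {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Server = $env:COMPUTERNAME; Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. SSL offloading must be off: every front-end vdir must still require SSL.
    #    sslFlags may come back as a name list ("Ssl, SslNegotiateCert") or as an integer; Ssl = 8.
    $vdirs = 'owa', 'ecp', 'EWS', 'Microsoft-Server-ActiveSync', 'OAB', 'Rpc', 'MAPI', 'Autodiscover'  # assumption
    foreach ($v in $vdirs) {
        $path = "IIS:\Sites\Default Web Site\$v"
        if (-not (Test-Path $path)) { continue }
        $raw = Get-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/security/access' -Name sslFlags
        $flags = if ($null -ne $raw.Value) { "$($raw.Value)" } else { "$raw" }
        $requireSsl = ($flags -match 'Ssl') -or (($flags -match '^\d+$') -and ((([int]$flags) -band 8) -ne 0))
        Add-Result "RequireSSL $v" $requireSsl "sslFlags=$flags"

        # 4. Current Extended Protection state: tokenChecking is None, Allow or Require.
        $ep = Get-WebConfigurationProperty -PSPath $path `
            -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name extendedProtection
        Add-Result "ExtendedProtection $v" ("$($ep.tokenChecking)" -ne 'None') "tokenChecking=$($ep.tokenChecking)"
    }
    $oa = Get-OutlookAnywhere -Server $env:COMPUTERNAME
    Add-Result 'OutlookAnywhere SSLOffloading' (-not $oa.SSLOffloading) "SSLOffloading=$($oa.SSLOffloading)"

    # 2. NTLMv2: LmCompatibilityLevel 3+ means "send NTLMv2 response only"; unset means the OS default (3).
    $lm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
    Add-Result 'NTLMv2 (LmCompatibilityLevel >= 3 or unset)' (($null -eq $lm) -or ($lm -ge 3)) "LmCompatibilityLevel=$lm"

    # 3. TLS 1.2 must be usable on both the server and client side of SCHANNEL.
    #    Unset values mean the OS default (enabled); an explicit Enabled=0 or DisabledByDefault=1 fails.
    $sch = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($side in 'Server', 'Client') {
        $p = Join-Path $sch "TLS 1.2\$side"
        $en = Get-RegValue $p 'Enabled'
        $dbd = Get-RegValue $p 'DisabledByDefault'
        Add-Result "TLS 1.2 $side" (($en -ne 0) -and ($dbd -ne 1)) "Enabled=$en DisabledByDefault=$dbd"
    }
    # .NET must defer to the OS TLS defaults (both 64-bit and 32-bit hives).
    foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $sd = Get-RegValue $net 'SystemDefaultTlsVersions'
        $sc = Get-RegValue $net 'SchUseStrongCrypto'
        Add-Result ".NET TLS defaults ($net)" (($sd -eq 1) -and ($sc -eq 1)) "SystemDefaultTlsVersions=$sd SchUseStrongCrypto=$sc"
    }
    return $results
}

$report = Test-EPPrerequisites
$report | Format-Table -AutoSize
# Save per-server output and diff the TLS rows across servers to catch inconsistent configurations.
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\EP-prereqs-$env:COMPUTERNAME.csv"
if ($report | Where-Object { -not $_.Pass }) { Write-Warning 'One or more Extended Protection prerequisites are not met on this server.' }
```

The script reports rather than fixes: an "ExtendedProtection" row of None is expected before you enable the feature, while any failing RequireSSL, NTLMv2, TLS or .NET row is something to remediate before installing CU14. Compare the CSV files from all servers; a TLS row that passes on one server and fails on another is exactly the inconsistency that causes client connection failures.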

It's unlikely that the Exchange 2019 CU14 installer will perform "deep" inspection for these prerequisites, so this may cause problems in your environment if the prerequisites are not met and CU14 enables Extended Protection. The most likely issue will be that clients will be unable to connect or authenticate to Exchange server after Extended Protection is enabled.

I strongly recommend that all customers with Exchange server (including hybrid) check that they meet the requirements above and run the Exchange Extended Protection Management script (ExchangeExtendedProtectionManagement.ps1 from Microsoft's CSS-Exchange repository) before they install Exchange 2019 CU14. This script checks that the major requirements are met before enabling Extended Protection across all Exchange servers (not just Exchange 2019) in the organization.

The best course of action is to check and mitigate the Extended Protection prerequisites first. Always read the CU installation notes, especially if you use Windows Update to deploy this update.

Please reach out to EXPTA Consulting if you would like assistance.
