Restrict access to the Exchange admin center

I. Presentation

After seeing how to install Exchange Server 2019 on Windows Server 2022, we will see how to protect the administration interface of Exchange, called the “Exchange Administration Center” (or ECP / EAC), by limiting access to a few source IP addresses.

I remind you that by default, the Exchange Administration Center is accessible from the Exchange server itself, from a machine on the local network, but also from the Internet (if you have allowed the HTTPS flow for access to the Webmail). For obvious security reasons, it is best to limit access to the administration console to certain IP addresses, or at worst, to the local network. It is better to prevent this console from being accessible from the outside.

Since the HTTPS protocol is also used to access Webmail, we cannot simply use the Windows firewall, because we would also cut off access to Webmail. The restriction must be applied at a higher layer. We have two solutions for applying restrictions by IP address:

  • Configure the IIS Web server using the IP address restriction module
  • Configure a “Client Access Rule” in Exchange 2019 (not available on earlier versions)

II. Method #1: Restrict via IIS

A. Install the “Restrictions by IP address and domain” function

Let’s start with this first method, the more traditional one, so to speak.

On your Exchange server, open the PowerShell console as administrator and run the following command:

Install-WindowsFeature -Name Web-IP-Security

This command is equivalent to installing the following feature in IIS, from the Server Manager:

Once the installation is complete, move on. There is no need to restart the server.

B. Restrict Access to Exchange ECP

Open the IIS management console and expand “Sites”. Click “Default Web Site” (1), then “ecp” (2) in order to access the “IP Address and Domain Restrictions” feature.

Exchange 2019 - Configure the ECP site

In the section that opens, click “Add Allow Entry” (1) to add a new authorization. The goal is to specify the machine or subnet allowed to access the Exchange admin center. Several authorization rules can be added. In this example, I allow connections to ECP from machines in the subnet “10.10.100.0/24” (2). When done, confirm with “OK” (3).

Exchange 2019 - Allow network to access ECP

Once your rule is defined (it can be modified later), click “Edit Feature Settings” (1) to change the action taken for unauthorized clients. By default, unlisted clients are allowed, so we need to reverse this behavior. Choose “Deny” (2) and, for the deny action, choose “Abort” (3) to cut the connection of a client trying to connect. Confirm with “OK” (4).

Exchange 2019 - Securing the Exchange Admin Center

Finally, click “Default Web Site” in the left pane, then click the “Restart” button on the right to restart the IIS site and apply the change.

Exchange 2019 - Restart IIS site

From an authorized client, access to the Exchange admin center should work normally, while from an unauthorized client an error should be displayed, like this:

Restrict Exchange admin center access
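The same IIS configuration can be scripted instead of clicked through. The block below is an added example, not part of the original article: it installs the module, adds the allow entry for the article's subnet on the ecp application, denies unlisted clients with the Abort action, restarts the site and reads the settings back. It assumes the default site name and the WebAdministration module shipped with IIS.

```powershell
# Added example (not from the original article): scripted equivalent of the IIS
# steps in Method #1 plus a read-back of the resulting settings.
# Assumes an Exchange 2019 server with the default site name; the subnet is the
# one used in the article.
$SiteName   = 'Default Web Site'
$Location   = "$SiteName/ecp"
$ApphostPS  = 'MACHINE/WEBROOT/APPHOST'
$Filter     = 'system.webServer/security/ipSecurity'
$AllowedNet = '10.10.100.0'
$AllowedMsk = '255.255.255.0'   # /24, as in the article

# Step A: make sure the "IP and Domain Restrictions" module is present
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}
Import-Module WebAdministration

# Step B: add the allow entry only once (re-running the script must not duplicate it)
$existing = (Get-WebConfiguration -PSPath $ApphostPS -Location $Location -Filter $Filter).Collection |
    Where-Object { $_.ipAddress -eq $AllowedNet -and $_.subnetMask -eq $AllowedMsk }
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $ApphostPS -Location $Location -Filter $Filter -Name '.' `
        -Value @{ ipAddress = $AllowedNet; subnetMask = $AllowedMsk; allowed = 'True' }
}

# "Edit Feature Settings": unlisted clients are denied, and the deny action aborts the connection
Set-WebConfigurationProperty -PSPath $ApphostPS -Location $Location -Filter $Filter -Name 'allowUnlisted' -Value 'False'
Set-WebConfigurationProperty -PSPath $ApphostPS -Location $Location -Filter $Filter -Name 'denyAction' -Value 'AbortRequest'

# Restart the site so the change is applied (briefly interrupts Webmail on this site as well)
Stop-Website -Name $SiteName
Start-Website -Name $SiteName

# Read back what is now stored in applicationHost.config for /ecp
$cfg = Get-WebConfiguration -PSPath $ApphostPS -Location $Location -Filter $Filter
"allowUnlisted = $($cfg.allowUnlisted)   denyAction = $($cfg.denyAction)"
$cfg.Collection | Select-Object ipAddress, subnetMask, allowed | Format-Table -AutoSize
```

The read-back at the end should show allowUnlisted = False, denyAction = AbortRequest and a single allowed entry for 10.10.100.0/255.255.255.0; the restriction is scoped to the ecp location only, so the owa application is unaffected.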

III. Method #2: Client Access Rules

To protect the Exchange admin center, we can set up a Client Access Rule. This is an official method whose configuration is done only in PowerShell, from the Exchange Management Shell.

Note: With Client Access Rules, it is possible to go further than a restriction based on IP addresses. For example, a rule can rely on the value of an attribute in Active Directory.

I invite you to open the Exchange Management Shell console.

First, you can list the rules in place. By default, there are none.

Get-ClientAccessRule

Then we will set up a rule that always allows Remote PowerShell, so as not to lose control of Exchange if you create a bad rule. This is a recommendation from Microsoft, and the American company even provides the command to create this rule:

New-ClientAccessRule -Name "Always Allow Remote PowerShell" -Action AllowAccess -AnyOfProtocols RemotePowerShell -Priority 1

This rule will therefore have priority 1. Next, we will create a new rule on the same principle. This rule denies access to the Exchange admin center except for machines that belong to the network “10.10.100.0/24”. Which gives:

New-ClientAccessRule -Name "Allow ECP console only for 10.10.100.0/24" -Action DenyAccess -AnyOfProtocols ExchangeAdminCenter -ExceptAnyOfClientIPAddressesOrRanges 10.10.100.0/24 -Priority 2

Following the execution of this command, you can list your rules:

Exchange 2019 - Client Access Rules ECP

Once the rule is in place, you can test whether the restriction applies. There, I manage to reach the ECP authentication page, and even to log in. On the other hand, I cannot go further, because the rule is triggered as shown in the image below. We can say that it’s consistent: it’s not IIS that blocks me, but Exchange.

Exchange admin center blocked by a rule

Not what you wanted? No worries, you can delete the rule by specifying its name:

Remove-ClientAccessRule "Allow ECP console only for 10.10.100.0/24"
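Method #2 as a script, with the safety check the article recommends enforced before the deny rule is created, and a verification step that evaluates the rule set for a sample client address without opening a browser. This is an added example, not code from the original article; it runs in the Exchange Management Shell, reuses the article's subnet and rule names, and the test addresses and user account are constructed placeholders.

```powershell
# Added example (not from the original article): Method #2 as a script with a
# safety check and a verification step. Runs in the Exchange Management Shell.
# The subnet matches the article; the test addresses and user are constructed.
$MgmtSubnet = '10.10.100.0/24'
$DenyRule   = "Allow ECP console only for $MgmtSubnet"
$GuardRule  = 'Always Allow Remote PowerShell'

# 1. Never create a DenyAccess rule before Remote PowerShell is explicitly allowed,
#    otherwise a mistake in the next step can lock you out of the management shell.
$guard = Get-ClientAccessRule | Where-Object {
    $_.Action -eq 'AllowAccess' -and $_.AnyOfProtocols -contains 'RemotePowerShell'
}
if (-not $guard) {
    New-ClientAccessRule -Name $GuardRule -Action AllowAccess `
        -AnyOfProtocols RemotePowerShell -Priority 1
}

# 2. Deny the admin center except from the management subnet (same rule as the article)
if (-not (Get-ClientAccessRule -Identity $DenyRule -ErrorAction SilentlyContinue)) {
    New-ClientAccessRule -Name $DenyRule -Action DenyAccess `
        -AnyOfProtocols ExchangeAdminCenter `
        -ExceptAnyOfClientIPAddressesOrRanges $MgmtSubnet -Priority 2
}

# 3. Show the rule set in evaluation order (lowest priority value is evaluated first)
Get-ClientAccessRule | Sort-Object Priority |
    Format-Table Priority, Name, Action, AnyOfProtocols -AutoSize

# 4. Evaluate the rules for two sample clients: one address inside the management
#    subnet and one outside it (192.0.2.0/24 is the TEST-NET-1 documentation range).
#    The user is a constructed placeholder; use an existing mailbox in your organization.
foreach ($addr in '10.10.100.25', '192.0.2.10') {
    "--- ECP access from $addr ---"
    Test-ClientAccessRule -AuthenticationType BasicAuthentication -Protocol ExchangeAdminCenter `
        -RemoteAddress $addr -RemotePort 443 -User 'admin@example.local'
}
```

Test-ClientAccessRule reports which rule matches each simulated client, so the outside address should hit the DenyAccess rule while the management address matches nothing and is therefore allowed; this lets you validate the rule before touching the console from a real workstation.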

Full help on Exchange 2019 Client Access Rules is available on the Microsoft site:

IV. Conclusion

We have just seen how to restrict access to the Exchange admin center by applying a restriction based on IP addresses. This has no impact on Exchange Webmail itself, but it is a recommended action to protect the administration interface. Ideally, access is allowed from one or more management machines (or a management VLAN) and refused both from the outside and from the rest of the local network (excluding the declared machines).
