Extended Protection (EP) is a Windows feature that helps protect servers from ‘man in the middle’ (MiTM) attacks against authentication. With EP, Windows Authentication in IIS binds the credentials passed at the application layer to the TLS channel that carries them, by including a channel binding token derived from the TLS connection in the authentication exchange. The authentication data is also supplemented with the service name (SPN) of the endpoint the client believes it is talking to. If a MiTM does not present the service name the server expects, or sits in the middle of the TLS session so that the channel the client bound to is not the channel the server sees, the binding does not validate and the authentication request fails. This makes NTLM Relay and Ticket Replay scenarios much more difficult for bad actors.
We added support for EP in last year’s August 2022 Security Updates (SUs). Since then, we have provided guidance and made various improvements to the script that you can use to enable EP on your Exchange servers.
Today, we wanted to let you know that starting with the 2023 H2 Cumulative Update (CU) for Exchange Server 2019 (aka CU14), EP will be enabled by default when CU14 (or later) is installed. Exchange Server 2019 is currently in Mainstream Support and is the only version that still gets CUs.
Note, though, that this is only the default setting. Admins will be able to opt out of it, and can enable EP later, or not at all, if they choose. If you do want to opt out, you will need to use the command-line version of Setup (the parameter will be documented at a later time); the GUI version of Setup enables EP automatically. If you use unattended Setup or scripts to deploy CUs today, you will need to modify them to add the new Setup parameter, but only if you want to opt out.
We recommend that all customers enable EP in their environment. If your servers are running the August 2022 SU or a later SU, they already support EP. Any server older than the August 2022 SU is considered persistently vulnerable and should be updated immediately. Further, a server older than the August 2022 SU cannot satisfy EP, so server-to-server communication between it and any server that has EP enabled will break.
The script we provide can be used to enable EP on all Exchange servers in your organization, whereas Exchange Setup enables EP only on the local server it is installing. You can continue to use the EP script to evaluate your organization’s readiness and to enable or disable EP. Our recommendation is to enable EP, and using the script gives you a more comprehensive look at the requirements you might need to address first.
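As an added example (this is not the Exchange team’s EP script, and Setup does not use it), the following read-only PowerShell snippet reports what IIS on the local server currently has configured for Extended Protection on each Exchange virtual directory. It assumes the IIS WebAdministration module is available, that it runs in an elevated session on an Exchange server, and that the two site names are the IIS defaults Exchange Setup creates; the site names, the function name and the summary logic are assumptions of the example, not Exchange behaviour. Which tokenChecking value is correct for a given directory is decided by the Exchange team’s script, not by this example.

```powershell
# Added example, not the Exchange team's EP script: report what IIS on the LOCAL
# server has configured for Extended Protection on every Exchange virtual directory.
# Read-only. Run in an elevated PowerShell session on the Exchange server.
# Assumptions: the IIS WebAdministration module is present, and the site names
# below are the IIS defaults that Exchange Setup creates.
Import-Module WebAdministration

# IIS configuration section that holds Windows Authentication and its
# <extendedProtection tokenChecking="..." flags="..." /> child element.
$WinAuthFilter = 'system.webServer/security/authentication/windowsAuthentication'

function Get-ExchangeEpStatus {
    [CmdletBinding()]
    param(
        # Assumed site names; adjust if your installation renamed them.
        [string[]]$Site = @('Default Web Site', 'Exchange Back End')
    )
    foreach ($s in $Site) {
        if (-not (Test-Path "IIS:\Sites\$s")) {
            Write-Warning "Site '$s' not found; skipping."
            continue
        }
        # The site root plus every application (virtual directory) beneath it.
        $paths = @("IIS:\Sites\$s") +
                 @(Get-WebApplication -Site $s | ForEach-Object { "IIS:\Sites\$s$($_.path)" })
        foreach ($p in $paths) {
            $cfg = Get-WebConfiguration -Filter $WinAuthFilter -PSPath $p
            [pscustomobject]@{
                Path          = $p
                WindowsAuth   = [bool]$cfg.enabled
                # None    = EP off
                # Allow   = binding checked only when the client supplies one
                # Require = binding enforced (clients that omit it are rejected)
                TokenChecking = [string]$cfg.extendedProtection.tokenChecking
                Flags         = [string]$cfg.extendedProtection.flags
            }
        }
    }
}

# Summarise: a directory with Windows auth on and tokenChecking = None is a
# directory where NTLM relay is still possible on this server.
$status = Get-ExchangeEpStatus
$status | Format-Table -AutoSize
$unprotected = @($status | Where-Object { $_.WindowsAuth -and $_.TokenChecking -eq 'None' })
if ($unprotected.Count -gt 0) {
    Write-Warning ("{0} Windows-auth virtual director(ies) without EP:`n{1}" -f
        $unprotected.Count, ($unprotected.Path -join "`n"))
}
```

Run it before and after installing CU14 (or after running the EP script) to see the change on the local server. The example deliberately only reads the configuration; changing tokenChecking by hand, outside Setup or the EP script, can break client access and server-to-server traffic, which is exactly what the script’s readiness checks are there to prevent.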
| If you… | Then, when CU14 releases… |
| --- | --- |
| Are running the Aug 2022 SU or later and have enabled EP already | Install CU14 (no special steps needed). |
| Are running the Aug 2022 SU or later but have not yet enabled EP | We recommend installing CU14 with the default of ‘Enable EP’ left on. If you don’t want to enable EP when installing CU14, you must use the command-line version of Setup and opt out of enabling EP. |
| Are running a version of Exchange Server earlier than the Aug 2022 SU | We send you thoughts and prayers, and very strong but gentle guidance to update your servers to the latest SU immediately. The minimum SU for EP is from Aug 2022. This is not a typo; that’s more than a year ago. Seriously, why are you not updating your servers? If you don’t update them, eventually you won’t be able to send email into Microsoft 365 or Exchange Online, and no one wants that. We don’t. We just want you to keep your servers updated. |
We know that changes to security configuration need to be evaluated carefully. We are committed to helping you make your Exchange organization more secure. As always, we welcome and listen to your feedback.
Exchange Server Team
You Had Me at EHLO.