Today we are announcing the availability of quarterly servicing updates, cumulative and update rollups, for all supported versions of Exchange Server. Exchange Server 2010, 2013, 2016 and 2019 all re...
Updated Jul 01, 2019
Version 2.0
Blog Post
@Martin, yes the CU's released today should remove this key, if present. The 2010 RU will not remove the key. There's no harm if you have already done this, it will not interfere with CU installation.
Hi Brent. If DisableLoopbackCheck is now being disabled in all 2013+ CUs, why was it still in-place? Does this mean Exchange Server has been unwinding a default security feature that's been around for something like 15 years for no benefit? And why didn't the Exchange team push BackConnectionHostNames guidance as is common in other web technologies like SharePoint?
- @Tristan - There have been legitimate reasons for Exchange to enable this. We are hearing some reports of certain Exchange monitoring tools requiring loopback to be enabled. We will look to change the behavior of these cmdlets. But honestly it appears to have been an optimization that was made for reasons that may no longer apply to Exchange code, a long time ago. In general we don't like to change behavior that has existed for a very long time due to the surface area that Exchange covers and the risk of regression. In this case however, closing a security hole made that a requirement. Our preference is to remove dependence on NTLM altogether in the product and that is the work that has been more important to us and that we have been working on.
It is a minor optimization based upon reports coming in from SCOM. We likely have to update our cmdlets, but I don't want to give the impression we haven't tested the cmdlets. It's hard for us to tell in a one-box topology what is real and what isn't when tests fail sometimes.
- @Brent. Thanks for the candid reply. I appreciate there's always a balance to be achieved between adaptation and stability, but I think the main concern is that Exchange has been fully disabling the loopback check rather than explicitly whitelisting the Exchange URLs with BackConnectionHostNames, as has been the guidance in the SharePoint, NLB, etc. worlds for over a decade.