Microsoft has released security updates (SUs) for vulnerabilities found in:
Exchange Server 2013
Exchange Server 2016
Exchange Server 2019
IMPORTANT: Updates are released in a self-extrac...
Updated Aug 11, 2022
Version 8.0
Blog Post
Hello Nino_Bilic and LukasSMSFT
I have question about Windows Authentication state on virtual directories.
Per table with virtual directories listed in https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/, some virtual directories should have WEP set to Allow or Required. But some of them does not have Windows Authentication enabled by default (for instance OWA in Default Web Site) while WEP is enhancement of Windows Authentication feature (per https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/extendedprotection/)
How Extended protection is supposed to work in this case if Windows Authentication is disabled for such virtual directory? If it is not supposed to work, why documentation lists it as Required/Allow for vdirs without Windows Authentication and why does script enable it?
Thank you!