How To: Disable Exchange 2016 ECP External Access
In a world where the smallest exposure can lead to a full-on data breach, we definitely want to be conscious of our security, risks, and attack surface. 9 times out of 10, we are never going to require external ECP access, so why risk leaving it open?
Step one – install the “IP and Domain Restrictions” feature:
In order to achieve this, we are basically going to restrict the ECP directory to only internal IP addresses. In order to do that, we need to ensure we have the “IP and Domain Restrictions” Web Server Security feature installed.
Fire up Server Manager and “Add Roles and Features” on your Exchange Server.
Underneath Server Roles -> Web Server -> Security, check “IP and Domain Restrictions” and next, next, install:
Step two – restrict access to ECP:
Now that we have the IP and Domain Restrictions installed, we can go ahead and restrict access.
Open up IIS Manager and navigate to the ECP directory underneath your Default Web Site.
From here, double click on “IP Address and Domain Restrictions”:
Now we want to start by allowing our internal network.
From the side navigation, click “Add Allow Entry…”:
It’s up to you whether you add a single management IP address (perhaps a jump box you use to manage your network) or allow a specific range. Either way, take your pick and fill in the blanks:
This allows the IP address(es) we specified to access the ECP; now we want to block anyone else.
Again from the side navigation, click on “Edit Feature Settings…”
Finally, set “Access for unspecified clients” to “Deny” and take your pick for the “Deny Action Type”.
In this case, we chose “Not Found” to assist in preventing bots from potentially recognising that an ECP even exists.
Step three – test our handiwork:
Congratulations! You’ve just blocked the world from accessing your ECP.
Let’s give it a test run! Hit your ECP from a web browser outside of the IP scope, and you should receive an error:
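For anyone who would rather script the three steps above (or apply them consistently across several servers), here is an added PowerShell equivalent. It is an example written for this page, not code from the original post or from Microsoft. It assumes the front-end site is named “Default Web Site”, that management traffic comes from the constructed range 10.10.0.0/16 and the constructed jump box 192.168.50.10, and that the externally reachable hostname is the placeholder mail.example.com; change those to match your environment. Run it in an elevated Windows PowerShell session on the Exchange server.

```powershell
# Added example: scripted version of the three manual steps in this post.
# Assumptions (adjust to your environment):
#   - front-end site name: "Default Web Site"
#   - allowed sources: 10.10.0.0/16 (constructed internal range)
#                      192.168.50.10 (constructed management jump box)
#   - external hostname: mail.example.com (placeholder)

# Step one: install the "IP and Domain Restrictions" feature (Web-IP-Security).
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}

Import-Module WebAdministration

# Writing through the APPHOST path with -Location stores the settings in a
# <location> block of applicationHost.config for the ecp application. That is
# what IIS Manager does, and it avoids having to unlock the ipSecurity section
# for web.config delegation.
$psPath   = 'MACHINE/WEBROOT/APPHOST'
$location = 'Default Web Site/ecp'
$filter   = 'system.webServer/security/ipSecurity'

# Step two: allow entries for the internal network and the management host.
$allowed = @(
    @{ ipAddress = '10.10.0.0';     subnetMask = '255.255.0.0';     allowed = 'true' }  # constructed internal range
    @{ ipAddress = '192.168.50.10'; subnetMask = '255.255.255.255'; allowed = 'true' }  # constructed jump box
)

$existing = Get-WebConfiguration -PSPath $psPath -Location $location -Filter "$filter/add"
foreach ($entry in $allowed) {
    # Skip entries that already exist so the script can be re-run safely.
    $dup = $existing | Where-Object { $_.ipAddress -eq $entry.ipAddress -and $_.subnetMask -eq $entry.subnetMask }
    if ($dup) { continue }
    Add-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $filter -Name '.' -Value $entry
}

# Deny every client not listed above, and answer with 404 Not Found rather than
# 403 so the response does not confirm to a scanner that an ECP exists.
Set-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $filter -Name 'allowUnlisted' -Value $false
Set-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $filter -Name 'denyAction'    -Value 'NotFound'

# Step three: verify. Run Test-EcpAccess once from an address outside the allowed
# ranges (expect 404) and once from inside (expect the login page, i.e. 200 or 401).
function Test-EcpAccess {
    param([string]$Url = 'https://mail.example.com/ecp/')   # placeholder hostname
    try {
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return [int]$response.StatusCode
    } catch {
        # A 4xx/5xx answer surfaces as an exception; pull the status code out of it.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

$status = Test-EcpAccess
if ($status -eq 404) { "ECP is hidden from this address (HTTP 404)" }
else                 { "ECP answered with HTTP $status from this address" }
```

One thing to keep in mind when applying this: in Exchange 2013 and 2016 the Outlook on the web “Options” pages are also served from the /ecp path, so users who open OWA from outside the allowed ranges will lose access to their mailbox settings page. If that matters for your users, keep a narrower allow list of admin sources and test OWA Options from an external client before calling the change done.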