
Many environments have not yet enabled Extended Protection in Exchange Server. Although enabling it is possible, administrators are often unaware, or incorrectly informed, that they should enable it for security reasons. In this article, you will learn how to configure Extended Protection in Exchange Server.

What is Extended Protection?

Windows Extended Protection enhances the existing authentication in Windows Server and mitigates authentication relay, or “man in the middle” (MitM), attacks. It does this with channel binding: a Channel Binding Token (CBT) ties the authentication to the SSL/TLS connection it was performed over, so an authentication relayed over a different connection does not validate.

While Extended Protection can be enabled manually on each virtual directory, Microsoft provided the ExchangeExtendedProtectionManagement.ps1 PowerShell script to help accomplish this in bulk.

There are some limitations to be aware of before enabling Extended Protection on Exchange Server. Therefore, review the Microsoft documentation (which is kept up to date) and check whether your environment meets the requirements.

Windows Extended Protection is supported on the following Exchange Server versions:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

Note: You need the August 2022 Exchange Server Security Update (SU) release or later installed on the Exchange Server.

Important: Remember to keep the Exchange Server up to date with the latest Exchange Cumulative Update and Exchange Security Update. Subscribe to the newsletter, and don’t miss out on the Exchange Server updates.

Check Extended Protection status

We recommend two methods to check the Extended Protection status on Exchange Server.

Method 1. Exchange Health Checker script

Run the Exchange Health Checker script and create an Exchange Server Health Check report. This will tell you if Extended Protection is enabled on the Exchange Server.

[PS] C:\scripts>Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match "^Version 15"} | %{.\HealthChecker.ps1 -Server $_.Name}; .\HealthChecker.ps1 -BuildHtmlServersReport; .\ExchangeAllServersReport.html

Extended Protection is not enabled on the Exchange Server, and it shows the security vulnerabilities:

(Screenshot: Health Checker report showing Extended Protection not configured)

Method 2. Exchange Extended Protection Management PowerShell script

Download ExchangeExtendedProtectionManagement.ps1 PowerShell script and save it in the C:\scripts folder.

Run Exchange Management Shell as administrator and run the script, including the -ShowExtendedProtection parameter.

The Value and SupportedValue columns should show the same value for each virtual directory.

In our example, the Value column shows None for all the virtual directories, which means that Extended Protection is not enabled on the Exchange Server.

[PS] C:\>C:\scripts\.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection

Version 23.05.04.2151
Results for Server: EX01-2019

Default Web Site            Value SupportedValue ConfigSupported RequireSSL     ClientCertificate IPFilterEnabled
----------------            ----- -------------- --------------- ----------     ----------------- ---------------
API                         None  Require                  False True (128-bit) Ignore                      False
Autodiscover                None  None                      True True (128-bit) Ignore                      False
ECP                         None  Require                  False True (128-bit) Ignore                      False
EWS                         None  Allow                     True True (128-bit) Ignore                      False
Microsoft-Server-ActiveSync None  Allow                     True True (128-bit) Ignore                      False
OAB                         None  Require                  False True (128-bit) Ignore                      False
Powershell                  None  Require                  False False          Accept                      False
OWA                         None  Require                  False True (128-bit) Ignore                      False
RPC                         None  Require                  False False          Ignore                      False
MAPI                        None  Require                  False True (128-bit) Ignore                      False




Exchange Back End           Value SupportedValue ConfigSupported RequireSSL     ClientCertificate IPFilterEnabled
-----------------           ----- -------------- --------------- ----------     ----------------- ---------------
API                         None  Require                  False True (128-bit) Ignore                      False
Autodiscover                None  None                      True True (128-bit) Ignore                      False
ECP                         None  Require                  False True (128-bit) Ignore                      False
EWS                         None  Require                  False True (128-bit) Ignore                      False
Microsoft-Server-ActiveSync None  Require                  False True (128-bit) Ignore                      False
OAB                         None  Require                  False True (128-bit) Ignore                      False
Powershell                  None  Require                  False True (128-bit) Accept                      False
OWA                         None  Require                  False True (128-bit) Ignore                      False
RPC                         None  Require                  False False          Ignore                      False
PushNotifications           None  Require                  False True (128-bit) Ignore                      False
RPCWithCert                 None  Require                  False False          Ignore                      False
MAPI/emsmdb                 None  Require                  False True           Ignore                      False
MAPI/nspi                   None  Require                  False True           Ignore                      False
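The script's Value column is read from the tokenChecking attribute of each virtual directory's IIS windowsAuthentication/extendedProtection element. The following added example (not code from the article or from Microsoft's script) reads that attribute directly from IIS for every virtual directory listed above and compares it with the SupportedValue column, so the check can be scripted without the management script. It assumes an elevated shell on the Exchange server with the WebAdministration module installed; the expected values are copied from the Exchange 2019 output above and may differ on other versions or builds.

```powershell
# Added example, not code from the article or from Microsoft's script.
# Reads the Extended Protection setting of each Exchange virtual directory
# directly from IIS (the tokenChecking attribute behind the script's "Value"
# column) and compares it with the SupportedValue the output above lists.
# Assumptions: runs in an elevated shell on the Exchange server with the
# WebAdministration module installed; the expected values are copied from the
# Exchange 2019 output shown above and may differ on other versions or builds.
Import-Module WebAdministration

$Filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

# Expected tokenChecking value per site and virtual directory (SupportedValue column above).
$Expected = @{
    'Default Web Site' = @{
        'API' = 'Require'; 'Autodiscover' = 'None'; 'ECP' = 'Require'; 'EWS' = 'Allow'
        'Microsoft-Server-ActiveSync' = 'Allow'; 'OAB' = 'Require'; 'Powershell' = 'Require'
        'OWA' = 'Require'; 'RPC' = 'Require'; 'MAPI' = 'Require'
    }
    'Exchange Back End' = @{
        'API' = 'Require'; 'Autodiscover' = 'None'; 'ECP' = 'Require'; 'EWS' = 'Require'
        'Microsoft-Server-ActiveSync' = 'Require'; 'OAB' = 'Require'; 'Powershell' = 'Require'
        'OWA' = 'Require'; 'RPC' = 'Require'; 'PushNotifications' = 'Require'
        'RPCWithCert' = 'Require'; 'MAPI/emsmdb' = 'Require'; 'MAPI/nspi' = 'Require'
    }
}

function Get-EPVirtualDirectoryStatus {
    foreach ($Site in $Expected.Keys) {
        foreach ($VDir in $Expected[$Site].Keys) {
            $Location = "$Site/$VDir"
            try {
                $Raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                    -Location $Location -Filter $Filter -Name 'tokenChecking' -ErrorAction Stop
                # Depending on the attribute type the cmdlet returns a string or a
                # ConfigurationAttribute object; normalise both to the plain value.
                $Actual = if ($Raw -is [string]) { $Raw } elseif ($null -ne $Raw.Value) { [string]$Raw.Value } else { [string]$Raw }
            } catch {
                $Actual = 'ReadError'   # virtual directory missing or configuration not readable
            }
            [PSCustomObject]@{
                Location       = $Location
                Value          = $Actual
                SupportedValue = $Expected[$Site][$VDir]
                Compliant      = ($Actual -eq $Expected[$Site][$VDir])
            }
        }
    }
}

$Status = Get-EPVirtualDirectoryStatus
$Status | Sort-Object Location | Format-Table -AutoSize

# A non-zero exit lets the check run from a scheduled task or monitoring job
# and flag any virtual directory that has drifted from its supported value.
if ($Status | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Extended Protection is not at the supported value on every virtual directory.'
    exit 1
}
```

Run it before and after enabling Extended Protection: before, every row except Autodiscover reports Compliant False (Value None); afterwards all rows should report True, matching the "Value equals SupportedValue" check the article describes.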

In the next step, we will enable Extended Protection on the Exchange Server.

How to enable Exchange Server Extended Protection

Go through the following steps to enable Extended Protection on the Exchange Server.

Important: Perform these steps outside working hours, even with a DAG configuration, because you need to confirm that Outlook clients can still connect successfully after the change.

1. Update to the latest Exchange Server CU/SU.

2. Configure Exchange Server TLS settings.

3. Disable SSL Offloading for Outlook Anywhere.

SSL offloading for Outlook Anywhere is enabled by default and must be disabled for Extended Protection.

[PS] C:\>Set-OutlookAnywhere "EX01-2019\RPC (Default Web Site)" -SSLOffloading $false

4. Download ExchangeExtendedProtectionManagement.ps1 PowerShell script and save it in the C:\scripts folder.

5. Ensure that the admin is added to the Organization Management group.

(Screenshot: Organization Management role group membership)

Note: The user must be in Organization Management and must run this script from an elevated Exchange Management Shell (EMS) command prompt. After adding the user to the Organization Management group, sign off and sign in again to have the changes take effect.

6. Change the path directory to the scripts folder and run the PowerShell script to enable Extended Protection on Exchange Server.

[PS] C:\>cd C:\scripts
[PS] C:\scripts>.\ExchangeExtendedProtectionManagement.ps1

7. The output will show information about enabling Extended Protection. Press Y and Enter.

Version 23.05.04.2151

Enabling Extended Protection
Extended Protection is recommended to be enabled for security reasons. Known Issues: Following scenarios will not work
when Extended Protection is enabled.
    - SSL offloading or SSL termination via Layer 7 load balancing.
    - Exchange Hybrid Features if using Modern Hybrid.
    - Access to Public folders on Exchange 2013 Servers.
You can find more information on: https://aka.ms/ExchangeEPDoc. Do you want to proceed?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y

8. The script runs the prerequisite checks, creates a backup of applicationHost.config, and configures Extended Protection.

The following servers have the TLS Configuration below
EX01-2019

RegistryName        Location                                                                              Value
------------        --------                                                                              -----
SchUseStrongCrypto  SOFTWARE\Microsoft\.NETFramework\v2.0.50727                                           1
SystemTlsVersions   SOFTWARE\Microsoft\.NETFramework\v2.0.50727                                           1
SchUseStrongCrypto  SOFTWARE\Microsoft\.NETFramework\v4.0.30319                                           1
SystemTlsVersions   SOFTWARE\Microsoft\.NETFramework\v4.0.30319                                           1
SchUseStrongCrypto  SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727                               1
SystemTlsVersions   SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727                               1
SchUseStrongCrypto  SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319                               1
SystemTlsVersions   SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319                               1
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client  1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client  0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server  1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server  0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client  1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client  0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server  1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server  0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client  0
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client  1
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server  0
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server  1

TLS prerequisites check successfully passed!

All servers that we are trying to currently configure for Extended Protection have RPC (Default Web Site) set to false for SSLOffloading.
EX01-2019: Backing up applicationHost.config.
EX01-2019: Successful backup to C:\Windows\System32\inetSrv\config\applicationHost.cep.20230505220519.bak
EX01-2019: Successfully updated applicationHost.config.

Successfully enabled Extended Protection: EX01-2019
Do you have feedback regarding the script? Please email ExToolsFeedback@microsoft.com.

Extended Protection is successfully enabled.
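Because the management script stops when a prerequisite fails, it helps to check the prerequisites from the procedure above on every server beforehand. The following added example (not code from the article or from Microsoft's script) verifies the TLS registry values (step 2), SSL offloading on Outlook Anywhere (step 3) and Organization Management membership (step 5), and lists the applicationHost.config backups the script leaves behind (step 8). It assumes an elevated Exchange Management Shell on the server; the expected registry values are the ones in the "TLS Configuration" output above, and the backup folder and file pattern come from the backup line in that output.

```powershell
# Added example, not code from the article or from Microsoft's script.
# Pre-flight check for the prerequisites the procedure above walks through:
# TLS registry settings (step 2), SSL offloading on Outlook Anywhere (step 3),
# Organization Management membership (step 5), plus a listing of the
# applicationHost.config backups the script leaves behind (step 8).
# Assumptions: run from an elevated Exchange Management Shell on the server;
# the expected registry values are those in the "TLS Configuration" output
# above, and the backup path and file pattern come from the output's backup line.
param(
    [string]$Server    = $env:COMPUTERNAME,
    [string]$AdminUser = $env:USERNAME
)

function Test-TlsRegistry {
    $Checks = @()
    # .NET Framework: strong crypto and system TLS versions on, for both bitnesses.
    foreach ($Root in 'SOFTWARE\Microsoft', 'SOFTWARE\Wow6432Node\Microsoft') {
        foreach ($Fw in 'v2.0.50727', 'v4.0.30319') {
            $Checks += @{ Path = "$Root\.NETFramework\$Fw"; Name = 'SchUseStrongCrypto'; Value = 1 }
            $Checks += @{ Path = "$Root\.NETFramework\$Fw"; Name = 'SystemTlsVersions';  Value = 1 }
        }
    }
    # SCHANNEL: TLS 1.0/1.1 disabled, TLS 1.2 enabled, for client and server.
    $Schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($Side in 'Client', 'Server') {
        foreach ($Ver in 'TLS 1.0', 'TLS 1.1') {
            $Checks += @{ Path = "$Schannel\$Ver\$Side"; Name = 'DisabledByDefault'; Value = 1 }
            $Checks += @{ Path = "$Schannel\$Ver\$Side"; Name = 'Enabled';           Value = 0 }
        }
        $Checks += @{ Path = "$Schannel\TLS 1.2\$Side"; Name = 'DisabledByDefault'; Value = 0 }
        $Checks += @{ Path = "$Schannel\TLS 1.2\$Side"; Name = 'Enabled';           Value = 1 }
    }
    foreach ($C in $Checks) {
        # A missing key or value yields $null, which fails the comparison.
        $Actual = (Get-ItemProperty -Path "HKLM:\$($C.Path)" -Name $C.Name -ErrorAction SilentlyContinue).($C.Name)
        [PSCustomObject]@{ Check = "$($C.Path)\$($C.Name)"; Expected = $C.Value; Actual = $Actual; Pass = ($Actual -eq $C.Value) }
    }
}

function Test-SslOffloading {
    # Step 3: SSL offloading must be off on RPC (Default Web Site).
    Get-OutlookAnywhere -Server $Server | ForEach-Object {
        [PSCustomObject]@{ Check = "$($_.Identity) SSLOffloading"; Expected = $false; Actual = $_.SSLOffloading; Pass = (-not $_.SSLOffloading) }
    }
}

function Test-OrgManagement {
    # Step 5: the account that will run the script must be a direct member of
    # Organization Management (membership through nested groups is not resolved here).
    $Member = Get-RoleGroupMember 'Organization Management' |
        Where-Object { $_.Name -eq $AdminUser -or $_.SamAccountName -eq $AdminUser }
    [PSCustomObject]@{ Check = "$AdminUser in Organization Management"; Expected = $true; Actual = [bool]$Member; Pass = [bool]$Member }
}

function Get-EPBackup {
    # Step 8: the script writes applicationHost.cep.<timestamp>.bak next to applicationHost.config.
    Get-ChildItem -Path "$env:windir\System32\inetsrv\config" -Filter 'applicationHost.cep.*.bak' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object Name, LastWriteTime
}

$Results = @(Test-TlsRegistry) + @(Test-SslOffloading) + @(Test-OrgManagement)
$Results | Format-Table Check, Expected, Actual, Pass -AutoSize
Write-Output 'applicationHost.config backups written by the script:'
Get-EPBackup | Format-Table -AutoSize

if ($Results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more prerequisites are not met; resolve them before enabling Extended Protection.'
    exit 1
}
```

Keep the backup listing in mind for the rollback section: the -RollbackType "RestoreIISAppConfig" option restores the most recent of exactly these files, so confirming a backup exists on each server before you need it is part of the change plan.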

Verify Extended Protection enabled status

Ensure everything is set correctly and create a new Exchange Server Health Check report.

The report no longer lists a security vulnerability for Extended Protection. It shows Extended Protection Enabled (Any VDir) with the value True.

(Screenshot: Health Checker report showing Extended Protection enabled)

Another way is to check it with the PowerShell script. This is how it looks.

The Value and SupportedValue columns now show the same values, which means that Extended Protection is enabled on the Exchange Server.

[PS] C:\>C:\scripts\.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection

Version 23.05.04.2151
Results for Server: EX01-2019

Default Web Site            Value   SupportedValue ConfigSupported RequireSSL     ClientCertificate IPFilterEnabled
----------------            -----   -------------- --------------- ----------     ----------------- ---------------
API                         Require Require                   True True (128-bit) Ignore                      False
Autodiscover                None    None                      True True (128-bit) Ignore                      False
ECP                         Require Require                   True True (128-bit) Ignore                      False
EWS                         Allow   Allow                     True True (128-bit) Ignore                      False
Microsoft-Server-ActiveSync Allow   Allow                     True True (128-bit) Ignore                      False
OAB                         Require Require                   True True (128-bit) Ignore                      False
Powershell                  Require Require                   True False          Accept                      False
OWA                         Require Require                   True True (128-bit) Ignore                      False
RPC                         Require Require                   True True (128-bit) Ignore                      False
MAPI                        Require Require                   True True (128-bit) Ignore                      False




Exchange Back End           Value   SupportedValue ConfigSupported RequireSSL     ClientCertificate IPFilterEnabled
-----------------           -----   -------------- --------------- ----------     ----------------- ---------------
API                         Require Require                   True True (128-bit) Ignore                      False
Autodiscover                None    None                      True True (128-bit) Ignore                      False
ECP                         Require Require                   True True (128-bit) Ignore                      False
EWS                         Require Require                   True True (128-bit) Ignore                      False
Microsoft-Server-ActiveSync Require Require                   True True (128-bit) Ignore                      False
OAB                         Require Require                   True True (128-bit) Ignore                      False
Powershell                  Require Require                   True True (128-bit) Accept                      False
OWA                         Require Require                   True True (128-bit) Ignore                      False
RPC                         Require Require                   True True (128-bit) Ignore                      False
PushNotifications           Require Require                   True True (128-bit) Ignore                      False
RPCWithCert                 Require Require                   True True (128-bit) Ignore                      False
MAPI/emsmdb                 Require Require                   True True (128-bit) Ignore                      False
MAPI/nspi                   Require Require                   True True (128-bit) Ignore                      False

Extended Protection is successfully configured on the Exchange Server.

Rollback Exchange Extended Protection

This syntax rolls back the Extended Protection configuration for all the Exchange Servers that are online where Extended Protection was previously configured.

[PS] C:\scripts>.\ExchangeExtendedProtectionManagement.ps1 -RollbackType "RestoreIISAppConfig"

This syntax rolls back the Extended Protection mitigation of IP restriction for the EWS Backend virtual directory on all the Exchange Servers that are online where Extended Protection was previously configured.

[PS] C:\scripts>.\ExchangeExtendedProtectionManagement.ps1 -RollbackType "RestrictTypeEWSBackend"

That’s it!
