Skip to main content

Great Microsoft engineers maintain the Exchange Server Health Checker PowerShell script. The script is excellent because they listen to feedback and are fast at pushing changes. A new update to the script will now show the correct vulnerability information if there are virtual directories (vDirs) with IP filtering.

Exchange Server Health Checker script supports vDir IP filtering

You did  disable external access to ECP in Exchange Server  or another vDir. However, when running the Exchange Server Health Checker script, it shows that there is a vulnerability present.

So what if you want to keep blocking the ECP vDir from external? Is that not the correct approach? Well, it is. But the Exchange Server Health Checker script didn’t correctly show that and flagged it as a security vulnerability.

Many admins removed ECP blocking and thought this was the correct approach. Unfortunately, that isn’t the case, and it’s best to  block ECP with an IIS rule .

The good thing is that everything appears correctly with a new Exchange Health Checker script update. Let’s have a look at it in the next steps.

Note: Blocking external access to ECP is recommended, but that doesn’t mean you’re now completely protected. The best practice is to configure a remote access VPN on the firewall or Windows Server. This will ensure that the Exchange Server (and other servers in the organization) are available only to the users and not everyone.

vDir IP filtering enabled (before)

This is how it looked before when you  disable external access to ECP in Exchange Server  (recommended) and run the Exchange Server Health Checker PowerShell script.

There is a vulnerability detected on both Exchange Servers.

Exchange health checker script vDir IP filtering before

Let’s scroll down in the report and get more information in the Security Vulnerability rows.

The IPFilterEnabled value is True for the ECP vDir (Default Web Site), which is why it flags it as a security vulnerability.

Exchange health checker script vDir IP filtering sec vuln available

vDir IP filtering enabled (after)

Running Exchange Server Health Checker script version v22.10.17.1713 or later shows that there is no security vulnerability when you have IP filtering enabled on the ECP vDir.

Note: The Exchange Server Health Checker script will update itself when you run it. If that’s not the case, ensure you download the latest HealthChecker.

Exchange health checker script vDir IP filtering after

Scroll down and verify that the Security Vulnerabilities row shows the value None.

Exchange health checker script vDir IP filtering sec vuln none

That’s it!

Leave a Reply