Disabling Exchange Services via LoadMaster
As per Microsoft recommendations, along with implementing Cookie Filtering Microsoft mitigation recommendations include disabling specific Exchange Services for access. This is made up of :
|
Disabling the Unified Message services in Exchange
|
|
|
Disabling the Exchange Control Panel (ECP) Virtual Directory
|
|
|
Disabling the Offline Address Book (OAB) Application Pool and API
|
If LoadMaster is being used to load balance Exchange, blocking access to these specific services can be easily achieved. This may be useful where a separate Virtual Services is used for external access and access is kept available locally. With the loadMaster Exchange template, Exchange services are separated into separate Sub Virtual Services depending on the Application/Virtual Directory. LoadMaster provides a simple way to disable SubVs which in effect blocks traffic for this service.
Simply Navigate to the Exchange Virtual Service and Under the SubVSs list click ‘disable’ for the specific services..
Disabling the ECP, OAB, and EWS will prevent access to the services outlined.
An alternative option if access to these services is a requirement from specific networks is to ‘whitelist’ these services to trusted IP addresses using LoadMaster Content Rules thus blocking for all other IP addresses.
To do this
- Create a Content rule Matching specific IP Addresses see here for details.
- Apply to all Real Servers used by the specific SubVSs
Note these are just useful actions as part of a mitigation strategy. For full protection, it is strongly recommended that Exchange Server security updates are applied.