How to block external access to the Exchange Admin Center
source: http://www.expta.com/2018/10/how-to-block-external-access-to.html
How To: Disable Exchange 2016 ECP External Access
In a world where the smallest exposure can lead to a full-on data breach, we definitely want to be conscious of our security, risks, and attack surface. 9 times out of 10, we are never going to require external ECP access, so why risk leaving it open?
Step one – install the “IP and Domain Restrictions” feature:
To achieve this, we are going to restrict the ECP directory to internal IP addresses only. To do that, we need the “IP and Domain Restrictions” Web Server Security feature installed.
Fire up Server Manager and “Add Roles and Features” on your Exchange Server.
Underneath Server Roles -> Web Server -> Security, check “IP and Domain Restrictions” and next, next, install:

Step two – restrict access to ECP:
Now that we have the IP and Domain Restrictions installed, we can go ahead and restrict access.
Open up IIS Manager and navigate to the ECP directory underneath your Default Web Site.
From here, double click on “IP Address and Domain Restrictions“:

Now we want to start by allowing our internal network.
From the side navigation, click “Add Allow Entry…”:

It’s up to you whether you add a single management IP address (perhaps a jump box you use to manage your network), or to allow a specific range. Either way, take your pick and fill in the blanks:

This allows the IP address(es) we specified to access the ECP. Now we want to block everyone else.
Again from the side navigation, click on “Edit Feature Settings…”

Finally, set “Access for unspecified clients” to “Deny” and take your pick for the “Deny Action Type”.
In this case, we chose “Not Found” to help prevent bots from recognising that an ECP even exists.

Step three – test our handiwork:
Congratulations! You’ve just blocked the world from accessing your ECP.
Let’s give it a test run! Hit your ECP from a web browser outside of the IP scope, and you should receive an error.
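The same three steps can be scripted with the WebAdministration module, which is useful when several Exchange servers need identical settings. This is an added example, not part of the original article; the management address 192.0.2.10 is a constructed placeholder to replace with your own jump box or internal range.

```powershell
# Added example: scripted equivalent of the GUI steps above.
# Run from an elevated PowerShell session on the Exchange server.
# Assumption: the allow entry below is a constructed placeholder address.
$Location  = 'Default Web Site/ecp'          # the ECP directory restricted in step two
$Filter    = 'system.webServer/security/ipSecurity'
$PSPath    = 'MACHINE/WEBROOT/APPHOST'       # settings are written to applicationHost.config
$AllowIp   = '192.0.2.10'                    # placeholder: your management host
$AllowMask = '255.255.255.255'               # single host; use e.g. 255.255.255.0 for a range

# Step one: install "IP and Domain Restrictions" if it is missing.
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}
Import-Module WebAdministration

# Step two (a): add the allow entry, skipping it if it already exists
# so the script can be re-run safely.
$existing = Get-WebConfiguration -Filter "$Filter/add" -PSPath $PSPath -Location $Location |
    Where-Object { $_.ipAddress -eq $AllowIp -and $_.subnetMask -eq $AllowMask }
if (-not $existing) {
    Add-WebConfiguration -Filter $Filter -PSPath $PSPath -Location $Location `
        -Value @{ ipAddress = $AllowIp; subnetMask = $AllowMask; allowed = 'true' }
}

# Step two (b): "Access for unspecified clients" = Deny,
# "Deny Action Type" = Not Found (HTTP 404).
Set-WebConfigurationProperty -Filter $Filter -PSPath $PSPath -Location $Location `
    -Name allowUnlisted -Value $false
Set-WebConfigurationProperty -Filter $Filter -PSPath $PSPath -Location $Location `
    -Name denyAction -Value 'NotFound'

# Step three: review what is now configured before testing from outside the scope.
Get-WebConfiguration -Filter $Filter -PSPath $PSPath -Location $Location |
    Select-Object allowUnlisted, denyAction
Get-WebConfiguration -Filter "$Filter/add" -PSPath $PSPath -Location $Location |
    Select-Object ipAddress, subnetMask, allowed
```

Make sure the allow entry covers the machine you administer from before applying the deny setting, otherwise you will receive the same 404 yourself.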
