This article provides information about Exchange Zero day Vulnerabilities and how to fix these while using MachPanel.
This article applies to Exchange 2013, 2016, 2019
Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server – Microsoft Security Response Center
Investigate if you are affected:
Get-ChildItem -Recurse -Path C:\inetpub\logs\LogFiles -Filter "*.log" |
Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
- URL Rewrite rule
- Disable remote PowerShell access for non-admins
URL Rewrite rule:
Disable remote PowerShell access for non-admins:
- Option 1: For customers who have the Exchange Emergency
Mitigation Service (EEMS) enabled, Microsoft released the URL Rewrite
mitigation for Exchange Server 2016 and Exchange Server 2019. The
mitigation is enabled automatically and is updated to include the URL
Rewrite rule improvements
- Option 2: Microsoft created the EOMTv2 script for the URL
Rewrite mitigation steps and updated it to include the URL Rewrite rule
improvements. EOMTv2 script will auto-update on Internet connected
machines and the updated version will show as 22.10.05.2304. The script
should be re-run on any Exchange Server without EEMS enabled.
- Option 3: Customers can follow the instructions as stated at Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server – Microsoft Security Response Center
Please refer to Control remote PowerShell access to Exchange servers | Microsoft Learn to disable remote PowerShell access for users per user and bulk users.
How MachPanel cares about its customers?
Deploy Hotfix v7.0.41 HF2
- Afterwards Every new created Mailbox will come up with RemotePowerShellEnabled as $false.
- For Existing Mailboxes, please trigger Fix security permissions per tenant.
Caution: MachPanel Service / Provisioning account should be kept as RemotePowerShellEnabled as $true.