Extended Protection enabled in Exchange Server (KB5017260)

Extended Protection enhances the existing authentication functionality in Microsoft Exchange Server to help mitigate authentication relay or "man in the middle" attacks. To safeguard servers against authentication relay attacks, the Extended Protection feature of Windows authentication will now be supported on servers that run Exchange Server.

More information from the official site below

https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/

Here we are going to see, what are he challenges which i faced during the installation

To show the current configuration in IIS

[PS] C:\RamkiScripts>& '.\ExchangeExtendedProtectionManagement (1).ps1' -ShowExtendedProtection

Version 23.01.13.2052

Results for Server: CMEX01

Default Web Site Value SupportedValue ConfigSupported RequireSSL ClientCertificate IPFilterEnabled

---------------- ----- -------------- --------------- ---------- ----------------- ---------------

API None Require False True (128-bit) Ignore False

Autodiscover None None True True (128-bit) Ignore False

ECP None Require False True (128-bit) Ignore False

EWS None Allow True True (128-bit) Ignore False

Microsoft-Server-ActiveSync None Allow True True (128-bit) Ignore False

OAB None Require False True (128-bit) Ignore False

Powershell None Require False False Accept False

OWA None Require False True (128-bit) Ignore False

RPC None Require False False Ignore False

MAPI None Require False True (128-bit) Ignore False

Exchange Back End Value SupportedValue ConfigSupported RequireSSL ClientCertificate IPFilterEnabled

----------------- ----- -------------- --------------- ---------- ----------------- ---------------

API None Require False True (128-bit) Ignore False

Autodiscover None None True True (128-bit) Ignore False

ECP None Require False True (128-bit) Ignore False

EWS None Require False True (128-bit) Ignore False

Microsoft-Server-ActiveSync None Require False True (128-bit) Ignore False

OAB None Require False True (128-bit) Ignore False

Powershell None Require False True (128-bit) Accept False

OWA None Require False True (128-bit) Ignore False

RPC None Require False False Ignore False

PushNotifications None Require False True (128-bit) Ignore False

RPCWithCert None Require False False Ignore False

MAPI/emsmdb None Require False True Ignore False

MAPI/nspi None Require False True Ignore False

Error 1 : SchUseStrongCrypto is not configured as expected

Resolution : https://learn.microsoft.com/en-us/Exchange/exchange-tls-configuration?view=exchserver-2019#enable-tls-12-for-net-4x

As per the above Microsoft link, and i use Dot 4.x version i made the below changes in registry

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 "SchUseStrongCrypto"=dword:00000001

Error Details Below

[PS] C:\RamkiScripts>& '.\ExchangeExtendedProtectionManagement (1).ps1' -ExchangeServerNames cmex01

Version 23.01.13.2052

Enabling Extended Protection

Extended Protection is recommended to be enabled for security reasons. Known Issues: Following scenarios will not work

when Extended Protection is enabled.

- SSL offloading or SSL termination via Layer 7 load balancing.

- Automated Archiving using Archive policy.

- Exchange Hybrid Features if using Modern Hybrid.

- Access to Public folders on Exchange 2013 Servers.

You can find more information on: https://aka.ms/ExchangeEPDoc. Do you want to proceed?

[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y

WARNING: Removing the following servers from the list to configure because we weren't able to reach them: ONPREMEX01,

ONPREMEX02

The following servers have the TLS Configuration below

CMEX01

RegistryName Location Value

------------ -------- -----

SchUseStrongCrypto SOFTWARE\Microsoft\.NETFramework\v2.0.50727

SystemTlsVersions SOFTWARE\Microsoft\.NETFramework\v2.0.50727 1

SchUseStrongCrypto SOFTWARE\Microsoft\.NETFramework\v4.0.30319

SystemTlsVersions SOFTWARE\Microsoft\.NETFramework\v4.0.30319 1

SchUseStrongCrypto SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727

SystemTlsVersions SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727 1

SchUseStrongCrypto SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319

SystemTlsVersions SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 1

DisabledByDefault SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

Enabled SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client 1

DisabledByDefault SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

Enabled SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server 1

DisabledByDefault SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client 0

Enabled SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client 1

DisabledByDefault SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server

Enabled SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server 1

DisabledByDefault SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client 0

Enabled SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client 1

DisabledByDefault SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server 0

Enabled SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server 1

Test Failed: SchUseStrongCrypto is not configured as expected

System affected: CMEX01

Action required: Configure SchUseStrongCrypto for NETv4 as described here: https://aka.ms/ExchangeEPDoc

Another Error Below

WARNING: 'CMEX01\RPC (Default Web Site)' has SSLOffloading set to true. Therefore, we can not configure Extended

Protection.

WARNING: Please address the following server regarding RPC (Default Web Site) and SSL Offloading: CMEX01

WARNING: The following cmdlet should be run against each of the servers: Set-OutlookAnywhere 'SERVERNAME\RPC (Default

Web Site)' -SSLOffloading $false -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true

Do you have feedback regarding the script? Please email ExToolsFeedback@microsoft.com.

[PS] C:\RamkiScripts>& '.\ExchangeExtendedProtectionManagement (1).ps1' -ExchangeServerNames cmex01

Version 23.01.13.2052

Enabling Extended Protection

Extended Protection is recommended to be enabled for security reasons. Known Issues: Following scenarios will not work

when Extended Protection is enabled.

- SSL offloading or SSL termination via Layer 7 load balancing.

- Automated Archiving using Archive policy.

- Exchange Hybrid Features if using Modern Hybrid.

- Access to Public folders on Exchange 2013 Servers.

You can find more information on: https://aka.ms/ExchangeEPDoc. Do you want to proceed?

[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y

WARNING: Removing the following servers from the list to configure because we weren't able to reach them: ONPREMEX01,

ONPREMEX02

The following servers have the TLS Configuration below

CMEX01

RegistryName Location Value

------------ -------- -----

SchUseStrongCrypto SOFTWARE\Microsoft\.NETFramework\v2.0.50727

SystemTlsVersions SOFTWARE\Microsoft\.NETFramework\v2.0.50727 1

SchUseStrongCrypto SOFTWARE\Microsoft\.NETFramework\v4.0.30319 1

SystemTlsVersions SOFTWARE\Microsoft\.NETFramework\v4.0.30319 1

SchUseStrongCrypto SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727

SystemTlsVersions SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727 1

SchUseStrongCrypto SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 1