Securing access to on-premises Microsoft Exchange server
Need to secure employee access to an on-premises Microsoft Exchange server? Learn what solutions protect exchange access for Active Directory environments.
Published February 3, 2022Unauthorized access to users’ Exchange mailbox is a key security concern for many organizations. And with remote work on the rise, the need to secure access to the company mailbox from outside the office is a pressing one.
To respond to this need, most organizations use Outlook Web Access (OWA) as the client interface and ActiveSync to support Exchange access on mobile devices. Following the 2021 zero-day exploits discovered in on-premises Microsoft Exchange Servers, many organizations are rethinking how they secure access to Exchange email accounts.
There’s often confusion about how to best protect Microsoft Exchange in an on-premises environment. Exchange’s basic credential requirements (username and password) expose organizations to risk, because attackers only need to figure out these simple credentials in order to access these repositories of valuable data. The big concern is: how can organizations who use Microsoft Exchange as their primary email server prevent unauthorized access to data in their Exchange mailboxes even when an attacker uses the correct credentials?
The first step, of course, is multi-factor authentication (MFA). But many organizations often do not have MFA on their on-premises Exchange, believing it’s too difficult or cumbersome to deploy. However, there are several possible solutions.
Microsoft does not offer a single solution to protect all exchange traffic, so a combination of multiple solutions might be necessary to secure all channels, sessions and traffic.
We’ll look at the primary options Microsoft offers to secure on-premises Exchange access below. Most of Microsoft’s solutions are an extension of, feature, or tool associated with Azure Active Directory (AD). Azure AD provides access management control specifically for Microsoft's data and applications, both cloud-based and on-premises.
Application Proxy, a feature of Azure AD (now Microsoft Entra ID), allows users to access Exchange servers through Outlook Web Access (OWA). OWA is then published through Application Proxy, so when a user tries to access Outlook they’re redirected to the Azure AD sign in page. A system administrator can configure this "detour" to prompt MFA or restrict access based on the sign-in location, session type, or IP address.
However, this method has an important problem: Application Proxy does not work for Outlook on desktop applications (PC or Mac) or on mobile (Android or iOS) devices. With such wide limitations, Application Proxy is a specialized solution suited only to organizations wanting to access Exchange by logging in through OWA.
Another option for Outlook access through a desktop application or mobile device is hybrid modern authentication (HMA). This method forwards the exchange authentication to Azure AD, similar to Application Proxy. Also similarly, administrators can take advantage of conditional access management and MFA control for their users by forwarding their login to Azure AD.
The primary issue here is that it doesn’t work if you're trying to access Microsoft Exchange through OWA. HWA only works for Outlook desktop and Outlook mobile versions. You would have to use both HMA and Application Proxy to achieve comprehensive protection for Exchange logins through Outlook installed on desktop and mobile devices, but it is possible.
Active Directory Federation Services (AD FS) offers some protections for customers who use AD FS and have already published OWA through AD FS. As a single sign-on (SSO) solution, simply by logging into one system, the user can access most of their Microsoft applications (or any preconfigured apps). The process starts with a standard login that pushes the user to the AD FS page and initiates an MFA requirement.
While the SSO capabilities are a perk, this method too only works for OWA logins. It won’t work for users trying to log into the Exchange Server on a desktop or mobile device. For organizations already using AD FS, it’s an option worth considering.
Microsoft’s multi-factor solution is an older MFA management method that only protects OWA logins for Internet Information Services (IIS) sessions. No longer even offered for new deployments, customers are advised to use Azure AD (either Application Proxy or HMA) for MFA management.
The need for a single, comprehensive solution to secure access for on-premises Microsoft Exchange accounts leads many organizations to UserLock. UserLock lets you manage on-premises AD users with features like MFA, conditional access management control, and SSO. This includes versatile ways to manage users accessing Exchange mailboxes from outside the office.
UserLock can enable MFA for all users with AD membership or standalone terminal servers. It can also work for AD users accessing the network via a virtual private network (VPN), remote desktop (RD), remote desktop gateway (RDG), and via IIS sessions.
Here are a few of the most common types of remote access to on-premises Exchange Servers, and the protections UserLock offers for each.
Because Microsoft Exchange Server is built on dedicated physical or virtual servers, UserLock’s comprehensive on-premises solution enables MFA protection for all IIS access using HTTP modules. And since OWA is hosted on IIS, that includes MFA protection for OWA access.
Watch this video to find out more about how to protect OWA access with UserLock. You can also learn more specifically about how to apply MFA for IIS apps like OWA with this video below:
Users who need remote mobile access to their Exchange Server mailbox can connect using Outlook for Android and iOS. Both apps rely on Microsoft’s ActiveSync to allow users to synchronize their exchange mailbox with their mobile device. And via ActiveSync, both apps support basic authentication in the Exchange Server’s on-premises environment. While UserLock does not support MFA for Outlook for Android and iOS, it does offer alternative restrictions and monitoring to help secure this access.
Outlook Anywhere allows remote access to users’ Exchange mailbox (on both desktop and mobile) from outside the corporate domain, without the need to log into a VPN. UserLock's extension, UserLock Anywhere, offers a way to enable limited MFA protection to users accessing their Exchange mailbox via OutLook Anywhere from desktop devices.
UserLock can also provide MFA protection for user access to cloud applications such as Exchange Online. For this to work, however, all of your organization’s Exchange Online accounts must be synchronized from an on-premises AD.
Exchange Online is available as a standalone, cloud-based service or as part of a Microsoft Office 365 (MS365) suite. Users can access Exchange Online from any device, anywhere.
UserLock SSO provides MFA by configuring MS365 for SSO. This means that MFA is possible both on desktop access to Exchange Online and access to Exchange online via Outlook mobile. The MFA is only asked during the configuration of the mail account on the client application. This offers the security of an additional layer of login authentication while also offering an efficient option to your employees since it only requires one login.
The SSO settings can be customized for the applications you want to allow your employees to access from a single login. The applications you can connect to include Microsoft products, Google apps, and other popular apps like Slack, Salesforce, and Zendesk.
Securing an on-premises Exchange server can include many different deployment options that may not even protect your organization from various Exchange traffic scenarios or be cost-effective to implement. UserLock, UserLock Anywhere and UserLock SSO solve many of the problems that system administrators and security managers face through session flexibility and multifunctional security, including access control management, MFA protection, and SSO configuration.