Your Exchange Server infrastructure needs to stay up to date because of vulnerabilities, new features,…
You should always disable external access to Exchange Control Panel (ECP). You don’t want a brute force attack on ECP in Exchange Server. It’s a big security risk. In this article, you will learn how to disable external access to ECP in Exchange Server 2016. The best approach and my advice are to block it on the firewall. The firewall is the first point that will block external access. If it’s not possible to do it on the firewall, do it on the Exchange Server. It’s better than not disabling ECP. Let’s have a look at how to disable external access to ECP in Exchange 2016.
Do you have more than one Exchange Server? Do the steps below on every Exchange Server that is reachable from outside.
Install IP and Domain Restrictions role
Run the Add Roles and Features Wizard from the Exchange Server. Select your Exchange Server and follow the wizard. Now you are on the Server Roles tab. Expand Web Server (IIS) -> Web Server -> Security. Check the IP and Domain Restrictions role. On our end, it’s already installed on the Exchange Server.
Click on Next. Click Install to install the IP and Domain Restrictions role. Installation completes. Proceed further with the steps below.
Start IP Address and Domain Restrictions in IIS
Open IIS Manager on the Exchange Server. Expand Server -> Sites -> Default Web Site. Select ecp. Double click on IP Address and Domain Restrictions. See screenshot:
Edit feature settings
The IP Address and Domain Restrictions feature is open. Let’s configure it to disable external access to ECP on the Exchange Server 2016. First, click on Edit Feature Settings… and configure it to Deny access for unspecified clients. Set the Deny Action Type to Not Found.
Add allow entry
Click on Add Allow Entry… and configure it so that ECP stays reachable locally on the Exchange Server (localhost). Add the IP 127.0.0.0 with prefix 8. If you want to add the subnet mask instead of the prefix, it should be 255.0.0.0.
You added the entry. Now you can log in to ECP from the Exchange Server by going to https://localhost/ecp. I don’t recommend opening ECP to the whole internal LAN. If you have management servers, add their IP addresses to the allow list.
You added the entries and it is showing correctly. Start ECP and login from the IP addresses that you added. Make sure you insert the Exchange Server hostname. For example, https://EX01/ecp.
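The same configuration can be applied without clicking through IIS Manager, which is useful when the steps have to be repeated on several Exchange Servers. The script below is an added example, not code from the original article: it installs the IP and Domain Restrictions role service (Web-IP-Security), sets the ecp virtual directory of the Default Web Site to deny unlisted clients with a Not Found deny action, adds the 127.0.0.0/8 allow entry plus management addresses, and prints the result for review. The management addresses (192.0.2.10, 192.0.2.11) and the hostname EX01 are placeholders to replace with your own.

```powershell
# Added example: script equivalent of the IIS Manager steps in the article.
# Run in an elevated PowerShell on each externally reachable Exchange Server.
# Only the front-end ecp directory (Default Web Site) is restricted; the
# 'Exchange Back End' site is left untouched because the front end proxies to it.
Import-Module WebAdministration

$Site   = 'Default Web Site/ecp'
$PSPath = 'MACHINE/WEBROOT/APPHOST'
$Filter = 'system.webServer/security/ipSecurity'

# Allowed clients: localhost (127.0.0.0/8 = mask 255.0.0.0) plus management hosts.
# The 192.0.2.x addresses are placeholders; replace them with your management servers.
$AllowList = @(
    @{ ipAddress = '127.0.0.0';  subnetMask = '255.0.0.0' },
    @{ ipAddress = '192.0.2.10'; subnetMask = '255.255.255.255' },  # placeholder management server
    @{ ipAddress = '192.0.2.11'; subnetMask = '255.255.255.255' }   # placeholder management server
)

# 1. Install the IP and Domain Restrictions role service if it is missing.
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}

# 2. Edit Feature Settings: deny unspecified clients, deny action type "Not Found" (HTTP 404).
Set-WebConfigurationProperty -PSPath $PSPath -Location $Site -Filter $Filter -Name 'allowUnlisted' -Value $false
Set-WebConfigurationProperty -PSPath $PSPath -Location $Site -Filter $Filter -Name 'denyAction'    -Value 'NotFound'

# 3. Add Allow Entry for each permitted address/subnet, skipping entries that already exist.
$existing = Get-WebConfigurationProperty -PSPath $PSPath -Location $Site -Filter $Filter -Name 'Collection' |
            ForEach-Object { "$($_.ipAddress)/$($_.subnetMask)" }
foreach ($entry in $AllowList) {
    $key = "$($entry.ipAddress)/$($entry.subnetMask)"
    if ($existing -notcontains $key) {
        Add-WebConfigurationProperty -PSPath $PSPath -Location $Site -Filter $Filter -Name '.' `
            -Value @{ ipAddress = $entry.ipAddress; subnetMask = $entry.subnetMask; allowed = 'true' }
    }
}

# 4. Print the effective settings so they can be checked before testing.
Get-WebConfiguration -PSPath $PSPath -Location $Site -Filter $Filter |
    Select-Object allowUnlisted, denyAction
Get-WebConfigurationProperty -PSPath $PSPath -Location $Site -Filter $Filter -Name 'Collection' |
    Select-Object ipAddress, subnetMask, allowed

# 5. Test from a client that is NOT on the allow list: the deny action should return HTTP 404.
#    From an allowed host (or https://localhost/ecp on the server itself) the login page should load.
function Test-EcpBlocked {
    param([string]$Url = 'https://EX01/ecp')   # EX01 is a placeholder hostname
    try {
        Invoke-WebRequest -Uri $Url -UseBasicParsing | Out-Null
        Write-Warning "ECP is still reachable from this client: $Url"
        return $false
    } catch {
        $status = $_.Exception.Response.StatusCode.value__
        if ($status) { Write-Host "Blocked as expected, HTTP status $status" }
        else         { Write-Host "Request failed before a response was received: $($_.Exception.Message)" }
        return $true
    }
}
```

Steps 1 to 4 run on the server; call Test-EcpBlocked from a workstation outside the allow list after the change, and again from an allowed management address, to confirm that the restriction behaves like the screenshots in the article (404 for unlisted clients, login page for listed ones). Because the restriction is matched on the source IP as seen by IIS, a browser on the server that uses the server's LAN address instead of localhost is also denied, which is why the article points to https://localhost/ecp for local access.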
In this article, you learned how to disable external access to ECP in Exchange 2016. Remember to test after applying the configuration. Think carefully before allowing access to ECP. If you enjoyed this article, you may also like Disable Symantec Endpoint Protection (SEP).