ADV190007

Published: 13 Feb 2019
Source: msrc

Description

Guidance for "PrivExchange" Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could attempt to impersonate any other user of the Exchange server. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.

To address this vulnerability, a Throttling Policy for EWSMaxSubscriptions could be defined and applied to the organization with a value of zero. This will prevent the Exchange server from sending EWS notifications, and prevent client applications which rely upon EWS notifications from functioning normally. Examples of impacted applications include Outlook for Mac, Skype for Business, notification-reliant LOB applications, and some iOS native mail clients. Please see Throttling Policy for more information.

An example:

New-ThrottlingPolicy -Name AllUsersEWSSubscriptionBlockPolicy -EwsMaxSubscriptions 0 -ThrottlingPolicyScope Organization

A planned update is in development. If you determine that your system is at high risk then you should evaluate the proposed workaround.

After installing the update you can undo the above action with this command:

Remove-ThrottlingPolicy -Identity AllUsersEWSSubscriptionBlockPolicy

Mitigations

  • The issue described in the Blog post: Abusing Exchange: One API call away from Domain Admin only affects OnPrem deployments. Exchange Online is not affected.
  • The attack scenario described in the blog referenced above requires NTLM. Systems that have disabled NTLM are not affected.
  • Attackers cannot compromise a Domain Admin account if an OnPrem deployment follows Microsoft’s security best practice guidance and has implemented Active Directory Split Permissions. For more information on using Active Directory Split Permissions with Exchange, see Understanding split permissions: Exchange 2013 Help. Note: this document refers to Exchange Server 2013, but the same model can be used for later versions of Exchange Server.


Workaround

One way to prevent EWS from leaking the Exchange server's NTLM credentials is to block EWS subscriptions from being created. This will negatively impact users who rely on EWS clients such as Outlook for Mac, and may also result in unexpected behavior from third-party software that relies on EWS. It may also reduce the number of EWS connections the server can support. Because throttling policies can be applied per user, it is possible to whitelist trusted users who require EWS functionality.

Note: Customers are strongly encouraged to test workarounds prior to deploying them into production to understand the potential impact.

To prevent EWS subscriptions from being created, use the following steps:

  1. Create an organization-scoped policy that blocks all EWS subscriptions:

    New-ThrottlingPolicy -Name NoEwsSubscriptions -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0

  2. Create a regular-scoped policy, which can be used to whitelist trusted users who must have full EWS functionality:

    New-ThrottlingPolicy -Name AllowEwsSubscriptions -ThrottlingPolicyScope Regular -EwsMaxSubscriptions 5000

  3. Assign the regular policy to any such users:

    Set-Mailbox User1 -ThrottlingPolicy AllowEwsSubscriptions

Note about this EWS Subscription throttling workaround: A customer’s risk assessment must weigh the protections gained by the workaround as compared to the possible unwanted side effects of the workaround. The following are possible side effects of the EWS Subscription throttling policy:

This workaround may be disruptive to Outlook for Mac, the Skype for Business client, and Apple Mail clients, causing them not to function properly. Importantly, the throttling policy won't block Autodiscover and Free/Busy requests. The EWS throttling policy will also negatively impact LOB and other third-party applications that require EWS notifications. A second policy can be created to whitelist trusted accounts.
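The three steps above, collected into one script that also verifies which policy each mailbox actually ends up under and rolls the change back once the update is installed. This is an added example, not part of the advisory or of Microsoft's own guidance; it uses only the cmdlets the advisory names plus Get-ThrottlingPolicy, Get-ThrottlingPolicyAssociation and Set-Mailbox. The policy names match the advisory; the trusted-mailbox identities are assumptions for illustration. The -ThrottlingPolicyScope parameter exists on Exchange 2013 and later, so the script targets those versions.

```powershell
# Added example (not from the advisory): apply, verify and roll back the
# ADV190007 EWS subscription throttling workaround on an on-premises
# Exchange 2013/2016/2019 organization. Run from the Exchange Management
# Shell with Organization Management rights.
$BlockPolicy  = 'NoEwsSubscriptions'      # name from the advisory
$AllowPolicy  = 'AllowEwsSubscriptions'   # name from the advisory
$TrustedUsers = @('svc-lob-notify', 'mac-user1')   # assumed identities for illustration

function Enable-EwsSubscriptionBlock {
    # Step 1: Organization-scoped policy; every mailbox without an explicit
    # policy inherits it, so EWS subscriptions are blocked org-wide.
    if (-not (Get-ThrottlingPolicy -Identity $BlockPolicy -ErrorAction SilentlyContinue)) {
        New-ThrottlingPolicy -Name $BlockPolicy -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0 | Out-Null
    }
    # Step 2: Regular-scoped policy for whitelisted accounts. A Regular policy
    # assigned to a mailbox takes precedence over the Organization policy.
    if (-not (Get-ThrottlingPolicy -Identity $AllowPolicy -ErrorAction SilentlyContinue)) {
        New-ThrottlingPolicy -Name $AllowPolicy -ThrottlingPolicyScope Regular -EwsMaxSubscriptions 5000 | Out-Null
    }
    # Step 3: assign the Regular policy only to the trusted mailboxes.
    foreach ($user in $TrustedUsers) {
        Set-Mailbox -Identity $user -ThrottlingPolicy $AllowPolicy
    }
}

function Test-EwsSubscriptionBlock {
    # Report the effective EwsMaxSubscriptions per mailbox so the workaround
    # can be confirmed after deployment (and its absence confirmed after rollback).
    # A mailbox with no explicit association falls back to the Organization policy.
    param([string[]]$Identities)
    $orgPolicy = Get-ThrottlingPolicy |
        Where-Object { $_.ThrottlingPolicyScope -eq 'Organization' } |
        Select-Object -First 1
    foreach ($id in $Identities) {
        $assoc  = Get-ThrottlingPolicyAssociation -Identity $id
        $policy = if ($assoc.ThrottlingPolicyId) {
            Get-ThrottlingPolicy -Identity $assoc.ThrottlingPolicyId
        } else {
            $orgPolicy
        }
        [pscustomobject]@{
            Mailbox             = $id
            EffectivePolicy     = $policy.Name
            EwsMaxSubscriptions = $policy.EwsMaxSubscriptions
            Blocked             = ("$($policy.EwsMaxSubscriptions)" -eq '0')
        }
    }
}

function Disable-EwsSubscriptionBlock {
    # Rollback after the security update is installed. Clear the explicit
    # assignments first so neither policy is still associated with a mailbox
    # when it is removed.
    foreach ($user in $TrustedUsers) {
        Set-Mailbox -Identity $user -ThrottlingPolicy $null
    }
    Remove-ThrottlingPolicy -Identity $AllowPolicy -Confirm:$false
    Remove-ThrottlingPolicy -Identity $BlockPolicy -Confirm:$false
}

# Usage (test in a lab first, as the advisory recommends):
# Enable-EwsSubscriptionBlock
# Test-EwsSubscriptionBlock -Identities ($TrustedUsers + 'ordinary-user') | Format-Table
# Disable-EwsSubscriptionBlock
```

Run Test-EwsSubscriptionBlock against one whitelisted and one ordinary mailbox: the ordinary mailbox should report the Organization policy with EwsMaxSubscriptions 0, the whitelisted one the Regular policy with 5000. Any mailbox that already carries a custom Regular policy is not covered by the Organization policy, so include such mailboxes in the check and either add EwsMaxSubscriptions 0 to their existing policy or accept that they remain exposed.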

FAQ

What are the Common Vulnerabilities and Exposures (CVE) identifiers that Microsoft is using to reference this vulnerability?

Microsoft has assigned both CVE-2019-0686 and CVE-2019-0724 to reference the reported vulnerabilities.

For more information please see: The Microsoft Exchange Team Blog

Updates

Product / Update
  • Microsoft Exchange Server 2010 Service Pack 3: Update Rollup 26
  • Microsoft Exchange Server 2013: Cumulative Update 22
  • Microsoft Exchange Server 2016: Cumulative Update 12
  • Microsoft Exchange Server 2019: Cumulative Update 1


Exploitability

  • Publicly Disclosed: Yes
  • Exploited: No
  • Latest Software Release: Exploitation More Likely
  • Older Software Release: Exploitation More Likely