Comments
-
We already had Request Method "options" in ours. We did have to add several Content Types to get everything to work. I attached the xml export of what we are using now.
-
Yes Norm, we lock our Autodiscover down just to the xml file. Here is what we originally had: ../autodiscover/autodiscover.xml /owa /owa/* /ecp/* /ews/* /mapi/* /microsoft-server-activesync* /oab/* First we removed /ecp/* as you really don't want remote admin console access externally anyway. But now due to the fact that…
-
We set up the Exchange content inspection as described in KB 19376 and, working with support, we also added a URL Paths restriction to only allow access to certain virtual directories, and autodiscover is locked down to autodiscover.mydomain.com/autodiscover/autodiscover.xml. I am pretty sure this would block this attack.…
-
I know this post is kind of old. The article linked talks about JMSAppender.class not being in the WatchGuard jar file, but isn't SocketServer.class also vulnerable? It does appear to be in the jar file in the WSM install.
-
We just set up the inbound proxy for Exchange and I tested it by trying to send the EICAR test file through it, and the Firebox policy did block it.
-
Will I need to modify the Exchange server internal host name setting in Exchange Admin, or can I leave it set as both being mail.mydomain.com like I have it now?
-
Just wanted to add we are using split-brain DNS to accomplish this.
-
I read that as well, but at least the members of that group, at least some that I heard about, had IPS signatures available the same day MS released the patches.
-
Well, MS did know about this back in January and could do mitigation for the O365 stuff.
-
Thanks, but I have checked and double-checked those directories as well as others.
-
I don't think we have any web shells installed, but would the IPS signature block access to them?
-
Yes, the IPS updates are really too slow. It also would have been nice if Microsoft had gotten together with firewall vendors back in January to try to create mitigation for this.
-
You know, it would be nice if WatchGuard would put out a video about how this protects Exchange and how to configure it. Thanks.
-
Already patched the day it came out and luckily it doesn't appear we were compromised. Thinking though I should set up a reverse/access portal to try to prevent anything new like this.