
Active Directory and Exchange Server vulnerable via EWS API

There is currently a security vulnerability in all Exchange Server versions that makes it possible to obtain domain administrator privileges via EWS or, for example, to redirect emails. What makes this vulnerability particularly critical is that it can be exploited remotely: the attacker only needs access to a mailbox on the Exchange Server.

As the EWS API and often also the EAC can be accessed from the Internet, it is important to react quickly in this case.

There is even a HowTo, including the necessary scripts, that explains the attack:

The vulnerability dates back to December 2018, but there is currently no fix. A corresponding update is not expected until February, at least if "The Register" is correct:

Click here for the corresponding Microsoft CVE entry:

To ensure that the vulnerability can no longer be exploited, it helps to delete the following registry value:

The "DisableLoopbackCheck" value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa can be deleted with this command:

reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableLoopbackCheck /f

It is not necessary to restart the server or the Exchange services afterwards.

Alternatively, the key can be deleted via GPO, which is usually easier and faster in a larger environment:
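For larger environments without a GPO in place, the following PowerShell script is an added example (not from the original post) that audits a list of Exchange servers for the DisableLoopbackCheck value and removes it only when -Remove is given. The server names are assumed placeholders.

```powershell
# Added example: audit (and optionally remove) the DisableLoopbackCheck value
# on several Exchange servers at once. Server names are assumptions; replace them.
param(
    [string[]]$Servers = @('EX01', 'EX02'),   # assumption: your Exchange hosts
    [switch]$Remove                            # without -Remove the script only reports
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'DisableLoopbackCheck'

$results = Invoke-Command -ComputerName $Servers -ArgumentList $keyPath, $valueName, [bool]$Remove -ScriptBlock {
    param($keyPath, $valueName, $doRemove)

    # Read the value; Get-ItemProperty returns $null if it does not exist.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Value absent: the server is already in the mitigated state.
        [pscustomobject]@{ Server = $env:COMPUTERNAME; Present = $false; Value = $null; Action = 'none' }
    }
    else {
        $action = 'reported'
        if ($doRemove) {
            # Removing the value takes effect immediately; no reboot or service restart is required.
            Remove-ItemProperty -Path $keyPath -Name $valueName -ErrorAction Stop
            $action = 'removed'
        }
        [pscustomobject]@{ Server = $env:COMPUTERNAME; Present = $true; Value = $item.$valueName; Action = $action }
    }
}

# One line per server: whether the value was present, its data, and what was done.
$results | Select-Object Server, Present, Value, Action | Format-Table -AutoSize
```

Run it once without -Remove to see which servers still carry the value, then with -Remove; afterwards check third-party Exchange tools, since the post notes that some (for example G-Data Mailsecurity) may misbehave once the value is gone.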

As the security vulnerability is currently being reported in the media, the registry value specified above should be deleted as soon as possible, and the upcoming update installed as soon as it is available.

As soon as there is an update on this vulnerability, I will update this post.

Update: Removing the registry value seems to have an effect on third-party tools. At least G-Data Mailsecurity for Exchange seems to have problems here. However, it cannot be ruled out that other products are affected.

Update 12.02.19: The February updates fix the vulnerability and should therefore be installed promptly:

Exchange Server: New updates (February 2019)
