Comments
 
posted on March 5th 2015, at 12:35
by lunarg
By default, when you open up OWA (Outlook Web App) access to the internet, you also open up the Exchange Admin Center (EAC): appending /ecp to the external OWA URL brings up the EAC logon page. This potentially creates a security vulnerability, since an administrative logon form is exposed to the internet, and it increases the chance that a brute-force attack against an administrator account succeeds.

While it is generally a good idea to deny the Administrator account access to EAC for managing the Exchange server, this is not always possible or desirable. Additionally, because EAC is a virtual directory within a site in IIS, it is not possible to have it listen on a separate internal IP address and secure it through the edge firewall. Luckily, IIS also has some other mechanisms to restrict access. There's an   ...
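As an added example (not code from the original post), the following PowerShell script applies the IIS "IP and Domain Restrictions" mechanism to the internet-facing /ecp virtual directory so that only internal address ranges can reach it. The site name ("Default Web Site"), the two address ranges and the choice to write the rule into applicationHost.config are assumptions; adjust them to your environment. Keep in mind that the OWA Options page is also served from /ecp, so a flat IP restriction on /ecp also blocks external OWA users from changing their own settings; if that matters, use a separate internet-facing site or server, or disable the admin part of the virtual directory with Set-EcpVirtualDirectory -AdminEnabled $false instead (neither of which this script does).

```powershell
# Added example, not part of the original post: restrict the front-end /ecp
# virtual directory to assumed internal ranges with IIS IP and Domain Restrictions.
# Run in an elevated PowerShell on the internet-facing Exchange (Client Access) server.
Import-Module WebAdministration

# The IP and Domain Restrictions feature is not installed by default.
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Install-WindowsFeature Web-IP-Security | Out-Null
}

# Assumption: the front-end site is "Default Web Site". Do NOT touch
# "Exchange Back End/ecp"; the front end proxies to it from the server's own address.
$location = 'Default Web Site/ecp'
$filter   = '/system.webServer/security/ipSecurity'

# Assumed internal ranges that may still reach EAC; everything else gets a 403.
$trusted = @(
    @{ ipAddress = '10.0.0.0';    subnetMask = '255.0.0.0'   },
    @{ ipAddress = '192.168.0.0'; subnetMask = '255.255.0.0' }
)

# Write the rules into a <location> tag in applicationHost.config (-PSPath 'IIS:\'
# plus -Location) instead of the virtual directory's own web.config, which
# Exchange setup and cumulative updates regenerate.
Clear-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Location $location
Set-WebConfigurationProperty -Filter $filter -PSPath 'IIS:\' -Location $location `
    -Name allowUnlisted -Value $false
foreach ($net in $trusted) {
    Add-WebConfigurationProperty -Filter $filter -PSPath 'IIS:\' -Location $location `
        -Name '.' -Value @{ ipAddress = $net.ipAddress; subnetMask = $net.subnetMask; allowed = $true }
}

# Check the result: allowUnlisted must be False and only the trusted ranges listed.
Get-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Location $location |
    Select-Object allowUnlisted
Get-WebConfiguration -Filter "$filter/add" -PSPath 'IIS:\' -Location $location |
    Select-Object ipAddress, subnetMask, allowed
```

After running it, test from an external address that https://<external OWA host>/ecp returns 403 while https://<external OWA host>/owa still works, and from an internal address that EAC still loads. Because the rule lives in applicationHost.config, re-check it after every Exchange cumulative update anyway.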
 
On March 1st 2016 at 07:48, Paul wrote:
 
IP blocking on /ecp is a bad idea. Outlook Web App users also need access to /ecp for various settings.
It's better to create separate websites on the same server, or use separate servers for internal/external users.