
Exchange 2019 CU14 – Extended Protection New Setup Command Line Options

Exchange 2019 CU14 will enforce the use of Extended Protection (EP) by default.  This is the desired security configuration as we need to harden the traffic to help prevent Attacker In the Middle (AiTM) style attacks.  This is not a new thing, and the Exchange team added support for EP in the previous releases as an optional (but strongly recommended) feature.  The intent was that customers would plan to implement EP on a schedule that allowed them to test and resolve any issues that may occur.  That optional time has now passed, and EP will be enabled by default.

For additional details on Extended Protection, please see this post: Exchange Server Extended Protection.

There are some scenarios that are not currently supported with Extended Protection.  Since EP is a security feature, it should only be disabled if you are in one of those unsupported situations.


Command Line Setup - Do Not Enable Extended Protection

There is a new command line parameter to prevent Extended Protection from being enabled.  This is:

/DoNotEnableEP


Example - Do Not Enable Extended Protection At Install

Below is an example of CU14 setup on a brand-new Exchange Server.  The /DoNotEnableEP option was added to the setup command line.


For search engines, the output result from running setup was:

Warning: Exchange Setup did not enable Extended Protection on this machine. Your machine may be vulnerable against
authentication relay attacks. For more information visit: https://aka.ms/EnableEPviaSetup.

We recommend running Exchange HealthChecker script to evaluate if there are any configuration issues which can cause
feature breakdowns. HealthChecker script can be downloaded from https://aka.ms/ExchangeSetupHC.

Setup has made changes to operating system settings that require a reboot to take effect. Please reboot this server
prior to placing it into production.
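To see what state setup actually left behind, the following PowerShell reads the Extended Protection tokenChecking setting from IIS for each application under the two Exchange sites. This is an added example, not code from the original post or from the Exchange team; it assumes it runs elevated on the Exchange server with the WebAdministration module available and the standard Exchange site names, and it only reports the values. HealthChecker (linked above) remains the supported way to compare them against the expected configuration.

```powershell
# Added example, not from the original post: report the IIS Extended Protection
# "tokenChecking" value for every application under the Exchange IIS sites so an
# admin can confirm what setup left behind, with or without /DoNotEnableEP.
# Assumptions: run elevated on the Exchange server; WebAdministration module present;
# the site names below are the standard ones created by Exchange setup.
Import-Module WebAdministration

$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$sites  = @('Default Web Site', 'Exchange Back End')

$report = foreach ($site in $sites) {
    foreach ($app in (Get-WebApplication -Site $site)) {
        $location = $app.Path.TrimStart('/')          # e.g. "EWS", "Autodiscover", "OAB"

        $raw = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
                   -Location $location -Filter $filter -Name 'tokenChecking'

        # The cmdlet may hand back the bare value or a ConfigurationAttribute wrapper
        $tokenChecking = if ($null -ne $raw -and $raw.PSObject.Properties['Value']) {
            "$($raw.Value)"
        } else {
            "$raw"
        }

        [pscustomobject]@{
            Site          = $site
            VirtualDir    = $location
            TokenChecking = $tokenChecking
            # "None" means IIS performs no channel-binding token check for this vdir;
            # "Allow" checks a token when the client sends one, "Require" insists on it.
            EPConfigured  = ($tokenChecking -in @('Allow', 'Require'))
        }
    }
}

# Anything with EPConfigured = False is a virtual directory where EP is not in effect
$report | Sort-Object Site, VirtualDir | Format-Table -AutoSize
```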


Example - Do Not Enable Extended Protection PrepareSchema

Note that the /DoNotEnableEP switch was not required to execute /PrepareSchema.



Example - Do Not Enable Extended Protection PrepareDomain

Note that the /DoNotEnableEP switch was not required to execute /PrepareAD.



Cheers,
Rhoderick

Rhoderick Milne [MSFT]
