How to Disable ECP in Exchange 2016 Server

Tej Pratap Shukla | Modified: October 17, 2024 | Exchange Server 2016, General Info | 6 Minutes Reading

You may want to disable ECP (the Exchange Control Panel, which serves the Exchange Admin Center) on an Exchange 2016 Mailbox server to keep it away from outside access. An ECP that is reachable by anyone is dangerous: it is the administrative interface for the whole organization, and attackers can use it to launch attacks and cripple your infrastructure.

In versions before Exchange 2013 the Exchange Management Console (EMC) took the place of the Exchange Admin Center. EMC was a Microsoft Management Console (MMC) snap-in, whereas the Exchange Admin Center (EAC) is a web-based management console that administrators use to manage Exchange Server 2016. EAC is installed in Internet Information Services (IIS) as the ecp virtual directory.

In Exchange 2016 the Exchange Admin Center can be reached from anywhere, so an administrator account can control, manage and monitor the server remotely. That is both an advantage and a disadvantage: some admins want to reach EAC from an external network, others do not want it exposed to external networks or the Internet at all. The default settings in Exchange 2016 allow both internal and external access to EAC. Before we proceed, let's look at why an admin would decide to restrict ECP.

Why Disable ECP in the Exchange Server?

Ask any admin and the answer will be security. ECP and the Exchange server are meant for the organization only. If a malicious party gains access to ECP they can do a lot of damage, such as making in-place archives disappear from Outlook 2013 or dismounting the Exchange database. Restricting ECP, however, is not a one-way decision; it has drawbacks of its own.

Disadvantages of a Restricted ECP

After ECP has been disabled with the command below, any attempt to open it returns a 404 Page Not Found error. The main disadvantage is that ECP is then unavailable from the internal network as well as from the Internet.

This creates a new problem for the administrator: the next time they need ECP they must enable it again by running the same command with the switch flipped, as shown here.
Command: Set-EcpVirtualDirectory -Identity "<Server>\ecp (Default Web Site)" -AdminEnabled $true

To get around this, Microsoft suggests keeping a second Mailbox server that is not Internet-facing and using it for management (Exchange 2016 no longer has a separate CAS role; Client Access services run on every Mailbox server). In my opinion it is better to create another IIS website, with its own OWA and ECP virtual directories, that is reachable only from the internal network.

Access ECP from anywhere

To reach the EAC, type the same address you use for OWA, but replace owa with ecp at the end of the URL (for example https://yourcompanydomain/ecp).

Disable ECP in Exchange 2016 by Installing the IP and Domain Restrictions Role

Follow these steps:

  • Log in to the Exchange server (either at the console or via RDP).
  • Open Server Manager.
  • Click the Add Roles and Features link on the main dashboard screen. You can also reach it from the Manage menu.
  • Follow the default on-screen instructions in the wizard and select the Exchange server on which you want to block external ECP access.
  • In the Server Roles tab, expand Web Server (IIS) > Web Server > Security.
  • Tick the box next to IP and Domain Restrictions.
  • Click Next.
  • Finish the installation with the preselected settings.

Restrict ECP Access in Exchange 2016 by Applying IP Address and Domain Restrictions in IIS

  • Launch IIS Manager on the Exchange server.
  • Expand Sites > Default Web Site.
  • Select ecp.
  • Double-click IP Address and Domain Restrictions.
  • Disable external access to ECP: right-click and select Edit Feature Settings… (also available from the Actions pane on the right).
  • Set Access for unspecified clients to Deny and Deny Action Type to Abort.
  • Click OK.
  • Click Add Allow Entry… in the Actions pane.
  • Add the loopback address range for localhost (e.g., <local_IP> with prefix <prefix_length>).
  • Click OK.
  • Repeat Add Allow Entry… for every other IP address or range that must keep access.

Note: The general consensus is not to allow ECP access from the whole internal LAN; instead prepare a list of management server IP addresses and place only those on the allow list.
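The same two procedures (installing the role service and configuring the restrictions on the ecp virtual directory) can be scripted. The following is an added example, not code from the original article; it is written for an elevated PowerShell session on the Exchange 2016 server. The management-host address 10.10.5.20 and the admin subnet 10.10.5.0/24 are placeholders for your own allow list.

```powershell
# Added example: install "IP and Domain Restrictions" and restrict the front-end
# ecp virtual directory to an allow list, mirroring the IIS Manager steps above.
Import-Module ServerManager
Import-Module WebAdministration

# 1. Install the role service if it is missing. Web-IP-Security is the feature
#    name behind "IP and Domain Restrictions" in the Add Roles and Features wizard.
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Install-WindowsFeature Web-IP-Security | Out-Null
}

# The ipSecurity section is locked in applicationHost.config by default, so write
# the settings there for this location (which is what IIS Manager does) instead of
# into the virtual directory's own web.config.
$psPath   = 'MACHINE/WEBROOT/APPHOST'
$location = 'Default Web Site/ecp'      # front-end ecp on port 443
$filter   = 'system.webServer/security/ipSecurity'

# Remove any earlier ipSecurity settings at this location so the script is repeatable.
Clear-WebConfiguration -PSPath $psPath -Location $location -Filter $filter

# 2. "Access for unspecified clients: Deny" and "Deny Action Type: Abort".
Set-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $filter `
    -Name allowUnlisted -Value $false
Set-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $filter `
    -Name denyAction -Value 'AbortRequest'

# 3. Allow entries. Loopback and the server's own addresses must stay on the list;
#    the jump host and admin VLAN below are assumed values, replace them with yours.
$allow = @(
    @{ ipAddress = '127.0.0.1' }
    @{ ipAddress = '::1' }
    @{ ipAddress = '10.10.5.20' }                               # assumed: management host
    @{ ipAddress = '10.10.5.0'; subnetMask = '255.255.255.0' }  # assumed: admin VLAN
)
# Add this server's own IPv4 addresses so local access keeps working.
foreach ($ip in @(Get-NetIPAddress -AddressFamily IPv4 | Where-Object IPAddress -ne '127.0.0.1')) {
    $allow += @{ ipAddress = $ip.IPAddress }
}

foreach ($entry in $allow) {
    $entry['allowed'] = 'true'
    Add-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $filter `
        -Name '.' -Value $entry
}

# 4. Show the resulting rule set for review.
Get-WebConfiguration -PSPath $psPath -Location $location -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

Only the front-end site (Default Web Site, port 443) is restricted here; the Exchange Back End site on port 444 is reached through the front end and is left alone, as in the manual steps.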

Verify that ECP is Blocked for External Clients and Allowed for Others

  • Open ECP in a browser on the Exchange server itself.
  • Verify that sign-in succeeds.
  • Open ECP from an allowed IP address using the Exchange server hostname (e.g., https://<Exchange_Server_hostname>/ecp).
  • Verify that sign-in succeeds.
  • Then try to reach ECP from an external system, or from any IP address that is not on the allow list.
  • Check that the connection is aborted.
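The checks above can be done with a small probe instead of a browser, which is handy when you have several management hosts to test from. The function below is an added example and not part of the original article; mail.contoso.com is an assumed hostname. It classifies what IIS returned for /ecp: a normal answer (including the logon redirect), a 404 (ECP disabled with AdminEnabled $false), or no HTTP response at all, which is what the Abort deny action produces.

```powershell
# Added example: probe https://<host>/ecp from the current machine and report
# whether ECP answered, returned 404, or aborted the connection.
function Test-EcpAccess {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $TimeoutMs = 10000
    )
    $uri = "https://$HostName/ecp/"
    $req = [System.Net.HttpWebRequest]::Create($uri)
    $req.Method            = 'GET'
    $req.AllowAutoRedirect = $false   # the redirect to the logon page is itself proof ECP answered
    $req.Timeout           = $TimeoutMs
    try {
        $resp   = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            # IIS answered with an error status (404, 403, ...): read it.
            $status = [int]$_.Exception.Response.StatusCode
        } else {
            # No HTTP response at all: the connection was reset (denyAction=AbortRequest),
            # timed out, or failed before HTTP (e.g. an untrusted certificate: TrustFailure).
            return [pscustomobject]@{ Uri = $uri; Result = 'Aborted/NoResponse'; Detail = $_.Exception.Status }
        }
    }
    $result = switch ($status) {
        { $_ -in 200, 302, 401 } { 'Reachable (ECP answered)' }        # 302 = redirect to /owa/auth/logon.aspx
        404                      { 'NotFound (AdminEnabled=$false or wrong path)' }
        403                      { 'Forbidden (IP restriction with denyAction=Forbidden)' }
        default                  { "HTTP $status" }
    }
    [pscustomobject]@{ Uri = $uri; Result = $result; Detail = $status }
}

# Run once on the Exchange server, once on an allowed host, once on a host that is not listed.
Test-EcpAccess -HostName 'mail.contoso.com'
```

Expect 'Reachable' from the server and from allowed hosts and 'Aborted/NoResponse' from everywhere else. If the probe reports TrustFailure in Detail, the client does not trust the server certificate; that is a certificate problem on the client, not the IP restriction working.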

Disable ECP in Exchange 2016 Using a Command

Exchange 2016 also lets you restrict ECP access from external networks or the Internet, which otherwise raises the chance of the server being attacked.

There is a command you can run in the Exchange Management Shell that restricts access to ECP without restricting access to OWA. Run the command below to disable ECP.
Command: Set-EcpVirtualDirectory -Identity "<Server>\ecp (Default Web Site)" -AdminEnabled $false
Where:
<Server>\ecp (Default Web Site) is the identity of the front-end ecp virtual directory on the server (Get-EcpVirtualDirectory lists the exact value)
$false turns administrative access to ECP off (use $true to turn it back on)

By running the above command in the shell you disable ECP, but it can take up to 5 minutes for the change to apply. If you want the change to take effect immediately, run the command below in the shell.
Command: iisreset /noforce
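Put together, the shell procedure looks like this. It is an added example and not code from the original article; it runs in the Exchange Management Shell on the server being changed and looks up the exact virtual directory identity rather than typing it by hand.

```powershell
# Added example: turn the EAC off on this server's front-end ecp virtual directory,
# apply the change immediately, and read the setting back.
$server = $env:COMPUTERNAME

# Each server has two ecp virtual directories: "ecp (Default Web Site)" on the front
# end (port 443) and "ecp (Exchange Back End)" on port 444. Pick the front end.
$ecp = Get-EcpVirtualDirectory -Server $server |
       Where-Object { $_.Name -eq 'ecp (Default Web Site)' }
if (-not $ecp) { throw "No front-end ecp virtual directory found on $server" }

Write-Host "Before: $($ecp.Identity) AdminEnabled=$($ecp.AdminEnabled)"

# Disable administrative access to ECP; OWA keeps working.
Set-EcpVirtualDirectory -Identity $ecp.Identity -AdminEnabled $false

# Without this, IIS picks up the change within a few minutes.
iisreset /noforce | Out-Null

Get-EcpVirtualDirectory -Identity $ecp.Identity |
    Format-Table Identity, AdminEnabled, InternalUrl, ExternalUrl -AutoSize

# To re-enable later, run the same two steps with the switch flipped:
#   Set-EcpVirtualDirectory -Identity $ecp.Identity -AdminEnabled $true; iisreset /noforce
```

After the reset, https://<Server>/ecp returns 404 from every network, internal ones included, which is the drawback discussed earlier; keep a second management server or an internal-only website available before you run this on your only server.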

Conclusion

In this article we discussed how to disable ECP in Exchange 2016, both with IP and Domain Restrictions in IIS and with a single command in the Exchange Management Shell, along with the advantages, disadvantages and the effect of the command on OWA. As we saw, the command is of limited use unless you keep a second, internal-only Mailbox server (or a separate internal website) for management. The same command also works on Exchange 2013.