Configure Download Domains in Microsoft Exchange
Protect Microsoft Exchange From CVE-2021-1730 Vulnerability

Configure Download Domains on Microsoft Exchange to Address CVE-2021-1730
Microsoft Exchange is affected by CVE-2021-1730, so it is necessary to configure download domains for your Exchange organization.
You might think that your Exchange Server is safe because the latest Cumulative Update (CU) and Exchange Security Update (SU) are installed.
Updating to the latest CU and SU alone does not mean that your Exchange Server is not vulnerable.
If you run the Health Checker script, it will still report CVE-2021-1730 because the download domain is not configured.
Therefore, this article will help you configure download domains for your Exchange Server to address CVE-2021-1730.
By configuring download domains for Microsoft Exchange, you can protect your Exchange Server from a malicious actor.
What is CVE-2021-1730 Vulnerability?
CVE-2021-1730 is a spoofing vulnerability in Exchange Server 2016 and 2019; it could allow a malicious actor to impersonate a user.
To mitigate CVE-2021-1730, Microsoft recommends that all Exchange customers configure download domains so that inline images are served from a DNS domain different from the one used for OWA.
Therefore, following this best practice, it is necessary to configure your download domains correctly.
How to find CVE-2021-1730 Vulnerability with Health Checker Script
To find the CVE-2021-1730 vulnerability, download and run the Exchange Health Checker script and generate the HTML report.
In our case, we downloaded the script to a script folder on the C drive and ran it.
If you have not configured download domains for your Exchange Server, you will see the result below after generating the HTML report from Healthchecker.ps1.

You can see that an Exchange security vulnerability has been detected for the download domains.
Considerations Before Configuring Download Domains
Configuring download domains affects inline images only in Outlook on the web (OWA).
It has no effect on inline images on mobile devices or in the Microsoft Outlook desktop application.
Before you configure download domains, you have to configure the internal and external DNS records for Exchange.
For internal DNS, create a CNAME record that points to the main Exchange namespace you use for OWA.
In our case, we are using the namespace mail.techijack.net for OWA.
So we will create a CNAME record named attachment and point it to the OWA DNS name; the resulting FQDN is attachment.mail.techijack.net.
The image below shows our CNAME record attachment pointing to mail.techijack.net in the internal DNS zone.

You also need to configure the same CNAME record in your public DNS.
To add the CNAME record to your public domain, log on to your domain registrar's DNS management.
The image below shows the CNAME record in public DNS.

Importantly, your Exchange SAN certificate must include the name of your download domain.
In our case, the download domain is attachment.mail.techijack.net.
So your SSL SAN certificate should list this name among its subject alternative names.
The image below shows the SAN certificate configured for the download domain attachment.mail.techijack.net.

Once the above prerequisites are in place, you are ready to configure download domains for the Exchange Server.
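The two prerequisites above (the CNAME resolving to the OWA namespace in both internal and public DNS, and the IIS-bound certificate covering the download domain) are easy to get half right. The following pre-flight script is an added example, not code from the original article; it assumes the article's names (attachment.mail.techijack.net and mail.techijack.net) and an arbitrary public resolver, and is meant to be run from the Exchange Management Shell on a Mailbox server.

```powershell
# Added example (not from the original article): pre-flight check of the
# download-domain prerequisites before touching the OWA virtual directory.
# Assumed values: the article's download domain and OWA namespace.
$DownloadDomain = 'attachment.mail.techijack.net'   # CNAME you created
$OwaNamespace   = 'mail.techijack.net'              # CNAME target (OWA host name)
$PublicResolver = '8.8.8.8'                         # assumption: any public resolver, for the external view

function Test-DownloadDomainDns {
    # Resolves the CNAME with the server's own resolver (internal view) or with
    # an explicit public resolver (external view) and checks the target.
    param([string]$Name, [string]$Target, [string]$Server)
    $view = if ($Server) { $Server } else { 'internal resolver' }
    try {
        $params = @{ Name = $Name; Type = 'CNAME'; ErrorAction = 'Stop' }
        if ($Server) { $params['Server'] = $Server }
        $answer = Resolve-DnsName @params | Where-Object { $_.Type -eq 'CNAME' }
        $targets = @($answer | ForEach-Object { $_.NameHost })
        [pscustomobject]@{
            Check  = "CNAME $Name via $view"
            Pass   = ($targets -contains $Target)
            Detail = ($targets -join ',')
        }
    } catch {
        [pscustomobject]@{ Check = "CNAME $Name via $view"; Pass = $false; Detail = $_.Exception.Message }
    }
}

function Test-DownloadDomainCertificate {
    # Only certificates bound to the IIS service matter for OWA. A wildcard for
    # the parent label (e.g. *.mail.techijack.net) also covers the download domain.
    param([string]$Name)
    $wildcard = '*.' + ($Name -replace '^[^.]+\.', '')
    $iisCerts = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' }
    $match = $iisCerts | Where-Object {
        ($_.CertificateDomains -contains $Name -or $_.CertificateDomains -contains $wildcard) -and
        $_.NotAfter -gt (Get-Date)
    }
    [pscustomobject]@{
        Check  = "IIS certificate covers $Name"
        Pass   = [bool]$match
        Detail = if ($match) { ($match | ForEach-Object { "$($_.Thumbprint) (expires $($_.NotAfter))" }) -join ',' }
                 else { 'no unexpired IIS-bound certificate lists the name or a matching wildcard' }
    }
}

$results = @(
    Test-DownloadDomainDns -Name $DownloadDomain -Target $OwaNamespace
    Test-DownloadDomainDns -Name $DownloadDomain -Target $OwaNamespace -Server $PublicResolver
    Test-DownloadDomainCertificate -Name $DownloadDomain
)
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'Fix the failed prerequisites before running Set-OwaVirtualDirectory; OWA would otherwise serve images from a name that does not resolve or is not trusted.'
}
```

A failure of the internal CNAME check combined with a passing public check (or the reverse) is the split-brain DNS mistake the article warns about; a failing certificate check means clients would get a name-mismatch warning on inline images once the download domain is enabled.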
How to Configure Download Domains
Step 1. Configure the internal and external download host names on the OWA virtual directory.
First, run the following cmdlet to check the current download host names:
Get-OwaVirtualDirectory | ft Identity,*DownloadHostName
You will get the result below.

To configure the internal download host name for OWA, run the following cmdlet:
Set-OwaVirtualDirectory -Identity "EX01\owa (Default Web site)" -InternalDownloadHostName "attachment.mail.techijack.net"
For the external download host name:
Set-OwaVirtualDirectory -Identity "EX01\owa (Default Web site)" -ExternalDownloadHostName "attachment.mail.techijack.net"
After setting the host names, confirm the internal and external values; you will get the following result:
[PS] C:\Windows\system32>Set-OwaVirtualDirectory -Identity "EX01\owa (Default Web site)" -InternalDownloadHostName "attachment.mail.techijack.net"
[PS] C:\Windows\system32>Set-OwaVirtualDirectory -Identity "EX01\owa (Default Web site)" -ExternalDownloadHostName "attachment.mail.techijack.net"
[PS] C:\Windows\system32>Get-OwaVirtualDirectory | ft Identity,*DownloadHostName
Identity                    ExternalDownloadHostName      InternalDownloadHostName
--------                    ------------------------      ------------------------
EX01\owa (Default Web Site) attachment.mail.techijack.net attachment.mail.techijack.net
Step 2. Enable download domains by running the following cmdlet:
Set-OrganizationConfig -EnableDownloadDomains $true
Step 3. Reset Internet Information Services by running iisreset.
Step 4. Test inline images by sending an email with an inline image to one of your users and inspecting the image in Outlook on the web.
We have sent an image with an attachment to our internal user and inspected the image; it shows the result below.

Now, if we run the Exchange Health Checker script again to verify the changes, you will get the following result.

You can see that there is no longer a vulnerability and Enable Download Domains is true.
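The article configures a single server, EX01. In an organization with several Mailbox servers every OWA virtual directory has to carry the download host names, and the Health Checker will keep flagging CVE-2021-1730 until the org-level switch and all virtual directories agree. The script below is an added example, not code from the original article; it applies Steps 1 and 2 to every OWA virtual directory only where the value differs, reports which servers still need the iisreset from Step 3, and then re-checks the configuration. It assumes the article's download domain name and is run from the Exchange Management Shell.

```powershell
# Added example (not from the original article): apply the download-domain
# settings to every OWA virtual directory and verify the org-wide state.
# Assumed value: the article's download domain.
$DownloadDomain = 'attachment.mail.techijack.net'

function Set-DownloadDomainConfig {
    # Idempotent version of Steps 1 and 2: only changes vdirs that differ.
    # Returns the servers whose vdir changed, i.e. where iisreset (Step 3) is still needed.
    param([string]$HostName)
    $serversToReset = @()
    # Without -Server, Get-OwaVirtualDirectory returns the OWA vdir of every Mailbox server.
    foreach ($vdir in Get-OwaVirtualDirectory) {
        $internal = "$($vdir.InternalDownloadHostName)"
        $external = "$($vdir.ExternalDownloadHostName)"
        if ($internal -ne $HostName -or $external -ne $HostName) {
            Set-OwaVirtualDirectory -Identity $vdir.Identity `
                -InternalDownloadHostName $HostName `
                -ExternalDownloadHostName $HostName
            $serversToReset += "$($vdir.Server)"
        }
    }
    if (-not (Get-OrganizationConfig).EnableDownloadDomains) {
        Set-OrganizationConfig -EnableDownloadDomains $true
    }
    $serversToReset | Sort-Object -Unique
}

function Test-DownloadDomainConfig {
    # Mirrors what the Health Checker looks at: the org flag plus every vdir's host names.
    param([string]$HostName)
    $vdirResults = Get-OwaVirtualDirectory | ForEach-Object {
        $internal = "$($_.InternalDownloadHostName)"
        $external = "$($_.ExternalDownloadHostName)"
        [pscustomobject]@{
            Server   = "$($_.Server)"
            Internal = $internal
            External = $external
            Pass     = ($internal -eq $HostName) -and ($external -eq $HostName)
        }
    }
    [pscustomobject]@{
        EnableDownloadDomains = [bool](Get-OrganizationConfig).EnableDownloadDomains
        AllVdirsConfigured    = -not ($vdirResults | Where-Object { -not $_.Pass })
        VirtualDirectories    = @($vdirResults)
    }
}

$changed = Set-DownloadDomainConfig -HostName $DownloadDomain
foreach ($server in $changed) { Write-Host "Run iisreset on $server to apply the OWA change." }

$state = Test-DownloadDomainConfig -HostName $DownloadDomain
$state.VirtualDirectories | Format-Table -AutoSize
"EnableDownloadDomains: $($state.EnableDownloadDomains); all OWA vdirs configured: $($state.AllVdirsConfigured)"
```

Both conditions must be true before the finding clears: a vdir left on the old value, or EnableDownloadDomains still false, reproduces the Health Checker result shown at the start of the article. Re-run the Health Checker after the iisreset on each listed server.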
Conclusion
It is important to keep your Microsoft Exchange Server environment up to date and secure.
Here we addressed CVE-2021-1730, but whenever you find a vulnerability in your Exchange environment, it is important to fix it immediately.
CVE-2021-1730 is not fixed automatically when you install a Cumulative Update or a security update for Microsoft Exchange; it must be fixed manually.