
Configure Download Domains in Microsoft Exchange

Protect Microsoft Exchange From CVE-2021-1730 Vulnerability

Configure Download Domains on Microsoft Exchange to Address CVE-2021-1730

Microsoft Exchange is affected by the vulnerability CVE-2021-1730, so you need to configure download domains for your Exchange organization.

You might assume that your Exchange Server is safe because the latest Cumulative Update (CU) and Exchange Security Update (SU) are installed.

Installing the latest CU and SU alone does not mean that your Exchange Server is not vulnerable.

If you run the Health Checker script, it will still report CVE-2021-1730 because no download domain is configured.

This article therefore walks you through configuring download domains for your Exchange Server to address CVE-2021-1730.

By configuring download domains for Microsoft Exchange, you protect your Exchange Server from malicious actors exploiting this vulnerability.


What is CVE-2021-1730 Vulnerability?

CVE-2021-1730 is a spoofing vulnerability in Exchange Server 2016 and 2019. Exploiting it could allow a malicious actor to impersonate a user.

To address CVE-2021-1730, Microsoft recommends that all Exchange customers configure download domains so that inline images are served from a different DNS domain instead of the OWA domain.

Following this best practice therefore means configuring your download domains correctly.


How to find CVE-2021-1730 Vulnerability with Health Checker Script

To find the CVE-2021-1730 vulnerability, download and run the Exchange Health Checker script and generate the HTML report.

In our case, we downloaded the script to the script folder on the C: drive and ran it.

If you have not configured download domains for your Exchange Server, you will see the result below after generating the HTML report from HealthChecker.ps1.

Exchange health checker result

You can see that the Exchange security vulnerability for download domains has been detected.
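The Health Checker report reduces to two settings you can read yourself from the Exchange Management Shell. The function below is an added example, not part of the article or of the Health Checker script; it uses the real cmdlets and properties the article relies on (Get-OrganizationConfig, Get-OwaVirtualDirectory, EnableDownloadDomains, the *DownloadHostName values), while the function name and the output layout are my own. It also goes one step beyond the article by flagging a download host name that is identical to an OWA host name, since serving images from the same origin as OWA defeats the purpose of the setting.

```powershell
# Added example (not from the article): reproduce the CVE-2021-1730 check with
# the cmdlets the article uses. Function name and output shape are my own;
# the cmdlets and property names are the real Exchange ones.
function Test-ExchangeDownloadDomains {
    [CmdletBinding()]
    param()

    $org     = Get-OrganizationConfig
    $enabled = [bool]$org.EnableDownloadDomains

    foreach ($vdir in Get-OwaVirtualDirectory) {
        # Host names OWA itself is reached on. The download domain must differ
        # from both; otherwise inline images are still served from the OWA origin.
        $owaHosts = @($vdir.InternalUrl, $vdir.ExternalUrl) |
            Where-Object { $_ } | ForEach-Object { $_.Host.ToLower() }

        $internal = $vdir.InternalDownloadHostName
        $external = $vdir.ExternalDownloadHostName

        $issues = @()
        if (-not $enabled)  { $issues += 'EnableDownloadDomains is $false' }
        if (-not $internal) { $issues += 'InternalDownloadHostName not set' }
        elseif ($owaHosts -contains $internal.ToLower()) { $issues += 'InternalDownloadHostName equals an OWA host name' }
        if (-not $external) { $issues += 'ExternalDownloadHostName not set' }
        elseif ($owaHosts -contains $external.ToLower()) { $issues += 'ExternalDownloadHostName equals an OWA host name' }

        [pscustomobject]@{
            Identity                 = $vdir.Identity
            EnableDownloadDomains    = $enabled
            InternalDownloadHostName = $internal
            ExternalDownloadHostName = $external
            Cve20211730Mitigated     = ($issues.Count -eq 0)
            Issues                   = ($issues -join '; ')
        }
    }
}

# One row per OWA virtual directory; Cve20211730Mitigated is $true only when
# download domains are enabled and both host names are set and distinct from OWA.
Test-ExchangeDownloadDomains | Format-Table -AutoSize
```

Run it from the Exchange Management Shell on any server in the organization; the Issues column tells you which of the settings the later steps of this article still need to change.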


Considerations Before Configuring Download Domains

Configuring download domains affects inline images only in Outlook on the web (OWA).

It has no effect on inline images in mobile devices or the Microsoft Outlook desktop application.

Before you configure download domains, you must configure the internal and external DNS records for Exchange.

For internal DNS, create a CNAME record and point it to the main Exchange namespace you use for OWA.

In our case, we are using the namespace mail.techijack.net for OWA.

So, we will create a CNAME record named attachment and point it to the OWA DNS name, so the FQDN will be attachment.mail.techijack.net.

The image below shows our CNAME record attachment pointing to mail.techijack.net in internal DNS.

dns setting for download domains

You also need to create the same CNAME record in your public DNS.

To add the CNAME record to your public domain, log on to the DNS management console at your domain registrar.

The image below shows the CNAME record in public DNS.

public dns cname record

Another important requirement is that your Exchange SAN certificate must include the name of your download domain.

As mentioned, in our case the download domain is attachment.mail.techijack.net.

So your SSL SAN certificate must list this name among its subject alternative names.

The image below shows the SAN certificate configured for the download domain attachment.mail.techijack.net.

download domains san certificate

Once the above prerequisites are in place, you are ready to configure download domains for the Exchange Server.
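Both prerequisites, the CNAME record and the SAN entry, can be verified from the Exchange server before you touch any OWA setting. The script below is an added example, not from the article; the host names are the article's, the function name is my own, and it uses Resolve-DnsName (DnsClient module, present on the Windows Server versions Exchange 2016/2019 run on) and Get-ExchangeCertificate, whose CertificateDomains and Services properties are the real ones. The -DnsServer switch lets you repeat the DNS part against a public resolver to confirm the external record as well as the internal one.

```powershell
# Added example (not from the article): pre-flight check for the download
# domain prerequisites. Function name is my own; cmdlets and properties are real.
function Test-DownloadDomainPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $DownloadHostName,   # e.g. attachment.mail.techijack.net
        [Parameter(Mandatory)] [string] $OwaHostName,        # e.g. mail.techijack.net
        [string] $DnsServer                                  # optional: resolver to query (e.g. a public one)
    )

    # --- DNS: expect a CNAME whose target is the OWA namespace ---
    $dnsParams = @{ Name = $DownloadHostName; Type = 'CNAME'; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $dnsParams.Server = $DnsServer }
    $cname = Resolve-DnsName @dnsParams |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $cnameTarget = if ($cname) { $cname.NameHost.TrimEnd('.').ToLower() } else { $null }
    $dnsOk = ($cnameTarget -eq $OwaHostName.ToLower())

    # --- Certificate: a certificate bound to IIS must carry the download host name as a SAN ---
    $iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
    $matchingCert = $iisCerts | Where-Object {
        ($_.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }) -contains $DownloadHostName.ToLower()
    } | Select-Object -First 1

    [pscustomobject]@{
        DownloadHostName = $DownloadHostName
        DnsServer        = if ($DnsServer) { $DnsServer } else { '(system resolver)' }
        CnameTarget      = $cnameTarget
        DnsOk            = $dnsOk
        CertThumbprint   = if ($matchingCert) { $matchingCert.Thumbprint } else { $null }
        CertExpires      = if ($matchingCert) { $matchingCert.NotAfter } else { $null }
        CertOk           = [bool]$matchingCert
        ReadyToConfigure = ($dnsOk -and [bool]$matchingCert)
    }
}

# Internal view via the server's own resolver, then the public view via a
# well-known public resolver (8.8.8.8 is only an example; use any external one).
Test-DownloadDomainPrerequisites -DownloadHostName 'attachment.mail.techijack.net' -OwaHostName 'mail.techijack.net'
Test-DownloadDomainPrerequisites -DownloadHostName 'attachment.mail.techijack.net' -OwaHostName 'mail.techijack.net' -DnsServer '8.8.8.8'
```

ReadyToConfigure is only true when the CNAME resolves to the OWA namespace and an IIS-enabled certificate already lists the download host name; if CertOk is false, renew or reissue the SAN certificate before proceeding, otherwise OWA will serve inline images from a host whose name the browser cannot validate.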


How to Configure Download Domains

Step 1. Configure the OWA virtual directory with the download domain host names for both internal and external access.

First, run the following cmdlet to check the current download host names:

Get-OwaVirtualDirectory | ft Identity,*DownloadHostName

You will get the result below:

current hostname for download domain

To configure the internal download host name for OWA, run the following cmdlet:

Set-OwaVirtualDirectory -Identity "EX01\owa (Default Web site)" -InternalDownloadHostName "attachment.mail.techijack.net"

For the external download host name:

Set-OwaVirtualDirectory -Identity "EX01\owa (Default Web site)" -ExternalDownloadHostName "attachment.mail.techijack.net"

After setting the host names, confirm the internal and external values; you will get the following result:

[PS] C:\Windows\system32>Set-OwaVirtualDirectory -Identity "EX01\owa (Default Web site)" -InternalDownloadHostName "attachment.mail.techijack.net"
[PS] C:\Windows\system32>Set-OwaVirtualDirectory -Identity "EX01\owa (Default Web site)" -ExternalDownloadHostName "attachment.mail.techijack.net"
[PS] C:\Windows\system32>Get-OwaVirtualDirectory | ft Identity,*DownloadHostName

Identity                    ExternalDownloadHostName      InternalDownloadHostName
--------                    ------------------------      ------------------------
EX01\owa (Default Web Site) attachment.mail.techijack.net attachment.mail.techijack.net

Step 2. Enable download domains by running the following cmdlet:

Set-OrganizationConfig -EnableDownloadDomains $true

Step 3. Reset Internet Information Services by typing iisreset.

Step 4. Test inline images by sending an email with an image attachment to one of your users and inspecting the image in Outlook on the web.

We sent an email with an image attachment to an internal user and inspected the image; it shows the result below.

Exchange download domains configured result

Now run the Exchange Health Checker script again to verify the changes.

You will get the following result:

rechecking healthchecker script

You can see that the vulnerability is no longer reported and EnableDownloadDomains is True.
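Steps 1 to 3 above are shown against a single server, EX01. In an organization with several mailbox servers each OWA virtual directory needs the same two host names, and IIS has to be reset on each server. The function below is an added example, not from the article: it applies the article's cmdlets (Set-OwaVirtualDirectory, Set-OrganizationConfig, iisreset) to every OWA virtual directory returned by Get-OwaVirtualDirectory, then re-reads the settings the way the article does. The function name and the -WhatIf dry-run support are my own; the separate external host name parameter is optional and defaults to the internal one, matching the article's setup.

```powershell
# Added example (not from the article): apply steps 1-3 to every OWA virtual
# directory, reset IIS once per server, and show the resulting configuration.
# Function name and -WhatIf handling are my own; cmdlets are the real ones.
function Enable-ExchangeDownloadDomains {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $InternalDownloadHostName,          # e.g. attachment.mail.techijack.net
        [string] $ExternalDownloadHostName = $InternalDownloadHostName,     # defaults to the internal name
        [switch] $RestartIis                                                # run iisreset on each affected server
    )

    $vdirs = Get-OwaVirtualDirectory

    # Step 1: set both host names on every OWA virtual directory in the organization
    foreach ($vdir in $vdirs) {
        if ($PSCmdlet.ShouldProcess($vdir.Identity, "Set download host names $InternalDownloadHostName / $ExternalDownloadHostName")) {
            Set-OwaVirtualDirectory -Identity $vdir.Identity `
                -InternalDownloadHostName $InternalDownloadHostName `
                -ExternalDownloadHostName $ExternalDownloadHostName
        }
    }

    # Step 2: organization-wide switch
    if ($PSCmdlet.ShouldProcess('OrganizationConfig', 'Set EnableDownloadDomains $true')) {
        Set-OrganizationConfig -EnableDownloadDomains $true
    }

    # Step 3: iisreset on each server that hosts an OWA virtual directory (once per server)
    if ($RestartIis) {
        $servers = $vdirs | ForEach-Object { $_.Server.ToString() } | Sort-Object -Unique
        foreach ($server in $servers) {
            if ($PSCmdlet.ShouldProcess($server, 'iisreset')) {
                & iisreset.exe $server
            }
        }
    }

    # Verification: the same view the article shows after step 1, plus the org setting
    Get-OwaVirtualDirectory | Format-Table Identity, *DownloadHostName -AutoSize
    Get-OrganizationConfig | Format-List EnableDownloadDomains
}

# Dry run first (prints what would change, changes nothing), then apply:
Enable-ExchangeDownloadDomains -InternalDownloadHostName 'attachment.mail.techijack.net' -WhatIf
Enable-ExchangeDownloadDomains -InternalDownloadHostName 'attachment.mail.techijack.net' -RestartIis
```

Because iisreset briefly interrupts OWA, ECP and EWS on each server, run the -RestartIis pass in a maintenance window, or omit the switch and reset IIS per server when convenient; the host-name and organization settings themselves are applied immediately either way.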


Conclusion

It is important to keep your Microsoft Exchange Server environment up to date and secure.

Here we addressed CVE-2021-1730, but whenever you find a vulnerability in your Exchange environment, it is important to fix it immediately.

CVE-2021-1730 is not fixed automatically when you install a Cumulative Update or a security update for Microsoft Exchange; it must be fixed manually.


Vikas Jakhmola

Vikas Jakhmola, the founder of Techijack, has over 15 years of experience in the IT industry.
