New Exchange Zero Day


Michael B. Smith

Sep 30, 2022, 10:19:21 AM

tl;dr: if you don’t expose IIS on Exchange to the internet, you aren’t at risk. Otherwise you need to remediate quickly.





Michael B. Smith

Managing Consultant

Smith Consulting, LLC


Steve Saporito

Sep 30, 2022, 3:31:53 PM
If it's helpful I crafted some line commands that can quickly create the Rewrite rule. So far as I can tell the below creates the exact same rule as the manual procedure. I used the procedure from Adam The Automator here. Then used the information in the web.config file on a server with a manually created rule to craft the commands. The URL rewrite module should be installed on 2019 server as it was required in previous updates. I don't think the same is true for earlier versions, but provided the module is installed, you should be able to rapidly paste the commands into a PowerShell window on the Exchange server.

If you see any issues with this let me know, as I'll want to backtrack it in my own environment.

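# Load the IIS cmdlets used below.
Import-Module WebAdministration

# Assumption (not in the original post): $site was never defined there.
# Set it to the IIS site the rule belongs on, for example:
$site = 'IIS:\Sites\Default Web Site'

# Create the rule:

Add-WebConfigurationProperty -pspath $site -filter "system.webserver/rewrite/rules" -name "." -value @{name='RequestBlockingRule1';patternSyntax='ECMAScript';stopProcessing='True'}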


# Add/Set the URL match:

Set-WebConfigurationProperty -pspath $site -filter "system.webserver/rewrite/rules/rule[@name='RequestBlockingRule1']/match" -name url -value ".*"


# Add/Set the condition:

Add-WebConfigurationProperty -pspath $site -filter "system.webserver/rewrite/rules/rule[@name='RequestBlockingRule1']/conditions" -name "." -value @{input="{REQUEST_URI}";pattern=".*autodiscover\.json.*\@.*Powershell.*";ignoreCase="true";negate="false"}


# Add the action(s)

Set-WebConfigurationProperty -pspath $site -filter "system.webServer/rewrite/rules/rule[@name='RequestBlockingRule1']/action" -name "type" -value "CustomResponse"

Set-WebConfigurationProperty -pspath $site -filter "system.webServer/rewrite/rules/rule[@name='RequestBlockingRule1']/action" -name "statusCode" -value 403

Set-WebConfigurationProperty -pspath $site -filter "system.webServer/rewrite/rules/rule[@name='RequestBlockingRule1']/action" -name "statusReason" -value "Forbidden: Access is denied."

Set-WebConfigurationProperty -pspath $site -filter "system.webServer/rewrite/rules/rule[@name='RequestBlockingRule1']/action" -name "statusDescription" -value "You do not have permission to view this directory or page using the credentials that you supplied."
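
A read-back check for the rule created by the commands above, added here as an example and not part of the original post. It assumes the rule sits on `IIS:\Sites\Default Web Site` (adjust to the `$site` you used); the request URIs are constructed samples, and the .NET regex engine is used as a stand-in for the URL Rewrite matcher.

```powershell
Import-Module WebAdministration

# Assumptions: same site path and rule name that were used to create the rule.
$site        = 'IIS:\Sites\Default Web Site'
$filter      = "system.webServer/rewrite/rules/rule[@name='RequestBlockingRule1']"
$wantPattern = '.*autodiscover\.json.*\@.*Powershell.*'   # pattern from the post

# 1. Read the rule back from the IIS configuration.
$rule = Get-WebConfiguration -PSPath $site -Filter $filter
if (-not $rule) { throw "RequestBlockingRule1 not found at $site" }
$cond   = @(Get-WebConfiguration -PSPath $site -Filter "$filter/conditions/add")
$action = Get-WebConfiguration -PSPath $site -Filter "$filter/action"

# 2. Compare what is configured with what the commands were meant to set.
$checks = [ordered]@{
    'exactly one condition'  = ($cond.Count -eq 1)
    'input is {REQUEST_URI}' = ($cond[0].input -eq '{REQUEST_URI}')
    'pattern as posted'      = ($cond[0].pattern -ceq $wantPattern)
    'ignoreCase is true'     = ([bool]$cond[0].ignoreCase)
    'negate is false'        = (-not [bool]$cond[0].negate)
    'action CustomResponse'  = ("$($action.type)" -eq 'CustomResponse')
    'status code 403'        = ([int]$action.statusCode -eq 403)
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-24} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISMATCH' })
}

# 3. Offline check of the pattern against constructed URIs.
#    Key = request URI, value = whether the rule is expected to block it.
$re = [regex]::new($wantPattern, 'IgnoreCase, ECMAScript')
$samples = [ordered]@{
    '/autodiscover/autodiscover.json?@example.test/powershell' = $true
    '/AutoDiscover/AUTODISCOVER.JSON?a@b/PowerShell'           = $true
    '/autodiscover/autodiscover.json?Email=user@example.test'  = $false
    '/powershell'                                              = $false
    '/owa/'                                                    = $false
}
foreach ($s in $samples.GetEnumerator()) {
    $blocked = $re.IsMatch($s.Key)
    $verdict = if ($blocked -eq $s.Value) { 'as expected' } else { 'UNEXPECTED' }
    '{0,-60} blocked={1,-5} {2}' -f $s.Key, $blocked, $verdict
}
```

Any `MISMATCH` or `UNEXPECTED` line means the configured rule differs from the one the posted commands describe.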
