Re: I'm already using zero trust with Exchange
See, this is a great approach till I read this:
https://learn.microsoft.com/en-us/powershell/exchange/control-remote-powershell-access-to-exchange-servers?view=exchange-ps
Especially THIS bit:
"By default, all user accounts have access to remote PowerShell."
Wait, what? It is qualified by:
"However, to actually use remote PowerShell to connect to an Exchange server, the user needs to be a member of a management role group, or be directly assigned a management role that enables the user to run Exchange cmdlets."
Riiiight. So how about doing THIS instead:
USER->SERVER: Hi, I want to use PowerShell, totally not to pwn the server.
SERVER->USER: credentials please.
USER->SERVER: No
SERVER->USER: .......
rather than
USER->SERVER: Hi, I want to use PowerShell, totally not to pwn the server.
SERVER->USER: Sure, here is PowerShell, please log in.
USER->SERVER: <sends exploit instead of PowerShell credentials>
And the fix? Surely you could set the default to deny and allow a select few? Nope! You can't set a default; you need to explicitly deny individual users! Insane.
We run hybrid, so we need an Exchange server for management. However, the Exchange server is nicely locked away on its own subnet, and external access is only granted from Microsoft 365 IPs. Not perfect, but it stops others knocking on the door.
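One defender-side way to turn that "explicitly deny individual users" into something repeatable, as an added example and not code from the post above: keep remote PowerShell for direct members of the management role groups listed in $KeepGroups (an assumed list, adjust to your own groups) and switch it off for every other user, as a dry run first.

```powershell
# Added example, not from the original post. Assumes an Exchange Management Shell
# session with rights to run Get-User, Set-User and Get-RoleGroupMember.
# $KeepGroups is an assumption: the role groups whose members should keep access.
$KeepGroups = @('Organization Management', 'Recipient Management')

# Build the allow-list from direct role group members, keyed on DistinguishedName.
# Nested group membership is not expanded here; expand it yourself if you rely on it.
$Allowed = @{}
foreach ($group in $KeepGroups) {
    Get-RoleGroupMember -Identity $group | ForEach-Object {
        $Allowed[$_.DistinguishedName] = $true
    }
}

# Everyone still on the default (enabled) who is not on the allow-list gets an
# explicit deny, because there is no org-wide "deny by default" switch to flip.
$Candidates = Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -and -not $Allowed.ContainsKey($_.DistinguishedName) }

foreach ($u in $Candidates) {
    # -WhatIf makes this a dry run; remove it once the candidate list looks right.
    Set-User -Identity $u.Identity -RemotePowerShellEnabled $false -WhatIf
}

# Audit afterwards: whatever is still enabled should be only the admins you expect.
Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled } |
    Select-Object Name, RecipientTypeDetails
```

Run the audit query on a schedule as well, since newly created accounts come in with the default (enabled) value and will not be covered by a one-off pass.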