Hello. In this article I will explain why it is important to close access to the ECP (Exchange Control Panel) of Microsoft Exchange Server from the outside world, and how to do it.
ECP is a web interface that simplifies many tasks for Exchange Server administrators. However, this convenience is also an attack surface. An ECP that is reachable from the outside world is in particular exposed to brute force attacks. It is therefore critical to limit ECP access and allow only authorized users to reach it.
Why Restrict ECP Access in Exchange Server
Having ECP accessible from anywhere can leave your system open to serious security threats, such as:
- Brute Force Attacks: Attackers can use the ECP login form to make repeated password guesses against user accounts.
- Unauthorized Access: An ECP left open could give unauthorized persons access to sensitive administrative tools.
To prevent such threats, it is recommended that you close ECP access to the outside world. There are several ways to limit ECP access:
- Using a firewall or WAF (best method).
- IP and Domain Restrictions in IIS (alternative method).
You can also do this with a Client Access Rule, as described in Blocking ECP and Remote PowerShell in Exchange Server.
Disable Exchange Server ECP Access via IIS
ECP access is managed on the Exchange Server Mailbox role server, in the Client Access (Frontend) service. To restrict it, we will use the IIS IP and Domain Restrictions module.
Installing the IP and Domain Restrictions Module
If this module is not installed on your system, you can install it by following the steps below:
- Open Server Manager.
- Click Add Roles and Features.
- Follow the path Server Roles > Web Server (IIS) > Web Server > Security > IP and Domain Restrictions.
- Select that option and complete the installation.

Steps to Limit Exchange Server ECP Access
Once the installation is complete, you can limit ECP access by following these steps:
- Open the IIS console:
  - On the command line, type inetmgr to open the IIS management console.
- Access the ECP directory:
  - Follow the path IIS > Default Web Site > ECP.
  - Click the IP Address and Domain Restrictions module.
- Edit the general settings:
  - In the Actions pane on the right, click Edit Feature Settings.
  - Change the Access for unspecified clients option to Deny.
  - Set the Deny Action Type option to “Abort”.

If no IP address is allowed through IIS, access to the Exchange Server ECP page will be blocked from everywhere.
- Identify authorized IP addresses:
  - Add authorized IP addresses with the Add Allow Entry option.
    - Specific IP Address: allows a single IP address.
    - IP Address Range: used to define a specific IP range.
Recommendation: grant access only to the servers where Exchange Server is installed or to management IPs.

Single IP Address:
You can allow local access only by using the address 127.0.0.1.
IP Range:
To allow a specific range, you can use the following format: 192.168.1.0 - 192.168.1.255

You need to restart IIS to apply the changes:
- Open a command prompt with administrator privileges (Run as Administrator) and run the following command:
IISRESET
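The same configuration can be applied from PowerShell, which is useful when you have several Mailbox servers to harden consistently. The script below is an added example and is not part of the original post: it installs the module if it is missing, denies unlisted clients on the frontend ECP virtual directory with the "Abort" deny action, and adds the allow entries from the steps above. The WebAdministration cmdlets, feature name and enum values are the real ones; the management subnet is a placeholder. Note that IIS stores a range as an address plus a mask, so the range 192.168.1.0 - 192.168.1.255 becomes 192.168.1.0 with subnetMask 255.255.255.0.

```powershell
# Added example: restrict ECP access with the IIS IP and Domain Restrictions module.
# Assumes the frontend ECP virtual directory is "Default Web Site/ecp" (the Exchange default)
# and that 192.168.1.0/24 is a placeholder for your own management subnet.
Import-Module ServerManager
Import-Module WebAdministration

# 1. Install the IP and Domain Restrictions module (feature name Web-IP-Security) if it is missing.
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security
}

$ecpPath = 'IIS:\Sites\Default Web Site\ecp'
$filter  = 'system.webServer/security/ipSecurity'

# 2. Deny every client that is not explicitly listed, and close the connection instead of
#    serving an error page (this is the "Abort" deny action type from the IIS dialog).
Set-WebConfigurationProperty -PSPath $ecpPath -Filter $filter -Name allowUnlisted -Value $false
Set-WebConfigurationProperty -PSPath $ecpPath -Filter $filter -Name denyAction   -Value 'AbortRequest'

# 3. Allow list: loopback for local testing, plus the management subnet.
#    Add @{ ipAddress = '::1' } as well if your local tests resolve localhost to IPv6.
$allowList = @(
    @{ ipAddress = '127.0.0.1' },                                  # single IP address
    @{ ipAddress = '192.168.1.0'; subnetMask = '255.255.255.0' }   # IP range 192.168.1.0 - 192.168.1.255 (placeholder)
)

foreach ($entry in $allowList) {
    # Skip entries that already exist so the script can be re-run safely.
    $existing = Get-WebConfigurationProperty -PSPath $ecpPath `
        -Filter "$filter/add[@ipAddress='$($entry.ipAddress)']" -Name allowed
    if ($null -eq $existing) {
        Add-WebConfigurationProperty -PSPath $ecpPath -Filter $filter -Name '.' `
            -Value ($entry + @{ allowed = $true })
    }
}

# 4. Restart IIS so the new restriction takes effect (same as running IISRESET by hand).
iisreset
```

Run it in an elevated PowerShell session on each Mailbox server. Because the change is written to the site's web.config under the ecp application, it applies only to the frontend ECP and not to the "Exchange Back End" site on port 444, which Exchange itself uses.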
Verify the ECP Shutdown
Once you have completed the settings, you can verify the result with the following steps:
When you try to open the localhost/ECP or FQDN/ecp page from an IP address that is not allowed, you should see a warning like the one below.
- Local testing:
  - Check access by going to https://localhost/ecp.
- External testing:
  - Try to access ECP from a non-authorized IP address. If the restriction is working, you should see a “403 – Forbidden” error page.
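The check can also be scripted, which is handy after an IISRESET or a cumulative update that may have rewritten web.config. This is an added example, not from the original post: it reads the effective ipSecurity settings back from the ECP virtual directory and probes the URL. One caveat worth knowing: with the deny action set to "Abort", IIS closes the connection rather than serving a page, so a blocked client sees a connection error instead of a 403; the 403 page only appears when the deny action is "Forbidden". The function below treats both as a successful block. The $Url value is a placeholder for your own FQDN.

```powershell
# Added example: read back the ECP IP restriction and probe the page.
# Assumes the restriction was applied to "Default Web Site/ecp" as in the steps above.
Import-Module WebAdministration

$ecpPath = 'IIS:\Sites\Default Web Site\ecp'
$filter  = 'system.webServer/security/ipSecurity'

# 1. Show the effective settings so a mismatch (e.g. allowUnlisted still True) is obvious.
$ipsec = Get-WebConfiguration -PSPath $ecpPath -Filter $filter
"allowUnlisted = $($ipsec.allowUnlisted)   denyAction = $($ipsec.denyAction)"
Get-WebConfiguration -PSPath $ecpPath -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed | Format-Table -AutoSize

# 2. Probe the page and classify the outcome.
function Test-EcpAccess {
    param([string]$Url = 'https://localhost/ecp')   # placeholder; use https://<your FQDN>/ecp from a remote client
    try {
        # A self-signed certificate makes this call fail on Windows PowerShell 5.1;
        # on PowerShell 7 add -SkipCertificateCheck for lab use, or test against the real FQDN.
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        # An allowed client is normally redirected to the OWA logon page and ends with HTTP 200.
        return "ALLOWED (HTTP $([int]$r.StatusCode))"
    } catch {
        $resp = $_.Exception.Response
        if (-not $resp) {
            # No HTTP response at all: the connection was closed, which is what denyAction=AbortRequest does.
            return "BLOCKED (connection closed: $($_.Exception.Message))"
        }
        if ([int]$resp.StatusCode -eq 403) {
            # Served a 403 page: denyAction=Forbidden.
            return 'BLOCKED (403 Forbidden)'
        }
        return "UNEXPECTED (HTTP $([int]$resp.StatusCode))"
    }
}

Test-EcpAccess                                   # local test from the server itself (127.0.0.1 is allowed)
# Test-EcpAccess -Url 'https://mail.example.com/ecp'   # run this from a non-authorized client to confirm the block
```

Run the local call on the server, where it should report ALLOWED, and the second call from a machine outside the allow list, where it should report BLOCKED. Anything reported as UNEXPECTED (for example HTTP 500) points at a problem other than the IP restriction.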

To increase the security of your Exchange Server infrastructure, it is critical to close ECP access to the outside world. This is especially effective in preventing brute force attacks and unauthorized access. If more comprehensive solutions such as a firewall or WAF cannot be used, you can manage this access with the IP and Domain Restrictions module in IIS.