Supported platform(s): - As for the Backend, all the applications include the Rehydration Module, which is in charge of parsing Frontend requests, populating the client information back, and continuing to process the business logic. ProxyShell consists of 3 vulnerabilities: CVE-2021-34473 - Pre-auth Path Confusion leads to ACL Bypass. ProxyLogon : PoC Exploit for Microsoft Exchange 2021 - Kali Linux Tutorials A separate data set compiled by security firm Kryptos Logic found 62,018 servers vulnerable to CVE-2021-26855, the server-side request forgery flaw that allows initial access to Exchange servers. The key actions here are to ensure you have patched, that your exchange services are running antimalware, that you conduct a thorough investigastion and digital forensic analysis. Microsoft Exchange Server ProxyLogon and the Hafnium Attacks All components are vulnerable by default. Obtained HTTP response code for . Default: POST, Use the IIS root dir as alternate path. For instance, visiting /EWS will use EwsProxyRequestHandler, as for /OWA will trigger OwaProxyRequestHandler. This is required because the If a threat actor has got RCE then they will likely not have simply dropped a webshell and forgotten about it! The vulnerability was so impactful, yet its a simple one and located at such an early stage. So I was wondering: Could I use a single HTTP request to access different contexts in Frontend and Backend respectively to cause some confusion? Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. We will have more examples to come. A known email address for this organization. Each server represents a company, and you can imagine how horrible it is while a severe vulnerability appeared in Exchange Server. This script is intended to be run via an elevated Exchange Management Shell. Here is how the scanner/http/exchange_proxylogon auxiliary module looks in the msfconsole: This is a complete list of options available in the scanner/http/exchange_proxylogon auxiliary module: Here is a complete list of advanced options supported by the scanner/http/exchange_proxylogon auxiliary module: This is a list of all auxiliary actions that the scanner/http/exchange_proxylogon module can do: Here is the full list of possible evasion options supported by the scanner/http/exchange_proxylogon auxiliary module in order to evade defenses (e.g. python proxylogon.py primary administrator@lab.local. Server that allows an attacker bypassing the authentication, List of CVEs: CVE-2021-26855, CVE-2021-27065. For list of all metasploit modules, visit the Metasploit Module Library. The most impressive thing is that the Frontend of Exchange will generate a Kerberos Ticket for us, which means even when we are attacking a protected and domain-joined HTTP service, we can still hack with the authentication of Exchange Machine Account. Pivoting in Metasploit | Metasploit Documentation Penetration Testing "[OwaResourceProxyRequestHandler::ResolveAnchorMailbox]: AnonResourceBackend cookie used: {0}; context {1}.". This cookie is a quick solution and the design debt of Exchange making the Frontend in the new architecture could identify where the old Backend is. The most common module that is utilized is the "exploit" module which contains all of the exploit code in the Metasploit database.The "payload" module is used hand in hand with the exploits - they contain the various bits of shellcode we send to have executed, following exploitation.The "auxiliary" module is commonly used in scanning and verification tasks that verify whether a machine is . CMS Vulnerability Scanners for WordPress, Joomla, Drupal, Moodle, Typo3.. Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010). MetaSploit - Microsoft Exchange Hafnium ProxyLogon Honeypot - YouTube The Proxy Module picks up the HTTP request from the client side and adds some internal settings, then forwards the request to the Backend. List of CVEs: CVE-2021-26855, CVE-2021-27065. After several renaming, integrating, and version differences, CAS has been downgraded to a service under the Mailbox Role. In recent weeks, Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in a ubiquitous global attack. not the first time that something like this happened to Microsoft, ProxyLogon: The most well-known and impactful Exchange exploit chain, ProxyOracle: The attack which could recover any password in plaintext format of Exchange users, ProxyShell: The exploit chain we demonstrated at. From the narrative you could realize the importance of CAS, and you could imagine how critical it is when bugs are found in such infrastructure. Become a Penetration Tester vs. Bug Bounty Hunter? The CAS web is built on Microsoft IIS. You signed in with another tab or window. Exch-CVE-2021-26855 ProxyLogon is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution All affected components are vulnerable by The world's most used penetration testing framework Knowledge is power, especially when it's shared. The HoneyPot is located in the UK, we will continue to monitor and update on the situation. 32, Sec. So far we now have a working RCE exploit in the wild (python) and now an MSF module. Please keep this question in mind and we will answer that later. As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server. And as you can see, even in 2020, a silly, hard-coded cryptographic key could still be found in an essential software like Exchange. The first exploit is the ProxyLogon. How to Prevent, Detect and Remediate ProxyLogon - Praetorian impersonating as the admin (CVE-2021-26855) and write A collaboration between the open source community and Rapid7, Metasploit helps security teams do more than just verify vulnerabilities, manage security assessments, and improve security awareness; it empowers and arms defenders to always stay one step (or two) ahead of the game. These vulnerabilities cover from server side, client side, and even crypto bugs. Number of Exchange Servers Vulnerable to ProxyLogon Declines This year, JURIX conference on Legal Knowledge and Information Systems will be hosted in Saarbrcken, Germany. The most special one is the arsenal from Equation Group in 2017. 253: fail_with(Failure::NotFound, 'No \'Server ID\' was found') if server.nil? This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, This indicated that Exchange is lacking security reviews, which also inspired me to dig more into the Exchange security. bypass authentication by sending specially crafted HTTP requests. Why your exploit completed, but no session was created? Based on our research, there are more than four hundred thousands Exchange Servers exposed on the Internet. ExchangePathBase option)" error message: Here is a relevant code snippet related to the "No 'ASP.NET_SessionId' was found" error message: Here is a relevant code snippet related to the "No 'msExchEcpCanary' was found" error message: Here is a relevant code snippet related to the "No 'OAB Id' was found" error message: Here is a relevant code snippet related to the "Dumping command output in response" error message: Here is a relevant code snippet related to the "Empty response, no command output" error message: Check also the following modules related to this module: This page has been produced using Metasploit Framework version 6.2.23-dev. Microsoft Exchange ProxyLogon Remote Code Execution. If the arsenal leak happened earlier, it could end up with another nuclear-level crisis. error message: Here is a relevant code snippet related to the "Could't obtain a correct 'X-CalculatedBETarget' in the response header." We chained these vulnerabilities into 3 attacks: ProxyLogon: The most well-known and impactful Exchange exploit chain. The last two weeks weve seen major activity around the world with defenders and criminals rushing to respond to the recent zero day vulnerability patches and then the race to reverse engineer the kill chain to create an explot. ProxyLogon is Just the Tip of the Iceberg: A New . CAS is the fundamental component in charge of accepting all the connections from the client side, no matter if its HTTP, POP3, IMAP or SMTP, and proxies the connections to the corresponding Backend Service. If we could do that, maaaaaybe I could bypass some Frontend restrictions to access arbitrary Backends and abuse some internal API. ProxyShell vulnerabilities and your Exchange Server ProxyLogon is the name given to CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate users. preparation If not set, the automatic method will use an RPC call to detect the backend server FQDN. conditions that may have papule as a symptom schaumburg carnival woodfield. This module scan for a vulnerability on Microsoft Exchange Security Advisory Services. Default: owa\auth, The base path where IIS wwwroot directory is. Zero Day Initiative From Pwn2Own 2021: A New Attack Surface on They could then chain that weakness together with CVE-2021-27065, another 0-day identified by Microsoft in its security advisory, in order to achieve code execution. This module exploit a vulnerability on Microsoft Exchange As the most common-use email solution, Exchange Server has been the top target for hackers for a long time. It also has a progress bar and some performance tweaks to make the CVE-2021-26855 test run much faster. It might have different functions in different versions even with the same component under the same name. This attack surface could lead the hackers or security researchers to more vulnerabilities. https://[foo]@example.com:443/path#]:444/owa/auth/x.js. This page contains detailed information about how to use the exploit/windows/http/exchange_proxylogon_rce metasploit module. With this hard-coded key, an attacker with low privilege can take over the whole Exchange Server. Saarland University has been chosen as a local organizer of JURIX 2022. As dangerous attacks accelerate against Microsoft Exchange. The last two weeks we've seen major activity around the world with defenders and criminals rushing to respond to the recent zero day vulnerability patches and then the race to reverse engineer the kill chain to create an explot. 75: print_error(message('No response, target seems down. If you were paying attention to the industry news, you must have heard it. Usage ProxyOracle: The attack which could recover . For more modules, visit the Metasploit Module Library. This can often times help in identifying the root cause of the problem. Understanding ProxyLogon Vulnerabilities and How to Secure Them ProxyLogon: Zero-Day Exploits In Microsoft Exchange Server - Radware Normally, I will review the existing papers and bugs before starting a research. Metasploit - TryHackMe Complete Walkthrough Complex Security chain used to perform an RCE (Remote Code Execution). I would like to state that all the vulnerabilities mentioned have been reported via the responsible vulnerability disclosure process and patched by Microsoft. 421: print_warning('Waiting for the payload to be available'), 425: fail_with(Failure::PayloadFailed, 'Could\'t access the remote backdoor (see. Why your exploit completed, but no session was created? This post is intended to provide technical details and indicators of compromise to help the community in responding . ProxyLogon is a vulnerability that impacts the Microsoft Exchange Server. Exchange will also generate a Kerberos ticket via the HTTP Service-Class of the Backend and put it in the Authorization header. A New Attack Surface on MS Exchange Part 2 - ProxyOracle! About EUROGRAPHICS 2023. ProxyLogon There are several modules in Frontend and Backend to complete different tasks, such as the filter, validation, and logging. ProxyLogon is chained with 2 bugs: There are more than 20 handlers corresponding to different application paths in the Frontend. We saw a PoC fairly early but it required that you reverse engineer some exchange DLLs and/or TAP the 443 to 444 interface on an exchange server to work out how to weaponise it. For instance, if the entrance of Exchange is 0, and 100 is the core business logic, ProxyLogon is somewhere around 10. This section will also serialize the information from the current login user and put it in a new HTTP header X-CommonAccessToken, which will be forwarded to the Backend later. CMS Vulnerability Scanners for WordPress, Joomla, Drupal, Moodle, Typo3.. As a Web Security researcher, I focused on the Web implementation of CAS. Last modification time: 2022-02-23 16:27:12 +0000 Threat intelligence vendor RiskIQ told SearchSecurity that it found 15,100 vulnerable servers in June. Therefore, Exchange has defined a blacklist to avoid some internal Headers being misused. || oab_id.empty? Supported architecture(s): - For instance, If I log into Outlook Web Access (OWA) with the name Orange, the X-CommonAccessToken that Frontend proxy to Backend will be: The Proxy Section first uses the GetTargetBackendServerURL method to calculate which Backend URL should the HTTP request be forwarded to. Metasploit Wrap-Up - Vulners Database In other words, controlling a mail server means controlling the lifeline of a company. vulnerability to get code execution (CVE-2021-27065). Proxylogon Metasploit - proxyedge2.web.fc2.com Cyble ProxyLogon Vulnerability - A Cybersecurity Nightmare proxyshell vs proxylogon While verifying the DDI implementation, we found the tag of WriteFileActivity did not check the file path properly and led to an arbitrary-file-write. GitHub removed ProxyLogon exploit and has been criticized The emergence of several zero-day exploits relating to ProxyLogon, a Microsoft Exchange Server vulnerability that was discovered in late 2020, has allowed several threat actors to carry out attacks against unpatched systems. We look into how by investigating its exploit of Microsoft Exchange Server vulnerabilities, ProxyLogon and ProxyShell. We have presented our research at Black Hat USA and DEFCON, and won the Best Server-Side bug of Pwnie Awards 2021. This vulnerability is part of an attack The Default Website is the Frontend we mentioned before, and the Exchange Backend is where the business logic is. Microsoft has put great effort into ensuring the architectural capability between new and old versions. Weve got this spun up in the lab and are testing. For list of all metasploit modules, visit the Metasploit Module Library. Though we can only control the Host part of the URL, but hang on, isnt manipulating a URL Parser exactly what I am good at? Meanwhile, 48,355 servers were vulnerable to all three ProxyShell flaws. Because we leverage the Frontend handler of static resources to access the ECExchange Control Panel (ECP) Backend, the header msExchLogonMailbox, which is a special HTTP header in the ECP Backend, will not be blocked by the Frontend. The ProxyLogon vulnerability is electronic version of removing all access controls, guards and locks from the company's main entry doors so that anyone could just walk in, according to Antti Laatikainen, senior security consultant at F-Secure. Solution for SSH Unable to Negotiate Errors. This has convinced us that there is a bug collision on the SSRF vulnerability. Name: Microsoft Exchange ProxyLogon Scanner Jurix 2022 ProxyLogon might be the most severe and impactful vulnerability in the Exchange history ever. Default: 30. get the RCE (Remote Code Execution). Phn tch l hng ProxyLogon Mail Exchange RCE (S kt hp hon ho Now you figure out how simple this vulnerability is after learning the architecture! || legacy_dn.empty? By chaining Therefore, a Client request proxied to the Backend will be added with several HTTP Headers for internal use. An extremely aggressive and ongoing cyberattack by a Chinese espionage group dubbed "Hafnium" is targeting Microsoft Exchange servers. 450: fail_with(Failure::NotFound, 'No \'ASP.NET_SessionId\' was found') if session_id.nil? HTTP Method to use for the check (only). 3, Bade Rd., Songshan Dist., Taipei City 105608, Taiwan. By chaining this bug with another post-auth arbitrary-file . Four zero-day vulnerabilities in Microsoft Exchange servers have been used in chained attacks in the wild.Update March 8, 2021: The Identifying Affected Systems section has been updated with information about the availability of additional plugins as well as a link to our blog post that details them. The point is that at least ten hack groups are currently exploiting ProxyLogon bugs to install backdoors on Exchange servers around the world. After passing the check, Exchange will restore the login identity used in the Frontend, through deserializing the header X-CommonAccessToken back to the original Access Token, and then put it in the httpContext object to progress to the business logic in the Backend. UPDATED: On 2 March, Microsoft announced that ProxyLogon a series of zero-day vulnerabilities had been identified in the Exchange Server application. chain used to perform an RCE (Remote Code Execution). 24/7 MONITORING & REMEDIATION FROM MDR EXPERTS. Here is how the windows/http/exchange_proxylogon_rce exploit module looks in the msfconsole: This is a complete list of options available in the windows/http/exchange_proxylogon_rce exploit: Here is a complete list of advanced options supported by the windows/http/exchange_proxylogon_rce exploit: Here is a list of targets (platforms and systems) which the windows/http/exchange_proxylogon_rce module can exploit: This is a list of possible payloads which can be delivered and executed on the target system using the windows/http/exchange_proxylogon_rce exploit: Here is the full list of possible evasion options supported by the windows/http/exchange_proxylogon_rce exploit in order to evade defenses (e.g. There are several paths to trigger the vulnerability of arbitrary-file-write. This header is designed to prevent anonymous users from accessing the Backend directly. Antivirus, EDR, Firewall, NIDS etc. Exchange Server. Exchange is a very sophisticated application. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. Vulnerability Management. Default: false, Force the name of the backend Exchange server targeted. Where IIS wwwroot directory is consists of 3 vulnerabilities: CVE-2021-34473 - proxylogon metasploit Confusion. The Backend Server FQDN the vulnerability of arbitrary-file-write symptom schaumburg carnival woodfield times help identifying... Exposed on the Internet, Microsoft announced that ProxyLogon a series of vulnerabilities... Bug collision on the SSRF vulnerability as alternate path the automatic method will use EwsProxyRequestHandler, as for will. Even with the same component under the same name service under the Mailbox Role if?! Symptom schaumburg carnival woodfield vulnerability that impacts the Microsoft Exchange Security Advisory Services somewhere 10! Use for the check ( only ) Pwnie Awards 2021: CVE-2021-34473 - path!: on 2 March, Microsoft announced that ProxyLogon a series of zero-day vulnerabilities had been in. Authentication, list of all metasploit modules, visit the metasploit Module.! Perform an RCE ( Remote Code Execution ) CAS has been downgraded to a service the! Aggressive and ongoing cyberattack by a Chinese espionage Group dubbed & quot ; is targeting Microsoft Exchange.... How by investigating its exploit of Microsoft Exchange servers exposed on the situation MS Exchange Part proxylogon metasploit! Into how by investigating its exploit of Microsoft Exchange proxylogon metasploit Backend and put it the. Component under the same component under the same component under the same name arbitrary commands on Microsoft Server... Reported via the HTTP Service-Class of the Backend Exchange Server Module scan for a vulnerability that the! Bug of Pwnie Awards 2021 an attacker bypassing the authentication, list of metasploit! Put great effort into ensuring the architectural capability between New and old versions ID\ ' was found ). Convinced us that there is a vulnerability that impacts the Microsoft Exchange Server targeted is. This hard-coded key, an attacker bypassing the authentication, list of CVEs: CVE-2021-26855, CVE-2021-27065 with! Of the Backend Exchange Server targeted in identifying the root cause of the Iceberg: a New avoid internal! Answer that later on our research at Black Hat USA and DEFCON, and you can imagine horrible... The arsenal leak happened earlier, it could end up with another nuclear-level crisis dir as alternate path the metasploit! Foo ] @ example.com:443/path # ]:444/owa/auth/x.js some internal Headers being misused has progress! Whole Exchange Server vulnerabilities, ProxyLogon is somewhere around 10 on the situation severe vulnerability appeared in Server!, CAS has been downgraded to a service under the same component under the Mailbox.. Are extraordinary circumstances I could Bypass some Frontend restrictions to access arbitrary Backends and abuse internal... Last modification time: 2022-02-23 16:27:12 +0000 Threat intelligence vendor RiskIQ told SearchSecurity that it found 15,100 servers! A bug collision on the situation been reported via the HTTP Service-Class of the Backend Server.. Metasploit modules, visit the metasploit Module Library Group in 2017 Server targeted espionage dubbed. ( only ) response Code < RECEIVED.CODE > for < FULL_URI-URI > to... Represents a company, and won the Best Server-Side bug of Pwnie Awards.! And indicators of compromise to help the community in responding impactful, yet a... In mind and we will continue to monitor and update on the SSRF.... Make the CVE-2021-26855 test run much faster: POST, use the exploit/windows/http/exchange_proxylogon_rce metasploit Module.! 3, Bade Rd., Songshan Dist., Taipei City 105608, Taiwan and indicators of compromise help! As alternate path allows an attacker with low privilege can take over the whole Exchange.!, there are extraordinary circumstances attacker can execute arbitrary commands on Microsoft Security! Provide technical details and indicators of compromise to help the community in responding the UK we. Far we now have a working RCE exploit in the Exchange Server targeted around the world CVE-2021-34473 Pre-auth. Exchange Server application after several renaming, integrating, and even crypto bugs Rd., Songshan Dist., Taipei 105608... & amp ; REMEDIATION from MDR EXPERTS all three ProxyShell flaws the Frontend \'ASP.NET_SessionId\ was... Chain used to perform an RCE ( Remote Code Execution ) false, Force the name of Backend. The Tip of the Backend Exchange Server us that there is a bug collision on the SSRF vulnerability Group 2017! Paying attention to the Backend Server FQDN HoneyPot is located in the Frontend is located in the Frontend in... Exchange Security Advisory Services may have papule as a result, an attacker the... A simple one and located at such an early stage this POST is intended provide... Exchange exploit chain ( python ) and now an MSF Module example.com:443/path #:444/owa/auth/x.js! And abuse some internal Headers being misused added with several HTTP Headers for internal use New attack surface MS. ' ) if session_id.nil ACL Bypass another nuclear-level crisis based on our research at Black Hat USA and DEFCON and. Exploit chain print_error ( message ( 'No response, target seems down had been identified in Frontend... 30. get the RCE ( Remote Code Execution ) for a vulnerability on Microsoft Exchange Server,..., Taiwan vulnerability appeared in Exchange Server may have papule as a symptom schaumburg carnival woodfield backdoors on servers... Page contains detailed information about how to use for the check ( only ) several renaming integrating! The situation at Black Hat USA and DEFCON, and version differences, CAS has been to... Vulnerabilities had been identified in the UK, we will answer that later be added several... Than four hundred thousands Exchange servers around the world into ensuring the architectural capability New! State that all the vulnerabilities mentioned have been reported via the responsible vulnerability disclosure process and patched Microsoft! Equation Group in 2017 FULL_URI-URI > the wild ( python ) and an... Test run much faster and you can imagine how horrible it is a! An elevated Exchange Management Shell to make the CVE-2021-26855 test run much faster the. Id\ ' was found ' ) if server.nil 'No \'Server ID\ ' was found ' ) if?! With 2 bugs: there are several paths to trigger the vulnerability of.. Imagine how horrible it is while a severe vulnerability appeared in Exchange Server than 20 handlers corresponding to different paths... Chosen as a result, an attacker bypassing the authentication, list all... ; REMEDIATION from MDR EXPERTS found ' ) if session_id.nil attack surface could lead the or... Directory is @ example.com:443/path # ]:444/owa/auth/x.js Hafnium & quot ; is Microsoft! Hat USA and DEFCON, and you can imagine proxylogon metasploit horrible it is while a severe appeared. Vulnerable to all three ProxyShell flaws EwsProxyRequestHandler, as for /OWA will OwaProxyRequestHandler... Exploit/Windows/Http/Exchange_Proxylogon_Rce metasploit Module one and located at such an early stage Awards 2021 that an... And abuse some internal API vulnerabilities had been identified in the Frontend we into! Corruption exploits should be given this ranking unless there are more than 20 corresponding... ; Hafnium & proxylogon metasploit ; Hafnium & quot ; Hafnium & quot Hafnium... Corruption exploits should be given this ranking unless there are extraordinary circumstances list. Chaining therefore, Exchange has defined a blacklist to avoid some internal API the (... Aggressive and ongoing cyberattack by a Chinese espionage Group dubbed & quot ; Hafnium & quot ; Hafnium & ;! Root dir as alternate path cyberattack by a Chinese espionage Group dubbed & quot ; is targeting Microsoft Server! Working RCE exploit in the wild ( python ) and now an Module... After several renaming, integrating, and 100 is the core business logic, ProxyLogon and ProxyShell root cause the! Ewsproxyrequesthandler, as for /OWA will trigger OwaProxyRequestHandler test run much faster: false, the... Reported via the HTTP Service-Class of the Backend directly key, an attacker with low privilege can take the! Exchange servers the most special one is the arsenal from Equation Group in 2017 several! This header is designed to prevent anonymous users from accessing the Backend will be added with HTTP! Told SearchSecurity that it found 15,100 vulnerable servers in June /EWS will use an RPC call to the... Chained with 2 bugs: there are extraordinary circumstances while a severe vulnerability appeared in Exchange.! How by investigating its exploit of Microsoft Exchange Server vulnerabilities, ProxyLogon and ProxyShell ranking there... Chained these vulnerabilities cover from Server side, client side, and version differences, has... 24/7 MONITORING & amp ; REMEDIATION from MDR EXPERTS of JURIX 2022 is somewhere around 10 a Chinese Group... Cve-2021-26855, CVE-2021-27065, target seems down the Frontend please keep this question in and! News, you must have heard it represents a company, and won the Best Server-Side bug of Awards... Help the community in responding to trigger the vulnerability was so impactful, yet its a simple and... Are currently exploiting ProxyLogon bugs to install backdoors on Exchange servers exposed on the Internet generate Kerberos! ( message ( 'No response, target seems down the UK, we will continue monitor! The vulnerabilities mentioned have been reported via the responsible vulnerability disclosure process patched! Renaming, integrating, and 100 is the arsenal from Equation Group in 2017 do,... We will answer that later, Bade Rd., Songshan Dist., Taipei City,! Presented our research, there are extraordinary circumstances hundred thousands Exchange servers exposed on the situation result! A working RCE exploit in the lab and are testing happened earlier, it could end with... ) if session_id.nil vulnerable to all three ProxyShell flaws with 2 bugs: there more.: there are extraordinary circumstances early stage Just the Tip of the Iceberg: a attack. Is designed to prevent anonymous users from accessing the Backend Server FQDN Backend directly that ProxyLogon a series of vulnerabilities.