Items related to messaging services with a focus on Exchange Online (EXO) and Exchange server (on-premises)
Today Exchange 2013 reaches the end of the road and it will transition out of extended support. Hopefully everyone has migrated to a newer version and/or Office 365. But experience tells me that will not be the case.
Hopefully no one will have Exchange 2013 published to the Internet either, but again experience says otherwise…
Please note that Microsoft will not provide technical support, time zon… Read the rest “End of Exchange 2013 Support”
Azure AD Self Service Password Reset (SSPR) has the ability to restrict which group of users are able to perform SSPR tasks. It is a slightly limited administrator control as only a single group can be selected. Azure AD administrator roles are able to perform SSPR even if they are not in scope of the selected group.
They typical user experience is that the person goes to https://aka.ms/SSPR and … Read the rest “Out of SSPR Scope User Experience”
A common issue when deploying Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO) with on-premises Exchange is making Exchange aware of the EOP spam filtering. This is because EOP uses slightly different logic to stamp the spam results etc. into the message. Exchange Server needs to be aware of this so that it can take action upon those settings.
Active Directory synchronization was designed not just to move objects from on-premises AD to Azure AD, but to give administrators precise control over how identities were matched, transformed, and filtered. This is not a new thing. It dates back to very early days of Microsoft cloud hosted email, both commercial and educational orientated. Azure AD Connect evolved from earlier solutions such as… Read the rest “Azure AD Connect Sync Options”
Self Service Password Reset (SSPR) in Microsoft Entra ID is one of those features that often goes unnoticed until it is urgently needed. It gives end users the ability to securely reset or unlock their account without calling the helpdesk, while administrators benefit from reduced support costs and improved security posture. Ideally users will have to use MFA to perform SSPR. This means that lame… Read the rest “SSPR Screenshots – December 2022”
The November 8, 2022 and later Windows updates address a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation.
This update will set AES as the default encryption type for session keys on accounts that are not marked with a default encryption type already.
To help secure your environment, install the Windows update that is dated … Read the rest “Kerberos Issues November 2022”
Extended Protection (EP) was added to Windows back in 2009 as a new security feature. This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA).
The update itself does not directly provide protection against specific attacks such as credential forwarding, but allows applications to opt-in to Extended Protect… Read the rest “Updated Guidance On Exchange Server Extended Protection”
There was a time when every obscure error code, undocumented quirk, and tricky deployment scenario in the Microsoft ecosystem had an answer, and more often than not you would find it on the MSDN or TechNet blogs. Written by Microsoft engineers, product teams, and MVPs who lived and breathed the technology, these posts were not marketing gloss. They were raw, detailed, and practical. The kind of c… Read the rest “Why Can’t I Search For Content In TechNet and MSDN Blogs?”
There are a multitude of online tools that help diagnose issues with various mail services, but understanding what these tools actually check is valuable. One example is around manually checking published DomainKeys Identified Mail (DKIM) records. DKIM is described in RFC 4871. As an interesting piece of history DKIM went through a previous iteration "Domain-Based Email Authentication Using Pub… Read the rest “How to Use NsLookup To Check DKIM Record”
Extended Protection uses service binding and channel binding to help prevent an authentication relay attack. In an authentication relay attack, a client that can perform NTLM authentication (for example, Windows Explorer, Microsoft Outlook, a .NET SqlClient application, etc.), connects to an attacker (for example, a malicious CIFS file server). The attacker uses the client's credentials to masquer… Read the rest “Exchange Server Extended Protection”