250 Hello - Exchange 2019

0

Updated Guidance On Exchange Server Extended Protection

Posted on 31st October 2022 by Rhoderick Milne [MSFT]

Extended Protection is set to Required on the OAB vDIR

Extended Protection (EP) was added to Windows back in 2009 as a new security feature. This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA).

The update itself does not directly provide protection against specific attacks such as credential forwarding, but allows applications to opt-in to Extended Protect… Read the rest “Updated Guidance On Exchange Server Extended Protection”

2

Exchange Server Extended Protection

Posted on 31st August 2022 by Rhoderick Milne [MSFT]

Extended Protection uses service binding and channel binding to help prevent an authentication relay attack. In an authentication relay attack, a client that can perform NTLM authentication (for example, Windows Explorer, Microsoft Outlook, a .NET SqlClient application, etc.), connects to an attacker (for example, a malicious CIFS file server). The attacker uses the client's credentials to masquer… Read the rest “Exchange Server Extended Protection”

0

Remediate Exchange Security CVE-2022-21978

Posted on 12th August 2022 by Rhoderick Milne [MSFT]

The May 2022 security update for Exchange Server 2013, 2016 and 2019 resolved CVE-2022-21978. A common issue is that admins are only doing part of the work to address this CVE. Yes they are installing the update, but are not reading the rest of the documentation which states that an additional command must be run.

The FAQ states:

Do I need to take further steps to be protected from this vulnerabil… Read the rest “Remediate Exchange Security CVE-2022-21978”

5

Implementing Exchange DownloadDomain Security

Posted on 20th July 2022 by Rhoderick Milne [MSFT]

In the field, I’m seeing multiple customers that are struggling to implement the DownloadDomain feature. It does require a little prep work and it is not as simple as just running a single command in Exchange to flip the setting on.

In order to mitigate and issue with OWA, it is necessary to create an additional CAS namespace that will be used for downloading attachments from OWA. This will requir… Read the rest “Implementing Exchange DownloadDomain Security”

2

Exchange 2019 Point of No Return

Posted on 12th July 2022 by Rhoderick Milne [MSFT]

Exchange 2019 PrepareAD - The Point of No Return

When designing an upgrade strategy from an older version of Exchange to a newer one, a question that needs to be addressed is do we need to introduce a version of Exchange that may not currently be present? This may be when upgrading from Exchange 2013 to Exchange 2019. If that organisation currently does not have any Exchange 2016 servers, you need to evaluate if there may be a future requireme… Read the rest “Exchange 2019 Point of No Return”

4

Exchange 2019 CU12 Released

Posted on 20th April 2022 by Rhoderick Milne [MSFT]

Exchange 2019 CU12 has been released to the Microsoft Volume Licensing Center and the public Microsoft Download site! Exchange 2019 has a different servicing strategy than Exchange 2007/2010 and utilises Cumulative Updates (CUs) rather than the Rollup Updates (RU/UR) which were used previously. CUs are a complete installation of Exchange 2019 and can be used to install a fresh server or to upd… Read the rest “Exchange 2019 CU12 Released”

0

Exchange Autodiscover Publishing Blocked By L7 Load Balancer

Posted on 22nd February 2022 by Rhoderick Milne [MSFT]

When deploying an Exchange Hybrid configuration, one of the most critical components to publish externally is the Autodiscover service. Autodiscover enables seamless client connectivity and hybrid functionality between on-premises Exchange and Exchange Online, including mailbox moves, free/busy lookups, and Outlook profile configuration. However, publishing Autodiscover to the Internet can become … Read the rest “Exchange Autodiscover Publishing Blocked By L7 Load Balancer”

0

Microsoft Teams Source IP Address Used Connecting to On-Premises Exchange

Posted on 14th February 2022 by Rhoderick Milne [MSFT]

Teams IP Addresses Connecting to Exchange On-Premises

Planning to deploy Office 365 and integrate with your on-premises Exchange infrastructure? Great! While running the Exchange Hybrid Configuration Wizard (HCW) will be one of the highlights it should be a boring and uneventful portion of the project. That will be true if all of the required planning, remediation and preparation was done. If not you’ll be finding out about those issues pretty so… Read the rest “Microsoft Teams Source IP Address Used Connecting to On-Premises Exchange”

0

ASA OOPS – What Happens When It Is Overlooked

Posted on 10th February 2022 by Rhoderick Milne [MSFT]

When deploying or migrating Microsoft Exchange Server, one critical yet often overlooked component is the Alternate Service Account (ASA). The ASA is used by Exchange to support Kerberos authentication for services such as Outlook Anywhere and MAPI over HTTP, providing a secure and efficient alternative to NTLM. Without a properly configured ASA, Exchange falls back to NTLM. NTLM is an older prot… Read the rest “ASA OOPS – What Happens When It Is Overlooked”

0

Change Certificate Friendly Name To Unique Value

Posted on 6th January 2022 by Rhoderick Milne [MSFT]

Imagine that you have two certificates installed, but for whatever reason the same friendly name was used for both of them. You can certainly identity each of them by comparing the valid from/valid to dates or the thumbprint. That adds just a little extra overhead that you may not want to deal with.

As an alternative, you can modify the friendly name to a more suitable value. This allows you to… Read the rest “Change Certificate Friendly Name To Unique Value”