Exchange 2019


Microsoft Issues Security Updates for Exchange On-Premises Servers


Keep on Patching

Fifteen weeks on from the Hafnium fiasco, I hope those responsible for Exchange Server maintenance haven’t forgotten the need to keep their on-premises servers fully patched and up to date. Microsoft has released security updates to address issues including the remote code execution vulnerabilities reported in CVE-2021-34473 and CVE-2021-31206. The updates apply to:

  • Exchange Server 2013 CU23.
  • Exchange Server 2016 CU20 and CU21.
  • Exchange Server 2019 CU9 and CU10.

All servers, including those used for hybrid account management, must be updated.

Obviously, if you haven’t updated Exchange Server to one of the releases listed above, some extra effort is necessary to get to a suitable build before the security update can be installed.

Like taking a second vaccination dose to protect against Covid-19, full protection isn’t assured unless you also apply an Active Directory schema update. If you’re running Exchange 2016 CU21 or Exchange 2019 CU10, you’re already protected. Those running Exchange 2016 CU20 or Exchange 2019 CU9 need to extend the schema using the June 2021 cumulative updates.

For Those Running Exchange 2013

While Exchange 2016 and 2019 received schema updates through cumulative updates, Exchange 2013 was not updated in June 2021. Special processing is therefore needed for Exchange 2013 servers when Exchange 2013 is the latest server version in the organization (if it’s not, the schema updates are done when cumulative updates are applied to Exchange 2016 or 2019).

  • Go ahead and install the security update for Exchange 2013 CU23. This copies updated schema files onto the server but does not apply them to Active Directory; Microsoft uses the security update to distribute the schema files in the absence of a cumulative update.
  • When you’re ready to extend the schema, run Setup.exe from the V15\Bin folder with the /PrepareSchema switch. Setup uses the updated schema files left by the security update to apply the changes to Active Directory.

As always, apply Exchange Server updates from an elevated prompt using an account with the necessary administrator permissions (Schema Admins and Enterprise Admins for the schema extension). Microsoft has documented that installing a security update without elevation can leave some files un-updated and break OWA and ECP, so check the installed build afterwards.
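The checks that go with the procedure above, as an added PowerShell example (not code from the Practical365 article or from Microsoft): it reads the installed Exchange build from ExSetup.exe, reads rangeUpper on ms-Exch-Schema-Version-Pt from Active Directory, and runs Setup /PrepareSchema when the schema is behind. The expected rangeUpper values for Exchange 2016 CU21 and Exchange 2019 CU10 are assumptions to confirm against Microsoft's Exchange schema version table; Exchange 2013 administrators supply the value Microsoft lists for the July 2021 update via -RequiredSchema.

```powershell
# Added example, not from the article or Microsoft. Run in an elevated Exchange
# Management Shell on the Exchange server (Schema Admins + Enterprise Admins are
# needed for the PrepareSchema step).

function Get-ExchangeSetupVersion {
    # ExSetup.exe carries the build of the installed CU plus SU; Get-ExchangeServer's
    # AdminDisplayVersion stops at the CU and hides whether the SU is installed.
    $exSetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
    (Get-Item $exSetup).VersionInfo.ProductVersion
}

function Get-ExchangeSchemaVersion {
    # rangeUpper on ms-Exch-Schema-Version-Pt is the value Microsoft's schema table
    # tracks per CU/SU; compare it with the value listed for your target build.
    $schemaNC = ([ADSI]'LDAP://RootDSE').schemaNamingContext
    $attr = [ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNC"
    [int]$attr.rangeUpper.Value
}

# Assumed reference values; confirm against Microsoft's Exchange schema version table.
$assumedRequiredSchema = @{
    'Exchange 2016 CU21' = 15334
    'Exchange 2019 CU10' = 17003
}

function Test-ExchangeSchemaCurrent {
    param([Parameter(Mandatory)][int]$RequiredSchema)
    $current = Get-ExchangeSchemaVersion
    [pscustomobject]@{
        SetupVersion   = Get-ExchangeSetupVersion
        SchemaVersion  = $current
        RequiredSchema = $RequiredSchema
        SchemaCurrent  = ($current -ge $RequiredSchema)
    }
}

function Invoke-PrepareSchema {
    # Applies the schema files already on disk under V15\Bin (dropped by the CU, or by
    # the Exchange 2013 security update) to Active Directory.
    $setup = Join-Path $env:ExchangeInstallPath 'Bin\Setup.exe'
    & $setup /PrepareSchema /IAcceptExchangeServerLicenseTerms
}

$status = Test-ExchangeSchemaCurrent -RequiredSchema $assumedRequiredSchema['Exchange 2019 CU10']
$status | Format-List
if (-not $status.SchemaCurrent) { Invoke-PrepareSchema }
```

Run the version check again after Setup finishes; PrepareSchema must be run once per forest, from a server in the same site as the schema master, and the change needs time to replicate before other Exchange servers see it.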

Block the Attackers

One of the lessons we learned from Hafnium is how quickly attackers exploit newly disclosed weaknesses in on-premises servers. The imperative is for administrators to stay on top of problems by installing security updates as soon as possible after Microsoft releases them. If you don’t, your servers might be on the target list for the next attack, and that wouldn’t be nice.

Source Practical365


Microsoft Exchange Server Gets Patches for New Vulnerabilities


Microsoft Exchange Server has been the talk of the cybersecurity world during the first months of 2021. A major vulnerability allowed state-sponsored threat actors to breach the servers of tens of thousands of customers. Microsoft has now released a new set of security patches for Exchange Server.

This latest release tackles new Remote Code Execution (RCE) flaws in the platform. Microsoft is warning customers to update their Exchange Server as quickly as possible, although no exploitation of these vulnerabilities has been observed in the wild. The company was told of the vulnerabilities by the National Security Agency (NSA).

Microsoft Exchange Server remains under attack through the vulnerabilities first exploited by the HAFNIUM group, and more threat groups have since picked up the same exploit chain. Microsoft has issued patches for all affected versions of the product, including those that are out of support.

Microsoft says updating Exchange Server is the best way to avoid the exploit. Furthermore, the company has launched a tool to help customers know if they have been breached.

These security updates are specifically for Microsoft Exchange Server 2013 CU23, Exchange Server 2016 CU19/CU20, and Exchange Server 2019 CU8/CU9. If you don’t run any of those cumulative updates, you should update to those versions first. Once you have, the latest patches can be applied and Exchange Server should be protected against the old vulnerabilities and the new ones.

Tackling the Ongoing Problem

The attacks on Microsoft Exchange Server customers are ongoing, although more organizations are now patching. Many businesses may already have been compromised, and the FBI is now acting against these intrusions.

In a statement this week, the Department of Justice confirmed the FBI has the authorization to remove web shells on compromised servers if they are related to the exploit. While that’s a nice backup for organizations, it is worrying that the FBI can do this without the customer knowing.

“Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated,” the department said.

“This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to US networks.”

Tip of the day:

With many reachable wireless access points popping up and disappearing again, the available networks list can become quite annoying. If needed you can use the allowed and blocked filter list of Windows 10 to block certain WiFi networks or all unknown WiFi networks.

Source Winbuzzer


Microsoft Exchange Server Attacks Get White House Taskforce Response


As we reported yesterday, Microsoft Exchange Server is in the midst of an attack through an exploit first used by the HAFNIUM group. In response to the ongoing problem, President Joe Biden is now launching an emergency taskforce to manage the massive attack.

By exploiting the flaws to gain remote access to Exchange Server, threat actors can read the contents of email accounts. 30,000 organizations have already been impacted. All the critical vulnerabilities are found in Exchange Server 2019, 2016, and 2013; only Exchange Online has escaped the flaw.

The vulnerabilities are as follows:

  • CVE-2021-26855: CVSS 9.1 (pre-authentication server-side request forgery; the entry point of the chain)
  • CVE-2021-26857: CVSS 7.8 (insecure deserialization in the Unified Messaging service, giving code execution as SYSTEM)
  • CVE-2021-26858: CVSS 7.8 (post-authentication arbitrary file write)
  • CVE-2021-27065: CVSS 7.8 (post-authentication arbitrary file write)

Following the Cybersecurity and Infrastructure Security Agency (CISA) issuing a warning on Saturday, the Biden administration is also getting involved. White House press secretary Jen Psaki says the attack is “a significant vulnerability that could have far-reaching impacts.”

“First and foremost, this is an active threat,” she said. “We are concerned that there are a large number of victims and are working with our partners to understand the scope of this.”


The message from CISA, the White House, and Microsoft is clear: Exchange Server customers must install the patches Microsoft has already released. Patching closes the holes but does not remove anything an attacker has already dropped on the server, so customers should also scan their servers to check that they have not already been exploited.

For those in that bracket, Microsoft yesterday launched a tool to help see if their Exchange Server is compromised.

Specifically, an update to its free Exchange Server Indicators of Compromise tool lets administrators scan server logs for signs of exploitation. Microsoft and security researchers say the best way to mitigate the exploit is to ensure Exchange Server installations are up to date.

“These vulnerabilities are used as part of an attack chain,” Microsoft says. “The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.”
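As an added PowerShell example (not Microsoft's IOC tool mentioned above, and not code from the article), this is the HttpProxy log check a practitioner would run. It searches for the CVE-2021-26855 indicator Microsoft published, an unauthenticated request whose AnchorMailbox value starts with ServerInfo~ and contains a slash, and lists recently created .aspx files in the directories Microsoft named as common web shell drop locations. The log lines are constructed in the HttpProxy column layout, cut down to the columns the check uses; the IP addresses, host name and 30-day window are assumptions.

```powershell
# Added example, not Microsoft's tool or the article's code. Sample rows, addresses
# and the 30-day window are constructed / assumed.

function Import-HttpProxyLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Exchange logs may carry "#Software", "#Log-type" and "#Fields" comment lines ahead
    # of the CSV rows; take the header from "#Fields:" when present, else from line 1.
    $fieldsLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if ($fieldsLine) {
        $header = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
        $rows   = $Lines | Where-Object { $_ -and -not $_.StartsWith('#') }
    } else {
        $header = $Lines[0] -split ','
        $rows   = $Lines | Select-Object -Skip 1 | Where-Object { $_ }
    }
    $rows | ConvertFrom-Csv -Header $header
}

function Find-ProxyLogonIndicators {
    # Microsoft's published CVE-2021-26855 indicator: no authenticated user, and an
    # AnchorMailbox of the form ServerInfo~<host>/<path> (the SSRF target).
    param([Parameter(Mandatory)][object[]]$Entries)
    $Entries | Where-Object {
        [string]::IsNullOrEmpty($_.AuthenticatedUser) -and
        $_.AnchorMailbox -like 'ServerInfo~*/*'
    } | Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox, HttpStatus
}

function Find-RecentAspxDrops {
    # Directories Microsoft listed as common web shell locations for these attacks.
    param([datetime]$Since = (Get-Date).AddDays(-30))
    $dirs = @('C:\inetpub\wwwroot\aspnet_client')
    if ($env:ExchangeInstallPath) {
        $dirs += Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\auth'
    }
    $dirs = @($dirs | Where-Object { Test-Path $_ })
    if (-not $dirs) { return }
    Get-ChildItem -Path $dirs -Recurse -Filter '*.aspx' -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTimeUtc -ge $Since } |
        Select-Object FullName, CreationTimeUtc, Length
}

# Constructed sample in the HttpProxy layout, reduced to the columns used here:
# a normal authenticated OWA request, then one carrying the SSRF indicator.
$sample = @'
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-02T10:01:07.123Z,/owa/,contoso\alice,Sid~S-1-5-21-1-2-3-1104,10.0.0.25,200
2021-03-02T10:03:41.981Z,/ecp/y.js,,ServerInfo~a]@exch01.contoso.local:444/autodiscover/autodiscover.xml?#,203.0.113.7,200
'@ -split "`r?`n"

Find-ProxyLogonIndicators -Entries (Import-HttpProxyLog -Lines $sample) | Format-Table -AutoSize

# On a real server, feed every HttpProxy log instead of the sample:
# $logRoot = Join-Path $env:ExchangeInstallPath 'Logging\HttpProxy'
# $entries = Get-ChildItem $logRoot -Recurse -Filter '*.log' |
#            ForEach-Object { Import-HttpProxyLog -Lines (Get-Content $_.FullName) }
# Find-ProxyLogonIndicators -Entries $entries
# Find-RecentAspxDrops
```

A hit on the first check means the SSRF was at least attempted against that server; treat a hit on the second (an .aspx file nobody installed) as a confirmed compromise and move to incident response rather than just patching, since the patch does not remove the shell.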


Source Winbuzzer


Microsoft Exchange Online Users to Be Throttled When Reaching Upper Mail Limit


Microsoft says it is going to take a stricter position on the number of emails that Microsoft Exchange Online can accept. The company’s email hosting service, which underpins the Outlook experience, will start enforcing its upper limit for messages received starting this April.

It is worth noting that Exchange Online has always had such an upper limit: a cap on the number of messages a single mailbox can receive per hour. In practice it only affects so-called “hot recipients”, mailboxes that receive thousands of emails each hour.

That upper limit is 3,600 messages per hour, but Microsoft has never really enforced it strictly; recipients were receiving more than the limit without Microsoft stopping the mail. The company now says that will change.

In an effort to optimize Exchange performance across inboxes and deliver a unified capacity, the company will start enforcing that 3,600 emails per hour limit. According to Microsoft, mailboxes that pass this limit often see service disruptions for themselves and others.

New Method

To prevent this, Microsoft will throttle mailboxes that receive more than the upper limit: once a mailbox has passed 3,600 messages in an hour, further messages to it are rejected and the sender gets a non-delivery report. Because the limit is hourly, the counter resets automatically each hour.

The company says the change applies to the following products:

  • Microsoft 365 Business Basic
  • Microsoft 365 Business Standard
  • Office 365 Enterprise E1
  • Office 365 Enterprise E3
  • Office 365 Enterprise E5
  • Office 365 Enterprise F3

Microsoft’s new throttle will come into action this April. The company says admins should watch the volume of mail arriving across their mailboxes, especially where there are hot recipients.

To ease customers into the change, Microsoft will start enforcing at a threshold above 3,600 and gradually lower it to help organizations adapt.
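As an added PowerShell example (not from the article or Microsoft), this is how an admin could find mailboxes that are approaching the 3,600 messages per hour received limit before the NDRs start. Get-MessageTrace is the Exchange Online cmdlet it relies on; the constructed sample rows, the 80% warning threshold and the addresses are assumptions.

```powershell
# Added example, not from the article or Microsoft. Requires Connect-ExchangeOnline.
# Get-MessageTrace only reaches back 10 days and returns at most 5,000 rows per page,
# hence the paging loop. Message trace counts deliveries per recipient, a close stand-in
# for the per-mailbox "messages received" counter the limit applies to.

function Get-MessageTraceRows {
    param(
        [datetime]$Start = (Get-Date).AddHours(-24),
        [datetime]$End   = (Get-Date)
    )
    $page = 1
    do {
        $batch = @(Get-MessageTrace -StartDate $Start -EndDate $End -PageSize 5000 -Page $page)
        $batch
        $page++
    } while ($batch.Count -eq 5000)
}

function ConvertTo-HourlyCounts {
    # Groups trace rows by recipient and by the UTC hour in which each message arrived.
    param([Parameter(Mandatory)][object[]]$Trace)
    $Trace |
        Group-Object { '{0}|{1:yyyy-MM-dd HH}:00' -f $_.RecipientAddress.ToLower(), $_.Received.ToUniversalTime() } |
        ForEach-Object {
            $recipient, $hour = $_.Name -split '\|', 2
            [pscustomobject]@{ Recipient = $recipient; HourUtc = $hour; Messages = $_.Count }
        }
}

function Find-HotRecipients {
    # Returns recipient-hours at or above WarnFraction of the limit, highest first.
    param(
        [Parameter(Mandatory)][object[]]$HourlyCounts,
        [int]$Limit = 3600,            # the Exchange Online received-messages limit
        [double]$WarnFraction = 0.8    # assumed warning threshold (80% of the limit)
    )
    $HourlyCounts |
        Where-Object { $_.Messages -ge [int]($Limit * $WarnFraction) } |
        Sort-Object Messages -Descending |
        Select-Object Recipient, HourUtc, Messages,
            @{ n = 'PercentOfLimit'; e = { [math]::Round(100 * $_.Messages / $Limit, 1) } }
}

# Constructed stand-in for Get-MessageTrace output: alerts@ receives 3,100 messages
# inside one hour, bob@ receives 40 in the same hour.
$t0 = [datetime]::Parse('2021-04-01T09:00:00Z').ToUniversalTime()
$constructedTrace = @(
    foreach ($i in 1..3100) {
        [pscustomobject]@{ RecipientAddress = 'alerts@contoso.com'; Received = $t0.AddSeconds($i) }
    }
    foreach ($i in 1..40) {
        [pscustomobject]@{ RecipientAddress = 'bob@contoso.com'; Received = $t0.AddMinutes($i) }
    }
)

$hourly = ConvertTo-HourlyCounts -Trace $constructedTrace
Find-HotRecipients -HourlyCounts $hourly | Format-Table -AutoSize

# Live tenant: Find-HotRecipients -HourlyCounts (ConvertTo-HourlyCounts -Trace (Get-MessageTraceRows))
```

Shared mailboxes fed by monitoring systems and ticketing tools are the usual hot recipients; the fix is to fan such traffic out to several mailboxes or to a non-mailbox endpoint rather than to request a higher limit.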


Source Winbuzzer


Security updates released for Exchange and SharePoint Servers 2010 to 2019


Microsoft recently released several security updates for Exchange Server and SharePoint Server to fix reported vulnerabilities in all recent versions of both products, including Exchange Server 2010, which left extended support in October and was supposedly never to receive security patches again.

The fact that Microsoft patched an out-of-support product should indicate the severity of the issues discovered. Although little has been published so far, Steven Seeley from Source Incite, who identified the vulnerability and reported it to Microsoft, explained that the flaw allows an attacker with low-privilege credentials (for example, an ordinary user mailbox) to elevate to the SYSTEM account on the Exchange Server and retrieve information.

The vulnerabilities are not limited to one type either – and affect Exchange Web Services on Exchange 2016 and 2019, and the way information is retrieved via XML for OWA for Exchange 2013, 2016, and 2019.

SharePoint Server 2010 to 2019, which is less frequently installed on-premises but still a target, has a similar XML-based vulnerability, found by the same researcher.

Less information is available about the Exchange Server 2010 issue, which appears to be exploitable through the Exchange Management Shell: according to Microsoft, an authenticated user can trigger it via cmdlet arguments. Most importantly, Microsoft considered it serious enough to release a new update rollup for an unsupported product.

Exchange Server Patches

Download updates for Exchange Server below. You’ll find links to the relevant CVEs on each page.

  • Description of the security update for Microsoft Exchange Server 2010 Service Pack 3: December 8, 2020
  • Description of the security update for Microsoft Exchange Server 2013: December 8, 2020
  • Description of the security update for Microsoft Exchange Server 2019 and 2016: December 8, 2020

SharePoint Server Patches

Finally, you’ll find links to updates for SharePoint Foundation and SharePoint Server below, again alongside the relevant CVEs.

  • Description of the security update for SharePoint Foundation 2010: December 8, 2020
  • Description of the security update for SharePoint Foundation 2013: December 8, 2020
  • Description of the security update for SharePoint Enterprise Server 2016: December 8, 2020
  • Description of the security update for SharePoint Server 2019: December 8, 2020


Source Practical365


Switching off legacy authentication for Exchange Online


Leaving legacy authentication enabled in your Microsoft 365 tenant should be avoided; however, disabling it has traditionally been difficult, because unless you already have a good understanding of your clients, switching it off risks breaking them.

Recent improvements to Exchange Online make this simple to configure, and you can now retrieve the information you need to identify potential clients that might be affected.

In this article, we will walk through the process to identify clients using legacy authentication, then utilize the new functionality available to Exchange Online to disable legacy auth for selected protocols.

Reviewing legacy sign-ins to Exchange Online

Before disabling legacy authentication for Exchange Online, it is essential to ensure that clients won’t be affected or prevented from signing in, or if they will, gather enough information so that you can inform people who will be impacted.

You can do this in the Azure Active Directory portal by reviewing sign-in logs using dedicated capabilities to filter based on legacy authentication. To do this, navigate to the Azure AD portal and then select Sign-ins under Monitoring.


In this section, you will see all sign-in attempts to Azure AD, including sign-in to all Microsoft 365 services from all your clients. We’ll first make sure the information we need is clearly displayed by adjusting the columns displayed by adding client app, as shown below:


Next, we’ll use Add filters to add a filter based on client app:


The filter for client app will allow us to reduce the list shown to only relevant clients. To do this, expand the filter and from the drop-down list only select the protocols listed under Legacy authentication clients:


This list is likely to show both successful and unsuccessful sign-ins. Whilst unsuccessful sign-ins are a concern (they are often password-spray attempts against basic authentication), we will focus on successful sign-ins to gain insight into what should be real sign-ins from our users. We’ll do this by using Add filters to add a filter based on Status:


We’ll then change the filter for Status to only show results that are a Success:


You will then see what may be a long list of sign-ins from legacy authentication clients to Exchange Online. You can expand this using the Date filter to up to one month to gain more insights and use Download to export a list for review.

In the example below, we can see that many users rely on Exchange ActiveSync. Therefore, before disabling this protocol, we’ll need to move them to a modern-authentication capable client such as the Outlook app.


If you examine the list and want to understand which legacy authentication protocols are not in active use and can be disabled immediately, re-open the Client app filter and unselect the protocols shown in your results. By unselecting Exchange ActiveSync, we can then easily see the other protocols in active use:


We will repeat the process by removing other protocols in active usage until no results are shown. In the example below, we have discovered quickly that only Activesync and Exchange Web Services are in use, and there are no sign-ins over the last month from any other clients.


Selectively switching off legacy authentication

After discovering which protocols are not in active use, we are in a position where it becomes low-risk to disable legacy authentication.

Instead of using Exchange Online PowerShell, we can now use the Microsoft 365 admin center to disable legacy authentication for Exchange Online on a protocol-by-protocol basis, affecting all users. To do this, navigate to Settings > Org settings and choose Modern authentication from the services list. On the Modern authentication page, we’ll disable the legacy protocols no longer in use:


You’ll note that in the example above we’ve disabled legacy authentication for IMAP4, POP3, Exchange Online PowerShell, and Autodiscover. For Exchange Online PowerShell, this means you must use either the V2 module or the deprecated V1 module that supports MFA. Disabling legacy authentication for Autodiscover stops additional legacy clients from discovering Exchange Online settings in the first place.

Because we know legacy Activesync is in use in our organization and there is a small amount of active legacy Exchange Web Services usage, we’ll leave these protocols enabled.

Once we are happy with the settings, we’ll choose Save to apply these to all Exchange Online clients.
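The same review-then-disable sequence done with Exchange Online PowerShell authentication policies, as an added example that is not part of the Practical365 article: it tallies successful legacy sign-ins from the exported sign-in list, then builds a New-AuthenticationPolicy call that permits basic authentication only for the protocols still in use and blocks the rest. The export rows are constructed; the column headers (User, Client app, Status), the client-app labels and the policy name are assumptions to check against your own download. Requires Connect-ExchangeOnline.

```powershell
# Added example, not from the article. Requires Connect-ExchangeOnline (EXO V2 module).
# Column headers and client-app labels are assumed to match the Azure AD sign-in
# export; verify them against your own download before relying on the tally.

# Legacy client-app labels (Azure AD sign-in log) -> New-AuthenticationPolicy switch.
$legacyProtocolSwitch = @{
    'Exchange ActiveSync'              = 'AllowBasicAuthActiveSync'
    'Autodiscover'                     = 'AllowBasicAuthAutodiscover'
    'IMAP4'                            = 'AllowBasicAuthImap'
    'POP3'                             = 'AllowBasicAuthPop'
    'Exchange Web Services'            = 'AllowBasicAuthWebServices'
    'MAPI Over HTTP'                   = 'AllowBasicAuthMapi'
    'Offline Address Book'             = 'AllowBasicAuthOfflineAddressBook'
    'Outlook Anywhere (RPC over HTTP)' = 'AllowBasicAuthRpc'
    'Outlook Service'                  = 'AllowBasicAuthOutlookService'
    'Exchange Online PowerShell'       = 'AllowBasicAuthPowershell'
    'Authenticated SMTP'               = 'AllowBasicAuthSmtp'
    'Reporting Web Services'           = 'AllowBasicAuthReportingWebServices'
    'Other clients'                    = $null   # no single switch; investigate individually
}

function Get-LegacyProtocolUsage {
    # Successful legacy sign-ins per client app, with the number of distinct users.
    param([Parameter(Mandatory)][string[]]$CsvLines)
    $CsvLines | ConvertFrom-Csv |
        Where-Object { $_.Status -eq 'Success' -and $legacyProtocolSwitch.ContainsKey([string]$_.'Client app') } |
        Group-Object 'Client app' |
        ForEach-Object {
            [pscustomobject]@{
                ClientApp = $_.Name
                Users     = @($_.Group.User | Sort-Object -Unique).Count
                SignIns   = $_.Count
            }
        }
}

function New-LegacyAuthPolicySplat {
    # Every basic-auth switch explicitly $false except the protocols still in use.
    param([string[]]$ProtocolsStillInUse, [string]$Name = 'Block Basic Auth')   # assumed name
    $splat = @{ Name = $Name }
    foreach ($entry in $legacyProtocolSwitch.GetEnumerator()) {
        if (-not $entry.Value) { continue }
        $splat[$entry.Value] = [bool]($ProtocolsStillInUse -contains $entry.Key)
    }
    $splat
}

# Constructed export: what the portal's Download gives after filtering to legacy
# clients and Status = Success.
$export = @'
"Date (UTC)","User","Client app","Status"
"2021-05-03T08:12:44Z","alice@contoso.com","Exchange ActiveSync","Success"
"2021-05-03T08:40:10Z","bob@contoso.com","Exchange ActiveSync","Success"
"2021-05-04T11:02:31Z","svc-crm@contoso.com","Exchange Web Services","Success"
"2021-05-04T11:05:00Z","alice@contoso.com","Exchange ActiveSync","Success"
'@ -split "`r?`n"

$usage = Get-LegacyProtocolUsage -CsvLines $export
$usage | Format-Table -AutoSize

$policy = New-LegacyAuthPolicySplat -ProtocolsStillInUse $usage.ClientApp
New-AuthenticationPolicy @policy
# Tenant default; Microsoft notes the default can take up to 24 hours to reach existing
# users. Set-User -AuthenticationPolicy assigns the policy to individual users instead.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policy.Name
```

With the constructed export the policy leaves only ActiveSync and Exchange Web Services on basic authentication, matching the admin-center choice described above, and turns everything else off; when the remaining clients have been migrated, rerun the tally and pass an empty list to block all of them.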

Disabling Legacy Authentication for all Exchange Online services

Using our sign-in log information, we will upgrade or reconfigure discovered clients to use modern authentication. After re-running the steps to filter Azure AD sign-ins and confirming we no longer have any active usage of legacy authentication, we’ll re-visit the Microsoft 365 admin center and disable legacy authentication for all Exchange Online protocols:


Further improving security for Microsoft 365 and Exchange Online

Disabling legacy authentication to Exchange Online isn’t a panacea for Microsoft 365 security; it is just one step towards keeping the environment secure from particular threats, such as password spray attacks.

If you have Microsoft 365 E3, Microsoft 365 Business Premium, EMS E3, or Azure AD Premium licenses, you should consider configuring Conditional Access in your environment to selectively require Azure Multi-Factor Authentication, or to allow access only from Intune-enrolled devices, Hybrid Azure AD-joined PCs, or other criteria such as IP address.

If you don’t have Conditional Access available, consider using Azure AD Security Defaults or (if you need it on a per-user basis) Office 365 multi-factor authentication. Azure AD Security Defaults is particularly useful if you want a guided 14-day MFA registration period rather than an immediate cut-over. It also applies MFA to privileged administrative actions in your tenant.

Source Practical365


Microsoft Exchange Servers Targeted by New PowerShell Backdoors


Security researchers have discovered a pair of previously unseen PowerShell backdoors while investigating an attack on a Microsoft Exchange server. While the attack dates from last year, it shows the responsible group using a new method.

According to Palo Alto’s Unit 42 security team, a threat group called xHunt is responsible for the attack. This group has been known to target organizations in Kuwait, including a 2018 breach of the country’s government system.

A newer attack that occurred around August 22, 2019 shows the group has a new way of breaching targets. Specifically, two new PowerShell backdoors were used: one has been dubbed “TriFive” and the other “Snugy.”

“Both of the backdoors installed on the compromised Exchange server of a Kuwait government organization used covert channels for C2 communications, specifically DNS tunneling and an email-based channel using drafts in the Deleted Items folder of a compromised email account,” say researchers from the Palo Alto team.

How it Happened

While last year’s attack has now been discovered, researchers are not clear how the group gained access to the Exchange server. The attack was reported over a year after it happened, when the organization found suspicious commands being run through the Internet Information Services (IIS) worker process w3wp.exe.

On the server, the team says it “did discover two scheduled tasks created by the threat actor well before the dates of the collected logs, both of which would run malicious PowerShell scripts. We cannot confirm that the actors used either of these PowerShell scripts to install the web shell, but we believe the threat actors already had access to the server prior to the logs.”

Two scheduled tasks “ResolutionHosts” and “ResolutionsHosts” were used in c:\Windows\System32\Tasks\Microsoft\Windows\WDI to persistently run PowerShell scripts every 30 minutes and every five minutes.

“The scripts were stored in two separate folders on the system, which is likely an attempt to avoid both backdoors being discovered and removed,” add the researchers.
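As an added PowerShell example (not Unit 42's or the article's code), a hunt for persistence like the one described above: it enumerates scheduled tasks whose action launches PowerShell and flags the ones that sit under Microsoft's own task folders (the xHunt tasks lived in \Microsoft\Windows\WDI\), repeat at short intervals, or carry hidden or encoded launch arguments. The legitimate WDI task is named ResolutionHost and runs a COM handler rather than powershell.exe; the repeat threshold and the argument patterns are assumptions for this example.

```powershell
# Added example, not Unit 42's or the article's code. Run as an administrator on the
# server; needs the ScheduledTasks module (Windows Server 2012+). Thresholds assumed.

function Get-PowerShellScheduledTasks {
    param([int]$MaxRepeatMinutes = 30)   # xHunt used every 30 and every 5 minutes
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions have Execute; COM-handler actions (such as the genuine
            # WDI ResolutionHost task) come back empty here and are skipped.
            $exe = [string]$action.Execute
            if ($exe -notmatch '(powershell|pwsh)(\.exe)?"?$') { continue }
            $argString = [string]$action.Arguments

            # Shortest repetition interval across triggers, from ISO 8601 durations (PT5M, PT1H30M).
            $interval = $null
            foreach ($trigger in $task.Triggers) {
                $iso = [string]$trigger.Repetition.Interval
                if ($iso -match '^PT(?:(\d+)H)?(?:(\d+)M)?') {
                    $m = [int]$Matches[1] * 60 + [int]$Matches[2]
                    if ($m -gt 0 -and ($null -eq $interval -or $m -lt $interval)) { $interval = $m }
                }
            }

            $reasons = @(
                if ($task.TaskPath -like '\Microsoft\Windows\*') { 'PowerShell task under a Microsoft folder' }
                if ($task.TaskPath -eq '\Microsoft\Windows\WDI\' -and $task.TaskName -ne 'ResolutionHost') { 'unexpected task name in WDI' }
                if ($interval -and $interval -le $MaxRepeatMinutes) { "repeats every $interval min" }
                if ($argString -match '-(e|ec|enc|encodedcommand)\s|-w(indowstyle)?\s+hidden|-nop\b|bypass') { 'hidden/encoded launch arguments' }
            )
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath      = $task.TaskPath
                TaskName      = $task.TaskName
                Author        = $task.Author
                Execute       = $exe
                Arguments     = $argString
                RepeatMinutes = $interval
                LastRunTime   = $info.LastRunTime
                Reasons       = $reasons -join '; '
            }
        }
    }
}

# Tasks with at least one reason, shortest repeat interval first.
Get-PowerShellScheduledTasks |
    Where-Object { $_.Reasons } |
    Sort-Object RepeatMinutes |
    Format-Table TaskPath, TaskName, RepeatMinutes, Reasons -AutoSize
```

Review every hit by reading the script the Arguments column points to; as the researchers note, the two xHunt scripts sat in separate folders, so finding one task should prompt a search for its sibling rather than a single deletion.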

Source Winbuzzer


Microsoft: ‘Expect a bumpy ride’. These are 2019’s top 10 tech challenges


Microsoft president Brad Smith reckons the tech sector could be in for a “bumpy ride” in 2019, with new US national privacy regulation, an ongoing trade war with China, a US resistant to diplomatic responses to hacking and election meddling, and regulatory responses to artificial intelligence.

Key changes that could broadly affect the tech sector include a proposal by the Department of Commerce in November to add artificial intelligence to its controlled exports schedule due to their importance to national security.

Smith, who’s also Microsoft’s chief legal counsel, says across both sides of American politics there is “greater appreciation of China’s momentum in artificial intelligence and other technology and heightened concern about its economic and national security implications”.

Smith doesn’t mention Donald Trump but notes the “steady wave of US tariff increases on Chinese imports” that the US President hoped would boost Chinese purchases of American products, though not necessarily technology products.

Last year Apple CEO Tim Cook called for regulation of internet companies, while Facebook CEO Mark Zuckerberg grew to accept that new rules will come. Smith writes that last year saw broadening acceptance among tech leaders of the need for some regulation.

But what type of regulation could the US introduce? Smith points to a paper from Democrat Senator Mark Warner from Virginia. The paper proposes a duty on social-media platforms like Facebook to, in Smith’s words, “determine the origin of accounts or posts, identify bogus accounts and notify users when bots are spreading information”.

“Warner has played a steady leadership role on the Senate Intelligence Committee, and the coming months will likely put added spotlight on these ideas,” writes Smith.

He’s also upbeat about the prospect for national privacy legislation, thanks to California’s new privacy laws. The laws, considered the toughest in the nation, allow customers to request companies stop collecting and selling personal data.

“Look to the next few months for the spread of privacy legislation to several other state capitals, all of which will set the stage for an even bigger debate on Capitol Hill,” writes Smith.

Smith called French President Emmanuel Macron’s effort to find a diplomatic solution to state-sponsored hacking and election meddling “last year’s biggest step” to address these attacks on democracy.

Smith notes that Macron’s Paris Call signatories included all EU members and 27 of 29 NATO allies, but not the US. “The New Year brings a new opportunity to bring everyone together,” he writes.

He also expects lawmakers to debate artificial intelligence in early 2019. In December, Smith outlined why Microsoft believed new laws were immediately required to regulate the use of facial-recognition technologies.

“The early months of 2019 will see the legislative focus in the US shift to state capitals, with the issue likely to move to Washington, DC before the year ends,” he writes.

“In the EU, authorities are monitoring facial recognition and other biometric techniques under the GDPR, and the European Commission has started reviewing the ethical issues more broadly. Globally, this is an issue that’s just getting started.”
