ADV190007 | Guidance for PrivExchange Elevation of Privilege Vulnerability

Aside

Exchange on-prem only
Security Advisory
An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could attempt to impersonate any other user of the Exchange server. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.
A planned update is in development. If you determine that your system is at high risk then you should evaluate the proposed workaround.
After installing the update you can undo the above action with this command:
New-ThrottlingPolicy AllUsersEWSSubscriptionBlockPolicy

Guidance for “PrivExchange” Elevation of Privilege Vulnerability

for more about ThrottlingPolicy

ThrottlingPolicy

How to

Run the following command to create throttling policy

New-ThrottlingPolicy -Name NoEwsSubscriptions -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0

Then create white list for adding user who had a problem in EWS subscription

New-ThrottlingPolicy -Name AllowEwsSubscriptions -ThrottlingPolicyScope Regular -EwsMaxSubscriptions 5000

Assign users to the white list policy

Set-Mailbox User1 -ThrottlingPolicy AllowEwsSubscriptions

From <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv190007>

Please read well

The issue described in the Blog post: Abusing Exchange: One API call away from Domain Admin only affects OnPrem deployments. Exchange Online is not affected.
The attack scenario described in the blog referenced above requires NTLM. Systems that have disabled NTLM are not affected.
ttackers cannot compromise a Domain Admin account if an OnPrem deployment follows Microsoft’s security best practice guidance and has implemented Active Directory Split Permissions. For more information on using Active Directory Split Permissions with Exchange, see Understanding split permissions: Exchange 2013 Help.

Note:
This document refers to Exchange Server 2013, but the same model can be used for later versions of Exchange Server.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv190007>
Note:
about this EWS Subscription throttling workaround:
A customer’s risk assessment must weigh the protections gained by the workaround as compared to the possible unwanted side effects of the workaround. The following are possible side effects of the EWS Subscription throttling policy:
This workaround may be disruptive to Outlook for Mac, Skype for Business Client, and Apple Mail Clients, causing them to not function properly. Importantly, the throttling policy won’t block Autodiscover and Free/Busy requests. The EWS throttling policy will also negatively impact LOB and other third-party Applications that require EWS Notifications. A second policy can be created to whitelist trusted accounts.

From <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv190007>

Display Exchange Online mailbox information with Office 365 PowerShell

Posted on March 27, 2017 by kazaki82

Exchange online powershell
Microsoft online Exchange powershell
Microsoft online Exchange powershell

Display microsoft Exchange Online mailbox information with Office 365 PowerShell

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic –AllowRedirection

Import-PSSession $Session

Remove-PSSession $Session

Display Microsoft Exchange Online mailbox information with Office 365 PowerShell
Continue reading →

Alert: Exchange Health Set

Posted on January 18, 2017 by kazaki82

Alert: Exchange Health Set

Source: pcrs0119 – ActiveSync.Protocol

Path: pcrs0119.PGESCo.com;pcrs0119.PGESCo.com

Last modified by: System

Last modified time: 1/17/2017 8:28:50 AM Alert description: ActiveSync is failing on Mailbox server server name.

Incident start time: 1/17/2017 5:28:35 AM

Last failed result:

Failing Component – EAS

Failure Reason – Unknown Reason: QuotaExceeded

Exception: System.Net.WebException: Error occurred:

Invoke-MonitoringProbe -Identity:”ActiveSync.Protocol\ActiveSyncDeepTestProbe” -Server:servername | fl

Open the Exchange Management Shell, and run the following command to retrieve the details of the health set that issued the alert:

Get-ServerHealth <server name> | ?{$_.HealthSetName -eq "<health set name>"}

For example, to retrieve the ActiveSync health set details about server1.contoso.com, run the following command:

Get-ServerHealth server1.contoso.com | ?{$_.HealthSetName -eq "ActiveSync"}

Review the command output to determine which monitor reported the error. The AlertValue value for the monitor that issued the alert will be Unhealthy.
Rerun the associated probe for the monitor that’s in an unhealthy state. Refer to the table in the Explanation section to find the associated probe. To do this, run the following command:

Invoke-MonitoringProbe <health set name>\<probe name> -Server <server name> | Format-List

For example, assume that the failing monitor is ActiveSyncCTPMonitor. The probe associated with that monitor is ActiveSyncCTPProbe. To run this probe on server1.contoso.com, run the following command:

Invoke-MonitoringProbe ActiveSync\ActiveSyncCTPProbe -Server server1.contoso.com | Format-List

In the command output, review the “Result” section of the probe. If the value is succeeded, the issue was a transient error, and it no longer exists. Otherwise, refer to the recovery steps outlined in the following sections.

Table: https://technet.microsoft.com/en-us/library/ms.exch.scom.activesync(v=exchg.150).aspx#EXP

Troubleshooting ActiveSync Health Set

The command didn’t work and you have the failure message then

ActiveSyncDeepTestMonitor and ActiveSyncSelfTestMonitor Recovery Actions

This monitor alert is typically issued on Mailbox servers. To perform recovery actions, follow these steps:

Start IIS Manager, and then connect to the server that is reporting the issue. Click Application Pools, and then recycle the ActiveSync application pool that’s named MSExchangeSyncAppPool.
Rerun the associated probe as shown in step 2c in the Verifying the issue section.

If the issue still exists, recycle the entire IIS service by using the IISReset utility.

Rerun the associated probe as shown in step 2c in the Verifying the issue section.

Ref: https://technet.microsoft.com/en-us/library/ms.exch.scom.activesync(v=exchg.150).aspx

DSNs and NDRs in Exchange 2013

Posted on December 1, 2016 by kazaki82

DSNs and NDRs in Exchange 2013

https://technet.microsoft.com/en-us/library/bb232118(v=exchg.150).aspx

Common enhanced status codes

Continue reading →

Exchange Server Patching

Posted on September 29, 2016 by kazaki82

Exchange Server Patching

As we’ve mentioned before, you must patch Exchange 2007 to the very latest Service Pack and Update Rollup before you attempt to do anything with Exchange 2013.

Download and install these patches from here:

Exchange Server 2007 Service Pack 3
Exchange Server 2007 SP3 Update Rollup 10

Continue

Preparing server for ex2013

Server prerequisites

Install the following

Windows Server 2012 R2 and Windows Server 2012 prerequisites

Mailbox client access server Roles

Open PowerShell

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

Then restart

After installing feature

Install the following

Unified Communications Managed API 4.0 Runtime

http://technet.microsoft.com/en-us/library/bb691354(v=exchg.150).aspx

Edge transport Role
```
Install-WindowsFeature ADLDS
```
Preparing the domain

Permissions required:

Your login id must have following group membership:

         Domain Admins

Schema Admins

Enterprise Admins

        Organization management if any (2010/2007) exchange org exist.

Open power shell run the following command

Install-windowsfeature RSAT-ADDS

First extract the installation files

Choose directory to extract

Prepare the schema

Then open command Prompt

Go to the location of the installation file

setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

PrepareAD

setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms /OrganizationName:PGesco

PrepareDomain

setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms

Restart

Check the following before installation

The replication

Go to cmd and run the command “repadmin /replsum” and check for error

If replication is fine we can continue

Installing EX2013Sp1

Run the setup.exe and you will see the below screen

Choose the Roles and un check the automatic roles and feature

Malware protection

Readiness check

Installation starts

Moving mailboxes from 2007 to 2013

First create database