ADV190007 | Guidance for PrivExchange Elevation of Privilege Vulnerability


Exchange on-prem only
Security Advisory
An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could attempt to impersonate any other user of the Exchange server. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.
A planned update is in development. If you determine that your system is at high risk then you should evaluate the proposed workaround.
After installing the update you can undo the workaround with this command (the undo of New-ThrottlingPolicy is Remove-ThrottlingPolicy):
Remove-ThrottlingPolicy AllUsersEWSSubscriptionBlockPolicy



How to

Run the following command to create the organization-wide throttling policy that blocks EWS subscriptions:

New-ThrottlingPolicy -Name NoEwsSubscriptions -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0

Then create a whitelist policy for users who have problems with EWS subscriptions after the block is applied:

New-ThrottlingPolicy -Name AllowEwsSubscriptions -ThrottlingPolicyScope Regular -EwsMaxSubscriptions 5000

Assign users to the whitelist policy:

Set-Mailbox User1 -ThrottlingPolicy AllowEwsSubscriptions
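The three commands above, as an added example that is not part of the advisory or the original notes: it applies the block policy idempotently, exempts a list of accounts, shows how to verify what is in effect, and keeps the rollback commands for after the patch. The user names in $ExemptUsers are constructed samples.

```powershell
# Added example (not from the advisory): EWS subscription throttling workaround with
# verification and rollback. Run in the Exchange Management Shell on-prem.
$ExemptUsers = @('svc-lob-app', 'mac-user1')   # constructed sample mailbox identities

# 1. Organization-wide policy: EwsMaxSubscriptions 0 blocks EWS notification subscriptions.
#    Autodiscover and Free/Busy requests are not affected by this setting.
if (-not (Get-ThrottlingPolicy -Identity NoEwsSubscriptions -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy -Name NoEwsSubscriptions -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0
}

# 2. Regular-scope exception policy for accounts that legitimately need EWS notifications
#    (LOB applications, Outlook for Mac, Skype for Business, Apple Mail users).
if (-not (Get-ThrottlingPolicy -Identity AllowEwsSubscriptions -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy -Name AllowEwsSubscriptions -ThrottlingPolicyScope Regular -EwsMaxSubscriptions 5000
}

# 3. Assign the exception policy per mailbox
foreach ($u in $ExemptUsers) {
    Set-Mailbox -Identity $u -ThrottlingPolicy AllowEwsSubscriptions
}

# 4. Verify: the limit on each policy, and which mailboxes carry an explicit policy
Get-ThrottlingPolicy | Select-Object Name, ThrottlingPolicyScope, EwsMaxSubscriptions | Format-Table -AutoSize
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ThrottlingPolicy -ne $null } |
    Select-Object Name, ThrottlingPolicy

# 5. Rollback once the patched build is installed: clear assignments first, then remove policies.
#    Uncomment to run.
# Get-Mailbox -ResultSize Unlimited |
#     Where-Object { $_.ThrottlingPolicy.Name -eq 'AllowEwsSubscriptions' } |
#     Set-Mailbox -ThrottlingPolicy $null
# Remove-ThrottlingPolicy -Identity AllowEwsSubscriptions -Confirm:$false
# Remove-ThrottlingPolicy -Identity NoEwsSubscriptions -Confirm:$false
```

Test the exception list against the clients named in the side-effects note before rolling the block policy out organization-wide.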



Please read carefully:

  • The issue described in the Blog post: Abusing Exchange: One API call away from Domain Admin only affects OnPrem deployments. Exchange Online is not affected.
  • The attack scenario described in the blog referenced above requires NTLM. Systems that have disabled NTLM are not affected.
  • Attackers cannot compromise a Domain Admin account if an OnPrem deployment follows Microsoft’s security best practice guidance and has implemented Active Directory Split Permissions. For more information on using Active Directory Split Permissions with Exchange, see Understanding split permissions: Exchange 2013 Help.
    This document refers to Exchange Server 2013, but the same model can be used for later versions of Exchange Server.



    About this EWS Subscription throttling workaround:

    A customer’s risk assessment must weigh the protections gained by the workaround as compared to the possible unwanted side effects of the workaround. The following are possible side effects of the EWS Subscription throttling policy:

    This workaround may be disruptive to Outlook for Mac, Skype for Business Client, and Apple Mail Clients, causing them to not function properly. Importantly, the throttling policy won’t block Autodiscover and Free/Busy requests. The EWS throttling policy will also negatively impact LOB and other third-party Applications that require EWS Notifications. A second policy can be created to whitelist trusted accounts.








Display Exchange Online mailbox information with Office 365 PowerShell


$UserCredential = Get-Credential
# The ConnectionUri value was missing from the original post; this is the documented
# Exchange Online remote PowerShell endpoint for this connection method.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
# ... query mailbox information here, then close the session when finished
Remove-PSSession $Session
# Note: Basic authentication for Exchange Online remote PowerShell has since been retired;
# current guidance is the Exchange Online PowerShell module (Connect-ExchangeOnline).


Alert: Exchange Health Set

Source: pcrs0119 – ActiveSync.Protocol


Last modified by: System

Last modified time: 1/17/2017 8:28:50 AM

Alert description: ActiveSync is failing on Mailbox server server name.

Incident start time: 1/17/2017 5:28:35 AM


Last failed result:

Failing Component – EAS

Failure Reason – Unknown Reason: QuotaExceeded


Exception: System.Net.WebException: Error occurred:


Invoke-MonitoringProbe -Identity:"ActiveSync.Protocol\ActiveSyncDeepTestProbe" -Server:servername | fl

  1. Open the Exchange Management Shell, and run the following command to retrieve the details of the health set that issued the alert:

     Get-ServerHealth <server name> | ?{$_.HealthSetName -eq "<health set name>"}

     For example, to retrieve the ActiveSync health set details, run the following command:

     Get-ServerHealth <server name> | ?{$_.HealthSetName -eq "ActiveSync"}

  2. Review the command output to determine which monitor reported the error. The AlertValue for the monitor that issued the alert will be Unhealthy.
  3. Rerun the associated probe for the monitor that is in an unhealthy state. Refer to the table in the Explanation section to find the associated probe. To do this, run the following command:

     Invoke-MonitoringProbe <health set name>\<probe name> -Server <server name> | Format-List

     For example, assume that the failing monitor is ActiveSyncCTPMonitor. The probe associated with that monitor is ActiveSyncCTPProbe. To run this probe, run the following command:

     Invoke-MonitoringProbe ActiveSync\ActiveSyncCTPProbe -Server <server name> | Format-List

  4. In the command output, review the "Result" section of the probe. If the value is Succeeded, the issue was a transient error, and it no longer exists. Otherwise, refer to the recovery steps outlined in the following sections.


Troubleshooting ActiveSync Health Set

If the probe still reports the failure after you run the command, proceed with the recovery actions below.

ActiveSyncDeepTestMonitor and ActiveSyncSelfTestMonitor Recovery Actions

This monitor alert is typically issued on Mailbox servers. To perform recovery actions, follow these steps:

  1. Start IIS Manager, and then connect to the server that is reporting the issue. Click Application Pools, and then recycle the ActiveSync application pool that’s named MSExchangeSyncAppPool.
  2. Rerun the associated probe as shown in the verification steps above.
  3. If the issue still exists, recycle the entire IIS service by using the IISReset utility.
  4. Rerun the associated probe as shown in the verification steps above.
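The verification steps and the recovery actions above, combined into one added example (not from the original notes or Microsoft's documentation): it lists unhealthy ActiveSync monitors, re-runs the matching probe, recycles MSExchangeSyncAppPool only when a DeepTest or SelfTest probe still fails, and re-checks. The server name is a constructed placeholder, and deriving the probe name from the monitor name is an assumption that holds for the pairing shown above.

```powershell
# Added example (not from the original notes): verify the ActiveSync health set, recover, re-verify.
# Run in the Exchange Management Shell with permission to recycle IIS app pools on $Server.
$Server    = 'mbx01'        # constructed sample Mailbox server name
$HealthSet = 'ActiveSync'

function Get-UnhealthyMonitors {
    param([string]$Server, [string]$HealthSet)
    Get-ServerHealth -Identity $Server -HealthSet $HealthSet |
        Where-Object { $_.AlertValue -eq 'Unhealthy' }
}

function Test-Probe {
    param([string]$Server, [string]$HealthSet, [string]$ProbeName)
    $r = Invoke-MonitoringProbe -Identity "$HealthSet\$ProbeName" -Server $Server
    # ResultType is Succeeded when the issue was transient and has cleared, Failed otherwise
    [pscustomobject]@{ Probe = $ProbeName; Result = $r.ResultType; Error = $r.Error }
}

$unhealthy = Get-UnhealthyMonitors -Server $Server -HealthSet $HealthSet
foreach ($m in $unhealthy) {
    # Assumption: probe name = monitor name with the 'Monitor' suffix replaced by 'Probe'
    # (ActiveSyncCTPMonitor -> ActiveSyncCTPProbe). Use the documented monitor/probe table
    # for any monitor whose probe is named differently.
    $probe = $m.Name -replace 'Monitor$', 'Probe'
    $first = Test-Probe -Server $Server -HealthSet $HealthSet -ProbeName $probe
    $first | Format-List

    $recoverable = 'ActiveSyncDeepTestMonitor', 'ActiveSyncSelfTestMonitor'
    if ($first.Result -ne 'Succeeded' -and $m.Name -in $recoverable) {
        # Recovery step 1: recycle only the ActiveSync app pool (less disruptive than IISReset)
        Invoke-Command -ComputerName $Server -ScriptBlock {
            Import-Module WebAdministration
            Restart-WebAppPool -Name 'MSExchangeSyncAppPool'
        }
        Start-Sleep -Seconds 30   # give the pool time to restart before re-probing
        $second = Test-Probe -Server $Server -HealthSet $HealthSet -ProbeName $probe
        $second | Format-List
        # Only if the probe still fails, escalate to a full IISReset on $Server and re-run Test-Probe.
    }
}
```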


DSNs and NDRs in Exchange 2013


Common enhanced status codes


Exchange Server Patching


As we’ve mentioned before, you must patch Exchange 2007 to the very latest Service Pack and Update Rollup before you attempt to do anything with Exchange 2013.

Download and install these patches from here:









    Preparing the server for Exchange 2013

    Server prerequisites

    Install the following.

    Windows Server 2012 R2 and Windows Server 2012 prerequisites

    Mailbox and Client Access server roles

    Open PowerShell and run:

    Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation


    Then restart the server.

    After installing the features, install the following:

    Unified Communications Managed API 4.0 Runtime


    Edge Transport role

    Install-WindowsFeature ADLDS



    Preparing the domain

    Permissions required:

    Your login ID must have the following group memberships:

      • Domain Admins
      • Schema Admins
      • Enterprise Admins
      • Organization Management, if an existing Exchange (2007/2010) organization is present


    Open PowerShell and run the following command:

    Install-WindowsFeature RSAT-ADDS

    First extract the installation files.

    Choose a directory to extract them to.



    Prepare the schema

    Then open a command prompt.

    Go to the location of the extracted installation files and run:

    setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms


    setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms /OrganizationName:PGesco



    setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms


    Check the following before installation

    Replication

    Open cmd and run the command "repadmin /replsum", then check for errors.

    If replication is fine we can continue.
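A pre-flight script covering the prerequisite, permission and replication checks from the steps above, as an added example (not from the original notes). It changes nothing on the system. The feature list is a subset of the one given above, and the regex used to spot failures in the repadmin output is an assumption about its "fails / total" column.

```powershell
# Added example (not from the original notes): pre-flight checks before running Exchange 2013 setup.
# Run on the future Exchange server, in the session of the account that will run setup.exe.
$RequiredGroups   = 'Domain Admins', 'Schema Admins', 'Enterprise Admins'
$RequiredFeatures = 'RSAT-ADDS', 'NET-Framework-45-Features', 'RPC-over-HTTP-proxy',
                    'Web-Server', 'Web-Windows-Auth', 'Windows-Identity-Foundation'

function Test-GroupMembership {
    param([string[]]$Groups)
    # Resolve the current token's group SIDs to DOMAIN\Name; the token already reflects nesting
    $tokenGroups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null } }
    foreach ($g in $Groups) {
        $member = @($tokenGroups | Where-Object { $_ -like "*\$g" }).Count -gt 0
        [pscustomobject]@{ Check = "Member of $g"; Pass = $member }
    }
}

function Test-Features {
    param([string[]]$Features)
    Import-Module ServerManager
    foreach ($f in $Features) {
        $installed = (Get-WindowsFeature -Name $f).Installed
        [pscustomobject]@{ Check = "Feature $f"; Pass = [bool]$installed }
    }
}

function Test-Replication {
    # /errorsonly limits the summary to partners with failures; a non-zero "fails / total"
    # entry (assumed column format) or a non-zero exit code marks replication as unhealthy
    $out = repadmin /replsum /errorsonly 2>&1
    $bad = $out | Select-String -Pattern '\s[1-9]\d*\s*/\s*\d+' -Quiet
    [pscustomobject]@{ Check = 'AD replication (repadmin /replsum)'; Pass = (-not $bad -and $LASTEXITCODE -eq 0) }
}

$results = @(Test-GroupMembership -Groups $RequiredGroups) +
           @(Test-Features -Features $RequiredFeatures) +
           @(Test-Replication)
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'Fix the failed checks before running setup.exe /PrepareSchema.'
}
```

Group membership added to the account after logon is not in the current token, so log off and on again before re-running the check.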


    Installing Exchange 2013 SP1

    Run setup.exe to start the installation wizard.

    Choose the roles and uncheck the option to automatically install the required Windows roles and features.

    Malware protection

    Readiness check


    Installation starts




    Moving mailboxes from 2007 to 2013

    First create a database.




Grant permission on an on-prem public folder or shared mailbox to Office 365 users

First create a universal group, add the users to it, and then mail-enable it

with the following command from the Exchange PowerShell:

Enable-DistributionGroup -Identity "groupName"

After it is enabled, run the following command.

Send on behalf of

(run the command from the Exchange PowerShell)

Set-MailPublicFolder "\publicfoldername" -GrantSendOnBehalfTo "Groupname"

Send as

For Send As, go to the properties of the distribution group from the ECP Exchange link, then go to delivery options

and add the group.