SuperTekBoy

Last week was a big week for Exchange. Microsoft released its first cumulative update for Exchange 2019 as well as cumulative updates for Exchange 2016 and 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange 2019 Cumulative Update 1 (VLSC)| KB4471391

Exchange 2016 Cumulative Update 12 | KB4471392 | UM Language Pack

Exchange 2013 Cumulative Update 22 | KB4345836 | UM Language Pack

Exchange 2010 SP3 Rollup 26 | KB4487052 (released February)

Exchange 2010 SP3 Rollup 25 | KB4468742 (released January)

Only 325 days left for Exchange 2010

Here is a quick reminder that extended support for Exchange 2010 is coming to an end. After January 14th, 2020, no further technical support or updates will be available. This includes security, bug and time zone updates.

Unfortunately, there is no direct path to Exchange 2019 from 2010. If you do plan to stay on-prem you will need to migrate to either 2013 or 2016 (I’d recommend 2016 as 2013 is now in extended support). From there you can migrate to 2019. Alternatively, you can migrate to Office 365.

For more information about the Exchange 2010 life-cycle check out the Exchange Team blog.

So, what’s new in these Cumulative Updates?

Push notifications are one type of notification a developer can leverage in their application to add value. An example of a push notification might be the notification of new mail on a mobile device.

In this series of cumulative updates, the Exchange Team has changed the way it initiates push notifications through Exchange Web Services. This is in direct response to a security flaw where an attacker could intercept push notifications to gain access to credentials streamed via NTLM. These cumulative updates mitigate this attack by removing these credentials from the stream. Microsoft documents this resolution in KB4490060.

After applying this cumulative update, Microsoft recommends forcing the computer account to change its password by using either the Reset-ComputerMachinePassword cmdlet or, NETDOM. In addition, Microsoft recommends every organization review its user password expiration policies.

In further response to the security flaw, Microsoft is reducing the number of rights Exchange has in Active Directory when operating in a shared permission model.

In a shared permission model, Exchange administrators have the ability to create security principals in Active Directory and mail-enable those security principals. This includes the ability to create a new user as you are creating a mailbox, or, the ability to remove a user when you remove a mailbox. This also extends to tasks such as being able to create a distribution group, or, modify distribution group members.

In a split permission model, the Exchange administrator is restricted from these tasks and can only mail-enable, or, mail-disable existing objects (e.g. users, groups or contacts) that were created by an administrator with Active Directory rights.

Going forward the shared permission model will have fewer Active Directory rights, but that does not mean reduced functionality for Exchange administrators.