SuperTekBoy

Practical Help for Exchange & Office 365

Sysadmin Today #78: Talking Tech with Gareth Gudger

By Leave a Comment

8 Shares
Share
Tweet
Share
Reddit
Print

On July 19th, I had the great pleasure of being a guest on SysAdmin Today. I joined host Paul Joyner to discuss several hot topics for Exchange and Office 365; including:

  • Introductions
  • Overview of Microsoft MVP Program
  • Getting out of the patching and server management business
  • Updated Hybrid Configuration Wizard (v17)
  • Keeping an Exchange server on-prem for secure mail relay
  • GUI for restoring deleted mail for users
  • Reply-all storm protection
  • Support for DANE / DNSSEC
  • New defaults for SMTP Auth
  • Deprecation and deadline extension for basic auth
  • Getting all users to multi-factor authentication
Sysadmin Today #78 - Talking Tech with Gareth Gudger
[Read more…] about Sysadmin Today #78: Talking Tech with Gareth Gudger

URL Impersonation – Homoglyph attacks

By Leave a Comment

15 Shares
Share
Tweet
Share
Reddit
Print

A homoglyph is when a glyph (or character) from one character set looks identical to that of another character set. For example, the lower-case letter “а” from the Cyrillic alphabet appears to be identical to the lower-case letter “a” from the Latin alphabet.

While seemingly identical to the human eye, they are very different for a computer. Pasting a string that contains each of these characters into a web browser will take you to very different places.

Homoglyphs are frequently used in URL impersonation attacks because their substitution is indistinguishable to the human eye.

Homoglyphs are also more effective than other forms of impersonation, such as replacing lowercase “m” with “rn,” which can look almost identical in some fonts—for example, arnazon.com versus amazon.com. Or impersonation that preys on common misspellings—for instance, micosoft.com

So just how identical can a homoglyph attack be? In the next section, we will explore an example.

Note: To keep everyone safe, we have used screenshots for all impersonated domains.

Creating a homoglyph

To create an impersonated domain, we are going to use the Homoglyph Attack Generator at irongeek.com. From this page, we first need to type in the domain we want to impersonate. I am going to use supertekboy.com.

The generator then allows us to swap out each letter with a letter from another character set. The first two rows are the Latin character set in upper and lower case. However, several other character sets, including Cyrillic, are included.

Homoglyph attack generator

Using the generator, we can switch one or more letters with those from a different character set. Let’s change the Latin letter “e” for the Cyrillic letter “e” (Unicode 435). This gives us the output below. Can you tell the difference?

Impersonation attack of SuperTekBoy using Homoglyphs

If you were to click that link or cut and paste the URL into a browser, you would be redirected to the following URL.

Impersonation attack of SuperTekBoy using Homoglyphs Translated

Were a bad actor to register this redirected domain, they could use it as a launchpad for any number of attacks, such as delivering a malicious payload, social engineering, or password capture. (I believe some domain registrars are blocking these types of domains).

[Read more…] about URL Impersonation – Homoglyph attacks

Hybrid Configuration Service may be limited

By 1 Comment

20 Shares
Share
Tweet
Share
Reddit
Print

When running the Hybrid Configuration Wizard, you may receive the following error on the credential page.

Hybrid Configuration Service may be limited - Exchange Online
Hybrid Configuration Service may be limited

This error is the result of an out of date hybrid configuration wizard. In the screenshot above, we are using version 16.0.3149.4. At the time of writing, the current version is 17.0.4554.0.

Despite the historically self-updating nature of the hybrid configuration wizard, users on older versions will need to uninstall and then reinstall version 17 from the portal. However, once installed, version 17 will check for updates on launch.

The new wizard contains several significant changes, including smaller bug fixes and enhancements.

The first is that the wizard will no longer create or require a federation trust in some Exchange environments. If the wizard detects the presence of Exchange 2010, the federation trust will be created. However, if the on-premises environment only includes Exchange 2013 or newer, the federation trust is skipped. This means that domain proof is not required, which skips the need to create DNS TXT records as part of the wizard.

Second, the wizard also vastly improves how it reports OAuth errors if enablement fails during the execution of the wizard. Detailed OAuth failure messages are now reported in the HCW logs, which will help significantly with troubleshooting.

[Read more…] about Hybrid Configuration Service may be limited

Exchange Cumulative Updates (June 2020)

By 2 Comments

6 Shares
Share
Tweet
Share
Reddit
Print
Exchange 2019 CU6

This week was a big week for Exchange. Microsoft released its sixth cumulative update for Exchange 2019 as well as a cumulative update for Exchange 2016. At the time of writing, there is no cumulative update for Exchange 2013.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange Logo Mini

Exchange 2019 Cumulative Update 6 (VLSC)| KB4556415

Exchange 2013 Cumulative Update 9

Exchange 2016 Cumulative Update 17 | KB4556414 | UM Language Pack

So, what’s new in these Cumulative Updates?

In this series of cumulative updates, Microsoft added thirteen new blocked file types for use with the OWA Mailbox Policy. The additions included several scripting extensions, including many python file types such as .py, .pyc, and .pyo. For a full list of the new extensions, check the following article.

These cumulative updates also correct an issue when using the Restore-RecoverableItems command in a pipe. We covered the cloud-exclusive GUI version of this command in an article earlier this week. Be sure to check it out.

Companies leveraging Hybrid Modern Authentication will also want to take note of these updates as they fix unexpected authentication prompts during certificate rollovers.

Customers leveraging Edge Transport will also want to take note as these updates resolve a situation where Edge Transport servers may become unresponsive due to deadlock in the shadow redundancy manager.

For a full list of all fixes, be sure to check out the KBs KB4556415 and KB4556414.

[Read more…] about Exchange Cumulative Updates (June 2020)

Exchange Online Updates (June 2020)

By Leave a Comment

6 Shares
Share
Tweet
Share
Reddit
Print

Recover deleted mail using the new Exchange Admin Center in Office 365

In the last quarterly update, we covered the new Exchange Admin Center in Office 365. Exclusive to the new admin center is the ability to recover deleted items back into a user’s mailbox. This process has been available using PowerShell for some time.

Recover deleted email items for a user in Office 365 B

Keep in mind you can only recover up to the limit of your single item recovery policy. By default, this is 14 days in Office 365, but can be increased to 30 days (although you will need to set this ahead of time).

You can read more about how to recover deleted items in the following article.

Preventing Reply-All Storms in Exchange Online

Microsoft has added a new feature to combat reply-all storms. These storms are particularly prevalent when numerous people execute a reply-all to a massive distribution list.

Reply-All Storm Protection in Exchange Online

Microsoft’s initial reply-all protection will block replies to an email thread for 4 hours if it detects more than ten reply-all messages within 60 minutes to a thread with over 5,000 recipients.

The eleventh sender will receive a non-delivery report titled Reply-All Storm Protection with the reason the message was blocked.

[Read more…] about Exchange Online Updates (June 2020)

Recover deleted email using the new Exchange Admin Center

By Leave a Comment

31 Shares
Share
Tweet
Share
Reddit
Print

The PowerShell command to recover deleted email for a user have been around for some time. However, these PowerShell commands now have a graphical interface in the new Exchange Admin Center.

In this article, we explore how to recover deleted email for a user. But first, there are some permission prerequisites.

Assigning your admin account recovery permissions

Before we can restore mail for a user we need permission to do so. The permission in question is the Mailbox Import / Export permission. By default, no one is assigned this permission in Exchange.

Log onto the Exchange Admin Center and navigate to Permissions > Admin Roles.

At this point, we have two options. We can either assign the Mailbox Import / Export role to an existing role group (such as Organization Management) or, we can create a new role group. Let’s do the latter.

Click the New button (). This launches the new role group dialog.

Creating a new role group for Mailbox Import Export

Type a Name and Description for your role. In our example, we went with Email Recovery Role.

If needed select a custom write scope, or, leave at default. The default scope allows the role holder to apply these permissions to the entire organization. You can define a custom write scope to limit the scope of this permission. For example, the scope could be limited to a specific business unit or group of users. This is particularly useful if you need to delegate this role.

Under Roles click the Add button ().

Double-click Mailbox Import Export and click Ok.

Under Members click the Add button ().

Double-click each administrator you want to assign this role and click Ok.

Click Save.

Note: Once the role group is created it can take up to one hour for the permissions to take effect.

[Read more…] about Recover deleted email using the new Exchange Admin Center

How to continue a failed Exchange uninstall

By Leave a Comment

4 Shares
Share
Tweet
Share
Reddit
Print

If you receive an error during an uninstall that is never a good thing. But what happens when you clear the error and Exchange is in a partially uninstalled state. Restarting the uninstall from Control Panel > Programs and Features may result in an error like this.

An incomplete installation was detected - Run setup to complete Exchange installation
An incomplete installation was detected. Run setup to complete Exchange installation.

To uninstall you are going to need the Exchange installation ISO. Once you have the ISO mounted open an elevated command prompt and change to the ISO drive letter (e.g. “cd D:”). Then run the following command.

D:\> setup.exe /mode:uninstall

The mode parameter allows you to specify the installation method. In our case, we specify we want to perform an uninstall. You can read about the various parameters in the following article.

The Exchange uninstall will then pick up where it left off. In my case, the Exchange installation failed during the removal of the Transport Services. The Mailbox and Client Access roles had already been successfully removed, so that is where it picked back up.

Microsoft Exchange Server 2013 Cumulative Update 23 Unattended Setup
Mailbox role: Mailbox service
Mailbox role: Unified Messaging service
Mailbox role: Client Access service
Mailbox role: Transport service
Client Access role: Front End Transport service
Client Access role: Client Access Front End service
Languages

Performing Microsoft Exchange Server Prerequisite Check

   Configuring Prerequisites                            COMPLETED
   Prerequisite Analysis                                COMPLETED

Configuration Microsoft Exchange Serve

   Preparing Setup                                      COMPLETED
   Mailbox role: Transport Services                     COMPLETED
   Client Access role: Front End Transport service      COMPLETED
   Client Access role: Client Access Front End service  COMPLETED
   Languages                                            COMPLETED
   Stopping Services                                    COMPLETED
   Removing Exchange Files                              COMPLETED
   Restoring Services                                   COMPLETED
   Finalizing Setup                                     COMPLETED

The Exchange Server setup operation completed successfully.

With the uninstall of Exchange complete you can now continue with the remainder of your decommission process.

Twitter

Have you seen this issue before? What did you do to fix it? Drop a comment below or join the conversation on Twitter @SuperTekBoy

Cannot connect to the Remote Procedure Call service – Microsoft Exchange

By Leave a Comment

19 Shares
Share
Tweet
Share
Reddit
Print

When accessing the certificates from a remote Exchange Server via the Exchange Admin Center you may receive the following error.

Cannot connect to the remote procedure call service on the server B
Cannot connect to the remote procedure call service on the server named <server name>. Verify that a valid computer name was used and the Microsoft Exchange Service Host service is started.

What makes this error difficult to troubleshoot are the other areas of remote management (such as managing the virtual directories of another server) work as expected.

This error also occurs in the Exchange Management Shell when running the Get-ExchangeCertificate command.

 C:\> Get-ExchangeCertificate -Server EX16-02

Cannot connect to the remote procedure call service on the server named EX16-02. Verify that a valid computer name was used and the Microsoft Exchange Service Host service is started.
[Read more…] about Cannot connect to the Remote Procedure Call service – Microsoft Exchange