SuperTekBoy

Practical Help for Exchange & Office 365

Exchange News

Office 365 for IT Pros (2024 Edition) released

By Leave a Comment

Share
Tweet
Share
Reddit
Print
Office 365 for IT Pros 2024 Edition

I am happy to announce the release of the 2024 edition of Office 365 for IT Pros. This is the 10th edition of the book, and I am humbled to have been a part of it since the 8th edition. It is an honor to continue the legacy of what Tony Redmond, Paul Cunningham, and Michael Van Horenbeeck started 10 years ago.

This book is a must for anyone working in the Office 365 space, and I am not just saying that because I am an author. Prior to being an author, I was a reader, starting with the very first edition, published back in 2015, up to the seventh edition.

The reason I state this book is a must is because, as an IT professional, I find it increasingly difficult to wrap my arms around all the additions and changes occurring in Office 365. This book (originally consuming as a reader and now an author) helps me keep up a handle on everything going on in Office 365. I think it will help you too.

[Read more…] about Office 365 for IT Pros (2024 Edition) released

RunAs Radio #880 – Dealing with Vulnerable Exchange Servers

By Leave a Comment

Share
Tweet
Share
Reddit
Print

On April 4th, I had the great pleasure of being a guest on RunAs Radio. I joined host Richard Campbell to discuss vulnerable Exchange Servers; including:

Runas Radio #880 - Dealing with Vulnerable Exchange Servers with Gareth Gudger
[Read more…] about RunAs Radio #880 – Dealing with Vulnerable Exchange Servers

8 MEC sessions every Exchange admin should see (2022 Edition)

By Leave a Comment

Share
Tweet
Share
Reddit
Print

Microsoft Exchange Conference (or MEC for short) was an in-person event last held in 2014 in Austin, Texas. In 2015, Microsoft rolled MEC, as well as a number of other conferences, such as TechEd, into the mega-conference that is Microsoft Ignite.

This year Microsoft brought MEC back as a free 2-day virtual event. This virtual MEC was by no means a shadow of its former self. With 59 sessions dedicated to Microsoft Exchange and its adjacent technologies, this digital experience was substantial. Microsoft reports around 4,000 people attended MEC this year. Hopefully, with Microsoft switching Ignite this year to a hybrid experience, the next MEC will be in-person. (Fingers crossed)

At 59 sessions, here are the top 8 sessions I think every Exchange admin should watch.

Tip: I have included extensive notes for each session and the time each topic starts. You can expand the session notes under each video by clicking “Show more session notes.”

MEC 2022 - Getting Ready for Basic Auth Deprecation in Exchange Online(watch video)

Getting Ready for Basic Auth Deprecation in Exchange Online
In this session, Greg Taylor discusses the roadmap for basic authentication, all the great work done so far, and how organizations can opt to keep basic auth until December. Topics include:

  • Organizations leveraging basic auth are more suspectible to compromise (1:10 mins)
  • 99%+ of password spray attacks use legacy auth
  • 97%+ of credential stuffing use legacy auth
  • 60% of users re-use passwords
  • 921 password attacks every second (almost double last year
  • 50 million password attacks launched every day (Q4 2021)
  • Beginning October 1st, basic auth will be disabled for: (2:54 mins)
    • POP
    • IMAP
    • EWS
    • MAPI
    • RPC
    • OAB
    • ActiveSync
    • Exchange Online Remote PowerShell
  • Basic authentication will remain enabled for: (3:40 mins)
    • Autodiscover
    • SMTP AUTH
  • Organizations can opt-out or request an extension for basic auth through December 31st, 2022. (4:10 mins)
  • Why Microsoft is disabling basic auth (5:53 mins)
  • How Microsoft analyzes basic auth usage (8:43 mins)
  • What the usage data revealed (11:55 mins)
    • 70 million people using basic auth across 4 million tenants
    • 10 million MAPI users made 60 million basic auth request per day
    • 1.5 million POP users made 80 million basic auth request per day
    • ActiveSync, Outlook and EWS primary drivers of basic auth
    • 1/3rd basic auth comes from tenants with more than 10k users (1% of tenants)
    • 1/3rd basic auth comes from tenants with less than 100 users (90% of tenants)
  • Suspicious usage impacting metrics (21:45 mins)
    • Set-CASMailbox blocks a user after they have authenticated successfully
    • Auth policies block basic auth prior to the user authentication attempt
  • Deprecating basic auth timeline (30:10 mins)
  • Tactics to eliminate basic auth (37:20 mins)
    • Message Center versus Service Health Dashboard (incl. tenant usage statistics)
    • 0.05% of tenants re-enabled basic auth with self help diagnostics
    • Disabling basic auth for 48 hours in some tenants (1-3% of tenants re-enabled)
    • Enabling OAuth2 in tenants
  • Apple partnership to switch iOS devices using ActiveSync to OAuth2 automatically (40:52 mins)
    • Requires iOS 15.6+
    • 1 million iOS devices migrated to OAuth
    • Show more session notes
    Show less session notes
    MEC 2022 - Microsoft Exchange Tips and Trick(watch video)

    Microsoft Exchange Tips and Tricks
    In this session, Scott Schnoll shares his top Exchange tips and tricks. Topics include:

    • Exchange Server codebase (2:43 mins)
      • Exchange Server major releases and cumulative updates were historically forks of the Exchange Online code. This could introduce code not applicable to Exchange on-prem or introduce bugs.
      • Exchange Online and Exchange Server now have separate codebases
      • Exchange Online features are ported and fully validated in Exchange Server when desired
      • Separate codebase means less changes for on-prem customers and less chance of update regression
      • Exchange Server team retroactively cleaning up code that only applies to Exchange Online
    • Current Exchange landscape (6:10 mins)
      • Most customers still on Exchange 2013 or 2016
      • Over a 2-week period 500,000 Exchange Servers submitted analytics to Microsoft.
      • 100,000 running Exchange 2019
      • 50,000 running Exchange 2010
      • Few thousand running Exchange 2007
    • Customers struggle to stay on latest cumulative update
    • 25% on latest CU
    • 44% on N-1 CU
    • 7% on N-2 CU
    • 24% on unsupported CUs
  • Customers struggle to stay on latest security update
    • 13% of Ex13 CU23 on the latest SU
    • 33% of Ex16 CU22 on the latest SU
    • 50% of Ex16 CU23 on the latest SU
    • 65% of Ex19 CU11 on the latest SU
    • 50% of Ex19 CU12 on the latest SU
  • Changes to cumulative updates (CU) (9:43 mins)
    • Changed release cadence of CUs from quarterly to semi-annual
    • Release dates targeted for April and September but ultimately driven by quality
  • Changes to security updates (SU) (11:05 mins)
    • Available as both a MSP and self-extracting EXE package
    • Self-extracting EXE package automatically elevates with administrative rights.
    • EXE added to address issue where MSP file was not run with elevated permissions which resulted in installations issues.
  • Exchange Support (12:27 mins)
    • The Extended Security Update Program will only be available to Exchange 2016 and 2019
    • Exchange 2013 customers should migrate to Exchange 2019 before end of support (April 11th, 2023)
    • Exchange vNext will leverage the Modern Lifecycle Policy which moves away from major product releases by keeping Exchange Server on a continuous update cadence (same as M365 Apps).
  • Updating Exchange Servers (15:05 mins)
  • Exchange 2019 preferred architecture (20:25 mins)
    • Each preferred architecture is specific to a version of Exchange
    • Up to 48 physical processor cores
    • Up to 256 GB RAM
    • Battery backed write cache
    • Leverage the MetaCache DB with SSDs
    • Scale-out versus scale-up
    • Use physical rather than virtual servers
  • Updates to the Exchange 2019 Sizing Calc (24:50 mins)
  • What “Check for updates” in the setup wizard does (26:17 mins)
  • Updated Exchange Management Pack for SCOM (28:00 mins)
  • Exchange Server Bug Bounty Program (29:25 mins)
    • Up to $26k awarded per bounty
    • $127k awarded in bounties
  • Windows Server 2022 support for Exchange 2019 (30:37 mins)
    • TLS 1.3 support for Exchange in H2 2023
    • Supported Exchange versions can leverage Windows Server 2022 DCs
  • Changes to antivirus exclusions on Exchange (33:30 mins)
  • Modern auth will be native to Exchange 2019 (35:15 mins)
  • Custom configs (e.g., changes to web.config) will be preserved during updates (38:00 mins)
  • Changes to the Hybrid Configuration Wizard (37:05 mins)
    • HCW will allow admins to pick which steps to perform or skip
    • HCW will support a what-if function so admins can see what the HCW will change
    • Scheduled for H1 2023
  • Exchange Online (41:10 mins)
    • 300k server
    • 175 datacenters
    • 210 network POPs
    • 1.4 EB of data
    • 42 trillion items
    • 7.3 billion mailboxes
    • Daily Stats
    • 9.2 billion messages
    • 2.4 billion spam blocked
    • 1.9 trillion items read/opened
  • Exchange Online Recent Updates (42:35 mins)
    • MRM Retention Tags, MRM Retention Policies, and Journal rules moved to Microsoft Purview
    • Changes to Tenant Allow/Block Lists (TABL)
    • Custom email notifications and policy tips added to DLP policies
    • 42 new sensitivity labels added to protect credentials
  • Exchange Online Coming Soon (46:50 mins)
    • Exchange Online PowerShell v3 module will be GA on September 20th, 2022.
    • Ability to block sender, URL, or attachment while submitting to Microsoft for analysis
    • Configure label to apply S/MIME automatically (expected October 2022)
  • Dashboard for on-prem Exchange Servers in a hybrid environment (51:08 mins)
    • Identifies Exchange Servers that are behind on CUs, SUs, or are out of support
    • Currently in private preview.
  • Exchange Online Retirements (52:40 mins)
    • Exchange Online PowerShell Module v1 retires on Dec 31st, 2022
    • Classic Exchange Admin Center going away on Jan 2023
    • Replace action going away on Anti-Malware policies. Any existing policies will be converted to Block action instead. This work is currently in progress.
    • Redirect messages in the Anti-Malware policy will only be available for the Monitor action.
    • Basic authentication going away
    Show more session notes
    Show less session notes
    (watch video)

    Deep Dive on Hybrid Mail Flow
    In this session, Hien Nguyen takes a deep dive into hybrid mail flow tackling topics such as message attribution, configurations that could impact hybrid mail flow from being stamped as internal, and advanced routing topics such as other tenants being able to bypass your MX records. Topics include:

    • The Challenge (2:28)
      • Making two separate Exchange environments (Exchange Online and On-prem) appear as one.
      • We want this, so it is seamless for the user and provides minimal (if any) impact on the business.
      • We implement this with the Hybrid Configuration Wizard
    • The Solution (3:11)
      • MRS moves mailboxes maintaining the existing Outlook profiles and OSTs
      • Organization relationships to allow for free/busy, OWA redirection, and Mail Tips
      • Trusted mail flow between Exchange Online and on-prem
    • Concepts (3:45)
      • The difference between internal mail is that it is authenticated (external is anonymous)
      • Mail can be authenticated when sent via Outlook, SMTP Auth, or a secure connector.
      • Physical location does not matter when it comes to authenticating mail
    • Internal vs. External (4:50)
      • On-prem Recipient <> EXO recipient should always be marked as internal
      • If not, the messages can be externally tagged, subject to spam and phishing policies, messaging to distribution lists can fail, incorrect OOF, and problems booking resources
      • We can track if a message is considered internal (authenticated) or external (anonymous) via message headers using the X-MS-Exchange-Organization-AuthAs attribute
    • SCENARIO: On-prem to Office 365 (6:40)
      • For mail to be processed as INTERNAL
        • Tenant.mail.onmicrosoft.com must be an accepted domain on-prem
        • Send Connector in Exchange On-Prem must be set to CloudServicesMailEnabled = $true
        • Inbound connector in Exchange Online must be set to CloudServiceMailEnabled = $true
          • In the GUI, the checkbox is “Retain internal Exchange email headers (recommended).”
        • Exchange On-Prem copies the X-MS-Exchange-Organization headers to new X-MS-Exchange-CrossPremises headers.
        • Exchange Online copies the X-MS-Exchange-CrossPremises headers back to X-MS-Exchange-Organization headers.
    • DEMO: On-prem to Office 365 (9:42)
      • Configure pipeline tracing for a sender – Get-TransportService | Set-TransportService -PipelineTracingEnabled $true -PipelineTracingPath C:\Trace -PipelineTracingAddress <sender address>
      • This will export these messages as EML files that you can open (be careful with sensitive data)
      • Email sent as Amy (On-Prem) to Hien (EXO) is delivered as INTERNAL
      • Pipeline trace export at C:\Trace, which shows the headers being copied between X-MS-Exchange-Organization and MS-Exchange-CrossPremises
    • DEMO: On-prem to Office 365 (16:00)
      • Changing the CloudServicesMailEnabled = $false on the on-prem send connector
      • Switches X-MS-Exchange-Organization-AuthAs to ANONYMOUS
    • DEMO: On-prem to Office 365 (19:15)
      • Changing the CloudServiceMailEnabled = $false on the Exchange Online inbound connector
      • Switches X-MS-Exchange-Organization-AuthAs to ANONYMOUS
    • Message Attribution (24:00)
      • EXO is a shared service, and mailboxes from different companies can sit on any database, server, and infrastructure
      • Message attribution is how Exchange Online determines which tenant the message belongs to
      • If the certificate subject name, sending IP, or sender domain matches an accepted domain
        • The email is attributed to the tenant with the accepted domain
        • X-MS-Exchange-Organization-MessageDirectionality = ORIGINATING
      • If origination fails (no matching certificate, sending IP, sender domain) and recipient domain matches an accepted domain
        • The email is attributed to the tenant with the accepted domain
        • X-MS-Exchange-Organization-MessageDirectionality = INCOMING
      • If message attribution fails, it sends a non-delivery report to the sender.
    • SCENARIO: Office 365 to on-prem (30:52)
      • For mail to be processed as INTERNAL
        • An accepted domain must exist in Exchange Online
        • Outbound connector in Exchange Online must be set to CloudServiceMailEnabled = $true
          • In the GUI, the checkbox is “Retain internal Exchange email headers (recommended).”
        • Receive connector for Exchange On-Prem must have TLSDomainCapabilities:{mail.protection.outlook.com:AcceptedCloudServicesMail}
        • Exchange Online copies the X-MS-Exchange-Organization headers to new X-MS-Exchange-CrossPremises headers
        • Exchange On-Prem will offer SMTP command XOORG to Exchange Online
        • Exchange Online sets MAILFROM domain in XOORG command to one of Exchange On-Prem’s accepted domains
        • Exchange On-Prem copies the X-MS-Exchange-CrossPremises headers back to X-MS-Exchange-Organization headers
    • DEMO: Office 365 to On-Prem (33:45)
      • Configure pipeline tracing for a sender – Get-TransportService | Set-TransportService -PipelineTracingEnabled $true -PipelineTracingPath C:\Trace -PipelineTracingAddress <sender address>
      • This will export these messages as EML files that you can open (be careful with sensitive data)
      • Email sent as Hien (EXO) to Amy (On-Prem) is delivered as INTERNAL
      • Pipeline trace export at C:\Trace, which shows the headers being copied between X-MS-Exchange-Organization and X-MS-Exchange-CrossPremises
    • DEMO: Office 365 to On-Prem (36:55)
      • Nulling out the TLSDomainCapabilities on the on-prem receive connector
      • Switches X-MS-Exchange-Organization-AuthAs headers are missing (not copied from X-MS-Exchange-CrossPremises)
    • DEMO: Office 365 to On-Prem (39:36)
      • Changing the CloudServiceMailEnabled = $false on the Exchange Online outbound connector
      • Switches X-MS-Exchange-Organization-AuthAs to ANONYMOUS
    • Securing the gaps (44:20)
      • When MX is pointed on-prem
      • When MX is pointed to EXO
        • SCENARIO 3: Other tenants can send mail directly to your hybrid smart host (e.g., hybrid.domain.com)
      • If another tenant sends directly to your hybrid smart host (on-prem), the mail is considered EXTERNAL because the X-MS-Exchange-CrossPremises (XOORG) will be missing.
    • SCENARIO 1: Prevent EXO Direct Delivery when MX is pointed on-prem (48:50)
      • Create a new inbound partner connector
      • Specify all sender domains (*)
      • RequireTLS = $true
      • RestrictDomainsToCertificate = $true
      • TlsSenderCertificateName = Can be whatever you want it to be (e.g., blocknonmx.domain.com)
      • New-InboundConnector -Name “Block Non MX Record Delivery” -ConnectType Partner -SenderDomains * RequireTls:$true -RestrictDomainsToCertificate:$true -TlsSenderCertificateName blocknonmx.domain.com
    • SCENARIO 2: Prevent On-Prem Direct Delivery when MX is pointed to EXO (49:20)
      • Create a transport rule
      • Sender is located Outside the organization
      • Reject the message with explanation “You are not allowed to send directly. Use MX.”
      • Except if message header includes “X-OriginatorOrg” with “<domain>.mail.onmicrosoft.com” or “<domain>.onmicrosoft.com” or “<domains.com>”
    • SCENARIO 3: Prevent On-Prem Direct Delivery when MX is pointed on-prem (50:39)
      • Create a transport rule
      • Sender is located Outside the organization
      • Reject the message with explanation “You are not allowed to send directly. Use MX.”
      • Except if message includes:
        • Header “X-OriginatorOrg” with “<domain>.mail.onmicrosoft.com” or “<domain>.onmicrosoft.com” or “<domains.com>”
        • Sender IP address is “<1.1.1.1>”
        • Header “Received” matches “<1.1.1.1>”
  • Q&A (55:05)
    • Show more session notes
    Show less session notes
    [Read more…] about 8 MEC sessions every Exchange admin should see (2022 Edition)

    Exchange H1 2022 Cumulative Updates and eliminating the last on-prem Exchange Server (maybe)

    By 8 Comments

    Share
    Tweet
    Share
    Reddit
    Print
    Exchange 2019 CU12 Setup Screen

    Last month Microsoft released cumulative updates for Exchange 2016 and Exchange 2019. Once you get the H1 2022 cumulative updates, be sure to grab the security updates released in May.

    While Exchange 2013 did not have a cumulative update, it did receive a security update, which can be applied to Exchange 2013 Cumulative Update 23.

    The security updates (SUs) are now available as self-extracting executables, which means they will automatically elevate with administrative rights. However, the MSP delivery method requires admins to manually instruct the update to run with administrative rights. If admins missed this step, the security update could apply incorrectly, causing an outage in Exchange. The MSP delivery method is still available via the Microsoft update catalog, should admins prefer it. However, the EXE delivery method is better for admins wanting to install the security update manually. Note that this does not change the delivery method for cumulative updates–that remains the same.

    If you need guidance on migrating from a specific CU to the latest, check out Microsoft’s Exchange Update Wizard for step-by-step instructions.

    The updates are as follows:

    Exchange Logo Mini

    Exchange 2019 Cumulative Update 12 | KB5011156 | May 2022 Security Update

    Exchange 2013 Cumulative Update 9

    Exchange 2016 Cumulative Update 23 | KB5011155 | May 2022 Security Update

    Exchange 2013 Cumulative Update 9

    Exchange 2013 May 2022 Security Update | KB5014260

    Eliminating the last on-prem Exchange server (maybe)

    Most organizations that leverage Exchange Online (and other Office 365 workloads) will synchronize their identities from on-premises to the cloud. This way, organizations can have a single set of credentials (username and password) for both on-prem and cloud workloads. This makes it significantly easier for users to consume resources regardless of where they are housed.

    For Exchange Online, this model requires recipient management to be performed against the on-premises directory and then synchronized to the cloud. The challenge was that this previously required an Exchange server to be available on-premises to perform these actions.

    With Exchange 2019 CU12, Microsoft made a number of advancements to the Exchange 2019 management tools. The Exchange 2019 management tools can now be used for recipient management without an on-premises Exchange server. If you were only keeping an Exchange server around for recipient management, you can now shut it down.

    There are, however, some limitations.

    The first is that the Management Tools are PowerShell only. Once you eliminate the last Exchange server, you will no longer have a GUI. This means your administrators and helpdesk must be comfortable with PowerShell. However, third-party products do exist to provide a GUI (such as this one from Steve Goodman).

    The second is the loss of RBAC (“Role-Based Access Controls“) on-premises. As a result, only domain admins or members of the “Recipient Management EMT” security group will be able to manage Exchange Online recipient attributes.

    Note: The Add-PermissionForEMT.ps1 script creates the Recipient Management EMT security group.

    The third is that auditing and logging recipient management tasks are no longer captured. So, if you need to track who made a change to a mailbox, such as changing an email address, this will not be a fit for your organization.

    The fourth is that Microsoft is still testing this in complex scenarios, such as multi-forest, multi-domain, and multi-tenant. Therefore, it might be best to hold off on shutting down Exchange for complex environments until Microsoft provides more support messaging for these scenarios.

    Lastly, is if you use Exchange on-prem for mail relay. The benefit of using Exchange on-prem is it allows firewall administrators to lock down outbound SMTP to a known set of internal IPs. In addition, device and application owners do not need to worry about the relay requirements of Office 365. They can simply use an on-premises Exchange server for mail relay. Exchange Server then leverages a forced TLS connection to Office 365.

    To eliminate the last Exchange server, you must use the Exchange 2019 CU12 management tools from a domain-joined workstation.

    • For those using Exchange 2019 for recipient management, you will need to run /PrepareAllDomains from the Exchange 2019 CU12 ISO and install the Exchange 2019 CU12 management tools on a domain-joined workstation. If upgrading from CU9 or earlier, you will need to do a schema upgrade.
    • For those maintaining older management servers, such as Exchange 2013 or 2016, you must upgrade your schema to Exchange 2019 CU12. You do not, however, need to deploy an Exchange 2019 server. Once your schema is upgraded, you can install the Exchange 2019 CU12 management tools on a domain-joined workstation.
    • For those in a greenfield environment, you simply need to extend your schema to Exchange 2019 CU12 and then deploy the Exchange 2019 CU12 management tools on a domain-joined workstation.

    Once you have the management tools installed and have confirmed they meet the needs of your organization, you can then determine whether you can eliminate your last on-prem Exchange server. For more information on that process, including the steps to make that happen, check the following article: Manage recipients in Exchange Server 2019 Hybrid environments

    [Read more…] about Exchange H1 2022 Cumulative Updates and eliminating the last on-prem Exchange Server (maybe)

    RunAs Radio #818 – Email Transport Security

    By Leave a Comment

    Share
    Tweet
    Share
    Reddit
    Print

    On February 15th, I had the great pleasure of being a guest on RunAs Radio. I joined host Richard Campbell to discuss email transport security; including:

    Gareth on Runas Radio #818 - Email Transport Security with Gareth Gudger

    Opinion change: Since recording, I think that even if the MTA-STS TXT record was victim to a man-in-the-middle attack it probably would not be much of an issue. If the bad actor changed the ID in the TXT it would simply tell the sender to pull a new policy from a website the recipient owns and controls. As mentioned in the podcast, I believe DANE is the more secure solution. Be sure to consult with your security team about which solution best suits the needs of your organization.

    [Read more…] about RunAs Radio #818 – Email Transport Security

    Exchange September Cumulative Updates and the new Emergency Mitigation Service

    By 2 Comments

    Share
    Tweet
    Share
    Reddit
    Print
    Exchange 2016 CU22 Emergency Mitigation Service

    Last month Microsoft released cumulative updates for Exchange 2016 and Exchange 2019. Once you get the September cumulative updates, be sure to grab the security updates released in October.

    While Exchange 2013 did not have a cumulative update, it did receive a security update, which can be applied to Exchange 2013 Cumulative Update 23.

    A security update was not released for Exchange 2010. The latest update for Exchange 2010 is still Rollup 32 (March 2nd, 2021). Keep in mind that Exchange 2010 was out of support as of October 13th, 2020.

    If you need guidance on migrating from a specific CU to the latest, check out Microsoft’s Exchange Update Wizard for step-by-step instructions.

    The updates are as follows:

    Exchange Logo Mini

    Exchange 2019 Cumulative Update 11 | KB5005334 | October Security Update

    Exchange 2013 Cumulative Update 9

    Exchange 2016 Cumulative Update 22 | KB5005333 | October Security Update

    Exchange 2013 Cumulative Update 9

    Exchange 2013 October Security Update | KB5007011

    The new Microsoft Exchange Emergency Mitigation Service

    As a response to the HAFNIUM exploits the Exchange team developed a new Exchange Emergency Mitigation service to be included with Exchange Server. Emergency Mitigation is a new Windows service that is deployed by the Exchange Server setup utility.

    Microsoft Exchange Emergency Mitigation Service

    It is effectively a built-in version of the previously released standalone Emergency Online Mitigation Tool (EOMT) that administrators could run on-demand. The standalone tool was a way for administrators to apply interim remediation until they could apply the needed patches.

    In much the same way the Emergency Mitigation Service checks the Office Config Service (OCS) for new mitigation XMLs every hour. It then applies the interim remediation specified in the XML file. The mitigation service can apply the following three actions.

    • Block malicious patterns in HTTP requests via the IIS URL rewrite service
    • Disable vulnerable Exchange services
    • Disable vulnerable App Pools in IIS

    Should you accidentally undo any mitigations, restart the Emergency Mitigation Service on the Exchange Server. Within 10 minutes the service will check OCS for the latest XML and reapply any mitigations.

    At the time of writing, only a test XML file exists at the Office Config Service for heartbeat purposes. That said, your Exchange Server now requires an outbound connection to https://officeclient.microsoft.com to access these mitigation XML files. To verify Exchange can reach the Office Config Service, you can leverage the Test-MitigationServiceConnectivity.ps1 script located in the Exchange scripts folder.

    Once you apply a cumulative or security update that addresses the vulnerability, you will need to manually undo any actions taken by the Emergency Mitigation Service.

    [Read more…] about Exchange September Cumulative Updates and the new Emergency Mitigation Service
    Toggle Dark Mode
    Toggle Font Size