Microsoft Exchange and Active Directory Blog
Some Active Directory features cannot be defined for organizational units but only for AD groups. One example of this is Fine Grained Password Policies. If you still want to apply such features to all users of an organizational unit, simply create a group with all users who are stored in the OU. This group is also called a shadow group. ... Read more
In order to continue to guarantee the security of Exchange Online, Microsoft is gradually starting to block old Exchange Server versions. The new system, which is now being introduced gradually, is called the "Transport-based Enforcement System" and has three functions: Reporting, throttling and blocking. In the first stage, administrators are informed that old Exchange Server versions are present in the company. Read more
The Outlook vulnerability CVE-2023-23397 is currently being actively exploited. This is particularly critical as exploitation is possible without user interaction. By exploiting the vulnerability, attackers can obtain NTLM hashes of the user and possibly use them for subsequent attacks. To exploit the vulnerability, it is sufficient to send a prepared e-mail or a calendar invitation to the user ... Read more
Microsoft has released new security updates for Exchange Server 2013, 2016 and 2019. This is likely to be the last security update for Exchange 2013, as support for Exchange 2013 ends on 11.04.2023. The March update for Exchange also fixes the problem with the crashing EWS Web Application Pool in IIS. Applications that use EWS should therefore ... Read more
Service accounts for starting Windows services or scheduled tasks are often configured with the "password never expires" attribute and then used for years. Often such service accounts are also alienated for a specific purpose and used on many servers for a wide variety of tasks. Service accounts with far-reaching authorizations and passwords that never expire then make it easier for ... Read more
Microsoft has updated the recommendations for exclusions for virus scanners on Exchange Server: Specifically, contrary to the original recommendation, these directories and processes should no longer be excluded from the virus scanner: Existing exclusions for virus scanners should therefore be adjusted. The script from Paul Cunningham, which creates a list of all exclusions, is suitable for new Exchange installations: Unfortunately, ... Read more
The "Windows Extended Protection" security feature was introduced with a security update in August 2022 for Exchange Server 2013, 2016 and 2019 and protects against man in the middle (MitM) attacks. In small organizations where there is only a single Exchange Server, without load balancers and web application firewalls, Windows Extended Protection can be activated quite easily. In ... Read more
Microsoft has released new security updates for Exchange 2013, 2016 and 2019. A total of 4 vulnerabilities classified as important have been fixed. Details on the closed vulnerabilities can be found here: As you can see, all 4 vulnerabilities are Remote Code Execution vulnerabilities, so the updates should be installed as soon as possible. Here it goes ... Read more
Anyone who has made several Exchange servers highly available via a load balancer uses NTLM for the authentication of Outlook users by default. With a few adjustments, however, Kerberos can also be used for authentication. Compared to NTLM, Kerberos reduces the number of logins compared to the Active Directory, which can lead to better speed. Kerberos is also ... Read more
During the migration from Exchange 2016 to Exchange 2019, I encountered the problem that Outlook constantly asks for username and password. A connection via Outlook to Exchange could no longer be established as soon as the DNS entry (or the load balancer) was switched to the new Exchange 2019 servers. However, OWA and ActiveSync worked without any problems. In ... Read more
