Category: Exchange 2013

Exchange 2013

IIS Crypto the best tool to configure SSL/TLS cipher suites

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.

Features

– Single click to secure your website using best practices
– Create custom templates that can be saved and run on multiple servers
– Stop DROWN, logjam, FREAK, POODLE and BEAST attacks
– Disable weak protocols and ciphers such as SSL 2.0, 3.0 and MD5
– Enable TLS 1.1 and 1.2
– Enable forward secrecy
– Reorder cipher suites
– Built in Best Practices, PCI, PCI 3.1 and FIPS 140-2 templates
– Site scanner to test your configuration
– Command line version

Screenshot1

MS16-108: Security update for Exchange Server 2007/2010/2013/2016

Summary

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow remote code execution in some Oracle Outside In Libraries that are built into Exchange Server. This issue might occur if an attacker sends an email message with a specially crafted attachment to a vulnerable Exchange Server computer. To learn more about this vulnerability, see Microsoft Security Bulletin MS16-108.

More information about this security update

The following articles contain more information about this security update as it relates to individual product versions.

  • 3184736 MS16-108: Description of the security update for Exchange Server 2016 and Exchange Server 2013: September 13, 2016
  • 3184728 MS16-108: Update Rollup 15 for Exchange Server 2010 Service Pack 3: September 13, 2016
  • 3184711 MS16-108: Update Rollup 21 for Exchange Server 2007 Service Pack 3: September 13, 2016

SSL3.0 Enabled after install Exchange 2013 Cumulative update

After installing a cumalitive update on Exchange 2013 SSL3.0 is weer enabled.

With the following script you can disable SSL3.0

DisableSSL3.0.ps1:
$keyPathRoot = “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols”;
$keyPath = $keyPathRoot + “\SSL 3.0\Server”;
if (!(Test-Path $keyPath))
{
New-Item -path $keyPathRoot”\SSL 3.0″ -ItemType key -Name “Server” -Force;
}
Set-ItemProperty -path $keyPath -name “Enabled” -value 0x0 -Type DWORD -Force;

Thnx Andy David for the tip Smile

Configure your Exchange 2013 server with Configure-Echange2013.ps1 Updated to V3.2

Updated to V3.2

Change List:

# V1.0 Begin
# V1.1 Added Some New Options 12-10-2014
# V1.2 Added Hyper-V Best Practise & NTFS Partition Offset
# V1.3 Added KB2995145 .NET Framework 4.5 garbage collector heap Fix
# V1.4 Added Set Minimum Disk Space Warning level (180GB Default CU6 200GB CU5)
# V1.5 Added Some new features
# V1.6 Changed the Layout & Add Move Arbitration Mailbox
# V1.7 Added PST Export & KB2990117
# V1.8 Added Full backup, Database in GB and Mailbox Size in GB Export CSV
# V1.9 Added Outlook AnyWhere & SafetyNetHoldTime
# V2.0 Added Check DatacenterActivationMode, Get-DatabaseAvailabilityGroupNetwork, Add Static Route, Disable Replation Network on DAG, Database Copies Per Volume (AutoReseed)
# V2.1 Added Edge Subscription
# V2.2 Added Check Transaction Log Growth
# V2.3 Changed the Menu to Submenu’s
# V2.4 Added Check Database White Space
# V2.5 Added MAPI HTTP External URL
# V2.6 Fixed OWA Virtual URL & HTTP URL
# V2.7 Added Fixes & Mountpoints & Changed Set Minimum Disk Space Warning Level from REG to GlobalOverride
# V2.8 Maintaince Added
# V2.9 Set Power to Highperformance
# V3.0 Check of Microsoft.Exchange.Management.PowerShell.SnapIn is loaded
# V3.1 Added Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.domain.com & Set-OutlookProvider -Identity EXCH -CertPrincipalName msstd:*.domain.com
# V3.2 VMware Best Practises & Fixed soms things

Download: https://gallery.technet.microsoft.com/scriptcenter/Configure-Exchange-2013-e0ffb2a6

Exchange Updates installing slow on Windows Server 2012 R2

For customers who are running Exchange on Windows Server 2012 R2, we want to make certain you are aware of a condition which can substantially increase the amount of time it takes to install Exchange Updates on this OS. Working with the .Net team, we have discovered that systems which have applied Windows Update KB3097966 can take 50% more time to install Exchange. The .Net team is working on a resolution to this and will include a fix in a future product update. In the meantime, customers who have deployed this Windows update can take a one-time action on their server before installing Exchange or a Cumulative Update to bring installation time back to normal. This procedure needs to be done once on every Exchange server running Windows Server 2012 R2. The command to execute is:

“%windir%\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update”

Errors and warnings encountered running this command can be safely ignored provided the final exit status code of 0 is reported in the output.

Cumulative Update 12 for Exchange Server 2013

Exchange team released CU12 for Exchange 2013

Issues that this cumulative update fixes:

KB 3143710 “Failed Search or Export” error occurs when an eDiscovery search in the Exchange Admin Center finishes

Important notice about certificate expiration for Exchange 2013 Hybrid customers

If you’re running Exchange 2013 and you’ve configured a hybrid deployment with Office 365, this post contains important information that might impact you. Please evaluate this information and take any necessary action before April 15, 2016.

On April 15 2016, the Office 365 TLS certificate will be renewed. This certificate is used by Office 365 to provide TLS encryption between Office 365 and external SMTP servers. The new certificate, which will help improve the security of mail sent to and from Office 365, will be issued by a new Certificate Authority and it will have a new Issuer and Subject.

This change has the potential to stop hybrid mailflow between Office 365 and your on-premises Exchange servers if one of the following conditions applies to you:

  • Your on-premises Exchange servers are running Exchange 2013 Cumulative Update 8 (CU8) or lower.
  • You’ve upgraded the Exchange 2013 servers that handle hybrid mailflow to Exchange 2013 CU9 or higher. However, since upgrading to CU9, you HAVE NOTre-run the Hybrid Configuration wizard (either from the Exchange Admin Center or via the direct download link).

If one of the previous conditions applies to your organization, hybrid mailflow between Office 365 and your organization will stop working after April 15, 2016unless you complete the steps below.

Note: This only affects hybrid mailflow. Regular mailflow and TLS encryption is NOT affected.

How to keep hybrid mail flowing (MUST be completed before 4/15/2016)
Let the new Hybrid Configuration wizard do it for you

You can use the latest Hybrid Configuration wizard (HCW) to configure your Exchange 2013 servers to work with the new TLS certificate. Just follow these steps:

  1. If the Exchange 2013 servers handling hybrid mailflow are running Exchange 2013 CU8 or lower, follow the instructions in Updates for Exchange 2013 to install the latest cumulative update on at least one server.
  2. After you install the latest cumulative update, download the new HCW application and run the wizard following the instructions here .

Note: For information on which releases of Exchange are supported with Office 365, see Hybrid deployment prerequisites.

Manual update

If you can’t upgrade Exchange 2013 to latest cumulative update right now (although we would like to remind you of our support policy), you can manually configure your servers to work with the new TLS certificate. On each Exchange 2013 server that’s used for hybrid mailflow, open the Exchange Management Shell, and run the following commands:

$rc=Get-ReceiveConnector |where {$_.TlsDomainCapabilities -like “*<I>*”}

Set-ReceiveConnector -Identity $rc.Identity -TlsDomainCapabilities “mail.protection.outlook.com:AcceptCloudServicesMail

http://blogs.technet.com/b/exchange/archive/2016/02/19/important-notice-about-certificate-expiration-for-exchange-2013-hybrid-customers.aspx

Microsoft Exchange Server User Monitor For Exchange 2013 and 2016

        Use the Microsoft Exchange Server User Monitor to gather real-time data to better understand current client usage patterns, and to plan for future work.
        Administrators can view details on server resource utilization as reported through server-side tracing. This tool works with Microsoft Exchange Server 2013 and 2016.
        The tool is provided as-is. At this time, there are no updates or patches planned for future release. No formal support is provided for the tool. Some minimal support may be provided by Microsoft but not all reported issues will be able to be addressed or resolved.

        Exchange Server User Monitor

      On .NET Framework 4.6.1 and Exchange Skype4B Lync compatibility

      We wanted to post a quick note to call out that since yesterday, the .NET Framework 4.6.1 has been made a recommended update on WU (Windows Update).

      As we have already stated in the Exchange Supportability Matrix, at this time, this version of .NET framework is not supported by Exchange. In fact, we know of some issues if it is installed.

      We are working with the .NET team to ensure that Exchange customers have a smooth transition to .NET Framework 4.6.1, but in the meantime, delay this particular .NET update on your Exchange servers (information on how this can be accomplished can be found in the KB article 3133990, How to temporarily block the installation of the .NET Framework 4.6.1).

      http://blogs.technet.com/b/exchange/archive/2016/02/10/on-net-framework-4-6-1-and-exchange-compatibility.aspx.

      As a result of this recommendation from the Exchange team, the Skype for Business team is recommending the same course of action for Lync/Skype for Business servers.

      Please follow the guidance located here to block the installation: 3133990, How to temporarily block the installation of the .NET Framework 4.6.1).

      Exchange Analyzer is a great tool for every Exchange Admin

      Exchange Analyzer is a PowerShell tool that scans an Exchange Server 2013 or 2016 organization and reports on compliance with best practices.

      Exchange Analyzer is a community project, and is currently a beta release seeking feedback and results from real world environments.

      To read the latest information about Exchange Analyzer click here to visit the project’s ReadMe on Github. More information can also be found in the Exchange Analyzer Wiki.

      Installation Instructions

      1. Download the latest Zip file

      2. Extract or copy the following files and folders to a computer that has the Exchange 2013 or 2016 management shell installed. For example, place all of the files and folders in a C:\Scripts\ExchangeAnalyzer folder.

        • Run-ExchangeAnalyzer.ps1
        • \Data
        • \Modules
        • \Tests

        3. Copy the folders in the \Modules folder to C:\Windows\System32\WindowsPowerShell\v1.0\Modules\

        4. Open a new Exchange Management Shell

        Important Note: if you are updating your copy of Exchange Analyzer please make sure you copy the updated module in step 3.

        Running Exchange Analyzer

        To run the Exchange Analyzer open an Exchange management shell, navigate to the folder with the script files (e.g. C:\Scripts\ExchangeAnalyzer) and run:

        Interpreting Results

        Exchange Analyzer produces a HTML report with a simple “Passed/Failed” indicator and a list of passed and/or failed objects. Links to more info are provided to assist you with further interpretation of the report.

        Feedback and Questions

        Before submitting feedback or questions please review the Exchange Analyzer FAQ.

        You can help with bug fixes by submitting issues on Github. If you would like to contribute fixes or other code please review theExchange Analyzer Wiki.

        You can also send email to feedback@exchangeanalyzer.com.

        Change Log

        14/01/2016 – v0.1.0-Beta.1

        • First public beta release

        28/01/2016 – v0.1.1-Beta.2

        • Second beta release. Details of changes are here.

        image

        Translate »