Critical vulnerability in HPE Integrated Lights-out 4 (iLO 4) 2.53 and previous versions

I wrote a script to do a simple ILO upgrade.

Download the latest firmware HERE

Download HPE Powershell module HERE

Find-HPiLO XXX.XXX.XXX.XXX-(Subnet Mask) | Where {$_.FWRI -lt 2.54 -AND $_.PN -like “*iLO 4*”} | Select -ExpandProperty HOSTNAME | Out-File c:\temp\ilo4.txt
$server = get-content c:\temp\ilo4.txt
$username = “Administrator”
$ilocreds = read-host “Please enter your password”
Update-HPiLOFirmware -Server $server -username $username -password $ilocreds  -Location X:\HP\ILO\ilo4_254.bin

Exchange 2010-2016 Security Fixes

Microsoft released security updates to fix a remote code execution vulnerability in
Exchange Server. The related knowledge base article is KB4018588.

More information is contained in the following Common Vulnerabilities and Exposures articles:

  • CVE-2017-8521 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2017-8559 – Microsoft Exchange Cross-Site Scripting Vulnerability
  • CVE-2017-8560 – Microsoft Exchange Cross-Site Scripting Vulnerability

Depending on the lifecycle status of the product, fixes are made available either through a Rollup or as a security fix for the following product levels:

As you might notice, the security fix is made available for the N-1 builds of Exchange 2013 and Exchange 2016. This could imply the issue was addressed in the latest builds of those products. I hope to receive official confirmation on this soon.

The issue is deemed Important, which means organizations are advised to apply these updates at the earliest opportunity. However, as with any update, it is recommended to thoroughly test updates and fixes prior to deploying them in a production environment.

Source

Exchange Server 2016 online training courses now available

Microsoft announced the release of four new edX online training courses for Microsoft Exchange Server 2016. If you plan to implement Exchange Server 2016 or Exchange Online, or if you want to make sure that your implementation was done right, the Exchange Server 2016 online training courses are for you.

Course offerings include:

Each Exchange course is targeted to the IT professional audience, with hands-on labs that reinforce student learning. Students are graded on completing each module, as well as on module assessment exams and a final course exam. A Certificate can be earned by completing each course with a passing grade. Courses are self-paced, allowing IT professionals to build Exchange skills at their own pace as their schedules permit.

The first course, CLD208.1x: Microsoft Exchange Server 2016 Infrastructure, is free. The remaining three courses are for-fee courses at $49 USD per course.

edX is a massive open online course (MOOC) provider that was developed by MIT and Harvard University. The Microsoft Learning Experiences team has created a wide range of online training courses for edX, and these four Exchange courses are the team’s latest Office releases. They are the first of seven courses that cover the core skills an Exchange administrator needs to proficiently design, implement and manage an Exchange 2016 and Exchange Online implementation.

Source

CPU usage is high when you use RPC over HTTP protocol in Windows 8.1 or Windows Server 2012 R2

Consider the following scenario that takes Microsoft Exchange Server 2013 as an example:

  • The Mailbox server role is enabled in Exchange Server 2013.
  • Exchange mailboxes use extended MAPI to communicate with the Exchange Server.
  • The extended MAPI uses Microsoft RPC over HTTP (remote procedure call over HTTP) protocol.
  • Many clients (such as mobile devices) are dropping connections to the Exchange Server.

In this scenario, the CPU usage on the Exchange server may reach 100 percent.\

Hotfix: https://support.microsoft.com/en-us/hotfix/kbhotfix?kbnum=3041832&kbln=en-US

Important update for Azure Active Directory Connect – Version 1.1.553.0

Microsoft released Azure Active Directory Connect version 1.1.553.0 on June 26, 2017. More importantly, they published an important security advisory one day later.

Microsoft Security Advisory 4033453 – Vulnerability in Azure AD Connect Could Allow Elevation of Privilege explains,

The [ADD Connect version 1.1.553.0] update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts. The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.

Microsoft highly recommends all customers update to version 1.1.553.0 or later to mitigate this vulnerability, even if you don’t use the optional password writeback feature. If you are unable to update immediately, the article above describes mitigation steps you can consider.

  • If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups.
  • If an on-premises AD administrator has previously created Control Access Rights on the adminSDHolder object for the AD DS account which permits Reset Password operation, consider removing it.
  • It may not always be possible to remove existing permissions granted to the AD DS account (for example, the AD DS account relies on the group membership for permissions required for other features such as Password synchronization or Exchange hybrid writeback). Consider creating a DENY ACE on the adminSDHolder object which disallows the AD DS account with Reset Password permission using Windows DSACLS tool.

Expta

EXCHANGE 2013 CU17 AND EXCHANGE 2016 CU6

On June 27, 2017 Microsoft has released its quarterly updates for Exchange 2013 and Exchange 2016. The current version is now at Exchange 2013 CU17 (15.0.1320.4) and Exchange 2016 CU6(15.1.1034.26) . But this time there are some interesting things I’d like to point out.

A couple of days before the release of Exchange 2016 CU6 (15.1.1034.26)
Microsoft blogged about Sent Items Behavior Control and Original Folder Item Recovery. With the Sent Items Behavior Control, a message that’s sent using the Send As or Send on behalf of permission is not only stored in the mailbox of the user that actually sent the message, but a copy is also stored in the delegator mailbox sent items. This was already possible for shared mailboxes, but now it’s also possible for regular mailboxes (like manager/assistant scenarios).

The Original Folder Item Recovery feature is I guess on of the most requested features. In the past (before Exchange 2010) when items were restored after they were deleted, they were restored to their original location. With the Dumpster 2.0 that was introduced with Exchange 2010 this was no longer possible, and items were restored to the deleted items folder. In this case the items had to be moved manually to their original location. With the introduction of the Original Folder Item Recovery the restore of deleted items again takes place in the original folder.

Unfortunately, both Sent Items Behavior Control and Original Folder Item Recovery are only available in Exchange 2016 CU6 (and NOT in Exchange 2013 CU17).

When it comes to security TLS 1.2 is a hot topic. Microsoft is aware of this and working hard towards an Exchange environment that only uses TLS 1.2 (so that TLS 1.1 and TLS 1.0 can be disabled). We are not yet at that stage. Exchange 2016 CU6 does have improved support for TLS 1.2, but Microsoft is not encouraging customers to move to a TLS 1.2 environment only.

.NET Framework and Exchange server continues to be a difficult scenario. This is understandable, Exchange is just a consumer of Windows and .NET so the Exchange Product Group does not have much influence on the .NET (and Windows) Product Group.

Exchange 2016 CU6 does NOT support.NET Framework 4.7 at this moment, and you should NOT install .NET Framework on a server running Exchange 2016. Not before and not after the installation of Exchange 2016 CU6. This is also true for Exchange Server 2013 CU17. More information regarding .NET Framework and Exchange server can be found here: https://blogs.technet.microsoft.com/exchange/2017/06/13/net-framework-4-7-and-exchange-server/.

The .NET Framework 4.6.2 is supported by Exchange 2016 CU3 and higher and Exchange 2013 CU15 and higher. For a complete overview of which scenarios are supported, navigate to the Exchange Server Supportability Matrix on https://technet.microsoft.com/en-us/library/ff728623(v=exchg.150).aspx.

KB articles that describe the fixes, features and information in each release are available as follows:

Version

Build

KB Article

Download

UMLP

Schema Changes

Exchange 2016 CU6

15.1.1034.26

KB4012108

Download

UMLP

Yes

Exchange 2013 CU17

15.0.1320.4

KB4012114

Download

UMLP

No

Source: jaapwesselius

New MVA learning paths for IT pros

Learn about the new paths for IT pros:

  • PowerShell: Beginner. Step up your IT pro game with foundational knowledge of PowerShell. Learn to use the command line to solve an issue, automate your infrastructure, and more.
  • PowerShell: Advanced. Go beyond the basics with scripting, reusable tools, and cmdlets—all taught by the architect and inventor of PowerShell, Jeffrey Snover.
  • Security for IT Pros. Beef up your security know-how with practical tips and tricks from the Microsoft security team.
  • DevOps for IT Pros. Your devs need you! Learn more about application performance and support monitoring with Microsoft Azure.
  • Introduction to Windows Server 2012 R2. Command this leading-edge server with tutorials on installation, roles, Microsoft Active Directory, storage, performance management, and maintenance.
  • Windows Server 2012 R2 Security and Identity. Build upon your security knowledge with Windows Server 2016 fundamentals, like Active Directory, basic PKI, and BYOD concepts.
  • Windows Server 2012 R2 Compute. Discover everything you need to know about virtualization and storage with courses on IP address management, server networking, Microsoft Hyper-V, and more.

CleanUp Old Active Sync Devices

Overview older than 30 Days:
Get-MobileDevice | Get-MobileDeviceStatistics | where {$_.LastSyncAttemptTime -lt (get-date).adddays(-30)} | out-gridview

Delete active sync devices older then 30 days

Get-MobileDevice | Get-MobileDeviceStatistics | where {$_.LastSyncAttemptTime -lt (get-date).adddays(-30)} |  Remove-MobileDevice -Confirm:$false

Some handy URL for SQL Maintenance

2 Handy SQL Scripts

ForceDatabaseOffline:
USE master
GO
ALTER DATABASE YourDatabaseName
SET OFFLINE WITH ROLLBACK IMMEDIATE
GO

ShowOpenConnections:
SELECT
    DB_NAME(dbid) as DBName,
    COUNT(dbid) as NumberOfConnections,
    loginame as LoginName
FROM
    sys.sysprocesses
WHERE
    dbid > 0
GROUP BY
    dbid, loginame
;

The Tool that is love is SP_Blitz
httpv://www.youtube.com/watch?v=5QAL9itupMA

Do need to do some SQL Maintenance, i have for you some handy URLs:
https://ola.hallengren.com/
https://www.brentozar.com/

Windows ADK 1703 and Windows 10 Creators Update 1703

Introduction

Microsoft have released both Windows 10 version 1703 and ADK 1703 last week, one is on MSDN the other on Microsoft’s download site.

Download the media

Two Know Issues:
OSD – App-V tools are missing in ADK 1703 when being installed on Windows Server 2016 (sometimes)

OS Deployment – Installing ADK 1703 on Windows Server 2016 could fail