MS16-108: Security update for Exchange Server 2007/2010/2013/2016

Summary

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow remote code execution in some Oracle Outside In Libraries that are built into Exchange Server. This issue might occur if an attacker sends an email message with a specially crafted attachment to a vulnerable Exchange Server computer. To learn more about this vulnerability, see Microsoft Security Bulletin MS16-108.

More information about this security update

The following articles contain more information about this security update as it relates to individual product versions.

  • 3184736 MS16-108: Description of the security update for Exchange Server 2016 and Exchange Server 2013: September 13, 2016
  • 3184728 MS16-108: Update Rollup 15 for Exchange Server 2010 Service Pack 3: September 13, 2016
  • 3184711 MS16-108: Update Rollup 21 for Exchange Server 2007 Service Pack 3: September 13, 2016

Cumulative Update 2 for Exchange Server 2016

.Net 4.6.1 Support

Support for .Net 4.6.1 is now available for Exchange Server 2016 and 2013 with these updates. We fully support customers upgrading servers running 4.5.2 to 4.6.1 without removing Exchange. We recommend that customers apply Exchange Server 2016 Cumulative Update 2 or Exchange Server 2013 Cumulative Update 13 before upgrading .Net FrameWork. Servers should be placed in maintenance mode during the upgrade as you would do when applying a Cumulative Update. Support for .Net 4.6.1 requires the following post release fixes for .Net as well.

Note: .Net 4.6.1 installation replaces the existing 4.5.2 installation. If you attempt to roll back the .Net 4.6.1 update, you will need to install .Net 4.5.2 again.

AutoReseed Support for BitLocker

Beginning with Exchange 2013 CU13 and Exchange 2016 CU2, the Disk Reclaimer function within AutoReseed supports BitLocker. By default, this feature is disabled. For more information on how to enable this functionality, please seeEnabling BitLocker on Exchange Servers.

SHA-2 Support for Self-Signed Certificates

The New-ExchangeCertificate cmdlet has been updated to produce a SHA-2 certificate for all self-signed certificates created by Exchange. Creating a SHA-2 certificate is the default behaviour for the cmdlet. Existing certificates will not automatically be regenerated but newly installed servers will receive SHA-2 certificates by default. Customers may opt to replace existing non-SHA2 certificates generated by previous releases as they see fit.

Migration to Modern Public Folder Resolved

The issue reported in KB3161916 has been resolved.

 

This cumulative update fixes the following issues:

This cumulative update also fixes the issues that are described in the KB 3160339 MS16-079: Security update for Microsoft Exchange: June 14, 2016 and KB 3134844 Cumulative Update 1 for Exchange Server 2016

Microsoft Knowledge Base articles.
This update also includes new daylight saving time (DST) updates for Exchange Server 2016. For more information about DST, go to Daylight Saving Time Help and Support Center.

Download: https://www.microsoft.com/en-us/download/details.aspx?id=52968

SSL3.0 Enabled after install Exchange 2013 Cumulative update

After installing a cumalitive update on Exchange 2013 SSL3.0 is weer enabled.

With the following script you can disable SSL3.0

DisableSSL3.0.ps1:
$keyPathRoot = “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols”;
$keyPath = $keyPathRoot + “\SSL 3.0\Server”;
if (!(Test-Path $keyPath))
{
New-Item -path $keyPathRoot”\SSL 3.0″ -ItemType key -Name “Server” -Force;
}
Set-ItemProperty -path $keyPath -name “Enabled” -value 0x0 -Type DWORD -Force;

Thnx Andy David for the tip Smile

Configure your Exchange 2016 server with Configure-Echange2016.ps1

The Script is based on my Configure Exchange 2013 Script Download: https://gallery.technet.microsoft.com/scriptcenter/Configure-Exchange-2013-e0ffb2a6

At this moment there is only v1.0 so now new features.

You can download this script here:
https://gallery.technet.microsoft.com/scriptcenter/Configure-Exchange-2016-0e3c8288

Configure your Exchange 2013 server with Configure-Echange2013.ps1 Updated to V3.2

Updated to V3.2

Change List:

# V1.0 Begin
# V1.1 Added Some New Options 12-10-2014
# V1.2 Added Hyper-V Best Practise & NTFS Partition Offset
# V1.3 Added KB2995145 .NET Framework 4.5 garbage collector heap Fix
# V1.4 Added Set Minimum Disk Space Warning level (180GB Default CU6 200GB CU5)
# V1.5 Added Some new features
# V1.6 Changed the Layout & Add Move Arbitration Mailbox
# V1.7 Added PST Export & KB2990117
# V1.8 Added Full backup, Database in GB and Mailbox Size in GB Export CSV
# V1.9 Added Outlook AnyWhere & SafetyNetHoldTime
# V2.0 Added Check DatacenterActivationMode, Get-DatabaseAvailabilityGroupNetwork, Add Static Route, Disable Replation Network on DAG, Database Copies Per Volume (AutoReseed)
# V2.1 Added Edge Subscription
# V2.2 Added Check Transaction Log Growth
# V2.3 Changed the Menu to Submenu’s
# V2.4 Added Check Database White Space
# V2.5 Added MAPI HTTP External URL
# V2.6 Fixed OWA Virtual URL & HTTP URL
# V2.7 Added Fixes & Mountpoints & Changed Set Minimum Disk Space Warning Level from REG to GlobalOverride
# V2.8 Maintaince Added
# V2.9 Set Power to Highperformance
# V3.0 Check of Microsoft.Exchange.Management.PowerShell.SnapIn is loaded
# V3.1 Added Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.domain.com & Set-OutlookProvider -Identity EXCH -CertPrincipalName msstd:*.domain.com
# V3.2 VMware Best Practises & Fixed soms things

Download: https://gallery.technet.microsoft.com/scriptcenter/Configure-Exchange-2013-e0ffb2a6

Exchange Updates installing slow on Windows Server 2012 R2

For customers who are running Exchange on Windows Server 2012 R2, we want to make certain you are aware of a condition which can substantially increase the amount of time it takes to install Exchange Updates on this OS. Working with the .Net team, we have discovered that systems which have applied Windows Update KB3097966 can take 50% more time to install Exchange. The .Net team is working on a resolution to this and will include a fix in a future product update. In the meantime, customers who have deployed this Windows update can take a one-time action on their server before installing Exchange or a Cumulative Update to bring installation time back to normal. This procedure needs to be done once on every Exchange server running Windows Server 2012 R2. The command to execute is:

“%windir%\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update”

Errors and warnings encountered running this command can be safely ignored provided the final exit status code of 0 is reported in the output.

Cumulative Update 12 for Exchange Server 2013

Exchange team released CU12 for Exchange 2013

Issues that this cumulative update fixes:

KB 3143710 “Failed Search or Export” error occurs when an eDiscovery search in the Exchange Admin Center finishes

Important notice about certificate expiration for Exchange 2013 Hybrid customers

If you’re running Exchange 2013 and you’ve configured a hybrid deployment with Office 365, this post contains important information that might impact you. Please evaluate this information and take any necessary action before April 15, 2016.

On April 15 2016, the Office 365 TLS certificate will be renewed. This certificate is used by Office 365 to provide TLS encryption between Office 365 and external SMTP servers. The new certificate, which will help improve the security of mail sent to and from Office 365, will be issued by a new Certificate Authority and it will have a new Issuer and Subject.

This change has the potential to stop hybrid mailflow between Office 365 and your on-premises Exchange servers if one of the following conditions applies to you:

  • Your on-premises Exchange servers are running Exchange 2013 Cumulative Update 8 (CU8) or lower.
  • You’ve upgraded the Exchange 2013 servers that handle hybrid mailflow to Exchange 2013 CU9 or higher. However, since upgrading to CU9, you HAVE NOTre-run the Hybrid Configuration wizard (either from the Exchange Admin Center or via the direct download link).

If one of the previous conditions applies to your organization, hybrid mailflow between Office 365 and your organization will stop working after April 15, 2016unless you complete the steps below.

Note: This only affects hybrid mailflow. Regular mailflow and TLS encryption is NOT affected.

How to keep hybrid mail flowing (MUST be completed before 4/15/2016)
Let the new Hybrid Configuration wizard do it for you

You can use the latest Hybrid Configuration wizard (HCW) to configure your Exchange 2013 servers to work with the new TLS certificate. Just follow these steps:

  1. If the Exchange 2013 servers handling hybrid mailflow are running Exchange 2013 CU8 or lower, follow the instructions in Updates for Exchange 2013 to install the latest cumulative update on at least one server.
  2. After you install the latest cumulative update, download the new HCW application and run the wizard following the instructions here .

Note: For information on which releases of Exchange are supported with Office 365, see Hybrid deployment prerequisites.

Manual update

If you can’t upgrade Exchange 2013 to latest cumulative update right now (although we would like to remind you of our support policy), you can manually configure your servers to work with the new TLS certificate. On each Exchange 2013 server that’s used for hybrid mailflow, open the Exchange Management Shell, and run the following commands:

$rc=Get-ReceiveConnector |where {$_.TlsDomainCapabilities -like “*<I>*”}

Set-ReceiveConnector -Identity $rc.Identity -TlsDomainCapabilities “mail.protection.outlook.com:AcceptCloudServicesMail

http://blogs.technet.com/b/exchange/archive/2016/02/19/important-notice-about-certificate-expiration-for-exchange-2013-hybrid-customers.aspx

Microsoft Exchange Server User Monitor For Exchange 2013 and 2016

        Use the Microsoft Exchange Server User Monitor to gather real-time data to better understand current client usage patterns, and to plan for future work.
        Administrators can view details on server resource utilization as reported through server-side tracing. This tool works with Microsoft Exchange Server 2013 and 2016.
        The tool is provided as-is. At this time, there are no updates or patches planned for future release. No formal support is provided for the tool. Some minimal support may be provided by Microsoft but not all reported issues will be able to be addressed or resolved.

        Exchange Server User Monitor

      Exchange Analyzer is a great tool for every Exchange Admin

      Exchange Analyzer is a PowerShell tool that scans an Exchange Server 2013 or 2016 organization and reports on compliance with best practices.

      Exchange Analyzer is a community project, and is currently a beta release seeking feedback and results from real world environments.

      To read the latest information about Exchange Analyzer click here to visit the project’s ReadMe on Github. More information can also be found in the Exchange Analyzer Wiki.

      Installation Instructions

      1. Download the latest Zip file

      2. Extract or copy the following files and folders to a computer that has the Exchange 2013 or 2016 management shell installed. For example, place all of the files and folders in a C:\Scripts\ExchangeAnalyzer folder.

        • Run-ExchangeAnalyzer.ps1
        • \Data
        • \Modules
        • \Tests

        3. Copy the folders in the \Modules folder to C:\Windows\System32\WindowsPowerShell\v1.0\Modules\

        4. Open a new Exchange Management Shell

        Important Note: if you are updating your copy of Exchange Analyzer please make sure you copy the updated module in step 3.

        Running Exchange Analyzer

        To run the Exchange Analyzer open an Exchange management shell, navigate to the folder with the script files (e.g. C:\Scripts\ExchangeAnalyzer) and run:

        Interpreting Results

        Exchange Analyzer produces a HTML report with a simple “Passed/Failed” indicator and a list of passed and/or failed objects. Links to more info are provided to assist you with further interpretation of the report.

        Feedback and Questions

        Before submitting feedback or questions please review the Exchange Analyzer FAQ.

        You can help with bug fixes by submitting issues on Github. If you would like to contribute fixes or other code please review theExchange Analyzer Wiki.

        You can also send email to feedback@exchangeanalyzer.com.

        Change Log

        14/01/2016 – v0.1.0-Beta.1

        • First public beta release

        28/01/2016 – v0.1.1-Beta.2

        • Second beta release. Details of changes are here.

        image