Important update for Azure Active Directory Connect – Version 1.1.553.0

Microsoft released Azure Active Directory Connect version 1.1.553.0 on June 26, 2017. More importantly, they published an important security advisory one day later.

Microsoft Security Advisory 4033453 – Vulnerability in Azure AD Connect Could Allow Elevation of Privilege explains,

The [ADD Connect version 1.1.553.0] update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts. The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.

Microsoft highly recommends all customers update to version 1.1.553.0 or later to mitigate this vulnerability, even if you don’t use the optional password writeback feature. If you are unable to update immediately, the article above describes mitigation steps you can consider.

  • If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups.
  • If an on-premises AD administrator has previously created Control Access Rights on the adminSDHolder object for the AD DS account which permits Reset Password operation, consider removing it.
  • It may not always be possible to remove existing permissions granted to the AD DS account (for example, the AD DS account relies on the group membership for permissions required for other features such as Password synchronization or Exchange hybrid writeback). Consider creating a DENY ACE on the adminSDHolder object which disallows the AD DS account with Reset Password permission using Windows DSACLS tool.

Expta

EXCHANGE 2013 CU17 AND EXCHANGE 2016 CU6

On June 27, 2017 Microsoft has released its quarterly updates for Exchange 2013 and Exchange 2016. The current version is now at Exchange 2013 CU17 (15.0.1320.4) and Exchange 2016 CU6(15.1.1034.26) . But this time there are some interesting things I’d like to point out.

A couple of days before the release of Exchange 2016 CU6 (15.1.1034.26)
Microsoft blogged about Sent Items Behavior Control and Original Folder Item Recovery. With the Sent Items Behavior Control, a message that’s sent using the Send As or Send on behalf of permission is not only stored in the mailbox of the user that actually sent the message, but a copy is also stored in the delegator mailbox sent items. This was already possible for shared mailboxes, but now it’s also possible for regular mailboxes (like manager/assistant scenarios).

The Original Folder Item Recovery feature is I guess on of the most requested features. In the past (before Exchange 2010) when items were restored after they were deleted, they were restored to their original location. With the Dumpster 2.0 that was introduced with Exchange 2010 this was no longer possible, and items were restored to the deleted items folder. In this case the items had to be moved manually to their original location. With the introduction of the Original Folder Item Recovery the restore of deleted items again takes place in the original folder.

Unfortunately, both Sent Items Behavior Control and Original Folder Item Recovery are only available in Exchange 2016 CU6 (and NOT in Exchange 2013 CU17).

When it comes to security TLS 1.2 is a hot topic. Microsoft is aware of this and working hard towards an Exchange environment that only uses TLS 1.2 (so that TLS 1.1 and TLS 1.0 can be disabled). We are not yet at that stage. Exchange 2016 CU6 does have improved support for TLS 1.2, but Microsoft is not encouraging customers to move to a TLS 1.2 environment only.

.NET Framework and Exchange server continues to be a difficult scenario. This is understandable, Exchange is just a consumer of Windows and .NET so the Exchange Product Group does not have much influence on the .NET (and Windows) Product Group.

Exchange 2016 CU6 does NOT support.NET Framework 4.7 at this moment, and you should NOT install .NET Framework on a server running Exchange 2016. Not before and not after the installation of Exchange 2016 CU6. This is also true for Exchange Server 2013 CU17. More information regarding .NET Framework and Exchange server can be found here: https://blogs.technet.microsoft.com/exchange/2017/06/13/net-framework-4-7-and-exchange-server/.

The .NET Framework 4.6.2 is supported by Exchange 2016 CU3 and higher and Exchange 2013 CU15 and higher. For a complete overview of which scenarios are supported, navigate to the Exchange Server Supportability Matrix on https://technet.microsoft.com/en-us/library/ff728623(v=exchg.150).aspx.

KB articles that describe the fixes, features and information in each release are available as follows:

Version

Build

KB Article

Download

UMLP

Schema Changes

Exchange 2016 CU6

15.1.1034.26

KB4012108

Download

UMLP

Yes

Exchange 2013 CU17

15.0.1320.4

KB4012114

Download

UMLP

No

Source: jaapwesselius

RVTools 3.9.3 vSphere 6.5 Supported

Version Info

Version 3.9.3 (March, 2017)

  • Bug fix: unhandled exception in decrypt function solved

Version 3.9.2 (February, 2017)

  • Migrated RVTools to use .NET Framework version 4
  • Migrated RVTools to use NPOI 2.1.3.1
  • Support for vSphere 6.5
  • Improved logon performance
  • RVTools will no longer write messages to the Windows eventlog
  • All VM related tab pages now have a new column: OS according to the VMware Tools
  • All tab pages now have a new column: VI SDK Server
  • All tab pages column vCenter UUID renamed to VI SDK UUID
  • vInfo tab page: new column VI SDK API version
  • Export to Excel will now use xlsx format
  • Export to Excel all columns are now auto sized
  • Excel worksheet names will use same name as the tab page names
  • Annotations fields can now be excluded! See preference window
  • vPartition tab page new column: Consumed MB
  • vHealth _replica directories are excluded for zombie checks
  • *_sesparse.vmdk files are excluded for zombie checks
  • New tab page with license information
  • New PasswordEncryption application added with which you can encrypt your password
  • RVTools command line interface accepts now encrypted passwords
  • Bug fix: URL Link to online version info issue solved.

http://www.robware.net/rvtools/

Staying up-to-date with Windows Server updates for Remote Desktop Services (RDS)

Microsoft Remote Desktop Team get customer enquiries asking which RDS updates are available for a particular Windows Server platform; or when providing support we need to verify if certain hotfixes and servicing rollups are installed on the customers’ servers. To make it easier for customers and ourselves, we regularly revise KB articles that list all of the available updates specific to Remote Desktop services for each Windows Server release: