Exchange 2010-2016 Security Fixes

Microsoft released security updates to fix a remote code execution vulnerability in
Exchange Server. The related knowledge base article is KB4018588.

More information is contained in the following Common Vulnerabilities and Exposures articles:

  • CVE-2017-8521 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2017-8559 – Microsoft Exchange Cross-Site Scripting Vulnerability
  • CVE-2017-8560 – Microsoft Exchange Cross-Site Scripting Vulnerability

Depending on the lifecycle status of the product, fixes are made available either through a Rollup or as a security fix for the following product levels:

As you might notice, the security fix is made available for the N-1 builds of Exchange 2013 and Exchange 2016. This could imply the issue was addressed in the latest builds of those products. I hope to receive official confirmation on this soon.

The issue is deemed Important, which means organizations are advised to apply these updates at the earliest opportunity. However, as with any update, it is recommended to thoroughly test updates and fixes prior to deploying them in a production environment.

Source

Important update for Azure Active Directory Connect – Version 1.1.553.0

Microsoft released Azure Active Directory Connect version 1.1.553.0 on June 26, 2017. More importantly, they published an important security advisory one day later.

Microsoft Security Advisory 4033453 – Vulnerability in Azure AD Connect Could Allow Elevation of Privilege explains,

The [ADD Connect version 1.1.553.0] update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts. The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.

Microsoft highly recommends all customers update to version 1.1.553.0 or later to mitigate this vulnerability, even if you don’t use the optional password writeback feature. If you are unable to update immediately, the article above describes mitigation steps you can consider.

  • If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups.
  • If an on-premises AD administrator has previously created Control Access Rights on the adminSDHolder object for the AD DS account which permits Reset Password operation, consider removing it.
  • It may not always be possible to remove existing permissions granted to the AD DS account (for example, the AD DS account relies on the group membership for permissions required for other features such as Password synchronization or Exchange hybrid writeback). Consider creating a DENY ACE on the adminSDHolder object which disallows the AD DS account with Reset Password permission using Windows DSACLS tool.

Expta

EXCHANGE 2013 CU17 AND EXCHANGE 2016 CU6

On June 27, 2017 Microsoft has released its quarterly updates for Exchange 2013 and Exchange 2016. The current version is now at Exchange 2013 CU17 (15.0.1320.4) and Exchange 2016 CU6(15.1.1034.26) . But this time there are some interesting things I’d like to point out.

A couple of days before the release of Exchange 2016 CU6 (15.1.1034.26)
Microsoft blogged about Sent Items Behavior Control and Original Folder Item Recovery. With the Sent Items Behavior Control, a message that’s sent using the Send As or Send on behalf of permission is not only stored in the mailbox of the user that actually sent the message, but a copy is also stored in the delegator mailbox sent items. This was already possible for shared mailboxes, but now it’s also possible for regular mailboxes (like manager/assistant scenarios).

The Original Folder Item Recovery feature is I guess on of the most requested features. In the past (before Exchange 2010) when items were restored after they were deleted, they were restored to their original location. With the Dumpster 2.0 that was introduced with Exchange 2010 this was no longer possible, and items were restored to the deleted items folder. In this case the items had to be moved manually to their original location. With the introduction of the Original Folder Item Recovery the restore of deleted items again takes place in the original folder.

Unfortunately, both Sent Items Behavior Control and Original Folder Item Recovery are only available in Exchange 2016 CU6 (and NOT in Exchange 2013 CU17).

When it comes to security TLS 1.2 is a hot topic. Microsoft is aware of this and working hard towards an Exchange environment that only uses TLS 1.2 (so that TLS 1.1 and TLS 1.0 can be disabled). We are not yet at that stage. Exchange 2016 CU6 does have improved support for TLS 1.2, but Microsoft is not encouraging customers to move to a TLS 1.2 environment only.

.NET Framework and Exchange server continues to be a difficult scenario. This is understandable, Exchange is just a consumer of Windows and .NET so the Exchange Product Group does not have much influence on the .NET (and Windows) Product Group.

Exchange 2016 CU6 does NOT support.NET Framework 4.7 at this moment, and you should NOT install .NET Framework on a server running Exchange 2016. Not before and not after the installation of Exchange 2016 CU6. This is also true for Exchange Server 2013 CU17. More information regarding .NET Framework and Exchange server can be found here: https://blogs.technet.microsoft.com/exchange/2017/06/13/net-framework-4-7-and-exchange-server/.

The .NET Framework 4.6.2 is supported by Exchange 2016 CU3 and higher and Exchange 2013 CU15 and higher. For a complete overview of which scenarios are supported, navigate to the Exchange Server Supportability Matrix on https://technet.microsoft.com/en-us/library/ff728623(v=exchg.150).aspx.

KB articles that describe the fixes, features and information in each release are available as follows:

Version

Build

KB Article

Download

UMLP

Schema Changes

Exchange 2016 CU6

15.1.1034.26

KB4012108

Download

UMLP

Yes

Exchange 2013 CU17

15.0.1320.4

KB4012114

Download

UMLP

No

Source: jaapwesselius

New MVA learning paths for IT pros

Learn about the new paths for IT pros:

  • PowerShell: Beginner. Step up your IT pro game with foundational knowledge of PowerShell. Learn to use the command line to solve an issue, automate your infrastructure, and more.
  • PowerShell: Advanced. Go beyond the basics with scripting, reusable tools, and cmdlets—all taught by the architect and inventor of PowerShell, Jeffrey Snover.
  • Security for IT Pros. Beef up your security know-how with practical tips and tricks from the Microsoft security team.
  • DevOps for IT Pros. Your devs need you! Learn more about application performance and support monitoring with Microsoft Azure.
  • Introduction to Windows Server 2012 R2. Command this leading-edge server with tutorials on installation, roles, Microsoft Active Directory, storage, performance management, and maintenance.
  • Windows Server 2012 R2 Security and Identity. Build upon your security knowledge with Windows Server 2016 fundamentals, like Active Directory, basic PKI, and BYOD concepts.
  • Windows Server 2012 R2 Compute. Discover everything you need to know about virtualization and storage with courses on IP address management, server networking, Microsoft Hyper-V, and more.

Exchange 2007 reaches end of life on April 11

On April 11, 2017, Exchange Server 2007 will reach End of Life. If you haven’t already begun your migration from Exchange 2007 to Office 365 or Exchange 2016, you need to start planning now.

End of life means that Microsoft will no longer provide the following for Exchange 2007:

  • Free or paid assisted support (including custom support agreements)
  • Bug fixes for issues that are discovered and that may impact the stability and usability of the server
  • Security fixes for vulnerabilities that are discovered and that may make the server vulnerable to security breaches
  • Time zone updates

Your installation of Exchange 2007 will continue to run after this date. However, because of the changes listed above, we strongly recommend that you migrate from Exchange 2007 as soon as possible.

To learn about your options for migrating from Exchange 2007 to Office 365 or a newer version of Exchange Server, check out Exchange 2007 End of Life Roadmap.

Fix “Already Used” status VMware Horizon View

When linked-clone desktops are not cleanly logged off and the “Refresh on logoff” policy is used, VMware Horizon View marks the desktop as “Already used” and blocks other users from accessing the machine.

This “Already Used” state is a default VMware security feature which prevents other users from accessing the previous user’s data and allows a VMware Horizon View administrator to investigate potential problems with the desktop.

The VMware Horizon View desktop can also go into the “Already Used” state if a virtual machine is powered on on another ESXi host in the cluster in response to an HA event, or if it was shut down without reporting to the broker that the user had logged out.

The problem with this “Already Used” state is that the default within VMware Horizon View waits until a View Administrator actually does something to resolve the issue.

To resolve the “Already Used” issue, you can

  • Refresh or delete the desktop through teh VMware Horizon View Administrator console (this is a manual action)
  • Set an LDAP attribute pae-DirtyVMPolicy in the VMware Horizon View ADAM database under OU=Server Groups,DC=vdi, DC=vmware, DC=int
    • pae-DirtyVMPolicy=0 – This is the default behavior of leaving the desktop in the error state and not available for use.
    • pae-DirtyVMPolicy=1 – This allows desktops that were not cleanly logged off to be available without being refreshed. The desktop is available in the pool for another user.
    • pae-DirtyVMPolicy=2 – This setting will automatically refresh a desktop in the “already used” state and make it available again in the pool.

I prefer to set the pae-DirtyVMPolicy to 2 so “Already Used” situations will be automatically resolved by VMware Horizon View.

Changing the pae-DirtyVMPolicy needs to be done for each pool.

Manual method of setting the pae-DirtyVMPolicy value:

  • Start the ADSI Edit utility on your VMware Horizon View Connection Server host. Go to Start > Programs > ADAM > ADAM ADSI Edit.
  • Select or type a Distinguished Name or connect to DC=vdi, DC=vmware, DC=int.
  • Select or type a domain or server to localhost:389.
  • Locate the OU=Server Groups for editing.
  • Under the Server Groups OU, double-click CN=pool_name. This opens the properties of the CN.
  • Click the pae-DirtyVmPolicy attribute and click Edit.
  • Set the pae-DirtyVmPolicy attribute

PowerCLI method of setting the pae-DirtyVMPolicy value:

  • Create a function “Set-DirtyVMPolicy”

function Set-DirtyVmPolicy([string]$desktopid, [int]$policy) {
     $pool = [ADSI](“LDAP://localhost:389/cn=” + $desktopid + “,ou=server groups,dc=vdi,dc=vmware,dc=int”)
     $pool.put(“pae-DirtyVmPolicy”, $policy )
     $pool.setinfo()
     }

  • Run the function on the desktop pool

Set-DirtyVMPolicy -desktopid <yourdesktoppoolid> -policy 2

AlreadyUsed

References: Ituda & TheFinalByte

Mobile security is more important than ever!!!

The most used device these days is a mobile phone. Malware/Spyware/Hacking is everywhere, anytime,anywhere See: Update: Lookout re-airing on 60 Minutes

Some latest news about Mobile Security Alerts:

Hundreds of millions of devices potentially affected by first major iOS malware outbreak

Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire

Soo what can you do about it:

Install Security app on your device: So i installed the free version of lookout on my phone.

unnamed

It works great so far: Testing it.

MS16-108: Security update for Exchange Server 2007/2010/2013/2016

Summary

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow remote code execution in some Oracle Outside In Libraries that are built into Exchange Server. This issue might occur if an attacker sends an email message with a specially crafted attachment to a vulnerable Exchange Server computer. To learn more about this vulnerability, see Microsoft Security Bulletin MS16-108.

More information about this security update

The following articles contain more information about this security update as it relates to individual product versions.

  • 3184736 MS16-108: Description of the security update for Exchange Server 2016 and Exchange Server 2013: September 13, 2016
  • 3184728 MS16-108: Update Rollup 15 for Exchange Server 2010 Service Pack 3: September 13, 2016
  • 3184711 MS16-108: Update Rollup 21 for Exchange Server 2007 Service Pack 3: September 13, 2016

Security Bulletin: iOS “Pegasus” Malware and iOS 9.3.5 Security Update

On Aug. 25, 2016,  Apple announced updates to address security vulnerabilities in iOS version 9.3.4 and earlier. The affected components include the iOS kernel and WebKit.

The vulnerabilities can result in jailbreak, remote code execution, and memory corruption.  Security researchers at Lookout, Inc. have identified a high risk malware application, called “Pegasus”, that uses the vulnerabilities to compromise user devices.

MobileIron recommends that users update to iOS version 9.3.5 or later to obtain the necessary security patches. The security researchers have confirmed that the iOS patches prevent the vulnerabilities from being exploited.

Three vulnerabilities were patched in iOS 9.3.5.  The vulnerabilities are referred to collectively as “Trident”.  The reported CVE identifiers include:

  • CVE-2016-4655: An application may be able to disclose kernel memory.
  • CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges.
  • CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution.

Detection of Pegasus Jailbreak:

According to the security researchers at Lookout, EMM vendors cannot currently detect the Pegasus jailbreak. At this time, the only known method to detect Pegasus is to use products from Lookout.

Source: http://blaud.com/blog/pegasus-malware-ios-9-3-5-security-update_lookout_mobileiron

Very Important: Security update KB3159398 will break Group Policy

There is a known issue with the MS16-072/KB3163622 patch. This update will break GPO’s with faulty rights. Examples: Drives appear on domain systems that should be hidden, mapping drives don’t work, and other typical GPO settings aren’t getting applied.

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

1. Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).

2. If you are using security filtering (WMI), add the Domain Computers group with read permission.