Category: Uncategorized

Home / Category: Uncategorized

Three years ago I wrote a document titled “Removing Exchange’s ability to impact Tier 0 and Tier 1” that was distributed internally at Microsoft as well as to dozens of Microsoft customers as part of Cybersecurity services delivered through Microsoft Consulting Services (MCS).

I had always intended to get this document published publicly, but for one reason or another, it never happened. With KB4490059 being released in response to @_dirkjan‘s #PriveExchange vulnerability, I’ve decided it’s beyond time to just share it here on my blog. KB4490059 is a step in the right direction. You can add these mitigations on top of it for even further protections, or perhaps find a more compelling reason to switch to the Active Directory Split Permissions model.

Removing Exchange’s ability to impact Tier 0 and Tier 1

Exchange is tightly integrated with Active Directory. When Exchange is installed, the Active Directory Schema is extended, and several highly privileged groups are created. These privileged groups are granted rights to a large number of objects within Active Directory.  A compromised Exchange Server can easily lead to complete control of Tier 1, and in many instances Tier 0.

For more information on the Tier model, see “Securing Privileged Access”.

In Exchange 2010 and later, there are two options for mitigating this risk. Both should be evaluated carefully before implementation. It is only necessary to implement one of these two options.

Mitigation Option 1 – Implement the Active Directory Split Permissions Model

Starting with Exchange 2010, there are three Permissions Models available. Of the three, the Active Directory Split Permissions Model, is the only one that can mitigate this risk without additional modifications to Active Directory. Because this model does not allow Exchange to modify security principles (i.e. create/delete/reset password) or group membership (i.e. add members to security groups that may grant access to other systems), compromise of an Exchange Server is contained to the Exchange environment when running under this permissions model.

This permissions model isn’t for everyone. You should carefully consider the impact switching to Active Directory Split Permissions may have on your organization. It may require a significant change in user provisioning, business practices, or workflows that revolve around Exchange. It is also important to note that while this permissions model is fully supported by the Exchange Product Group, it does not receive the same level of testing as the default Shared Permissions model.

If you’ve determined that the Active Directory Split Permissions Model is right for your organization, you can switch to it by running the following setup command:

setup.com /PrepareAD /ActiveDirectorySplitPermissions:true

For more information on configuring split permissions, see “Configure Exchange 2010 for Split Permissions”.

Implementing the Active Directory Split Permissions model both removes Exchange from Tier 0, placing it in Tier 1, and reduces potential impact to Tier 1.

Mitigation Option 2 – Reduce privileges granted to Exchange in Active Directory

If your organization needs to use the default Shared Permissions Model, the RBAC Split Permissions Model, or still has legacy versions of Exchange present, modifications to permissions in Active Directory are required to mitigate this risk.

To remove Exchange’s potential to impact to Tier 0, permissions granted to Exchange’s privileged groups must be removed from the Access Control List (ACL) on the following groups and their members in all domains within the Active Directory Forest Exchange has been installed in, to include any nested groups and members of those nested groups.

  • Enterprise Admins
  • Domain Admins
  • Schema Admin
  • BUILTIN\Administrators
  • Account Operators
  • Backup Operators
  • Print Operators
  • Server Operators
  • Domain Controllers
  • Read-only Domain Controllers
  • Group Policy Creators Owners
  • Cryptographic Operators
  • Other Delegated Groups

With the exception of the last 3 entries above, these groups should already be protected by AdminSDHolder, which prevents them from inheriting permissions that would allow Exchange’s privileged groups (Exchange Trusted Subsystem, Exchange Windows Permissions, Organization Management, etc.) to take control of them. Members of these groups should have the same protection. However, since Account Operators, Backup Operators, Print Operators, and Server Operators, can be excluded from AdminSDHolder protection, it is worthwhile to take the extra step of removing Exchange’s permission to all of the above groups (if present).

Because the permissions are inherited, the easiest way to accomplish this, is to place all Tier 0 users and groups into the same OU, block inheritance on that OU, and restrict permissions on the ACL for that OU. Full Control (GenericAll), Write (GenericWrite), Modify Permissions (WriteDacl), Write Member (WriteMember), and Change Password (note that Change Password permissions should NOT be removed from “Everyone” or “SELF”), are the permissions that should be removed from any object that should not have the ability to manipulate Tier 0 OUs/users/groups. In most cases the entire security principal can be removed from the Tier 0 OUs/users/groups.

To remove Exchange’s potential to impact Tier 1, a similar approach to the above must be taken.  Exchange’s permissions on the ACLs of users and groups with privileged access to Tier 1 assets.

Because the permissions are inherited, the easiest way to accomplish this, is to place all Tier 1 privileged users and groups into the same OU, block inheritance on that OU, and restrict permissions on the ACL for that OU. Full Control (GenericAll), Write (GenericWrite), Modify Permissions (WriteDACLl), and Write Member (WriteMember), are the permissions that should be removed from any object that should not have the ability to manipulate Tier 1 privileged users/groups. In most cases the entire security principal can be removed from the ACL on the Tier 1 OUs/users/groups.

For example, Exchange should not have permissions to an account or group that grants privileged access to a SQL server.

Privileged accounts and groups should NOT be mail enabled. Therefore removing Exchange’s permissions from them should have no negative impact on operations.  If an account with, or a group used to grant privileged access to, any system, regardless of what tier it resides in, has been mail enabled, privileges should either by removed, or they should be mail disabled. Either way, it may be necessary to create unprivileged accounts/groups for mail use, or non-mail enabled accounts/groups for privileged access use, in order to avoid disruptions.

This approach is not tested by the Exchange Product Group. Failure to exercise caution when implementing this approach could result in damage to the Exchange environment.

Additional Considerations

Service Packs and Cumulative Updates in Exchange often include Schema updates to Active Directory. Because Schema extensions and Active Directory preparation require Schema Admins and Enterprise Admins privileges, this portion of updating Exchange is a Tier 0 operation. Schema extensions and Active Directory preparation must be performed from a Tier 0 Privileged Access Workstation (PAW).

Schema extension and Active Directory preparation performed during an update to Exchange may overwrite some Exchange related settings in Active Directory. It is recommended that permissions on Tier 0 and Tier 1 set according to the guidance above are validated after every Exchange update install.

How fitting that 7 years after I started this blog I would relaunch it on a new platform (more on that to come). I know there’s been a lot of times it’s been neglected over the years due to my work/travel schedule, but that’s changing now.  I’d like to thank anyone and everyone who’s stuck with me reading it over the years.  I’ve got a bunch of new stuff planned, so stay tuned!

Exchange 2016 SP1 to run on Linux!

April 1, 2016 | Uncategorized | No Comments

Ever since last month’s announcement that Microsoft SQL Server will be coming to Linux, quiet rumors have been floating around that some of Microsoft’s other Enterprise Products, such as Exchange Server, may follow suit. With this week’s announcement at the Build conference about the popular Linux shell “BASH” coming to Windows, I decided it was time to see what the Exchange team has planned for Linux, if anything. Today I caught up with a member of the Exchange team that wishes to remain anonymous to get the inside scoop on Exchange 2016 SP1 and support for installing it on Linux!

FixTheExchange: Are there any plans to make Exchange run on Linux?

Microsoft Spokesperson: Originally, no.  We started thinking about it after the Azure team released the Azure Cloud Switch, which is based entirely on Linux. Then when the SQL team announced their product would run on Linux by mid-2017, we knew we had to take the idea more seriously.

FixTheExchange: Does this mean Exchange will run on SQL when it arrives on Linux?

Microsoft Spokesperson: No! Why does everyone keep asking if Exchange will run on SQL?  SQL can’t keep up with us! It’ll still run on ESE, we’ll just be bringing ESE over to Linux along with the rest of our code.

FixTheExchange: Why Linux?

Microsoft Spokesperson: If you think about it, it makes sense. The Office team has made Outlook and the rest of the Office Suite available across several platforms. Outlook on the Web works on browsers across multiple platforms. If our client side is cross-platform, why shouldn’t the servers they connect to them be?

FixTheExchange: When will Exchange be available on Linux?

Microsoft Spokesperson: When it’s ready. 😉 Just kidding, it’s already there. We’ve started testing it in Office 365, just like we would any other new feature for Exchange.

FixTheExchange: Wow, that was quick! What about On-premises?

Microsoft Spokesperson: We couldn’t let the SQL team beat us to it. Our ability to roll changes out quickly in Office 365 really gives us the advantage. We’ll have it ready for on-premises by Service Pack 1, so 4th quarter of 2016.

FixTheExchange: Will there be support for mixing Exchange running on Windows and Exchange running on Linux in the same DAG?

Microsoft Spokesperson: Seriously? Do you think we’re some sort of fools? No. We don’t support mixing versions of Windows in the same DAG, why would we support completely different operating systems within the same DAG?

FixTheExchange: You know it had to be asked… How will Exchange be administered when running on Linux?

Microsoft Spokesperson: We’re working on porting the Exchange Management Shell over to BASH. With the Windows team adopting BASH, you should be able to administer Exchange from either a Windows or Linux desktop.

FixTheExchange: What about PowerShell?

Microsoft Spokesperson: We’re not abandoning PowerShell, just giving administrators more options.

FixTheExchange: Looks like we’re out of time… thanks for sharing this exciting information!

 

You heard it here first folks, not to be outdone by the SQL team, Exchange will reach Linux first!

 

 

Changing my focus in 2016.

January 5, 2016 | Uncategorized | No Comments

I’ve always had two passions throughout my IT career, Messaging, and Security. I tend to change my focus from one to the other every few years. For the past couple years as a Premier Field Engineer, I was fortunate enough to be able to leverage both of my passions, however Messaging was my primary focus. Yesterday was my first day back to work in 2016. It was also the start of a new role for me at Microsoft. I am now a Cybersecurity Architect, and with that my primary focus changes to Security once again.  This means you’ll probably see a little more Security focused content on my blog from now on. Even though Security is now my main focus, my Messaging skills are in demand with my new role, so I’ll still get to leverage both my passions.  I’m looking forward to helping customers be more secure in 2016!

 

This week I was helping a customer figure out why their Windows 8.1 with Outlook 2013 clients couldn’t connect to Exchange 2010 over Outlook Anywhere with Smartcard Authentication, but their Windows 7 with Outlook 2010 clients could.  After a couple days of looking at network traces on firewalls, Process Explorer, and Process Monitor on several clients, we finally figured it out. Keep reading for more details on symptoms, cause, and resolution.

Symptoms
Outlook Profile creation either fails after a single PIN prompt with a message stating that encrypted communication with the Exchange Server could not be established, or profile creation never progresses past the first stage with repeated PIN prompts.

Additionally, using the “Test E-mail AutoConfiguration” feature in Outlook (CTRL + Right Click on the Outlook icon in the system tray) returns error 0x80090014 on the log tab for Autodiscover. (Note: If no profiles exist on the problem computer, you can open Outlook without creating a profile to access this functionality).​

 

Cause
0x80090014 = NTE_BAD_PROV_TYPE, “Invalid provider type specified”. This occurs when an application tries to use a Cryptographic Service Provider (CSP) that Windows isn’t aware of. This may be the result of the version of Windows not supporting a CSP, or Smartcard Middleware not properly installing a 3rd Party CSP required by the certificate on the Smartcard.

 

Resolution
Verify that the version of Windows you are running supports the CSP used by the certificate on your Smartcard, and that any 3rd Party CSPs/Middleware required by your certificate are installed and properly functioning.

 

You can see the available CSPs by viewing the following Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Providers

 

In this case, the customer had 3rd Party (ActivIdentity’s ActivClient) Middleware installed. We found that version 7.x was installed on the Windows 8.1/Outlook 2013 clients that couldn’t connect, and version 6.2.9200 on the Windows 7/Outlook 2010 clients that were able to connect.

 

We found that the non-functioning clients were missing the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Defaults\Provider\ActivClient Cryptographic Service Provider

They were also missing a DLL identified by one of the values under that key:
C:\Program Files\ActiveIdentity\ActivClient\accsp.dll

 

Without that registry key and DLL, Windows couldn’t find the CSP from the certificate we selected on our Smartcard when prompted, which is why we saw the 0x80090014 error.

 

Updating to the latest 7.x version we could find did not resolve this issue. We had to uninstall 7.x and install 6.2.9200 (WARNING! This requires an account with local administrative privileges that is allowed to logon with username and password! After the required reboot to uninstall the 7.x version, you will not be able to logon with a Smartcard. You must install the working 6.2.9200 version in order to use Smartcard logon again.)

 

After downgrading the Middleware to a version that included the necessary registry entries and DLL file, the Windows 8.1 w/ Outlook 2013 clients were able to successfully connect to Exchange over Outlook Anywhere with Smartcard Authentication.

A month in advance of the Ignite Conference, an anonymous source within the Exchange Product Group tells us Exchange 2016 is being built on, and will run entirely inside of, Minecraft.  Check out my exlusive interview below!

 

FixTheExchange: Why Minecraft?!

Anonymous Exchange Product Group Person: We were really excited when Microsoft bought Minecraft. We'd seen how a few players had built working Word Processors and even Hard Drives inside of Minecraft, and thought it would be fun to build the next version of Exchange entirely inside of Minecraft. With the improvments to Managed Availability we've made since introducing it in Exchange 2013, Exchange practically runs itself.  Systems Administrators are getting bored, we wanted to make Exchange fun and challenging again.  We also thought that by building it entirely within Minecraft, we might attract a younger generation of coders to join our team, keeping Exchange fresh and exciting for years to come.

FixTheExchange: What challenges did you face building such a complex product within Minecraft?

Anonymous Exchange Product Group Person: It was slow going at first.  We weren't quite sure how to go about things.  We tried to build the first version on "Survival Mode", which is the default mode.  It took a really long time to gather the materials needed, and our hard work kept getting blown up by "Creepers".  One of our developers almost quit when a Creeper blew him up along with a section of the new Transport Pipeline that he'd been working on for days.  We ended up starting over on "Creative Mode" after that, and things went a lot smoother from then on.

FixTheExchange: What about Office 365, doesn't everything start there before going On-Premises now?

Anonymous Exchange Product Group Person: Yes! We haven't changed that.  In fact Office 365 is literally built in the clouds!  We built it near the block limit.  When you enter the Exchange 2016 Minecraft world, Office 365 can be seen looming everywhere above you at all times.  Hybrid is even easier than ever, you just build a ramp from your on-premises deployment on the ground up to Office 365 in the clouds.  The ramp contains 2 minecart tracks, 1 for inbound traffic and 1 for outbound.

FixTheExchange: How will you administer it?

Anonymouse Exchange Product Group Person: That's the fun part!  For example, if you want to provision a mailbox for a person, you have to actually build them a mailbox, the same way you'd build a house if you were playing Minecraft.

FixTheExchange: What's your favorite new feature?

Anonymous Exchange Product Group Person: Hololens integration!  It's an incredibly immersive experience.  Imagine sitting in your datacenter, you put on your Hololens, and your instantly transported into your Exchange 2016 environment.

FixTheExchange: Sounds awesome!  When will it be released?

Anonymous Exchange Product Group Person: When it's ready.

There you have it, you heard it here first!

Exchange 2013 CU7, Exchange 2010 SP3 RU8,  Exchange 2007 SP3 RU15, and UM Language Packs for CU7, were all released yesterday.  These include important security fixes for vulnerabilities outlined in MS14-075.

There have been reports of RU8 breaking Outlook connectivity.  Because of this, RU8 is being recalled, so expect an RU8v2.  For more information, see the Exchange Team blog post that was updated today.

2014 Black Friday/Cyber Monday Deals

November 24, 2014 | Uncategorized | No Comments

The Holiday shopping season is upon us, and retailers are posting their Black Friday and Cyber Monday deals already.  I refuse to go participate in the madness that is Black Friday, and prefer ordering things online anyway, so I usually participate in Cyber Monday, if I even participate at all.   In recent years, many retailers have made a lot of deals available online for not only Cyber Monday, but for Black Friday as well.  Several even have deals available the entire week of Thanksgiving.  I'll add to this list as they come to me.

Microsoft Store

The Microsoft Store has a phone, a tablet, a laptop, and headphones, all available right now.  They also have a list that includes everything from Surface tablets and Xbox Ones to 3D Printers that will go on sale starting Thangsgiving.

Shop 2014 Black Friday Deals

Their Cyber Monday deals page is up, but currently doesn't list what deals we can expect, it just says "coming soon".

Shop 2014 Cyber Monday Deals

VMware
Save 30% on VMware Fusion 7 or VMware Fusion 7 Professional