Microsoft states that Exchange 2010 and 2013 are secure out of the box. By this they mean that all traffic going in and out of Exchange is encrypted one way or another with security protocols, whether it is web traffic or SMTP. Even IMAP and POP are enabled with mandatory encryption (although the … Continue reading "Checking security protocols and ciphers on your Exchange servers"
This week Microsoft released a patch for Windows 7/Windows Server 2008 R2 and up that fixed a critical remote execution bug; see MS15-034 and CVE-2015-1635 for more info. Unfortunately, the patch was reverse engineered and an exploit is now available. This was detected and described by ISC SANS. They added Denial of Service (DoS) as a possible impact, … Continue reading "IIS Exploit can reboot your Windows Server; install patch KB3042553 ASAP"
I’ve written about Pass-the-Hash (PtH) attacks before. Today, I’m writing about the cleanup mechanisms, introduced by Microsoft with Windows 8.1 and Windows Server 2012 R2, that remove lingering passwords and password hashes from Windows. These mechanisms help protect against Pass-the-Hash (PtH) attacks.
In my spare time I like to test the software and appliances that I work with for security flaws. Since the Heartbleed bug has made news headlines around the world, I take extra measures to secure everything that needs SSL to work. NOTE: Kemp has released a firmware that patches the Heartbleed vulnerability. Please download it and … Continue reading "KEMP LoadMaster vs IIS 8.0 ARR: a note on security"
Last month, Microsoft released a KnowledgeBase article for Active Directory Certificate Services running on Windows Server 2008 R2 with Service Pack 1 and Windows Server 2012. Note: This KnowledgeBase article doesn’t apply to Windows Server 2012 R2, although the same issue exists as in Windows Server 2008 R2 and Windows Server 2012. The situation … Continue reading "KnowledgeBase: A hotfix is available that records more information in event ID 5125 for an OCSP response"
Most Exchange admins probably know (or should know) that the permission model since Exchange 2010 is Role Based Access Control, RBAC for short. With it, you can regulate quite granularly what admins and end users are able to do, without the hassle of Access Control Lists (ACLs). However, it recently became clear that it might be … Continue reading "Exchange RBAC might be more granular than you think"
2013/10/17: Added support statement by Microsoft below. Just today I was curious how the Apple biometric convenience solution TouchID on the iPhone 5s would impact password policies enforced by Exchange ActiveSync (EAS). I frequently run into complaints from Android users who previously used a Pattern Lock instead of a PIN to unlock their phones. When my … Continue reading "Apple iPhone 5s TouchID and Exchange ActiveSync (updated)"
Now that iOS 7 is available, it might be interesting to know how to block this version. In the past there were some issues with the Exchange ActiveSync implementation in specific iOS DeviceOS versions (read this and this). Please note that I have not encountered or heard of any ActiveSync issues with iOS 7, but it … Continue reading "Blocking iOS 7 in Exchange 2010 & 2013 (updated)"
A while back, Microsoft enabled the long-awaited 2-factor authentication feature for Microsoft Accounts and released a code generator for Windows Phone. But a little-known fact is that this app can also be used for Google Account two-factor authentication. See the screenshots below on how to do this: Go to the right corner … Continue reading "How to use the Microsoft Authenticator WP app with Google"
This blog post is something I have intended to write for a while now, because it is a question that I get asked a lot. On which Exchange server roles do you need to install the Exchange malware protection software, be it the now no longer for sale Forefront Protection for Exchange or similar products from … Continue reading "Exchange and malware protection"