Wednesday, December 12, 2012

Exchange Server Vulnerability Could Allow Remote Code Execution

Unfortunately, there is another vulnerability in the Exchange Server WebReady Document Viewing feature, this time in the third-party Oracle Outside In libraries it uses to transcode attachments for preview.

This security update resolves publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft Exchange Server.

The most severe vulnerabilities are in Microsoft Exchange Server WebReady Document Viewing and could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App.
The transcoding service in Exchange that is used for WebReady Document Viewing is running in the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network.

This security update is rated Critical for all supported editions of Exchange Server 2007 and 2010!

For more information and to download the update, please see Microsoft Security Bulletin MS12-080 - Critical
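Until the update is installed, the attack surface can be removed by turning WebReady Document Viewing off on every OWA virtual directory (a preview from either a public or a private OWA session reaches the Outside In code, so both settings matter). The following is an added example of mine, not code from the post or from the bulletin; it only uses Get-OwaVirtualDirectory and Set-OwaVirtualDirectory, and the function name is my own:

```powershell
# Added example, not from the original post: audit WebReady Document Viewing on every OWA
# virtual directory and, with -Disable, switch it off for both public and private sessions.
function Set-WebReadyState {
    param([switch]$Disable)   # without -Disable this only reports the current state

    Get-OwaVirtualDirectory | ForEach-Object {
        $vdir  = $_
        $state = New-Object PSObject -Property @{
            Server  = $vdir.Server
            Name    = $vdir.Name
            Public  = $vdir.WebReadyDocumentViewingOnPublicComputersEnabled
            Private = $vdir.WebReadyDocumentViewingOnPrivateComputersEnabled
        }
        if ($Disable -and ($state.Public -or $state.Private)) {
            # Both settings must be off: a single preview from either session type is enough
            Set-OwaVirtualDirectory -Identity $vdir.Identity `
                -WebReadyDocumentViewingOnPublicComputersEnabled  $false `
                -WebReadyDocumentViewingOnPrivateComputersEnabled $false
            $state.Public  = $false
            $state.Private = $false
        }
        $state
    } | Format-Table Server, Name, Public, Private -AutoSize
}

Set-WebReadyState            # audit only
# Set-WebReadyState -Disable # apply the workaround on every Client Access server
```

Run the audit first so you have a record of which virtual directories had the feature enabled; once MS12-080 is installed on every CAS you can decide whether to turn it back on.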

Exchange Server 2010 SP2 Update Rollup 5 v2 Released

Similar to what happened with Update Rollup 4, this one was released a few weeks ago but was almost immediately withdrawn due to a bug that affected DAGs...

Now version 2 has been released. For a full description of this RU, please check KB2785908 and to download it click here.

As with every RU or SP, Microsoft has updated the useful Exchange Server and Update Rollups Build Numbers wiki page.

I haven’t applied it on my lab yet, but will let you know as soon as I do.

Monday, December 10, 2012

Mailbox Size Increases when Transitioning to Exchange 2013

If you are transitioning from Exchange 2007/2010 to Exchange 2013, you will see that the reported size of mailboxes increases by around 30 to 40%! Don’t be alarmed just yet. The actual space used by the mailbox database will not grow by 30%; the increase only affects how much space is attributed to each individual mailbox.

Basically, Exchange 2013 now includes in the mailbox size attribute all the properties of items in a mailbox, thus providing a more accurate calculation of space taken by items in a mailbox and, therefore, the whole mailbox itself.

The problem with this is that, during a migration, users might exceed their mailbox quota when their mailbox is moved to Exchange 2013 and be prevented from sending and/or receiving e-mails...

So, in order to prevent this from happening, I suggest increasing everyone’s mailbox quota by 40% prior to their move. You can either do this at the mailbox database level if your users are using the database quotas, or individually on a per-user basis.

For example, if you want to increase by 40% the ProhibitSendQuota value for all users that are not using the database quota defaults, you can use the following cmdlet:
Get-Mailbox -ResultSize Unlimited -Filter {UseDatabaseQuotaDefaults -eq $False} | Where {$_.ProhibitSendQuota -ne "unlimited"} | ForEach {Set-Mailbox $_ -ProhibitSendQuota "$($($_.ProhibitSendQuota).Value.ToMB() * 1.4)MB" -WhatIf}

However, don’t forget to scale IssueWarningQuota and ProhibitSendReceiveQuota as well if you are using them, and keep their relative order (warning, then prohibit send, then prohibit send/receive). Note that this is not the tidiest method, as users might end up with a quota of 1523MB, for example, when a round value such as 1500MB or 1600MB would be preferable...
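The following is an added example of mine (not from the original post) that takes the one-liner a step further: it scales all three explicit quotas by the same factor, rounds each result up to a multiple of 100 MB so 1088MB becomes 1600MB rather than 1523MB, and runs with -WhatIf unless you pass -Apply. The factor, the rounding step and the function name are my choices; the cmdlets and properties are the standard Set-Mailbox ones.

```powershell
# Added example, not from the original post: scale every explicit per-mailbox quota ahead of
# a move to Exchange 2013 and round up to a multiple of 100 MB. Scaling all three quotas by one
# factor and rounding up preserves IssueWarning <= ProhibitSend <= ProhibitSendReceive.
param(
    [double]$Factor    = 1.4,    # 40% headroom, as suggested above
    [int]   $RoundToMB = 100,    # round each new quota up to a multiple of this many MB
    [switch]$Apply               # without -Apply every Set-Mailbox runs with -WhatIf
)

function Get-ScaledQuotaMB {
    param($Quota, [double]$Factor, [int]$RoundToMB)
    if ($null -eq $Quota -or $Quota.IsUnlimited) { return $null }   # unlimited stays unlimited
    $mb = [double]$Quota.Value.ToMB() * $Factor
    return [int]([math]::Ceiling($mb / $RoundToMB) * $RoundToMB)
}

Get-Mailbox -ResultSize Unlimited -Filter {UseDatabaseQuotaDefaults -eq $false} | ForEach-Object {
    $mbx = $_
    $new = @{}
    foreach ($name in 'IssueWarningQuota', 'ProhibitSendQuota', 'ProhibitSendReceiveQuota') {
        $mbValue = Get-ScaledQuotaMB -Quota $mbx.$name -Factor $Factor -RoundToMB $RoundToMB
        if ($null -ne $mbValue) { $new[$name] = "{0}MB" -f $mbValue }
    }
    if ($new.Count -gt 0) {
        $summary = ($new.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
        Write-Host "$($mbx.Alias): $summary"
        Set-Mailbox -Identity $mbx.Identity @new -WhatIf:(-not $Apply)
    }
}
```

Save it as a script and run it once without -Apply to review the proposed values. Mailboxes that use the database defaults are skipped on purpose; raise those with Set-MailboxDatabase on the source databases instead.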

Tuesday, December 4, 2012

Exchange 2013 Visio Stencil

Microsoft has recently released the new Visio Stencil for the entire Office 2013 suite. It contains more than 300 icons (servers, applications and services), mainly focused around Lync, SharePoint, and Exchange technologies and features.

To download it, please go here.

Friday, November 30, 2012

RPC Client Access Throttling Logging

By default, you have to use PerfMon counters to see how often throttling is occurring for RPC connections.

However, there is a way to have this information "properly" logged. To achieve this, take a backup of the Microsoft.Exchange.RpcClientAccess.Service.exe.config file located in \Program Files\Microsoft\Exchange Server\V14\Bin, then add Throttling to the LoggingTag string so it looks like this:
<add key="LoggingTag" value="ConnectDisconnect, Logon, Failures, ApplicationData, Warnings, Throttling"/>

Now restart the RPC Client Access service and you will see this information in logs created in the “\Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access” folder. When throttling happens, you will usually find the keyword “exceeded”.

This way, you can easily see when RPC Throttling kicks in, what it is doing and why!
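To make the change repeatable across several Client Access servers, the following added example of mine (not from the original post) edits the config as XML rather than by hand, keeps a timestamped backup, appends the tag only if it is missing, and then scans the resulting logs for the "exceeded" entries mentioned above. It assumes the ExchangeInstallPath environment variable that Exchange setup creates; the function names are mine.

```powershell
# Added example, not from the original post: enable the Throttling logging tag safely and
# look for throttling entries in the RPC Client Access logs afterwards.

function Enable-RpcThrottlingLogging {
    param(
        [string]$ConfigPath = (Join-Path $env:ExchangeInstallPath 'Bin\Microsoft.Exchange.RpcClientAccess.Service.exe.config'),
        [switch]$RestartService    # the new tag only takes effect once the RPC Client Access service restarts
    )
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    [xml]$config = Get-Content -Path $ConfigPath
    $setting = $config.SelectSingleNode("/configuration/appSettings/add[@key='LoggingTag']")
    if ($null -eq $setting) { throw "No LoggingTag setting found in $ConfigPath" }

    $tags = @($setting.GetAttribute('value') -split '\s*,\s*' | Where-Object { $_ })
    if ($tags -contains 'Throttling') {
        Write-Host "Throttling already enabled: $($setting.GetAttribute('value'))"
    } else {
        $setting.SetAttribute('value', (($tags + 'Throttling') -join ', '))
        $config.Save($ConfigPath)
        Write-Host "LoggingTag is now: $($setting.GetAttribute('value'))"
        if ($RestartService) { Restart-Service -Name MSExchangeRPC }
    }
}

function Find-RpcThrottlingEvents {
    param(
        [string]$LogDir = (Join-Path $env:ExchangeInstallPath 'Logging\RPC Client Access'),
        [int]$Days = 1
    )
    # Throttling entries carry the word "exceeded"; group them per log file so bursts stand out
    Get-ChildItem -Path $LogDir -Filter '*.log' |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Select-String -Pattern 'exceeded' -SimpleMatch |
        Group-Object Filename |
        Select-Object @{ Name = 'LogFile'; Expression = { $_.Name } }, Count,
                      @{ Name = 'Sample';  Expression = { $_.Group[0].Line } }
}

Enable-RpcThrottlingLogging -RestartService
Find-RpcThrottlingEvents -Days 1
```

Restarting the service drops the Outlook sessions of everyone connected through that server, so run it with -RestartService during a maintenance window or remove the server from the CAS array load balancer first.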

Thursday, November 22, 2012

Office 365 Portal Login Error on Mobile Devices

Since early this week, whenever I try to log in to an Office 365 “wave 15” tenant on a mobile device I get the following error message:

I have tried from an Android mobile phone and iPad, always with the same result...

I know for a fact that Microsoft is looking into this at the moment.

As a workaround, if you go to:
  • https://tenant_domain.sharepoint.com


you will be able to log in directly to OWA or SharePoint. However, this only works from an iPad, as from my Android phone I get the error: “the page contains too many server redirects”...

I will update this post when I get more news on this.

Friday, November 16, 2012

Exchange 2013 Data Loss Prevention

Data Loss Prevention [DLP] is a system designed to detect a potential data breach/leakage incident in a timely manner and prevent it. When this happens, sensitive data such as personal/company information, credit card details, social security numbers, etc., is disclosed to unauthorized users either with malicious intent or by mistake. This has always been an important matter for most companies as the loss of sensitive data can be very damaging for a business. For many years now, there have been both software and hardware solutions that monitor data while:
in-use: end-user actions such as copying data to USB or printing it for example;
in-motion: network communications like e-mail, web traffic, Instant Messaging, etc.;
at-rest: data stored in file shares or on users’ drives.

Up until now, Exchange Administrators had to rely on 3rd-party solutions to achieve this, but some solutions would cause more harm than good and user productivity would suffer. With Exchange 2013, Microsoft now makes it possible to enforce compliance requirements for such data and control how it is used in e-mail. DLP is the new feature that allows administrators to manage sensitive data in Exchange!

To read the full article, please go to MSExchange.org - Exchange 2013 Data Loss Prevention.

Sunday, November 11, 2012

Default Junk E-Mail folder moved to a subfolder of Journal

A while back I got a user saying he wasn’t receiving some e-mails. Straight away I asked for an example and searched the Message Tracking Logs for the e-mail, only to confirm it had been delivered.
Luckily for me, my search revealed something really useful too:
 
RunspaceId : b1156ba1-602e-434f-97c2-14822536234c
Timestamp : 05/11/2012 08:48:23
ClientIp :
ClientHostname : xxxxxxx
ServerIp :
ServerHostname : xxxxxxx
SourceContext : 08CE8549B7FC9C12;2012-11-05T08:48:23.828Z;0
ConnectorId :
Source : STOREDRIVER
EventId : DELIVER
InternalMessageId : 4039958
MessageId : <210c68f5fb76da439a65309fd835991f0c7ce3@nat10exc01>
Recipients : { xxxxxxx@domain.com }
RecipientStatus : {Junk E-mail}
TotalBytes : 20527
RecipientCount : 1
RelatedRecipientAddress :
Reference :
MessageSubject : RE: Wednesday
Sender : xxxxxxx@external.domain.com
ReturnPath : xxxxxxx@external.domain.com
MessageInfo : 2012-11-05T08:48:23.000Z;SRV=xxxxxxx.domain.com:TOTAL=0;SRV=xxxxx.domain.com:TOTAL=0
MessageLatency : 00:00:00.9060000
MessageLatencyType : EndToEnd
EventData : {[MailboxDatabaseName, mdb33], [DatabaseHealth, -1]}


The e-mail was delivered to the Junk E-mail folder (look at RecipientStatus)! :) Ok, job done! Not exactly... When I went to the user’s mailbox to check a couple of e-mails to see if they were actually Spam, I couldn’t find the Junk E-mail folder! For some strange reason, it got moved to inside the Notes folder!...



So, how do we move it back?! If you try to move any of the default folders like Inbox, Deleted Items, etc., you will simply receive an error message.
The only way to move these is to use MFCMapi:
1. Download MFCMAPI
2. Launch MFCMAPI
3. Go to Session -> Logon and Display Store Table
4. Select the outlook profile of the user and double-click “Mailbox - User Name”
5. Expand “Root Container”
6. Expand “Top of Information Store”
7. Locate Junk E-mail, right click it and select Copy
8. Highlight “Top of Information Store”, right click it and select Paste
9. Click OK
10. Check “COPY_SUBFOLDERS” and “FOLDER_MOVE” and click OK
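Two checks worth having in the Shell for this situation, as an added example of mine rather than code from the post: the first confirms from the tracking logs where a "missing" message actually landed (the DELIVER event's RecipientStatus carries the folder, as in the output above), and the second lists any default folder that is no longer directly under the mailbox root, which is exactly the symptom here. The function names and the sample addresses are mine; the FolderType names are the ones Get-MailboxFolderStatistics reports on Exchange 2010.

```powershell
# Added example, not from the original post.

function Trace-Delivery {
    param(
        [Parameter(Mandatory)][string]$Recipient,
        [string]$Subject,
        [datetime]$Start = (Get-Date).AddDays(-7)
    )
    # Query every Hub Transport server; DELIVER events record the target folder in RecipientStatus
    Get-TransportServer | Get-MessageTrackingLog -Recipients $Recipient -EventId DELIVER `
        -Start $Start -ResultSize Unlimited |
        Where-Object { -not $Subject -or $_.MessageSubject -like "*$Subject*" } |
        Select-Object Timestamp, Sender, MessageSubject,
            @{ Name = 'DeliveredTo'; Expression = { $_.RecipientStatus -join ', ' } }
}

function Get-MisplacedDefaultFolders {
    param([Parameter(Mandatory)][string]$Mailbox)
    # Default folders belong directly under the root, i.e. a FolderPath with one segment such as
    # "/Junk E-Mail". A path like "/Notes/Junk E-Mail" is the problem described above.
    $defaultTypes = 'Inbox', 'SentItems', 'DeletedItems', 'Drafts', 'JunkEmail', 'Outbox',
                    'Calendar', 'Contacts', 'Journal', 'Notes', 'Tasks'
    Get-MailboxFolderStatistics -Identity $Mailbox |
        Where-Object {
            $defaultTypes -contains $_.FolderType -and
            ($_.FolderPath.TrimStart('/') -split '/').Count -gt 1
        } |
        Select-Object Name, FolderType, FolderPath
}

Trace-Delivery -Recipient 'user@domain.com' -Subject 'Wednesday'
Get-MisplacedDefaultFolders -Mailbox 'user@domain.com'
```

The second function can be piped from Get-Mailbox to sweep a whole database if you suspect more than one user has been "tidying up" with drag and drop.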

Hope this helps!

Sunday, November 4, 2012

iOS 6 issues with Exchange - Update

This is an update post of the iOS 6 issues with Exchange post from early October.

Looks like Apple has released an update for iOS 6 (available via iTunes and wirelessly) which supposedly fixes the issues of this OS with Microsoft Exchange meetings!

“This update contains improvements and bug fixes, including:
• Fixes a bug that prevents iPhone 5 from installing software updates wirelessly over the air;
• Fixes a bug where horizontal lines may be displayed across the keyboard;
• Fixes an issue that could cause camera flash to not go off;
• Improves reliability of iPhone 5 and iPod touch (5th generation) when connected to encrypted WPA2 Wi-Fi networks;
• Resolves an issue that prevents iPhone from using the cellular network in some instances;
• Consolidated the Use Cellular Data switch for iTunes Match;
• Fixes a Passcode Lock bug which sometimes allowed access to Passbook pass details from lock screen;
• Fixes a bug affecting Exchange meetings”

You can find details regarding this update here.

Friday, November 2, 2012

Exchange Server 2013 RTM Now Available

And here it is! The release-to-manufacturing [RTM] version of Exchange 2013 is now available for evaluation here!   :)

Monday, October 29, 2012

Lync Server 2013 RTM

You will be pleased to know that the RTM version of Lync Server 2013 is now available for a free 180-Day evaluation!
 

Friday, October 26, 2012

Exchange 2013 DAG CreateCluster() Failed Error

So far I have encountered the following problem in two completely separate Exchange 2013 Preview environments when creating a Database Availability Group [DAG].

I started by creating a simple DAG without any problems, only specifying its IP address and letting Exchange decide which server to use as the Witness Server. However, whenever I tried to add any of the mailbox servers to this DAG, I would get the following error:
 
Note the "CreateCluster() failed with 0x5. Error: Access is denied" part of the error message.


If we look at the dagtask log mentioned in the error above, we will see all the tasks Exchange performs when adding a server to the DAG and where it failed:
[2012-10-26T18:23:18] ClusterSetupProgressCallback( eSetupPhase = ClusterSetupPhaseConfigureClusterAccount, ePhaseType = ClusterSetupPhaseStart, ePhaseSeverity = ClusterSetupPhaseInformational, dwPercentComplete = 94, szObjectName = DAG1 in organizational unit CN=Computers,DC=letsexchange,DC=com, dwStatus = 0x0 )

[2012-10-26T18:23:18] ClusterSetupProgressCallback( eSetupPhase = ClusterSetupPhaseConfigureClusterAccount, ePhaseType = ClusterSetupPhaseEnd, ePhaseSeverity = ClusterSetupPhaseFatal, dwPercentComplete = 94, szObjectName = DAG1 in organizational unit CN=Computers,DC=letsexchange,DC=com, dwStatus = 0x5 )

When dwStatus is 0x0, it means “success” but 0x5 means “access denied” just like the error we received in the Shell.
After some troubleshooting, I found out that the DAG’s Cluster Name Object [CNO] wasn’t created properly! There were two problems with the CNO:
1. The Exchange Trusted Subsystem universal security group didn’t have Full Access permissions to it;
2. The CNO was enabled in Active Directory:


After assigning Full Control on the DAG1 AD object to the Exchange Trusted Subsystem and then disabling the object, everything worked just fine:
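The same two fixes scripted, as an added example of mine (not from the post), so they can be checked and applied before retrying Add-DatabaseAvailabilityGroupServer. It needs the Active Directory module and an account that may change the computer object's ACL; "DAG1" is the name from the log above and the function name is mine.

```powershell
# Added example, not from the original post: make sure the CNO is disabled and that
# Exchange Trusted Subsystem holds Full Control (GenericAll) on it, and nothing more.
Import-Module ActiveDirectory

function Repair-DagCno {
    param([Parameter(Mandatory)][string]$DagName)

    $cno         = Get-ADComputer -Identity $DagName -Properties Enabled
    $cnoPath     = "AD:\$($cno.DistinguishedName)"
    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # 1. Exchange Trusted Subsystem needs Full Control on this one object
    $ets = Get-ADGroup -Identity 'Exchange Trusted Subsystem'
    $acl = Get-Acl -Path $cnoPath
    $existing = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like '*\Exchange Trusted Subsystem' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl)
    }
    if (-not $existing) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $ets.SID, $fullControl, [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $cnoPath -AclObject $acl
        Write-Host "Granted Full Control on $($cno.DistinguishedName) to Exchange Trusted Subsystem"
    }

    # 2. A pre-staged CNO must be disabled; cluster setup enables it when it takes it over
    if ($cno.Enabled) {
        Set-ADComputer -Identity $cno -Enabled $false
        Write-Host "Disabled computer object $DagName"
    }

    Get-ADComputer -Identity $DagName -Properties Enabled |
        Select-Object Name, Enabled, DistinguishedName
}

Repair-DagCno -DagName 'DAG1'
```

The permission is deliberately granted on the DAG object only; Exchange Trusted Subsystem does not need rights on the Computers container itself, and giving it more than it needs there widens what a compromised Exchange server could do in the directory.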

Tuesday, October 23, 2012

Wiped Mobile Devices Can Still Access Mailbox

When you wipe a mobile device that has a partnership with your Exchange environment, it might still be able to re-establish a connection and access the mailbox it had configured for up to 24 hours. This is the same as what happens with Outlook Web App, and similar to when you disable an Active Directory account and the user can still use Outlook to access his/her mailbox for up to 2 hours.

The solution to immediately prevent access to the mailbox after issuing a wipe is to:
1. Disable the mailbox;
2. Set a Prohibit Send Quota of 0KB;
3. Move the mailbox to another database.

If this is a mailbox in Office 365, then disable the protocols using the Set-CASMailbox cmdlet!
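The following is an added example of mine, not from the original post, showing the order that matters when you combine the wipe with Set-CASMailbox: the wipe command is only delivered on the device's next sync, so ActiveSync must stay open until DeviceWipeAckTime is populated, while every other protocol can be closed immediately. The cmdlets exist on Exchange 2010 and in Office 365; the timeout, polling interval, function name and sample address are mine.

```powershell
# Added example, not from the original post: wipe, wait for the acknowledgement, then lock out.
function Invoke-WipeThenBlock {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [int]$WaitMinutes = 30
    )
    foreach ($device in @(Get-ActiveSyncDevice -Mailbox $Mailbox)) {
        Clear-ActiveSyncDevice -Identity $device.Identity -Confirm:$false
    }

    # Everything except ActiveSync can go now: OWA, MAPI/Outlook Anywhere, EWS, POP, IMAP
    Set-CASMailbox -Identity $Mailbox -OWAEnabled $false -MAPIEnabled $false `
        -EwsEnabled $false -PopEnabled $false -ImapEnabled $false

    $deadline = (Get-Date).AddMinutes($WaitMinutes)
    do {
        $stats   = @(Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox)
        $pending = @($stats | Where-Object { $_.DeviceWipeRequestTime -and -not $_.DeviceWipeAckTime })
        if ($pending.Count -eq 0) { break }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)

    if ($pending.Count -eq 0) {
        # All devices acknowledged: block their IDs and switch ActiveSync off for the mailbox
        $ids = @($stats | ForEach-Object { $_.DeviceID })
        if ($ids.Count -gt 0) {
            Set-CASMailbox -Identity $Mailbox -ActiveSyncBlockedDeviceIDs $ids
        }
        Set-CASMailbox -Identity $Mailbox -ActiveSyncEnabled $false
        Write-Host "Wipe acknowledged by $($stats.Count) device(s); ActiveSync disabled for $Mailbox"
    } else {
        Write-Warning ("$($pending.Count) device(s) have not acknowledged the wipe yet; ActiveSync is left " +
                       "enabled so it can still be delivered. Use the mailbox-level steps above meanwhile.")
    }
    $stats | Select-Object DeviceType, DeviceID, DeviceWipeRequestTime, DeviceWipeAckTime
}

Invoke-WipeThenBlock -Mailbox 'user@domain.com'
```

If the device never acknowledges (it has been switched off, or the thief removed the account), the wipe will never land; that is the case where the mailbox-level measures in the post, or disabling the AD account, are the only thing that actually closes the door.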

Friday, October 19, 2012

Exchange 2013 Beta Exams

Microsoft Exchange Server 2013 MCSE Beta Exams are now open for registration for Microsoft Learning Subject Matter Experts (SMEs):

  • Beta exam – 71-341: Core Solutions of Microsoft Exchange Server 2013 Customer Preview
  • Beta exam – 71-342: Advanced Solutions of Microsoft Exchange Server 2013 Customer Preview


The beta exam period will run from October 19th to November 8th 2012 and is based on Exchange 2013 Customer Preview. The live exams testing Exchange 2013 RTM will be released around January 2013.

For more details on the upcoming Exchange 2013 certifications: 70-341 and 70-342

Friday, October 12, 2012

Exchange 2013 RTM

Today the Exchange engineering team signed off the Release to Manufacturing (RTM) build of the new Exchange 2013. This means the coding and testing phase of the project is complete and they are now focused on releasing the new Exchange via multiple distribution channels. General availability is planned for the first quarter of 2013.

In addition to Exchange, the new Office, SharePoint, and Lync have also reached RTM.

Source: EHLO

Friday, October 5, 2012

iOS 6 Issues with Exchange

There have been some reports that iOS 6 is not working properly for many Exchange users... Apparently there are two issues:

Push E-mail
Push delivery of e-mail does not work, meaning users have to manually check for e-mails. It seems that this issue is not carrier or device specific and rebooting or reconfiguring the Exchange accounts only “fixes” the issue temporarily.

Meetings
This second issue happens when users decline a meeting invitation from an iOS 6 device. Instead of simply sending a notification to the meeting organizer, iOS 6 sends meeting cancellation notices to the entire group of attendees, cancelling the invitation for everyone!


In the environment where I work, we don’t seem to be experiencing any of these issues. Initially I asked colleagues if they were having any problems with push e-mail and they were all working fine (I believe our ServiceDesk has not received any calls regarding this yet – we have 651 devices on iOS 6 so far).
As to the second issue, I tested it three times with different users and with the new iPad, iPhone 4S and iPhone 5 and couldn’t replicate the issue...

However, this seems to be affecting many, many Exchange 2007/2010 organizations out there, so please be aware of this and test it!

UPDATE: The Exchange Team has just published a post on this: iOS6 devices erroneously take ownership of meetings!

UPDATE 2: looks like Apple has released an update for iOS 6 (available via iTunes and wirelessly) which supposedly fixes the issues of this OS with Microsoft Exchange meetings! More information here.

Wednesday, October 3, 2012

List Litigation Hold Users and Size

A feature introduced in Exchange 2010 RTM that is being used more and more is Litigation Hold. It is used during a lawsuit, investigation or similar events to preserve mailbox items from inadvertent or purposeful modification or deletion by the user (or someone with access to the mailbox) and from automated deletion by retention policies. Until the hold is removed, deleted items are not purged from the mailbox database and, if a mailbox item is modified, a copy of the original item is also retained. These are returned in Discovery searches performed while the mailbox is on Litigation Hold. Any retention policies applicable to the mailbox don't need to be suspended. Because messages continue to be deleted as expected (except from the Recoverable Items\Purges folder!), users may not notice they're on Litigation Hold.
 
To check if there are any users in your organization currently enabled for Litigation Hold, simply run the following cmdlet:
Get-Mailbox -ResultSize Unlimited -Filter {LitigationHoldEnabled -eq $True}

If you want to check the Recoverable Items folder size for all mailboxes on Litigation Hold, i.e. how much data is being held (the figure for the Recoverable Items root folder already includes the Deletions, Versions and Purges subfolders), use the following cmdlet:
Get-Mailbox -ResultSize Unlimited -Filter {LitigationHoldEnabled -eq $True} | Get-MailboxFolderStatistics -FolderScope RecoverableItems | FT Identity, FolderAndSubfolderSize
 
Or if you simply want to check a single mailbox:
Get-MailboxFolderStatistics <user> -FolderScope RecoverableItems | Select Identity, FolderAndSubfolderSize
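Putting the two together, the following is an added example of mine (not from the original post) that produces one report of every mailbox on hold, how much it is holding and how close that is to its RecoverableItemsQuota. The size helper copes with both the live ByteQuantifiedSize object and the "1.2 GB (1,234,567 bytes)" string that a remote Shell session can hand back; the function names are mine.

```powershell
# Added example, not from the original post: Litigation Hold usage against quota, per mailbox.
function ConvertTo-Bytes {
    param($Size)
    if ($null -eq $Size -or "$Size" -eq 'Unlimited') { return $null }
    if ($Size.PSObject.Properties['IsUnlimited'] -and $Size.IsUnlimited) { return $null }
    if ($Size.PSObject.Properties['Value']) { $Size = $Size.Value }   # unwrap Unlimited<T>
    if ($Size.PSObject.Methods['ToBytes']) { return [int64]$Size.ToBytes() }
    if ("$Size" -match '\(([\d,]+) bytes\)') { return [int64]($Matches[1] -replace ',', '') }
    throw "Cannot interpret size value '$Size'"
}

function Get-LitigationHoldReport {
    Get-Mailbox -ResultSize Unlimited -Filter {LitigationHoldEnabled -eq $true} | ForEach-Object {
        $mbx  = $_
        # The root "Recoverable Items" folder's FolderAndSubfolderSize already covers
        # Deletions, Versions and Purges, so only that folder is needed
        $root = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope RecoverableItems |
                Where-Object { $_.FolderType -eq 'RecoverableItemsRoot' }
        $used  = ConvertTo-Bytes $root.FolderAndSubfolderSize
        $quota = ConvertTo-Bytes $mbx.RecoverableItemsQuota
        New-Object PSObject -Property @{
            Mailbox     = $mbx.Alias
            HoldDate    = $mbx.LitigationHoldDate
            HeldMB      = [math]::Round($used / 1MB, 1)
            QuotaMB     = if ($quota) { [math]::Round($quota / 1MB, 1) } else { 'Unlimited' }
            PercentUsed = if ($quota) { [math]::Round(100 * $used / $quota, 1) } else { $null }
        }
    } | Sort-Object HeldMB -Descending
}

Get-LitigationHoldReport | Format-Table Mailbox, HoldDate, HeldMB, QuotaMB, PercentUsed -AutoSize
```

A mailbox approaching its RecoverableItemsQuota is the one to act on: once the quota is hit the Store can no longer keep copies, which defeats the point of the hold.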

Hope this helps!

Monday, September 17, 2012

How to Determine Continuous Replication Mode (Block Mode or File Mode)?

In Exchange 2007 and 2010, Continuous Replication operates by shipping copies of the logs created by the active database copy to the passive database copies. With Exchange 2010 SP1, this is known as Continuous Replication - File Mode as the log file is only copied once it is full (1MB). But SP1 introduces a new form of continuous replication known as Continuous Replication - Block Mode. In block mode, when an update is written to the active database log file it is immediately copied to the passive mailbox copies, thus reducing the latency between the time a change is made on the active copy and the time that same change is replicated to a passive copy. This way, if a failure occurs on the active copy, the passive copies will have been updated with most or all of the latest updates.

However, Block Mode is only active when continuous replication is up-to-date in file mode. The Log Copier component monitors the copy and replay queue lengths of databases as transaction logs are generated and takes care of transitioning into and out of block mode automatically.

To determine if continuous replication is operating in block mode or file mode, use the following cmdlet:
Get-Counter -ComputerName <<DAG_Member_Name>> -Counter "\MSExchange Replication(*)\Continuous replication - block mode Active"

The output will be something similar to:
Timestamp                 CounterSamples
---------                 --------------
04/09/2012 11:39:46       \\MBX1\msexchange replication(mdb31)\continuous replication - block mode active : 1
                          \\MBX1\msexchange replication(mdb32)\continuous replication - block mode active : 1
                          \\MBX1\msexchange replication(mdb33)\continuous replication - block mode active : 0

Here, the “1” means that block mode is active while a “0” means it is not. However, note that your active databases will always show “0”, we are just interested in the passive copies!
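To avoid reading active copies as a problem, the following added example of mine (not from the original post) queries the counter on every DAG member and joins it with Get-MailboxDatabaseCopyStatus so only passive copies are listed, together with their copy queue length. The DAG name and the function name are mine.

```powershell
# Added example, not from the original post: block mode state for every passive copy in a DAG.
function Get-BlockModeStatus {
    param([Parameter(Mandatory)][string]$DagName)

    $counter = '\MSExchange Replication(*)\Continuous replication - block mode Active'
    $dag = Get-DatabaseAvailabilityGroup -Identity $DagName
    foreach ($server in ($dag.Servers | ForEach-Object { $_.Name })) {
        # Instance names come back lower-cased; index the samples by database name
        $samples = @{}
        (Get-Counter -ComputerName $server -Counter $counter).CounterSamples |
            ForEach-Object { $samples[$_.InstanceName.ToLower()] = [int]$_.CookedValue }

        # Passive copies only: the counter is always 0 for the active copy
        Get-MailboxDatabaseCopyStatus -Server $server |
            Where-Object { -not $_.ActiveCopy } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Server          = $server
                    Database        = $_.DatabaseName
                    Status          = $_.Status
                    CopyQueueLength = $_.CopyQueueLength
                    BlockMode       = ($samples[$_.DatabaseName.ToLower()] -eq 1)
                }
            }
    }
}

Get-BlockModeStatus -DagName 'DAG1' |
    Sort-Object Server, Database |
    Format-Table Server, Database, Status, CopyQueueLength, BlockMode -AutoSize
```

A passive copy showing BlockMode False with a non-zero copy queue is simply catching up in file mode, which is expected; a healthy copy with an empty queue that never enters block mode is the one worth investigating.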

Tuesday, September 11, 2012

Mailboxes Quarantined due to Troubleshoot-DatabaseSpace.ps1 Script

Exchange 2010 SP1 added a new script called Troubleshoot-DatabaseSpace.ps1 that is used to detect excessive growth of database and log drive volumes. This script can be run manually by administrators but if you have Microsoft System Center Operations Manager (SCOM) 2007 it is run automatically every 15 minutes.

This script performs the following actions:
1. Track log generation rate for the highest log generators (mailboxes) per database. This helps determine which users are logging too heavily and potentially causing space issues;
2. Track available disk space for both database and log files. If either of these is within a configurable threshold of being full (25% by default), further action is taken;
3. Track log generation rate. If it appears that the disk is going to run out of space within the value specified by the HourThreshold parameter (12 hours by default and based on the log generation rate), further action is taken;
4. If all of the above conditions are fulfilled, the script determines the list of top 25 users who accessed the database during the last 1 hour period. The script then quarantines the top high-usage mailboxes for 6 hours, during which they will not have access to e-mail;
5. If the troubleshooter is unsuccessful at dropping the log generation rate to below the threshold level, it will write out events that translate into health model alerts. At this point, the script removes the database from provisioning by running the Set-MailboxDatabase cmdlet with the ExcludeFromProvisioning parameter set to $True against the specified database;


When mailboxes are quarantined, you will see entries in the Registry of the mailbox server hosting that database/mailbox in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\"server_name"\Private-"DB.Guid"\"Mailbox_Guid"


To check the events logged by this script go to the mailbox server you want to check and then Event Viewer -> Application and Services Logs -> Microsoft-Exchange-Troubleshooters/Operational. Note that if you run the script manually through the Shell it will not produce any output - you have to check the Event Viewer.


If you run the script manually without any parameters or if you have SCOM running this script automatically, then it will use default values specified in the StoreTSConstants.ps1 script located in the same folder. This is where you can customize the 25% threshold, for example, if it is not ideal for your environment:

   # The percentage of disk space for the EDB file at which we should start quarantining users.
   $PercentEdbFreeSpaceDefaultThreshold = 25

   # The percentage of disk space for the logs at which we should start quarantining users.
   $PercentLogFreeSpaceDefaultThreshold = 25

   # The percentage of disk space for the EDB file at which we are at alert levels.
   $PercentEdbFreeSpaceAlertThreshold = 16

   # The percentage of disk space for the EDB file at which we are at critical levels.
   $PercentEdbFreeSpaceCriticalThreshold = 8

   #The number of hours we can wait before running out of space.
   $HourDefaultThreshold = 12


In order for mailboxes to be quarantined, the –Quarantine parameter must be passed to the script, which the SCOM monitor uses by default. Because the Exchange Management Pack is sealed, you can’t change this...

So, if 25% is too high for your environment, you can change the value by updating the StoreTSConstants.ps1 script across all your mailbox servers or, ultimately, simply disable the SCOM monitors that run this script:
• KHI: Failed to execute Troubleshoot-DatabaseSpace.ps1
• KHI:The database copy is low on database volume space and continues to grow. The volume has reached critical levels 8% free.
• KHI:The database copy is low on database volume space and continues to grow. The volume has reached error levels under 16% free.
• KHI:The database copy is low on database volume space and continues to grow. The volume is under 25% free.
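Before changing thresholds or disabling monitors, it helps to see what the troubleshooter would do without letting it quarantine anyone. The following is an added example of mine (not from the original post): it runs the script by hand against one database with the default thresholds but without -Quarantine, reads what it logged to the Troubleshooters/Operational log mentioned above, and lists any mailbox the Store already has in quarantine via the IsQuarantined flag of Get-MailboxStatistics. The script's parameter names used here (-MailboxDatabaseName, -PercentEdbFreeSpace, -PercentLogFreeSpace, -HourThreshold) are from my reading of the script and should be checked against the copy on your server; run it from the Exchange Management Shell.

```powershell
# Added example, not from the original post: dry-run the troubleshooter and read its verdict.
function Test-DatabaseSpace {
    param(
        [Parameter(Mandatory)][string]$Database,
        [int]$PercentFree   = 25,     # the StoreTSConstants.ps1 default
        [int]$HourThreshold = 12
    )
    $scriptPath = Join-Path $env:ExchangeInstallPath 'Scripts\Troubleshoot-DatabaseSpace.ps1'
    $started    = Get-Date

    # Same thresholds SCOM uses, but no -Quarantine, so nobody loses access during the test
    # (parameter names assumed; verify against Get-Help on your copy of the script)
    & $scriptPath -MailboxDatabaseName $Database `
        -PercentEdbFreeSpace $PercentFree -PercentLogFreeSpace $PercentFree `
        -HourThreshold $HourThreshold

    # The script prints nothing; its findings are in the Troubleshooters log on the active server
    $server = (Get-MailboxDatabase -Identity $Database -Status).MountedOnServer
    Get-WinEvent -ComputerName $server -LogName 'Microsoft-Exchange-Troubleshooters/Operational' |
        Where-Object { $_.TimeCreated -ge $started } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-List | Out-Host

    # Mailboxes already quarantined show IsQuarantined = True in their statistics
    Get-MailboxStatistics -Database $Database |
        Where-Object { $_.IsQuarantined } |
        Select-Object DisplayName, ItemCount, TotalItemSize, LastLogonTime
}

Test-DatabaseSpace -Database 'mdb33'
```

If the dry run names the top log generators you expected (a mailbox being migrated, a runaway mobile device), lowering the threshold is reasonable; if it names your executives, fix the quarantine policy before SCOM does it for you.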

Tuesday, September 4, 2012

Resubmit Messages in Queues

There might come a time when you experience a problem with your Hub/Edge Transport servers, Mailbox servers or e-mail gateway and messages get stuck in queues. Once you resolve the issue, you can either wait a few minutes for Exchange to resubmit the e-mails or you can manually resubmit them to the Submission queue for the categorizer to reprocess, as long as they are in one of the following states:
• Mailbox delivery queues or remote delivery queues that have the status of Retry. The messages in the queues must not be in the Suspended state;
• Messages in the Unreachable queue that aren't in the Suspended state;
• Messages in the poison message queue.
 
 
To manually resubmit messages, you can use the following methods (examples below):
• Use the Retry-Queue cmdlet with the -Resubmit parameter;
• Export the messages to .eml message files and resubmit them by placing them in the Replay directory;
• Use Queue Viewer or the Resume-Message cmdlet to resubmit the messages in the poison message queue. You can’t use the Retry-Queue cmdlet with the -Resubmit parameter to resubmit messages in the Poison Queue.
 
 
By using the –Resubmit parameter, messages are forced to be resubmitted through the Categorizer for a new delivery attempt. If you do not use the –Resubmit parameter, the delivery queue will try to connect to the next hop immediately without resubmitting the messages through the Categorizer.
 
 
Let’s look at a few examples:
1. To export a copy of a message (so you can put it into the Replay directory) that has an InternalMessageID of 1234 and is located in the remote delivery queue for the domain MSExchange.org on the server HUB01 to the path C:\MSExchange Export\export.eml (this is the Exchange 2007 syntax; on Exchange 2010 the -Path parameter is gone and you pipe the output to AssembleMessage -Path instead):
Export-Message HUB01\MSExchange.org\1234 -Path "C:\MSExchange Export\export.eml"

2. To resubmit all the messages in the 62306 delivery queue of the HUB01 server, use the following cmdlet (you can’t use the EMC):
Retry-Queue “HUB01\62306” -Resubmit $True

3. To resubmit all the messages in all delivery queues of server HUB01 that have a status of Retry (again, you can’t use the EMC):
Retry-Queue –Server “HUB01” -Filter {Status -eq "Retry"} -Resubmit $True

4. To resubmit all messages located in the Unreachable queue of server HUB01, use the following cmdlet (again, you can’t use the EMC):
Retry-Queue “HUB01\Unreachable” -Resubmit $True

5. Let’s force a connection attempt for all queues that are holding messages for the domain msexchange.org, have a status of Retry and are located on the server HUB01:
Retry-Queue -Server "HUB01" -Filter {NextHopDomain -eq "msexchange.org" -and Status -eq "Retry"}

 
6. To resubmit messages in the Poison Queues, you have to resume the messages. As I mentioned previously, the Poison Queue cannot be resubmitted by using the Retry-Queue cmdlet with the -Resubmit parameter.
Remember that the Poison Queue contains messages that are determined to be harmful to the Exchange system after a server failure. They may also be victims of a poorly written agent that crashed the Exchange server while it was processing them. If you're unsure of the safety of the messages in the poison message queue, you should export them to files so you can examine them.
 
Using the Exchange Management Console to resume messages in the Poison Queue:
1. In the EMC click Toolbox;
2. Open the Queue Viewer tool;
3. In Queue Viewer, click the Queues tab;
4. Click the Poison Queue and select View Messages;
5. Select one or more messages from the list, right-click them and select Resume.
 
To use the Shell you must first determine the identity of the message to be resumed. This example will show the identity of all messages in the poison queue:
Get-Message -Queue “Poison” | Select Identity
 
Now you can use the identity to resume the message. For example, let’s resume the message with an identity value of 123:
Resume-Message 123
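The Replay-directory method from the list above and the advice to export poison messages before touching them both need the same bulk export, so the following added example of mine (not from the original post) does it once for any queue. It uses the Exchange 2010 form of Export-Message (piped to AssembleMessage -Path), writes each file under a .tmp name and renames it to .eml only when complete so the transport service cannot pick up a half-written file, and refuses to drop the Poison queue straight into Replay. The function name, folder layout and the sample server/queue names are mine.

```powershell
# Added example, not from the original post: export a queue to .eml files, either for
# inspection or for re-injection through the server's Replay directory.
function Export-QueueMessages {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Queue,      # e.g. '62306', 'Unreachable', 'Poison'
        [string]$Destination,                      # inspection folder; ignored with -ToReplay
        [switch]$ToReplay                          # write straight into the Replay directory
    )
    if ($Queue -eq 'Poison' -and $ToReplay) {
        throw 'Refusing to replay poison messages unexamined; export them to a folder first.'
    }
    if ($ToReplay) {
        $Destination = (Get-TransportServer -Identity $Server).ReplayDirectoryPath
    } elseif (-not $Destination) {
        $Destination = Join-Path $env:TEMP "queue-export\$Server-$Queue"
    }
    if (-not (Test-Path $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }

    $exported = @()
    Get-Message -Queue "$Server\$Queue" -ResultSize Unlimited | ForEach-Object {
        # File name from the internal ID plus a sanitised sender, so nothing odd reaches the file system
        $name = '{0}-{1}' -f $_.InternalMessageId, ($_.FromAddress -replace '[^\w.@-]', '_')
        $tmp  = Join-Path $Destination "$name.tmp"
        Export-Message -Identity $_.Identity | AssembleMessage -Path $tmp
        # Only a complete .eml is visible to the Replay pickup; .tmp files are ignored
        Rename-Item -Path $tmp -NewName "$name.eml"
        $exported += (Join-Path $Destination "$name.eml")
    }
    Write-Host ("Exported {0} message(s) from {1}\{2} to {3}" -f $exported.Count, $Server, $Queue, $Destination)
    $exported
}

# Look at poison messages on disk before deciding whether to Resume-Message them
Export-QueueMessages -Server 'HUB01' -Queue 'Poison'

# Re-inject a stuck delivery queue through Replay instead of Retry-Queue -Resubmit
Export-QueueMessages -Server 'HUB01' -Queue '62306' -ToReplay
```

Suspend the queue (Suspend-Queue) before exporting it for replay, and once the replayed copies have been delivered remove the originals with Remove-Message -WithNDR $false; otherwise the queue will retry on its own and the recipients get every message twice.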