Tag Archives: Exchange 2013

Microsoft Exchange 2013/2016/2019 Security Vulnerability (URGENT)

CVE-2019-0586 | Microsoft Exchange Memory Corruption Vulnerability


Yesterday Microsoft published a KB article about a security vulnerability affecting Exchange 2013, 2016 and 2019.

The article lists the affected builds as Exchange 2016 CU10 and CU11, Exchange 2013 CU21, and the RTM release of Exchange 2019.

I spoke to Microsoft about whether this issue affects earlier CU versions of Exchange, and they confirmed it.



Vulnerability details:

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts.

Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.

The security update addresses the vulnerability by correcting how Microsoft Exchange handles objects in memory.


Download link:

https://support.microsoft.com/en-us/help/4471389/description-of-the-security-update-for-microsoft-exchange-server-2019
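To find out which servers still need this update, here is an added example (not part of the original post). It lists every Exchange 2013/2016/2019 server with both its Cumulative Update and the file version of ExSetup.exe; the function name Get-ExchangePatchLevel is mine, and it assumes you run it from the Exchange Management Shell with an account that can open a WinRM session to each server.

```powershell
# Added example, not part of the original post. Run it from the Exchange
# Management Shell with an account that can remote (WinRM) into each server.
# AdminDisplayVersion only reflects the installed Cumulative Update; security
# updates such as KB4471389 only raise the ExSetup.exe file version, so a
# server can report the right CU and still be unpatched. Compare the
# ExSetupFileVersion column against the build listed in the KB article.
function Get-ExchangePatchLevel {
    # Exchange 2013, 2016 and 2019 all report major version 15.
    $servers = Get-ExchangeServer | Where-Object { $_.AdminDisplayVersion.Major -eq 15 }
    foreach ($srv in $servers) {
        $fileVersion = try {
            Invoke-Command -ComputerName $srv.Fqdn -ErrorAction Stop -ScriptBlock {
                # ExchangeInstallPath is set by Exchange setup on every server.
                (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo.FileVersion
            }
        } catch {
            # Report unreachable servers instead of silently skipping them.
            "unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Server             = $srv.Name
            CumulativeUpdate   = $srv.AdminDisplayVersion.ToString()
            ExSetupFileVersion = $fileVersion
        }
    }
}

Get-ExchangePatchLevel | Sort-Object Server | Format-Table -AutoSize
```

A server whose ExSetupFileVersion is lower than the build the KB article names for its CU has not received the security update, even though Get-ExchangeServer shows the expected CU.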


Hosted Exchange 2013 Tenant setup step by step


Starting with hosted Exchange 2013, this is a brief article about how to set up tenants correctly, step by step.

1- Create the tenant OU

New-ADOrganizationalUnit -Name Test10 -Path "OU=ExchHosting,DC=lab,DC=com"

-Path is the parent container, so the new OU's distinguished name becomes OU=Test10,OU=ExchHosting,DC=lab,DC=com; that is the value the later cmdlets use as -RecipientContainer.


2- Add the tenant's UPN suffix to the forest

Set-ADForest -Identity exch01.lab.com -UPNSuffixes @{add="test10.com"}


Moving to the Exchange Management Shell:

3- Create the accepted domain in Exchange

New-AcceptedDomain -Name "Test10" -DomainName test10.com -DomainType:Authoritative


4- Create the Global Address List

New-GlobalAddressList -Name "Test10 - GAL" -ConditionalCustomAttribute1 "Test10" -IncludedRecipients MailboxUsers -RecipientContainer "ou=test10,OU=ExchHosting,DC=lab,DC=com"


Note:

Because each address list is created with its own recipient container and filter, it only ever contains that tenant's recipients, so the lists are virtually separated from each other as soon as they exist. You do not have to do anything further to keep tenants apart unless you deliberately want them to see each other. What ties a tenant's users to their own lists is the address book policy created in step 11 (see the TechNet article below).

https://technet.microsoft.com/en-us/library/hh529948(v=exchg.150).aspx


5- If needed, create the All Rooms address list

New-AddressList -Name "Test10 - All Rooms" -RecipientFilter "(CustomAttribute1 -eq 'Test10') -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')" -RecipientContainer "ou=test10,OU=ExchHosting,DC=lab,DC=com"


6- Create the All Users address list

New-AddressList -Name "Test10 - All Users" -RecipientFilter "(CustomAttribute1 -eq 'Test10') -and (ObjectClass -eq 'User')" -RecipientContainer "ou=test10,OU=ExchHosting,DC=lab,DC=com"


7- The All Contacts address list

New-AddressList -Name "Test10 - All Contacts" -RecipientFilter "(CustomAttribute1 -eq 'Test10') -and (ObjectClass -eq 'Contact')" -RecipientContainer "ou=test10,OU=ExchHosting,DC=lab,DC=com"


8- The All Groups address list

New-AddressList -Name "Test10 - All Groups" -RecipientFilter "(CustomAttribute1 -eq 'Test10') -and (ObjectClass -eq 'Group')" -RecipientContainer "ou=test10,OU=ExchHosting,DC=lab,DC=com"


9- Now for something quite useful: the Offline Address Book

New-OfflineAddressBook -Name "Test10" -AddressLists "Test10 - GAL"


10- Email address policy

New-EmailAddressPolicy -Name "Test10 - EAP" -RecipientContainer "ou=test10,OU=ExchHosting,DC=lab,DC=com" -IncludedRecipients AllRecipients -ConditionalCustomAttribute1 "Test10" -EnabledEmailAddressTemplates "SMTP:%g.%s@test10.com","smtp:%m@test10.com"

The template with the upper-case SMTP: prefix (first name.last name) becomes the primary address and the lower-case smtp: template (the alias) is added as a secondary address; -EnabledEmailAddressTemplates and -EnabledPrimarySMTPAddressTemplate cannot be combined in the same call. Run Update-EmailAddressPolicy -Identity "Test10 - EAP" afterwards if the tenant already has recipients that need to be stamped.


To change the primary SMTP address template of the Test10 organization's policy later (here it stays on test10.com):

Set-EmailAddressPolicy -Identity "Test10 - EAP" -EnabledPrimarySMTPAddressTemplate "SMTP:%g.%s@test10.com"


If you run this from the normal Exchange Management Shell you will usually get an error stating that the users do not exist in Active Directory. That is expected: the session is connected as a top-level forest user and cannot see the address book that is isolated from the other tenants.


You will need to open Windows PowerShell (not the Exchange Management Shell) and use the following cmdlets.

Before connecting, one of the Test10 organization's users has to be added to the Organization Management role group so that the account can administer its organization. Keep in mind that Organization Management is an organization-wide role group: a member of it can administer every tenant on the server, not only Test10.

$cred = Get-Credential

$Session = New-PSSession -Authentication Basic -Credential $cred -ConnectionUri https://mr.moh10ly.website/PowerShell/ -ConfigurationName Microsoft.Exchange -AllowRedirection

Import-PSSession $Session
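As an added example that is not part of the original post, here is the least-privilege alternative to Organization Management: a management scope pinned to the tenant OU and a role group that only holds recipient-level roles, so the tenant admin can manage Test10 and nothing else. The names "Test10 Recipients" and "Test10 Admins" are mine; "lab.com/ExchHosting/Test10" is the assumed canonical path of the OU created in step 1, and test10_mohammed is the tenant user created in step 13.

```powershell
# Added example, not from the original post. Instead of putting a tenant user
# into Organization Management (which administers every tenant), build a role
# group whose write scope is limited to the tenant's OU. Names below are the
# post's lab values; the scope and role group names are assumptions.
$tenant   = "Test10"
$tenantOu = "lab.com/ExchHosting/Test10"   # canonical path of OU=Test10,OU=ExchHosting,DC=lab,DC=com

# Recipient scope: everything under the tenant OU and nothing outside it.
# A restriction filter is required together with -RecipientRoot; "Name -like '*'"
# matches all recipients, so the OU alone defines the boundary.
New-ManagementScope -Name "$tenant Recipients" -RecipientRoot $tenantOu `
    -RecipientRestrictionFilter "Name -like '*'"

# Role group with recipient-level roles only: no server, no organization roles.
New-RoleGroup -Name "$tenant Admins" `
    -Roles "Mail Recipients", "Mail Recipient Creation", "Distribution Groups", "Reset Password" `
    -CustomRecipientWriteScope "$tenant Recipients" `
    -Members "test10_mohammed"

# Verify: every role assignment of the new group is pinned to the tenant scope.
Get-ManagementRoleAssignment -RoleAssignee "$tenant Admins" |
    Format-Table Role, CustomRecipientWriteScope -AutoSize

# The tenant admin then connects as in the post. Basic authentication must be
# enabled on the PowerShell virtual directory, and the URI must be HTTPS: Basic
# only base64-encodes the password, so TLS is the sole protection for it.
$cred    = Get-Credential "test10_mohammed"
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://mr.moh10ly.website/PowerShell/" `
    -Authentication Basic -Credential $cred -AllowRedirection
Import-PSSession $session
```

With this in place, a cmdlet such as Set-Mailbox against a mailbox in another tenant's OU fails for test10_mohammed with a scope error, which is the behaviour you want in a shared Exchange organization.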


11- Address book policy

Now we need to create the address book policy:

New-AddressBookPolicy -Name "Test10" -AddressLists "Test10 - All Users","Test10 - All Contacts","Test10 - All Groups" -GlobalAddressList "Test10 - GAL" -OfflineAddressBook "Test10" -RoomList "Test10 - All Rooms"


12- Optional: a room mailbox for the tenant

New-Mailbox -Name 'Test10 Conference Room 1' -Alias 'test10_conference' -OrganizationalUnit 'ou=test10,OU=ExchHosting,DC=lab,DC=com' -UserPrincipalName 'test10conf1@test10.com' -SamAccountName 'test10_conference' -FirstName 'Conference' -LastName 'Room 1' -AddressBookPolicy 'Test10' -Room


To mark this conference room as belonging to the tenant Test10 I have to use the following cmdlet; otherwise it will not show up in Test10's address book:

Set-Mailbox test10_conference -CustomAttribute1 'Test10'


Set the calendar settings for the conference room we have just created as follows:

Set-CalendarProcessing -Identity test10_conference -AutomateProcessing AutoAccept -DeleteComments $true -AddOrganizerToSubject $true -AllowConflicts $false


13- Create mailboxes

$c = Get-Credential

New-Mailbox -Name 'Mohammed Test' -Alias 'test10_mohammed' -OrganizationalUnit 'ou=test10,OU=ExchHosting,DC=lab,DC=com' -UserPrincipalName 'mohammed@test10.com' -SamAccountName 'test10_mohammed' -FirstName 'Mohammed' -LastName 'Hamada' -Password $c.Password -ResetPasswordOnNextLogon $false -AddressBookPolicy 'Test10'


Once this cmdlet has run, the user is created and you will be able to see it in the ECP.

You will not yet see the user in the tenant's address book, because the tenant tag this user belongs to has not been applied.

To apply it, use the following cmdlet:

Set-Mailbox mohammed@test10.com -CustomAttribute1 "Test10"
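The whole procedure above, steps 1 to 13, as one added example that is not the original post's code: a function that provisions a tenant, a function that creates a tenant mailbox and stamps CustomAttribute1 in the same step, and an audit that finds the mistake this post warns about (recipients in the tenant OU that were never tagged, or mailboxes that are not bound to the tenant's address book policy). The function names are mine; "lab.com", OU=ExchHosting and the Test10 values are the post's lab values, and it assumes a remote Exchange session plus the ActiveDirectory module.

```powershell
# Added example, not code from the original post. Requires the Exchange cmdlets
# (remote session or Exchange Management Shell) and the ActiveDirectory module.
# "lab.com" and OU=ExchHosting are the post's lab values and are assumptions here.
function New-HostedTenant {
    param(
        [Parameter(Mandatory)] [string] $Tenant,   # e.g. Test10, also used as the CustomAttribute1 tag
        [Parameter(Mandatory)] [string] $Domain,   # e.g. test10.com
        [string] $HostingOu = "OU=ExchHosting,DC=lab,DC=com",
        [string] $Forest    = "lab.com"
    )
    $ou = "OU=$Tenant,$HostingOu"
    New-ADOrganizationalUnit -Name $Tenant -Path $HostingOu
    Set-ADForest -Identity $Forest -UPNSuffixes @{ add = $Domain }
    New-AcceptedDomain -Name $Tenant -DomainName $Domain -DomainType Authoritative

    # Every list is scoped twice: by the tenant OU and by the tenant tag.
    $tag = "CustomAttribute1 -eq '$Tenant'"
    New-GlobalAddressList -Name "$Tenant - GAL" -ConditionalCustomAttribute1 $Tenant -IncludedRecipients MailboxUsers -RecipientContainer $ou
    New-AddressList -Name "$Tenant - All Rooms"    -RecipientFilter "($tag) -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')" -RecipientContainer $ou
    New-AddressList -Name "$Tenant - All Users"    -RecipientFilter "($tag) -and (ObjectClass -eq 'User')"    -RecipientContainer $ou
    New-AddressList -Name "$Tenant - All Contacts" -RecipientFilter "($tag) -and (ObjectClass -eq 'Contact')" -RecipientContainer $ou
    New-AddressList -Name "$Tenant - All Groups"   -RecipientFilter "($tag) -and (ObjectClass -eq 'Group')"   -RecipientContainer $ou
    New-OfflineAddressBook -Name $Tenant -AddressLists "$Tenant - GAL"

    # Upper-case SMTP: marks the primary template; lower-case smtp: adds an alias.
    New-EmailAddressPolicy -Name "$Tenant - EAP" -RecipientContainer $ou -IncludedRecipients AllRecipients `
        -ConditionalCustomAttribute1 $Tenant -EnabledEmailAddressTemplates "SMTP:%g.%s@$Domain", "smtp:%m@$Domain"
    Update-EmailAddressPolicy -Identity "$Tenant - EAP"

    New-AddressBookPolicy -Name $Tenant -AddressLists "$Tenant - All Users", "$Tenant - All Contacts", "$Tenant - All Groups" `
        -GlobalAddressList "$Tenant - GAL" -OfflineAddressBook $Tenant -RoomList "$Tenant - All Rooms"
}

# Create a tenant mailbox and tag it in the same step, so it appears in the
# tenant's lists immediately (New-Mailbox has no -CustomAttribute1 parameter).
function New-HostedTenantMailbox {
    param(
        [Parameter(Mandatory)] [string] $Tenant,
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $FirstName,
        [Parameter(Mandatory)] [string] $LastName,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $HostingOu = "OU=ExchHosting,DC=lab,DC=com"
    )
    $alias = ("{0}_{1}" -f $Tenant, $FirstName).ToLower()   # e.g. test10_mohammed
    $mbx = New-Mailbox -Name "$FirstName $LastName" -Alias $alias -OrganizationalUnit "OU=$Tenant,$HostingOu" `
        -UserPrincipalName "$($FirstName.ToLower())@$Domain" -SamAccountName $alias `
        -FirstName $FirstName -LastName $LastName -Password $Password -ResetPasswordOnNextLogon $false `
        -AddressBookPolicy $Tenant
    Set-Mailbox -Identity $mbx.Identity -CustomAttribute1 $Tenant
    $mbx
}

# Audit: every recipient under the tenant OU must carry the tenant tag, and
# every mailbox must be bound to the tenant ABP. An untagged recipient is
# invisible to the tenant; a mailbox without the ABP sees the default GAL.
function Test-HostedTenant {
    param(
        [Parameter(Mandatory)] [string] $Tenant,
        [string] $HostingOu = "OU=ExchHosting,DC=lab,DC=com"
    )
    $ou = "OU=$Tenant,$HostingOu"
    $untagged = Get-Recipient -OrganizationalUnit $ou -ResultSize Unlimited |
        Where-Object { $_.CustomAttribute1 -ne $Tenant }
    $wrongAbp = Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
        Where-Object { [string]$_.AddressBookPolicy -ne $Tenant }
    [pscustomobject]@{
        Tenant              = $Tenant
        UntaggedRecipients  = @($untagged | Select-Object -ExpandProperty Alias)
        MailboxesWithoutAbp = @($wrongAbp | Select-Object -ExpandProperty Alias)
    }
}

# Usage for the post's tenant:
New-HostedTenant -Tenant "Test10" -Domain "test10.com"
$pw = Read-Host -AsSecureString "Password for the new mailbox"
New-HostedTenantMailbox -Tenant "Test10" -Domain "test10.com" -FirstName "Mohammed" -LastName "Hamada" -Password $pw
Test-HostedTenant -Tenant "Test10"    # both lists should be empty
```

Run Test-HostedTenant after any manual change to a tenant; a non-empty UntaggedRecipients or MailboxesWithoutAbp list is exactly the situation the two Set-Mailbox fixes above correct.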

