Exchange 2010-2016 Security Fixes

Microsoft released security updates to fix a remote code execution vulnerability in Exchange Server. The related knowledge base article is KB4018588.

More information is contained in the following Common Vulnerabilities and Exposures articles:

  • CVE-2017-8521 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2017-8559 – Microsoft Exchange Cross-Site Scripting Vulnerability
  • CVE-2017-8560 – Microsoft Exchange Cross-Site Scripting Vulnerability

Depending on the lifecycle status of the product, fixes are made available either through a Rollup or as a security fix for the following product levels:

As you might notice, the security fix is made available for the N-1 builds of Exchange 2013 and Exchange 2016. This could imply the issue was addressed in the latest builds of those products. I hope to receive official confirmation on this soon.

The issue is deemed Important, which means organizations are advised to apply these updates at the earliest opportunity. However, as with any update, it is recommended to thoroughly test updates and fixes prior to deploying them in a production environment.

MS17-015: Security Fix for Exchange 2013 SP1+CU14 & 2016 CU3

Microsoft published security fixes for the issue described in bulletin MS17-015. Fixes have been released for the following product levels:

You are reading it correctly: the later Cumulative Updates are not affected. Earlier builds will not receive a security fix, as support is provided up to N-2 generation builds. The reason Exchange 2013 SP1 is in there is that Service Packs are on a different support scheme.

Note that this Rollup or security fix replaces MS16-108 (KB3184736); you can install MS17-015 over installations containing that security fix (there is no need to uninstall it first).

Blocking Outlook App for iOS & Android

Yesterday, Microsoft announced the immediate availability of the Outlook for iOS and Outlook for Android preview. These apps are the former app named Acompli, which was acquired by Microsoft in December last year. It is unlikely that Microsoft will develop and support two similar apps, so one can assume the new Outlook app will replace the current OWA for iOS and OWA for Android (or just OWA for Devices) apps.

The app isn’t without a little controversy:

  • The app stores credentials in a cloud environment from Amazon Web Services for e-mail accounts that don’t support OAuth authorization.
  • The app makes use of a service sitting between the app and your mailbox. This service acts as a sort of proxy (hence it requires those credentials), fetching, (pre)processing and sending e-mail. In some way this is smart, as it makes the app less dependent on back-end peculiarities, using a uniform protocol to communicate with the proxy service.
  • The app does not distinguish between devices (device identities are assigned to your account, which makes sense since the app uses a service to retrieve and process your e-mail).
  • The app does not honor ActiveSync policies, like PIN requirements. While true, this app is not an ordinary Exchange ActiveSync client.

You can read more about this here and here.

In all fairness, when the app was still named Acompli, nobody cried foul. But the app is now rebranded Outlook and property of Microsoft, so it seems this made the app fair game. I hope Microsoft is working behind the scenes to make the new Outlook app enterprise-ready, and I’m sure it won’t be long before we see the app’s services move from AWS to Azure. The whole outrage in the media also seems a bit misplaced, as Connected Accounts in Exchange Online, which retrieve e-mail from a POP or IMAP mailbox, also store credentials ‘in the cloud’.

It is recommended to treat the app as a consumer app for now, and you may want to block the app in your organization. I have written on how to accomplish blocking or quarantining faulty iOS updates before. However, in those articles I used the reported OS version to block or quarantine devices. The Outlook app proxy service reports itself as “Outlook for iOS and Android” as device model when querying your mailbox, allowing us to use the DeviceModel parameter for matching.

The cmdlet to block or quarantine the new Outlook app in Exchange 2010, Exchange 2013 or Office 365 is:

New-ActiveSyncDeviceAccessRule -QueryString 'Outlook for iOS and Android' -Characteristic DeviceModel -AccessLevel Block

or, to quarantine:

New-ActiveSyncDeviceAccessRule -QueryString 'Outlook for iOS and Android' -Characteristic DeviceModel -AccessLevel Quarantine

For examples of alternative blocking methods using TMG or F5, check this article. If you need to specify the user agent string, use “Outlook-iOS-Android/1.0” (or partial matching on “Outlook-iOS-Android” to block future updates of the app as well).
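Once a rule like the one above is in place, you will want to verify that it exists, what the organization falls back to for devices matching no rule, and which partnerships the app has already created. The following is an added example, not code from the original post; it assumes an Exchange Management Shell session (Exchange 2010/2013 or remote PowerShell to Office 365) and uses the DeviceModel string the app reports.

```powershell
# Added example: audit the Outlook app access rule and the partnerships that match it.
# Assumes an Exchange Management Shell session; $OutlookModel is the DeviceModel string
# the app's proxy service reports when it queries a mailbox.
$OutlookModel = 'Outlook for iOS and Android'

# 1. Is there a device access rule keyed on the app's DeviceModel, and what does it do?
$Rules = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceModel' -and $_.QueryString -eq $OutlookModel }
if (-not $Rules) {
    Write-Warning "No DeviceModel rule for '$OutlookModel'; matching devices get the organization default."
} else {
    $Rules | Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
}

# 2. The organization default decides what happens to devices that match no rule at all.
$OrgDefault = (Get-ActiveSyncOrganizationSettings).DefaultAccessLevel
Write-Output "Organization default access level: $OrgDefault"

# 3. Which partnerships already use the app, and in what state (Allowed/Blocked/Quarantined)?
#    Filtering client-side on DeviceModel keeps this independent of which properties the
#    server-side -Filter supports in a given Exchange version.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceModel -eq $OutlookModel } |
    Select-Object UserDisplayName, DeviceModel, DeviceUserAgent, DeviceAccessState, DeviceAccessStateReason |
    Sort-Object DeviceAccessState, UserDisplayName |
    Format-Table -AutoSize
```

DeviceAccessStateReason tells you whether a device's state comes from the rule (DeviceRule), from an individual allow/block on the mailbox, or from the global default, which is useful when a user reports being blocked or allowed unexpectedly.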

As with all mobile devices in enterprise environments, as an organization it may be better to test and approve devices and OS versions, rather than be confronted with mobile apps that behave faultily after an update or that may violate corporate security policies.

Comparing Active Directory Permissions

Every now and then you might be required to compare Active Directory account permissions. When it concerns one or a few accounts, you could do the manual side-by-side comparison using Active Directory Users and Computers. However, when you need to check multiple accounts this task becomes tedious.

Now you could follow the practice laid out by Exchange fellow Andy Grogan here, generating permissions output using Quest Active Roles and comparing the textual output with a comparison utility like WinMerge or WinDiff. But you can also perform this comparison using PowerShell’s Compare-Object cmdlet, which I’ll show you here.

For this task we’re going to use the Quest AD extensions (Active Roles), which you can download here. Install these extensions on a domain-joined system where PowerShell is already installed. After installation, start the ActiveRoles Management Shell and enter the following, where IdA and IdB are the Identities of the objects you want to compare:

$a = Get-QADPermission <IdA> -Inherited -SchemaDefault
$b = Get-QADPermission <IdB> -Inherited -SchemaDefault

Now $a and $b contain the permission sets of both objects. Next, we’re going to use Compare-Object to compare these two sets. When we use Compare-Object $a $b we get the following output:


This output is not very helpful, but it isn’t unexpected: since we are comparing two sets of objects, Compare-Object generates a result consisting of objects. We can make this more readable by specifying the PassThru parameter, so we can post-process these objects, for example by displaying certain fields using the Format-Table cmdlet:

Compare-Object $a $b -PassThru | ft SideIndicator,AccountName,Rights,Source,ApplyTo


Presto! The SideIndicator is included to see in which set the entry is contained, e.g. “<=” means the element is contained in the first specified (reference) object and “=>” means it is contained in the second (difference) object.

If you want to include equal objects in the output as well, add the IncludeEqual parameter to the Compare-Object cmdlet.
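When more than two accounts are involved, the same technique can be wrapped in a function that compares each account against a reference account and reports only the differing entries. This is an added example, not code from the original post; it assumes the Quest ActiveRoles Management Shell is loaded, and the identities used in the call at the bottom are placeholders.

```powershell
# Added example: compare the ACLs of one or more accounts against a reference account.
# Assumes Get-QADPermission (Quest ActiveRoles) is available; identities are placeholders.
function Compare-ADPermissionSet {
    param(
        [Parameter(Mandatory=$true)] [string]   $ReferenceIdentity,
        [Parameter(Mandatory=$true)] [string[]] $DifferenceIdentity,
        [switch] $IncludeEqual
    )
    # Compare on the fields that define an ACE rather than on whole objects, so two entries
    # granting the same account the same rights on the same target count as equal.
    $Fields = 'AccountName', 'Rights', 'ApplyTo', 'Source'

    $Reference = Get-QADPermission $ReferenceIdentity -Inherited -SchemaDefault
    foreach ($Identity in $DifferenceIdentity) {
        $Difference = Get-QADPermission $Identity -Inherited -SchemaDefault
        Compare-Object -ReferenceObject $Reference -DifferenceObject $Difference `
                       -Property $Fields -IncludeEqual:$IncludeEqual |
            ForEach-Object {
                # Translate the SideIndicator into the account the entry was found on.
                $Where = switch ($_.SideIndicator) {
                    '<=' { "only on $ReferenceIdentity" }
                    '=>' { "only on $Identity" }
                    '==' { 'on both' }
                }
                $_ | Select-Object @{ n = 'ComparedWith'; e = { $Identity } },
                                   @{ n = 'Where';        e = { $Where } },
                                   AccountName, Rights, ApplyTo, Source
            }
    }
}

# Placeholder identities: a template account as reference, two accounts to check against it.
Compare-ADPermissionSet -ReferenceIdentity 'domain.local/Users/Template' `
                        -DifferenceIdentity 'domain.local/Users/UserA', 'domain.local/Users/UserB' |
    Format-Table -AutoSize
```

Entries reported as "only on" one of the compared accounts are the ones worth reviewing; an unexpected extra ACE on a single account is exactly the kind of drift a manual side-by-side check tends to miss.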

SSL client compatibility

Exchange fellow Jetze Mellema blogged (in Dutch) about a useful online check, which allows you to check your current client – computer or smartphone – against a set of certificates from different vendors. The short – and more memorable and mobile-friendly – URL for this test is as follows:

The creator, SSL reseller FairSSL, also keeps a total overview, which is located at:

Note that the table’s titles are hard to read, but when hovering over the cells the corresponding product will be displayed.

Exchange Server 2010 Architecture poster

Finally, the long awaited Exchange Server 2010 Architecture Poster is here!

This is similar to the Exchange 2007 Component Architecture poster and contains the architecture highlights and feature set of Microsoft Exchange Server 2010. This architecture poster is additional to the already published Microsoft Exchange Server 2010 Transport Server Role Architecture Diagrams which you could already get here.

You can download the Microsoft Exchange Server 2010 Architecture poster here.

Exchange 2010 Role Based Access Control

Those who are about to switch to Exchange 2010 from Exchange 2007 will encounter major changes (and challenges) in the Exchange permissions model. For those still on Exchange 2003 (or earlier), the changes are more or less the same.

Exchange 2007

Before we dive into Exchange 2010 we’ll have a quick look at how permissions and delegations are managed in Exchange 2007. In Exchange 2007 we get the following security groups out of the box:

  • Exchange Organization Administrators;
  • Exchange Recipient Administrators;
  • Exchange Server Administrators;
  • Exchange View Only Administrators;
  • Exchange Public Folder Administrators.

That seems limited and very task-oriented. Memberships are managed using the Exchange Management Console or through the cmdlets Add-ExchangeAdministrator, Get-ExchangeAdministrator and Remove-ExchangeAdministrator. Also, by default, Recipient Administrators get permissions on all recipients within the Exchange organization. Domain or OU delegations are possible, but require a little additional configuration (see

Exchange 2010

Here comes Exchange 2010. New in Exchange is the management of delegation and permissions through the so-called Role Based Access Control model, shortened to RBAC. RBAC is partially configurable through the RBAC User Editor (Exchange Management Console > Toolbox) or fully using cmdlets. The RBAC model is based on three pillars: Who, What and Where.


The Who (not the band) determines which user (in RBAC users are represented by mailboxes) or group (Universal Security Group) receives permissions. This information is stored in Role Groups, which can be managed through the RoleGroup and RoleGroupMember cmdlets.

To create a new Role Group we use New-RoleGroup, like:
New-RoleGroup "UM Pincode Resetter" -Roles "Reset UM Pin"

Users or groups can be added directly to the Role Group at creation time, or can be added afterwards using Add-RoleGroupMember, like:
Add-RoleGroupMember "UM Pincode Resetter" -Member Angelique

To manage a Role Group, one has to be a member of the Organization Management Role Group or be the manager of the Role Group as determined by the ManagedBy attribute. Pay attention: members of the Organization Management Role Group also manage the Organization Management Role Group itself, so you could create a situation where nobody is able to manage anything.

Take note that a Role Group is nothing but a Universal Security Group with a special flag indicating the USG is a Role Group. In Active Directory, Role Groups are located in the Microsoft Exchange Security Groups OU.


The What decides what permissions are assigned by creating sets of cmdlets and parameters. This information is stored in RBAC’s Management Roles which can be managed through the ManagementRole and ManagementRoleEntry cmdlets.

Out of the box, Exchange 2010 has about 65 Management Roles, which can be queried using:

The permissions of a Management Role can be retrieved through Get-ManagementRole (Roles attribute) or through the Get-ManagementRoleEntry cmdlet:
Get-ManagementRoleEntry "UM Mailboxes\*"

What we see are all cmdlets and parameters available to the Management Role “UM Mailboxes”.

When creating our own Management Role, we need to specify an existing Management Role, the so-called parent:
New-ManagementRole -Name "Reset UM Pin" -Parent "UM Mailboxes"

Be advised that only custom Management Roles can be removed, and that all permissions of a Management Role must be removed before the Management Role itself can be removed. By specifying the Recurse parameter on the Remove-ManagementRole cmdlet you can perform cascaded deletes of custom Management Roles with a parent-child relationship.

After creating the custom Management Role with initial settings taken from the parent, we can start adding or removing permissions. Be advised that Management Roles require at least one Management Role Entry. Also, in order for Set cmdlets to work, you should allow the Get counterparts, so we will start by removing all ManagementRoleEntry items but one:
Get-ManagementRoleEntry "Reset UM Pin\*" | where { $_.Name -ne "Get-UMMailboxPIN" } | Remove-ManagementRoleEntry

Next, we can add custom permissions using Add-ManagementRoleEntry:
Add-ManagementRoleEntry "Reset UM Pin\Set-UMMailboxPIN" -Parameters "Identity,Pin,PinExpired,LockedOut"

What might be helpful is that Get-ManagementRoleEntry can also be used to retrieve all Management Roles that are allowed to execute a certain cmdlet, and with which parameters, e.g.:
Get-ManagementRoleEntry "*\*" | where { $_.Name -eq "Set-User" }

Where determines the scope, which can be anything from a certain group of users, a server or an Active Directory site to an Organizational Unit or the complete organization. RBAC has two types of scopes. The first are Implicit scopes, which are the scopes defined by the default Management Roles, e.g. Organization, MyGAL, Self, MyDistributionGroups, OrganizationConfig and None. The second type are Explicit scopes, which are predefined or custom scopes.

To view the scopes of a Management Role use Get-ManagementRole, e.g.:
Get-ManagementRole "UM Mailboxes" | fl *scope*

As we can see, a Management Role has four scopes:

  • Recipient Read Scope: Which AD recipient objects one can read from;
  • Recipient Write Scope: Which AD recipient objects one can write to;
  • Configuration Read Scope: Which AD configuration objects one can read from;
  • Configuration Write Scope: Which AD configuration objects one can write to.

As said earlier, new Management Roles must be based on an existing Management Role. At creation time the new Management Role inherits (i.e. copies) the scopes from the parent, after which they can be changed. Also, remember that the Write scope must be equal to or smaller than the Read scope; you need to be able to Get things before you can Set things.

To create a custom scope use the New-ManagementScope cmdlet with one of the following, mutually exclusive, filters:

  • RecipientRestrictionFilter to filter Recipients. You can optionally specify the root using RecipientRoot; otherwise the scope applies to the whole organization;
  • ServerRestrictionFilter to filter Server objects;
  • ServerList to filter server names.

New-ManagementScope -Name "NL Site" -ServerRestrictionFilter { ServerSite -eq "NL" }
New-ManagementScope -Name "Staff Secretaresses" -RecipientRoot "domain.local/Staff" -RecipientRestrictionFilter { MemberOfGroup -eq "cn=Secretaries,ou=Users,dc=domain,dc=local" }

Regarding the filtering possibilities, Exchange 2010 refers to the Exchange 2007 documentation, see
For more background information on scopes, see


After defining the Who, What and Where we can start combining these elements by using Role Assignments. A Role Assignment is the link between a Role Group and a Management Role, with additional attributes like Recipient and Configuration Scopes.

Existing Role Assignments of a Role Group can be retrieved using Get-RoleGroup, e.g.:
Get-RoleGroup "UM management" | fl

The attribute RoleAssignments contains the current Role Assignments. All Role Assignments can be queried using Get-ManagementRoleAssignment, e.g.:
Get-ManagementRoleAssignment "UM Mailboxes-UM Management" | fl

As we can see, Microsoft used a combination of the ManagementRole and RoleGroup names to label Role Assignments. This is good practice and makes it easier to understand – and remember – which Role Assignment affects which Management Role and Role Group.

Using New-ManagementRoleAssignment we can assign a Management Role to a Role Group or other USG, a policy (more on this perhaps in another article) or a user (mailbox), e.g.:
New-ManagementRoleAssignment -Name "Reset UM Pin-UM Pincode Resetter" -Role "Reset UM Pin" -SecurityGroup "UM Pincode Resetter" -CustomRecipientWriteScope "Staff Secretaresses"
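After building a custom role, group, scope and assignment as above, the useful check is the reverse one: for a given cmdlet, which roles expose it, who ends up with those roles through which assignment, and is a write scope limiting where they can use it. The following is an added example, not code from the original post; it assumes an Exchange 2010 Management Shell session and reuses the "Reset UM Pin" role from the text. The second function checks the Get-before-Set rule mentioned earlier for any custom role.

```powershell
# Added example: report who can run a cmdlet and through which role, assignment and scope.
# Assumes an Exchange 2010 Management Shell session.
function Get-CmdletRbacReport {
    param([Parameter(Mandatory=$true)] [string] $Cmdlet)

    # "*\<cmdlet>" returns the role entries for this cmdlet across all Management Roles.
    Get-ManagementRoleEntry "*\$Cmdlet" | ForEach-Object {
        $Entry = $_
        # Follow the role to its assignments; -GetEffectiveUsers expands Role Groups and USGs
        # down to the mailboxes that actually receive the permission.
        Get-ManagementRoleAssignment -Role $Entry.Role -GetEffectiveUsers |
            Where-Object { $_.Enabled } |
            Select-Object @{ n = 'Cmdlet';        e = { $Cmdlet } },
                          @{ n = 'Role';          e = { $Entry.Role } },
                          @{ n = 'Parameters';    e = { $Entry.Parameters -join ',' } },
                          @{ n = 'Assignment';    e = { $_.Name } },
                          @{ n = 'Assignee';      e = { $_.RoleAssignee } },
                          @{ n = 'EffectiveUser'; e = { $_.EffectiveUserName } },
                          RecipientWriteScope, CustomRecipientWriteScope, ConfigWriteScope
    }
}

# Sanity check for a custom role: every Set- entry should have its Get- counterpart, otherwise
# the Set cmdlet cannot read the object it is supposed to change.
function Test-RoleHasGetCounterparts {
    param([Parameter(Mandatory=$true)] [string] $Role)
    $Names = Get-ManagementRoleEntry "$Role\*" | ForEach-Object { $_.Name }
    $Names | Where-Object { $_ -like 'Set-*' } |
        ForEach-Object { $_ -replace '^Set-', 'Get-' } |
        Where-Object { $Names -notcontains $_ } |
        ForEach-Object { Write-Warning "Role '$Role' allows a Set- cmdlet but lacks $_" }
}

# Who can reset UM PINs, and whether a custom write scope limits where they can do it?
Get-CmdletRbacReport -Cmdlet 'Set-UMMailboxPIN' | Format-Table -AutoSize
Test-RoleHasGetCounterparts -Role 'Reset UM Pin'
```

For the example role, the report should show the "Reset UM Pin-UM Pincode Resetter" assignment with "Staff Secretaresses" as CustomRecipientWriteScope and the members of "UM Pincode Resetter" as effective users; any additional rows reveal other roles (such as the built-in UM Mailboxes role) that grant the same cmdlet more broadly.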


The Exchange 2010 RBAC model creates new opportunities for customers. Large companies, which probably already have complex delegation models in place, will like the more fine-grained controls to support business requirements. Their challenge lies in converting their existing model to the newly designed RBAC model. For smaller customers the default set of roles, groups, scopes and assignments might appear overwhelming at first, but will eventually be found an asset, as it supports a least-privilege security model and gets rid of the (Exchange) Administrators surplus.