From f5ac415e9ebdc5efa6146ab70c36ce6d6d4a2167 Mon Sep 17 00:00:00 2001 From: Bill Long Date: Fri, 13 Oct 2023 08:20:07 -0500 Subject: [PATCH 1/2] Add CodeFormatter check for curly quotes --- .build/CodeFormatter.ps1 | 2 + .../CheckContainsCurlyQuotes.ps1 | 51 +++++++++++++++++++ .vscode/settings.json | 4 +- 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 .build/CodeFormatterChecks/CheckContainsCurlyQuotes.ps1 diff --git a/.build/CodeFormatter.ps1 b/.build/CodeFormatter.ps1 index 1e47bc4c06..b1de5815ca 100644 --- a/.build/CodeFormatter.ps1 +++ b/.build/CodeFormatter.ps1 @@ -14,6 +14,7 @@ param( Set-StrictMode -Version Latest . $PSScriptRoot\Load-Module.ps1 +. $PSScriptRoot\CodeFormatterChecks\CheckContainsCurlyQuotes.ps1 . $PSScriptRoot\CodeFormatterChecks\CheckFileHasNewlineAtEndOfFile.ps1 . $PSScriptRoot\CodeFormatterChecks\CheckMarkdownFileHasNoBOM.ps1 . $PSScriptRoot\CodeFormatterChecks\CheckMultipleEmptyLines.ps1 @@ -69,6 +70,7 @@ foreach ($fileInfo in $filesToCheck) { $errorCount += (CheckScriptFileHasComplianceHeader $fileInfo $Save) ? 1 : 0 $errorCount += (CheckKeywordCasing $fileInfo $Save) ? 1 : 0 $errorCount += (CheckMultipleEmptyLines $fileInfo $Save) ? 1 : 0 + $errorCount += (CheckContainsCurlyQuotes $fileInfo $Save) ? 1 : 0 # This one is tricky. It returns $true or $false like the others, but in the case # of an error, we also want to get the diff output. Piping to Out-Host from within diff --git a/.build/CodeFormatterChecks/CheckContainsCurlyQuotes.ps1 b/.build/CodeFormatterChecks/CheckContainsCurlyQuotes.ps1 new file mode 100644 index 0000000000..6a12f32e1c --- /dev/null +++ b/.build/CodeFormatterChecks/CheckContainsCurlyQuotes.ps1 
@@ -0,0 +1,51 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+function CheckContainsCurlyQuotes {
+ [CmdletBinding()]
+ [OutputType([boolean])]
+ param (
+ [Parameter()]
+ [System.IO.FileInfo]
+ $FileInfo,
+
+ [Parameter()]
+ [boolean]
+ $Save
+ )
+
+ # Skip this file
+ if ($FileInfo.FullName -eq "$PSScriptRoot\CheckContainsCurlyQuotes.ps1") {
+ return $false
+ }
+
+ $curlyQuotes = $FileInfo | Select-String "‘|’|`“|`”"
+ if ($curlyQuotes) {
+ $content = Get-Content -Path $FileInfo.FullName -Raw
+ if ($Save) {
+ try {
+ $content = $content -replace "‘", "'"
+ $content = $content -replace "’", "'"
+ $content = $content -replace "`“", '"'
+ $content = $content -replace "`”", '"'
+ if ($FileInfo.Extension -eq ".ps1") {
+ Set-Content -Path $FileInfo.FullName -Value $content.TrimEnd() -Encoding utf8BOM
+ } else {
+ Set-Content -Path $FileInfo.FullName -Value $content.TrimEnd() -Encoding utf8NoBOM
+ }
+
+ Write-Host "Saved with curly quotes replaced: $($FileInfo.FullName)"
+ $false
+ } catch {
+ Write-Warning "Failed to save with curly quotes replaced: $($FileInfo.FullName). Error: $_"
+ $true
+ }
+ } else {
+ Write-Warning "File contains curly quotes: $($FileInfo.FullName)"
+ $curlyQuotes | Out-Host
+ $true
+ }
+ } else {
+ $false
+ }
+}
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 708421d8a9..c4c62ce7d9 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -32,5 +32,7 @@
 "internal-terms": false // Disable the `internal-terms` dictionary
 },
 "cSpell.caseSensitive": true,
- "editor.detectIndentation": false
+ "editor.detectIndentation": false,
+ "editor.unicodeHighlight.includeComments": true,
+ "editor.unicodeHighlight.nonBasicASCII": true
 }
\ No newline at end of file
From ef12467c0941befd5e3660629a42b3fb9cd81b8f Mon Sep 17 00:00:00 2001
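Review bot: In CheckContainsCurlyQuotes.ps1 the `Select-String` pattern and the four `-replace` calls cover only U+2018, U+2019, U+201C and U+201D, while PowerShell's tokenizer also accepts U+201A, U+201B and U+201E as quote delimiters, so a pasted low-9 or reversed quote passes this check and still changes where a string literal ends. Writing the patterns as escaped classes, `[\u2018\u2019\u201A\u201B]` for the single-quote group and `[\u201C\u201D\u201E]` for the double-quote group, closes that gap and keeps literal curly quotes out of the checker itself. The self-exemption `$FileInfo.FullName -eq "$PSScriptRoot\CheckContainsCurlyQuotes.ps1"` is a plain string comparison with a hard-coded backslash, so it presumably never matches when the formatter runs under pwsh on Linux or macOS, and with `-Save` the script would then rewrite its own patterns. Building the path with `Join-Path $PSScriptRoot 'CheckContainsCurlyQuotes.ps1'` avoids that.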
From: Bill Long Date: Mon, 23 Oct 2023 12:41:09 -0500 Subject: [PATCH 2/2] Fix curly quotes --- Calendar/Get-RBASummary.ps1 | 2 +- .../ManagedAvailabilityTroubleshooter.ps1 | 2 +- Retention/Get-MRMDetails.ps1 | 2 +- Security/README.md | 4 ++-- .../ErrorContext/Test-FailedSearchFoundation.ps1 | 6 +++--- Setup/Tests/SetupLogReviewer.Tests.ps1 | 6 +++--- docs/Admin/MonitorExchangeAuthCertificate.md | 2 +- .../HealthChecker/RPCMinConnectionTimeoutCheck.md | 3 +-- docs/Diagnostics/HealthChecker/SMBv1Check.md | 5 ++--- docs/Emerging-Issues.md | 4 ++-- docs/Security/CVE-2023-23397/index.md | 14 +++++++------- docs/Security/EOMT.md | 4 ++-- docs/Security/Extended-Protection.md | 10 +++++----- 13 files changed, 31 insertions(+), 33 deletions(-) diff --git a/Calendar/Get-RBASummary.ps1 b/Calendar/Get-RBASummary.ps1 index 02d1134f2a..6b246aff16 100644 --- a/Calendar/Get-RBASummary.ps1 +++ b/Calendar/Get-RBASummary.ps1 @@ -243,7 +243,7 @@ function RBAProcessingValidation { -and $RbaSettings.AllBookInPolicy -eq $false ` -and $RbaSettings.RequestInPolicy.Count -eq 0 ` -and $RbaSettings.AllRequestInPolicy -eq $false ) { - Write-Host -ForegroundColor Red "`r`n Error: The RBA isn’t configured to process items. No RBA processing of Meeting Requests will occur." + Write-Host -ForegroundColor Red "`r`n Error: The RBA isn't configured to process items. No RBA processing of Meeting Requests will occur." Write-Host -ForegroundColor Red "Consider configuring the properties below to process all requests. (Default is null, True, null, False, null, True)." Write-Host Write-Host "`t RequestOutOfPolicy: {$($RbaSettings.RequestOutOfPolicy)}" diff --git a/Diagnostics/ManagedAvailabilityTroubleshooter/ManagedAvailabilityTroubleshooter.ps1 b/Diagnostics/ManagedAvailabilityTroubleshooter/ManagedAvailabilityTroubleshooter.ps1 index 16148f2ce0..ec924354d7 100644 --- a/Diagnostics/ManagedAvailabilityTroubleshooter/ManagedAvailabilityTroubleshooter.ps1 
+++ b/Diagnostics/ManagedAvailabilityTroubleshooter/ManagedAvailabilityTroubleshooter.ps1 @@ -564,7 +564,7 @@ function CheckIfThisCanBeAKnownIssueUsingMonitor { } if ($ServiceHealthMSExchangeReplEndpointPossibleDNSissue) { Write-Host -foreground yellow "ServiceHealthMSExchangeReplEndpointMonitor is failing due to missing DNS entry." - Write-Host -foreground yellow "Make sure that the 'Register this connection’s addresses in DNS' property is selected on the network adapter" + Write-Host -foreground yellow "Make sure that the 'Register this connection's addresses in DNS' property is selected on the network adapter" Write-Host -foreground yellow "https://support.microsoft.com/en-us/kb/2969070" $Script:foundIssue = $true; return; } diff --git a/Retention/Get-MRMDetails.ps1 b/Retention/Get-MRMDetails.ps1 index 5f2b465877..fdaa7d7a63 100644 --- a/Retention/Get-MRMDetails.ps1 +++ b/Retention/Get-MRMDetails.ps1 @@ -28,7 +28,7 @@ function funcRetentionProperties { $Tags = $Tags | Add-Member @{OctetRetentionIDAsSeenInMFCMAPI = "" } -PassThru foreach ($t in $Tags) { #Convert each GUID to the Octet version that is seen in MFCMAPI's Properties - $t.OctetRetentionIDAsSeenInMFCMAPI = [System.String]::Join("", ($t.RetentionId.ToByteArray() | ForEach-Object { $_.ToString(‘x2’) })).ToUpper() + $t.OctetRetentionIDAsSeenInMFCMAPI = [System.String]::Join("", ($t.RetentionId.ToByteArray() | ForEach-Object { $_.ToString('x2') })).ToUpper() } $Tags | Select-Object * | Export-Clixml "$Mailbox - MRM Retention Policies for entire Tenant.xml" diff --git a/Security/README.md b/Security/README.md index 5040f4e70a..4bdd8eb60b 100644 --- a/Security/README.md +++ b/Security/README.md 
@@ -82,7 +82,7 @@ This will run the default mode which does the following: 3. Applies the URL rewrite mitigation **(only if vulnerable)**. 4. Runs the Microsoft Safety Scanner in "Quick Scan" mode **(vulnerable or not)**. -**Question**: What if I run a full scan and it’s affecting the resources of my servers? +**Question**: What if I run a full scan and it's affecting the resources of my servers? **Answer**: You can terminate the process of the scan by running the following command in an Administrative PowerShell session. @@ -98,7 +98,7 @@ This will run the default mode which does the following: * Malware scan of the Exchange Server via the Microsoft Safety Scanner * Attempt to reverse any changes made by identified threats. #### ExchangeMitigations.ps1: -* Does mitigations for all 4 CVE’s - CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 & CVE-2021-26858. +* Does mitigations for all 4 CVE's - CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 & CVE-2021-26858. * Some of the mitigation methods impact Exchange functionality. * Does not do any scanning for existing compromise or exploitation. * Does not take response actions to existing active identified threats. diff --git a/Setup/SetupLogReviewer/Checks/ErrorContext/Test-FailedSearchFoundation.ps1 b/Setup/SetupLogReviewer/Checks/ErrorContext/Test-FailedSearchFoundation.ps1 index 4c5ce0b661..965aff4b38 100644 --- a/Setup/SetupLogReviewer/Checks/ErrorContext/Test-FailedSearchFoundation.ps1 +++ b/Setup/SetupLogReviewer/Checks/ErrorContext/Test-FailedSearchFoundation.ps1 
@@ -25,7 +25,7 @@ function Test-FailedSearchFoundation { "- Uninstall the Search Foundation", " 1. Remove all SubFolders under C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data\Nodes\Fsis", " 2. Open Powershell as Administrator and navigate to the folder C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Installer", - " 3. Now uninstall the Search Foundation with this command: .\InstallConfig.ps1 -action U -DataFolder `"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data`”" + " 3. Now uninstall the Search Foundation with this command: .\InstallConfig.ps1 -action U -DataFolder `"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data`"" " 4. Run Setup again." ) return @@ -46,8 +46,8 @@ function Test-FailedSearchFoundation { " 1. Stop the Microsoft Exchange Search and Microsoft Exchange Search Host Controller services.", " 2. Remove all SubFolders under C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data\Nodes\Fsis", " 3. Open Powershell as Administrator and navigate to the folder C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Installer", - " 4. Now uninstall the Search Foundation with this command: .\InstallConfig.ps1 -action U -DataFolder `"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data`”" - " 5. Now install the Search Foundation with this command: .\InstallConfig.ps1 -action I -DataFolder `"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data`”" + " 4. Now uninstall the Search Foundation with this command: .\InstallConfig.ps1 -action U -DataFolder `"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data`"" + " 5. Now install the Search Foundation with this command: .\InstallConfig.ps1 -action I -DataFolder `"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data`"" ) } } 
diff --git a/Setup/Tests/SetupLogReviewer.Tests.ps1 b/Setup/Tests/SetupLogReviewer.Tests.ps1 index ae731de3d9..4a76ffbe6f 100644 --- a/Setup/Tests/SetupLogReviewer.Tests.ps1 +++ b/Setup/Tests/SetupLogReviewer.Tests.ps1 @@ -483,9 +483,9 @@ Describe "Testing SetupLogReviewer" { Assert-MockCalled -Exactly 1 -CommandName Write-Host ` -ParameterFilter { $Object -like "* 3. Open Powershell as Administrator and navigate to the folder C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Installer" } Assert-MockCalled -Exactly 1 -CommandName Write-Host ` - -ParameterFilter { $Object -like "* 4. Now uninstall the Search Foundation with this command: .\InstallConfig.ps1 -action U -DataFolder `"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data`”" } + -ParameterFilter { $Object -like "* 4. Now uninstall the Search Foundation with this command: .\InstallConfig.ps1 -action U -DataFolder `"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data`"" } Assert-MockCalled -Exactly 1 -CommandName Write-Host ` - -ParameterFilter { $Object -like "* 5. Now install the Search Foundation with this command: .\InstallConfig.ps1 -action I -DataFolder `"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data`”" } + -ParameterFilter { $Object -like "* 5. Now install the Search Foundation with this command: .\InstallConfig.ps1 -action I -DataFolder `"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data`"" } } It "Search Foundation Failure - Install" { 
@@ -503,7 +503,7 @@ Describe "Testing SetupLogReviewer" { Assert-MockCalled -Exactly 1 -CommandName Write-Host ` -ParameterFilter { $Object -like "* 2. Open Powershell as Administrator and navigate to the folder C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Installer" } Assert-MockCalled -Exactly 1 -CommandName Write-Host ` - -ParameterFilter { $Object -like "* 3. Now uninstall the Search Foundation with this command: .\InstallConfig.ps1 -action U -DataFolder `"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data`”" } + -ParameterFilter { $Object -like "* 3. Now uninstall the Search Foundation with this command: .\InstallConfig.ps1 -action U -DataFolder `"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\Data`"" } } It "Missing HomeMdb" { diff --git a/docs/Admin/MonitorExchangeAuthCertificate.md b/docs/Admin/MonitorExchangeAuthCertificate.md index 13c4e2a1a0..2e624aa75a 100644 --- a/docs/Admin/MonitorExchangeAuthCertificate.md +++ b/docs/Admin/MonitorExchangeAuthCertificate.md 
@@ -49,7 +49,7 @@ It's not recommended to replace the internal transport certificate with the newl The following syntax executes the script in renewal mode without user interaction. The required Auth Certificate renewal action will be performed. In unattended mode the internal SMTP certificate is replaced with the new Auth Certificate and then set back to the previous one. The script also restarts the `MSExchangeServiceHost` service and the `MSExchangeOWAAppPool` and `MSExchangeECPAppPool` WebApp Pools when the primary Auth Certificate has been replaced. -**NOTE:** The script creates a new internal transport certificate if the previously configured one wasn’t found on the machine where the script is run. +**NOTE:** The script creates a new internal transport certificate if the previously configured one wasn't found on the machine where the script is run. ```powershell PS C:\> .\MonitorExchangeAuthCertificate.ps1 -ValidateAndRenewAuthCertificate $true -Confirm:$false diff --git a/docs/Diagnostics/HealthChecker/RPCMinConnectionTimeoutCheck.md b/docs/Diagnostics/HealthChecker/RPCMinConnectionTimeoutCheck.md index 0e785a6bf8..733d5547fb 100644 --- a/docs/Diagnostics/HealthChecker/RPCMinConnectionTimeoutCheck.md +++ b/docs/Diagnostics/HealthChecker/RPCMinConnectionTimeoutCheck.md 
@@ -4,7 +4,7 @@ By default, Outlook Anywhere opens two default connections to the Exchange CAS called `RPC_InData` and `RPC_OutData`. The Outlook Anywhere client to server used a default timeout of `12 minutes (720 seconds)` of inactivity and the server to the client timeout is `15 minutes (900 seconds)`. -These default Keep-Alive intervals are not aggressive enough for some of today’s home networking devices and/or aggressive network devices on the Internet. Some of those devices are dropping TCP connections after as little as `5 minutes (300 seconds)` of inactivity. When one or both of the two default connections are dropped, the connection to the Exchange server is essentially broken and not useable. +These default Keep-Alive intervals are not aggressive enough for some of today's home networking devices and/or aggressive network devices on the Internet. Some of those devices are dropping TCP connections after as little as `5 minutes (300 seconds)` of inactivity. When one or both of the two default connections are dropped, the connection to the Exchange server is essentially broken and not useable. **Included in HTML Report?** @@ -13,4 +13,3 @@ Yes **Additional resources:** [Outlook Anywhere Network Timeout Issue](https://docs.microsoft.com/archive/blogs/messaging_with_communications/outlook-anywhere-network-timeout-issue) - diff --git a/docs/Diagnostics/HealthChecker/SMBv1Check.md b/docs/Diagnostics/HealthChecker/SMBv1Check.md index e21246036d..f8b5a76364 100644 --- a/docs/Diagnostics/HealthChecker/SMBv1Check.md +++ b/docs/Diagnostics/HealthChecker/SMBv1Check.md 
@@ -1,8 +1,8 @@ # SMBv1 Check -To make sure that your Exchange organization is better protected against the latest threats (for example Emotet, TrickBot or WannaCry to name a few) we recommend disabling SMBv1 if it’s enabled on your Exchange (2013/2016/2019) server. +To make sure that your Exchange organization is better protected against the latest threats (for example Emotet, TrickBot or WannaCry to name a few) we recommend disabling SMBv1 if it's enabled on your Exchange (2013/2016/2019) server. -There is no need to run the nearly 30-year-old SMBv1 protocol when Exchange 2013/2016/2019 is installed on your system. SMBv1 isn’t safe and you lose key protections offered by later SMB protocol versions. +There is no need to run the nearly 30-year-old SMBv1 protocol when Exchange 2013/2016/2019 is installed on your system. SMBv1 isn't safe and you lose key protections offered by later SMB protocol versions. This check verifies that SMBv1 is not installed (if OS allows) and that its activation is blocked. @@ -13,4 +13,3 @@ Yes **Additional resources:** [Exchange Server and SMBv1](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-and-smbv1/ba-p/1165615) - diff --git a/docs/Emerging-Issues.md b/docs/Emerging-Issues.md index 2535f8075d..504520f812 100644 --- a/docs/Emerging-Issues.md +++ b/docs/Emerging-Issues.md 
@@ -9,7 +9,7 @@ This page lists emerging issues for Exchange On-Premises deployments, possible r |**Updated on** | **Update causing the issue**| **Issue**| **Workaround/Solution** |-|-|-|-| -10/12/2023|[All versions of August 2023 Security Update](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/ba-p/3892811) for Exchange 2016, Exchange 2019 | Users in account forest can’t change expired password in OWA in multi-forest Exchange deployments after installing any version of [August 2023 Security Update for Exchange servers](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/ba-p/3892811)

**Note**
The account forest user will be able to change the password after they sign in to Outlook on the web if their password is not yet expired. The issue affects only account forest users who have passwords that are already expired. This change does not affect users in organizations that don’t use multiple forests.|** Update on 10/12/2023 **

Follow steps on [this article](https://support.microsoft.com/topic/users-in-account-forest-can-t-change-expired-password-in-owa-in-multi-forest-exchange-deployments-after-installing-august-2023-su-b17c3579-0233-4d84-9245-755dd1092edb) +10/12/2023|[All versions of August 2023 Security Update](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/ba-p/3892811) for Exchange 2016, Exchange 2019 | Users in account forest can't change expired password in OWA in multi-forest Exchange deployments after installing any version of [August 2023 Security Update for Exchange servers](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/ba-p/3892811)

**Note**
The account forest user will be able to change the password after they sign in to Outlook on the web if their password is not yet expired. The issue affects only account forest users who have passwords that are already expired. This change does not affect users in organizations that don't use multiple forests.|** Update on 10/12/2023 **

Follow steps on [this article](https://support.microsoft.com/topic/users-in-account-forest-can-t-change-expired-password-in-owa-in-multi-forest-exchange-deployments-after-installing-august-2023-su-b17c3579-0233-4d84-9245-755dd1092edb) 8/15/2023|[Non-English August 2023 Security Update](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/ba-p/3892811) for Exchange 2016, Exchange 2019 | When you install the Microsoft Exchange Server 2019 or 2016 August 2023 Security Update (SU) on a Windows Server-based device that is running a non-English operating system (OS) version, Setup suddenly stops and rolls back the changes. However, the Exchange Server services remain in a disabled state. |The latest SUs have been released that do not require a workaround to install. If you used a workaround to install KB5029388, it is highly recommend to uninstall the KB5029388 to avoid issues down the line. For more information please check out [this KB](https://support.microsoft.com/topic/exchange-server-2019-and-2016-august-2023-security-update-installation-fails-on-non-english-operating-systems-ef38d805-f645-4511-8cc5-cf967e5d5c75). 6/15/2023|[January 2023 Security Update](https://www.microsoft.com/en-us/download/details.aspx?id=104914) for Exchange 2016, Exchange 2019 | When you try to uninstall Microsoft Exchange Server 2019 or 2016 on servers, that had January 2023 Security Update for Exchange Server installed at any point, the Setup fails with following error message:

[ERROR] The operation couldn't be performed because object '' couldn't be found on ''. |Install Exchange Security Update June 2023 or higher to resolve the issue. Check [this KB](https://support.microsoft.com/help/5025312) for more details 6/15/2023|Extended protection enabled on Exchange server | Changing the permissions for Public Folders by using an Outlook client will fail with the following error, if Extended Protection is enabled:

`The modified Permissions cannot be changed.`| Install Exchange Security Update June 2023 or higher to resolve the issue. Check [this KB](https://support.microsoft.com/en-us/topic/extended-protection-doesn-t-support-public-folder-client-permissions-management-through-outlook-bd2037b5-40e0-413a-b368-746b3f5439ee) for more details @@ -79,6 +79,6 @@ Following are the known issues after installing July 2021 Security Updates/Cumul OWA/ECP stops working after installing July Security Update with following error:
**ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1** | The issue occurs if OAuth certificate is missing or expired | Follow steps on [this](https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired) article to re-publish the Oauth certificate. Do note it takes up to an hour for certificate to change place OWA/ECP stops working when accessed from load balanced URL, but works if directly accessed from the server URL | The root cause for the issue is under investigation | Follow steps in [this article](https://support.microsoft.com/en-us/help/5005341) to fix the issue PrepareAD with Exchange 2016 CU21/Exchange 2019 CU10 error:
Used domain controller dc1.contoso.com to read object CN=AdminSDHolder,CN=System,DC=Contoso,DC=COM. [ERROR] Object reference not set to an instance of an object. | The issue is under investigation | Follow steps in [this article](https://support.microsoft.com/kb/5005319) to fix the issue -PrepareSchema in environments that have empty root AD domain | July Security Update for Exchange 2013 have shipped schema changes and needs Exchange role installed for PrepareSchema, this makes it difficult for environments that have Exchange 2013 as the highest installed Exchange server and do not have an Exchange server installed in the same AD site as that of root AD domain. | Option 1
Introduce a new server that meets system requirements for Exchange 2013 Management tools, in the root AD domain. Install just the Exchange 2013 Management Tools role on this server.
Install the July security fix, perform Schema update.

Option 2
PrepareSchema using Exchange 2016 21/Exchange 2019 CU10 media, as the CU’s have the changes.
However, once Exchange 2016/2019 media is used to perform schema update, you will need to continue using Exchange 2016/2019 media in the future as well. +PrepareSchema in environments that have empty root AD domain | July Security Update for Exchange 2013 have shipped schema changes and needs Exchange role installed for PrepareSchema, this makes it difficult for environments that have Exchange 2013 as the highest installed Exchange server and do not have an Exchange server installed in the same AD site as that of root AD domain. | Option 1
Introduce a new server that meets system requirements for Exchange 2013 Management tools, in the root AD domain. Install just the Exchange 2013 Management Tools role on this server.
Install the July security fix, perform Schema update.

Option 2
PrepareSchema using Exchange 2016 21/Exchange 2019 CU10 media, as the CU's have the changes.
However, once Exchange 2016/2019 media is used to perform schema update, you will need to continue using Exchange 2016/2019 media in the future as well. The Schema Version number for Exchange 2013 environment remains on 15312, even after installing SU and performing PrepareSchema | This is expected behavior. The schema version is going to remain 15312 after installing Security Update and performing PrepareSchema After installing Exchange 2016 CU21/Exchange 2019 CU10, the values added to custom attributes using EAC are not retained. The scenario works fine in Exchange 2016 CU20/Exchange 2019 CU9 | The issue is under investigation | **Workaround 1:**
Use EAC from Internet Explorer

**Workaround 2:**
Add the values using Exchange Management Shell diff --git a/docs/Security/CVE-2023-23397/index.md b/docs/Security/CVE-2023-23397/index.md index e48b426e3d..f7a78dc13f 100644 --- a/docs/Security/CVE-2023-23397/index.md +++ b/docs/Security/CVE-2023-23397/index.md @@ -43,7 +43,7 @@ Add-RoleGroupMember -Identity "CVE-2023-23397-Script" -Member " Get-Mailbox -ResultSize Unlimited | .\CVE-2023-23397.ps1 -Environment On Note: If there are Exchange 2013 servers in the environment with Exchange 2016 or 2019, the script may not be able to open mailboxes on Exchange 2013 and may give the following error: -![Exchange Server doesn’t support the requested version screenshot](attachments/CVE-2023-23397_screenshot1.png) +![Exchange Server doesn't support the requested version screenshot](attachments/CVE-2023-23397_screenshot1.png) If the above error appears, run the script with an additional parameter EWSExchange2013, as shown below. 
@@ -154,10 +154,10 @@ PS C:\> Get-Mailbox -ResultSize Unlimited | .\CVE-2023-23397.ps1 -Environment On The script provides a list of all the messages containing the problematic property in the mailboxes of users specified in an AuditResult_timestamp.CSV file. Admins should analyze this file and mark (with a "Y") messages for which either the property is to be cleaned or the message must be removed. Step 1 -Mark the messages for cleanup by entering “Y” instead of “N” in the cleanup column of CSV file. +Mark the messages for cleanup by entering "Y" instead of "N" in the cleanup column of CSV file. Step 2 -Choose either to remove the message or only the problematic property in the next step by specifying CleanupAction as “ClearItem” or “ClearProperty.” Execute the script as follows to remove the message or property marked with Y in the CSV file. +Choose either to remove the message or only the problematic property in the next step by specifying CleanupAction as "ClearItem" or "ClearProperty." Execute the script as follows to remove the message or property marked with Y in the CSV file. ##### Examples: This syntax runs the script to clear the problematic property from messages: @@ -235,10 +235,10 @@ PS C:\> .\CVE-2023-23397.ps1 -Environment "Online" -CleanupAction ClearItem -Cle ``` ## Script execution errors and troubleshooting -### Exchange Server doesn’t support the requested version +### Exchange Server doesn't support the requested version If there are Exchange 2013 servers in an environment with Exchange 2016 or Exchange 2019, the script may not be able to open mailboxes on Exchange 2013 and may give the following error: -![Exchange Server doesn’t support the requested version screenshot](attachments/CVE-2023-23397_screenshot1.png) +![Exchange Server doesn't support the requested version screenshot](attachments/CVE-2023-23397_screenshot1.png) If the above error appears, run the script with the EWSExchange2013 parameter: 
diff --git a/docs/Security/EOMT.md b/docs/Security/EOMT.md index 1ab938b349..208ba08592 100644 --- a/docs/Security/EOMT.md +++ b/docs/Security/EOMT.md @@ -76,7 +76,7 @@ This will run the default mode which does the following: 3. Applies the URL rewrite mitigation **(only if vulnerable)**. 4. Runs the Microsoft Safety Scanner in "Quick Scan" mode **(vulnerable or not)**. -**Question**: What if I run a full scan and it’s affecting the resources of my servers? +**Question**: What if I run a full scan and it's affecting the resources of my servers? **Answer**: You can terminate the process of the scan by running the following command in an Administrative PowerShell session. @@ -92,7 +92,7 @@ This will run the default mode which does the following: * Malware scan of the Exchange Server via the Microsoft Safety Scanner * Attempt to reverse any changes made by identified threats. ### ExchangeMitigations.ps1: -* Does mitigations for all 4 CVE’s - CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 & CVE-2021-26858. +* Does mitigations for all 4 CVE's - CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 & CVE-2021-26858. * Some of the mitigation methods impact Exchange functionality. * Does not do any scanning for existing compromise or exploitation. * Does not take response actions to existing active identified threats. diff --git a/docs/Security/Extended-Protection.md b/docs/Security/Extended-Protection.md index 705a9090c2..c567026251 100644 --- a/docs/Security/Extended-Protection.md +++ b/docs/Security/Extended-Protection.md 
@@ -89,7 +89,7 @@ Enabling Extended Protection on Hybrid servers using Modern Hybrid configuration This step is not required if you are using classic Hybrid configuration. -In case you don’t have a list of servers published via Hybrid Agent, you can use the following steps to identify them: +In case you don't have a list of servers published via Hybrid Agent, you can use the following steps to identify them: 1. Log into a machine where the Hybrid Agent is installed and running. Open the [PowerShell module](https://docs.microsoft.com/exchange/hybrid-deployment/hybrid-agent#hybrid-agent-powershell-module) of the Hybrid Agent and run _Get-HybridApplication_ to identify the _TargetUri_ used by the Hybrid Agent. 2. The _TargetUri_ parameter gives you the FQDN of the Exchange Server that is configured to use Hybrid Agent. @@ -195,7 +195,7 @@ Before enabling Extended Protection in your Exchange environment, ensure you mee To enable Extended Protection on all your Exchange Servers, you can use the [ExchangeExtendedProtectionManagement.ps1](https://aka.ms/ExchangeEPScript) script, which is hosted on the Microsoft Exchange-CSS repository on GitHub. -It’s not required to run the script directly on any specific Exchange Server in your environment. Just copy it to a machine that has the Exchange Management Shell (EMS) installed. +It's not required to run the script directly on any specific Exchange Server in your environment. Just copy it to a machine that has the Exchange Management Shell (EMS) installed. !!! warning "Note" 
@@ -273,7 +273,7 @@ Or 3. Some Exchange servers are not reachable: - The script performs multiple tests against all Exchange servers in scope. If one or more of these servers aren’t reachable, the script will exclude them and not configure Extended Protection on them. + The script performs multiple tests against all Exchange servers in scope. If one or more of these servers aren't reachable, the script will exclude them and not configure Extended Protection on them. ![Text Description automatically generated](attachments/3095edc994a8aa4bb79f90fe519a0e36.png) If the server is offline, you should enable Extended Protection on it once it is back online. If the server was unreachable for other reasons, you should run the script directly on the servers to enable Extended Protection. @@ -288,7 +288,7 @@ The following command initiates a full rollback of **Extended Protection setting #### Rolling back IP Restriction settings -You can use the script to **only** roll back **Allow and Deny rules** set in Backend EWS vDir’s IP Address and Domain Restriction module in the following way. +You can use the script to **only** roll back **Allow and Deny rules** set in Backend EWS vDir's IP Address and Domain Restriction module in the following way. `.\ExchangeExtendedProtectionManagement.ps1 -RollbackType RestrictTypeEWSBackend` @@ -317,7 +317,7 @@ If you want to enable Extended Protection in your environment manually without u #### Set Require SSL settings to either Required or Accept for an Exchange Virtual Directory -1. Go to the Virtual Directory’s home page. +1. Go to the Virtual Directory's home page. ![Graphical user interface, text, application, Word Description automatically generated](attachments/0d05a67039245dde885522e84ca74bc3.png) 2. Go to _SSL Settings_. 3. Check the _Require SSL_ checkbox to make sure that Require SSL is enabled for this Virtual Directory.