August 2022 Security Updates for Exchange

Jaap Wesselius

Microsoft has released Security Updates (SUs) for Exchange 2013, Exchange 2016 and Exchange 2019 that address security vulnerabilities rated ‘Critical’ (Elevation of Privileges) and ‘Important’ (Information Disclosure).

In these Security Updates, Microsoft introduced support for Extended Protection. Windows Extended Protection was already available, but it is now supported in Exchange. Extended Protection enhances authentication and prevents so-called ‘man in the middle’ attacks. It is possible to enable Extended Protection manually in Exchange, but it is strongly recommended to use the Microsoft PowerShell script to enable Extended Protection.

These Security Updates are available for the latest versions of Exchange server, i.e. Exchange 2013 CU23, Exchange 2016 CU11 and 2022H1 and Exchange 2019 CU11 and 2022H1. Although the updates are supported on n-1, I strongly recommend updating your Exchange servers to the latest version, the third block in the following image:

ex-august-updates-2

Before you can enable Extended Protection, make sure the following prerequisites are met:

  • Public Folders must not be hosted on Exchange 2013; they must be hosted on Exchange 2016 or Exchange 2019.
  • Extended Protection does not work on hybrid servers that have the hybrid agent installed (i.e. if you are running classic hybrid, you’re good!)
  • SSL Offloading is not supported, but re-encrypting is supported when the SSL certificate on the load balancer and the Exchange servers is the same.
  • TLS configuration must be consistent across all Exchange servers. This can be an issue and potentially take quite some time. Also, make sure that all clients continue to work when disabling TLS 1.0 and TLS 1.1 when running coexistence with Exchange 2019.
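
One way to check the TLS-consistency prerequisite before enabling Extended Protection, as an added example (not from the original post and not part of Microsoft's script): it reads the SCHANNEL protocol switches and the .NET strong-crypto flags on each server and reports every setting that differs. The server names are placeholders reused from the commands in this post, and PowerShell remoting to each server is assumed.

```powershell
# Added example. EXCH01/EXCH02 are placeholder server names.
$servers = 'EXCH01', 'EXCH02'

# Runs on each server: emit one Setting/Value row per TLS-related registry value.
$collect = {
    function Read-Value($Path, $Name) {
        $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        [pscustomobject]@{
            Setting = "$Path\$Name"
            # A missing key or value is reported explicitly instead of as an empty string.
            Value   = if ($null -eq $v) { 'NotSet' } else { [string]$v }
        }
    }
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            foreach ($name in 'Enabled', 'DisabledByDefault') {
                Read-Value "$schannel\$proto\$role" $name
            }
        }
    }
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
        foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            Read-Value $key $name
        }
    }
}

# Invoke-Command adds PSComputerName to every row it returns.
$rows = Invoke-Command -ComputerName $servers -ScriptBlock $collect

# A setting is inconsistent when the servers report more than one distinct value for it.
$mismatches = $rows | Group-Object -Property Setting | Where-Object {
    @($_.Group.Value | Select-Object -Unique).Count -gt 1
}

foreach ($m in $mismatches) {
    Write-Warning "Inconsistent: $($m.Name)"
    $m.Group | Sort-Object PSComputerName | Format-Table PSComputerName, Value -AutoSize
}
if (-not $mismatches) { "TLS registry settings match on all $($servers.Count) servers." }
```

A row showing 'NotSet' on one server and an explicit value on another means that server is relying on the operating system default, which is worth resolving before Extended Protection is switched on.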

There are also known issues (Microsoft is working on this):

  • You must not enable Extended Protection when running a Retention Policy that contains a ‘move to archive’ Policy Tag. Extended Protection will stop automatic archiving.
  • One of the MAPI over HTTP probes (OutlookMapiHttpCtpProbe) can show ‘failed’ after enabling Extended Protection.

If you want to enable Extended Protection for all servers in one run, execute the PowerShell script without any options:

[PS] C:\Install> .\ExchangeExtendedProtectionManagement.ps1

If you want to enable it for just a number of named servers, use the following syntax:

[PS] C:\Install> .\ExchangeExtendedProtectionManagement.ps1 -ExchangeServerNames EXCH01,EXCH02

Or if you want to exclude an Exchange server:

[PS] C:\Install> .\ExchangeExtendedProtectionManagement.ps1 -SkipExchangeServerNames EXCH10

There’s also a rollback function you can use when you have undesirable results:

[PS] C:\Install> .\ExchangeExtendedProtectionManagement.ps1 -RollbackType "RestoreIISAppConfig"

Summary
The August 2022 Security Updates for Exchange contain support for Extended Protection. The easiest way to configure this is to use the Microsoft PowerShell script. But make sure that all prerequisites are met before you start enabling Extended Protection. As usual, it is important that you install the updates and configure Extended Protection in your test environment first to see what the implications are, both on the server and the various clients in your organization.

More information regarding the Common Vulnerabilities and Exposures (CVE) and downloads can be found at the following locations:

  • CVE-2022-21979 - Microsoft Exchange Information Disclosure Vulnerability
  • CVE-2022-21980 - Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2022-24477 - Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2022-24516 - Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2022-30134 - Microsoft Exchange Server Elevation of Privilege Vulnerability

Exchange Server Support for Windows Extended Protection - https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/
