Exchange Center

ENow Software's Exchange blog built by Microsoft MVPs for IT/Sys Admins.

Posts about:

Security

Microsoft Defender for Cloud Apps listing image

Microsoft Defender for Cloud Apps

Image of Nathan O'Bryan MCSM
Nathan O'Bryan MCSM

Formerly known as “Cloud App Security”, Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that is part of the Microsoft 365 Defender suite of products. Defender for Cloud Apps (DCA) is built to help IT departments control the data that their organizations have hosted in multiple cloud services including but not limited to Office 365.

Read More
business man touching cyber padlock

Securing Exchange Servers

Image of Nathan O'Bryan MCSM
Nathan O'Bryan MCSM

Securing Exchange Servers

Securing Exchange servers is hard. I mean it can be a giant pain sometimes. There are what, hundreds of millions or maybe billions of lines of code running on your Exchange servers, right? It doesn’t take much for a typo to get through and open a vulnerability that can then be exploited opening the most important and valuable data within your organization to all kinds of bad actors.

Read More
Group of business people assembling jigsaw puzzle and represent team support and help concept

LDAP Policies & Exchange Deployment

Image of Ingo Gegenwarth
Ingo Gegenwarth

The Exchange Team provides you the Exchange Role Requirements Calculator now for a long time. This tool is still maintained and the preferred one for correct sizing. You can find information on how to use it on this EHLO blog post.

Although the calculator takes several  scenarios into account, it cannot cover everything. One of these are LDAP Policies, which exist since Windows 2000. These policies are your friends as they help to safeguard your Active Directory Domain Controllers. When Exchange 2010 throttling policies were introduced, which have the same purpose: Manage performance and heath of your Exchange servers. If you are not familiar with, I recommend reading this(old) Docs article as the new one doesn’t contains much details.

Why should I care?

There is a recommendation about the ratio of CPU cores of Active Directory global catalog cores for every mailbox server core of 1:8, but nothing related to LDAP client connections.

When you look at LDAP policies, you will see there is a property MaxConnections with a value of 5000. This limit is for per Domain Controller for ALL clients. You might think this is quite a high number, but here is an example of a DAG with preferred architecture:

  • 1 DAG with 4 servers
  • 72 databases
  • Each database has 4 copies (3 high available and 1 lagged)
  • Evenly distributed across all servers

In a normal situation, where every server is in a healthy state, each server holds 18 activate and 54 passive databases.

Since Exchange 2010 every database has its own Microsoft.Exchange.Store.Worker process, which is an improvement in terms of availability and performance, but this process also establish a connection to a domain controller. And this is not the only process, which is doing this. Every Exchange related process (e.g.: MSExchangeHMWorker, MSExchangeFrontendTransport) will do and some of them even more than one like w3wp.exe. You can check easily check the number of connections your Exchange server has established to a domain controller with PowerShell:

Open an elevated PowerShell and run the following commands:

  1. $DCConnections=Get-NetTCPConnection -RemoteAddress 10.21.0.118  
  2. $DCConnections | group OwningProcess | sort count | select count,@{l="Process";e={(Get-Process -Id $_.Name).ProcessName}},@{l="ProcessID";e={$_.Name}} | ft -a  
  3. $DCConnections | group OwningProcess | measure -Sum -Property count  

In this example you see that the IIS worker for Exchange Active Sync established 4 connections to one of the domain controllers.

This server established in total 98 connections to one domain controller and Exchange will do the same to any other domain controller. Now you have to do the math and keep in mind that Exchange might not be the only client. Here an example:

Assuming you have 4 DC with 40 CPU cores in an AD-Site:

4*40 = 160 CPU cores (AD) è 160*8 = 1280 CPU cores (Exchange)

Furthermore, you have in this AD site 40 Exchange servers with each 24 CPU cores, which gives you a total of 960 CPU cores. From ratio perspective you are below the required ratio, but from LDAP connection perspective you have already approx. 3920 per domain controller, which is 78,4% of the allowed.

What happens when the connection limit is reached?

By design a domain controller is looking into idle connections and will drop them as needed. Idle connection doesn’t seem to sound too bad, right? From Exchange perspective it is as Exchange has a pool with active domain controllers and checks them periodically. If a domain controller is not responsive, it will be removed from the pool and re-added after successful check. It can be that after a successful check, the domain controller terminated the connection. When this happens, Exchange assumes that the server is healthy and will send requests to. These requests will fail, and as unforeseeable things can happen e.g.: unexpected prompts for credentials, database failovers, server performance decreasing. This is what I have seen in an environment running into this issue.

What is the fix?

Even though the KB article is old it’s still valid: How to view and set LDAP policy in Active Directory by using Ntdsutil.exe

The good thing about this is that you can configure the policy either per domain controller or per AD site. Thus, it gives you the ability for carefully testing, which should be always done.

After you applied the new policy you can verify that the increase was successfully implemented:

There are several servers above the 5000 LDAP Client Sessions limit.

Conclusion

This scenario cannot be found in any environment. It also doesn’t apply only to large environment as it’s depending on many aspects like ratio, installed application and number of clients. But something you should check and monitor. The impact for the domain controller should be marginal on newer hardware. In this environment the value for MaxConnections was increased to 15.000 without any negative impact.

Read More
Email security listing image

Email Security - How to Protect Against CFO Fraud

Image of Jaap Wesselius
Jaap Wesselius

Everybody receives spam and phishing email. Most of the time they are easy to recognize and just annoying, but sometimes there’s phishing email that’s harder to detect by eye. Imagine you’re the CFO of a company and you receive an email from your CEO where he asks to transfer $ 50,000 to an account. And you cannot talk about it, because it is for an unannounced acquisition.

Read More
Keep Calm and Use PowerShell banner

Restricting Access to Security and Compliance Center Functionalities

Image of Vasil Michev MVP
Vasil Michev MVP

About a year ago, we published an article on how to manage preservation policies in the new Security and Compliance Center in Office 365 via PowerShell. Over the course of the last year, a great number of new features have been added to the SCC, which is now the central place for data governance in Office 365. With some minor exceptions, all of the functionalities exposed in the SCC are very sensitive and controlling access to them is vital. In this article, we will cover some methods to restrict access to the SCC features. By using PowerShell, of course!

Read More