News

Microsoft Updates Exchange Server, Makes Architecture Changes

• By Kurt Mackie
• 02/13/2019

The latest quarterly release of Exchange Server includes "critical security" fixes and also marks significant changes to the architectures of all supported versions.

Microsoft described the February 2019 quarterly updates in this Exchange Team announcement, which coincided with "update Tuesday," Microsoft's monthly patch release day for all Windows systems. Possibly, Microsoft accelerated the delivery of this quarterly update for Exchange Server by about a month to address NT LAN Manager (NTLM) relay attack issues that were publicized in last week's Security Advisory ADV190007.

IT pros managing Exchange Server products from Exchange Server 2010 on up to Exchange Server 2019 likely will have to roll up their sleeves with this quarterly update release. It's not the usual patch story this time around. For instance, the Exchange Team included security updates in these cumulative updates, which apparently isn't the usual practice with Exchange Server patching.

"While it is not the normal or preferred practice to release security updates in a cumulative update package, the nature of the product changes dictate that they be delivered this way as they include changes to the setup and configuration of Exchange Server," the Exchange Team explained.

Exchange Web Services Change
One of those product changes notably affects the architecture of Exchange Web Services (EWS) for all supported Exchange Server products. The quarterly update is bringing a fix for push notification issues in Exchange Web Services so that they can't be abused by NTLM relay attack methods. This notion is explained in Microsoft's Knowledge Base article KB4490060.

Some clients that connect with Exchange Server will need to get updated because of the EWS architectural change induced by the quarterly update.

"After this change [to EWS functionality], clients that rely on an authenticated EWS Push Notification from the server that is running Exchange Server will require an update to continue to function correctly," the KB article explained.

Microsoft wants organizations to apply the new quarterly updates as soon as they "understand and accept any potential impact." However, applying the quarterly update will result in "a permanent change" to the push notification authentication process, Microsoft warned.

Shared Permissions Model Change
The quarterly update is also going to lower privileges assumed in the "Shared Permissions Model" that's currently the default setup with Exchange Server and Active Directory environments.

"Changes in the latest cumulative updates, described in KB4490059, reduce the scope of objects where Exchange is able to write security descriptors in the directory," the Exchange Team explained.

Microsoft favors the Split Permissions Model over the Shared Permissions Model for Exchange Server and Active Directory authentications, but it supports both models, noting that there are "relative strengths and weaknesses inherent to both models." Organizations should weigh the effects before making any changes to the model they're using, Microsoft warned.

Moreover, the NTLM security issues are mostly addressed by the fixes described in KB4490059 and KB4490060, so the permissions model used by an organization is a less important consideration.

"The combination of the directory permission changes and EWS security change provides the best possible protection against possible attacks, meaning that Active Directory Split Permissions are not required, but still optional," the Exchange Team explained.

Old Protocols
The Exchange Team also declared war on old "legacy" protocols, at least for users of Exchange Server 2019 Cumulative Update 1. A new PowerShell cmdlet will be announced that will allow organizations to "restrict legacy authentication protocols" for Microsoft's flagship messaging server product. These old protocols weren't described, but it'll be possible to set restrictions on a "per protocol and user by user basis," the team promised.

Possibly, Microsoft is referring to NTLM itself, a challenge/response security protocol that dates back to the early 1990s. Microsoft still supports NTLM but recommends using Kerberos instead. However, it's sometimes hard for organizations to avoid using NTLM. Microsoft recently described detecting the use of NTLM version 1 in 30 percent to 40 percent of environments, for instance.