Exchange 2013 / 2016 Enabling TLS 1.2

Exchange

I have recently been working with a customer to upgrade to Exchange Server 2016, one of the requirements is to enable TLS 1.2. The following will guide you through the preparation, implementation and then testing.

For the testing I have used ZenMap/NMAP: –  https://nmap.org/download.html

Preparation

Exchange Server 2016

  • Install Cumulative Update (CU) 8 in production for TLS 1.2 support and be ready to upgrade to CU9 after its release if you need to disable TLS 1.0 and TLS 1.1. –CU 10 is now available.
  • Install the newest version of .NET and associated patches supported by your CU (currently 4.7.2).

Exchange Server 2013

  • Install CU19 in production for TLS 1.2 support and be ready to upgrade to CU20 after its release if you need to disable TLS 1.0 and TLS 1.1.
  • Install the newest version of .NET and associated patches supported by your CU (currently 4.7.2).

Windows Server 2016

  • TLS 1.2 is the default security protocol for Schannel and consumable by WinHTTP.
  • Ensure you have installed the most recent Monthly Quality Update along with any other offered Windows updates.

Windows Server 2012 R2

  • TLS 1.2 is the default security protocol for Schannel and consumable by WinHTTP
  • Ensure your server is current on Windows Updates.
    • This should include security update KB3161949 for the current version of WinHTTP.
  • If you rely on SHA512 certificates; please see KB2973337.

Windows Server 2012

  • TLS 1.2 is the default security protocol for Schannel.
  • Ensure your server is current on Windows Updates.
    • This should include security update KB3161949 for the current version of WinHTTP.
  • If you rely on SHA512 certificates; please see KB2973337.

Implementation

Enable TLS 1.2 for Schannel

To enable TLS 1.2 for both server (inbound) and client (outbound) connections on an Exchange Server please perform the following.

  1. From Notepad.exe, create a text file named TLS12-Enable.reg.
  2. Copy and paste the following text into the file.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\
Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\
Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\
Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
  1. Save TLS12-Enable.reg.
  2. Double-click the TLS12-Enable.reg file.
  3. Click Yes to update your Windows Registry with these changes.
  4. Restart the machine for the changes to take effect.

Enable TLS 1.2 for .NET 4.x

This step is only required for Exchange Server 2013 or later installations where .NET 4.x is relied upon.

The SystemDefaultTlsVersions registry value defines which security protocol version defaults will be used by .NET Framework 4.x. If the value is set to 1, then .NET Framework 4.x will inherit its defaults from the Windows Schannel DisabledByDefault registry values. If the value is undefined, it will behave as if the value is set to 0. By configuring .NET Framework 4.x to inherit its values from Schannel we gain the ability to use the latest versions of TLS supported by the OS, including TLS 1.2.

  1. From Notepad.exe, create a text file named NET4X-UseSchannelDefaults.reg.
  2. Copy, and then paste the following text.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
  1. Save the NET4X-UseSchannelDefaults.reg file.
  2. Double-click the NET4X-UseSchannelDefaults.reg file.
  3. Click Yes to update your Windows Registry with these changes.
  4. Restart your computer for the change to take effect.

Note: When configuring a system for TLS 1.2, you can make the Schannel and .NET registry keys at the same time and reboot the server once.

Testing

Testing before TLS has been enabled (the default state of an Exchange 2016 Deployment) using ZenMap

NO TLS enabled

Testing after TLS has been enabled (after following the above procedures) using ZenMap

TLS Enabled

Message Headers (Exchange Server 2016 Only)

Message header data in Exchange Server 2016 provides the protocol negotiated and used when the sending and receiving host exchanged a piece of mail. While this is a more manual method of checking how mail arrived it can be used for testing between specific systems in a pinch.

Example when viewing message header data via Message Header Analyzer at https://testconnectivity.microsoft.com

TLSP2_1

Mail Flow via SMTP Logging

SMTP Logs in Exchange 2016 will contain the encryption protocol and other encryption related information used during the exchange of email between two systems.

When the server is the SMTP receiving system, the following strings exist in the log depending on the version of TLS used.

  • TLS protocol SP_PROT_TLS1_0_SERVER
  • TLS protocol SP_PROT_TLS1_1_SERVER
  • TLS protocol SP_PROT_TLS1_2_SERVER

When the server is the SMTP sending system, the following strings exist in the log depending on the version of TLS used.

  • TLS protocol SP_PROT-TLS1_0_CLIENT
  • TLS protocol SP_PROT-TLS1_1_CLIENT
  • TLS protocol SP_PROT-TLS1_2_CLIENT

 

Advertisements

Office 365 – Linking Cloud Only Accounts to Sync’d AD Accounts

Recently I have been working with a customer who wanted to move key business services over to Office 365, so Exchange Online, SharePoint and OneDrive. The company had already created a tenant and was using it for Power BI. They had a number of user accounts created (Cloud only) that matched the company email address.  – This made the migration process a little more interesting as we had to match up the Active directory user accounts with the Azure AD account that were already being used within Office 365 so the user only had one username and the password that matched that of the one they use to log onto there local domain.

In order to make this work, we have to match up the users GuiD from Active Directory to the Immutable ID of that for the users created on Office 365 / Azure AD. – The following steps will explain how this is done.

Install Microsoft Online Services Signin Assistant and Azure AD powershell module, I recommend that you do this on a domain controller for making things simple (Link https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx#bkmk_installmodule )

On the Domain Controller open a powershell window and run the command

Import-Module ActiveDirectory

Then run the command

Get-ADUser -Identity "Enter Local AD logon ID in these quotes"

Once you run the above command you should be able to see an output like this:-​​

Now copy the objectGUID from the output and open the website http://guid-convert.appspot.com/ and paste the same on the textbox as shown in the image and click on convert, you shoud be getting the B64 value and copy the same. Make sure that there are no spaces when you paste the value in the text box. (Although, there are other ways to get the Base64 value from a GUID I recommend this approach as it is simple, you can get the same results from LDIFDE and Powershell)

 

Now run the command

 Import-Module MSOnline

Then run the command

Connect-MSOLService

you will see a prompt to enter credentials, enter the office 365 global admin credentials here.

Now before we proceed further make sure you get rid of the duplicate account from Office 365/Azure AD. (The one that has been Syncronised from AD) Make sure you remove it from the Deleted Users as well.

 

To remove the user from the deleted users container run the command:

 

 Remove-MsolUser -UserPrincipalName malcolm.plested@mapleit.onmicrsosoft.com -RemoveFromRecycleBin -Force

 

This command would permanently remove the user, so make sure you remove the right account.

 

Once you remove the account run the command:

 Set-MsolUser -UserPrincipalName malcolm.plested@mapleit.net -ImmutableId QX00ApTUDEiiEm5kX0WP2w==

Here you need to enter the UPN /Signin address of office 365/azure AD against which you wish to perform a hard match and after the -immutableID flag enter the B64 value that you copied from http://guid-convert.appspot.com/

Once this is done run a delta sync and you will see the once Cloud Only account will now be Synced with that of the user in AD.

So Long iPad….Hello Surface

I simply cannot believe that I am writing this, but as the title suggests I have ditched the iPad favouring the new Surface Pro 4….

I have been a serious Apple fan for many years, in fact I still am. I own a Mac Book Pro, iPhone, Watch and Apple TV and my family also own a range of Apple products-they are superb. However, I am a technical consultant that spends many hour travelling the UK meeting customers and generally fixing stuff. Up until recently I have relied on my trusty iPad Air 2 with the Logitech keyboard and of course the superb Office 365 services.

ipad surface

So why the change?

I specialise in all things Microsoft so Windows Servers, Office 365, Azure and also have been known to dabble in Networking and I simply cannot use my iPad for everything For example, if I go and see customers that don’t have wireless networks then I have no means of connecting to the infrastructure. I cannot create Powershell scripts and run them from my iPad, the biggy for me is the Outlook app. I run a small team of engineers and not being able to have true visibility of multiple calendars and business critical applications is a real problem. Don’t get me wrong, I will continue to adore my iPad, I continue to use it regularly for media and also for the range of excellent apps. I also fly drones commercially and the iPad comes in really handy for planning and controlling my drones.

Are there any downsides to the Surface?

Well like everything, you can’t have it all. With my iPad I was used to having a lovely 4g connection pretty much everywhere I went on the Three network. Unfortunately the Microsoft Surfaces do not have the ability to add a sim card for mobile data usage. – I guess I will just have to get used to tethering my device to my iPhone…

To Finish…..

The iPad and the Surface are both superb devices, and right now I am exceptionally lucky to own both of them, but for my professional career as much as it pains me to say this, the Surface gives me just that bit more flexibility to be able to do more aspects of my job. I am looking forward to seeing what 2017 brings in the world of technology, you never know, Apple may pull something out of the bag that yet again makes the iPad the weapon of choice.

PowerShell Script to List Active Directory Users & Last Logon Time

Occasionally there is a need to quickly query Active Directory for all user accounts or user accounts with only certain values in particular properties. This can be done by installing and loading the Microsoft Active Directory Administration module for PowerShell. This is an add-on module, named ActiveDirectory, that provides cmdlets that let you manage your Active Directory domains.

Below is a script I recently put together to produce a CSV File detailing the following:

Displayname – @{e={$_.properties.cn};n=’Display Name’},`

Username – @{e={$_.properties.samaccountname};n=’Username’}

LastLogonTime – @{e={[datetime]::FromFileTimeUtc([int64]$_.properties.lastlogontimestamp[0])};n=’Last Logon’},`

Account Disabled or Not – @{e={[string]$adspath=$_.properties.adspath;$account=[ADSI]$adspath;$account.psbase.invokeget(‘AccountDisabled’)};n=’Account Is Disabled’}

The Complete Script is below – Just copy and past the following into notepad, and save the file as filename.ps1

$NumDays = 0
$LogDir = “.\User-Accounts.csv”

$currentDate = [System.DateTime]::Now
$currentDateUtc = $currentDate.ToUniversalTime()
$lltstamplimit = $currentDateUtc.AddDays(- $NumDays)
$lltIntLimit = $lltstampLimit.ToFileTime()
$adobjroot = [adsi]”
$objstalesearcher = New-Object System.DirectoryServices.DirectorySearcher($adobjroot)
$objstalesearcher.filter = “(&(objectCategory=person)(objectClass=user)(lastLogonTimeStamp<=” + $lltIntLimit + “))”

$users = $objstalesearcher.findall() | select `
@{e={$_.properties.cn};n=’Display Name’},`
@{e={$_.properties.samaccountname};n=’Username’},`
@{e={[datetime]::FromFileTimeUtc([int64]$_.properties.lastlogontimestamp[0])};n=’Last Logon’},`
@{e={[string]$adspath=$_.properties.adspath;$account=[ADSI]$adspath;$account.psbase.invokeget(‘AccountDisabled’)};n=’Account Is Disabled’}

$users | Export-CSV -NoType $LogDir

How to Backup/Restore IIS7 & IIS8 Configuration

Backing up IIS7 configuration is as simple as copying the \windows\system32\inetsrv\config directory (and subdirectories) into a backup directory, so you don’t need anything special to do it.  Just include this directory in whatever your OS/content back-up plan is, or write a custom script to do it.

To help make managing backups easy, Microsoft added a simple cmd-line option to AppCmd.exe that makes management of backup/restore sets easy.  For example, to backup configuration, run the follow command:

> %windir%\system32\inetsrv\appcmd.exe add backup “My Backup Name”

to restore that backup, run this command:

> %windir%\system32\inetsrv\appcmd.exe restore backup “My Backup Name”

to delete a backup, run this command:

> %windir%\system32\inetsrv\appcmd.exe delete backup “My Backup Name”

IIS will automatically make history snapshots of ApplicationHost.config each time a change is detected, enabling you to easily restore to a prior version.  By default, IIS checks for a new version every 2 mins, and will keep 10 prior versions of the file.  IIS stores these snapshots in the %systemdrive%\inetpub\history folder by default.  You can change any of these settings by editing the section in ApplicationHost.config.