In this week’s show, Paul and I chat about the latest security updates for Exchange Server, how serious they are, and what you should do if you are on Exchange Server 2013. Plus, Azure AD Cross-Tenant Sync arrives in the roadmap for imminent release, and a flurry of front-line worker updates arrives in Microsoft Teams.
Security Updates for Exchange Server Available
It was only in the last show that we warned you more security updates would be coming your way, and you need to keep your skills up to date for patching Exchange – or get rid of it entirely from your environment. If you are running it in Hybrid or fully on-prem, then you’ve some urgent patching to do. The security updates cover Exchange 2013, 2016, and 2019 and thankfully, Microsoft isn’t aware of any active exploits at the moment.
From Microsoft’s blog post and associated CVEs, there are several key points we discuss on the show.
- With the update comes a recommendation to enable certificate signing of the PowerShell serialization payload. The payload is used to pass objects between sessions, and the new CUs contain this update, but it must be manually configured. However, for Exchange 2013, Microsoft notes issues with this and does not recommend enabling it.
- CVE-2023-21763 and CVE-2023-21764 are both Local Elevation of Privilege vulnerabilities, meaning an attacker needs to be able to access the Exchange Server machine locally or via PowerShell/SSH/RDS.
- CVE-2023-21745 and CVE-2023-21762 are both spoofing vulnerabilities and can be exploited from the same IP subnet as your Exchange Servers.
- CVE-2023-21761, however, is potentially more serious, as it is an Information Disclosure vulnerability and can be exploited remotely, including over the internet.
Time to Upgrade or Move to the Cloud: End of Support for Exchange Server 2013
End of support is April 11, 2023. After that date, Microsoft will no longer provide:
- Technical support for problems that may occur
- Bug fixes for issues that are discovered and that may impact the stability and usability of the server
- Security fixes for vulnerabilities that are discovered and that may make the server vulnerable to security breaches
- Time zone updates
Naturally, Exchange Server 2013 won’t stop working, but given that more security updates are likely to be needed in the future, it would be dangerous to continue to run it. On the podcast, we discuss Exchange Server 2013’s troubled history and how it paved the way for 2016 and 2019.
Cross-Tenant Sync coming to Azure AD
On the show, we discuss a new feature that has landed in the Microsoft 365 roadmap. Very few details are available at the moment, but it will be coming this month (January 2023) and lets admins automate creating, updating, and deleting B2B users across tenants within an organization.
While private preview customers will have been able to use this for some time – they do so under a strict NDA, so we have to be somewhat careful in what we say on the show. Suffice it to say, though, this could be a very interesting feature if you need to run multiple Microsoft 365 tenants within a single business over the long term.
Front Line Teams features introduced for scalability
Several new, unrelated features arrive in Microsoft Teams and Microsoft 365 apps that are useful if you have front-line workers who use tools like Planner (or Tasks in Teams) or use mobile devices in shared device mode. An audience-targeting feature arrives for Outlook Group mailboxes, too. However, we’re less sure about the applicable use cases, as we wonder whether organizations that maintain distribution groups (DGs) today for this purpose will move to the new feature.
Check out a more in-depth outline of these new features:
- Recurring tasks and grids in Planner
- Deploy and use Outlook & Power Apps in Shared Device Mode in addition to Teams, Managed Home screen and preview apps Edge & Yammer
- Group mailboxes get a feature for Audience targeting when sending mail
We’ll be back in two weeks’ time with the next episode!