Microsoft has released the June 2019 cumulative updates for Exchange servers running 2013, 2016 or 2019.
While the patches themselves address several functional as well as security issues, there are two things I find worth noting about this release.
Lowering rights assigned to Exchange server
One of the tasks when applying this update is an Active Directory preparation step. It makes some changes to Active Directory, more specifically it sets a “Deny ACE” on the “DNS Admins” group and removes the Exchange servers’ ability to assign Service Principal Names (SPNs).
One of the key aspects of a secure IT environment is the least-privilege approach, and apparently the Exchange team has deemed these permissions unnecessary. From a security perspective this change is a good thing, but why were these permissions there in the first place?
Well, the SPN part can be explained fairly easily. Fiddling around with service principal names can be a tedious and often error-prone task, so having Exchange do this automatically makes sense. But there seems to be no need for Exchange to be able to handle these itself, hence the removal.
The other part, placing the Deny permission on that specific group, is more shrouded in mystery. The release note from the Exchange team does not state the reason, but placing a specific deny permission on something suggests there is something at play. I could venture a guess that it is about (ab)using Exchange to escalate privileges, since there are known attack paths from the DNS Admins group to Domain Admins, but that would be mere speculation.
Speculation aside, lowering the permissions assigned to a system while preserving its functionality is always a good thing.
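After the preparation step has run, the natural follow-up is to verify what actually changed in Active Directory. The script below is an added example, not code from the post or from Microsoft: it reads the ACL of an AD object through the AD: PSDrive and reports explicit Deny entries and any entry carrying the well-known “Validated write to service principal name” rights GUID. Which objects the update touches is only what the post states (the DNS Admins group and the Exchange servers’ SPN rights), so the two target objects and the “*Exchange*” identity filter are assumptions; adjust them to the release notes for your version.

```powershell
# Added audit example (not from the original post). Lists explicit Deny ACEs and
# validated-write-to-SPN ACEs on chosen AD objects so the effect of the Exchange
# AD preparation can be checked rather than assumed. Requires the RSAT
# ActiveDirectory module and read access to the objects.
Import-Module ActiveDirectory

# Well-known AD rights GUID for "Validated write to service principal name".
$ValidatedSpnGuid = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'

function Get-AceReport {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        # Only report ACEs whose trustee matches this wildcard (assumption:
        # the interesting trustees are the Exchange security groups).
        [string] $IdentityLike = '*Exchange*'
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -notlike $IdentityLike) { continue }
        $isDeny     = $ace.AccessControlType -eq 'Deny'
        $isSpnWrite = $ace.ObjectType -eq $ValidatedSpnGuid
        if ($isDeny -or $isSpnWrite) {
            [pscustomobject]@{
                Object     = $DistinguishedName
                Identity   = $ace.IdentityReference.Value
                Type       = $ace.AccessControlType
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
                Note       = if ($isSpnWrite) { 'validated write to SPN' } else { 'explicit deny' }
            }
        }
    }
}

# Assumed targets: the DNS Admins group (sAMAccountName "DnsAdmins"), where the
# post says a Deny ACE is placed, and the domain root, where validated-write
# rights are commonly delegated. Extend the list to other objects as needed.
$domain  = Get-ADDomain
$targets = @(
    (Get-ADGroup -Identity 'DnsAdmins').DistinguishedName,
    $domain.DistinguishedName
)

$targets |
    ForEach-Object { Get-AceReport -DistinguishedName $_ } |
    Sort-Object Object, Type, Identity |
    Format-Table -AutoSize
```

Run it once before and once after the preparation step and diff the two outputs: a new explicit Deny entry for an Exchange group on the DNS Admins object, and a missing validated-write-to-SPN entry, are the two changes the post describes. Non-inherited entries are the ones the preparation step would have written directly.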
Controlled Connections in public folders
One of the other interesting things Microsoft introduces is the ability to control who gets to see the public folder tree.
This feature has previously been available for Exchange Online, but is now also available for the on-premises version of Exchange server. In short, it gives the Exchange administrator the ability to choose who gets to see the public folder tree. In larger organizations this makes sense, as not everyone has access to it or needs it anyway, and those unnecessary connections place a larger load than needed on the Exchange platform.
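As an added illustration of how that control is configured, not taken from the post: the Exchange Online version of this feature is driven by an organization-wide switch plus a per-mailbox flag, and the commands below use those cmdlets and parameters. That the on-premises implementation exposes exactly the same parameters is an assumption; the mailbox addresses are constructed.

```powershell
# Added configuration example (not from the original post). Run from the
# Exchange Management Shell. Cmdlet and parameter names are those of the
# Exchange Online "controlled connections to public folders" feature; the
# on-premises version is assumed to match.

# 1. Turn on per-mailbox control. Once this is true, a mailbox only gets the
#    public folder tree in Outlook if it is explicitly flagged in step 2.
Set-OrganizationConfig -PublicFolderShowClientControl $true

# 2. Flag the mailboxes that actually need public folders (constructed list).
$needsPublicFolders = @('alice@contoso.example', 'bob@contoso.example')
foreach ($mbx in $needsPublicFolders) {
    Set-CASMailbox -Identity $mbx -PublicFolderClientAccess $true
}

# 3. Verify: list every mailbox that can still see the tree, so the set of
#    clients connecting to the public folder hierarchy is known and reviewed.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PublicFolderClientAccess -eq $true } |
    Select-Object Identity, PublicFolderClientAccess
```

Step 3 is the part worth keeping around: the load reduction the post mentions only materializes if the flagged set stays small, so re-run that query periodically rather than only at rollout.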
Modern Authentication in on-premise Exchange
This is a feature that has long been sought after, as it has been available for years in Exchange Online and for some time in hybrid scenarios as well.
But this time we’re unfortunately out of luck. This feature will, as it stands at the moment, not be coming to Exchange on-premises. The reason can only be speculated about.
Now for the actual work…
Remember to observe the system requirements: .NET 4.7.2 is now required and 4.8 is supported.
Links to the patches:
Happy patching everyone…