Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1

Overview In part 3 of our Exchange Server TLS Guidance series, we introduce how to turn off TLS 1.0 and 1.1 in your Exchange Server deployment. Turning off TLS 1.0 and 1.1 can be a highly disruptive event if not planned and executed properly. The Exchange team believes that it is time for the ecosystem…


Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It

Overview In part 2 of our Exchange Server TLS Guidance series we focus on enabling and confirming TLS 1.2 can be used by your Exchange Servers for incoming and outgoing connections, as well as identifying any incoming connection which is not utilizing TLS 1.2. The ability to identify these incoming connections will vary by Windows…


Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2

Update: With the Office 365 deadline to have TLS 1.2 enabled being moved from March 2018 to October 2018 we have changed the timing of subsequent post releases; please see below! Overview As the realm of security in technology continues to evolve over time, every so often we say hello to newer and more competent…


Demystifying Certificate Based Authentication with ActiveSync in Exchange 2013 and 2016 (On-Premises)

Some of the more complicated support calls we see are related to Certificate Based Authentication (CBA) with ActiveSync. This post is intended to provide some clarifications of this topic and give you troubleshooting tips. What is Certificate Based Authentication (CBA)? Instead of using Basic or WIA (Windows Integrated Authentication), the device will have a client (user)…


Multi-Factor Authentication in Exchange and Office 365

Multi-Factor Authentication (MFA), which includes Two-factor authentication (2FA), in Exchange Server and Office 365, is designed to protect against account and email compromise. Microsoft has evaluated recent reports of a potential bypass of 2FA. We have determined that the technique described is not a vulnerability and the potential bypass does not exist on properly configured…


Certificate-Based Authentication (CBA) for Exchange Online

Update 6/6/2017: We updated this post to reflect availability for China plans. Update 7/28/2017: Updated with links for support with Outlook for iOS and Android. On-premises Exchange environments support the ability for certain mobile apps to utilize certificate-based authentication (CBA). Today, we are pleased to announce that CBA is available for customers using Office 365…


Exchange 2016 Coexistence with Kerberos Authentication

With the release of Exchange Server 2016, I thought it would be best to document our guidance around utilizing Kerberos authentication for MAPI clients. Like with the last two releases, the solution leverages deploying an Alternate Service Account (ASA) credential so that domain-joined and domain-connected Outlook clients, as well as other MAPI clients, can utilize…


Enabling BitLocker on Exchange Servers

The Exchange Preferred Architecture, for both Exchange Server 2013 and Exchange Server 2016, recommends enabling BitLocker on fixed data drives that store Exchange database files. Over the years, there have been a number of questions regarding how BitLocker should be enabled on servers. However, before we discuss that, I think it is important to provide…


No new security vulnerability in Outlook Web Access (OWA)

Recently reports of a new security vulnerability in OWA, a component of Microsoft Exchange Server, have been circulated throughout the internet. Microsoft considers the security of our products to be a top responsibility to our customers. We have investigated these reports and believe that a properly deployed and secured Exchange Server is not susceptible to…


Exchange TLS & SSL Best Practices

Whether you are running Exchange on-premises, in the cloud, or somewhere in between, we know that security is a top priority. Microsoft is committed to giving you the information needed to make informed decisions on how to properly secure your environment. It has been suggested by some external parties that customers need to disable TLS…