June 2019 Quarterly Exchange Updates

General changes:

  • Decreasing Exchange Rights in the Active Directory – Deny ACE placed on the DNS Admins group and the ability for Exchange to assign Service Principal Names (SPN’s) was removed because these are not required by Exchange; the directory updates released today are fully compatible with all versions of Exchange Server regardless of cumulative update or update rollup version deployed and so these changes can be applied to any existing Exchange deployment by following the steps above
  • Support for .NET Framework 4.8 – support for .NET Framework 4.8 added. The minimum .NET requirement remains 4.7.2 on Exchange Servers. .NET 4.8 will be required with all updates released in December 2019 and later
  • Authentication Policies Update – enhanced the feature to provide the ability to specify it as default authentication policy at Organization level
  • Future support of Modern Authentication in on-premises Exchange – this capability in on-premises Exchange server will no longer be pursued; Modern Authentication will be restricted to customers with hybrid deployments
  • Controlled Connections to Public Folders in Outlook – added support to Exchange Online to help admins have control over which users would see public folders in their Outlook clients

Source

How to maintain Exchange to comply with GDPR

GTPR for exchange mail server

There is a ton of information about paperwork needs to be done to comply with GDPR. Here we would answer the question: «What technically should be done at your mail server to meet requirements?»

First of all, let’s qualify what is ‘personal data’ according to the GDPR:

 

Article 4
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Mail server naturally keeps a lot of ‘personal data’. And it is not just about mailboxes’ content. Every time when an employee connects to corporate mail using a personal device, the server saves information about the device and IP address which can be linked to geolocation.

Even more, if you have CVs in your mailbox (most probably you have it), then your mail server contain specific personal data:

 

(13) ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
(14) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
(15) ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

 

As a result, even if you are not collecting personal data purposely, just by operating in B2B segment you accumulate ‘personal data’ and need to follow GDPR.

So, what technical actions need to be taken to meet the GDPR? The law gives very general requirements:

 

Article 32 Safety of processing
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

 

We recommend are the following:

 

  1. Encryption whenever it is possible as GDPR requires organizations that keep or process personally identifiable information to protect data by design
    • Encryption for Exchange drives using BitLocker Drive Encryption
    • Hardware encryption on storages where Exchange drives are placed, if Exchange is virtualized. Most of the vendors have this feature supported.
    • Use Host Guardian Service (HGS) to protect access to the Exchange virtual machines. It prevents unauthorized access to shielded Exchange VM and protects from coping VHD.
  2. You must have backups and a disaster recovery plan(s). Periodically test consistency and recoverability of backup.
  3. For secure email transport as minimum STARTTLS must be configured on your server(s) and very recommended to configure DNS-based Authentication of Named Entities (DANE) based on DNSSEC technology
  4. Critical updates must be tested and installed in time to prevent potential security breaches
  5. Implement deleted item retention policy
  6. Configure Data Loss Prevention (DLP) rules to scan and report email containing personal information that could fall under GDPR rules.
  7. Prepare a custom script for your exchange version to manage shared mailbox and individual public folder items to delete user-defined data.
  8. Consider migration to the cloud. Оn-premises solutions are more flexible, but it is also more complicated, without outscoring partner it may be difficult to comply with GDPR rules.

 

Skype announced integration with OneDrive

Skype development team announced testing of the new cloud filesharing feature in the latest Skype Insider Build. Users will be able to share a link to a file or folder in OneDrive directly in the chat. If your contact is on a mobile device and has the application available, the file will open directly in that app, and not in the browsers. If your contact does not have the application installed, the OneDrive web site can preview most commonly used filetypes. A new feature is currently available to Skype insiders.

Hackers started using a bug with online video feature in Microsoft Word

A bug with the online video feature in Microsoft Word, recently discovered by Cymulate security researchers, found its first use for deliver malware. Trend Micro specialists discovered and described the URSNIF information stealer spreading mechanism. Users can defend against threats abusing this by blocking Word documents that has the embeddedHtml tag in their respective XML files or disabling documents with embedded video.

Cisco inadvertently released Dirty Cow exploit code in software

The company explained that in the final QA validation step of the automated software build system for the Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) software inadvertently left an internal exploit for the Dirty COW vulnerability (CVE-2016-5195). The purpose of this QA validation step is to make sure the Cisco product contains the required fixes for this vulnerability. This issue affects versions X8.9 to X8.11.3. All affected software images have proactively been removed from the Cisco Software Center and will soon be replaced with fixed software images.

Windows Defender Antivirus can now run inside a sandbox

Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm. Support the sandbox feature is not enabled by default, but users can turn the feature on by setting a machine-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and restarting the machine. This is currently supported on Windows 10, version 1703 or later.