Exchange Zero days are very common these days and there is a freshly baked one today (30th September 2022 as of writing). If you want to know what how the vulnerabilities work, take a look at the reference at the bottom. As a sysadmin I care about securing my systems.

Here are a few steps to mitigate this zero day vulnerability:

In IIS Manager on the Exchange Server, select the Autodiscover virtual directory and open URL Rewrite and add a new rule.

Select Request Blocking

Enter the string

.*autodiscover\.json.*\@.*Powershell.*

Using should be changed to Regular Expression.

Change URL to REQUEST_URI and save the changes.

References:

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

A good backup tool uses VSS Writers to achieve application consistent backups, which also truncates transaction log files. You can also achieve that without having to do a backup. Here are the few commands:

diskshadow

You can add multiple volumes, if database and log files are located on different disk drives:

add volume D:

add volume E:

begin backup

create

end backup

On the first day of a new year (for me it was the second day) Microsoft gave us a present to work on that affects Exchange servers. Affected systems could not send or receive mails, messages would get stuck in message queue with the error "Message deferred by categorizer agent". Here are the two relevant event viewer entries:

The issue here is that the malware filter could not scan the message because of this error (it has to do with date time not fitting into 32 bit integers anymore) and the message would not get sent to the recipient. To temporarily resolve the issue, you can disable antimalware.

Open PowerShell as admin.

& "$env:ExchangeInstallPath\Scripts\Disable-AntimalwareScanning.ps1"

Restart MS Exchange Transport Service

Restart-Service MSExchangeTransport

References:

https://www.itwriting.com/blog/11910-exchange-emails-stuck-in-queue-because-message-deferred-by-categorizer-agent-happy-new-year-admins.html

After updating Exchange 2013/2016/2019 you might get an error when trying to open OWA or ECP. This happens because of an expired OAuth certificate.

Open Exchange Powershell and check if the certificate has expired:

Get-ExchangeCertificate (Get-AuthConfig).CurrentCertificateThumbprint

If the certificate has expired, create a new one (do not forget to change the domain name):

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName "ajni.it"

Set the new certificate for OAuth:

Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig –PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

Restart the Exchange IIS App Pools:

Restart-WebAppPool MSExchangeOWAAppPool
Restart-WebAppPool MSExchangeECPAppPool

If you still get the error in OWA/ECP, you either have to wait a couple of hours (some people have reported that they had to wait for up to 6 hours) or change the time zone of the Exchange server to UTC (Universal Coordinated Time).

References:

https://www.frankysweb.de/exchange-server-owa-und-eac-starten-nicht-nach-installation-der-juli-updates/

https://support.microsoft.com/en-us/topic/you-can-t-access-owa-or-ecp-after-you-install-exchange-server-2016-cu6-88b3fe67-5f97-a8a2-8ed8-70034ff15761