Saturday, September 8, 2018

Disable SSL 3.0 in Lync Server 2013 and Skype for Business Server 2015


According to Microsoft Security Advisory 3009008, a vulnerability was detected in SSL 3.0.

Since both Lync and Skype for Business are using certificates extensively,it is recommended to disable SSL 3 on all Front End servers and reverse proxy solutions used to publish the web services.

Disabling SSL 3.0 in Lync Server 2013:

Action suggested:-

For Windows Servers, SSL 3.0 can be disabled by creating a registry key using the following steps:
1.            Open the Command Prompt using elevated permissions
2.            Run the following cmdlet: reg add “HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server” /v Enabled /t REG_DWORD /d 0 /f
3.            After changing this, a restart to the Lync Services will be enough to apply the new configuration:
Stop-CsWindowsService
Start-CsWindowsService



In case you need to rollback, simply remove the key and restart the Lync Services:
reg delete “HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server” /v Enabled

Thursday, August 23, 2018

Fix it by F5 APM - EAS devices still sync after an account is disabled or a password is changed

Symptoms

Exchange ActiveSync (EAS) devices continue to synchronize after their account has been disabled. Devices also connect using an old password, after the password has been changed.
The main issue of concern is that if a user is terminated and just their AD account is disabled, that once their AD account is disabled it’s believed that the user is now stopped from being able to access anything using Windows Authentication, such as Exchange).  However, that may not necessarily be true…especially with ActiveSync.

Why Does This Happen?

One of the main reasons is due to the way ActiveSync keeps a connection open to the server to watch for new messages. That connection has already authenticated and has been validated…so while the AD count may be disabled, all Exchange knows is that the user HAD rights to the mailbox and is continuing to use that connection. Eventually, the “life” of that authentication expires and the user has to re-authenticate (which is all done transparent to the user) and if the account was disabled, the re-authentication will fail and the user will no longer be able to sync. ActiveSync devices with their long heartbeat intervals and token cache can still allow access up to 24 hours after an AD account has been disabled.
We have two component involved which does the authentication viz F5 APM (Pre-authentication) and IIS authentication.
The main component/feature of IIS involved is User Token Caching in IIS. Default is 15 mins, that means, if connection is made within 15 mins of last connection, the cached token information is reused instead of checking with AD. It will take 8 to 24 hours for IIS to reset token caching.
In F5 APM, expiration time for authenticated session is inactivity timeout which is 15 Minutes by default and maximum session timeout is 7 days by default which will force session to re-authenticate.
However, as DirectPush in ActiveSync maintains an open connection to server, inactivity timeout on F5 never reaches and in IIS, cached token will be re-used.
So even after AD account is disabled, user can still sync the emails until maximum session timeout which is 7 days or when IIS re-authenticates the request (after it resets cached token) which could be around 8 to 24 hours.

Resolution

According to my study, there are two solutions that we can implement to resolve this scenarios.
1. Reduce Maximum Session timeout (F5 APM) to a less value like 15 min or 30 mins
2. Reduce token caching in IIS (Not recommended)


Reduce Maximum Session Timeout

We are using APM feature in F5 which pre-authenticates the session before traffic can be sent to Exchange servers.
In APM, two timeout settings are available

1. Inactivity Timeout

The Inactivity Timeout setting controls how long a client can keep a live session without sending traffic. Timeout counter is updated after session is updated or client sends traffic before timeout value is reached. Once timeout value is reached, APM will terminate the session.
For example, if user sje1 is connected and authenticated at , session’s start time will be current time and session’s expiration time will be timeout value after start time. (In our case, timeout value is selected as 15 mins as default)

The expiration value keeps updating as timeout counter of inactivity timeout keeps updating itself after session is updated with client traffic.
For ActiveSync devices, it keeps connection open with long their heartbeat, resulting inactivity timeout will keep extending every second by 15 mins.

So in nominal scenario, APM session will not be terminated until activeSync device is connected.

2. Maximum Session Timeout

The Maximum Session Timeout setting configures a limit on the maximum amount of time a user’s session is active without needing to reauthenticate. Default value is 7 days.
With default value, user’s session can be active maximum upto 7 days. After 7 days, user’s session will be forcefully reauthenticated.
During my testing, I have setup this value to 12 mins. The main difference that this value would be resulting is, it will set expiration time for this session to 12 mins after start time.

After I setup this value to 12 mins, after every 12 mins, APM forcefully reauthenticates all sessions. And if during this time, AD account is disabled or AD account password is changed, at the expiration time, APM will reauthenticates the session. If user account is disabled, APM will deny the request for session and if password is changed, new password needs to be updated on Activesync device.
Although reauthentication process is transparent to all other users, this will put some load on domain controllers.


Reduce token caching time in IIS



In IIS, we can reduce token caching. But this means for every request within that period, IIS will authenticate the session with Domain controllers. This is will put lot of load on Server and Domain controller. This option will impact performance. This option is not recommended by microsoft.

Upgrade to System Center DPM 2012 SP1 to System Center DPM 2012 R2

Upgrade Prerequisites
  1. Ensure that the hard disk on which DPM is installed has at least 4.5 gigabytes (GB) of free disk space.
  2. Ensure the DPM backup has been completed successfully on secondary DPM server.


  1. SQL Server 2008 r2 is supported for DPM 2012 R2, so we don’t need to upgrade SQL version.
Upgrade The DPM Server
  1. Download DPM 2012 R2 installables.
  2. Run Setup.exe on the DPM server and select Data Protection Manager from the Install list





  1. On the Prerequisites Check page, click Check and Install to verify that the computer meets the Setup requirement



  1. When the prerequisite check is complete and all required components are present, Setup displays a confirmation, and the Next button becomes available


  1. On the Product Registration page, Enter the serial number provided in share itself.
  1. On Installation settings page, check the free space and click on next.
  2. On the Summary page, confirm the installations settings, and click Upgrade to continue.




Update Rollup 14 for System Center 2012 R2 Data Protection Manager
  1. Go to Windows update and check online for updates from Microsoft update.
  2. Install all security updates along with Update rollup 14 for DPM 2012 R2.
Upgrade the agent on protected servers
  1. Open DPM 2012 R2 Console, go to Management.
  2. Select the protected server and click on update available, which will push new agent on protected server.



Run a synchronization job with consistency check
  1. All the replicas will be inconsistent for backups. This is expected.
  2. Right click on warning and select “run a synchronization job with consistency check”