Infrastructure, Recipients, Security Flashcards
(106 cards)
1
Q
What OS versions for the Domain Controller are supported by Exchange 2016?
A
• For Exchange 2016 CU1 and CU2:
– Windows Server, 2008 through 2012 R2
• For Exchange 2016 CU3 and later:
– Adds support for Windows Server 2016 DCs
2
Q
What are Exchange’s requirements and recommendations for Domain Controllers?
A
- Windows Server 2008 or later
- 64-bit recommended, but not required
- At least one Global Catalog server per site that has either Exchange or Outlook clients
- Read-only Domain Controllers are not supported (just ignored by Exchange)
3
Q
What unique requirements and restrictions exist when Installing Exchange on a Domain Controller?
A
- AD split permissions model cannot be used
- DC must be a global catalog (not enough to just have a GC in the site)
- All Exchange server computer accounts will become domain admins
- Cannot demote or promote a DC when Exchange has been installed
- Not supported for DAG members
- May impact performance stability.
4
Q
What is meant by Exchange “extending the AD Schema”?
When and why is this done?
A
- Most of Exchange’s configuration data is stored in AD.
- The AD Schema defines all the objects and attributes for AD to store data.
- For AD to support Exchange, Exchange extends and modifies this schema.
- It occurs when the first Exchange installation occurs in an organization. It may further be extended whenever a new CU is installed.
- The cmdlet must be run from the site that contains the Schema Master for the domain.
5
Q
What are the preparatory steps for Active Directory when installing Exchange?
A
1) Extend the AD schema
2) Prepare AD
3) Prepare AD Domains
6
Q
What does the “Prepare Active Directory” step accomplish?
A
It creates the containers and objects in AD that make up the Exchange organization itself.
It will also prepare one domain (the root domain) of the forest.
7
Q
How do you Extend the AD Schema as required before installing Exchange 2016 for the first time in an organization?
A
- This can only be completed from the within the same AD site as the schema master
- It will happen automatically when running Exchange setup, as long as you have the required permissions.
- But if you’d like to do it manually or in separate steps, run this command before installing:
Setup.exe /PrepareSchema
8
Q
How do you Prepare AD as required before installing Exchange 2016 for the first time in an organization?
A
- This can only be completed from the within the same AD site as the schema master
- It will happen automatically when running Exchange setup, as long as you have the required permissions.
- But if you’d like to do it manually or in separate steps, run this command before installing:
Setup.exe /PrepareAD /OrganizationName:”Contoso”
9
Q
How do you Prepare an AD Domain as required before installing Exchange?
And what Domains need to be prepared?
A
- If the forest contains a single domain, /PrepareAD will already have prepared that domain.
- You only need to prepare additional domains that will have Exchange objects in them.
For all domains:
• /PrepareAllDomains
For specific domains:
• /PrepareDomain:sub.contoso.com
10
Q
What Permissions Models exist for Exchange, and what does each do?
A
• Shared Permissions Model
– Used by default
– Simplest and most common model
– Allows Exchange management roles to both create and manage security principals (e.g. users, groups) in AD
• Split Permissions Model
– Optional
– Separates the ability to create security principals from the ability to manage Exchange attributes
– Useful in large, complex organizations that require separation of administrative rights.
11
Q
How is a Split Permissions model configured?
A
During the PrepareAD stage of AD preparation for an Exchange install:
Setup.exe
/PrepareAD
/ActiveDirectorySplitPermissions:True
/OrganizationName:”Contoso”
12
Q
What is a Resource Forest?
A
An Active Directory Forest can only have one Exchange organization.
However, multiple Active Directory Forests can be configured to trust each other, and access each other’s resources.
A Resource Forest is a dedicated forest where Exchange is hosted, separate to the forests that contain user accounts.
13
Q
What are the advantages of a Resource Forest?
A
- Separation of security boundaries
* Flexibility for mergers and divestitures
14
Q
What is a Throttling Policy?
A
- Throttling Policies prevent a user from consuming excessive Exchange server resources.
- E.g. Max number of concurrent connections a user may have with a particular client access protocol; max amount of CPU time a user’s requests can consume.
- A default throttling policy is created by Exchange setup and applied to all mailboxes.
- Custom policies can be created and assigned to mailboxes using PowerShell.
15
Q
Using Exchange Shell, how do you customize the Throttling Policy for a specific mailbox?
A
New-ThrottlingPolicy
-Name
MyLittlePolicy
[set your parameters]
Set-Mailbox
john.smith
-ThrottlingPolicy
MyLittlePolicy
16
Q
What is the definition of a “recipient”?
A
Any mail-enabled object in AD that can have email delivered or routed to it by Exchange.
17
Q
What are examples of common recipient types?
A
- User mailbox (AD user accounts that have been enabled with a mailbox hosted on an Exchange mailbox database)
- Mail contact (Contact objects in AD that have been enabled for email)
- Distribution group
- Mail-enabled security group
- Shared mailbox
- Room mailbox
- Equipment mailbox
- Mail-enabled Public Folder
18
Q
What is the difference between a “mail contact” and a contact with an e-mail address?
A
- A contact object in AD can have an e-mail address, but not be enabled for email. This is because the email address can be used for other purposes, such as simply being part of the postal address.
- A Mail Contact is a Contact Object that has been enabled as a recipient for email.
19
Q
What is a Shared Mailbox?
A
Mailboxes that are usually configured to allow access by multiple users who need to read and respond to messages.
They are associated with AD user objects, but those objects are left disabled and their passwords are managed by Exchange.
20
Q
What is a Room Mailbox?
A
They represent bookable meeting room resources, allowing users to book a room when they need to hold a meeting.
21
Q
What is an Equipment Mailbox?
A
Similar to a Room mailbox, but allows user to book the use of shared resources such as a shared vehicle, laptop, etc.
22
Q
What is a Dynamic Distribution Group, and how does it work?
A
- A distribution group that does not contain a static list of members, but is instead based on a query that is assessed each time an email is sent to the group.
- The query is based on recipient attributes.
- For example, it could be configured for users who have “Sales” for their Department attribute.
23
Q
What is a Linked Mailbox?
A
A mailbox in an Exchange organization that is associated with a user account in a separate forest.
(Used in Multi-forest / Resource forest setups)
24
Q
What is a Linked User?
A
A user in a forest that is associated with a mailbox in a separate forest.
(Used in Multi-forest / Resource forest setups)
25
What is a Mail forest contact?
A contact in one forest that represents a recipient in another forest.
They are created and managed by a synchronization product such as Microsoft Identity Integration Server, or a third-party synchronization tool.
26
What is a Microsoft Exchange Recipient?
They are system objects that are created and managed by Exchange.
They are responsible for tasks such as sending non-delivery reports.
They don't require any configuration or management.
27
How do you create a new mailbox for an existing user, using Powershell?
Enable-Mailbox
| john.smith@contoso.com
28
What is a Mail User?
A User account in the internal AD that has an externally hosted mailbox, such as gmail.
29
Where do you go in EAC to create a Mail User?
Recipients >
Contacts >
Add >
Mail User
30
What is the difference between a Mail User and a Mail Contact?
They are both external e-mail addresses, but a Mail User has an associated AD user account, and the Mail Contact is merely a contact object.
31
In the context of Exchange, what is a Distribution Group?
• "Distribution Group" is used generically in Exchange, and can refer to any mail-enabled group.
• Mail-enabled groups can be:
– AD universal distribution groups
– AD universal security groups
32
What types of groups can be mail-enabled?
* Either an AD distribution group, or an AD security group, can be mail enabled.
* But they must have a scope of "Universal." Exchange does not work with global or domain-local groups.
33
What's the difference between a distribution group and a security group?
A distribution group is an Active Directory group that is NOT a security principal.
In other words, you cannot use a Dist. group to assign permissions to resources.
A security group is an AD group that IS a security principal, and so can be assigned permissions.
34
What does granting "Full Access" permissions to a mailbox result in?
• The mailbox is automatically mapped in Outlook and Outlook on the Web (after perhaps a few hours)
– (This is the default behavior, but it can be disabled.)
* The user has full read and write access
* But the user does not automatically get Send As or Send on Behalf Of permissions; those are set separately.
35
What are "Mailbox Folder Permissions," and how does it work?
* Permissions set per specific individual folders, rather than per mailbox.
* Can be configured either by the mailbox owner using Outlook, or by an admin using Exchange Shell.
* It will NOT be automapped the way Full Access permissions will automap.
36
What are Mailbox Folder Permission Roles?
A set of built-in roles for Folder Permissions.
Users and admins can set specific permission settings individually, or select a role to apply a set of permissions at once.
37
What specific Mailbox Folder Permissions exist that can be granted?
There are 10:
* ReadItems
* CreateItems
* EditOwnedItems
* DeleteOwnedItems
* EditAllItems
* DeleteAllItems
* CreateSubfolders
* FolderOwner
* FolderContact
* FolderVisible
38
What Mailbox Folder Permission Roles exist?
* None
* Owner
* Publishing Editor
* Editor
* Publishing Author
* Author
* NonEditingAuthor
* Reviewer
* Contributor
* AvailabilityOnly
* LimitedDetails
39
What specific permissions come with this Mailbox Folder Permission Role?
Author
* CreateItems
* ReadItems
* FolderVisible
* EditOwnedItems
* DeleteOwnedItems
40
What specific permissions come with this Mailbox Folder Permission Role?
Publishing Author
* Same as Author, but adds:
| * CreateSubfolders
41
What specific permissions come with this Mailbox Folder Permission Role?
Editor
* Same as Author, but adds:
* EditAllItems
* DeleteAllItems
42
What specific permissions come with this Mailbox Folder Permission Role?
Publishing Editor
* Same as Editor, but adds:
| * CreateSubfolders
43
What specific permissions come with this Mailbox Folder Permission Role?
Owner
* Same as Publishing Editor, but adds:
* FolderOwner
* FolderContact
44
What specific permissions come with this Mailbox Folder Permission Role?
NonEditingAuthor
* CreateItems
* ReadItems
* FolderVisible
45
What specific permissions come with this Mailbox Folder Permission Role?
Reviewer
* ReadItems
| * FolderVisible
46
What specific permissions come with this Mailbox Folder Permission Role?
Contributor
* CreateItems
| * FolderVisible
47
What specific permissions come with this Mailbox Folder Permission Role?
AvailabilityOnly
* Applies to Calendar folders only
| * View only calendar free/busy information
48
What specific permissions come with this Mailbox Folder Permission Role?
LimitedDetails
* Applies to Calendar folders only
| * View only calendar free/busy information with meeting subject and location
49
For Mailbox Folder Permissions, how does inheritance of permissions work?
* When you apply a Folder Permissions to a folder, none of its existing subfolders will inherit the newly added permission. They will need to be set manually.
* However, any NEW folders that are created subsequent to configuring the permissions WILL inherit the parent folder's permission settings.
50
What happens if a user is granted both "Send As" and "Send On Behalf" permissions to another mailbox?
* They don't work well together. Only one should ever be granted to any one user.
* Outlook doesn't provide options when setting the "From" address, so the user will have no choice over whether "Send As" or "Send On Behalf" is used.
* Often, the send attempt will simply be rejected.
51
What is a Resource Mailbox?
* Like regular user mailboxes, except it has additional attributes for managing automated calendar processing.
* They are associated with a user account in AD, which is left disabled.
• There are two kinds:
– Room Mailboxes, used for fixed locations
– Equipment mailboxes, used for non-fixed location items (e.g. laptops, cars)
52
What Calendar Processing features are available for Resource Mailboxes?
• Automatic processing of meeting requests
– Configurable, can be policy based
– Can be set to require manual approval
• Enables a "self service" model for users to book rooms and equipment
53
How do you convert a regular user mailbox to a Resource Mailbox?
Set-Mailbox
"Name of Mailbox"
-Type
Room
or,
-Type
Equipment
54
What is a Room List?
* Just a distribution group that has an extra flag specifying it is a Room List.
* Room Mailbox accounts are added into the group.
* When users create a new appointment in Outlook, they will have a Room List drop-down option, and it will show what rooms are available out of the rooms on the list.
55
What are the Default Calendar Processing Restrictions that are applied to a new Resource Mailbox?
* Conflicting bookings are not allowed
* Bookings can be made up to 180 days in the future
* Meeting instances can last no longer than 24 hours
* Recurring meetings are allowed
* Bookings are allowed at any time of day
* External senders can't book resources
* All Bookings that are within policy are automatically accepted and booked
56
In automated Calendar Processing settings, what is the difference between these two policy settings?
AllBookInPolicy
AllRequestInPolicy
When each is set to True:
AllBookInPolicy means any booking attempt that is within policy will automatically be processed and booked.
AllRequestInPolicy means any booking attempt that is within policy will automatically be sent to specified ResourceDelegates for approval or rejection.
57
What are Public Folders?
* Used for team collaboration
* Used to store mail, contact, calendar, note, or task items
* Can be mail-enabled to receive mail
* Stored in public folder mailboxes
* Only accessible using Outlook or Outlook on the web (Need to be in "Folder" view)
58
What steps are involved in creating a Public Folder?
1) Create the Public Folder Mailbox to store the Public Folder Hierarchy
2) Create another Public Folder Mailbox to store the Public Folders and Public Folder contents
3) Create a Public Folder
4) Configure Folder Permissions as needed.
59
What is RBAC?
Role Based Access Control
* The permissions model for Exchange (since Exchange 2010)
* Provides granular control of permissions for administrative tasks
* Allows us to apply a least privilege approach to administrative rights
60
What are the components / configuration elements that make up RBAC in Exchange?
* Management role groups ("who")
* Management roles ("what")
* Management scopes ("where")
* Management role assignments
61
What are Management Role Groups?
* Universal Security Groups in AD
* They are assigned one or more Management Roles
* Exchange Setup creates 12 pre-defined management role groups, in an OU called "Microsoft Exchange Security Groups"
* Custom management role groups can also be created for specific requirements
62
What are Management Roles?
* Collections of role entries
* Typically assigned to Management Role Groups, though they can also be assigned directly to users
* When assigned, they grant the group or user permission to perform the tasks defined in the role entries
63
What is a Management Role Entry?
* A role entry defines a specific task or capability that administrators can perform
* For example, role entries can define cmdlets or scripts that a role can run
* They can even include and limit specific parameters for those cmdlets and scripts
64
What is a Management Scope?
* Defines where a role group's members will be able to perform their assigned roles.
* The scope can be, or example, an OU, a server, a database, or recipient filter
* The Pre-defined roles have a scope that includes all applicable objects, e.g. all Mail Contacts
* You can define custom scopes when creating custom role assignments
65
What kind of scope is assigned to each of the pre-built RBAC roles in Exchange?
* They all have a scope that includes all applicable objects across the entire organization.
* That is, none of them have a scope that is restrictive.
66
What is a Management Role Assignment?
* Connects management roles with users or role groups
* Each pre-defined role group has a set of existing role assignments from the pre-defined roles Exchange creates
* Custom role assignments can be created for either existing roles or custom roles
* Custom role assignments can inherit the default scope for the role, or define a custom management scope
67
What is a Management Role Assignment Policy?
* Assigned to mailboxes.
* Each mailbox can only be assigned a single role assignment policy.
* Defines what the user can manage for their own mailbox or distribution groups.
* A default management role assignment policy exists in each Exchange organization.
* Custom management role assignment policies can be created.
68
What permissions are allowed in the Default Role Assignment Policy, by default?
Allows user to view and modify their own:
* Contact information, such as address and mobile phone number
* Membership in distribution groups (provided those groups are "open")
* Custom Apps
* Marketplace Apps
69
What is this built-in Management Role Group?
Organization Management
Role holders have access to the entire Exchange Server 2016 organization and can perform almost any task against any Exchange Server object.
(Includes managing role groups and their members.)
70
What is this built-in Management Role Group?
View-Only Organization Management
Role holders can only view the properties of any object in the organization.
71
What is this built-in Management Role Group?
Recipient Management
Role holders have access to create, modify, or delete Exchange Server 2016 recipients within the Exchange Server organization, such as:
* Mailboxes
* Distribution Groups
* Contacts
72
What is this built-in Management Role Group?
UM Management
Role holders can manage the Unified Messaging (UM) features within the organization, such as UM server configuration, properties on mailboxes, prompts, and auto-attendant configuration.
73
What is this built-in Management Role Group?
Discovery Management
Role holders can perform searches of mailboxes in the Exchange Server organization for data that meets specific criteria.
This role group is assigned these roles:
• Mailbox Search role
• Legal Hold role
Together, these allow eDiscovery queries to be performed, and InPlace holds created for those queries.
74
What is this built-in Management Role Group?
Records Management
Role holders can configure compliance features, such as:
* retention policy tags
* message records management
* message classifications
* mailbox audit logging
* journaling
* transport rules
75
What is this built-in Management Role Group?
Server Management
Role holders have access to Exchange Server configuration. They do not have access to administer recipient configuration.
76
What is this built-in Management Role Group?
Help Desk
Role holders can perform limited recipient management.
77
What is this built-in Management Role Group?
Public Folder Management
Role holders can manage public folders and databases on Exchange servers.
78
What is this built-in Management Role Group?
Delegated Setup
Role holders can deploy previously provisioned Exchange servers.
79
What is this built-in Management Role Group?
Compliance Management
Role holders can configure and manage compliance settings, such as:
* Data Loss Prevention (DLP) policies
* Information Rights Management (IRM) configuration
* Messaging Records Management (MRM)
80
What is this built-in Management Role Group?
Hygiene Management
Role holders have access to three groups of cmdlets:
* Receive Connectors (create, modify, and delete)
* Transport Hygiene (can manage anti-spam features and grant permissions for antivirus products to integrate with Exchange Server)
* Transport Rules
81
What permissions does this role grant?
Mailbox Search
Perform eDiscovery queries / searches.
82
What permissions does this role grant?
Legal Hold role
Create a Litigation Hold (also known as an InPlace Hold without a query)
(If you also have the Mailbox Search role, then this role allows you to create a query-based InPlace Hold.)
83
How does BitLocker work on a Physical Server?
* Requires TPM chip (if needs for FIPS compliance, must be TPM 2.0.)
* Encrypted volumes can automatically unlock using recovery info stored in AD
84
How does BitLocker work on a Virtual Server?
* No TPM chip available
* Therefore, if OS volume is encryped, recovery key must be entered manually at startup
* If OS volume is not encrypted, system can boot but data volumes must be manually unlocked. (May be automated using a scheduled task).
85
How does BitLocker interact with AutoReseed?
For Exchange 2016 CU1 and earlier:
• The AutoReseed disk reclaimer IS NOT BitLocker-aware. So you need to either:
– Disable the disk reclaimer, and then manually format and encrypt spare disks in the DAG members, or:
– Leave disk reclaimer enabled, and after an AutoReseed event, manually encrypt the new volume
For Exchange 2016 CU2 and later:
* The AutoReseed disk reclaimer IS BitLocker-aware.
* Simply set the AutoDagBitLockerEnabled property of the DAG to $true
* The Disk Reclaimer will then automatically encrypt the spare disks in an AutoReseed event.
86
What is S/MIME?
* Secure/Multipurpose Internet Mail Extensions
| * A protocol for sending digitally signed and encrypted email messages
87
How does digitally signing a message work?
* Sender uses a private key to add a digital signature to an email message.
* That signature is based on the contents of the message itself
* When the recipient receives the message, they receive the sender's public key, to perform verification of the digital signature
88
What are the benefits of Digitally Signing a message?
* Verifies that the sender is who they claim to be
* Verifies that the message has not been changed since it was sent
* Sender can't claim they did not send it (non-repudiation)
* Does NOT provide privacy or prevent message from being read by others (i.e., no encryption)
89
How does encrypting a message work?
* The sender retrieves the recipient's public key, and uses it to encrypt the message that is being sent
* When the recipient receives the message, they use their own private key to decrypt it
90
What are the benefits of Encrypting a message?
* The message can only be decrypted and read by the recipient
* Provides privacy of the message (although not for the metadata)
* Verifies that message has not been changed since it was sent
* Does NOT verify that the sender is who they claim to be
* Does not provide non-repudiation
91
What are the requirements and restrictions of S/MIME?
* PKI infrastructure or 3rd-party certificate authority
* Certificates must be issued to users who require S/MIME capabilities
* Doesn't work with all mail clients, servers, webmail systems, and mobile devices
92
What are the steps for deploying S/MIME?
1) Deploy PKI using AD Certificate Services
2) Create a user certificate template that is enabled for auto-enrollment
3) Create a Group Policy for certificate auto-enrollment
4) Deploy the S/MIME extension for OWA users (if needed)
5) Perform user training
93
How does Message Signing and Encryption work for end users?
When composing a new message in Outlook, on the Ribbon > Options tab, there is a button for Encrypt and for Sign.
If they do not appear there, they are also in the More Options > Security Settings.
When an encrypted message is received, it shows a padlock icon in Outlook. It decrypts automatically and seamlessly for the recipient.
When a signed message is received, it shows a certification ribbon icon.
94
If Toad has Full Access permissions to Peach's mailbox, what happens when Mario sends Peach an encrypted message?
Only Peach will be able to open it.
Toad will see the message arrive, with its sender and subject information, but will not be able to read the contents. Even though he has Full Access, he does not have Peach's private key and will not be able to decrypt the message.
95
What is IRM?
* Information Rights Management
| * A means of enforcing usage rights on digital content such as email messages and office documents.
96
How does IRM work?
* Policy-based enforcement of protection and usage rights
* The protection stays with the file itself, so it remains in place even if the file is taken offline or outside of the network.
* It is not a built-in capability of Exchange. It requires AD RMS or Azure RMS to provide the rights management functionality.
97
What rights can be assigned to a policy template and enforced on content using IRM?
* Full Control
* View
* Edit
* Save
* Export
* Print
* Forward
* Reply
* Reply All
* Extract
* Allow Macros
* View Rights
* Edit Rights
98
What is a weakness of IRM for protecting content?
It is not bullet-proof against deliberate attacks.
For example, it can prevent a user from printing a protected document, but it doesn't stop them from taking a photograph of their screen.
99
What does Active Directory RMS support?
* Only on-prem servers
| * Exchange, SharePoint, and file servers
100
What are the requirements for AD RMS?
* Requires installation of highly available, on-prem servers
| * Complex to configure for external sharing of protected content. It's usually only used for internal-only content.
101
What advantages does Azure RMS have over AD RMS?
Azure RMS has these additional features over AD RMS:
* Does not require on-prem servers (but does support them if you install a connector)
* Supports Office 365 services
* External sharing works by default (instead of requiring a complex configuration)
* Includes two default policy templates (AD RMS includes none).
* Supports mobile and Mac clients.
* Allows document tracking or revocation.
102
How can Rights Management policies be applied?
* Through Transport Rules
| * Through Outlook Protection Rules
103
What are Outlook Protection Rules?
* Apply rights management to content before email is sent.
| * Only applies to messages sent from an Outlook client.
104
How do you configure Outlook Protection Rules?
* Only configurable through PowerShell, not EAC
* New-OutlookProtectionRule
* New rules and changes can take 24 hours for clients to receive, because clients poll Exchange Web Services only every 24 hours
105
What are the disadvantages of applying rights management policies to content through Transport Rules?
If using Transport Rules instead of Outlook Protection Rules:
* The sender isn't aware / notified that rights management is applied to the message
* The copy of the content in the sender's Sent Items remains unprotected
* There is no option to allow sender's to override the protection when that is desired
106
What are the disadvantages of applying rights management policies to content through Outlook Protection Rules?
* You have a much more limited set of conditions for building the rules
* Only applies to messages sent from an Outlook client.
