Security

List FIDO2 Keys and AAGUID for all Users with Microsoft Graph

List FIDO2 Keys and AAGUID for all Users with Microsoft Graph

Andres Bohren
Hi All, While looking into Enable passkeys in Microsoft Authenticator (preview) i figured, it is a good Idea tho have a List of FIDO2 AAGUID’s of all Users if enabled. This Article shows you how to Export the FIDO2 Keys and the AAGUID of all Users in a M365 Tenant. During my research i also found some AAGUID Lists on the Internet YubiKey Hardware FIDO2 AAGUIDs FIDO2 AAGUID lists Passkey Provider AAGUIDs Here you can see a registered FIDO2 Key in the M365 Security Info
Mail Transfer Agent Strict Transport Security (MTA-STS)

Mail Transfer Agent Strict Transport Security (MTA-STS)

Andres Bohren
Hi All, What is MTA-STS Mail Transfer Agent Strict Transport Security (MTA-STS) makes sure that Emails are Transfered over a secured TLS Connection but has lower requirements than DNS based Authentification of Named Entities (DANE). “Mail Transfer Agent Strict Transport Security (MTA-STS)” has been defined in 2018 in the following RFC rfc8461 SMTP MTA Strict Transport Security (MTA-STS) MTA-STS benefits: Emails are transfered over a secure TLS connection Must use TLS-Version 1.
Will Azure DNS soon support DNSSEC

Will Azure DNS soon support DNSSEC

Andres Bohren
Hi All, While writing the Blog Article that Microsoft is moving to New cloud.microsoft Domain for M365 i’ve been stumbled across something very interesting. In the Article from the Exchange Team Blog from Septemer 2023, they have anounced that Inbound DANE will be available between March and July 2024 using a new Domain *.mx.microsoft Implementing Inbound SMTP DANE with DNSSEC for Exchange Online Mail Flow I’ve decided to test DNSSEC with MXToolbox
throttling and blocking of out-of-date on-premises Exchange Servers

throttling and blocking of out-of-date on-premises Exchange Servers

Andres Bohren
Hi All, Microsoft has published several Blog Articles on the Exchange Team Blog, that they will throttle then block old and unpatched on-premises Exchange Servers. Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online Update on Transport Enforcement System in Exchange Online How to pause throttling and blocking of out-of-date on-premises Exchange Servers Timeline They started in Summer 2023 with Exchange 2007. Now in February 2024 they start to block Exchange 2013 - Extended Support ended on 11 April 2023
Enable DKIM in Exchange Online (updated)

Enable DKIM in Exchange Online (updated)

Andres Bohren
Hi All, A few years ago, i have already written an Article how to Enable DKIM in Exchange Online. Enable DKIM in Office 365 Things change over time and so does the Exchange Admin Center. Enabling DKIM has moved to the Microsoft Defender Admin Portal. Here are some older Articles regarding DKIM SPF / DKIM / DMARC DKIM with Exchange To enable DKIM in Exchange Online you have to go to the Microsoft Defender Admin Portal and select > Policies & rules > Threat Policies > Email authentication settings
Block ADDS Domain Join of Computers for Domain Users

Block ADDS Domain Join of Computers for Domain Users

Andres Bohren
Hi All, You might think that only Domain Administrators are able to add Computers to the Active Directory Domain. But that’s not true. AD Schema documentation MS-DS-Machine-Account-Quota attribute The number of computer accounts that a user is allowed to create in a domain. As a result, a regular Domain User can join up to 10 Computers to a Domain. If you open up adsiedit.msc and check the Properties on the Domain container and search for the Active Directroy Attribute “ms-DS-MachineAccountQuota” you can see that it has a value of “10”.
Swiss Domain Security Report Q4 2023

Swiss Domain Security Report Q4 2023

Andres Bohren
Hi All, I’ve published a new Swiss Domain Security Report Q4 2023 to rise awareness about the available Security technologies around Domains and Mailsecurity. It shows the adoption of diffrent technologies for the whole .ch TLD (Top Level Domain). Hope you enjoy it and learn something. Let’s improve the Security in Switzerland! Note: I am a private Person and this is just a Hobby Project. But i still believe this Report can be useful as an Overview of the Mail- and Domain Security in Switzerland.
November 2023 Exchange Server Security Updates

November 2023 Exchange Server Security Updates

Andres Bohren
Hi All, It’s again Patchday and Microsoft has released Security Updates for Exchange 2016 and 2019. Exchange Team Blog Released: November 2023 Exchange Server Security Updates Updates: Security Update For Exchange Server 2019 CU12 SU11 (KB5032146) Security Update For Exchange Server 2019 CU13 SU4 (KB5032146) Security Update For Exchange Server 2016 CU23 SU11 (KB5032147) I’ve downloaded the - MonitorExchangeAuthCertificate And checked the Exchange Auth Certificate .\MonitorExchangeAuthCertificate.ps1 Run the Setup after downloading
Automate Exchange Certificate renewal with Let's Encrypt

Automate Exchange Certificate renewal with Let's Encrypt

Andres Bohren
Hi All, My old TLS Certificate from GoDaddy has expired a few Days ago. I have already used “Let’s Encrypt” Certificates for Exchange in some Test Environements. Today i want you to show how to set up initionally and then use a Script to renew the Certificate on a regular basis. Initial Setup First of all you need a Client that can handle the “Let’s Encrypt” Certificate Request. There are plenty of alternatives out there.
October 2023 Exchange Server Security Updates

October 2023 Exchange Server Security Updates

Andres Bohren
Hi All, It’s again Patchday and Microsoft has released Security Updates for Exchange 2016 and 2019. Exchange Team Blog Released: October 2023 Exchange Server Security Updates Updates: Security Update For Exchange Server 2019 CU12 SU10 (KB5030877) Security Update For Exchange Server 2019 CU13 SU3 (KB5030877) Security Update For Exchange Server 2016 CU23 SU10 (KB5030877) The Token Cache will be fixed with the OS Updates for IIS. Today, Windows team has released the IIS fix for root cause of this vulnerability, in the form of fix for CVE-2023-36434.