Microsoft Exchange Server

Microsoft Exchange Server
Developer(s): Microsoft
Initial release: April 2, 1996 [1]
Stable release: 2019 RTM (v15.02.221.12), October 22, 2018 [2]
Operating system: Windows Server
Platform: x64
Type: Collaborative software
License: Proprietary commercial software
Website: www.microsoft.com/en-us/microsoft-365/exchange/email

Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems.

The first version was called Exchange Server 4.0, to position it as the successor to the related Microsoft Mail 3.5. Exchange initially used the X.400 directory service but switched to Active Directory later. Until version 5.0, it came bundled with an email client called Microsoft Exchange Client. This was discontinued in favor of Microsoft Outlook.

Exchange Server primarily uses a proprietary protocol called MAPI to talk to email clients, but subsequently added support for POP3, IMAP, and EAS. The standard SMTP protocol is used to communicate to other Internet mail servers.

Exchange Server is licensed both as on-premises software and software as a service (SaaS). In the on-premises form, customers purchase client access licenses (CALs); as SaaS, Microsoft charges a monthly service fee instead.

History

Microsoft had sold a number of simpler email products before, but the first release of Exchange (Exchange Server 4.0 in April 1996 [1] ) was an entirely new X.400-based client–server groupware system with a single database store, which also supported X.500 directory services. The directory used by Exchange Server eventually became Microsoft's Active Directory service, an LDAP-compliant directory service which was integrated into Windows 2000 as the foundation of Windows Server domains.

As of 2020, there have been ten releases.

Current version

The current version, Exchange Server 2019, [3] was released in October 2018. Unlike other Office Server 2019 products such as SharePoint and Skype for Business, Exchange Server 2019 could only be deployed on Windows Server 2019 when it was released. Since the 2022 H1 Cumulative Update, Exchange 2019 has also been supported on Windows Server 2022. [4] One of the key features of the new release is that Exchange Server can be deployed onto Windows Server Core for the first time. Additionally, Microsoft has retired the Unified Messaging feature of Exchange, meaning that Skype for Business on-premises customers will have to use alternative solutions for voicemail, such as Azure cloud voicemail.

Clustering and high availability

Exchange Server Enterprise Edition supports clustering of up to 4 nodes when using Windows 2000 Server, and up to 8 nodes with Windows Server 2003. Exchange Server 2003 also introduced active-active clustering, but for two-node clusters only. In this setup, both servers in the cluster are allowed to be active simultaneously. This is opposed to Exchange's more common active-passive mode in which the failover servers in any cluster node cannot be used at all while their corresponding home servers are active. They must wait, inactive, for the home servers in the node to fail. Subsequent performance issues with active-active mode have led Microsoft to recommend that it should no longer be used. [5] In fact, support for active-active mode clustering has been discontinued with Exchange Server 2007.

Exchange's clustering (active-active or active-passive mode) has been criticized because of its requirement for servers in the cluster nodes to share the same data. The clustering in Exchange Server provides redundancy for Exchange Server as an application, but not for Exchange data. [6] In this scenario, the data can be regarded as a single point of failure, despite Microsoft's description of this set-up as a "Shared Nothing" model. [7] This void has however been filled by ISVs and storage manufacturers, through "site resilience" solutions, such as geo-clustering and asynchronous data replication. [8] Exchange Server 2007 introduces new cluster terminology and configurations that address the shortcomings of the previous "shared data model". [9]

Exchange Server 2007 provides built-in support for asynchronous replication modeled on SQL Server's "log shipping" [10] in CCR (Cluster Continuous Replication) clusters, which are built on MSCS MNS (Microsoft Cluster Service Majority Node Set) clusters and do not require shared storage. This type of cluster can be inexpensive and can be deployed in one data center, or "stretched" across two data centers for protection against site-wide failures such as natural disasters. The limitation of CCR clusters is that they can have only two nodes, plus a third node known as the "voter node" or file share witness, which prevents "split-brain" [11] scenarios and is generally hosted as a file share on a Hub Transport server. The second type of cluster is the traditional clustering that was available in previous versions, now referred to as SCC (Single Copy Cluster). In Exchange Server 2007 the deployment of both CCR and SCC clusters has been simplified and improved; the entire cluster install process takes place during Exchange Server installation. LCR, or Local Continuous Replication, has been referred to as the "poor man's cluster". It is designed to replicate data to an alternative drive attached to the same system and is intended to provide protection against local storage failures. It does not protect against the case where the server itself fails.

In November 2007, Microsoft released SP1 for Exchange Server 2007. This service pack includes an additional high-availability feature called SCR (Standby Continuous Replication). Unlike CCR, which requires that both servers belong to a Windows cluster typically residing in the same datacenter, SCR can replicate data to a non-clustered server, located in a separate datacenter.

With Exchange Server 2010, Microsoft introduced the concept of the Database Availability Group (DAG). A DAG contains Mailbox servers that become members of the DAG. Once a Mailbox server is a member of a DAG, the Mailbox Databases on that server can be copied to other members of the DAG. When a Mailbox server is added to a DAG, the Failover Clustering Windows role is installed on the server and all required clustering resources are created.

Licensing

Like Windows Server products, Exchange Server requires client access licenses, which are different from Windows CALs. Corporate license agreements, such as the Enterprise Agreement, or EA, include Exchange Server CALs. It also comes as part of the Core CAL. Just like Windows Server and other server products from Microsoft, there is the choice to use User CALs or Device CALs. Device CALs are assigned to devices (workstation, laptop or PDA), which may be used by one or more users. [12] User CALs are assigned to users, allowing them to access Exchange from any device. User and Device CALs have the same price; however, they cannot be used interchangeably.

For service providers looking to host Microsoft Exchange, there is a Service Provider License Agreement (SPLA) available whereby Microsoft receives a monthly service fee instead of traditional CALs. Two types of Exchange CAL are available: Exchange CAL Standard and Exchange CAL Enterprise. The Enterprise CAL is an add-on license to the Standard CAL.

Clients

Microsoft Exchange Server uses a proprietary remote procedure call (RPC) protocol called MAPI/RPC, [13] which was designed to be used by Microsoft Outlook. Clients capable of using the proprietary features of Exchange Server include Evolution, [14] Hiri and Microsoft Outlook. Thunderbird can access Exchange server via the Owl Plugin. [15]

Exchange Web Services (EWS), an alternative to the MAPI protocol, is a documented SOAP-based protocol introduced with Exchange Server 2007. Exchange Web Services is used by the latest versions of Microsoft Entourage for Mac and Microsoft Outlook for Mac. Since the release of Mac OS X Snow Leopard, Mac computers running OS X have included some support for this technology via Apple's Mail application.

E-mail hosted on an Exchange Server can also be accessed using the POP3 and IMAP4 protocols, using clients such as Windows Live Mail, Mozilla Thunderbird, and Lotus Notes. These protocols must be enabled on the server. Exchange Server mailboxes can also be accessed through a web browser, using Outlook Web App (OWA). Exchange Server 2003 also featured a version of OWA for mobile devices, called Outlook Mobile Access (OMA).

Microsoft Exchange Server up to version 5.0 came bundled with Microsoft Exchange Client as the email client. After version 5.0, this was replaced by Microsoft Outlook, bundled as part of Microsoft Office 97 and later. [16] When Outlook 97 was released, Exchange Client 5.0 was still in development and was later released as part of Exchange Server 5.0, primarily because Outlook was only available for Windows. Later, in Exchange Server 5.5, Exchange Client was removed and Outlook was made the only Exchange client. As part of Exchange Server 5.5, Outlook was released for other platforms.

The original Windows 95 "Inbox" client also used MAPI and was called "Microsoft Exchange". A stripped-down version of the Exchange Client that does not have support for Exchange Server was released as Windows Messaging to avoid confusion; it was included with Windows 95 OSR2, Windows 98, and Windows NT 4. It was discontinued because of the move to email standards such as SMTP, IMAP, and POP3, all of which Outlook Express supports better than Windows Messaging.

Exchange ActiveSync

Support for Exchange ActiveSync (EAS) was added to Microsoft Exchange Server 2003. It allows a compliant device such as a Windows Mobile device or smartphone to securely synchronize mail, contacts and other data directly with an Exchange server and has become a popular mobile access standard for businesses due to support from companies like Nokia and Apple Inc. [17] as well as its device security and compliance features.

Support for push email was added to it with Exchange Server 2003 Service Pack 2 and is supported by Windows Phone 7, [18] the iPhone and Android phones, [19] but notably not by Apple's native Mail app on macOS.

Exchange ActiveSync Policies allow administrators to control which devices can connect to the organization, remotely deactivate features, and remotely wipe lost or stolen devices. [20]

Hosted Exchange as a service

The complexities of managing Exchange Server—namely running both one or more Exchange Servers, plus Active Directory synchronization servers—make it attractive for organisations to purchase it as a hosted service.

Third-party providers

Hosted Exchange has been available from a number of providers [21] for more than 10 years; as of June 2018, many providers market the service as "cloud computing" or "Software-as-a-Service". Exchange hosting allows Microsoft Exchange Server to run on the Internet, also referred to as the cloud, managed by a "Hosted Exchange Server provider" instead of being built and deployed in-house.

Exchange Online

Exchange Online is Exchange Server delivered as a cloud service hosted by Microsoft itself. It is built on the same technologies as on-premises Exchange Server, and offers essentially the same services as third-party providers which host Exchange Server instances. [22]

Customers can also choose to combine both on-premises and online options in a hybrid deployment. [23] Hybrid implementations are popular with organizations that are unsure of the need or urgency for a full transition to Exchange Online, and they also allow for staggered email migration.

Hybrid tools can cover the main stack of Microsoft Exchange, Lync, SharePoint, Windows, and Active Directory servers, in addition to using replica data to report cloud user experience. [citation needed]

History

Exchange Online was first provided as a hosted service in dedicated customer environments in 2005 to select pilot customers. [24] Microsoft launched a multi-tenant version of Exchange Online as part of the Business Productivity Online Standard Suite in November 2008. [25] In June 2011, as part of the commercial release of Microsoft Office 365, Exchange Online was updated with the capabilities of Exchange Server 2010.

Exchange Server 2010 was developed concurrently as a server product and for the Exchange Online service.

Vulnerabilities and hacks

2020

In February 2020, an ASP.NET vulnerability was discovered and exploited. It relied on a default setting that allowed attackers to run arbitrary code with system privileges; the only requirements were a connection to the server and a login to any user account, which can be obtained through credential stuffing. [26] [27]

The exploit relied on all installations and all versions of Microsoft Exchange using, by default, the same static validation key to decrypt, encrypt, and validate the ASP.NET 'View State', which is used to temporarily preserve changes to an individual page as information is sent to the server. The default validation key is therefore public knowledge, and wherever it is in use it can be used to decrypt and falsely verify a modified View State containing commands added by an attacker. [26] [27]

Once logged in as any user, the attacker loads any .ASPX page and requests both the session ID of that login and the valid View State directly from the server. This View State can be deserialised, modified to include arbitrary code, and then falsely verified by the attacker. The modified View State is serialised and passed back to the server in a GET request together with the session ID to show that it comes from a logged-in user; in legitimate use, the View State is always returned in a POST request and never in a GET request. The server then decrypts and runs the added code with its own privileges, so any command can be run and the server is fully compromised. [26] [27]
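As an added example (not from the article, Microsoft, or the cited researchers), the following Python implements two defender-side checks for the behaviour described above: one flags IIS log lines in which __VIEWSTATE or __VIEWSTATEGENERATOR arrives in the query string of a GET request, which legitimate ASP.NET pages never do, and one checks a web.config <machineKey> against a reviewer-supplied set of known default validation keys. The log excerpt, the web.config fragment, the key values and the field names are all constructed placeholders; the real default key must be taken from the vendor advisory, not from this example.

```python
"""Added example: defender-side checks for the static-machineKey View State issue.

Check 1 parses IIS W3C logs and flags GET requests carrying __VIEWSTATE or
__VIEWSTATEGENERATOR in the query string (legitimate pages send these via POST).
Check 2 looks for a <machineKey> validationKey that matches a set of known
default keys supplied by the reviewer. All sample data below is constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed IIS log excerpt; the column order follows the #Fields directive
# that real IIS logs emit at the top of each file. Every value is a placeholder.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-02-26 10:01:02 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 302
2020-02-26 10:01:09 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=PLACEHOLDER&__VIEWSTATE=AAEAAAD 443 CONTOSO\\jdoe 203.0.113.7 Mozilla/5.0 500
2020-02-26 10:02:11 10.0.0.5 GET /ecp/default.aspx - 443 CONTOSO\\asmith 198.51.100.3 Mozilla/5.0 200
2020-02-26 10:03:15 10.0.0.5 POST /ecp/default.aspx - 443 CONTOSO\\asmith 198.51.100.3 Mozilla/5.0 200
"""

VIEWSTATE_FIELDS = {"__VIEWSTATE", "__VIEWSTATEGENERATOR"}


def parse_w3c(text):
    """Turn a W3C extended log into a list of {field: value} dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
        elif line and not line.startswith("#"):
            parts = line.split(" ")
            if fields and len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def find_viewstate_in_get(rows):
    """Return rows where View State fields arrive in a GET query string."""
    hits = []
    for r in rows:
        if r.get("cs-method", "").upper() != "GET" or r.get("cs-uri-query", "-") == "-":
            continue
        keys = set(parse_qs(r["cs-uri-query"], keep_blank_values=True))
        if keys & VIEWSTATE_FIELDS:
            hits.append({"time": f"{r['date']} {r['time']}", "client": r.get("c-ip"),
                         "user": r.get("cs-username"), "path": r.get("cs-uri-stem"),
                         "status": r.get("sc-status")})
    return hits


# Constructed web.config fragment; both key values are placeholders, not real keys.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>
"""
# Placeholder set: in practice populate this from the vendor advisory.
KNOWN_DEFAULT_VALIDATION_KEYS = {"0123456789ABCDEF0123456789ABCDEF"}


def machine_key_is_known_default(config_xml, known_defaults):
    """True if any <machineKey> element uses a validationKey from known_defaults."""
    wanted = {k.upper() for k in known_defaults}
    root = ET.fromstring(config_xml)
    return any(mk.get("validationKey", "AutoGenerate").upper() in wanted
               for mk in root.iter("machineKey"))


if __name__ == "__main__":
    for hit in find_viewstate_in_get(parse_w3c(SAMPLE_LOG)):
        print("View State in GET:", hit)
    print("web.config uses a known default key:",
          machine_key_is_known_default(SAMPLE_WEB_CONFIG, KNOWN_DEFAULT_VALIDATION_KEYS))
```

Pointing `parse_w3c` at a real IIS log directory and a status of 500 on the flagged rows is a useful extra signal, since a tampered View State that fails validation produces a server error rather than a normal page.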

In July 2020, Positive Technologies published research explaining how hackers can attack Microsoft Exchange Server without exploiting any vulnerabilities. [28] It was voted into the Top 10 web hacking techniques of 2020 by PortSwigger Ltd. [29]

2021

In 2021, critical zero-day exploits were discovered in Microsoft Exchange Server. [30] Thousands of organizations were affected by hackers using these techniques to steal information and install malicious code. [31] Microsoft revealed that these vulnerabilities had existed for around 10 years, [32] but were exploited only from January 2021 onwards. The attack affected the email systems of an estimated 250,000 global customers, including state and local governments, policy think tanks, academic institutions, infectious disease researchers and businesses such as law firms and defense contractors. [33]

In a separate incident, an ongoing brute-force campaign running from mid-2019 to the present (July 2021) [needs update], attributed by British and American security agencies (NSA, FBI, CISA) to the GRU, has used publicly known Exchange vulnerabilities, as well as already-obtained account credentials and other methods, to infiltrate networks and steal data. [34] [35]

2023

In September 2023, Microsoft was notified that Microsoft Exchange is vulnerable to remote code execution and data theft attacks. Microsoft has not fixed these issues yet. [36]

References

  1. "Microsoft Exchange Server Available". Microsoft. April 2, 1996. Retrieved February 5, 2023.
  2. "Exchange Server build numbers and release dates". Microsoft. Retrieved February 19, 2018.
  3. "Microsoft kündigt Exchange 2019 an" [Microsoft announces Exchange 2019]. September 26, 2017.
  4. "Released: 2022 H1 Cumulative Updates for Exchange Server". TECHCOMMUNITY.MICROSOFT.COM. April 20, 2022. Retrieved April 21, 2022.
  5. "Considerations when deploying Exchange on an Active/Active cluster". Microsoft. Retrieved October 28, 2012.
  6. "The benefits of Windows 2003 clustering with Exchange 2003". The Exchange Team Blog. June 9, 2004. Retrieved October 28, 2012.
  7. "Exchange Clustering Concepts". TechNet. February 9, 2006. Retrieved October 28, 2012.
  8. "Storage Glossary: Basic Storage Terms". TechNet. Microsoft. March 8, 2005. Archived from the original on July 15, 2007. Retrieved October 28, 2012.
  9. "High availability". TechNet. March 8, 2005. Retrieved July 2, 2007.
  10. "Frequently asked questions - SQL Server 2000 - Log shipping". Microsoft. March 8, 2005. Retrieved October 28, 2012.
  11. "An update is available that adds a file share witness feature and a configurable cluster heartbeats feature to Windows Server 2003 Service Pack 1-based server clusters". Microsoft. Retrieved October 28, 2012.
  12. "Top 75 Microsoft Licensing Terms – A Glossary From A(ntigen) To Z(une)". OMTCO, omt-co Operations Management Technology Consulting GmbH. Retrieved April 24, 2013.
  13. "Exchange Server Protocols". Microsoft. November 7, 2008. Retrieved October 28, 2012.
  14. "Evolution/FAQ - GNOME Live!". Microsoft. Retrieved October 28, 2012.
  15. Beonex. "Owl for Exchange". Owl for Exchange. Retrieved February 21, 2020.
  16. "What is the Microsoft Exchange client?".
  17. "Microsoft Exchange ActiveSync Licensees". Microsoft. Retrieved October 28, 2012.
  18. "Exchange ActiveSync: Frequently Asked Questions". TechNet. Retrieved October 28, 2012.
  19. "Exchange ActiveSync". Apple. Retrieved October 28, 2012.
  20. "Apple - iPhone in Business". TechNet. Retrieved October 28, 2012.
  21. "Hosted Exchange Partner Directory". Microsoft. Retrieved October 28, 2012.
  22. "Microsoft Exchange Online for Enterprises Service Description". Microsoft. Retrieved October 28, 2012.
  23. Puca, Anthony (2013). Microsoft Office 365 Administration Inside Out. Microsoft Press. pp. 459–462. ISBN 978-0735678231.
  24. Ina Fried (March 10, 2005). "Microsoft hops into managed PC business". CNET News. Retrieved October 28, 2012.
  25. "Microsoft hops into managed PC business". Microsoft. November 7, 2008. Retrieved October 28, 2012.
  26. "Hackers Scanning for Vulnerable Microsoft Exchange Servers, Patch Now!". BleepingComputer. Retrieved March 20, 2021.
  27. Nusbaum, Scott; Paschen, Christopher (February 28, 2020). "Detecting CVE-2020-0688 Remote Code Execution Vulnerability on Microsoft Exchange Server". TrustedSec. Retrieved March 20, 2021.
  28. Sharoglazov, Arseniy (July 23, 2020). "Attacking MS Exchange Web Interfaces". PT SWARM. Retrieved June 18, 2022.
  29. "Top 10 web hacking techniques of 2020". PortSwigger Research. February 24, 2021. Retrieved June 18, 2022.
  30. "HAFNIUM targeting Exchange Servers with 0-day exploits". Microsoft Security. March 2, 2021. Retrieved March 14, 2021.
  31. "Exchange email hack: Hundreds of UK firms compromised". BBC News. March 11, 2021. Retrieved March 12, 2021.
  32. "Microsoft's big email hack: What happened, who did it, and why it matters". CNBC. March 9, 2021. Retrieved March 14, 2021.
  33. "Here's what we know so far about the massive Microsoft Exchange hack". CNN. March 10, 2021. Retrieved March 14, 2021.
  34. "NSA, Partners Release Cybersecurity Advisory on Brute Force Global Cyber Campaign". nsa.gov. National Security Agency. Archived from the original on July 2, 2021. Retrieved July 2, 2021.
  35. "Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments" (PDF). Defense.gov. Joint publication from US/UK security agencies. Retrieved July 3, 2021.
  36. "New Microsoft Exchange zero-days allow RCE, data theft attacks".