Exchange Online: Transport rules vs Quarantine policy - exchange-server

I would like to ask you for your help with Exchange configuration. We tried to set in O365 Exchange a transport rule/mail flow rule with the following response action: "Deliver the message to the hosted quarantine". We noticed, based on the MS documentation, that quarantine policies are not supported in transport rules (https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide), but then who is able to review/release the mails from quarantine? Is it only the Exchange admin / high-privilege accounts? Or is it possible to somehow configure it?
Also, is there a recommended way to bypass this limitation? E.g. mark the mail via a transport rule as high confidence spam or with some other tag so that another threat protection feature would trigger, and set the quarantine policy on top of that? Or is there any other, easier way?
Thank you!
Cheers,
Tomas

Default Quarantine Policy
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide
I have the same query. I found the above in Microsoft Docs which gives some hope but from what I have seen, there is no way to allow standard users to access items quarantined by Transport Rules or HCP.
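The workaround the question floats (mark the mail as high confidence spam from the rule and let the anti-spam policy's quarantine policy apply) as an added PowerShell example, not code from the thread or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module, an admin session, that a mail flow rule setting SCL 9 is then handled by the anti-spam policy as high confidence spam, and placeholder names for the quarantine policy, the rule and the sender domain (example.net):

```powershell
# Added example (not from the thread): route the message through the
# anti-spam verdict instead of the rule's own "hosted quarantine" action,
# so a quarantine policy with end-user release rights can apply to it.
# Assumptions: ExchangeOnlineManagement module installed, admin session;
# 'UserRelease', the rule name and 'example.net' are placeholders.
Connect-ExchangeOnline

# 1. Quarantine policy that lets recipients preview, delete, release and
#    block the sender of their own quarantined items.
#    23 = BlockSender(16) + Release(4) + Preview(2) + Delete(1)  ("Full access")
#    27 = BlockSender(16) + RequestRelease(8) + Preview(2) + Delete(1)  ("Limited access")
New-QuarantinePolicy -Name 'UserRelease' -EndUserQuarantinePermissionsValue 23

# 2. Make the default anti-spam policy quarantine high confidence spam and
#    attach that quarantine policy to the high confidence spam verdict.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -HighConfidenceSpamAction Quarantine `
    -HighConfidenceSpamQuarantineTag 'UserRelease'

# 3. Mail flow rule: instead of -Quarantine $true, stamp SCL 9 (high
#    confidence spam) so the anti-spam policy above decides the action.
New-TransportRule -Name 'Quarantine via SCL: example.net' `
    -SenderDomainIs 'example.net' `
    -SetSCL 9

# 4. Verify what will actually happen to a matching message.
Get-QuarantinePolicy -Identity 'UserRelease' | Format-List Name, EndUserQuarantinePermissionsValue
Get-HostedContentFilterPolicy -Identity 'Default' |
    Format-List HighConfidenceSpamAction, HighConfidenceSpamQuarantineTag
Get-TransportRule -Identity 'Quarantine via SCL: example.net' | Format-List Name, SetSCL, State
```

The point of the indirection is that a rule with `-Quarantine $true` has no quarantine policy slot at all, whereas the anti-spam policy does; messages stamped SCL 9 show up in the quarantine as high confidence spam and inherit that policy's end-user permissions. Test with a mailbox that is not an admin before rolling it out, and remember that SCL set by a rule overrides the filter's own verdict for that message.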

Related

Configuring CRM with an Exchange Server outside O365 using SSS

I have a requirement where I need to configure my CRM Online with an Exchange Server which is hosted outside my organization's Office 365, to sync emails for Incoming and Outgoing profiles.
Of the steps, I understand that I need to set up an Email Server Profile of type Exchange that has Server Location pointing to the Exchange Server which I have been using currently. However, I get an error saying that the configuration is invalid and I don't get to save the Incoming and Outgoing server locations. Also, do I need authentication for the same? If yes, whose should it be? The current Incoming and Outgoing is set to the URL (without '/EWS/Exchange.asmx', which is used by default for hosting it on O365).
Any help / links to blogs that effectively explain this would really help.
Thanks !
Supported email service configurations for server-side synchronization
CRM Online only supports Server Side Synchronization with:
Exchange Online in the same tenant in Office365 (mail, tasks, etc.)
Gmail or Yahoo! Mail via POP3/SMTP (mail only)
Anything else is not (yet [1]) supported.
[1] Online to On-Premise SSS is supposed to become supported at some point in the future.
There are three ways of handling email processing in CRM:
Server-side synchronization
CRM for Outlook
Email Router
Server-side synchronization does not support hybrid deployments (e.g. CRM Online with Exchange On-premise), as Alex mentions.
I suggest looking into the Email Router. You install it on a machine which is then responsible for synchronizing email messages between CRM and Exchange. For an in-depth explanation, see Email Router Demystified.
If you also need to synchronize Outlook contacts, tasks and appointments have a look at CRM for Outlook.

Cannot change Auto-Discover settings in Server Profile in CRM 2015 Online

I want to setup Server Side synchronization in a CRM 2015 Online environment. The Email Server Profile is not allowing me to change the Auto-discover settings.
It is set to Yes by default. Is it supposed to be this way?
Or is this a known issue.
Kindly Help.
Somewhat just a confirmation of Alex's comment.
Please see Supported email service configurations for server-side synchronization.
"CRM Online supports server-side synchronization with Exchange Online in the same tenant in Office 365 with Server to Server Authentication. Other authentication methods or settings are not recommended or supported, including:
- Setting Auto Discover Server Location to No"
So you can do server-side synchronisation, but only with Exchange Online, which is perhaps why you can't change that setting.

Outlook 2010 with Exchange Online

Does Outlook 2010/2013 interface with anything other than IMAP or POP3? If so, how? While manual configuration of IMAP works, the autodiscover wizard is turning up nothing. I have the CNAME on my 1and1.com pointed to www.mydomain.us. The manual setup for Outlook.com or compatible prompts for a server. Is that supposed to be the same server as specified for the IMAP?
I am hoping that setup for Outlook clients on PCs and laptops is as seamless as it is when the PC/laptop is on a LAN. Can Outlook Anywhere (over HTTPS/RPC) be used? If so, how does one obtain the proxy server names and settings?
When it is all set up, will the end-user experience emulate that of Outlook and Exchange 2010 in regards to calendar sharing and contacts?
Thank you for any insight.
I don't know what 1and1.com offers; however, you can only use Outlook Anywhere (RPC-over-HTTP) with Exchange 2003-2013.
Outlook 2003-2013 can use IMAP, POP, and Exchange MAPI (RPC). With add-ons you may be able to support other protocols, but I've never used any.
For autodiscover to work, you'll usually need Exchange, although there are some ways to generate the autodiscover XML without Exchange. Outlook 2010-13 (and I think 2007 too) can try to guess the IMAP/POP settings based on your email address, but the server would have to use pretty standard hostnames and ports for it to guess correctly.
IMAP and POP only support email message types and will not sync contacts and calendars between the server and the Outlook client, not natively anyway.

How would you configure a catch-all email system using Google Apps?

Using Google Apps for your Domain, is it possible to set up a catch-all address to act as a proxy for various other addresses on a hypothetical virtual mailbox system and, if so, how would you go about setting this up?
Set up Google Apps so that all mail delivered to a non-existent address gets sent to a certain address, log into that mailbox via POP, and download all mail addressed to x#your-service.com.
You might try the free service described at http://groups.google.com/group/google-appengine/browse_thread/thread/7f48e15a7cedafa6 ; I believe the ability for app engine to directly receive email is on Google's roadmap, but I don't know when it's scheduled to appear, or whether it will be available for free, etc, etc.

Does disabling anonymous access in IIS create a security risk?

If I uncheck the "Enable anonymous access" checkbox in IIS, so as to password protect a site, i.e. by restricting read access to designated Windows accounts, does the resulting password dialogue which is then presented to all anonymous http requests, represent a security risk in that it (seemingly) offers all and sundry an unlimited number of attempts to guess at any Windows account password?
EDIT:
Okay, not much joy with this so far, so I'm attaching a bounty. Just 50 points sorry, I am a man of modest means. To clarify what I'm after: does disabling anonymous access in IIS offer a password guessing opportunity to the public which did not exist previously, or is it the case that the browser's user credentials dialogue can be simulated by including a username and password in a http request directly, and that the response would indicate whether the combination was correct even though the page was open to anonymous users anyway? Furthermore, are incorrect password attempts submitted via http subject to the same lockout policy enforced for internal logins, and if so does this represent a very easy opportunity to deliberately lock out known usernames, or alternatively, if not, is there anything that can be done to mitigate this unlimited password guessing opportunity?
The short answer to your question is yes. Any time you give any remote access to any resource on your network it presents a security risk. Your best bet would be to follow IIS best practices and then take some precautions of your own. Rename your built in administrator account. Enforce strong password policies. Change the server header. Removing anonymous access, while a password guessing risk, is a very manageable one if used with the proper layered security model.
When you choose an authentication other than Anonymous, you certainly can be subject to password hacking. However, the account that is used is subject to the standard account lockout policies set in Local Security Policy and your Domain's security policy.
For example, if you have a local account "FRED" and the account lockout policy is set to 5 invalid attempts within 30 minutes, then this effectively prevents account password guessing, at the risk of a denial of service attack. However, setting the reset window to a value (15 minutes?) effectively limits the DOS.
Basic Authentication is not recommended for a non-SSL connection since the password will travel in plain text.
Digest Authentication requires passwords to be stored on the server using reversible encryption, so while better than Basic, Digest has its flaws.
Windows Integrated Authentication includes NTLM and Kerberos.
The IIS Server should be configured via Group Policy or Local Security settings to disable LM authentication ( Network security: LAN Manager authentication level set to "Send NTLMv2 response only" or higher, preferred is "Send NTLMv2 response only\refuse LM & NTLM") to prevent trivial LM hash cracking and to prevent NTLM man in the middle proxy attacks.
Kerberos can be used, however it only works if both machines are members of the same domain and the DC's can be reached. Since this doesn't typically happen over the internet, you can ignore Kerberos.
So the end result is, yes, disabling anonymous does open you up for password cracking attempts and DOS attacks, but these can be prevented and mitigated.
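The mitigations this answer lists (account lockout, no Basic without TLS, NTLMv2 only), applied and checked on the IIS host, as an added PowerShell example that is not part of the thread. It assumes an elevated session on an IIS 7.5 or later server with the WebAdministration module, that 'Default Web Site' is the site in question (a placeholder), and that failed logons are audited so event ID 4625 is written to the Security log:

```powershell
# Added example (not from the thread): harden a site that has anonymous
# access disabled, then report the settings that bound password guessing.
# Assumptions: run elevated on the IIS host; WebAdministration module present;
# 'Default Web Site' is a placeholder for the site name.
Import-Module WebAdministration
$site     = 'Default Web Site'
$authPath = '/system.webServer/security/authentication'

# Turn anonymous off and Windows Integrated (NTLM/Kerberos) on. Basic stays
# off: it would send the password in clear over any non-TLS connection.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter "$authPath/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter "$authPath/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter "$authPath/basicAuthentication"     -Name enabled -Value $false

# Require SSL on the site so the credential exchange is never in the clear.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter '/system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM":
# no LM/NTLMv1 responses to crack or relay.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -Type DWord -Value 5

# Report which schemes are enabled on the site.
foreach ($scheme in 'anonymousAuthentication', 'windowsAuthentication', 'basicAuthentication', 'digestAuthentication') {
    $enabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter "$authPath/$scheme" -Name enabled).Value
    '{0,-25} enabled={1}' -f $scheme, $enabled
}

# Lockout threshold / duration / observation window: the threshold caps
# guessing, the window and duration cap how long a deliberate lockout (DoS) lasts.
net accounts | Select-String 'Lockout'

# Guessing shows up as failed logons (4625); lockouts as 4740. For domain
# accounts 4740 is written on the DC, not here.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Account'; e = { $_.Properties[5].Value } }, @{ n = 'Source'; e = { $_.Properties[19].Value } }
```

The last query is the check the question is really asking for: if a burst of 4625 events from one source address is followed by a 4740 for a known username, the lockout policy is doing its job against guessing but has also handed an outsider a way to lock that user out, which is the trade-off the answer describes. Shortening the lockout duration and observation window limits how long that lasts; a non-guessable account for the site's authorized users limits who can be targeted.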
You should read about the different authentication mechanisms available: Basic, Digest, NTLM, Certificates, etc. The IETF compiled a document that discusses the pros and cons of some of these (NTLM is a proprietary MS protocol).
Bottom line is: You are not done with just disabling anonymous access. You definitely have to consider carefully what the attack scenarios are, what the potential damage might be, what user may be willing to accept and so on.
If you introduce authorization you need to address the risk of credentials being compromised. You should also think about whether what you actually want to achieve is confidential transport of the content: in this case you will have to introduce transport layer security like SSL.
I am by no means a hosting guru and I imagine there are ways and means of doing this, but my personal opinion is that what you are talking about doing is definitely an unnecessary security risk. If this site is to be available on the internet, i.e. it will have public access, then you probably don't want to disable anonymous access in IIS.
Please remember that the idea of being able to configure the anonymous access for a site in IIS is so that you can create a user which has specific permission to read the relevant files for a particular site. What we are talking about here is file access on a physical disc. For one thing, a public web server should be in a DMZ and not part of your company's domain, so users should not be able to log in with their domain credentials anyway.
The only reason why I could imagine that you would want to switch off anonymous access and force users to input their Windows credentials is for a site which will only be used internally, and even then I would probably not choose to restrict access in this manner.
If you want to restrict access to content on a public website then you would probably be better off writing something which handles authentication as part of the site itself, or a service which the site can consume. Then if someone were to obtain user credentials, at least all they will be able to do is gain access to the site, and there is no potential for a breach of your internal network by any means.
There is a reason why developers spend a lot of time writing user management solutions. You will find plenty of advice on how to write something like this and plenty of libraries that will do most of the work for you.