OWA
75 Topics

Calendaring is Really Hard to Code and That’s Why You Were An Hour Late to that Meeting

Writing code for calendaring features is hard. You finally figure out a good time for your team to meet, and then one of the attendees happens to live in a country that decided to implement Daylight Saving Time (DST) and change the local time by an hour. Just in that country. Here's some advice on what to do and how to handle it.

Exchange and SameSite Updates

The Stable release of the Google Chrome web browser scheduled for release beginning February 17, 2020 features a change in how cookies are handled. Microsoft is committed to addressing this change in behavior in its products and services before the February 4, 2020 rollout date to ensure our customers are minimally impacted.

Managing Focused Inbox in Office 365 and Outlook
Focused Inbox—focus on the emails that matter most

For many, the inbox is the command center for their day. It’s the way to keep track of what is going on and what needs to get done. Outlook’s Focused Inbox makes this process easier by helping you focus on the emails that matter most to you. It separates your inbox into two tabs — Focused and Other. Emails that you need to act on right away are on the Focused tab, while the rest wait for you in Other. You’ll be informed about email flowing to “Other”, and you can switch between tabs at any time to take a quick look. For more about what makes Focused Inbox great, see Outlook helps you focus on what matters to you.

Admin controls available for Focused Inbox:

Ensure certain business critical mails land in the Focused tab. Tenant admins have controls to ensure certain business critical communications, like HR, Payroll, etc., always land in the user’s Focused tab of the Inbox. These whitelists can be set up using mail flow rules from the Admin center or via PowerShell cmdlets. After these are set up successfully, all future messages that satisfy these mail flow rules will be delivered to the Focused tab of the Inbox on Outlook clients that support Focused Inbox.

Tenant and mailbox level control to enable/disable Focused Inbox. Tenant admins have controls to enable/disable Focused Inbox on Outlook clients (Windows, Mac, and web) for all current and future mailboxes, or for selected mailboxes in their tenant. These controls are available via PowerShell cmdlets. If tenant admins enable/disable Focused Inbox, the Focused Inbox experience will be turned ON/OFF for these users the next time they start the client. These controls do not block the availability of the feature for these users: if they so desire, users can still re-enable the feature individually on each of their clients.

Transition from Clutter

Focused Inbox is a refinement and improvement of a previous feature called Clutter. Clutter’s purpose was also to help you focus on the most important items in your inbox, but it did so by moving “Other” email to a separate folder. Focused Inbox makes it easier for you to stay on top of incoming email without having to visit another folder. The same machine-learned algorithm that moved items to the Clutter folder now powers Focused Inbox, meaning that any emails that were set to move to Clutter will now be moved to Other. The learning and training that users invested into Clutter are transitioned to Focused Inbox without any effort on the user’s part.

Users can keep using the existing Clutter experience through the transition. However, after the transition period, Clutter will be completely replaced by Focused Inbox. In the meantime, if a Clutter user chooses to opt in to using Focused Inbox, they will no longer receive less actionable email in the “Clutter” folder. Instead, email will be split between the Focused and Other tabs in their inbox. Tenant admins will be proactively notified before Clutter is fully replaced.

Note: If a user activates Focused Inbox from Outlook on the web, their messages will no longer be moved to the Clutter folder in Outlook desktop. For this reason, we don’t prompt active Clutter users to try Focused Inbox in Outlook on the web. If you have previously disabled Clutter for users in your organization, we will not automatically re-enable Clutter for those users, nor will we automatically enable Focused Inbox for those users.
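The admin controls described above (tenant-wide and per-mailbox on/off, plus a mail flow rule that forces business critical mail into the Focused tab) as an added example; this is not code from the original post, it assumes an Exchange Online PowerShell session is already connected, and "contoso.com", the user addresses and the rule name are placeholders.

```powershell
# Added example, not from the original post. Assumes Connect-ExchangeOnline
# has already been run; domain, addresses and rule name are placeholders.

# 1. Tenant-wide default: turn Focused Inbox off for every current and
#    future mailbox. As the post notes, users can still re-enable it
#    themselves in each supported client.
Set-OrganizationConfig -FocusedInboxOn $false

# 2. Mailbox-level override: switch it back on for a single pilot user.
Set-FocusedInbox -Identity "alex@contoso.com" -FocusedInboxOn $true

# 3. Mail flow rule: make sure Payroll mail always lands in the Focused tab.
#    The rule stamps the header that tells Exchange to bypass Focused Inbox
#    classification for matching messages.
New-TransportRule -Name "Payroll to Focused Inbox" `
    -From "payroll@contoso.com" `
    -SetHeaderName "X-MS-Exchange-Organization-BypassFocusedInbox" `
    -SetHeaderValue "true"

# 4. Verify the effective settings before telling users what to expect.
Get-OrganizationConfig | Select-Object FocusedInboxOn
Get-FocusedInbox -Identity "alex@contoso.com" | Select-Object Identity, FocusedInboxOn
```

Changes made with Set-OrganizationConfig or Set-FocusedInbox take effect the next time the user starts their Outlook client, so verify with step 4 rather than by watching a client immediately.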
The following table outlines how the user experience will look as Focused Inbox rolls out:

Admin Action: If admin does nothing during Focused Inbox rollout
User Experience - Today:
- OFF by default for users who are actively using Clutter today
- OFF by default for users who have disabled Clutter themselves
- OFF by default for users who had Clutter disabled by an administrator
- ON by default for everyone else
- Individual users can still enable or disable the feature in supported Outlook clients

Admin Action: If admin disables Focused Inbox organizationally
User Experience - Today:
- OFF by default for every user
- Individual users can still enable or disable the feature in supported Outlook clients

Admin Action: If admin enables Focused Inbox organizationally
User Experience - Today:
- ON by default for every user in your organization (including those using Clutter before)
- Individual users can still enable or disable the feature in supported Outlook clients

Roll out of Focused Inbox

Focused Inbox is now available (as of December 2017) to all Office 365 customers on the Monthly Channel of Office 365 ProPlus. Customers on the Semi-Annual Channel will see it arrive in the March 2018 Semi-Annual Targeted release and the July 2018 Semi-Annual release, according to that channel’s standard schedule.

Frequently asked questions:

What happens to the Clutter folder after a user enables Focused Inbox?
After Focused Inbox is enabled for a mailbox, the Clutter folder is demoted to a regular user folder. All regular user-created folder operations are supported, including delete.

Could admins clean up the Clutter folder for their users without enabling Focused Inbox?
We will enable admins to clean up the Clutter folder for their users, if they so desire. This will be supported via the current PowerShell cmdlets.

Is Focused Inbox available to on-premises users?
Focused Inbox only applies to Office 365 Exchange Online tenants and users.

Which Outlook clients support Focused Inbox?
Here is an updated list of supported Outlook clients.
Platform | Required build
iOS | Any supported build
Android | Any supported build
Mac (1) | 15.26+
Web | N/A. Available to all users.
Windows 10 Mobile | 16.0.8600+
Outlook 2016 for Windows (1), (2), (3) | 16.0.7967.2xxx+ | Version 1703 of Current Channel. Expected as part of July 2018 Semi-Annual release.

(1) Requires the Office 365 subscription versions of the clients. Focused Inbox will not be delivered to Outlook for Mac 2011, or the perpetual versions of Outlook 2013 for Windows and Outlook 2016 for Windows.
(2) Prior to build 16.0.8730 Version 1711, requires Modern Authentication to be enabled for Exchange Online.

The Exchange Team

Updates
6/5/2017: Updated list of supported clients.
11/8/2017: Changed "Modern Authentication to be enabled for Exchange Online" to "Prior to build 16.0.8730 Version 1711, requires Modern Authentication to be enabled for Exchange Online." Removed "(3) We are also working on an additional update, which will remove the requirement of Modern Authentication for Focused Inbox to work. That will come in a future fork." Changed "Emails that matter most to you are in the Focused tab, while the rest remain easily accessible—but out of the way in the Other tab." to "Emails that you need to act on right away are on the Focused tab, while the rest wait for you in Other."
12/12/2017: Several updates related to rollout. Details here.

Life in a Post TMG World – Is It As Scary As You Think?
Let’s start this post about Exchange with a common question: Now that Microsoft has stopped selling TMG, should I rip it out and find something else to publish Exchange with?

I have occasionally tried to answer this question with an analogy. Let’s try it. My car (let’s call it Threat Management Gateway, or TMG for short) isn’t actively developed or sold any more (like TMG). However, it (TMG) works fine right now, it does what I need (publishes Exchange securely), and I can get parts for it and have it serviced as needed (extended support for TMG ends 2020), and so I’m keeping it. When it eventually either doesn’t meet my requirements (I want to publish something it can’t do) or runs out of life (2020, but it could be later if I am OK accepting the risk of no support), then I’ll replace it.

Now, it might seem odd to offer up a car analogy to explain why Microsoft no longer selling TMG is not a reason for Exchange customers to panic, but I hope you’ll agree it works, and leads you to conclude that when something stops being sold, like your car, it doesn’t immediately mean you replace it; instead you think about the situation and decide what to do next. You might well decide to go ahead and replace TMG simply based on our decision to stop selling or updating it. That’s fine, but just make sure you are thinking the decision through. Of course, you might also decide not to buy another car. Your needs have changed. Think about that.

Here are some interesting Exchange-related facts to help further cement the idea I’m eventually going to get to:

1. We do not require traffic to be authenticated prior to hitting services in front of Exchange Online.
2. We do not do any form of pre-authentication of services in front of our corporate, on-premises messaging deployments either.
3. We have spent an awfully large amount of time as a company working on securing our code, writing secure code, testing our code for security, and understanding the threats that exist to our code. This is why we feel confident enough to do #1 and #2.
4. We have come to learn that adding layers of security often adds little additional security, but certainly lots of complexity.
5. We have invested in getting our policies right and monitoring our systems.

This basically says we didn’t buy another car when ours didn’t meet our needs any more. We don’t use TMG to protect ourselves any more. Why did we decide that?

To explain that, you have to cast your mind back to the days of Exchange and Windows 2000. The first thing to admit is that our code was less ‘optimal’ (that’s a polite way of putting it), and there were security issues caused by anonymous access. So, how did we (Exchange) tell you to guard against them? By using something called ISA (Internet Security and Acceleration – which is an odd name for what it was, a firewall). ISA, amongst other things, did pre-authentication of connections. It forced users to authenticate to it, so it could then allow only authenticated users access to Exchange. It essentially stopped anonymous users getting to Windows and Exchange. Which was good for Windows and Exchange, because there were all kinds of things that they could do if they got there anonymously. However, once authenticated users got access, they too could still do those bad things if they chose to. And so of course could anyone not coming through ISA, such as internal users.

So why would you use ISA? It was so that you would know who these external users were, wouldn’t you? But do you really think that’s true? Do you think most customers a) noticed something bad was going on and b) trawled logs to find out who it was who did it? No, they didn’t. So it was a bit like an insurance policy. You bought it, you knew you had it, you didn’t really check to see if it covered what you were doing until you needed it, and by then it was too late: you found out your policy didn’t cover that scenario and you were in the deep doo doo. Insurance alone is not enough. If you put any security device in front of anything, it doesn’t mean you can or should just walk away and call it secure.

So at around the same time as we were telling customers to use ISA, back in the 2000 days, the whole millennium bug thing was over, and the proliferation of the PC and the Internet was continuing to expand. This is a very nice write-up on the Microsoft view of the world. Those industry changes ultimately resulted in something we called Trustworthy Computing, which was all about changing the way we develop software – “The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.” There was also the Secure Windows Initiative. And the Security Development Lifecycle. And many other three letter acronyms I’m sure, because whatever it was you did, it needed a good TLA.

We made a lot of progress over the ten years since then. We delivered on the goal that the security of the application can be better managed inside the OS and the application rather than at the network layer. But of course most people still seem to think of security as being mainly at the network layer, so think for a moment about what your hardware/software/appliance based firewall does today. It allows connections from a source, on some configurable protocol/port, to a configured destination protocol/port. If you have a load balancer, and you configure it to allow inbound connections to an IP on its external interface, to TCP 443 specifically, telling it to ignore everything else, and it takes those packets and forwards them to your Exchange servers, is that not the same thing as a firewall? Your load balancer is a packet filtering firewall. Don’t tell your load balancing vendor that, they might want to charge you extra for it, but it is.

And when you couple that packet level filtering firewall/load balancer with software behind it that has been hardened for 10 years against attacks, you have a pretty darn secure setup. And that is the point. If you hang one leg of your load balancer on the Internet, and one leg on your LAN, and you operate a secure and well managed Windows/Exchange Server, you have a more secure environment than you think. Adding pre-authentication and layers of networking complexity in front of that buys you very little extra, if anything.

So let’s apply this directly to Exchange, and try and offer you some advice from all of this. What should YOU do? The first thing to realize is that you now have a CHOICE. And the real goal of this post is to help you make an INFORMED choice. If you understand the risks, and know what you can and cannot do to mitigate them, you can make better decisions. Do I think everyone should throw out that TMG box they have today and go firewall commando? No, not at all. I think they should evaluate what it does for them, and whether they need it going forward. If they do that, and decide they still want pre-auth, then find something that can do it, when the time to replace TMG comes. You could consider it a sliding scale of choice. Something like this perhaps:

This illustrates that there are some options and choices:

Just use a load balancer – as discussed previously, a load balancer only allowing in specified traffic is a packet filtering firewall. You can’t just put it there and leave it though; you need to make sure you keep it up to date, your servers up to date, and possibly employ some form of IDS solution to tell you if there’s a problem. This is what Office 365 does.

TMG/UAG – at the other end of the scale are the old school ‘application level’ firewall products. Microsoft has stopped selling TMG, but as I said earlier, that doesn’t mean you can’t use it if you already have it, and it doesn’t stop you using it if you buy an appliance with it embedded.

In the middle of these two extremes (though ARR is further to the left of the spectrum as shown in the diagram) are some other options. Some load balancing vendors offer pre-authentication modules, if you absolutely must have pre-auth (but again, really… you should question the reason); some use LDAP, some require domain joining the appliance and using Kerberos Constrained Delegation, and Microsoft has two options here too.

The first (and favored by pirates the world over) is Application Request Routing, or ARR! for short. ARR! (the ! is my own addition; marketing didn’t add that to the acronym, but if marketing were run by pirates, they would have) “is a proxy based routing module that forwards HTTP requests to application servers based on HTTP headers and server variables, and load balance algorithms” – read about it here, and in the series of blog posts we’ll be posting here in the not too distant future. It is a reverse proxy. It does not do pre-authentication, but it does let you put a non-domain joined machine in front of Exchange to terminate the SSL. If your 1990’s style security policy absolutely requires that, ARR is an option.

The second is WAP. Another TLA. Recently announced at TechEd 2013 in New Orleans is the upcoming Windows Server 2012 R2 feature, Web Application Proxy. It is a Windows 2012 feature focused on browser and device based access, with strong ADFS support, and WAP is the direction the Windows team is investing in these days. It can currently offer pre-authentication for OWA access, but not for Outlook Anywhere or ActiveSync. See a video of the TechEd session here (the US session) and here (the Europe session).

Of course all this does raise some tough questions.
So let’s try and answer a few of those.

Q: I hear what you are saying, but Windows is totally insecure, my security guy told me so.
A: Yes, he’s right. Well, he was right, in the yesteryear world in which he formed that opinion. But times have changed, and when was the last time he verified that belief? Is it still true? Do things change in this industry?

Q: My security guy says Microsoft keeps releasing security patches and surely that’s a sign that their software is full of holes?
A: Or is the opposite true? All software has the potential for bugs and exploits, and not telling customers about risks, or not releasing patches for issues discovered, is negligent. Microsoft takes the view that informed customers are safer customers, and making vulnerabilities and mitigations known is the best way of protecting against them.

Q: My security guy says he can’t keep up with the patches and so he wants to make the server ‘secure’ and then leave it alone. Is that a good idea?
A: No. It’s not (I hope) what he does with his routers and hardware based firewalls, is it? Software is a point-in-time piece of code. Security software guards against exploits and attacks it knows of today. What about tomorrow? None of us are saying Windows, or any other vendor’s solution, is secure forever, which is why a well-managed and secure network keeps machines monitored and patched. If he does not patch other devices in the chain, overall security is compromised. Patches are the reality of life today, and they are the way we keep up with the bad guys.

Q: My security guy says his hardware based firewall appliance is much more secure than any Windows box.
A: Sure. Right up to the point at which that device has a vulnerability exposed. Any security device is only as secure as the code that was written to counter the threats known at that time. After that, it’s all the same: they can all be exploited.

Q: My security guy says I can’t have traffic going all the way through his 2 layers of DMZ and multitude of devices, because it is policy. It is more secure if it gets terminated and inspected at every level.
A: Policy. I love it when I hear that. Who made the policy? And when? Was it a few years back? Have the business requirements changed since then? Have the risks they saw back then changed any? Sure, they have, but rarely does the policy get updated. It’s very hard to change the entire architecture for Exchange, but I think it’s fair to question the policy. If they must have multiple layers, for whatever perceived benefit that gives (ask them what it really does, and how they know when a layer has been breached), there are ways to do that, but one could argue that more layers doesn’t necessarily make it better, it just makes it harder. Harder to monitor, and to manage.

Q: My security guy says if I don’t allow access from outside except through a VPN, we are more secure.
A: But every client who connects via a VPN adds one more gateway/endpoint to the network, don’t they? And they have access to everything on the network rather than just to a single port/protocol. How is that necessarily more secure? Plus, how many users like VPNs? Does making it harder to connect and get email, so people can do their job, make them more productive? No, it usually means they might do less work, as they can’t be bothered to input a little code just so they can check email.

Q: My security guy says if we allow users to authenticate from the Internet to Exchange then we will be exposed to an account lockout Denial of Service (DoS).
A: Yes, he’s right. Well, he’s right only because account lockout policies are being used, something we’ve been advising against for years, as they invite account lockout DoS’s. These days, users typically have their SMTP address set to equal their User Principal Name (UPN) so they can log on with (what they think is) their email address. If you know someone’s email address, you know their account logon name. Is that a problem? Well, only if you use account lockout policies rather than using strong passwords/passphrases and monitoring. That’s what we have been telling people for years. But many security people feel that account lockouts are their first line of defense against dictionary attacks trying to steal passwords. In fact, you could also argue that a bad guy trying out passwords and getting locked out now knows the account he’s trying is valid…

Note the common theme in these questions is obviously – “the security guy said…”. And it’s not that I have it in for security guys generally speaking, but given they are the people who ask these questions, in my experience some of them think their job is to secure access by preventing access. If you can’t get to it, it must be safe, right? Wrong. Their job is to secure the business requirements. Or put another way, to allow their business to do their work, securely. After all, most businesses are not in the business of security. They make pencils. Or cupcakes. Or do something else. And isn’t the job of the security folks working at those companies to help them make pencils, or cupcakes, securely, and not to stop them from doing those things?

So there you go, you have choices. What should you choose? I’m fine with you choosing any of them, but only if you choose the one that meets your needs, based on your comfort with risk, based on your operational level of skill, and based on your budget.

Greg Taylor
Principal Program Manager Lead
Exchange Customer Adoption Team