Microsoft Exchange Server 2016 PowerShell Cookbook - Fourth Edition

Product type Book
Published in Jul 2017
Publisher
ISBN-13 9781787126930
Pages 648 pages
Edition 4th Edition
Languages
Authors (3): Jonas Andersson, Nuno Mota, Mike Pfeiffer

Table of Contents (17) Chapters

  Preface
  1. PowerShell Key Concepts
  2. Exchange Management Shell Common Tasks
  3. Managing Recipients
  4. Managing Mailboxes
  5. Distribution Groups and Address Lists
  6. Mailbox Database Management
  7. Managing Client Access
  8. Managing Transport Servers
  9. Exchange Security
  10. Compliance and Audit Logging
  11. High Availability
  12. Monitoring Exchange Health
  13. Integration
  14. Scripting with the Exchange Web Services Managed API
  15. Common Shell Information
  16. Query Syntaxes

Exchange Security

In this chapter, we will cover the following topics:

  • Granting users full access permissions to mailboxes
  • Finding users with full access to mailboxes
  • Sending email messages as another user or group
  • Throttling client connections
  • Working with Role Based Access Control
  • Creating a custom RBAC role for administrators
  • Creating a custom RBAC role for end users
  • Troubleshooting RBAC
  • Generating a certificate request
  • Installing certificates and enabling services
  • Importing certificates on multiple Exchange servers
  • Configuring Domain Security
  • Configuring S/MIME for OWA
  • Configuring Windows Defender Exclusions

Introduction

When it comes to managing security in Exchange 2016, you have several options depending on the resources that you're dealing with. For example, you can allow multiple users to open a mailbox by assigning them full access permissions to a mailbox object, but granting administrators the ability to create recipient objects needs to be done through Role Based Access Control (RBAC). Obviously, since the security for both components is handled differently, we have unrelated sets of cmdlets that need to be used to get the job done, and managing each of them through the Shell requires a different approach.

In this chapter, we'll take a look at several solutions implemented through the Exchange Management Shell that address each of the components described previously, as well as some additional techniques that can be used to improve your efficiency when dealing with...

Granting users full access permissions to mailboxes

One of the most common administrative tasks that Exchange administrators perform is to manage access rights to mailboxes. For example, you may have several users that share access to an individual mailbox, or you may have administrators and help desk staff that need to be able to open end users' mailboxes when troubleshooting a problem or providing technical support. In this recipe, you'll learn how to assign the permissions required to perform these tasks through the Exchange Management Shell.

How to do it...

To assign full access rights for an individual user to a specific mailbox, use the Add-MailboxPermission cmdlet:

    Add-MailboxPermission dsmith `
...

Finding users with full access to mailboxes

One of the issues with assigning full mailbox access to users and support personnel is that things change over time. People change roles, move to other departments, or even leave the organization. Keeping track of all of this and removing full access permissions when required can be challenging in a fast-paced environment. This recipe will allow you to solve these issues using the Exchange Management Shell to find out exactly who has full access permissions to the mailboxes in your environment.

How to do it...

To find all users or groups who have been assigned full access rights to a mailbox, use the Get-MailboxPermission cmdlet:

    Get-MailboxPermission admin | `
    Where-Object...
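
The audit this recipe describes can be run across every mailbox by filtering the permission entries down to explicit, allow-type FullAccess grants. The following is an added example, not code from the book: the function name Get-ExplicitFullAccess, the CONTOSO accounts and the report path are hypothetical, and the sample entries are constructed to mirror the properties that Get-MailboxPermission returns.

```powershell
# Added example, not from the book. Property names follow Get-MailboxPermission output.
function Get-ExplicitFullAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Permission,
        # Accounts expected on every mailbox (assumption; extend for your organization).
        [string[]]$IgnoreUser = @('NT AUTHORITY\SELF')
    )
    process {
        # AccessRights is multi-valued; join it so one test covers every entry.
        $rights = @($Permission.AccessRights) -join ','
        if ($rights -notmatch 'FullAccess') { return }   # other rights are out of scope
        if ($Permission.IsInherited)        { return }   # inherited from parent ACLs
        if ($Permission.Deny)               { return }   # a deny entry grants nothing
        if ($IgnoreUser -contains [string]$Permission.User) { return }

        [pscustomobject]@{
            Mailbox = [string]$Permission.Identity
            User    = [string]$Permission.User
            Rights  = $rights
        }
    }
}

# Constructed sample entries shaped like Get-MailboxPermission output.
$sample = @(
    [pscustomobject]@{ Identity='admin'; User='NT AUTHORITY\SELF'; AccessRights=@('FullAccess','ReadPermission'); IsInherited=$false; Deny=$false }
    [pscustomobject]@{ Identity='admin'; User='CONTOSO\dsmith'; AccessRights=@('FullAccess'); IsInherited=$false; Deny=$false }
    [pscustomobject]@{ Identity='admin'; User='CONTOSO\Exchange Servers'; AccessRights=@('FullAccess'); IsInherited=$true; Deny=$false }
    [pscustomobject]@{ Identity='Frank Howe'; User='CONTOSO\ecook'; AccessRights=@('ReadPermission'); IsInherited=$false; Deny=$false }
    [pscustomobject]@{ Identity='Frank Howe'; User='CONTOSO\helpdesk'; AccessRights=@('FullAccess'); IsInherited=$false; Deny=$true }
)

# Only the explicit grant to CONTOSO\dsmith on the admin mailbox is reported.
$sample | Get-ExplicitFullAccess | Format-Table -AutoSize

# Against a live organization, from the Exchange Management Shell:
# Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Get-ExplicitFullAccess |
#     Export-Csv C:\FullAccessReport.csv -NoTypeInformation
```

Comparing the exported report between runs shows which grants were added since the last review and which should have been removed after a role change.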

Sending email messages as another user or group

In some environments, it may be required to allow users to send email messages from a mailbox as if the owner of that mailbox had actually sent that message. This can be accomplished by granting Send-As permissions to a user on a particular mailbox. In addition, you can also allow a user to send email messages that are sent using the identity of a distribution group. This recipe explains how you can manage these permissions from the Exchange Management Shell.

How to do it...

To assign Send-As permissions to a mailbox, we use the Add-ADPermission cmdlet:

    Add-ADPermission "Frank Howe" `
    -User "Eric Cook" `
    -AccessRights ExtendedRight `...

Throttling client connections

Client Throttling Policies are used to manage client access performance by stipulating, for example, the number of concurrent connections for each client access protocol, the percentage of time that a client session can use to perform certain operations, and so on. There is a default client throttling policy named GlobalThrottlingPolicy_<GUID> with a throttling scope of Global that is perfectly adequate to manage the load placed on client access services for most environments. However, if this is not the case for your environment, you can modify this default policy or create additional custom policies to meet your requirements.

Client throttling policies are available for ActiveSync (EAS), Exchange Web Services (EWS), Outlook on the web (OWA), and RPC Client Access (RCA), among a few others. At the time of writing this book (Exchange 2016 CU5...

Working with Role Based Access Control

The security model that was introduced in Exchange 2010 is still present in Exchange 2016. With the introduction of the RBAC permissions model, you can essentially control which cmdlets administrators and end users are allowed to run. This recipe will show you how to work with RBAC permissions in Exchange 2016.

How to do it...

Let's say that you need to allow a member of your staff to manage the settings of the Exchange servers in your organization. This administrator only needs to manage server settings and should not be allowed to perform any other tasks, such as recipient management.

Exchange 2016 provides a large set of predefined permissions that can be used to address common...

Creating a custom RBAC role for administrators

Sometimes, the management roles that are installed by Exchange are not specific enough to meet your needs. When you are faced with this issue, the solution is to create a custom RBAC role. The process can be a little tricky, but the level of granular control that you can achieve is quite astounding. This recipe will show you how to create a custom RBAC role that can be assigned to administrators based on a very specific set of requirements.

How to do it...

Let's say that your company has decided that a group of support personnel should be responsible for the creation of all new Exchange recipients. You want to be very specific about what type of access this group will be...

Creating a custom RBAC role for end users

Like custom RBAC roles for administrators, you can also create custom roles that apply to your end users. This may be useful when you need to allow them to modify additional configuration settings that apply to their own accounts through the ECP. This recipe will provide a real-world example of how you might implement a custom RBAC role for end users in your Exchange organization.

How to do it...

When users log on to ECP, they have the ability to modify their work phone number, fax number, home phone number, and mobile phone number, among other things. Let's say that you need to limit this so that they can only update their home phone number, as their work, fax, and mobile numbers...

Troubleshooting RBAC

Troubleshooting permission issues can be challenging, especially if you've implemented custom RBAC roles. In this recipe, we'll take a look at some useful techniques that can be used to troubleshoot issues related to RBAC.

How to do it...

There are several scenarios in which you can use the Exchange Management Shell cmdlets to solve problems with RBAC, and there are a couple of cmdlets that you'll need to use to do this. The following steps outline the solutions for some common troubleshooting situations:

  1. To determine which management roles have been assigned to a user, use the following command syntax:
    Get-ManagementRoleAssignment -GetEffectiveUsers | `
    Where-Object {$_.EffectiveUserName...

Generating a certificate request

In order to create a new certificate, you first need to generate a certificate request using either the Exchange Admin Center, or through the Shell using the New-ExchangeCertificate cmdlet. Once you have a certificate request generated, you can then obtain a certificate from an internal Certificate Authority (CA) or from a third-party external CA (recommended). In this recipe, we'll take a look at the process of generating a certificate request from the Exchange Management Shell.

How to do it...

Let's see how to generate a certificate request using the following steps:

  1. In this example, we'll generate a request using two Subject Alternative Names (SANs). This will allow us to...

Installing certificates and enabling services

After you've generated a certificate request and have obtained a certificate from a CA, you will need to install the certificate on your server using the Import-ExchangeCertificate cmdlet. This recipe will show you how to install certificates issued from a certificate authority and how to assign services to the certificate using the Exchange Management Shell.

How to do it...

Let's see how to install and enable services using the following steps:

  1. Let's say that you have requested and downloaded a certificate from an Active Directory Enterprise CA and downloaded the file to the root of the C:\ drive. First, read the certificate data into a variable in the Shell using...

Importing certificates on multiple Exchange servers

If your environment contains multiple Exchange servers, you'll likely want to use the same certificate on multiple servers. If you have a large number of servers, importing certificates one at a time, even with the Exchange Management Shell, could end up being quite time-consuming. This recipe will provide a method to automate this process using the Exchange Management Shell.

How to do it...

Once you've gone through the process of generating a certificate request, installing a certificate and assigning the services on one server, you can export that certificate and deploy it to your remaining servers.

The following steps outline the process of exporting an installed...

Configuring Domain Security

Securing SMTP traffic has been a concern for many years. Nowadays, many servers support opportunistic Transport Layer Security (TLS) where the sending server first attempts to secure the path that emails take when they travel to recipient email systems by using encryption. However, this is not always possible and emails end up being sent in clear text.

As you will see in the last recipe of this chapter, S/MIME can be used to digitally sign and encrypt emails, but if certificates from an internal PKI are used, external recipients will likely not trust them. Additionally, implementing S/MIME on an enterprise scale is not always easy.

Domain security provides a low-cost alternative to S/MIME and other message-level security solutions, by helping secure SMTP traffic between two Exchange organizations. Its advantage is that it is configured on a server level...

Configuring S/MIME for OWA

For those of you who might not be aware of what S/MIME (Secure/Multipurpose Internet Mail Extensions) is, this short description might be helpful.

As most of you are aware, emails in general are mostly insecure if they are not digitally signed and their transport isn't encrypted. With S/MIME, the messages can be digitally signed, which can be seen as a guarantee that the sender is the person they claim to be and not someone else. With the use of S/MIME, the contents and attachments of messages can also be encrypted.

In Exchange 2013 RTM, the support for S/MIME was removed for OWA, but it was brought back when Service Pack 1 was released and it is still available in Exchange 2016.

For this recipe, I've decided to use an internal PKI solution based on Windows Server 2016 for issuing certificates to users for securing their emails and ensuring...

Configuring Windows Defender Exclusions

It is always recommended to install antivirus software on Exchange servers, or any server for that matter, to help enhance the security and health of the Exchange organization. However, this will cause issues in Exchange if it is not configured correctly. For example, the antivirus might lock an open log or database file that Exchange needs to access or modify, thus possibly causing severe failures.

For this reason, it is crucial to properly configure folder, process and file name extension exclusions on any antivirus program running on Exchange servers.

When installing Exchange 2016 on Windows Server 2016, Windows Defender is installed by default. The good news is that it contains PowerShell cmdlets that we can use to easily configure these exclusions.

In this recipe, we will have a look at how to configure Exchange exclusions in Windows...
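
Every exclusion is a location the scanner no longer inspects, so once the folder, process and extension exclusions are configured it is worth checking them against an approved baseline. The following is an added example, not code from the book: the function name Compare-DefenderExclusion, the baseline contents and the sample paths are constructed, while the three property names are those returned by Get-MpPreference.

```powershell
# Added example, not from the book. Reports drift between configured and approved exclusions.
function Compare-DefenderExclusion {
    param(
        [Parameter(Mandatory)] [object]$Preference,    # output of Get-MpPreference
        [Parameter(Mandatory)] [hashtable]$Baseline    # approved exclusions per type
    )
    foreach ($type in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        # Unset lists come back as $null; normalise both sides to arrays.
        $configured = @($Preference.$type | Where-Object { $_ })
        $approved   = @($Baseline[$type]  | Where-Object { $_ })

        foreach ($item in $configured) {
            $finding = $null
            if ($approved -notcontains $item) { $finding = 'NotInBaseline' }
            # A drive root or a bare wildcard hides far more than Exchange needs.
            if ($item -match '^[A-Za-z]:\\?$' -or $item -match '^\*+$') { $finding = 'TooBroad' }
            if ($finding) { [pscustomobject]@{ Type = $type; Value = $item; Finding = $finding } }
        }
        foreach ($item in $approved) {
            if ($configured -notcontains $item) {
                [pscustomobject]@{ Type = $type; Value = $item; Finding = 'Missing' }
            }
        }
    }
}

# Constructed sample shaped like Get-MpPreference output.
$samplePreference = [pscustomobject]@{
    ExclusionPath      = @('D:\ExchangeDatabases', 'C:\')
    ExclusionProcess   = @('EdgeTransport.exe')
    ExclusionExtension = @('.edb')
}
# Constructed baseline; replace with the exclusion list approved for your servers.
$baseline = @{
    ExclusionPath      = @('D:\ExchangeDatabases')
    ExclusionProcess   = @('EdgeTransport.exe', 'MSExchangeHMWorker.exe')
    ExclusionExtension = @('.edb', '.log')
}

# Reports C:\ as TooBroad, and MSExchangeHMWorker.exe and .log as Missing.
Compare-DefenderExclusion -Preference $samplePreference -Baseline $baseline | Format-Table -AutoSize

# On an Exchange server running Windows Defender:
# Compare-DefenderExclusion -Preference (Get-MpPreference) -Baseline $baseline
```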
