logo XD
logo Antler

email security Tag

ExchangeDefender General Security

To say that our security webinar went well is an understatement – partners actually loved it. It’s a strange and welcome departure from how my security and hacking conversations usually go (nobody ran away from me crying and screaming into their cell phone) and I cannot tell you how gratifying it felt to introduce security features and have people line up to offer them.

Frankly, it was time. The state of email (and email security) is unsustainable if we let the users and infrastructure we manage act like account security is an afterthought – that just leads to more compromised endpoints that just amplify the next attack that will be more sophisticated, harder to defend – AND – will eventually lead to increase in costs as more infrastructure is needed to protect users who want to act the same ways spammers do. We’ve put a smart lock on the door, it’s your choice whether you want to lock it.

That said – all these features are a part of the ExchangeDefender Enterprise which is designed for very large companies and government where organizational policies override any complaints and gripes end users may have with the security inconvenience. Which is exactly the opposite from the small businesses that MSPs tend to manage.

We get it. And we’re not giving up.

In the nearly two weeks that we’ve been rolling out the new security features to the MSP/SMB UI, we’ve noticed some severe pain points for our users that we’ve moved very aggressively to address and mitigate. Which is my commitment to you – we will keep on stepping up the security and we will find ways to mitigate some of the prompts, alerts, and notifications along the way if you don’t want your users to be aware of what is going on under the hood.

First up, if you’ve chosen to lock down ExchangeDefender admin panels to the restricted IP range you own, you now have the option to turn off email notices every time a login attempt is made from outside of this range.

We’re in progress of making additional changes and exceptions to the IP address restriction policy and removing it from the SPAM release process – so if your employees are mobile or working from home they will soon be able to release a legitimate message (false positive SPAM) from anywhere even with IP restrictions in place. They won’t be able to login to the control panel and make modifications or see other settings but they will be able to get to their email.

We hope this feature enhancement will reduce the amount of email notifications – you will still see them in your event logs.

Second, we have opened up our OTP/2FA infrastructure to the whole world.

Finally, the alerts on the clients dashboard. I am going to phrase this carefully as I’m not happy to announce this and will likely change it eventually: You can turn that alert off and stop users from being required to change their passwords very X days. Just set the value to 0. We will revisit this within 30 days but as a mitigation to any unwelcome support calls, yes 0 will just turn it off.

We’ve been working on the announcement and training features for quite some time now and we hope that they will make security implementation and support a problem for ExchangeDefender to handle, instead of burdening our partners with it. In an ideal world, those features would have launched first and we’d slowly trickle down ExchangeDefender Enterprise. Unfortunately, another 600+ million usernames, passwords and other PII has been leaked last week from some very popular sites and the odds that those users and passwords have the same credentials there as at ExchangeDefender are pretty good.

My point is, we are paid to protect and lock down your organizations communication and secrets, something we take extremely seriously. In order to protect all the data you trust us with, we have to lock things down. And as we do so, we will keep user experience front and center.

Thank you for trusting us with your data and thank you for your business.
Sincerely,
Vlad Mazek
CEO
ExchangeDefender

ExchangeDefender General Hosted Services PRO TIPS Security Webinars

ExchangeDefender has been SMB friendly – to a fault, but the era of terrible passwords and plain text passwords is finally over. Not a single piece of ExchangeDefender stores (or offers) user credentials in plain text anymore. We’ve made the transition exceptionally smooth as well, requiring no changes or IT intervention at all.

But we cannot encourage it enough. And over the next year you will see us introduce several features meant to help you lock down ExchangeDefender and use it to lock down your overall IT security strategy. We’re happy to introduce password age configuration that allows you to force users to reset their passwords automatically.

This setting can be accessed from the Domain Administrator > Policies > Features section of admin.exchangedefender.com

When the password is older than your preset number of days (by default, 90) the user will see an ugly red notice telling them to update their password.

If you set the password expiration to 0 days you will turn this feature off entirely but we cannot discourage it more. The feature is there to help your users avoid having their accounts compromised.

If you implement some of these stronger security features we’ve also got you when it comes to minimizing account management – users can reset their password at any time if they have their PIN on them. So even if their mail server is down, having their PIN handy will let them reset the password without additional authentication. Forgot your pin? No problem, we can email you a reset link to a known email address.

As you can tell, ExchangeDefender will go the extra step of helping your users configure a strong password. It will also keep memory of recent passwords so that they can’t just rotate it back and forth between the same two passwords they use elsewhere.

As you’ve seen with mass password resets , access to advanced access logging , known trusted devices and IP restrictions , we are adding more, and more, of our enterprise features to the ExchangeDefender Pro product.

To hear about all these new security features in more detail please check out the webinar  that covers our current security portfolio and how these features make sense.

 

ExchangeDefender Hosted Services Security Webinars

ExchangeDefender launches New Security Logs

I have some great news – ExchangeDefender security logs are now available for all users of ExchangeDefender. This move is a part of our larger security ambition for 2019 to introduce Enterprise features of ExchangeDefender across our lower MSP, SMB and retail tiers in order to improve service security.

One of the biggest things in 2019 is the end of the era for plain text passwords. People love them, MSPs rely on them, they are super convenient for everyone including… the hackers that are looking to break in. But more on that in a minute.

The single simplest way to stay on top of account security… is identifying break-in attempts. ExchangeDefender Enterprise logs every event, login, escalation (and so, when you as the enterprise administrator or organization owner choose to automatically login as the user for support purposes) attempt.

We’re happy to bring this feature in across both the service provider, domain and user login. Free of charge.

As the admin or service provider you also have the ability to search the account log for specific user or address that is causing problems. In the Enterprise version you have the ability to further lock things down based on IP, location, charset, and more. But if/when there is an issue, you can clearly see if the account has been compromised. At all other times, you can see login failures that are a good indication that there is a problem.

This feature, and a whole lot more, is coming down to the ExchangeDefender SMB land. While all these features were a premium in the past, the extent to which everything from your PC and the network devices that surround you are susceptible to compromise – we have to treat these features as what they are – essential to your security. As a matter of fact, we’ll be discussing this next Wednesday in our webinar:

When:
Noon, Wednesday, February 6th

Where:
https://attendee.gotowebinar.com/register/4562047862967330307

Hope to see you there.

Sincerely,
Vlad Mazek
CEO
ExchangeDefender

ExchangeDefender Hosted Services

 

 

Exchange 2016 Migration Process

It has been an exciting year of migrations to our new Exchange platform and now that we’re reaching the tail end (under 500 accounts/domain) we wanted to make sure everyone was up to speed about how the migration will work. While we have done everything to make it completely seamless and non-intrusive for the users (most will just continue working without even noticing anything) we still manage every single migration as if it were our own personal email. Carefully.

Here are some steps that are involved in every migration.

Step 1: Let us know that you want to migrate at least 5 days in advance

It takes a little bit of coordination for every migration project and we want to make sure we treat each migration with white gloves – if we can address issues or potential issues ahead of time and have someone present that you can dial directly, we can minimize problems. Once you know you’re ready to go, let us know at least 5 days in advance and we’ll guide you through the process. After all, you’re paying us, don’t DIY it and chance getting lost Googling for a solution to a random issue that we’ve probably encountered thousands of times.

Step 2: Pick a URL for OWA

Everything at ExchangeDefender is branded for you and each organization comes with it’s own domain for Autodiscover, owa, etc. Anything under 16 characters goes and is typically going to be https://YOUR-ORG-HERE.xd.email

Step 3: Make DNS modifications to lower domain TTL

At least 3 days in advance you’ll want to contact your ISP or domain registrar (where your domain is hosted) and “lower the domain TTL to 5 minutes” – what this means is that you want your DNS to only be cached for 5 minutes. Most DNS servers have the setting at 3 or 1 days so we need to bring this way down so that Outlook clients can switch to the new servers quickly instead of waiting for days.

Step 4: Make backups

You should be making backups all the time but a migration is a great time to do so just because everyone will be in their email aware of the migration. If you rely heavily on Public Folders you’ll have to export that data and add it to the new technology in 2016, Shared Mailboxes. There are millions of reasons to do so from productivity to better reliability and better management.

Always backup.

Step 5: Actual Migration

Best part of the migration is that after the Autodiscover change in your DNS everything is pretty much on autopilot. Email will be moved by our team on the backend to the right servers automatically. Outlook clients will automatically reconnect to the new servers and most won’t even notice any difference except for better speed and more reliability.

Step 6: Cleanup

The last step is where we look at odds and ends: random Microsoft stuff that used to work before but now it’s suddenly broken. We’ve all been here with users, we’ve all dealt with “unique business case scenarios for xyz” and so on – again, we want to make sure everyone is happy with 2016 and productive right away and that means being on top of all the issues right away.

Knock on wood, our migrations process has had enough reps and tests that it’s very fluid and predictable now. While the cutover to the new 2016 platform is pretty much instantaneous, and mail is synced up on the backend, it can take about an hour or so depending on the mailbox for all the data to move and the search index to update. But what you get with 2016 is the most stable, trouble-free, platform we’ve ever offered.

Looking forward to seeing you on 2016.

 

ExchangeDefender General Hosted Services

Exchange 2016 Built For End Users

Have you ever wanted an email system that anyone in your organization could manage, with no IT training? Something so simple even a teenager could master it? Well, you’re in luck, now you can do that with Microsoft Exchange 2016 and ExchangeDefender. We’re putting the power of all the enterprise Exchange features  into the hands of businesses to help reduce IT costs and improve office productivity.

How? We’ve made it so it’s impossible to make a mistake.

Why? Because as a service provider, we too pay a price when support is necessary for some basic and routine tasks. We’ve automated them, simplified the process flow, and given you access to provision services and answer all the questions you’ll possibly have in a jargon-free language.

For example, let’s say a new employee starts today. All you have to do is login to our portal at https://support.ownwebnow.com, click on Service Manager, Exchange 2016, Quick Actions, Mailbox.

Just 3 more clicks and some basic information typed in – and you’re done. You’ve created a mailbox.

Thing is, you’ve done far more than just creating a mailbox. You’ve added an email address to the organization and provisioned all the security templates that match your organization. You’ve enforced your corporate password policy. You’ve ordered the correct plan and assigned the right licensing for this user (it’s automatically done for you). You’ve provisioned all the required services that your organization requires be it corporate encryption, 2 factor authentication, or even compliance archiving and eDiscovery.

You’ve also become your own support person for basic settings, configurations, and guides. The entire system is on-demand, self-service, instant gratification to the max. You can get more done, by yourself, on your schedule and quickly. That is the value behind ExchangeDefender powered Exchange 2016.

Now wait till you see what we can do for the IT personnel managing 100+ user organizations! Are you ready to migrate your users to Exchange 2016? Simply click on the Early Adopters banner below, submit a ticket requesting early adoption, and we’ll get started!

ExchangeDefender Hosted Services

The time to move over to Exchange 2016 is NOW!

We previously blogged about our brand new SMB User Interface initiative around Exchange 2016 hosting – we aim to simplify the management of Microsoft Exchange so that any white collar employee can manage business email administration end to end.

But what about Exchange 2016, what is so great about it? Truthfully (and this will not make our MSP friends happy) bulk of the Exchange 2016 benefits are really centered around making our life easier as the service provider – we’ve never been able to say this about ANY Microsoft product in the two decade history: we’ve had 0 issues. You read that correctly, we’ve had absolutely no problems with Exchange 2016 so the primary benefit is the overall reliability and flexibility of the platform. It’s solid.

But if you want to sit with a client and walk them through a set of features that are new and compelling – and a good reason to upgrade to our Exchange 2016 if they are still on another provider or earlier version of Exchange – here are some talking points.

P.S. We recommend getting a demo account with our sales team and discussing how we often position these services to win business. You can talk about it till you’re blue in the face but just showing them the feature live might make them not want to live without it.

Exchange 2016 Notable Features

Expanding Archives – When an archive mailboxes reaches 50 GBs, the archive mailbox expands. Under the covers, once the mailbox reaches a size of 50 GBs, another archive mailbox is automatically created and linked together to form a chain of mailboxes that acts as one logical mailbox. As archive mailboxes are added, the content is distributed across the mailboxes to even out the load. Keep in mind that auto expanding archives still don’t auto expand your storage backend. Make sure you have adequate storage to accommodate such growth.

Calendar – Do Not Forward: This is similar to Information Rights Management (IRM) for calendar items without the IRM deployment requirements. Attendees can’t forward the invitation to other people, and only the organizer can invite additional attendees.

Calendar – Better Out of Office: Additional options when you won’t be in the office. Key options include: add an event to your calendar that shows you as Away/Out of Office, and a quick option to cancel/decline meetings that will happen while you’re away.

Calendar – Remove-CalendarEvents cmdlet: Enables administrators to cancel meetings that were organized by a user that has left the company. Previously, conference rooms or meeting attendees would have these defunct meetings permanently on their calendars.

Outlook on the Web (Formerly known as OWA)

When you use Outlook on the Web you have access to powerful collaboration tools that help to improve productivity.  As an end user, you can easily engage in document collaboration, URL and video previews in email messages, and access advanced search functions. These capabilities have been especially enhanced for the most recent web browser versions including Microsoft Edge, Google Chrome, IE 11, Safari, and Mozilla Firefox. Additionally, there is now a productivity toolbar that appears in the top of your web browser for easy access to the functions you frequently use such as calendars, reading and composing email messages, searches, accessing files and documents, and more.

Pin: This function allows you to highlight a message and pin it to your inbox so you can easily locate important messages.

Undo: The Undo function helps you recover messages that were inadvertently deleted and undo actions you accidentally executed.

Sweep: This capability allows you to easily manage messages you frequently receive by configuring the settings for the messages. You can choose to keep messages for a specified number of days, automatically delete certain messages, keep the latest messages, and more.

Emoji’s: The Emoji’s provide enhancement to expressions in your email messages.  Since contact is not face to face, you can use this function to display emotions.

Organised Archiving: Exchange 2016 allows you to easily organise old email messages into designated folders with one click of your mouse. This helps to reduce inbox clutter.

Personalisation: A series of new themes have been added to Exchange 2016 to provide a more personalized experience when working with email messages.

Outlook 2016

As mentioned earlier, Outlook 2016 offers enhanced features for collaboration in addition to a few other functions mention here.

Quick Access to Recent Files: This feature allows you to easily access recent files stored in OneDrive for Business, SharePoint

Online, and OneDrive using a convenient dropdown menu.

Improved Screen Resolution: The intuitive DPI support features provides you with enhanced screen rendering when using Outlook.

HTML Format for Appointments and Meetings: You can now use rich HTML for email messages and attachments.

TellMe: The TellMe feature prevents you from having to search the productivity ribbon for a function you want to use.

Smart Lookup: Helps you to locate information on the web related to content in an email message. This feature places the information in directly in your inbox from sources such as Wikipedia, Bing, and others.

Small Screen Support: Enhanced support for small screens allows you to automatically adjust Outlook to adapt to your device screen. A back button allows you to easily switch screens to easily work with your message list and reading window.

Enhanced Multilingual Support: Exchange 2016 offers more international characters to support messages and documents in different languages.

Better Storage: Exchange 2016 offers improved settings that allow you to specify how long you want to retain email on your device.  Outlook is designed to monitor disk space.  If your space has become reduced, it will automatically set a smaller timeframe for syncing.

More Office Themes: A new Colorful theme has been added to Outlook 2016 while maintaining the previous white and dark grey theme options.

Improved Email Performance: With Exchange 2016, the time it takes to download and display messages as well as wake after hibernation has been reduced.

Outlook for iOS and Android

Early last year, Microsoft introduced Outlook email for the iOS and Android operating systems. This move helped to expand Exchange capabilities to more devices and operating systems.

Some of the features include:

Quick File Access: This features allows you to easily separate important emails from less urgent ones by using the double tab feature.

Calendar Availability Notification: The Calendar feature allows you to easily send the times you are available to your colleagues, friends, and co-workers.

Schedule Emails: This function allows you to remove an inbox message and schedule to appear at a later time when it is more convenient.

Directory Search: The Directory Search function provides a way to quickly find people and their location.

Automatic Replies: Exchange 2016 allows you to set messages to let others know you are out of the office. An icon remains on the screen to remind you this function is activated.

ExchangeDefender Security

 

Introducing ExchangeDefender 2 Factor Authentication / One Time Password Service

ExchangeDefender Pro is proud to announce the launch of a free 2 factor authentication / one time password service that will help our users better protect their ExchangeDefender accounts. Most people use the same password everywhere and if your password is compromised anyone can login from anywhere – what 2FA/OTP service enables you to do is use your cell phone as a secondary ID check.

When you login to ExchangeDefender, the system will immediately text you a 4 digit PIN to your cell phone. This way even if someone were to guess or steal your password, they will not be able to login without having access to your cell phone as well.

As we blogged about implementing advanced password security, plain text passwords are a thing of the past and the whole universe is moving towards having that additional layer of security to make sure unauthorized changes aren’t being made.

This is why we are making ExchangeDefender 2FA/OTP free for ExchangeDefender Pro and it works at all three levels – Service Provider, Domain administrator (domain.com login) and individual end user accounts at https://admin.exchangedefender.com. Once you’ve authenticated with a PIN on the top level you will not need to re-authenticate in order to manage and support your MSP clients or the end users so by all means enable it for everyone.

We hope you enjoy this feature and start relying on it, don’t worry this is no bait and switch, we do not intend to start charging for it down the road – it’s all about improving security and keeping our clients protected. It’s just what we do!

ExchangeDefender Security

 

Dealing with Newsletter and Subscription bombs
ExchangeDefender now protects you from malicious subscriptions to newsletters and emails you never opted into through “Subscription (Newsletter) Bomb Protection” available at admin.exchangedefender.com. By enabling the feature all newsletter “CAN-SPAM” “legitimate sender” content that you don’t want in your mailbox will automatically be filtered out as SureSPAM by ExchangeDefender.

The Bomb Issue
Hackers are currently exploiting security issues in newsletter software that allows them to add your email address to a mailing list without validation. If you’ve signed up for anything recently you know that you’re generally sent a confirmation email to validate you own the email address — well, hackers have found a way to add your email to the list without that step. Repeated thousands of times, it gives hackers a way to blow up your mailbox through a broadcast storm by otherwise legitimate senders who cannot tell your email address from thousands of others on their mailing list.

The ExchangeDefender Solution
ExchangeDefender already has a built-in newsletter management software (where you can have all of your newsletters skip your inbox and be available for reading online). We can effectively quarantine all the newsletters for you and allow you to read them online without them hitting your inbox and putting you over the quota. With the Subscription Bomb protection we go an extra step and outright classify these newsletters you haven’t subscribed to as SureSPAM. You can still access them but they won’t bother you or damage your Inbox or productivity.

There are 3 options:
Enabled: Protection is turned on and any newsletter will be flagged as SureSPAM. We do not recommend this option as it will catch all newsletters, whether you’ve subscribed to them or not.
Disabled: No protection. This is the default setting at the moment for all domains.
Whitelisted: Protection from newsletters but whitelisted ones will still get through. This allows you to have the best of both worlds: protection from newsletters you didn’t subscribe to but newsletters you want and have whitelisted will still come through. On January 1, 2019 this will be the default setting.

What do I tell my clients?
ExchangeDefender can now protect you from SPAM being generated by legitimate newsletter and subscription providers – if someone steals your identity (your email address, name, etc) they can subscribe you to newsletters without your knowledge or permission. Because the sending and management of these lists is automated, hackers can get an innocent third party to send you thousands of newsletters to clog up your inbox, make you wait for your email to download, and just make your email experience miserable.

ExchangeDefender can detect newsletters and “legitimate marketing emails” with unsubscribe or newsletter control keywords and automatically filter it out from you. Messages aren’t gone, you can still access them through admin.exchangedefender.com in realtime and on demand, but your Inbox will stay clean.

ExchangeDefender Hosted Services Security

Friendly Names, Finally.

You’ve only been waiting 20 years for this feature and we’re happy to finally deliver it: ExchangeDefender will now show friendly display names and email addresses, giving you a better idea of who the email sender is.

This is a slightly technical pragraph that we encourage you to skip. Every email you receive has two From: addresses. One is a “friendly from” or “header from” address that prints the name of the sender as the user configured it inside their mail software such as Outlook or Gmail. The other is an “envelope from” or “mail from / return path from” address that is used for mailer/postmaster reasons to bounce and process messages. As an email security solution, ExchangeDefender only looks at and reports envelope addressing as the friendly from can easily be spoofed and faked and generally has no impact on the underlying SPAM filtering technology, message routing, SPF/DKIM, and a myriad of other technical reasons. Two decades ago, when ExchangeDefender was first and foremost meant to be a front line defense on the edge/perimeter before allowing traffic to get to the firewall, envelope from was what I went with.

What made sense two decades ago, which is centuries in IT terms, doesn’t make sense in 2018. Today ExchangeDefender is no longer primarily an edge security service, it is prime real estate in which end users and business employees spend a considerable amount of their time managing their mail, sending documents, sending encrypted attachments, assuring compliance, collaborating, and as such the design and the content needs to show something relevant to the user (not the IT administrator power user that is likely managing things through our powerful Domain Administrator section).

Oh, and by the way, it’s also going to show up like this in our updated SPAM Reports starting in October for our ExchangeDefender Pro subscribers:

P.S. Please tune into our new feature webinar on Wednesday, October 17th, 2018 at noon EST. Lot’s of new features are coming in ExchangeDefender as we transform the product to better serve the compliance and security needs of our clients. Register Now!

 

ExchangeDefender Security

 

ExchangeDefender Encryption Enrollment Account Reset

Encryption is hot – with daily news of hackers breaking in or compromising one system after another, taking that extra step to make sure your information is safe and secure has never been on the minds of business owners more. We may sound like a broken record when it comes to encryption but it is one of our more popular products and today we’re happy to announce another quick feature that is coming.

October 1st: You can now reset your recipients accounts (PIN+Password) in Corporate Encryption.

ExchangeDefender Corporate Encryption has an alternate [ENCRYPT] flag that can allow the users to encrypt messages on demand and require the recipient to enroll in the ExchangeDefender Corporate Encryption in order to access the message. Enrollment process is quick and simple and requires the recipient to provide their name and phone number along with a selection of a password and a 4 digit PIN. This additional security step is put in place to eliminate man in the middle attacks where a hacker may have compromised the firewall, disgruntled employee is trying to spy on inbound mail, or a variety of other threatening issues. It is the ultimate layer of protection because PIN is only known to the user.

If you support ExchangeDefender Corporate Encryption, you’re going to like this feature a lot because you’ve likely had to deal with the inevitable case of a recipient forgetting both their password and their PIN. Since we have no way to verify the users identity, we’ve always processed reset requests manually. Now, this process is automated.

Just go to admin.exchangedefender.com and login as the domain administrator.  If you subscribe to Corporate Encryption you will see it under the Configuration menu. Simply type in the recipients email address and their account at ExchangeDefender will be reset allowing them to enroll again.

As a security precaution, they will not be able to see emails sent to them prior to the enrollment period – only new messages after they have created their account. On the backend, there are additional checks in order to make sure that this is actually a user that receives email from your domain, etc, etc so we don’t open the door to a malicious ExchangeDefender client attempting to reset accounts of unknown contacts. Obviously there is far more going on in the background that we cannot disclose in a blog post but if you’re interested in the technology, we have patents pending on several of these and would be happy to discuss privately.

There you have it, October 1st. Another cool feature that will save a lot of time for our users while keeping everyone just a little bit safer. We’re adding more features all over the place so please stay tuned to our blog and our Facebook page.