Infrastructure, Recipients, Security Flashcards

Question 1

Q

What OS versions for the Domain Controller are supported by Exchange 2016?

Answer

A

• For Exchange 2016 CU1 and CU2:
– Windows Server, 2008 through 2012 R2

• For Exchange 2016 CU3 and later:
– Adds support for Windows Server 2016 DCs

Question 2

Q

What are Exchange’s requirements and recommendations for Domain Controllers?

Answer

A

Windows Server 2008 or later
64-bit recommended, but not required
At least one Global Catalog server per site that has either Exchange or Outlook clients
Read-only Domain Controllers are not supported (just ignored by Exchange)

Question 3

Q

What unique requirements and restrictions exist when Installing Exchange on a Domain Controller?

Answer

A

AD split permissions model cannot be used
DC must be a global catalog (not enough to just have a GC in the site)
All Exchange server computer accounts will become domain admins
Cannot demote or promote a DC when Exchange has been installed
Not supported for DAG members
May impact performance stability.

Question 4

Q

What is meant by Exchange “extending the AD Schema”?

When and why is this done?

Answer

A

Most of Exchange’s configuration data is stored in AD.
The AD Schema defines all the objects and attributes for AD to store data.
For AD to support Exchange, Exchange extends and modifies this schema.
It occurs when the first Exchange installation occurs in an organization. It may further be extended whenever a new CU is installed.
The cmdlet must be run from the site that contains the Schema Master for the domain.

Question 5

Q

What are the preparatory steps for Active Directory when installing Exchange?

Answer

A

1) Extend the AD schema
2) Prepare AD
3) Prepare AD Domains

Question 6

Q

What does the “Prepare Active Directory” step accomplish?

Answer

A

It creates the containers and objects in AD that make up the Exchange organization itself.

It will also prepare one domain (the root domain) of the forest.

Question 7

Q

How do you Extend the AD Schema as required before installing Exchange 2016 for the first time in an organization?

Answer

A

This can only be completed from the within the same AD site as the schema master
It will happen automatically when running Exchange setup, as long as you have the required permissions.
But if you’d like to do it manually or in separate steps, run this command before installing:

Setup.exe /PrepareSchema

Question 8

Q

How do you Prepare AD as required before installing Exchange 2016 for the first time in an organization?

Answer

A

This can only be completed from the within the same AD site as the schema master
It will happen automatically when running Exchange setup, as long as you have the required permissions.
But if you’d like to do it manually or in separate steps, run this command before installing:

Setup.exe /PrepareAD /OrganizationName:”Contoso”

Question 9

Q

How do you Prepare an AD Domain as required before installing Exchange?

And what Domains need to be prepared?

Answer

A

If the forest contains a single domain, /PrepareAD will already have prepared that domain.
You only need to prepare additional domains that will have Exchange objects in them.

For all domains:

• /PrepareAllDomains

For specific domains:

• /PrepareDomain:sub.contoso.com

Question 10

Q

What Permissions Models exist for Exchange, and what does each do?

Answer

A

• Shared Permissions Model
– Used by default
– Simplest and most common model
– Allows Exchange management roles to both create and manage security principals (e.g. users, groups) in AD

• Split Permissions Model
– Optional
– Separates the ability to create security principals from the ability to manage Exchange attributes
– Useful in large, complex organizations that require separation of administrative rights.

Question 11

Q

How is a Split Permissions model configured?

Answer

A

During the PrepareAD stage of AD preparation for an Exchange install:

Setup.exe
/PrepareAD
/ActiveDirectorySplitPermissions:True
/OrganizationName:”Contoso”

Question 12

Q

What is a Resource Forest?

Answer

A

An Active Directory Forest can only have one Exchange organization.

However, multiple Active Directory Forests can be configured to trust each other, and access each other’s resources.

A Resource Forest is a dedicated forest where Exchange is hosted, separate to the forests that contain user accounts.

Question 13

Q

What are the advantages of a Resource Forest?

Answer

A

Separation of security boundaries

* Flexibility for mergers and divestitures

Question 14

Q

What is a Throttling Policy?

Answer

A

Throttling Policies prevent a user from consuming excessive Exchange server resources.
E.g. Max number of concurrent connections a user may have with a particular client access protocol; max amount of CPU time a user’s requests can consume.
A default throttling policy is created by Exchange setup and applied to all mailboxes.
Custom policies can be created and assigned to mailboxes using PowerShell.

Question 15

Q

Using Exchange Shell, how do you customize the Throttling Policy for a specific mailbox?

Answer

A

New-ThrottlingPolicy
-Name
MyLittlePolicy
[set your parameters]

Set-Mailbox
john.smith
-ThrottlingPolicy
MyLittlePolicy

Question 16

Q

What is the definition of a “recipient”?

Answer

A

Any mail-enabled object in AD that can have email delivered or routed to it by Exchange.

Question 17

Q

What are examples of common recipient types?

Answer

A

User mailbox (AD user accounts that have been enabled with a mailbox hosted on an Exchange mailbox database)
Mail contact (Contact objects in AD that have been enabled for email)
Distribution group
Mail-enabled security group
Shared mailbox
Room mailbox
Equipment mailbox
Mail-enabled Public Folder

Question 18

Q

What is the difference between a “mail contact” and a contact with an e-mail address?

Answer

A

A contact object in AD can have an e-mail address, but not be enabled for email. This is because the email address can be used for other purposes, such as simply being part of the postal address.
A Mail Contact is a Contact Object that has been enabled as a recipient for email.

Question 19

Q

What is a Shared Mailbox?

Answer

A

Mailboxes that are usually configured to allow access by multiple users who need to read and respond to messages.

They are associated with AD user objects, but those objects are left disabled and their passwords are managed by Exchange.

Question 20

Q

What is a Room Mailbox?

Answer

A

They represent bookable meeting room resources, allowing users to book a room when they need to hold a meeting.

Question 21

Q

What is an Equipment Mailbox?

Answer

A

Similar to a Room mailbox, but allows user to book the use of shared resources such as a shared vehicle, laptop, etc.

Question 22

Q

What is a Dynamic Distribution Group, and how does it work?

Answer

A

A distribution group that does not contain a static list of members, but is instead based on a query that is assessed each time an email is sent to the group.
The query is based on recipient attributes.
For example, it could be configured for users who have “Sales” for their Department attribute.

Question 23

Q

What is a Linked Mailbox?

Answer

A

A mailbox in an Exchange organization that is associated with a user account in a separate forest.

(Used in Multi-forest / Resource forest setups)

Question 24

Q

What is a Linked User?

Answer

A

A user in a forest that is associated with a mailbox in a separate forest.

(Used in Multi-forest / Resource forest setups)

Question 25

Q

What is a Mail forest contact?

Answer

A

A contact in one forest that represents a recipient in another forest.

They are created and managed by a synchronization product such as Microsoft Identity Integration Server, or a third-party synchronization tool.

Question 26

Q

What is a Microsoft Exchange Recipient?

Answer

A

They are system objects that are created and managed by Exchange.

They are responsible for tasks such as sending non-delivery reports.

They don’t require any configuration or management.

Question 27

Q

How do you create a new mailbox for an existing user, using Powershell?

Answer

A

Enable-Mailbox

john.smith@contoso.com

Question 28

Q

What is a Mail User?

Answer

A

A User account in the internal AD that has an externally hosted mailbox, such as gmail.

Question 29

Q

Where do you go in EAC to create a Mail User?

Answer

A

Recipients >
Contacts >
Add >
Mail User

Question 30

Q

What is the difference between a Mail User and a Mail Contact?

Answer

A

They are both external e-mail addresses, but a Mail User has an associated AD user account, and the Mail Contact is merely a contact object.

Question 31

Q

In the context of Exchange, what is a Distribution Group?

Answer

A

• “Distribution Group” is used generically in Exchange, and can refer to any mail-enabled group.

• Mail-enabled groups can be:
– AD universal distribution groups
– AD universal security groups

Question 32

Q

What types of groups can be mail-enabled?

Answer

A

Either an AD distribution group, or an AD security group, can be mail enabled.
But they must have a scope of “Universal.” Exchange does not work with global or domain-local groups.

Question 33

Q

What’s the difference between a distribution group and a security group?

Answer

A

A distribution group is an Active Directory group that is NOT a security principal.

In other words, you cannot use a Dist. group to assign permissions to resources.

A security group is an AD group that IS a security principal, and so can be assigned permissions.

Question 34

Q

What does granting “Full Access” permissions to a mailbox result in?

Answer

A

• The mailbox is automatically mapped in Outlook and Outlook on the Web (after perhaps a few hours)
– (This is the default behavior, but it can be disabled.)

The user has full read and write access
But the user does not automatically get Send As or Send on Behalf Of permissions; those are set separately.

Question 35

Q

What are “Mailbox Folder Permissions,” and how does it work?

Answer

A

Permissions set per specific individual folders, rather than per mailbox.
Can be configured either by the mailbox owner using Outlook, or by an admin using Exchange Shell.
It will NOT be automapped the way Full Access permissions will automap.

Question 36

Q

What are Mailbox Folder Permission Roles?

Answer

A

A set of built-in roles for Folder Permissions.

Users and admins can set specific permission settings individually, or select a role to apply a set of permissions at once.

Question 37

Q

What specific Mailbox Folder Permissions exist that can be granted?

Answer

A

There are 10:

ReadItems
CreateItems
EditOwnedItems
DeleteOwnedItems
EditAllItems
DeleteAllItems
CreateSubfolders
FolderOwner
FolderContact
FolderVisible

Question 38

Q

What Mailbox Folder Permission Roles exist?

Answer

A

None
Owner
Publishing Editor
Editor
Publishing Author
Author
NonEditingAuthor
Reviewer
Contributor
AvailabilityOnly
LimitedDetails

Question 39

Q

What specific permissions come with this Mailbox Folder Permission Role?

Author

Answer

A

CreateItems
ReadItems
FolderVisible
EditOwnedItems
DeleteOwnedItems

Question 40

Q

What specific permissions come with this Mailbox Folder Permission Role?

Publishing Author

Answer

A

Same as Author, but adds:

* CreateSubfolders

Question 41

Q

What specific permissions come with this Mailbox Folder Permission Role?

Editor

Answer

A

Same as Author, but adds:
EditAllItems
DeleteAllItems

Question 42

Q

What specific permissions come with this Mailbox Folder Permission Role?

Publishing Editor

Answer

A

Same as Editor, but adds:

* CreateSubfolders

Question 43

Q

What specific permissions come with this Mailbox Folder Permission Role?

Owner

Answer

A

Same as Publishing Editor, but adds:
FolderOwner
FolderContact

Question 44

Q

What specific permissions come with this Mailbox Folder Permission Role?

NonEditingAuthor

Answer

A

CreateItems
ReadItems
FolderVisible

Question 45

Q

What specific permissions come with this Mailbox Folder Permission Role?

Reviewer

Answer

A

ReadItems

* FolderVisible

Question 46

Q

What specific permissions come with this Mailbox Folder Permission Role?

Contributor

Answer

A

CreateItems

* FolderVisible

Question 47

Q

What specific permissions come with this Mailbox Folder Permission Role?

AvailabilityOnly

Answer

A

Applies to Calendar folders only

* View only calendar free/busy information

Question 48

Q

What specific permissions come with this Mailbox Folder Permission Role?

LimitedDetails

Answer

A

Applies to Calendar folders only

* View only calendar free/busy information with meeting subject and location

Question 49

Q

For Mailbox Folder Permissions, how does inheritance of permissions work?

Answer

A

When you apply a Folder Permissions to a folder, none of its existing subfolders will inherit the newly added permission. They will need to be set manually.
However, any NEW folders that are created subsequent to configuring the permissions WILL inherit the parent folder’s permission settings.

Question 50

Q

What happens if a user is granted both “Send As” and “Send On Behalf” permissions to another mailbox?

Answer

A

They don’t work well together. Only one should ever be granted to any one user.
Outlook doesn’t provide options when setting the “From” address, so the user will have no choice over whether “Send As” or “Send On Behalf” is used.
Often, the send attempt will simply be rejected.

Question 51

Q

What is a Resource Mailbox?

Answer

A

Like regular user mailboxes, except it has additional attributes for managing automated calendar processing.
They are associated with a user account in AD, which is left disabled.

• There are two kinds:
– Room Mailboxes, used for fixed locations
– Equipment mailboxes, used for non-fixed location items (e.g. laptops, cars)

Question 52

Q

What Calendar Processing features are available for Resource Mailboxes?

Answer

A

• Automatic processing of meeting requests
– Configurable, can be policy based
– Can be set to require manual approval

• Enables a “self service” model for users to book rooms and equipment

Question 53

Q

How do you convert a regular user mailbox to a Resource Mailbox?

Answer

A

Set-Mailbox
“Name of Mailbox”
-Type
Room

or,

-Type
Equipment

Question 54

Q

What is a Room List?

Answer

A

Just a distribution group that has an extra flag specifying it is a Room List.
Room Mailbox accounts are added into the group.
When users create a new appointment in Outlook, they will have a Room List drop-down option, and it will show what rooms are available out of the rooms on the list.

Question 55

Q

What are the Default Calendar Processing Restrictions that are applied to a new Resource Mailbox?

Answer

A

Conflicting bookings are not allowed
Bookings can be made up to 180 days in the future
Meeting instances can last no longer than 24 hours
Recurring meetings are allowed
Bookings are allowed at any time of day
External senders can’t book resources
All Bookings that are within policy are automatically accepted and booked

Question 56

Q

In automated Calendar Processing settings, what is the difference between these two policy settings?

AllBookInPolicy

AllRequestInPolicy

Answer

A

When each is set to True:

AllBookInPolicy means any booking attempt that is within policy will automatically be processed and booked.

AllRequestInPolicy means any booking attempt that is within policy will automatically be sent to specified ResourceDelegates for approval or rejection.

Question 57

Q

What are Public Folders?

Answer

A

Used for team collaboration
Used to store mail, contact, calendar, note, or task items
Can be mail-enabled to receive mail
Stored in public folder mailboxes
Only accessible using Outlook or Outlook on the web (Need to be in “Folder” view)

Question 58

Q

What steps are involved in creating a Public Folder?

Answer

A

1) Create the Public Folder Mailbox to store the Public Folder Hierarchy
2) Create another Public Folder Mailbox to store the Public Folders and Public Folder contents
3) Create a Public Folder
4) Configure Folder Permissions as needed.

Question 59

Q

What is RBAC?

Answer

A

Role Based Access Control

The permissions model for Exchange (since Exchange 2010)
Provides granular control of permissions for administrative tasks
Allows us to apply a least privilege approach to administrative rights

Question 60

Q

What are the components / configuration elements that make up RBAC in Exchange?

Answer

A

Management role groups (“who”)
Management roles (“what”)
Management scopes (“where”)
Management role assignments

Question 61

Q

What are Management Role Groups?

Answer

A

Universal Security Groups in AD
They are assigned one or more Management Roles
Exchange Setup creates 12 pre-defined management role groups, in an OU called “Microsoft Exchange Security Groups”
Custom management role groups can also be created for specific requirements

Question 62

Q

What are Management Roles?

Answer

A

Collections of role entries
Typically assigned to Management Role Groups, though they can also be assigned directly to users
When assigned, they grant the group or user permission to perform the tasks defined in the role entries

Question 63

Q

What is a Management Role Entry?

Answer

A

A role entry defines a specific task or capability that administrators can perform
For example, role entries can define cmdlets or scripts that a role can run
They can even include and limit specific parameters for those cmdlets and scripts

Question 64

Q

What is a Management Scope?

Answer

A

Defines where a role group’s members will be able to perform their assigned roles.
The scope can be, or example, an OU, a server, a database, or recipient filter
The Pre-defined roles have a scope that includes all applicable objects, e.g. all Mail Contacts
You can define custom scopes when creating custom role assignments

Answer 65

A

They all have a scope that includes all applicable objects across the entire organization.
That is, none of them have a scope that is restrictive.

Answer 66

A

Connects management roles with users or role groups
Each pre-defined role group has a set of existing role assignments from the pre-defined roles Exchange creates
Custom role assignments can be created for either existing roles or custom roles
Custom role assignments can inherit the default scope for the role, or define a custom management scope

Answer 67

A

Assigned to mailboxes.
Each mailbox can only be assigned a single role assignment policy.
Defines what the user can manage for their own mailbox or distribution groups.
A default management role assignment policy exists in each Exchange organization.
Custom management role assignment policies can be created.

Answer 68

A

Allows user to view and modify their own:

Contact information, such as address and mobile phone number
Membership in distribution groups (provided those groups are “open”)
Custom Apps
Marketplace Apps

Answer 69

A

Role holders have access to the entire Exchange Server 2016 organization and can perform almost any task against any Exchange Server object.

(Includes managing role groups and their members.)

Answer 70

A

Role holders can only view the properties of any object in the organization.

Answer 71

A

Role holders have access to create, modify, or delete Exchange Server 2016 recipients within the Exchange Server organization, such as:

Mailboxes
Distribution Groups
Contacts

Answer 72

A

Role holders can manage the Unified Messaging (UM) features within the organization, such as UM server configuration, properties on mailboxes, prompts, and auto-attendant configuration.

Answer 73

A

Role holders can perform searches of mailboxes in the Exchange Server organization for data that meets specific criteria.

This role group is assigned these roles:
• Mailbox Search role
• Legal Hold role

Together, these allow eDiscovery queries to be performed, and InPlace holds created for those queries.

Answer 74

A

Role holders can configure compliance features, such as:

retention policy tags
message records management
message classifications
mailbox audit logging
journaling
transport rules

Answer 75

A

Role holders have access to Exchange Server configuration. They do not have access to administer recipient configuration.

Answer 76

A

Role holders can perform limited recipient management.

Answer 77

A

Role holders can manage public folders and databases on Exchange servers.

Answer 78

A

Role holders can deploy previously provisioned Exchange servers.

Answer 79

A

Role holders can configure and manage compliance settings, such as:

Data Loss Prevention (DLP) policies
Information Rights Management (IRM) configuration
Messaging Records Management (MRM)

Answer 80

A

Role holders have access to three groups of cmdlets:

Receive Connectors (create, modify, and delete)
Transport Hygiene (can manage anti-spam features and grant permissions for antivirus products to integrate with Exchange Server)
Transport Rules

Answer 81

A

Perform eDiscovery queries / searches.

Answer 82

A

Create a Litigation Hold (also known as an InPlace Hold without a query)

(If you also have the Mailbox Search role, then this role allows you to create a query-based InPlace Hold.)

Answer 83

A

Requires TPM chip (if needs for FIPS compliance, must be TPM 2.0.)
Encrypted volumes can automatically unlock using recovery info stored in AD

Answer 84

A

No TPM chip available
Therefore, if OS volume is encryped, recovery key must be entered manually at startup
If OS volume is not encrypted, system can boot but data volumes must be manually unlocked. (May be automated using a scheduled task).

Answer 85

A

For Exchange 2016 CU1 and earlier:

• The AutoReseed disk reclaimer IS NOT BitLocker-aware. So you need to either:

– Disable the disk reclaimer, and then manually format and encrypt spare disks in the DAG members, or:

– Leave disk reclaimer enabled, and after an AutoReseed event, manually encrypt the new volume

For Exchange 2016 CU2 and later:

The AutoReseed disk reclaimer IS BitLocker-aware.
Simply set the AutoDagBitLockerEnabled property of the DAG to $true
The Disk Reclaimer will then automatically encrypt the spare disks in an AutoReseed event.

Answer 86

A

Secure/Multipurpose Internet Mail Extensions

* A protocol for sending digitally signed and encrypted email messages

Answer 87

A

Sender uses a private key to add a digital signature to an email message.
That signature is based on the contents of the message itself
When the recipient receives the message, they receive the sender’s public key, to perform verification of the digital signature

Answer 88

A

Verifies that the sender is who they claim to be
Verifies that the message has not been changed since it was sent
Sender can’t claim they did not send it (non-repudiation)
Does NOT provide privacy or prevent message from being read by others (i.e., no encryption)

Answer 89

A

The sender retrieves the recipient’s public key, and uses it to encrypt the message that is being sent
When the recipient receives the message, they use their own private key to decrypt it

Answer 90

A

The message can only be decrypted and read by the recipient
Provides privacy of the message (although not for the metadata)
Verifies that message has not been changed since it was sent
Does NOT verify that the sender is who they claim to be
Does not provide non-repudiation

Answer 91

A

PKI infrastructure or 3rd-party certificate authority
Certificates must be issued to users who require S/MIME capabilities
Doesn’t work with all mail clients, servers, webmail systems, and mobile devices

Answer 92

A

1) Deploy PKI using AD Certificate Services
2) Create a user certificate template that is enabled for auto-enrollment
3) Create a Group Policy for certificate auto-enrollment
4) Deploy the S/MIME extension for OWA users (if needed)
5) Perform user training

Answer 93

A

When composing a new message in Outlook, on the Ribbon > Options tab, there is a button for Encrypt and for Sign.

If they do not appear there, they are also in the More Options > Security Settings.

When an encrypted message is received, it shows a padlock icon in Outlook. It decrypts automatically and seamlessly for the recipient.

When a signed message is received, it shows a certification ribbon icon.

Answer 94

A

Only Peach will be able to open it.

Toad will see the message arrive, with its sender and subject information, but will not be able to read the contents. Even though he has Full Access, he does not have Peach’s private key and will not be able to decrypt the message.

Answer 95

A

Information Rights Management

* A means of enforcing usage rights on digital content such as email messages and office documents.

Answer 96

A

Policy-based enforcement of protection and usage rights
The protection stays with the file itself, so it remains in place even if the file is taken offline or outside of the network.
It is not a built-in capability of Exchange. It requires AD RMS or Azure RMS to provide the rights management functionality.

Answer 97

A

Full Control
View
Edit
Save
Export
Print
Forward
Reply
Reply All
Extract
Allow Macros
View Rights
Edit Rights

Answer 98

A

It is not bullet-proof against deliberate attacks.

For example, it can prevent a user from printing a protected document, but it doesn’t stop them from taking a photograph of their screen.

Answer 99

A

Only on-prem servers

* Exchange, SharePoint, and file servers

Answer 100

A

Requires installation of highly available, on-prem servers

* Complex to configure for external sharing of protected content. It’s usually only used for internal-only content.

Answer 101

A

Azure RMS has these additional features over AD RMS:

Does not require on-prem servers (but does support them if you install a connector)
Supports Office 365 services
External sharing works by default (instead of requiring a complex configuration)
Includes two default policy templates (AD RMS includes none).
Supports mobile and Mac clients.
Allows document tracking or revocation.

Answer 102

A

Through Transport Rules

* Through Outlook Protection Rules

Answer 103

A

Apply rights management to content before email is sent.

* Only applies to messages sent from an Outlook client.

Answer 104

A

Only configurable through PowerShell, not EAC
New-OutlookProtectionRule
New rules and changes can take 24 hours for clients to receive, because clients poll Exchange Web Services only every 24 hours

Answer 105

A

If using Transport Rules instead of Outlook Protection Rules:

The sender isn’t aware / notified that rights management is applied to the message
The copy of the content in the sender’s Sent Items remains unprotected
There is no option to allow sender’s to override the protection when that is desired

Answer 106

A

You have a much more limited set of conditions for building the rules
Only applies to messages sent from an Outlook client.

Brainscape's Knowledge GenomeTM

Infrastructure, Recipients, Security Flashcards

Brainscape's Knowledge Genome^TM