26 November 2013

Tightening Exchange Server 2010 security

Here's a quick checklist to tighten the security of Exchange server 2010.
The full article can be found here:

Don’t overlook these Exchange security vulnerabilities

Gaps in the patching process
Weak passwords
Leaving private data in public folders
Outlook Web Access and Outlook Web App
SMTP and POP3 access
Shared Exchange administrator accounts

Defending Exchange Server 2010 with native security tools

Transport security in Exchange 2010
Protecting Exchange 2010 users from spoofing
Exchange Server 2010 and Active Directory integration
Role Based Access Control (RBAC) in Exchange 2010
Client access server vulnerabilities
Protecting Exchange Server 2010 with ForeFront

Exchange Server 2010 post-deployment security checklist


All about Forefront Protection 2010 for Exchange


Custom email filtering with Forefront Protection 2010 for Exchange


Exchange wildcard certificates: Do the benefits outweigh the risks?


Responding to Outlook Web App 2010 security concerns

Addressing Outlook Web App 2010 security concernsPublic access security in OWA 2010

Information Rights Management protection in Exchange 2010 SP1
Outlook Web App and IRM aggravations

Discussing Exchange Server security risks and vulnerabilities

Authenticating to Exchange 2010 via NTLM: Smart move or security risk?





20 November 2013

Microsoft recommended Exchange 2010 settings but often forgotten

Set DAG network compression to enabled.


DAG network encryption

DAGs support the use of encryption by leveraging the encryption capabilities of the Windows Server operating system. DAGs use Kerberos authentication between Exchange servers. Microsoft Kerberos security support provider (SSP) EncryptMessage and DecryptMessage APIs handle encryption of DAG network traffic. Microsoft Kerberos SSP supports multiple encryption algorithms. (For the complete list, see section 3.1.5.2, "Encryption Types" of Kerberos Protocol Extensions). The Kerberos authentication handshake selects the strongest encryption protocol supported in the list: typically Advanced Encryption Standard (AES) 256-bit, potentially with a SHA Hash-based Message Authentication Code (HMAC) to maintain integrity of the data. For details, see HMAC.
Network encryption is a property of the DAG and not a DAG network. You can configure DAG network encryption using the Set-DatabaseAvailabilityGroup cmdlet in the Shell. The possible encryption settings for DAG network communications are shown in the following table.

DAG network communication encryption settings

Setting Description
DisabledNetwork encryption isn't used.
EnabledNetwork encryption is used on all DAG networks for replication and seeding.
InterSubnetOnlyNetwork encryption is used on DAG networks when replicating across different subnets. This is the default setting.
SeedOnlyNetwork encryption is used on all DAG networks for seeding only.
 

Set-DatabaseAvailabilityGroup -identity (DAGName) -NetworkEncryption enabled

Set DAG network encryption to enabled.


DAG network compression
DAGs support built-in compression. When compression is enabled, DAG network communication uses XPRESS, which is the Microsoft implementation of the LZ77 algorithm. For details, see An Explanation of the Deflate Algorithm and section 3.1.4.11.1.2.1 "LZ77 Compression Algorithm" of Wire Format Protocol Specification. This is the same type of compression used in many Microsoft protocols, in particular, MAPI RPC compression between Microsoft Outlook and Exchange.
As with network encryption, network compression is also a property of the DAG and not a DAG network. You configure DAG network compression by using the Set-DatabaseAvailabilityGroup cmdlet in the Shell. The possible compression settings for DAG network communications are shown in the following table.

DAG network communication compression settings

Setting Description
DisabledNetwork compression isn't used.
EnabledNetwork compression is used on all DAG networks for replication and seeding.
InterSubnetOnlyNetwork compression is used on DAG networks when replicating across different subnets. This is the default setting.
SeedOnlyNetwork compression is used on all DAG networks for seeding only.
Return to top

Set-DatabaseAvailabilityGroup -identity (DAGName)-NetworkCompression enabled

Configure Calendar Repair Assistant Settings.


The Calendar Repair Assistant (CRA) is a configurable mailbox assistant that runs within the Microsoft Exchange Mailbox Assistants service on Microsoft Exchange Server 2010 Mailbox servers. The CRA detects and corrects inconsistencies that occur in single and recurring calendar items for mailboxes that are homed on the Mailbox server that is running the CRA. The purpose of this process is to make sure that recipients won't miss meetings or have unreliable meeting information.
In Exchange 2010 Service Pack 1 (SP1), the CRA was changed from a time-based assistant to a throttle-based assistant.
By default, the CRA is not set to run automatically. To configure the CRA to run and repair calendar inconsistencies, use the set-mailboxserver cmdlet in the Exchange Management Shell to set the work cycle and work cycle checkpoint. The Exchange Management Console cannot be used to configure calendar repair log settings.
You must use the following Set-MailboxServer cmdlet parameters to configure the CRA settings:
  • CalendarRepairIntervalEndWindow   This parameter specifies the number of days into the future to repair calendars. For example, if this parameter is set to 90, the CRA repairs calendars on the Mailbox server 90 days from the date it was set. The default value is 30 days.
  • CalendarRepairMissingItemFixDisabled   This parameter specifies that the CRA won't fix missing attendee calendar items for mailboxes homed on this Mailbox server. If an attendee is missing a calendar item, the item will be re-created. The default value is $false.
  • CalendarRepairWorkCycle and CalendarRepairWorkCycleCheckpoint   These parameters work together. The CalendarRepairWorkCycle parameter specifies the time span in which all mailboxes on the specified server will be scanned by the CRA. For example, if you specify seven days for this parameter, the CRA will process all mailboxes on this server every seven days. Calendars that have inconsistencies will be flagged and repaired according to the interval specified by the CalendarRepairWorkCycleCheckpoint parameter. For example, if you specify one day for this parameter, the CRA will query every day for new mailboxes that require processing.
Get current settings:

Get-MailboxServer -Identity (mailboxserver) | fl name,calendar*

Set to enabled:

Set-Mailboxserver -Identity (mailboxserver) -CalendarRepairMissingItemFixDisabled $false

Set the CRA to check all mailboxes on the server MAILBOXSERVER every seven days and to process all calendars that require repairs every day in that seven day cycle.

Set-MailboxServer -Identity (mailboxserver) -CalendarRepairWorkCycle 7.00:00:00 -CalendarRepairWorkCycleCheckpoint 1.00:00:00

Set the number of days into the future that the CRA validates calendars to 90 days on Mailbox server MBX02.

Set-MailboxServer -Identity MBX02 -CalendarRepairIntervalEndWindow 90

Offline address book is not associated with a particular mailbox store


The Microsoft® Exchange Best Practices Analyzer Tool queries the Active Directory® directory service to determine whether the msExchUseOAB attribute in the msExchPrivateMDB class has been configured to use a specific offline address book for a particular mailbox store on a database. The msExchPrivateMDB class determines the configuration on a private database. The value of the msExchUseOAB attribute determines the specific offline address book that a particular mailbox store uses, and is the distinguished name of the offline address list that the users will download. If the Exchange Server Analyzer finds that the value for the offline address book for the mailbox store on the database is missing, the Analyzer tool displays an error message.
In Exchange 2000 Server and later versions, an offline address list is associated with all the users who are contained in an information store. Microsoft® Office Outlook® 2003 and later versions use the offline address book to provide offline access to directory information from the global address list (GAL) and from other address lists. A missing value for the msExchUseOAB attribute causes offline address book errors for users in this information store. To view the current value for this attribute, use the following procedure.
To view the msExchUseOAB attribute in Active Directory
  1. Start the ADSI Edit tool. To do this, click Start, click Run, type adsiedit.msc, and then click OK. For more information about how to install or use ADSI Edit, see ADSI Edit (adsiedit.msc).
  2. Under the Configuration object, expand the following path:
    • CN=Configuration,DC=contoso,DC=com
    • CN=Services
    • CN=Microsoft Exchange
    • CN=<OrganizationName> (for example, First Organization)
    • CN=Administrative Groups
    • CN=Exchange Administrative Group
    • CN=Servers
    • CN=<ServerName>
    • CN=InformationStore
    • CN=<StorageGroupName> (for example, First Storage Group)
  3. In the details pane, right-click CN=Mailbox Database, and then click Properties.
    Note   Notice that msExchPrivateMDB appears in the Class column for this object.
  4. On the Attribute Editor tab, click msExchUseOAB, and then click Edit.
  5. Note the value that appears in the Value box. For example:
    • <not set> (when the value is not set)
    • CN=Default Offline Address Book,CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com (when the value is set to the default offline address book)

To resolve this issue, associate the offline address book with a mailbox store by using the procedures below.
To associate the Offline Address Book with a particular mailbox store in Exchange 2007 or in Exchange Server 2010
  1. Start the Exchange Management Console.
  2. Expand Server Configuration, and then click Mailbox.
  3. In the details pane, click the Database Management tab.
  4. Under the appropriate storage group (for example, First Storage Group), right-click Mailbox Database, and then click Properties.
  5. Click the Client Settings tab, and then click Browse next to Offline address book.
  6. Click the appropriate offline address book, and then click OK two times.

DAG not in DAC mode.


Datacenter Activation Coordination Mode

Datacenter Activation Coordination (DAC) mode is a property setting for a database availability group (DAG). DAC mode is disabled by default and should be enabled for all DAGs with two or more members that use continuous replication. DAC mode shouldn't be enabled for DAGs in third-party replication mode unless specified by the third-party vendor.
If a catastrophic failure occurs that affects the DAG (for example, a complete failure of one of the datacenters), DAC mode is used to control the startup database mount behavior of a DAG. When DAC mode isn't enabled and a failure occurs that affects multiple servers in the DAG, and then when a majority of the DAG members are restored after the failure, the DAG will restart and attempt to mount databases. In a multi-datacenter configuration, this behavior could cause split brain syndrome, a condition that occurs when all networks fail, and DAG members can't receive heartbeat signals from each other. Split brain syndrome can also occur when network connectivity is severed between datacenters. Split brain syndrome is prevented by always requiring a majority of the DAG members (and in the case of DAGs with an even number of members, the DAG's witness server) to be available and interacting for the DAG to be operational. When a majority of the members are communicating, the DAG is said to have quorum.
For example, consider a scenario where the first datacenter contains two DAG members and the witness server, and the second datacenter contains two other DAG members. If the first datacenter loses power and you activate the DAG in the second datacenter (for example, by activating the alternate witness server in the second datacenter), if the first datacenter is restored without network connectivity to the second datacenter, the active databases within the DAG may enter a split brain condition.
 
How DAC mode works

DAC mode is designed to prevent split brain from occurring by including a protocol called Datacenter Activation Coordination Protocol (DACP). After a catastrophic failure, when the DAG recovers, it won't automatically mount databases even though the DAG has a quorum. Instead DACP is used to determine the current state of the DAG and whether Active Manager should attempt to mount the databases.
You might think of DAC mode as an application level of quorum for mounting databases. To understand the purpose of DACP and how it works, it's important to understand the primary scenario it's intended to handle. Consider the two-datacenter scenario. Suppose there is a complete power failure in the primary datacenter. In this event, all of the servers and the WAN are down, so the organization makes the decision to activate the standby datacenter. In almost all such recovery scenarios, when power is restored to the primary datacenter, WAN connectivity is typically not immediately restored. This means that the DAG members in the primary datacenter will power up, but they won’t be able to communicate with the DAG members in the activated standby datacenter. The primary datacenter should always contain the majority of the DAG quorum voters, which means that when power is restored, even in the absence of WAN connectivity to the DAG members in the standby datacenter, the DAG members in the primary datacenter have a majority and therefore have quorum. This is a problem because with quorum, these servers may be able to mount their databases, which in turn would cause divergence from the actual active databases that are now mounted in the activated standby datacenter.
DACP was created to address this issue. Active Manager stores a bit in memory (either a 0 or a 1) that tells the DAG whether it's allowed to mount local databases that are assigned as active on the server. When a DAG is running in DAC mode, each time Active Manager starts up the bit is set to 0, meaning it isn't allowed to mount databases. Because it's in DAC mode, the server must try to communicate with all other members of the DAG that it knows to get another DAG member to give it an answer as to whether it can mount local databases that are assigned as active to it. The answer comes in the form of the bit setting for other Active Managers in the DAG. If another server responds that its bit is set to 1, it means servers are allowed to mount databases, so the server starting up sets its bit to 1 and mounts its databases.
But when you recover from a primary datacenter power outage where the servers are recovered but WAN connectivity has not been restored, all of the DAG members in the primary datacenter will have a DACP bit value of 0; and therefore none of the servers starting back up in the recovered primary datacenter will mount databases, because none of them can communicate with a DAG member that has a DACP bit value of 1.
 
DAC mode for DAGs with two members

DAGs with two members have inherent limitations that prevent the DACP bit alone from fully protecting against application-level split brain syndrome. For DAGs with only two members, DAC mode also uses the boot time of the DAG's alternate witness server to determine whether it can mount databases on startup. The boot time of the alternate witness server is compared to the time when the DACP bit was set to 1.
  • If the time the DACP bit was set is earlier than the boot time of the alternate witness server, the system assumes that the DAG member and witness server were rebooted at the same time (perhaps because of power loss in the primary datacenter), and the DAG member isn't permitted to mount databases.
  • If the time that the DACP bit was set is more recent than the boot time of the alternate witness server, the system assumes that the DAG member was rebooted for some other reason (perhaps a scheduled outage in which maintenance was performed or perhaps a system crash or power loss isolated to the DAG member), and the DAG member is permitted to mount databases.
importantImportant:
Because the alternate witness server's boot time is used to determine whether a DAG member can mount its active databases on startup, you should never restart the alternate witness server and the sole DAG member at the same time. Doing so may leave the DAG member in a state where it can't mount databases on startup. If this happens, you must run the Restore-DatabaseAvailabilityGroup cmdlet on the DAG. This resets the DACP bit and permits the DAG member to mount databases.
 
Other benefits of DAC mode
 
In addition to preventing split brain syndrome at the application level, DAC mode also enables the use of the built-in site resilience cmdlets used to perform datacenter switchovers. These include the following:
  • Stop-DatabaseAvailabilityGroup
  • Restore-DatabaseAvailabilityGroup
  • Start-DatabaseAvailabilityGroup
Performing a datacenter switchover for DAGs that aren't in DAC mode involves using a combination of Exchange tools and cluster management tools.
 
Enabling DAC mode
 
DAC mode can be enabled only by using the Exchange Management Shell. Specifically, you can use the Set-DatabaseAvailabilityGroup cmdlet to enable and disable DAC mode, as illustrated in the following example.
Set-DatabaseAvailabilityGroup -Identity DAG2 -DatacenterActivationMode DagOnly
 
In the preceding example, the DAG DAG2 is enabled for DAC mode.
 

Configure Shadow Redundancy

 
Shadow redundancy in Microsoft Exchange Server 2010 provides a high availability mechanism for messages for the entire time that the messages are in transit. To learn more about shadow redundancy, see Understanding Shadow Redundancy. You can use the Exchange Management Shell to configure shadow redundancy in your organization.
 
Set-TransportConfig -ShadowRedundancyEnabled $true
Set-TransportConfig -ShadowHeartbeatTimeoutInterval 00:30:00

Set-TransportConfig -ShadowMessageAutoDiscardInterval 04:00:00
Set-ReceiveConnector "Custom App Receive Connector" -MaxAcknowledgementDelay 0


Enable Shadow Redundancy Promotion
To complete this procedure, you must have local administrator permissions on the Hub Transport server.
  1. Edit the Edgetransport.exe.config file. By default, this file is located in the C:\Program Files\Microsoft\Exchange Server\V14\Bin directory.
  2. In the Edgetransport.exe.config file, change the shadowredundancypromotionenabled key to true, and then save the changes.
  3. Restart the Microsoft Exchange Transport service (MSExchangeTransport.exe).
 


18 November 2013

Windows 2008 Scheduled tasks result codes

To trouble shoot your scripts started by the task scheduler, and trying to figure out why it doesn't work:

  • 0 or 0x0: The operation completed successfully.
  • 1 or 0x1: Incorrect function called or unknown function called.
  • 2 or 0x2: File not found.
  • 10 or 0xa: The environment is incorrect.
  • 0x41300: Task is ready to run at its next scheduled time.
  • 0x41301: Task is currently running.
  • 0x41302: Task is disabled.
  • 0x41303: Task has not yet run.
  • 0x41304: There are no more runs scheduled for this task.
  • 0x41306: Task is terminated.
  • 0x8004130F: Credentials became corrupted HOTFIX available
  • 0x8004131F: An instance of this task is already running.
  • 0x800704DD: The service is not available (is 'Run only when an user is logged on' checked?)
  • 0xC000013A: The application terminated as a result of a CTRL+C.
  • 0xC06D007E: Unknown software exception.
  • 12 November 2013

    Check OWA page with login and report when fails

    After the millionth time the helpdesk come complaining that OWA wasn't working, I made this script that checks the status of the OWA webpage by logging in and reporting back if the login attempt fails.

    The script:

    A few things are necessary;
    login.txt:      the user that logs in to OWA needs to have a mailbox and the password file needs to be generated every time the password is renewed.


    # Check if Outlook Webapp is online
    #
    # Use the 3 lines below to generate an encrypted password file for the user that will be logging into the site for this script
    # $MyPswd = "password"
    # ConvertTo-SecureString $MyPswd -AsPlainText -Force | `
    # ConvertFrom-SecureString | Out-File -FilePath "D:\Scripts\Login.txt"


    $username = "domain\username"  # user needs a mailbox
    $password = Get-Content "D:\Scripts\Login.txt" | ConvertTo-SecureString
    $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password
    $logfile = "D:\Scripts\WebPageLoginResult.txt"

    if (Test-Path($logfile))
     {
      remove-item $logfile
     }

    Test-OWAConnectivity -url https://webmail.domain.com/owa -MailboxCredential:(Get-credential $cred) | fl url,scenario,result | out-file $logfile
    Test-OWAConnectivity -url https://webmail.domain.lan/owa -trustanysslcertificate -MailboxCredential:(Get-credential $cred) | fl url,scenario,result | out-file -append $logfile
      
    $Body = Get-Content $logfile

    Get-Content $logfile | where {$_ -match "skipped"} | foreach {Send-MailMessage -SmtpServer smtp.domain.lan -From OWA_Check@domain.com -To username@domain.com,username2@domain.com -Subject "Webmail is not working" -Body ( $Body | out-string )}
    Get-Content $logfile | where {$_ -match "failed"} | foreach {Send-MailMessage -SmtpServer smtp.domain.lan -From OWA_Check@domain.com -To username@domain.com,username2@domain.com -Subject "Webmail is not working" -Body ( $Body | out-string )}

    11 November 2013

    Remove activesync devices not synced for 60 days or more

    For Exchange 2010:


    Get all devices not synced for 60days or more:

    $DevicesToRemove = Get-ActiveSyncDevice -result unlimited | Get-ActiveSyncDeviceStatistics | where {$_.LastSuccessSync -le (Get-Date).AddDays("-60")}

    Delete active sync devices from variable:

    $DevicesToRemove | foreach-object {Remove-ActiveSyncDevice ([string]$_.Guid) -confirm:$false}

    Remove Active sync device for specific user:

    Get-ActiveSyncDevice -Mailbox "domain\username" | Remove-ActiveSyncDevice -Confirm:$true 


    And for Exchange 2013:


    Get all devices not synced for 60days or more:

    $DevicesToRemove = Get-MobileDevice -result unlimited | Get-MobileDeviceStatistics | where {$_.LastSuccessSync -le (Get-Date).AddDays("-60")}

    Delete active sync devices from variable:

    $DevicesToRemove | foreach-object {Remove-MobileDevice ([string]$_.Guid) -confirm:$false} 

    Remove Active sync device for specific user:

    Get-Mobile -Mailbox "domain\username" | Remove-MobileDevice -Confirm:$true

    06 November 2013

    Outlook web access opens in "Light mode" by default on Windows 8.1

    If you upgraded to Windows 8.1 and tried to access Outlook Web App with the new Internet Explorer 11, you probably noticed that the “Use the light version of Outlook Web App” checkbox is checked and disabled on the login page:

    owa-light

    That means that IE11 is willing to render only the basic version of OWA which was originally designed to target legacy browsers. This is quite embarassing, because IE11 is a really modern browser even in the preview!
    The solution is to force IE to render OWA in compatibility mode. You can add the site to the compatibility list in the Tools –> Compatibility View Settings dialog:

    compatibility-view-settings

    This didn’t solve my problem, because only top-level domains can be added to this list, but I could take the advantage of the fact that according to the first checkbox, intranet sites are by default rendered in compatibility view. So I added my OWA URL to the list of sites in the Intranet Zone in the Tools –> Internet Options –> Security –> Local intranet –> Sites –> Advanced dialog.
    According to some forum posts, the same issue arises with Office 365 and some popular websites like GitHub as well.

    Source

    04 November 2013

    This attachment was removed

    After applying a file extension filter in Forefront Protection for Exchange 2010 we got complaints about .PDF, LNK, and .ZIP files not getting through.

    The attachment would be removed and replace by a text file with the line "This attachment was removed" in it.

    The first thing that attracts attention is the line "This attachment was removed".
    This is not the standard text we configured in Forefront so it comes from another source.

    Turns out after a standard install of Exchange 2010 (Edge) server, under water there is also a file filter active: "Attachment Filtering agent"

    You can see this after running:

    Get-AttachmentFilterEntry |fl

    Type     : ContentType
    Name     : application/x-msdownload
    Identity : ContentType:application/x-msdownload

    Type     : ContentType
    Name     : message/partial
    Identity : ContentType:message/partial

    Type     : ContentType
    Name     : text/scriptlet
    Identity : ContentType:text/scriptlet

    Type     : ContentType
    Name     : application/prg
    Identity : ContentType:application/prg

    Type     : ContentType
    Name     : application/msaccess
    Identity : ContentType:application/msaccess

    Type     : ContentType
    Name     : text/javascript
    Identity : ContentType:text/javascript

    Type     : ContentType
    Name     : application/x-javascript
    Identity : ContentType:application/x-javascript

    Type     : ContentType
    Name     : application/javascript
    Identity : ContentType:application/javascript

    Type     : ContentType
    Name     : x-internet-signup
    Identity : ContentType:x-internet-signup

    Type     : ContentType
    Name     : application/hta
    Identity : ContentType:application/hta

    Type     : FileName
    Name     : *.xnk
    Identity : FileName:*.xnk

    Type     : FileName
    Name     : *.wsh
    Identity : FileName:*.wsh

    Type     : FileName
    Name     : *.wsf
    Identity : FileName:*.wsf

    Type     : FileName
    Name     : *.wsc
    Identity : FileName:*.wsc

    Type     : FileName
    Name     : *.vbs
    Identity : FileName:*.vbs

    Type     : FileName
    Name     : *.vbe
    Identity : FileName:*.vbe

    Type     : FileName
    Name     : *.vb
    Identity : FileName:*.vb

    Type     : FileName
    Name     : *.url
    Identity : FileName:*.url

    Type     : FileName
    Name     : *.shs
    Identity : FileName:*.shs

    Type     : FileName
    Name     : *.shb
    Identity : FileName:*.shb

    Type     : FileName
    Name     : *.sct
    Identity : FileName:*.sct

    Type     : FileName
    Name     : *.scr
    Identity : FileName:*.scr

    Type     : FileName
    Name     : *.scf
    Identity : FileName:*.scf

    Type     : FileName
    Name     : *.reg
    Identity : FileName:*.reg

    Type     : FileName
    Name     : *.prg
    Identity : FileName:*.prg

    Type     : FileName
    Name     : *.prf
    Identity : FileName:*.prf

    Type     : FileName
    Name     : *.pif
    Identity : FileName:*.pif

    Type     : FileName
    Name     : *.pcd
    Identity : FileName:*.pcd

    Type     : FileName
    Name     : *.ops
    Identity : FileName:*.ops

    Type     : FileName
    Name     : *.mst
    Identity : FileName:*.mst

    Type     : FileName
    Name     : *.msp
    Identity : FileName:*.msp

    Type     : FileName
    Name     : *.msi
    Identity : FileName:*.msi

    Type     : FileName
    Name     : *.psc2
    Identity : FileName:*.psc2

    Type     : FileName
    Name     : *.psc1
    Identity : FileName:*.psc1

    Type     : FileName
    Name     : *.ps2xml
    Identity : FileName:*.ps2xml

    Type     : FileName
    Name     : *.ps2
    Identity : FileName:*.ps2

    Type     : FileName
    Name     : *.ps11xml
    Identity : FileName:*.ps11xml

    Type     : FileName
    Name     : *.ps11
    Identity : FileName:*.ps11

    Type     : FileName
    Name     : *.ps1xml
    Identity : FileName:*.ps1xml

    Type     : FileName
    Name     : *.ps1
    Identity : FileName:*.ps1

    Type     : FileName
    Name     : *.msc
    Identity : FileName:*.msc

    Type     : FileName
    Name     : *.mdz
    Identity : FileName:*.mdz

    Type     : FileName
    Name     : *.mdw
    Identity : FileName:*.mdw

    Type     : FileName
    Name     : *.mdt
    Identity : FileName:*.mdt

    Type     : FileName
    Name     : *.mde
    Identity : FileName:*.mde

    Type     : FileName
    Name     : *.mdb
    Identity : FileName:*.mdb

    Type     : FileName
    Name     : *.mda
    Identity : FileName:*.mda

    Type     : FileName
    Name     : *.lnk
    Identity : FileName:*.lnk

    Type     : FileName
    Name     : *.ksh
    Identity : FileName:*.ksh

    Type     : FileName
    Name     : *.jse
    Identity : FileName:*.jse

    Type     : FileName
    Name     : *.js
    Identity : FileName:*.js

    Type     : FileName
    Name     : *.isp
    Identity : FileName:*.isp

    Type     : FileName
    Name     : *.ins
    Identity : FileName:*.ins

    Type     : FileName
    Name     : *.inf
    Identity : FileName:*.inf

    Type     : FileName
    Name     : *.hta
    Identity : FileName:*.hta

    Type     : FileName
    Name     : *.hlp
    Identity : FileName:*.hlp

    Type     : FileName
    Name     : *.fxp
    Identity : FileName:*.fxp

    Type     : FileName
    Name     : *.exe
    Identity : FileName:*.exe

    Type     : FileName
    Name     : *.csh
    Identity : FileName:*.csh

    Type     : FileName
    Name     : *.crt
    Identity : FileName:*.crt

    Type     : FileName
    Name     : *.cpl
    Identity : FileName:*.cpl

    Type     : FileName
    Name     : *.com
    Identity : FileName:*.com

    Type     : FileName
    Name     : *.cmd
    Identity : FileName:*.cmd

    Type     : FileName
    Name     : *.chm
    Identity : FileName:*.chm

    Type     : FileName
    Name     : *.bat
    Identity : FileName:*.bat

    Type     : FileName
    Name     : *.bas
    Identity : FileName:*.bas

    Type     : FileName
    Name     : *.asx
    Identity : FileName:*.asx

    Type     : FileName
    Name     : *.app
    Identity : FileName:*.app

    Type     : FileName
    Name     : *.adp
    Identity : FileName:*.adp

    Type     : FileName
    Name     : *.ade
    Identity : FileName:*.ade


    As shown above, the attachments .ZIP, .LNK, and .PDF are not shown.
    Problem is that the attachment gets identified as an "invalid attachment" by the "Attachment Filtering agent".

    Solutions;

    Disable-TransportAgent -Identity "Attachment Filtering agent"

    Restart-Service MSExchangeTransport

    Or:

    1.Stop the Microsoft Exchange Transport service.

    2.Locate the EdgeTransport.exe.config file. This file is located in the following path:
    drive:\Program Files\Microsoft\Exchange Server\Bin\
     
    3.Add the following entry between the <appSettings> element and the </appSettings>  element          of  the EdgeTransport.exe.config file:
      
    <add key="AllowInvalidAttachment" value="true" />
    4.Restart the Microsoft Exchange Transport service.

    Source 1


    Source 2