Movatterモバイル変換

[0]ホーム
URL:

Jump to content
WikipediaThe Free Encyclopedia
Search

Microsoft Exchange Server

From Wikipedia, the free encyclopedia
Calendaring and mail server

Microsoft Exchange Server
Exchange Server 2019 logo
DeveloperMicrosoft
Initial releaseApril 2, 1996; 29 years ago (1996-04-02)[1]
Stable releaseSE Oct25SU15.2.2562.29 (14 October 2025; 39 days ago (2025-10-14)[2]) [±]
Operating systemWindows Server
Platformx64
TypeCollaborative software
LicenseProprietarycommercial software
Websitewww.microsoft.com/en-us/microsoft-365/exchange/email Edit this on Wikidata

Microsoft Exchange Server is amail server andcalendaring server developed byMicrosoft. It runs exclusively onWindows Server operating systems.

The first version was called Exchange Server 4.0, to position it as the successor to the relatedMicrosoft Mail 3.5. Exchange initially used theX.400 directory service but switched toActive Directory later. Until version 5.0, it came bundled with an email client calledMicrosoft Exchange Client. This was discontinued in favor ofMicrosoft Outlook.

Exchange Server primarily uses a proprietary protocol calledMAPI to talk toemail clients, but subsequently added support forPOP3,IMAP, andEAS. The standardSMTP protocol is used to communicate to other Internet mail servers.

Exchange Server is licensed both ason-premises software andsoftware as a service (SaaS). In the on-premises form, customers purchaseclient access licenses (CALs); as SaaS, Microsoft charges a monthly service fee instead.

History

[edit]
Main article:History of Microsoft Exchange Server

Microsoft had sold a number of simpler email products before, but the first release of Exchange (Exchange Server 4.0 in April 1996[1]) was an entirely newX.400-basedclient–server groupware system with a single database store, which also supportedX.500 directory services. The directory used by Exchange Server eventually became Microsoft'sActive Directory service, anLDAP-compliant directory service which was integrated intoWindows 2000 as the foundation ofWindows Server domains.

SE was released on 1 July 2025.

As of 2025, there have been eleven releases.

Current version

[edit]

The current version, Exchange Server 2019,[3] was released in October 2018. Unlike other Office Server 2019 products such asSharePoint andSkype for Business, Exchange Server 2019 could only be deployed on Windows Server 2019 when it was released. Since Cumulative Update 2022 H1 Exchange 2019 has been supported on Windows Server 2022.[4] One of the key features of the new release is that Exchange Server can be deployed onto Windows Server Core for the first time. Additionally, Microsoft has retired the Unified Messaging feature of Exchange, meaning that Skype for Business on-premises customers will have to use alternative solutions for voicemail, such as Azure cloud voicemail.

New features

[edit]
  • Security: support for installing Exchange Server 2019 onto Windows Server Core
  • Performance: supports running Exchange Server with up to 48 processor cores and 256 GB of RAM

Removed features

[edit]
  • Unified Messaging

Clustering and high availability

[edit]

Exchange Server Enterprise Edition supports clustering of up to 4 nodes when using Windows 2000 Server, and up to 8 nodes with Windows Server 2003. Exchange Server 2003 also introduced active-active clustering, but for two-node clusters only. In this setup, both servers in the cluster are allowed to be active simultaneously. This is opposed to Exchange's more common active-passive mode in which the failover servers in any cluster node cannot be used at all while their corresponding home servers are active. They must wait, inactive, for the home servers in the node to fail. Subsequent performance issues with active-active mode have led Microsoft to recommend that it should no longer be used.[5] In fact, support for active-active mode clustering has been discontinued with Exchange Server 2007.

Exchange's clustering (active-active or active-passive mode) has been criticized because of its requirement for servers in the cluster nodes to share the same data. The clustering in Exchange Server provides redundancy for Exchange Server as anapplication, but not for Exchangedata.[6] In this scenario, the data can be regarded as asingle point of failure, despite Microsoft's description of this set-up as a "Shared Nothing" model.[7] This void has however been filled by ISVs and storage manufacturers, through "site resilience" solutions, such as geo-clustering and asynchronous data replication.[8] Exchange Server 2007 introduces new cluster terminology and configurations that address the shortcomings of the previous "shared data model".[9]

Exchange Server 2007 provides built-in support for asynchronous replication modeled on SQL Server's "Log shipping"[10] in CCR (Cluster Continuous Replication) clusters, which are built on MSCS MNS (Microsoft Cluster Service—Majority Node Set) clusters, which do not require shared storage. This type of cluster can be inexpensive and deployed in one, or "stretched" across two data centers for protection against site-wide failures such as natural disasters. The limitation of CCR clusters is the ability to have only two nodes and the third node known as "voter node" or file share witness that prevents "split brain"[11] scenarios, generally hosted as a file share on a Hub Transport Server. The second type of cluster is the traditional clustering that was available in previous versions, and is now being referred to as SCC (Single Copy Cluster). In Exchange Server 2007 deployment of both CCR and SCC clusters has been simplified and improved; the entire cluster install process takes place during Exchange Server installation. LCR or Local Continuous Replication has been referred to as the "poor man's cluster". It is designed to allow for data replication to an alternative drive attached to the same system and is intended to provide protection against local storage failures. It does not protect against the case where the server itself fails.

In November 2007, Microsoft released SP1 for Exchange Server 2007. This service pack includes an additional high-availability feature called SCR (Standby Continuous Replication). Unlike CCR, which requires that both servers belong to a Windows cluster typically residing in the same datacenter, SCR can replicate data to a non-clustered server, located in a separate datacenter.

With Exchange Server 2010, Microsoft introduced the concept of the Database Availability Group (DAG). A DAG contains Mailbox servers that become members of the DAG. Once a Mailbox server is a member of a DAG, the Mailbox Databases on that server can be copied to other members of the DAG. When a Mailbox server is added to a DAG, the Failover Clustering Windows role is installed on the server and all required clustering resources are created.

Licensing

[edit]

Like Windows Server products, Exchange Server requiresclient access licenses, which are different from Windows CALs. Corporate license agreements, such as theEnterprise Agreement, or EA, include Exchange Server CALs. It also comes as part of the Core CAL. Just like Windows Server and other server products from Microsoft, there is the choice to use User CALs or Device CALs. Device CALs are assigned to devices (workstation, laptop or PDA), which may be used by one or more users.[12] User CALs, are assigned to users, allowing them to access Exchange from any device. User and Device CALs have the same price, however, they cannot be used interchangeably.

For service providers looking to host Microsoft Exchange, there is a Service Provider License Agreement (SPLA) available whereby Microsoft receives a monthly service fee instead of traditional CALs. Two types of Exchange CAL are available: Exchange CAL Standard and Exchange CAL Enterprise. The Enterprise CAL is an add-on license to the Standard CAL.

Clients

[edit]

Microsoft Exchange Server uses aproprietaryremote procedure call (RPC) protocol calledMAPI/RPC,[13] which was designed to be used byMicrosoft Outlook. Clients capable of using the proprietary features of Exchange Server includeEvolution,[14]Hiri and Microsoft Outlook.Thunderbird can access Exchange server via the Owl Plugin.[15]

Exchange Web Services (EWS), an alternative to the MAPI protocol, is a documentedSOAP-based protocol introduced with Exchange Server 2007. Exchange Web Services is used by the latest version ofMicrosoft Entourage for Mac and Microsoft Outlook for Mac - since the release ofMac OS X Snow Leopard Mac computers running OS X include some support for this technology via Apple's Mail application.

E-mail hosted on an Exchange Server can also be accessed usingPOP3, andIMAP4 protocols, using clients such asWindows Live Mail,Mozilla Thunderbird, andLotus Notes. These protocols must be enabled on the server. Exchange Server mailboxes can also be accessed through a web browser, usingOutlook Web App (OWA). Exchange Server 2003 also featured a version of OWA formobile devices, called Outlook Mobile Access (OMA).

Microsoft Exchange Server up to version 5.0 came bundled with Microsoft Exchange Client as the email client. After version 5.0, this was replaced by Microsoft Outlook, bundled as part ofMicrosoft Office 97 and later.[16] When Outlook 97 was released, Exchange Client 5.0 was still in development and to be later released as part of Exchange Server 5.0, primarily because Outlook was only available for Windows. Later, in Exchange Server 5.5, Exchange Client was removed and Outlook was made the only Exchange client. As part of Exchange Server 5.5, Outlook was released for other platforms.

The originalWindows 95 "Inbox" client also used MAPI and was called "Microsoft Exchange". A stripped-down version of the Exchange Client that does not have support for Exchange Server was released asWindows Messaging to avoid confusion; it was included withWindows 95 OSR2,Windows 98, andWindows NT 4. It was discontinued because of the move to email standards such as SMTP, IMAP, and POP3, all of whichOutlook Express supports better than Windows Messaging.

Exchange ActiveSync

[edit]

Support forExchange ActiveSync (EAS) was added to Microsoft Exchange Server 2003. It allows a compliant device such as aWindows Mobile device orsmartphone to securely synchronize mail, contacts and other data directly with an Exchange server and has become a popular mobile access standard for businesses due to support from companies likeNokia andApple Inc.[17] as well as its device security and compliance features.

Support forpush email was added to it with Exchange Server 2003 Service Pack 2 and is supported by Windows Phone 7,[18] theiPhone andAndroid phones,[19] but notably not forApple's nativeMail app onmacOS.

Exchange ActiveSync Policies allow administrators to control which devices can connect to the organization, remotely deactivate features, and remotely wipe lost or stolen devices.[20]

Hosted Exchange as a service

[edit]
Main article:Hosted Exchange

The complexities of managing Exchange Server—namely running both one or more Exchange Servers, plus Active Directory synchronization servers—make it attractive for organisations to purchase it as a hosted service.

Third-party providers

[edit]

This has been possible from a number of providers[21] for more than 10 years, but as of June 2018 is that many providers have been marketing the service as "cloud computing" or "Software-as-a-Service". Exchange hosting allows for Microsoft Exchange Server to be running in the Internet, also referred to as the Cloud, and managed by a "Hosted Exchange Server provider" instead of building and deploying the system in-house.

Exchange Online

[edit]

Exchange Online is Exchange Server delivered as a cloud service hosted by Microsoft itself. It is built on the same technologies ason-premises Exchange Server, and offers essentially the same services as third-party providers which host Exchange Server instances.[22]

Customers can also choose to combine both on-premises and online options in a hybrid deployment.[23] Hybrid implementations are popular for organizations that are unsure of the need or urgency to do a full transition to Exchange Online, and also allows for staggeredemail migration.

Hybrid tools can cover the main stack of Microsoft Exchange,Lync, SharePoint, Windows, and Active Directory servers, in addition to using replica data to report cloud user experience.[citation needed]

History

[edit]

Exchange Online was first provided as a hosted service in dedicated customer environments in 2005 to select pilot customers.[24] Microsoft launched a multi-tenant version of Exchange Online as part of the Business Productivity Online Standard Suite in November 2008.[25] In June 2011, as part of the commercial release ofMicrosoft Office 365, Exchange Online was updated with the capabilities of Exchange Server 2010.

Exchange Server 2010 was developed concurrently as a server product and for the Exchange Online service.

Vulnerabilities and hacks

[edit]

2020

[edit]

In February 2020, anASP.NET vulnerability was discovered and exploited relying on a default setting allowing attackers to run arbitrary code with system privileges, only requiring a connection to the server as well as being logged into any user account which can be done throughcredential stuffing.[26][27]

The exploit relied on all versions of Microsoft Exchange using the samestatic validation key to decrypt, encrypt, and validate the 'View State' by default on all installations of the software and all versions of it, where the View State is used to temporarily preserve changes to an individual page as information is sent to the server. The default validation key used is therefore public knowledge, and so when this is used the validation key can be used to decrypt and falsely verify a modified View State containing commands added by an attacker.[26][27]

When logged in as any user, any.ASPX page is then loaded, and by requesting both thesession ID of the user login and the correct View State directly from the server, this correct View State can bedeserialised and then modified to also includearbitrary code and then be falsely verified by the attacker. This modified View State is then serialised and passed back to the server in aGET request along with the session ID to show it is from a logged-in user; in legitimate use, the view state should always be returned in aPOST request, and never a GET request. This combination causes the server to decrypt and run this added code with its own privileges, allowing the server to be fully compromised as any command can therefore be run.[26][27]

In July 2020,Positive Technologies published research explaining how hackers can attack Microsoft Exchange Server without exploiting any vulnerabilities.[28] It was voted into Top 10 web hacking techniques of 2020 according toPortSwigger Ltd.[29]

2021

[edit]
Main article:2021 Microsoft Exchange Server data breach

In 2021, criticalzero-day exploits were discovered in Microsoft Exchange Server.[30] Thousands of organizations have been affected by hackers using these techniques to steal information and install malicious code.[31] Microsoft revealed that these vulnerabilities had existed for around 10 years,[32] but were exploited only from January 2021 onwards. The attack affected the email systems of an estimated 250,000 global customers, including state and local governments, policy think tanks, academic institutions, infectious disease researchers and businesses such as law firms and defense contractors.[33]

In a separate incident, an ongoingbrute-force campaign from mid-2019 to the present (July 2021)[needs update], attributed byBritish and American (NSA,FBI,CISA) security agencies to theGRU, uses/used publicly known Exchange vulnerabilities, as well as already-obtained account credentials and other methods, to infiltrate networks and steal data.[34][35]

2023

[edit]

In September 2023, Microsoft was notified that Microsoft Exchange is vulnerable toremote code execution including data theft attacks. Microsoft has not fixed these issues yet.[36]

See also

[edit]

References

[edit]
  1. ^ab"Microsoft Exchange Server Available".Microsoft. April 2, 1996. RetrievedFebruary 5, 2023.
  2. ^"Exchange Server build numbers and release dates". Microsoft Support. RetrievedOctober 14, 2025.
  3. ^"Microsoft kündigt Exchange 2019 an". September 26, 2017.
  4. ^"Released: 2022 H1 Cumulative Updates for Exchange Server".TECHCOMMUNITY.MICROSOFT.COM. April 20, 2022. RetrievedApril 21, 2022.
  5. ^"Considerations when deploying Exchange on an Active/Active cluster". Microsoft. RetrievedOctober 28, 2012.
  6. ^"The benefits of Windows 2003 clustering with Exchange 2003". The Exchange Team Blog. June 9, 2004. RetrievedOctober 28, 2012.
  7. ^"Exchange Clustering Concepts". TechNet. February 9, 2006. RetrievedOctober 28, 2012.
  8. ^"Storage Glossary: Basic Storage Terms".TechNet.Microsoft. March 8, 2005. Archived fromthe original on July 15, 2007. RetrievedOctober 28, 2012.
  9. ^"High availability". TechNet. March 8, 2005. RetrievedJuly 2, 2007.
  10. ^"Frequently asked questions—SQL Server 2000—Log shipping". Microsoft. March 8, 2005. RetrievedOctober 28, 2012.
  11. ^"An update is available that adds a file share witness feature and a configurable cluster heartbeats feature to Windows Server 2003 Service Pack 1-based server clusters". Microsoft. RetrievedOctober 28, 2012.
  12. ^"Top 75 Microsoft Licensing Terms – A Glossary From A(ntigen) To Z(une)". OMTCO, omt-co Operations Management Technology Consulting GmbH. RetrievedApril 24, 2013.
  13. ^"Exchange Server Protocols". Microsoft. November 7, 2008. RetrievedOctober 28, 2012.
  14. ^"Evolution/FAQ - GNOME Live!". Microsoft. RetrievedOctober 28, 2012.
  15. ^Beonex."Owl for Exchange".Owl for Exchange. RetrievedFebruary 21, 2020.
  16. ^"What is the Microsoft Exchange client?".
  17. ^"Microsoft Exchange ActiveSync Licensees". Microsoft. RetrievedOctober 28, 2012.
  18. ^"Exchange ActiveSync: Frequently Asked Questions". TechNet. RetrievedOctober 28, 2012.
  19. ^"Exchange ActiveSync". Apple. RetrievedOctober 28, 2012.
  20. ^"Apple - iPhone in Business". TechNet. RetrievedOctober 28, 2012.
  21. ^"Hosted Exchange Partner Directory". Microsoft. RetrievedOctober 28, 2012.
  22. ^"Microsoft Exchange Online for Enterprises Service Description". Microsoft. RetrievedOctober 28, 2012.
  23. ^Puca, Anthony (2013).Microsoft Office 365 Administration Inside Out. Microsoft Press. pp. 459–462.ISBN 978-0735678231.
  24. ^Ina Fried (March 10, 2005)."Microsoft hops into managed PC business". CNET News. RetrievedOctober 28, 2012.
  25. ^"Microsoft hops into managed PC business". Microsoft. November 7, 2008. RetrievedOctober 28, 2012.
  26. ^abc"Hackers Scanning for Vulnerable Microsoft Exchange Servers, Patch Now!".BleepingComputer. RetrievedMarch 20, 2021.
  27. ^abcNusbaum, Scott; Response, Christopher Paschen in Incident; Response, Incident; Forensics (February 28, 2020)."Detecting CVE-2020-0688 Remote Code Execution Vulnerability on Microsoft Exchange Server".TrustedSec. RetrievedMarch 20, 2021.
  28. ^Sharoglazov, Arseniy (July 23, 2020)."Attacking MS Exchange Web Interfaces".PT SWARM. RetrievedJune 18, 2022.
  29. ^"Top 10 web hacking techniques of 2020".PortSwigger Research. February 24, 2021. RetrievedJune 18, 2022.
  30. ^"HAFNIUM targeting Exchange Servers with 0-day exploits".Microsoft Security. March 2, 2021. RetrievedMarch 14, 2021.
  31. ^"Exchange email hack: Hundreds of UK firms compromised".BBC News. March 11, 2021. RetrievedMarch 12, 2021.
  32. ^"Microsoft's big email hack: What happened, who did it, and why it matters". CNBC. March 9, 2021. RetrievedMarch 14, 2021.
  33. ^"Here's what we know so far about the massive Microsoft Exchange hack". CNN. March 10, 2021. RetrievedMarch 14, 2021.
  34. ^"NSA, Partners Release Cybersecurity Advisory on Brute Force Global Cyber Campaign".nsa.gov.National Security Agency. Archived fromthe original on July 2, 2021. RetrievedJuly 2, 2021.
  35. ^"Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments"(PDF).Defense.gov. Joint publication form US/UK security agencies. RetrievedJuly 3, 2021.
  36. ^New Microsoft Exchange zero-days allow RCE, data theft attacks

External links

[edit]
Open source
Current
Discontinued
Email
Proprietary
Related technologies
Related articles
Retrieved from "https://en.wikipedia.org/w/index.php?title=Microsoft_Exchange_Server&oldid=1321064148"
Categories:
Hidden categories:
[8]ページ先頭
©2009-2025 Movatter.jp