Today, Microsoft announced that their tolerance for obsolete and unpatched on-premises Exchange servers is reaching an end, at least in terms of communicating with Exchange Online. Instead of allowing the old servers to send email to Exchange Online, Microsoft says that they will start to protect their service by first throttling and then rejecting inbound messages from on-premises servers if the operators don’t keep their servers updated.

The experience of the past few years, beginning with the Hafnium attack of March 2021, influenced Microsoft’s plan. Despite the widespread havoc wreaked by the Hafnium attackers, on-premises servers remain unpatched and exposed. The FBI might have closed the gaps for U.S.-based servers, but that still leaves servers in other countries for attackers to target.

Microsoft doesn’t know (or isn’t saying) exactly how many on-premises Exchange servers are in use. They know about the servers that connect to Microsoft as part of an Exchange hybrid organization and have some idea about other servers from analyzing inbound SMTP traffic. One thing is for sure: far too many of the on-premises servers run obsolete and vulnerable versions of Exchange Server. The set of vulnerable servers spans Exchange 2007, Exchange 2010, and Exchange 2013 (which becomes unsupported on April 11, 2023). Eventually, the set could include Exchange 2016 and Exchange 2019 servers that are not being updated.

Unpatched, Weak, and Vulnerable On-Premises Servers

Because Microsoft wrote the software running on these servers at a time when few could imagine the current threat landscape, these versions of Exchange Server are achingly vulnerable. Even with the best will in the world, it’s not possible to upgrade these Exchange servers to cope with the known threats. The problem is that a swelling bag of known attack techniques is available to anyone from script kiddies to nation state actors, all ready to deploy to inflict harm against old servers. Even companies with lots of experience running on-premises servers run into issues keeping systems updated. The three end-of-life versions of Exchange Server are out of support and don’t receive security or cumulative updates. As each month goes by, the software becomes more liable to become a target for potential compromise.

I have long said that the best course of action for most on-premises customers is to move to Exchange Online and Microsoft 365. The truth of this is obvious to anyone who’s followed the history of recent attacks against Exchange Server, like the two zero-day vulnerabilities discovered in September 2022. Business and other requirements mandate that some need to remain on-premises. What’s happening now is that Microsoft is saying that if these customers want to use on-premises Exchange to communicate with Exchange Online, they must run a recent version of Exchange Server and commit to keeping the software current with security updates and cumulative updates. In this context, “current” means that servers run the latest available or the previous updates.
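The “latest or previous update” rule is simple to state but easy to get wrong in an inventory, because the version Exchange reports to the management shell only tracks cumulative updates, not security updates. The script below is an added example (not code from the article or from Microsoft) that classifies servers against that rule. The function names are mine, and every build number in it is a placeholder: fill `$AllowedBuilds` with the real latest and previous builds for each version from Microsoft’s Exchange Server build number table before relying on the output.

```powershell
# Added example (not from the article). Flags on-premises Exchange servers that are not
# "current" under the rule described above: a server passes only if it runs the latest
# or the previous update for its version. Function names and all build numbers are
# assumptions for illustration; replace the builds with real values from Microsoft's
# Exchange Server build number table.

function ConvertTo-ExchangeBuild {
    # Normalise the two version forms met in practice to a [version] object:
    #   Get-ExchangeServer AdminDisplayVersion -> "Version 15.1 (Build 2507.6)"
    #       (changes only with cumulative updates, NOT with security updates)
    #   ExSetup.exe file version              -> "15.01.2507.006"
    #       (changes with security updates too, so use it for SU-level checks)
    param([Parameter(Mandatory)][string]$VersionText)

    if ($VersionText -match '^Version (\d+\.\d+) \(Build (\d+\.\d+)\)$') {
        return [version]"$($Matches[1]).$($Matches[2])"
    }
    if ($VersionText -match '^\d+(\.\d+){3}$') {
        return [version]$VersionText        # [version] drops zero padding: 15.01 -> 15.1
    }
    throw "Unrecognised Exchange version string: '$VersionText'"
}

function Test-ExchangeServerCurrent {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][version]$Build,
        # Keys are "Major.Minor" (15.1 = Exchange 2016, 15.2 = Exchange 2019); values are
        # the latest and previous acceptable builds for that version.
        [Parameter(Mandatory)][hashtable]$AllowedBuilds
    )
    $family = '{0}.{1}' -f $Build.Major, $Build.Minor

    # 15.0 = Exchange 2013, 14.x = Exchange 2010, 8.x = Exchange 2007: no updates exist,
    # so there is nothing to be "current" with.
    if (-not $AllowedBuilds.ContainsKey($family)) {
        return [pscustomobject]@{ Server = $Name; Family = $family; Build = $Build
                                  Status = 'Unsupported version (receives no updates)' }
    }

    $allowed = @($AllowedBuilds[$family] | ForEach-Object { [version]$_ } | Sort-Object)
    $status = if ($allowed -contains $Build)   { 'Current' }
              elseif ($Build -lt $allowed[0])  { 'Behind (older than the previous update)' }
              else                             { 'Not in the allowed list (check the build table)' }

    [pscustomobject]@{ Server = $Name; Family = $family; Build = $Build; Status = $status }
}

# Placeholder policy: latest and previous build per supported version (NOT real builds).
$AllowedBuilds = @{
    '15.2' = @('15.2.9999.12', '15.2.9999.11')   # Exchange 2019: latest, previous
    '15.1' = @('15.1.9999.34', '15.1.9999.33')   # Exchange 2016: latest, previous
}

# Constructed sample standing in for: Get-ExchangeServer | Select-Object Name, AdminDisplayVersion
$sample = @(
    @{ Name = 'EX2019-01'; AdminDisplayVersion = 'Version 15.2 (Build 9999.12)' }   # latest
    @{ Name = 'EX2019-02'; AdminDisplayVersion = 'Version 15.2 (Build 9999.11)' }   # previous: still OK
    @{ Name = 'EX2016-01'; AdminDisplayVersion = 'Version 15.1 (Build 9999.30)' }   # behind
    @{ Name = 'EX2013-01'; AdminDisplayVersion = 'Version 15.0 (Build 9999.2)' }    # Exchange 2013: unsupported
)

$report = foreach ($s in $sample) {
    Test-ExchangeServerCurrent -Name $s.Name `
        -Build (ConvertTo-ExchangeBuild $s.AdminDisplayVersion) `
        -AllowedBuilds $AllowedBuilds
}
$report | Format-Table -AutoSize
```

To run this against a real organization, replace `$sample` with the output of `Get-ExchangeServer` in the Exchange Management Shell. Keep the caveat in mind: `AdminDisplayVersion` stays the same after a security update is installed, so a server that passes this check at the cumulative-update level may still be missing the latest SU. For the SU-level build, run `Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo }` on each server and feed its `FileVersion` string to `ConvertTo-ExchangeBuild`, which accepts that dotted form; Microsoft’s Exchange Server Health Checker script performs the same comparison and is the more complete tool for a recurring audit.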