Microsoft’s new feature in Exchange Online will soon make it impossible for unsupported or unpatched on-premises Microsoft Exchange servers to use the Exchange Online hosted cloud service to deliver email. The software company is enabling a transport-based enforcement system in Exchange Online to address the problem of persistently vulnerable Exchange servers that cannot be trusted. In this article, we will discuss how this enforcement system works and what it means for IT admins.
Transport-Based Enforcement System
The new enforcement system has three primary functions: reporting, throttling, and blocking. The system alerts an admin about unsupported or unpatched Exchange servers in their on-premises environment that need remediation (upgrading or patching). If a server is not remediated or upgraded, mail flow from that server will be throttled and eventually blocked.
Notification for Admins
When Exchange Server admins log onto Exchange management tools, they will see notifications about unsupported or out-of-date servers. Emails sent from persistently vulnerable servers are a danger to all Exchange Online cloud instances as well as email recipients.
Progressive Enforcement
The progressive enforcement actions are designed to escalate until the vulnerable Exchange servers are remediated by removal from service or patching. The stages involve increasing periods of just throttling or throttling and blocking. If the admin of a server hasn’t moved to patch or upgrade the server in 90 days, Exchange Online will no longer accept any messages from the server.
Supported Versions
Microsoft won’t end support for newer versions of Exchange servers. Customers are not required to replace unsupported versions of Exchange with a newer one. However, unpatched Exchange 2016 and Exchange 2019 servers are also persistently vulnerable to known attack vectors, including the Hafnium hacks that started in March 2021.
First Wave of Affected Customers
The first wave of affected customers will see the new mail flow report and alerts on May 23. Microsoft’s goal is to protect its internal infrastructure and to raise the security profile of the Exchange ecosystem.
IT Admins Can Request Pause
IT admins can request a temporary enforcement pause for up to 90 days per calendar year. But customers who continue to use outdated on-premises Exchange servers, the blocking process will resume from the same point where it was paused.
Title: Microsoft Encourages Upgrade to Supported Version of Exchange Server
With thousands of on-premises customers running outdated versions of Exchange Servers, including Exchange 2007, Exchange 2010, and Exchange 2013 which will become unsupported next month, Microsoft is taking action. In this article, we’ll discuss how Microsoft is implementing a transport-based enforcement system in Exchange Online to encourage organizations to upgrade to a supported version of Exchange Server.
Change Aimed at Addressing Problem
The change aims to address the problem of thousands of on-premises customers running outdated versions of Exchange Servers, including Exchange 2007, Exchange 2010, and Exchange 2013 which will become unsupported next month. Unpatched Exchange 2016 and Exchange 2019 servers are also persistently vulnerable to known attack vectors, including the Hafnium hacks that started in March 2021.
Notification for Admins
The transport-based enforcement system will report, throttle, and block messages sent from Exchange 2007 Servers over an inbound On-Premises type of connector. The system will alert an admin about unsupported or unpatched Exchange servers in their on-premises environment that need remediation (upgrading or patching).
Progressive Enforcement Process
The enforcement process will be divided into 30-day chunks that involve reporting, throttling, and blocking. It will be implemented in a progressive manner to cover other versions of Exchange Server. Microsoft advises patching vulnerable on-premises Exchange Servers and urges organizations to upgrade/patch their vulnerable servers.
Temporary Enforcement Pause
IT admins can request a temporary enforcement pause for up to 90 days per calendar year, but for customers who continue to use outdated on-premises Exchange Servers, the blocking process will resume from the same point where it was paused.
AMA Session
Microsoft plans to hold an AMA session to inform customers about these changes on May 10, 2023, at 9 AM PT. Customers are urged to participate and ask questions about how they can upgrade, patch, or remediate their on-premises Exchange Servers.
Image Source: Wikimedia Commons