Microsoft To Target Insecure Exchange Server E-Mail Connections

IT pros may face deadlines after some recent Exchange team announcements regarding Exchange Online.

The to-do list for IT pros potentially includes the deprecation, starting July 15, 2023, of the Remote PowerShell protocol in the Security and Compliance PowerShell module used with Exchange Online. Also, there are updated September deadlines for migrating away from Client Access Rules, which are being deprecated in Exchange Online.

Additionally, organizations using Exchange Server to connect e-mails with the Exchange Online service will be facing patching and upgrading deadlines to avoid e-mail traffic throttling and blocking by Microsoft.

Exchange Server E-Mail Throttling
Microsoft announced this week that it is planning to throttle the e-mail traffic of organizations that use inbound connectors to send mail from insecure on-premises Exchange Servers to Exchange Online. Organizations will be facing a new "transport-based enforcement system" that could eventually block e-mail traffic from out-of-support or unpatched Exchange Server installations.

Microsoft is planning to start implementing this enforcement mechanism first for those organizations that are still using Exchange Server 2007, which fell out of support back in 2017. No activation date was specified for the throttling to come, but IT pros will get a Message Center notice "30 days" before this enforcement mechanism gets enacted.

The enforcement mechanism will follow an eight-stage scheme outlined by Microsoft. Microsoft will first send a report to the Exchange Admin Center portal when traffic from a noncompliant server gets detected. After 30 days, if the server issues haven't been addressed (such as server patching or server replacement), then the throttling will take place at a rate that will "increase every 10 days over the next 30 days." If there's been no remediation within 60 days, then the next phase will be to block the e-mail traffic.

"If, after 90 days from detection, the server has not been remediated, it reaches Stage 8, and Exchange Online will no longer accept any messages from the server," the Exchange team explained.

IT pros can request a temporary pause on Microsoft's throttling and blocking, but the pause is only good for "90 days per year."

Microsoft plans to target organizations using Exchange Server 2007 first, a choice meant to remove the most vulnerable servers first and to refine its throttling and blocking scheme. However, other Exchange Server products that use inbound connectors with Exchange Online likely also will follow this throttling and blocking model.

"Eventually, we will expand our scope to include all versions of Exchange Server, regardless of how they send mail to Exchange Online," the announcement explained.

In an FAQ section of the announcement, Microsoft asserted that its transport-based enforcement system isn't being implemented to get on-premises Exchange Server users to move to Exchange Online. It's being done to "protect Exchange Online recipients from potentially malicious messages sent from persistently vulnerable Exchange servers."

The FAQ also made it clear that the enforcement system just applies to outdated or unpatched Exchange Server implementations. Microsoft's approach isn't including the underlying Windows operating system as an enforcement factor, although Windows Server should be kept up to date, too.
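The enforcement system keys on the Exchange Server version and patch level behind an inbound connector, so the first defensive step is an inventory of both ends. The following PowerShell is an added example, not Microsoft's code or anything from the announcement: it assumes the on-premises part runs in the Exchange Management Shell and the cloud part uses the ExchangeOnlineManagement module, and the user principal name is a placeholder.

```powershell
# Added example (not Microsoft's code): inventory the pieces the enforcement
# system looks at. Assumes the Exchange Management Shell on-premises and the
# ExchangeOnlineManagement module for the cloud side; the UPN is a placeholder.

# --- On-premises: which servers and builds are in the organization? ---
# AdminDisplayVersion exposes the major/minor version: 8.x is Exchange 2007,
# 14.x is 2010, 15.0 is 2013, 15.1 is 2016, 15.2 is 2019.
$servers = Get-ExchangeServer | Select-Object Name, ServerRole, AdminDisplayVersion
$servers | Format-Table -AutoSize

# Flag anything still on Exchange 2007 (version 8.x), the first target of throttling.
$legacy = $servers | Where-Object { $_.AdminDisplayVersion.Major -eq 8 }
if ($legacy) {
    Write-Warning "Exchange 2007 servers still present: $($legacy.Name -join ', ')"
}

# --- Exchange Online: which enabled inbound connectors accept on-premises mail? ---
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN
Get-InboundConnector |
    Where-Object { $_.ConnectorType -eq 'OnPremises' -and $_.Enabled } |
    Select-Object Name, SenderDomains, SenderIPAddresses, TlsSenderCertificateName |
    Format-List
Disconnect-ExchangeOnline -Confirm:$false
```

Matching the connector's sender IP addresses or TLS certificate names against the on-premises server list tells you which servers actually feed Exchange Online, which is the set the 30/60/90-day clock applies to.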

Remote PowerShell Shift
Microsoft announced this week that it will "start deprecating the legacy RPS [Remote PowerShell] protocol in the Security and Compliance PowerShell module" on July 15, 2023.

Instead of using the Remote PowerShell module, Microsoft wants organizations managing Exchange Online to use "REST API-based cmdlets" for security and compliance tasks. There's no functional change with this switch as "the new REST API will have the same cmdlets available and will have feature parity with the RPS v1 cmdlets; thus, existing scripts and processes don't need to be updated," the announcement emphasized.

That said, there still isn't support yet for 17 eDiscovery cmdlets. Microsoft expects to have REST API support for them on "June 1, 2023."
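Because the cmdlet names are unchanged, the migration is mostly a matter of running a module version that connects over REST. The following PowerShell is an added example, not Microsoft's code: it assumes the ExchangeOnlineManagement module, takes 3.2.0 as the minimum version with REST-based Security and Compliance connections (an assumption to verify against the module's release notes), and uses a placeholder user principal name.

```powershell
# Added example (not Microsoft's code): connect to Security & Compliance
# PowerShell over the REST-based cmdlets instead of Remote PowerShell (RPS).
# Assumption: ExchangeOnlineManagement 3.2.0 is the minimum REST-capable version.

$minimum = [version]'3.2.0'
$module = Get-Module -ListAvailable -Name ExchangeOnlineManagement |
    Sort-Object Version -Descending | Select-Object -First 1

if (-not $module -or $module.Version -lt $minimum) {
    # Older module builds can only reach Security & Compliance through RPS.
    Install-Module -Name ExchangeOnlineManagement -MinimumVersion $minimum -Scope CurrentUser -Force
}
Import-Module ExchangeOnlineManagement -MinimumVersion $minimum

# Without the -UseRPSSession switch, recent module versions use the REST API.
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder UPN

# Same cmdlets as under RPS, so existing scripts keep working; list DLP policies as a check.
Get-DlpCompliancePolicy | Select-Object Name, Mode, Enabled | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Scripts that still pass `-UseRPSSession` to `Connect-IPPSSession` are the ones to hunt for before the deprecation date, since that switch is what keeps a session on the legacy protocol.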

Client Access Rules in Exchange Online
Microsoft last month updated its deprecation timeline for organizations using Client Access Rules with Exchange Online.

Microsoft still plans to deprecate Client Access Rules in September 2023, but just for those organizations lacking technical limitations. For organizations with technical problems, the Client Access Rules "retirement" is expected to occur in September 2024. Microsoft is giving such organizations a one-year grace period.

Microsoft wants Exchange Online users to switch to Continuous Access Evaluation instead of using Client Access Rules. The deprecation of Client Access Rules in favor of Continuous Access Evaluation had originally been announced by Microsoft back in September.
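Before the retirement date, an organization needs to know which Client Access Rules it still relies on and what each one blocks. The following PowerShell is an added example, not Microsoft's code: it assumes the ExchangeOnlineManagement module, and the user principal name and export path are placeholders.

```powershell
# Added example (not Microsoft's code): list the Client Access Rules still
# defined in a tenant so each can be reviewed before retirement.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

$rules = Get-ClientAccessRule |
    Select-Object Name, Priority, Enabled, Action, AnyOfProtocols,
        AnyOfAuthenticationTypes, AnyOfClientIPAddressesOrRanges,
        ExceptAnyOfClientIPAddressesOrRanges, UserRecipientFilter

# Enabled deny rules carry the access restrictions whose intent has to be
# re-expressed through Continuous Access Evaluation; show them in full.
$rules | Where-Object { $_.Action -eq 'DenyAccess' -and $_.Enabled } | Format-List

# Keep a record of the whole rule set for the migration plan.
$rules | Export-Csv -Path '.\ClientAccessRules-inventory.csv' -NoTypeInformation   # placeholder path

Disconnect-ExchangeOnline -Confirm:$false
```

Rules keyed on client IP ranges or protocols are the ones most likely to need a different control on the Continuous Access Evaluation side, so the exported list doubles as the checklist for the migration.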

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
