Microsoft Exchange 2010 support ends in a matter of days and there are 139,000 internet-facing servers still up
Research finds orgs taking big chances with unpatched email relays
Security company Rapid7 reports that there are more than 139,000 Microsoft Exchange 2010 servers with internet-facing services (Outlook Web Access or OWA) despite the application going out of support this month.
Exchange 2010 was initially due to go end-of-life in January this year, but Microsoft extended support to 13 October. After this date the application will continue to run but "Microsoft will no longer provide technical support … including bug fixes, security fixes, and time zone updates." It will have been supported for nearly 11 years, having been released on 9 November 2009.
Exchange 2013 support ends in April 2023, while Exchange 2016 and 2019 will be abandoned together in October 2025.
But the out-of-support problem is coming to an end – kind of – since Microsoft will no longer sell permanent licences when the next Exchange, currently known as "vNext," is released in the second half of 2021. It will be a subscription-only product and therefore be kept up to date automatically.
There will be an in-place upgrade from Exchange 2019 so the migration path is either to install vNext into an organisation and migrate the mailboxes, or upgrade Exchange in-place to 2019 and then to vNext. A twist is that the in-place upgrade to vNext is only supported for two years from release.
Long tail problem
Does anyone still run Exchange 2010? Indeed they do, said Tom Sellers, principal security researcher at Rapid7. Using an internet-scanning tool, the company detected 139,711 instances of OWA published by Exchange 2010. It would also be a mistake to think that these servers are conscientiously maintained and patched, he opined.
"Nearly 54,000 of these have not been updated in six years," Sellers said.
If that is not enough to worry about, Rapid7 also identified 16,577 instances of OWA published by Exchange 2007 on the public internet. "This product has been out of support for over three years," Sellers said. "Additionally, the newest version of Windows Server that Exchange 2007 runs on is 2008 R2, which reached end of support in January 2020."
What is perhaps surprising is that there are fewer Exchange 2013 instances out there than 2010, according to Rapid7, with only 102,593 detected, and around 66 per cent are old and unsupported versions of that product.
Organisations are also doing a poor job of keeping Exchange 2016 and 2019 up to date, with 87 per cent of the former and 77 per cent of the latter missing the most recent updates, Sellers said. Of 2019, "there are nearly 2,100 that as far as we can tell have never had updates installed."
The situation may not be as bad as it first appears, in that Rapid7 is not able correlate the data with any information on the number of users on these servers. Some may be test installs, or servers that are out of use following migration to Microsoft 365 or Google Mail.
Some credit is due to Microsoft too: Outlook Web Access has a relatively good record for fixing security, with 59 CVE entries since 1999.
Why are there so many old versions of Exchange out there? One of the factors is that Exchange isn't trivial to upgrade. Exchange 2010 was easier to deploy, and there is no in-place upgrade from 2010 to 2013, which may explain why there are so many still out there.
Admins need to think about versions of Windows Server, versions of Active Directory, fiddly issues with public folders, and implications for anti-spam and anti-malware. Email is messy and difficult to manage.
There are times, times, of course, when maintaining a mail server on-premises seems like a smart move, but the cost in terms of admin resources may be high. Although Exchange is among Microsoft's more reliable products, outages happen on-premises too, and probably more often, though they do not attract the same global attention.
Microsoft has also made its cloudy services hard to avoid, with things like ceasing to update the anti-spam feature in on-prem Exchange and recommending cloud-based Exchange Online Protection instead – landing organisations with the same cloud dependency that they were, perhaps, trying to avoid.
Curiously, Microsoft also makes running at least one Exchange server on-premises hard to avoid for many. Firms that use Azure Active Directory Connect, in order to synchronize Active Directory on-premises with its cloudy equivalent, are required to manage email recipients in an on-premises Exchange server, which then syncs changes to Exchange Online. A free licence is on offer, but it remains an administrative burden.
"We completely understand that this is difficult and expensive to do," said Greg Taylor, Exchange director of product marketing, during the Ignite virtual event last month. "We have a solution in mind and are working towards it." More news is promised in Spring 2021.
Taylor also noted that Microsoft continues to work towards turning off basic authentication in Exchange Online, and highlighted new features on the way for Exchange admins, such as a completely new admin center dashboard.
One tip that some have missed: plus addressing, which lets users add throwaway email addresses including a + character for signing up to possibly dodgy websites or mailing lists, is now generally available, though admins need to enable it via PowerShell. One more reason to migrate from Exchange on-premises. ®