Microsoft uses carrot and stick with Exchange Online admins

If you need extra time to dump RPS, OK, but email from unsupported Exchange servers is blocked till they’re up to date

Some Exchange Online users who have the RPS feature turned off by Microsoft can now have it re-enabled – at least until September when the tool is retired.

Microsoft is moving all of its Exchange Online tenants from the legacy – and increasingly insecure – Remote PowerShell Protocol to the PowerShell v3 module. The first step comes April 1, when Redmond begins blocking RPS connections for tenants created on or after April Fool's Day.

In June, Microsoft will begin disabling it for all Exchange Online customers. The RPS Module will be retired September 1 and all tenants will be turned off by October 1. However, for enterprises, the changeover is more than simply flipping a switch, so Microsoft is giving users a way to buy more time.

"Customers who need more time to make the switch can re-enable RPS (if we have disabled it for you) and use it for a little longer," the Exchange Online Team wrote in a blog post, pointing to a self-service tool in the Microsoft 365 and Exchange admin centers to use when requesting an extension or a re-enablement.

"We are adding this tool to help you minimize disruptions as you transition away from using RPS. We want you to use the tool only if you really need to use RPS, and not just because you think you might need to."

Hardening Exchange Online

The retirement of RPS is among a number of steps Microsoft is taking to harden Exchange Online against cyber threats. The protocol is used for client-to-server communications through PowerShell cmdlets and is the admin interface for managing Exchange Online via the command line.

However, in September 2022 Redmond launched the more modern PowerShell v3 module and started the clock ticking on RPS's demise.

PowerShell v3 promises significant upgrades in reliability and performance over RPS, such as REST API cmdlets to reduce failures caused by network delays or long query execution times. For security, a key is support for modern authentication methods – or Modern Auth – like multi-factor authentication (MFA).

The shift for Exchange Online is the latest instance of a portfolio-wide Modern Auth adoption by the software giant that began more than three years ago. Other applications – including Outlook Desktop and Outlook Mobile App – already have been updated.

Microsoft warned Exchange Online users in September and again earlier this month about the impending deadlines, but some have pushed back, convincing Redmond to put in place the extension and re-enablement process.

Steps to enablement

The vendor is outlining steps for enterprises to see if RPS has been disabled and, if so, how they can re-enable it.

"To reiterate, requesting an opt-out for RPS could put your tenant data at security risk," the Exchange Online Team wrote. "If you are not sure if you need RPS, let us turn it off and wait to see what happens. You can always re-enable it through September 2023 using the tool, and while this might cause some disruption, the upside is it will help define the work you need to do prior to October 2023."

Giving users extra time with RPS comes during a week of security news from the company's inaugural Microsoft Secure event and a week after it further hardened Exchange Online by blocking emails from unsupported and unpatched Exchange servers.

Get those Exchange servers up to date

Vulnerable on-premises Exchange servers are popular targets of criminals because of the critical data they hold. Thousands of such servers are still in use and Microsoft has urged admins to remediate them. Now it is promising to throttle or block email sent from the servers, which the company hopes will slow down communications and disrupt business operations enough to convince admins to update and patch them.

Such Exchange servers are not trusted within Microsoft's zero-trust security model.

"Therefore email messages sent from them cannot be trusted," the Exchange Online Team wrote. "Persistently vulnerable servers significantly increase the risk of security breaches, malware, hacking, data exfiltration, and other attacks."

"Many customers have taken action to protect their environment, but there are still many Exchange servers that are out of support or significantly behind on updates."

Microsoft is adding a mail flow report to the Exchange admin center that works with the Exchange Server Health Checker tool, which collects a range of information, including which servers are unsupported or unpatched. The mail flow report gives tenants details of such Exchange servers.

If a server isn't remediated, Exchange Online will slow down mail coming from it, using a retriable SMTP 450 error and forcing the server to retry the message later. Throttling times will get longer over time if the Exchange server isn't hardened.

If the admin still hasn't remediated the server after 30 days, Exchange Online shifts to blocking the messages, issuing a permanent SMTP 550 error and sending a non-delivery report.

"Enforcement actions will escalate over time (eg, increase throttling, add blocking, increase blocking, full blocking) until the server is remediated: either removed from service (for versions beyond end of life), or updated (for supported versions with available updates)," the Exchange Online Team wrote. ®

More about

TIP US OFF

Send us news


Other stories you might like