April 11, 2023 Means No More Support for Exchange 2013
Recently, my June 2022 article about the future of Exchange Server received several retweets. I’ve no idea why this happened. My more recent views on what might happen with Exchange Server concluded that it’s time to move on to the cloud. Of course, that depends if it’s possible for an organization to move off-premises. That isn’t always possible due to regulations, legal requirements, or even infrastructure issues. Personal choice also comes into the equation as some simply cannot countenance any prospect of using cloud services.
In any case, if you’re using Exchange 2013, some action is needed because exchange 2013 end of life is on April 11, 2023. That’s a big date because after it Microsoft will not release security patches or any other fix for Exchange 2013. Any attempt to get support will be rebuffed with a polite refusal, which is not a great state for a production system to be in.
Old Servers Continue Working After the Support Deadline
Just because software is out of support doesn’t mean that it stops working. Database Availability Groups don’t have a switch to halt log shipping on April 11, and the transport service will continue to accept outbound and inbound email for processing. Mailboxes will still be available, and people can continue to connect with MAPI, POP3, IMAP4, ActiveSync, and Exchange Web Services. Everything runs smoothly, especially if the latest cumulative update and security updates are deployed to servers, until something untoward happens.
Software Designed Over a Decade Ago Struggles with Today’s Threats
The old adage that brown smelly bovine emissions happens to comes to mind. The sad truth is that Exchange 2013 represents the state of the software engineering art for email servers as it existed a decade or more ago. I don’t believe that Microsoft would depend on features like Remote PowerShell and OWA virtual directories if designing a new email server from scratch today. Other features, like the DAG, have passed the test of time, but attackers have taken advantage of some of the characteristics exposed in Exchange 2013 and its successors in attacks like Hafnium (March 2021), an exploit so severe that the FBI eventually had to step in to patch vulnerable servers.
It would be nice to report that everything smoothened out after the effects of Hafnium subsided. However, further zero-day vulnerabilities continue to emerge, the latest of which caused Rackspace to decide to exit its Exchange Server hosting business. The fact that a company with the resources possessed by Rackspace can’t run Exchange Server in a safe and secure manner in a way that makes commercial sense should raise a big red flag for other customers.
The Options Open to Exchange Server 2013 Customers
So what next for Exchange 2013 customers? The decision is binary if you want to continue running supported software:
- Upgrade servers to Exchange 2019 (make sure that you keep the servers updated).
- Move to Exchange Online.
Both choices involve pain and cost (code words for migrations). Neither can happen overnight. Time is ebbing away before Exchange 2013 end of life, so hiding heads in the proverbial sand is no longer an available option.
My advice continues to be that organizations with no well-defined need to remain on-premises should move to Exchange Online. It’s the right decision in many respects, not least being that you’ll no longer have to worry about server maintenance. Exchange Online is more functional than any on-premises server and will continue to be so. Microsoft 365 is a safer environment too, assuming that you take the good advice to enforce multi-factor authentication for accounts, pay attention to audit logs, and contemplate the deployment of optional features available to Microsoft 365 customers, like conditional access policies. Exchange Online is not a panacea, and it has its own issues, but it’s the best choice for most organizations today.
Your Choice, Your Responsibility
I respect the choice to stay on-premises providing that the organization is willing to dedicate enough time, talent, effort, and investment to run Exchange Server in a secure manner. I don’t doubt that Exchange Server is a very fine email server. It is and has proven that fact over the years. I just worry about the lessons learned over the past few years that many servers are in a sad state of maintenance.
As Microsoft 365 becomes harder to penetrate, thanks to efforts like the campaign to eliminate basic authentication for email connection protections (now approaching completion), attackers will seek easier targets. Exchange Server has a big target painted all over its code because of the number of known vulnerabilities and the undeniable track record of administrators failing to deploy security updates in good time (which is how Rackspace fell down). Don’t be the next company to have its email woes discussed by the press. It’s not a good space to find yourself in.
It’s time to make the shift to Exchange Online Today!
Minimize the risk, time, cost and complexity associated with an Exchange migration through Quest Software’s Migration Planning and Consolidation Solutions