Wired Calls Exchange Server a Security Liability
In March 2021, in the middle of the Hafnium attack against Exchange servers, I said that the attack gave impetus for on-premises customers to move to the cloud. Eighteen months later, things have not improved. If anything, they might be even worse, despite Microsoft’s best efforts to mitigate attack vectors and close off holes in the venerable Exchange code base.
Recent zero-day vulnerabilities underline the point. But you know things have reached a critical point when Wired magazine calls Exchange Server a security liability in a well-argued article by Andy Greenberg, summarized with “it’s time to say goodbye to on-premise(s) Exchange.”
Greenberg points to a stream of vulnerabilities (like ProxyRelay, described by researcher Orange Tsai), ongoing hacking campaigns, and the difficulty organizations often experience when they try to patch Exchange servers. These are facts. Exchange Server is a huge target for attackers because it was such a popular on-premises email server. Although the number of servers is gradually declining, there are still a lot of servers out there for attackers to pursue.
Five Reasons Why Exchange Server is Vulnerable
Customers might have some questions about why Exchange Server is so vulnerable. I think it boils down to five factors:
The age of the code base. No version of Exchange Server was designed to deal with the kind of threat-filled environment now prevalent on the internet. The web components in the current release (Exchange 2019) use an architecture laid down fifteen or more years ago (arguably for Exchange 2003 but definitely for Exchange 2007). The dependency on IIS and the difficulty of configuring web virtual directories to make sure that OWA is secure reflect thinking that wouldn’t happen today.
The reluctance of the installed base to move to new server versions. Even if Microsoft closes holes and improves the security of Exchange Server, their efforts are worth precisely zero if customers don’t upgrade their servers. Exchange has always been slow to move forward as an application, largely because new versions require new hardware.
For example, Exchange 2019 mail servers have a recommended memory of 128 GB to allow Exchange to cache “hot mailbox data” and improve performance. Many organizations run Exchange on virtual machines hosted on VMware or Hyper-V, introducing another complication in the upgrade process.
The fragility of the upgrade/patch process: It takes too long to apply security updates or the regular quarterly cumulative updates. Servers must be taken offline, and everything must be right (including Windows patches) before an update will install. Even then, odd things can happen to prevent an update from completing. These things work out in the end, but update difficulties have caused too many grey hairs for Exchange administrators, as I know to my cost.
The detachment of the Exchange engineering team: There was a time when the Exchange engineering team was very connected to its customers. I don’t believe this is the case any longer for two reasons. First, the most experienced engineers have moved to new positions within Microsoft in roles that concentrate on the Microsoft 365 substrate or Exchange Online. These folks knew the product inside out. They also had great connections with customers and MVPs and a genuine appreciation of operational challenges. The current engineering team responsible for Exchange Server just doesn’t possess this background. They are talented people, but their connectivity with the real world is not the same as it was.
The lack of connection with their base is compounded by the demise of the in-person Ignite conference. Traditional Ignite conferences allowed engineers to interact with customers in a very personal manner. People brought technical issues to the conference to debate with engineers. It was a perfect two-way learning conduit that hasn’t happened since 2019. The recent “hybrid Ignite” is not the same. The rumor is that Microsoft will try to bring back an in-person Exchange Conference (MEC) in 2023. That might help, but I suspect that the content will focus on Exchange Online because that’s where Microsoft’s future lies.
Microsoft’s use of Exchange Online: Microsoft eats its own dog food, but the current dog food is cloud-flavored. If Microsoft used Exchange Server as its mail server, we might see more aggressive action to harden the server, close holes as they emerge, and introduce new software solutions to improve updates and patches. For instance, Microsoft might have been as assiduous in removing basic authentication from Exchange Server as they have been for Exchange Online.
Microsoft generates $100-plus billion annually from cloud services, and that’s where its focus will remain. The resources Microsoft assigns to on-premises server engineering will only shrink over time.
Exchange Online is very different from Exchange Server, and the gap widens all the time, not least because of the central role Exchange Online plays for the Microsoft 365 substrate. Although Exchange Online spans over 200,000 physical mailbox servers, the risk of compromise is much lower than for any on-premises environment because of the security resources Microsoft dedicates to protecting its cloud infrastructure. Quite simply, few other companies could afford to erect and manage the same kind of defenses.
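As a defender’s check tied to the basic-authentication and virtual-directory points above, here is an added PowerShell example (not code from the article, from Microsoft, or from any project): it inventories one on-premises Exchange server’s client-access virtual directories and flags those that still accept Basic authentication. It assumes it runs inside the Exchange Management Shell and uses the placeholder server name EXCH01.

```powershell
# Added example, not from the article: audit Basic authentication on the
# client-access virtual directories of one on-premises Exchange server.
# Assumes the Exchange Management Shell is loaded; EXCH01 is a placeholder.
$ServerName = 'EXCH01'

# Record the build so the report shows which CU/SU level was audited.
$server = Get-ExchangeServer -Identity $ServerName
Write-Host ("Auditing {0} (build {1})" -f $server.Name, $server.AdminDisplayVersion)

function Test-BasicAuth($vdir) {
    # The cmdlets expose Basic auth differently: MAPI/HTTP as an array of IIS
    # methods, ActiveSync as BasicAuthEnabled, the rest as BasicAuthentication.
    if ($null -ne $vdir.IISAuthenticationMethods) {
        return [bool]($vdir.IISAuthenticationMethods -contains 'Basic')
    }
    if ($null -ne $vdir.BasicAuthEnabled) { return [bool]$vdir.BasicAuthEnabled }
    return [bool]$vdir.BasicAuthentication
}

# Every HTTP-facing protocol a client (or attacker) can reach through IIS.
$vdirs = @(
    Get-OwaVirtualDirectory          -Server $ServerName
    Get-EcpVirtualDirectory          -Server $ServerName
    Get-ActiveSyncVirtualDirectory   -Server $ServerName
    Get-WebServicesVirtualDirectory  -Server $ServerName
    Get-OabVirtualDirectory          -Server $ServerName
    Get-AutodiscoverVirtualDirectory -Server $ServerName
    Get-PowerShellVirtualDirectory   -Server $ServerName
    Get-MapiVirtualDirectory         -Server $ServerName
)

$report = @(foreach ($v in $vdirs) {
    [pscustomobject]@{
        VirtualDirectory = $v.Name
        ExternalUrl      = $v.ExternalUrl
        BasicAuthEnabled = Test-BasicAuth $v
    }
})

$report | Format-Table -AutoSize

# Basic auth sends credentials with every request and is a favourite target for
# password spraying; flag each directory where it is still switched on.
$exposed = @($report | Where-Object BasicAuthEnabled)
if ($exposed.Count -gt 0) {
    Write-Warning ("{0} virtual directories still accept Basic authentication; " +
                   "disable it once legacy clients are retired." -f $exposed.Count)
}
```

Run it per server (or loop over Get-ExchangeServer) and keep the output with the patch records, so the next cumulative-update cycle can confirm nothing re-enabled Basic authentication.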
Time to Take the Migration Pain
I don’t know how many Exchange servers remain operational in on-premises organizations. The FBI found tens of thousands of servers to patch last year. Given that Office 365 has more than 345 million paid seats (almost all of whom use Exchange Online), the bulk of the migration from on-premises Exchange is over.
Some of the organizations that remain absolutely need to run on-premises (military servers are the classic example, including those on submarines). Many of those organizations have the security smarts to be able to defend their infrastructures. Others don’t, and that fact is obvious from the ongoing level of attacker interest in exploiting Exchange flaws. Putting the special cases to one side, any regular commercial organization running Exchange Server must ask whether things have become so bad that it should migrate ASAP, even if it follows Paul Robichaux’s security principles for Exchange Server.
Different circumstances will influence each company’s decision, but at this point, it just makes sense for organizations to remove themselves from the target list and migrate. Migrations are painful and costly, but a compromised Exchange server is so much worse (as people discover on an all-too-frequent basis).