Important Cycrest Security Bulletin July 21, 2022

Attention Clients using On-Premise Microsoft Exchange for their Email systems.

Note: This is the second of three Security Bulletins we will be providing over the next 45 days pertaining to changes in the Cyber and Network Security arena.

If you or your Organization is utilizing the Microsoft On-Premise Exchange Email System (Email hosted on your own Company Server), please read this bulletin.

For more than the past year, Microsoft has been very quiet about their intentions for their On-Premise Exchange Email System. Microsoft had published articles indicating that all support for On-Premise Exchange Email systems would end in 2025. The belief in the marketplace was that Microsoft would be, somewhat, forcing people to migrate to their Office 365 Cloud Platform and would no longer provide an On-Premise option.

With the advent of last year's Microsoft Exchange Hafnium exploit, in which every Microsoft On-Premise Exchange system in the World was attacked via a vulnerability, that attack, plus others, exposed foundational weaknesses in the product. Prior to that event, Microsoft had been notified of the vulnerability. In January 2021, Microsoft patched their Office 365/Hosted Exchange product for that vulnerability; however, they did not release the patch for On-Premise Exchange Systems until March of 2021. That patch did not fix the major foundational issues, only the one doorway used in this attack. The delay in releasing the patch for On-Premise systems only fueled the speculation that Microsoft was trying to push people to move to Microsoft's Hosted Office 365/Cloud Exchange product so that Microsoft would only have to support one Email Environment.

Last month, in June 2022, for the first time in almost 2 years, Microsoft broke their silence and released information on their updated position regarding their On-Premise Exchange Email System.

In short, Microsoft has reversed their position on some areas, and announced new positions on others. Please find below a quick listing of those items:

  1. Microsoft will discontinue all support for Exchange Version 2013 by April 2023, and for Exchange Version 2016 by October 2025.
  2. Microsoft is going to end-of-life Exchange 2019 in 2025, at the same time as Exchange 2016. Microsoft has reversed their position and will now focus on enhancing, expanding, securing and fortifying Exchange 2019 going forward, which will become the new Exchange Platform for Exchange 2025. They will release an update that will help cure the main foundational issues, along with continuing to secure Exchange 2019. Microsoft will not be releasing any of those fixes for the 2013 or 2016 versions. Microsoft has been keeping the 2019 security upgrade release date quiet due to security protocols, but we are expecting these security updates to be available this year.
  3. Microsoft will release a new version of Exchange, called Exchange 2025, in late 2024 (estimated). This new version will not have an end of life and will be sold on a subscription basis only, under Microsoft's "Software Assurance" model. This will allow the product to receive continuous upgrades and enhancements on an ongoing basis. It is unknown at this time whether there will be only an annual subscription fee, or a subscription fee in addition to any fees for User and Server Licenses. Pricing will be announced sometime in 2024.
  4. Microsoft recommends that anyone with Exchange 2013 or Exchange 2016 upgrade to Exchange 2019 at this time, as Microsoft will only be releasing Security updates and Security upgrades (system hardening) for 2019. Microsoft will not be releasing any additional Security layers or options (software hardening) for Exchange 2013 or Exchange 2016.
  5. For the future 2025 Exchange version, there will be an "in-place upgrade path" directly from the 2019 version to the 2025 version in most, but not all, situations. (The upgrade paths from 2013 and 2016 to 2019 are manual, have labor costs associated with the process, and have to be done in phases and in separate steps.)

The good news is that Microsoft is now going to continue offering an On-Premise Email System for those Clients who desire one and, in addition, has agreed to focus on securing that On-Premise platform going forward.

For those Organizations who wish to explore migrating to Microsoft's Office 365 Hosted Exchange and do away with their On-Premise email system, costs normally run about $4.00 per user, per month, plus one-time migration costs.

Emails and Email Systems are a top way for hackers, intruders, and malicious actors to gain access to your system. Holes in Microsoft Email systems, along with Emails laced with malicious code, infected attachments, and phony web links, are used to entice Users into a compromise. In addition, many hackers also try to gain access to your Email account or Email system, as that gives them access to your personal contacts, the ability to intercept your Emails, the ability to send infected and compromised Emails on your behalf, and the ability to mine the vast treasure troves of past Emails in your sent and deleted Email boxes.

Cycrest's multi-layer Cyber and Network Security systems help mitigate many Email and other attack risks, to help keep you and your Organization safe when it comes to sending and receiving clean Emails and accessing your system. However, the challenge arises when a User's Email account password or the Organization's Email system is hacked, stolen or compromised.

Most of the time, you access email after connecting to your company system. To help lessen the chance of an email or system compromise via stolen or hacked passwords, Cycrest continues to recommend a companywide 2 Factor/MFA system.

A 2 Factor/MFA system adds a 2nd password that changes every 30 seconds and is entered after your primary User name and password. This 2nd password is generated by a smart phone App (free), a USB token, or a matchbook-sized portable token (one-time cost of $55.00-$65.00 per token). This process greatly reduces the chance of a hacker using your stolen, copied, or compromised passwords to gain access to your Email or Organizational systems.
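The "2nd password that changes every 30 seconds" is produced by the TOTP algorithm (RFC 6238): the phone App and the server share a secret, and both derive the current code from that secret and the current 30-second time step. The code below is an added example, not Cycrest's or Microsoft's code; the secret is the RFC's published reference key used as a constructed demo value, and the skew window is an assumed setting.

```python
"""Added example: how a 30-second rotating MFA code (TOTP, RFC 6238) is
generated on the phone App and checked on the server. Not Cycrest's code."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 6238 reference key. A real deployment
# generates a random per-user secret at enrollment and never reuses it.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # the "changes every 30 seconds" in the bulletin


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then the
    'dynamic truncation' that picks 4 bytes and reduces them to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP: the HOTP counter is the number of 30-second steps since 1970."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                skew_steps: int = 1, digits: int = 6) -> Optional[int]:
    """Server-side check. Accepts the current step plus/minus skew_steps
    (assumed: 1) so a phone whose clock drifts slightly still works.
    Returns the matching step so the server can refuse a replayed code
    from that same step, or None if nothing matched."""
    current = unix_time // STEP_SECONDS
    for step in range(current - skew_steps, current + skew_steps + 1):
        # constant-time comparison: do not leak how many digits matched
        if hmac.compare_digest(hotp(secret, step, digits), submitted):
            return step
    return None


if __name__ == "__main__":
    now = int(time.time())
    remaining = STEP_SECONDS - now % STEP_SECONDS
    print(f"current code: {totp(DEMO_SECRET, now)} (valid for {remaining}s)")
```

A stolen password alone fails this check because the attacker lacks the shared secret, which is why the bulletin's USB or portable token (which holds that secret) is equivalent to the phone App.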

In addition, as 2 Factor/MFA has been shown to reduce many threats, we are now seeing many of our Clients' insurance Organizations refusing to cover, or greatly increasing premiums and deductibles for, Clients that do not have a 2 Factor/MFA system installed on both their internal Organization network and any Cloud provider they utilize, such as Microsoft's Cloud Services.

Installing a companywide 2 Factor/MFA system is a very strong tool to help thwart Hackers. To help keep install costs lower, Cycrest can provide you with a "how to" list that you may share with each User after the main platform has been set up and configured. Any User needing additional help may then contact Cycrest.

When installing a companywide 2 Factor/MFA system, most problems occur in situations where there are "shared" user logon accounts: computers or accounts where many Users use the same computer with the same logon name. In those cases, a USB or portable token is normally recommended. While accepted in past times, today, for Users in the Health Care Industry or in Industries subject to CMMC, Federal Government or other regulatory requirements, shared accounts are not compliant with those requirements, and Cycrest is here to help you navigate other solutions.

Please call Sam at Cycrest at 509-747-9275 for additional information, to help answer any questions, and/or to discuss any Exchange upgrade options.

Thank you and take care.

Cycrest Systems, Inc.
