Microsoft is right to throttle outdated Exchange servers


Harry

Member
Oct 13, 2020
I am happy that Microsoft will try to eliminate outdated Exchange servers, and many corporate email administrators probably also are. I spend a lot of my time on third-party risk and third-party breaches. Microsoft's stated reason for throttling outdated Exchange servers is the mail that they send. I'm more concerned about mail they receive, particularly from me. It is well documented that Exchange attacks like ProxyShell have led to loss of confidentiality and the installation of ransomware. Steve argues that organizations running outdated Exchange servers are perfectly happy with their old installations. I doubt it. The reality is that decision makers in the organizations with those servers do not care about security. They prioritize short term savings over the security and privacy of their customers and employees. Email admins and security people (if they exist) in those organizations have probably already made the case to upgrade for security reasons. Now Microsoft is helping them make it happen.

Think about why we have privacy laws. They exist because most organizations will not voluntarily enact burdensome and expensive privacy practices. Most organizations do what they have to do and not much more. I applaud Microsoft for taking this action. I don't want to have to send out a breach notification because of one of our third parties, and you shouldn't want to receive one.
 
Who coded the old software? (Hint: Microsoft did.) They released the software as fit for purpose and not dangerous to operate. If that software is, or has become, dangerous to operate, then Microsoft should be providing enough support to eliminate any danger in operating it... whether it is within warranty or not. Would you accept that your vehicle could suddenly have the steering wheel stop functioning safely while in use? If that could happen, would you consider it a design or manufacturing flaw and expect the manufacturer to do a recall? I think the issue is that Microsoft is trying to shirk their legal duty to make sure their server software does not become a danger to its users. No doubt it would be cheaper for them to just give free upgrades to users that have entered into a dangerous situation.
 
Who coded the old software? (Hint: Microsoft did.) They released the software as fit for purpose and not dangerous to operate. ...
Should Microsoft continue to patch Windows 95?
 
I can see a good number of operations with old Exchange versions using them inside a semi-transparent proxy that handles things like known bugs and known attacks, either by simply dumping the message or by rewriting it to a benign version. A feature they will likely add now is also handling outgoing email: rewriting headers to spoof that the sender is a current version, or simply not sending any header info other than the bare minimum required by the RFC to handle the message, or using the header from one of the open source options, as MS has to accept those or risk having half the email servers never forward mail to them. Or the organisations can pay the cheaper cost of having Google handle email transport, as that comes with a pretty good spam filter that is always current, and malware detection that actually works.
 
Something that was never mentioned in the various reports is that this is limited to connections made through Inbound Connectors of the OnPremises (aka "Your organization's email server") type, at least as of this writing.

This is rather a significant nuance, because this is something that the Exchange Online (or Microsoft 365) tenant administrator will have configured manually. This does not touch any other connector type or pure Internet email (SMTP) connections. That's also something that should be within the organization's own control, as long as you control your own Exchange Online tenant and your own on-premises Microsoft Exchange servers.

The messaging around this change was... horrible at best, and it should have been better communicated by both Microsoft and tech journalists.
 
Should Microsoft continue to patch Windows 95?
Well, a desktop OS can be taken offline and still remain a desktop OS. A mail server cannot (and still be what you purchased it for). If any company creates a tool that is supposed to be an online server, then they should be required to continue to patch it minimally enough that it is not a risk to the rest of the online community. One way to do that would be to set a hard STOP date when you create it, and say something like "this product comes with a predetermined end-of-life date of __date__ and it will completely cease to function at that time." At least that way it would be clear what you are purchasing.
 
Not to beat this thing to death, but while I agree with a lot of what is being said, two things are not that well known and deserve further details.
- The Exchange servers that are in scope for now are part of Hybrid setups (which means the enterprise has at least partially moved to Office 365 and may have a few remaining mailboxes, or even zero mailboxes but just apps sending emails over), so only this on-prem to online mail flow will be affected.
- @Steve, for the same reason, I don't see it as a money grab, since Coexistence / Hybrid servers have a free server license attached to the Office 365 subscription (https://techcommunity.microsoft.com...tive-updates-for-exchange-server/ba-p/3285026)
- Lastly, there is no way for Office 365 to know the real version of the Exchange server besides looking at the SMTP EHLO banner sent by the server, which is modifiable via a simple command, so people who actively don't want to upgrade will still be able to keep their server. I think the goal is more to grab the attention of admins of those "unattended servers".

[for full disclosure I am a MS employee]
Guillaume
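Two posts above make the scope concrete: only mail arriving through Inbound Connectors of the OnPremises type (the hybrid path) is affected, and the on-premises server's build is what determines whether it is "outdated". The script below is an added example for checking both sides of that path; it is not code from the thread, from Microsoft, or from any poster. It assumes you run it from the on-premises Exchange Management Shell with the ExchangeOnlineManagement module installed and an Exchange admin role in the tenant, and it uses Connect-ExchangeOnline -Prefix Cloud so the cloud cmdlets (Get-CloudInboundConnector) do not collide with the on-premises ones. $MinimumBuild is a placeholder you must replace with the oldest Cumulative Update build you consider acceptable, taken from Microsoft's Exchange build-number table; the value shown is illustrative only.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not part of the thread. Inventories the hybrid mail path discussed above:
#   Part 1 (Exchange Online): Inbound Connectors of type OnPremises, the only type named as in scope.
#   Part 2 (on-premises):     each Exchange server's CU build and the SMTP banner its receive
#                             connectors advertise.
param(
    # Placeholder (assumption): replace with the oldest CU build you still accept.
    [Version]$MinimumBuild = [Version]'15.2.0.0'
)

# ---- Part 1: Exchange Online side ----
# -Prefix Cloud renames the imported cloud cmdlets (Get-InboundConnector -> Get-CloudInboundConnector)
# so they do not shadow the on-premises cmdlets already loaded in the Exchange Management Shell.
Connect-ExchangeOnline -Prefix Cloud -ShowBanner:$false

$onPremConnectors = Get-CloudInboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' }

if (-not $onPremConnectors) {
    Write-Host 'No OnPremises-type inbound connectors found: no hybrid mail path is exposed to this throttling.'
}

# For each in-scope connector, show how the tenant identifies the on-premises servers
# (certificate subject and/or source IP ranges) and which sender domains it accepts.
foreach ($c in $onPremConnectors) {
    [PSCustomObject]@{
        Connector         = $c.Name
        Enabled           = $c.Enabled
        RequireTls        = $c.RequireTls
        TlsSenderCertName = $c.TlsSenderCertificateName
        SenderIPAddresses = ($c.SenderIPAddresses -join ', ')
        SenderDomains     = ($c.SenderDomains -join ', ')
    }
}

Disconnect-ExchangeOnline -Confirm:$false

# ---- Part 2: on-premises side ----
function ConvertTo-ExchangeBuild {
    # AdminDisplayVersion renders as "Version 15.2 (Build 1118.7)". Fold the four numbers into one
    # [Version] so builds compare numerically. Caveat: this reflects the Cumulative Update level only;
    # Security Updates do not change it, so a server can pass this check and still miss SUs.
    param([string]$AdminDisplayVersion)
    if ($AdminDisplayVersion -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return [Version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
    }
    return $null
}

Get-ExchangeServer | ForEach-Object {
    $build = ConvertTo-ExchangeBuild -AdminDisplayVersion $_.AdminDisplayVersion.ToString()
    [PSCustomObject]@{
        Server   = $_.Name
        Roles    = $_.ServerRole
        Build    = $build
        Outdated = ($null -eq $build) -or ($build -lt $MinimumBuild)   # unparseable counts as outdated
    }
}

# The 220 greeting each receive connector sends to connecting MTAs. It is an administrator-set
# string (Set-ReceiveConnector -Banner), so it is not evidence of the installed build on its own.
Get-ReceiveConnector | Select-Object Identity, Bindings, Banner
```

Run Part 2 even if Part 1 reports no OnPremises connectors: a server that is not on the hybrid path is outside this throttling, but its build still decides whether it carries the unpatched flaws the first post in the thread refers to. For the Security Update level, which this script deliberately does not infer, use Microsoft's HealthChecker script rather than AdminDisplayVersion.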