As time progresses, Microsoft's cloud-first focus becomes clearer. The pace of Microsoft Exchange releases continues to decrease. Maintenance of the system becomes more reactive. The supporting infrastructure also becomes an ever-growing hassle.
If the Exchange support staff are not continuously monitoring Microsoft announcements, missing patches for zero-day exploits is almost a certainty. Should the system be compromised, what happens next? Is there a plan in place? Also, as the release frequency decreases, is the hardware being refreshed as often? Does it have a current support contract? What do backups look like, and are they regularly tested?
As the COVID-19 pandemic showed, staff may be required to work remotely for an extended period, with little to no warning. Is the entire on-premises IT infrastructure that Microsoft Exchange depends upon ready to support this, for a month, a year, or years?
Security for Microsoft Exchange
Unlike most on-premises IT infrastructure, at least some of the Microsoft Exchange services need to be exposed to the Internet. Sending and receiving e-mail requires connections through the corporate firewall, even if using a “trusted” third-party relay service. Additionally, most staff expect access to corporate e-mail on mobile devices, and while VPN services can provide protection, they also make the devices more difficult to use and support.
As a system that is publicly exposed to some extent, zero-day security exploits are even more of an issue than with other IT infrastructure.
Zero-days in the last couple of years:
- March 2, 2021 - HAFNIUM targeting Exchange Servers with 0-day exploits
- March 31, 2021 - CISA Orders Agencies to Conduct Fresh Scans of Microsoft Exchange Servers
- May 11, 2021 - Patch Tuesday - Microsoft Exchange Server vulnerability
- May 24, 2021 - Hackers started scanning for vulnerable Exchange servers minutes after patches were released
- June 8, 2021 - Microsoft June 2021 Patch Tuesday: 50 vulnerabilities patched, six zero-days exploited in the wild
- July 14, 2021 - Microsoft Exchange Server Remote Code Execution Vulnerability
- October 13, 2021 - Microsoft Exchange Server Elevation of Privilege Vulnerability
- November 11, 2021 - Microsoft Exchange Server Remote Code Execution Vulnerability
- January 11, 2022 - Microsoft Exchange Server Remote Code Execution Vulnerability
- March 9, 2022 - Microsoft Exchange Server Remote Code Execution Vulnerability
- May 10, 2022 - Microsoft Exchange Server Elevation of Privilege Vulnerability
- August 9, 2022 - Microsoft Exchange Server Elevation of Privilege Vulnerability
- October 3, 2022 - Microsoft Exchange Server Remote Code Execution Vulnerability
- November 9, 2022 - Microsoft Exchange Server Elevation of Privilege Vulnerability
Unfortunately, these are usually cumulative updates that effectively remove the Microsoft Exchange software (leaving the data behind) and install a “new” version of Exchange. This is often a multi-hour project, just to patch the server!
How much do you trust your backups? If you missed one of these patches, and your company e-mail is now public, does that matter? There are many remote code execution vulnerabilities, which could allow attackers further access to your network. Is that an issue?
Operations of Microsoft Exchange
If the Microsoft Exchange server is down, your company’s communications, both internal and external, are effectively off. Is the hardware hosting Exchange set up for high availability, with redundant storage, network, and compute resources? Is it new? What is the service level agreement on hardware replacement? How broken can the hardware be and still function? What does the power look like: are there redundant UPS units and/or generators to keep the server running? Are redundant firewalls with redundant Internet access in place to keep the mail flowing?
All the Other Stuff
We have focused on Microsoft Exchange, for which Microsoft 365 addresses ALL of the issues outlined above. The table below contains just a few of the many additional services that are included in Microsoft 365 beyond the built-in, fully managed electronic mail service. We would be happy to go over how these services and the others in Microsoft 365 can help your business thrive and grow.
| Microsoft 365 | Feature |
| --- | --- |
| Outlook | Electronic Mail |
| Word | Word Processing |
| Excel | Spreadsheet |
| PowerPoint | Presentation software |
| Teams | Online Meetings |
| Teams | Text Messaging |
| Outlook | Scheduling |
| OneDrive / SharePoint | File Storage |
| Forms | Surveys and Questionnaires |
| SharePoint | Code Free Internal Websites |
| OneNote | Ad Hoc Notetaking |
| SharePoint | Search organizational content |
| Power Automate | Low code online automation |
| Sway | Collaborative Storytelling |
| Endpoint Manager | Device Management Security |
| Compliance | Electronic Discovery |
| Delve | Collaboration overview |
| Access | Local file database |
| Bookings | Tool for scheduling meetings |
| Customer Voice | Capture feedback |
| Power Apps | Mobile and Web application builder |
| Power BI | Ad hoc and dynamic data dashboards |
Costs of Microsoft Exchange
Never having to back up, patch, or monitor is worth much more than just the IT staff time saved to work on other projects. Having staff continue to work as well remotely as in the office, without outages for maintenance, is a much larger benefit. Keeping hardware up to date, and even new Exchange licenses (if Microsoft releases a new version), are also costs that need to be considered.
Microsoft Exchange Migration
iuvo can efficiently and reliably address this issue. Given our experience and seasoned IT consultants, we will get the migration into Microsoft 365 right the first time. We can come up with the solution that works for your business, and not force you into a particular approach that works for us. We do this often, and when we are done you can be certain the security of your cloud-based mail system is correct, and your data can be accessed safely and reliably.
If you are interested in learning more, please contact us today to get started.