Microsoft uses carrot and stick with Exchange Online admins

Some Exchange Online users who have the RPS feature turned off by Microsoft can now have it re-enabled – at least until September when the tool is retired. Microsoft is moving all of its Exchange Online tenants from the legacy – and increasingly insecure – Remote PowerShell Protocol to the PowerShell v3 module. The first step …

  1. Ken Moorhouse Silver badge

    ...let us turn it off and wait to see what happens...

    That sounds very -er- scientific.

    1. J. Cook Silver badge

      Re: ...let us turn it off and wait to see what happens...

      We refer to it internally as the "scream test" - turn it off and see who screams. :)

    2. Jou (Mxyzptlk) Silver badge

      Re: ...let us turn it off and wait to see what happens...

      Not much of a choice. We have to do it the same way: Warn, deadline, communicate and so on, but there are always those lazy users who ignore everything from IT.

      U: "Hey, it does not work"

      IT: "Yeah, it is called maintenance"

      U: "Need it now"

      ...etc...etc...

  2. spuck

    Zero-Trust model?

    > Such Exchange servers are not trusted within Microsoft's zero-trust security model.

    So by blocking e-mails from outdated versions of Exchange, Microsoft is admitting that Exchange Online, which is created, maintained, and patched by Microsoft themselves is not up to the challenge of handling e-mails from "untrusted" servers?

    I'm all for encouraging patching and maintenance, but deliberately breaking the underlying protocols that run the Internet is Not Cool, Microsoft.

    1. Roland6 Silver badge

      Re: Zero-Trust model?

      Don’t worry, Microsoft Defender will for reason unknown to MS tag any attempts to communicate with a non MS365 Exchange Server as potentially dangerous…

    2. Anonymous Coward

      Re: Zero-Trust model?

      This will only affect servers that are in hybrid mode, where the on premises servers have connectors to O365. They will not be throttling/blocking from on premises only servers (yet!).

      Regarding admitting that O365 is not up to the challenge. Nobody can be 100% certain they can catch everything, so taking action against unpatched on prem server seems fair enough to me. There are plenty of tools you can use to check & remediate on prem servers and the Exchange team generally do a very good job at keeping customers updated, unlike some other parts of Microsoft. If you manage Exchange or O365, keeping an eye on the official Exchange blog should be part of your daily routine.

      The most peculiar thing is their definition of zero-trust. This should mean treat absolutely EVERYTHING as hostile, regardless of patch status. So while I can see that the action they are taking is worthwhile it isn't because of a "zero trust model". It is more like a "provable trustworthiness model".

      1. 43300 Silver badge

        Re: Zero-Trust model?

        "Regarding admitting that O365 is not up to the challenge. Nobody can be 100% certain they can catch everything, so taking action against unpatched on prem server seems fair enough to me."

        Yes, indeed. Microsoft deserve criticism for lots of things but this actually seems a sensible step.

        Who doesn't patch their Exchange servers? Talk about asking for trouble!

        1. Diogenes8080

          Re: Zero-Trust model?

          Exactly. Anyone who has been obliged for commercial reasons to accept traffic from a legacy relay knows how miserable that is. The EXO team are merely getting peevish at the amount of tat relayed in from weak customers. The fact that the EXH server software has bugs to exploit is another question.

          For those looking for the EXO blog on throttling stale Exchange, it's here:

          https://techcommunity.microsoft.com/t5/exchange-team-blog/throttling-and-blocking-email-from-persistently-vulnerable/ba-p/3762078

  3. Jou (Mxyzptlk) Silver badge

    Article missing crucial details...

    Several times mentioning "old Exchange Servers", but never mentioning which Exchange Server and CU Level are, at least, expected. Which makes the article useless. As useless as Microsoft's own information which does not have a clear written list but rather walls of text written by ChatGPT marketing functions - always including the "2 min read", which is not enough to actually interpret and understand what Microsoft writes in its perfectly convoluted way.

    1. 43300 Silver badge

      Re: Article missing crucial details...

      I assume they mean Exchange servers currently in support, which means 2016 or 2019 on the latest CU or the previous one.

      There's definitely room for improvement in the process for deploying CUs, which is basically a manual upgrade installation.

      1. keith_w

        Re: Article missing crucial details...

        I would assume they mean any version of Exchange that is not up to date with the latest CU no matter how old. There are lots of companies that won't pay for an upgrade unless they absolutely have to.

        1. 43300 Silver badge

          Re: Article missing crucial details...

          If it's older than 2016 it's out of support so they won't be issuing new patches or CUs any more.

          1. Anonymous Coward

            Re: Article missing crucial details...

            Exchange 2019 - Supported current or previous CU.

            Exchange 2016 - Supported current CU only.

            Exchange 2013 - End of life this week, along with Office 2013.

      2. Jou (Mxyzptlk) Silver badge

        Re: Article missing crucial details...

        Yep, that is exactly my point: We have to assume.

      3. Roland6 Silver badge

        Re: Article missing crucial details...

        2013 is still in support until April 11, 2023…

        I suspect there are many (probably SMEs) still running 2013, I interpret this as potentially being a bit of a kick to these users to migrate to M365 and Exchange Online and decommission (rather than retain) their WS2012 systems…

        1. 43300 Silver badge

          Re: Article missing crucial details...

          Even if you move the mailboxes to Exchange online, you still need a local Exchange server for account management if you use hybrid local / Azure AD user accounts.

          Well, you CAN get rid of the Exchange server, but creating and managing accounts without one creates a load of extra hassle which most would prefer to avoid!
