Exchange on-premises hack: who still has servers?
I started my career on Exchange 5.0 in late 1997, and the product remained my main skill area for nearly 22 years. In that time I dealt with hacking attempts and defacement of OWA, fought stability battles and lived through the architecture changes Microsoft made as it evolved the system towards cloud capability. My own career moved from on-premises infrastructure through virtualisation to cloud services, because that was where I could see the rest of the industry going. It left me wondering who still has servers on-premises, and in particular who still has Exchange servers.
For many years Microsoft has been encouraging users of the world's most popular email platform to migrate to Exchange Online. The Exchange architecture was gradually changed from a proprietary MAPI/RPC connection straight to the database towards HTTP requests that are routed to any of many highly available database copies. This change made it practical for Outlook to connect to an Internet-hosted system and reduced the fork-lift impact of an upgrade: move to a client that can do both MAPI/RPC and HTTP, then move the servers to HTTP, then move the servers into the cloud.
Alongside this client change, Microsoft tied many Office 365 services to the user's cloud identity, which an organisation acquires when its mailboxes move to Exchange Online. The easiest route for a company to reach Office 365 services was therefore to begin with a migration of Exchange to Exchange Online. To make this easier still, Microsoft provided a migration wizard and a hybrid configuration that allows a gradual, low-impact transition over months without users noticing.
So, Exchange Online was easy, encouraged and integrated. Many businesses followed and moved their corporate email to the cloud, and much of their other data and services joined it.
However, some businesses did not migrate to Exchange Online. The most recent version released for on-premises servers is Exchange 2019, but there are still organisations running Exchange 2010, which left extended support in October 2020.
It came as a surprise to me when the recent vulnerability in on-premises Exchange was announced. I had assumed that most organisations had already made the move to Exchange Online, since Microsoft had made it so much easier to go to Exchange Online than to keep maintaining local Exchange servers.
So the requirement never goes away: if you run systems on-premises, you must continually patch the operating system, the applications, the drivers and firmware, and the tools you use to manage them. On top of that you need perimeter protection such as firewalls and reverse proxies, effective monitoring and regular audit of configuration and practice, and a clear plan for responding to an attack. Or you move to a SaaS solution from a trusted cloud provider, which does the platform patching and hosting for you; what stays with you is the identity, configuration and access control of your tenant.
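The first step in "continually patch" is knowing what you actually have. As an added example (not code from the original post), the following PowerShell, run from the Exchange Management Shell, inventories every on-premises Exchange server and reports the installed build. `Get-ExchangeServer`'s `AdminDisplayVersion` only changes with a Cumulative Update; the file version of `ExSetup.exe` also moves with Security Updates, so it is the value to compare against Microsoft's published Exchange build numbers. It assumes WinRM access to each server; the CSV output path is an assumption.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Assumes WinRM (Invoke-Command) access to every Exchange server; the output
# file name is an arbitrary assumption.

$report = foreach ($srv in Get-ExchangeServer) {
    # ExSetup.exe's file version reflects the last Security Update applied,
    # whereas AdminDisplayVersion only reflects the Cumulative Update level.
    $exsetup = Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock {
        $path = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
        (Get-Item $path).VersionInfo.FileVersion
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server              = $srv.Name
        Role                = $srv.ServerRole
        Edition             = $srv.Edition
        AdminDisplayVersion = $srv.AdminDisplayVersion.ToString()
        ExSetupFileVersion  = if ($exsetup) { $exsetup } else { 'unreachable' }
    }
}

# Servers that could not be queried deserve attention in their own right:
# an unreachable server is one nobody is patching.
$report | Sort-Object Server | Format-Table -AutoSize
$report | Export-Csv -Path .\exchange-build-inventory.csv -NoTypeInformation
```

Compare the `ExSetupFileVersion` column against the current build for each Cumulative Update; any server behind the latest Security Update, or reporting `unreachable`, goes to the top of the remediation list.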