Microsoft uses carrot and stick with Exchange Online administrators • The Register
Exchange Online customers that have had Microsoft’s RPS feature turned off can now have it re-enabled, at least until September, when the tool is retired.
Microsoft is moving all of its Exchange Online tenants from the legacy, and increasingly insecure, Remote PowerShell (RPS) protocol to the Exchange Online PowerShell v3 module. The first step comes on April 1, when Redmond begins blocking RPS connections for tenants created on or after that date.
In June, Microsoft will begin disabling RPS for all Exchange Online customers. The RPS module will be retired on September 1 and switched off for all tenants by October 1. For businesses, however, the transition is more than the flick of a switch, so Microsoft is giving customers a way to buy more time.
“Customers who need more time to transition can turn RPS back on (if we’ve turned it off for you) and use it a little longer,” the Exchange Online team wrote in a blog post, linking to a self-service tool in the Microsoft 365 and Exchange admin centers for requesting renewal or reactivation.
“We’re adding this tool to help you minimize disruption when you step away from using RPS. We want you to use the tool only when you really need to use RPS, and not just because you think you might need to.”
Hardening Exchange Online
The discontinuation of RPS is one of a number of measures Microsoft is taking to secure Exchange Online against cyber threats. The protocol carries client-to-server communication for PowerShell cmdlets and is the interface for managing Exchange Online from the command line.
In September 2022, however, Redmond released the more modern Exchange Online PowerShell v3 module and set the clock ticking for the demise of RPS.
PowerShell v3 promises significant reliability and performance improvements over RPS, such as REST API-based cmdlets that reduce errors caused by network delays or long-running queries. On the security side, a key benefit is support for modern authentication methods (Modern Auth) such as multi-factor authentication (MFA).
The change in Exchange Online is the latest step in a portfolio-wide rollout of Modern Auth that the software giant began more than three years ago. Other applications, including Outlook Desktop and the Outlook mobile app, have already been updated.
Microsoft warned Exchange Online users about the upcoming deadlines in September and again earlier this month, but some have pushed back, convincing Redmond to roll out the renewal and reactivation process.
Steps to re-enable RPS
The vendor outlines steps companies can take to determine whether RPS has been disabled for their tenant and, if so, how to re-enable it.
“To reiterate, requiring an opt-out for RPS could expose your tenant data to a security risk,” the Exchange Online team wrote. “If you’re not sure if you need RPS, let’s turn it off and see what happens. You can always re-enable it using the tool until September 2023, and while that may cause disruption, the upside is that it does help define the work you need to do before October 2023.”
Giving users extra time with RPS comes during a week of security news from the company’s first Microsoft Secure event and a week after Exchange Online was further hardened by blocking email from unsupported and unpatched Exchange servers.
Bring these Exchange servers up to date
Vulnerable on-premises Exchange servers are popular targets for criminals because of the critical data they store. Thousands of such servers are still in use, and Microsoft has urged administrators to fix them. Now it is promising to throttle or block email sent from those servers, which the company hopes will slow down communications and disrupt business operations enough to convince admins to update and patch them.
Such Exchange servers are not trusted in Microsoft’s Zero Trust security model.
“As a result, email messages sent by them cannot be trusted,” the Exchange Online team wrote. “Persistently vulnerable servers greatly increase the risk of security breaches, malware, hacking, data exfiltration, and other attacks.”
“Many customers have taken steps to protect their environment, but there are still many Exchange servers that are no longer supported or are significantly behind in updates.”
Microsoft is adding a mail flow report to the Exchange admin center. It works with the Exchange Server Health Checker tool, which collects a range of information, including which servers are unsupported or unpatched; the mail flow report gives tenants details about such Exchange servers.
If a server isn’t remediated, Exchange Online slows down email coming from it by returning a retriable SMTP 450 error, forcing the server to resend the message later. Throttling will increase over time if the Exchange server is not brought up to date.
If the administrator still hasn’t remediated the server after 30 days, Exchange Online will switch to blocking the messages, returning a permanent SMTP 550 error and sending a non-delivery report (NDR).
“Enforcement actions will escalate over time (e.g. increase throttling, add blocking, increase blocking, full blocking) until the server is resolved: either decommissioned (for end-of-life versions) or updated (for supported versions with available updates),” wrote the Exchange Online team. ®
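As an added example (not from the article or from Microsoft), the following Python classifies the enforcement stage described above from an on-premises server’s outbound SMTP session log: 450 responses mean the server is being throttled and the message will be retried, while a 550 means blocking with an NDR is in effect. The log format, the response wording and the `out of date` marker used to tell enforcement apart from unrelated errors such as greylisting are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample of an on-premises server's outbound SMTP session log to
# Exchange Online. The format ("<ISO timestamp> < <code> <text>") and the
# response wording are assumptions for this example, not Microsoft's strings.
SAMPLE_LOG = """\
2023-03-01T10:00:05Z < 250 2.1.0 Sender OK
2023-03-01T10:00:06Z < 450 4.7.0 Connecting Exchange server version is out of date; throttled, retry later
2023-03-05T11:20:00Z < 450 4.7.1 Greylisted, please try again later
2023-03-10T09:12:41Z < 450 4.7.0 Connecting Exchange server version is out of date; throttled, retry later
2023-04-02T08:30:17Z < 550 5.7.0 Connecting Exchange server version is out of date; blocked, NDR sent
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) < (?P<code>\d{3}) (?P<text>.*)$")
# Assumed marker that distinguishes hardening enforcement from unrelated
# 4xx/5xx responses such as greylisting.
HARDENING_RE = re.compile(r"out.of.date", re.IGNORECASE)


def parse_responses(log):
    """Yield (timestamp, code, text) for each server response line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, int(m["code"]), m["text"]


def enforcement_state(log):
    """Return the enforcement stage: 'none', 'throttled' (450, retried later)
    or 'blocked' (550 with NDR, which the article says follows ~30 days)."""
    first_throttle = last_seen = None
    throttled = blocked = 0
    for ts, code, text in parse_responses(log):
        if not HARDENING_RE.search(text):
            continue  # unrelated transient/permanent error, e.g. greylisting
        last_seen = ts
        if 400 <= code < 500:
            throttled += 1
            first_throttle = first_throttle or ts
        elif 500 <= code < 600:
            blocked += 1
    stage = "blocked" if blocked else "throttled" if throttled else "none"
    days = (last_seen - first_throttle).days if first_throttle else 0
    return {"stage": stage, "throttled": throttled, "blocked": blocked,
            "days_since_first_throttle": days}


if __name__ == "__main__":
    print(enforcement_state(SAMPLE_LOG))
```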
https://go.theregister.com/feed/www.theregister.com/2023/03/30/microsoft_hardening_exchange_online/