Microsoft confirmed on Thursday that it will not offer extended support for Exchange Server 2013 after April 11.
The software giant encouraged customers to move to Exchange Online to benefit from cloud-driven performance and security updates. Microsoft also continues to support Exchange Server 2019 for customers with on-premises requirements.
According to an announcement earlier this week, after April 11 Microsoft will no longer offer technical support for problems that may occur, bug fixes for issues that may impact the stability and usability of the server, security fixes for newly-discovered vulnerabilities or time zone updates. Last year, the company developed an end of support roadmap to help prepare Exchange 2013 customers for the cut-off date. Those options include migrating to Microsoft 365 or upgrading on-premise Exchange servers to more updated 2019 version.
While Exchange Server 2013 will continue to run after April 11, because of the potential security risks, the company “strongly recommends” that businesses migrate as soon as possible.
"We strongly believe that you get the best value and user experience by migrating fully to Microsoft 365. But we understand that some organizations need to keep some Exchange servers on-premises," the road map states. "This might be because of regulatory requirements, to guarantee data isn't stored in a foreign datacenter, because you have unique settings or requirements that can't be met in the cloud, or because you need Exchange to manage cloud mailboxes because you still use Active Directory on-premises."
Phil Neray, vice president of cyber defense strategy at CardinalOps, said recent attacks on Exchange servers, such as the one perpetrated by the Play ransomware gang on Rackspace, highlight the continued vulnerability of these older on-premises systems.
“This trend points to the increased attractiveness of migrating to cloud-hosted messaging services like Microsoft Exchange Online or Office 365, which are much easier to maintain — and keep secure,” said Neray.
With updated versions of Exchange and Exchange Online being superior alternatives, there’s no reason to stay with Exchange 2013, said Mike Parkin, senior technical engineer at Vulcan Cyber.
“The best option is to have replaced the application before it reaches the end of support,” said Parkin. “Most developers are up front about when a product is end-of-life and when it will reach end-of- support. This shouldn't be a surprise to anyone responsible for administering an organization's production applications. Unless there’s a very specific reason to keep an obsolete system in service, and the organization is willing to accept the risk, they should be replaced long before they become a security risk.”
Bud Broomhead, chief executive officer at Viakoo, said along with moving to Exchange Online or Exchange Server 2019, security teams should ensure that they have a plan for what to do if new vulnerabilities are found in those platforms. In the case of the 2021 Exchange Server data breach, one of the most concerning issues was the inability of organization to patch and remediate these systems quickly. it took months after the vulnerability was disclosed and a patch was available to get above 90% of systems remediated, he said.
“Very likely there are unpatched systems remaining in the wild because their operators lacked the visibility into those deployments or organizational capability to patch them. In a broader sense, this is an issue of lifecycle management," said Broomhead.