Exchange Server 2007 is 12 year old technology. Retire it.
Do you know if you use Exchange Server 2007? Do you know what a secure site is? For most people, it simply means that they see the green “secure” notification next to the web address they just typed in, and they wouldn’t be wrong. When you visit a secure website, your web browser of choice makes a request to a web server over TCP port 443, which is synonymous for HTTPS and website trust. That “S” in HTTPS stands for secure.
What makes your email server or website secure?
Well, early in the history of the web, HTTPS used a protocol called SSL, or secure sockets layer. While it is possible to see SSL in use today, it’s largely been replaced with TLS or Transport Layer Security, meaning your web browser makes a secure connection using TLS. TLS has multiple different revisions in its history, starting with TLS 1.0, 1.1, and the current version of 1.2.
Why should you care about your email and website security?
It turns out that TLS 1.0 is used by a MASSIVE number of web server products and applications. For the purpose of this example, we’re going to focus on Microsoft’s Exchange Server 2007. That name alone, 2007, should be warning enough. Here we are in 2017, but a surprising number of Exchange 2007 servers are still in production. Of course, we can help you migrate from Exchange 2007 to Office 365 or Exchange 2016.
Website trust can effect on your business.
Do you own or operate a financial business where your business IT needs to pass quarterly PCI compliance scans? Are you using Exchange 2007? Well, I’m sorry to say that’s a problem. It turns out that the security protocol HARD CODED into Exchange 2007 is the ancient TLS 1.0. The PCI Council has stated that TLS is end of life as it provides relatively weak security, and it should be replaced. Because Microsoft retired Exchange 2007 from mainstream support (extended support ends in April of 2017), absolutely no feature updates will be made for the product. That means you can’t migrate to TLS 1.1 or 1.2 to solve the problem.
How Do You Solve the Exchange 2007 TLS1 problem?
You need to replace Exchange 2007 with a newer version that utilizes one of these newer protocols, or face failing your PCI scans. Thankfully, the PCI Council has given companies a grace period until June 30th of 2018, allowing companies to give details of their plan to move away from the product using TLS 1.0 instead of giving them a hard “fail” on their PCI scan. With that said, the clock is ticking.
A grace period doesn’t mean you should wait.
While the PCI Council has given leeway on products that use TLS 1.0, I’d like to point out that those of you that are still using Exchange 2007 still
- shouldn’t wait
. Remember when Microsoft decided to retire Windows XP? When they finally decided to pull the trigger and stop releasing updates, it took exactly 24 hours for that product to be compromised with a zero day attack. While you might have a little runway left with TLS 1.0 and the PCI Council, the runway for security updates on Exchange 2007 is nearly gone. April 11th, 2017, is that day for Exchange 2007. I don’t suggest you wait until April 12th, only to discover your e-mail server has been turned into a spam bot for a hacker somewhere in Eastern Europe.
Written by:
Patrick Massey
Partner of Network Medics
Minnesota Business IT Consultant
Questions about
