
Microsoft Exchange Server 2019 Upgrade, Exchange server 2025 SE and Security updates

Introduction

In this pivotal update by Scott Schnoll of Microsoft (Read the announcement here), significant developments are detailed concerning Microsoft Exchange Server’s future roadmap as it evolves to meet the demands of on-premises customers, hosted services providers, and partners in the UK. With a clear trajectory set towards enhancing security and operational efficiency, let’s delve into what these changes are and how they affect your business.

Key Announcements

1. Final Cumulative Update for Exchange Server 2019 (CU15)

As Microsoft gears up for its transition to the Exchange Server Subscription Edition, it is set to release one last significant Cumulative Update (CU) for Exchange Server 2019—CU15. This update, expected to roll out in the second half of 2024, encapsulates several vital enhancements and new features designed to bridge users to the new subscription-based model effectively while bolstering security and functionality for current environments.

New Features in CU15:

  • Support for TLS 1.3:
    Transport Layer Security (TLS) 1.3 is the latest revision of the internet’s most critical security protocol, which ensures that communications between web services and clients are private and secure. By adding support for TLS 1.3, CU15 will significantly enhance the security posture of Exchange Server 2019 by eliminating obsolete cryptographic algorithms, speeding up connections, and minimizing the potential for misconfigurations that could lead to vulnerabilities.
  • Certificate Management in the Exchange Admin Center (EAC):
    CU15 reintroduces expanded certificate management capabilities within the EAC. This enhancement will provide administrators with the ability to easily request new certificates, complete certificate requests after receiving them from the certification authority, export certificates as PFX files, and import certificates from PFX files. These features simplify the management of certificates, a critical component for securing Exchange servers.

System Compatibility and Updates:

  • End of Support for Exchange 2013 Coexistence:
    Reflecting its commitment to modernize the infrastructure, CU15 will remove support for coexistence with Exchange Server 2013, which reached its end of life in 2022. This change means that organisations will need to remove any Exchange 2013 installations before upgrading to CU15 or later versions to avoid compatibility issues.
  • Compatibility with Windows Server 2025:
    To stay aligned with the latest server technology, CU15 will introduce support for Windows Server 2025 upon its general availability. This ensures that organizations planning to upgrade their server infrastructure will continue to receive support on the latest platforms, thereby benefiting from newer technologies and security enhancements that Windows Server 2025 will offer.

Other Key Updates:

  • Update to Visual C++ Redistributable: CU15 will include the latest version of the Visual C++ redistributable that ships with Visual Studio 2022, ensuring compatibility with modern development standards and security best practices.
  • Removal of Deprecated Features: The update will remove support for the Unified Communications Managed API (UCMA) 6.0 and the instant messaging feature in Outlook on the web, streamlining the features and focusing on core functionalities.
  • Improvements in Server Integration: The update will also remove the Windows Message Queuing (MSMQ) component from the setup, enhancing server performance and security.

Preparing for the Update:

Organisations are advised to prepare for the update by ensuring that all pre-requisites are met, including the removal of unsupported Exchange versions and assessing the impact of removing deprecated features. Additionally, system administrators should plan for a test deployment to ensure that the update process will not disrupt operational workflows.
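
A read-only inventory of the blockers and removals listed above, as an added example (not from Microsoft's announcement or from this article's author). It assumes the Exchange Management Shell on an Exchange Server 2019 machine, matches UCMA by display name rather than by a specific version, and uses the hypothetical variable names shown.

```powershell
# Added example: pre-CU15 readiness inventory. Read-only, changes nothing.
# Assumption: run from the Exchange Management Shell on an Exchange 2019 server.

# 1. Exchange 2013 servers still in the organisation (their version starts with 15.0).
$legacy = @(Get-ExchangeServer |
    Where-Object { $_.AdminDisplayVersion.ToString() -match '^Version 15\.0 ' } |
    Select-Object Name, ServerRole,
        @{ Name = 'Version'; Expression = { $_.AdminDisplayVersion.ToString() } })

# 2. MSMQ Windows features currently installed on this server.
$msmq = @(Get-WindowsFeature -Name 'MSMQ*' |
    Where-Object Installed |
    Select-Object -ExpandProperty Name)

# 3. UCMA runtime, found by display name in the uninstall registry keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$ucma = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Unified Communications Managed API*' } |
    Select-Object -ExpandProperty DisplayName)

# 4. Outlook on the web policies that still have instant messaging enabled,
#    so affected users can be told before the feature is removed.
$imPolicies = @(Get-OwaMailboxPolicy |
    Where-Object InstantMessagingEnabled |
    Select-Object -ExpandProperty Name)

# Summary: Exchange 2013 coexistence is the one hard blocker; the rest are
# items to assess before the test deployment.
[pscustomobject]@{
    Exchange2013Servers   = $legacy.Count
    BlocksUpgrade         = ($legacy.Count -gt 0)
    MsmqFeaturesInstalled = $msmq -join ', '
    UcmaInstalled         = $ucma -join ', '
    OwaPoliciesWithIM     = $imPolicies -join ', '
}

# List the Exchange 2013 servers that must be removed first, if any.
$legacy | Format-Table -AutoSize
```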

2. Exchange Server Subscription Edition (SE)

As the digital workplace evolves, so does the infrastructure that supports it. Microsoft is poised to introduce the Exchange Server Subscription Edition (SE) in early Q3 of 2025, marking a significant shift in how organizations deploy and manage their email services. This new edition builds on the solid foundation of Exchange Server 2019, introducing a subscription-based model and several key enhancements to meet the modern enterprise's needs.

Overview of Exchange Server SE

Exchange Server SE represents the next generation of Microsoft's email server solutions, transitioning from a perpetual license model to a subscription-based approach. This aligns with Microsoft's broader strategy to offer more flexible and up-to-date service options, similar to those seen with SharePoint Server Subscription Edition. The licensing model requires active Software Assurance or subscription licenses, ensuring users receive continuous updates and support without the need for separate upgrade purchases.

Key Features and Innovations:

  • Continued Support for Current Hardware and OS Requirements:
    Exchange Server SE will maintain the same hardware and operating system requirements as Exchange 2019 CU15. This includes support for the newly introduced Windows Server 2025, allowing organizations to leverage their existing infrastructure investments while benefiting from the latest software advancements.
  • Modern Lifecycle Support Policy:
    The introduction of Exchange Server SE also comes with a commitment to the modern lifecycle support policy. This policy ensures that the product will receive continuous support and updates, which is crucial for maintaining security and compliance in an ever-evolving threat landscape.
  • No Changes to Active Directory Schema:
    For organizations concerned about the complexity of upgrades, Exchange Server SE will not require any changes to the Active Directory schema beyond those already implemented in Exchange Server 2019. This simplifies the upgrade process and reduces the administrative overhead associated with deploying a new server edition.
  • RTM Release Tied to Previous CU:
    The RTM (Release to Manufacturing) version of Exchange Server SE will be code equivalent to Exchange Server 2019 CU15, with only minimal changes such as the license agreement update, product name and version number adjustments. This ensures that the transition to the Subscription Edition is as smooth as possible, minimizing new learning curves and compatibility issues.

Upgrade Paths

  • In-place Upgrade:
    The fastest and easiest method to transition from Exchange Server 2019 to the Subscription Edition is through an in-place upgrade. This process is designed to be as straightforward as installing a regular cumulative update, allowing IT administrators to upgrade with minimal disruption to operations.
  • Legacy Upgrade:
    For organisations that need to overhaul their infrastructure—perhaps due to hardware upgrades or because they're running significantly older versions of Exchange—a legacy upgrade path is also supported. This involves setting up new server installations and migrating services and data accordingly, a more time-consuming but sometimes necessary approach.

Strategic Benefits

The shift to a subscription model offers several strategic advantages:

  • Predictable Spending: Budgeting for server software becomes more predictable with subscription licensing, which includes ongoing updates and support.
  • Always Up-to-Date: Subscribers will automatically receive the latest features, security updates, and performance improvements, ensuring that the server environment aligns with current standards.
  • Scalability and Flexibility: As organizational needs change, the subscription model allows for easier scaling of services and quicker adoption of new capabilities without waiting for major release cycles.

Conclusion

The Exchange Server Subscription Edition is a forward-thinking solution designed to meet modern organizational demands for flexibility, security, and continual improvement. By maintaining compatibility with existing systems while also introducing a streamlined upgrade process and a subscription-based licensing model, Microsoft is ensuring that organizations can remain agile and secure in their communications infrastructure. As we approach its release, businesses should begin planning for the integration of Exchange Server SE into their IT ecosystems to leverage its full potential.

3. Security Updates and Zero-Day Vulnerabilities

As disclosed by Trend Micro's Zero Day Initiative and covered by BleepingComputer, Exchange Server is affected by zero-day vulnerabilities allowing remote code execution (RCE) and data theft. Despite the authentication requirement, the severity of these vulnerabilities (ZDI-23-1578 through ZDI-23-1581) is high. Microsoft has provided patches for some and clarified the impacts of others.

Overview of Recent Zero-Day Vulnerabilities

A series of zero-day vulnerabilities reported by Trend Micro's Zero Day Initiative (ZDI) has underscored the potential risks facing Exchange servers. These vulnerabilities allow for remote code execution (RCE) and sensitive data disclosure, posing serious threats to organizations using affected Microsoft Exchange versions. The vulnerabilities are as follows:

  • ZDI-23-1578: This remote code execution flaw exists in the 'ChainedSerializationBinder' class, where user data isn't adequately validated, allowing attackers to deserialize untrusted data and potentially execute arbitrary code with SYSTEM privileges.
  • ZDI-23-1579: Found in the 'DownloadDataFromUri' method, this vulnerability arises from insufficient validation of a URI before resource access, which could be exploited to access sensitive information.
  • ZDI-23-1580: Similar to ZDI-23-1579, this flaw in the 'DownloadDataFromOfficeMarketPlace' method also results from improper URI validation, potentially leading to unauthorized information disclosure.
  • ZDI-23-1581: Present in the 'CreateAttachmentFromUri' method, this vulnerability shares similarities with the others, with inadequate URI validation potentially risking sensitive data exposure.

These vulnerabilities, although requiring authentication for exploitation, emphasize the importance of securing Exchange environments, particularly against attacks that could leverage stolen credentials.

Microsoft's Response and Mitigation Strategies

Despite the initial decision by Microsoft not to immediately patch these vulnerabilities, due to their authentication requirement and perceived lower risk, the potential for these vulnerabilities to be exploited remains a significant concern. Microsoft has since taken steps to address some of these vulnerabilities, with patches and security updates incorporated into later releases. However, the need for organizations to take proactive security measures is clear.

Recommended Security Measures

To mitigate the risks associated with these vulnerabilities and enhance the overall security posture of Exchange Server installations, organizations should consider the following strategies:

  • Apply All Available Security Updates Promptly:
    Ensure that all Exchange servers are up-to-date with the latest security patches, especially those that address known vulnerabilities.
  • Implement Multi-Factor Authentication (MFA):
    MFA provides an additional layer of security by requiring multiple forms of verification to access accounts, significantly reducing the risk of unauthorized access even if credentials are compromised.
  • Limit Exposure of Exchange Servers:
    Minimize the exposure of Exchange servers to the internet where possible, implement strict access controls, and apply network segmentation and Zero Trust principles to Exchange servers to reduce the attack surface on your internal environment.
  • Regular Security Audits and Monitoring:
    Conduct regular security audits to identify and remediate potential vulnerabilities or misconfigurations. Continuous monitoring for suspicious activities can also help in early detection of potential security breaches.
  • Education and Training:
    Regular training sessions for IT staff and end-users on the latest security threats and best practices can reduce the risk of security breaches due to human error or phishing attacks.

Conclusion

The upcoming updates to Exchange Server, including the final Cumulative Update for Exchange Server 2019 (CU15) and the introduction of the Exchange Server Subscription Edition (SE) in 2025, represent significant milestones designed to enhance operational efficiency, security, and adaptability for the organisations that rely on it. These updates are crucial in ensuring that Exchange Server remains a robust, secure, and flexible platform that can meet the dynamic needs of modern enterprises, particularly in the UK.

The introduction of advanced security protocols such as TLS 1.3 in CU15, alongside improved certificate management and system updates, will bolster the security framework necessary to protect against emerging cyber threats. Additionally, the transition to a subscription-based model with Exchange Server SE offers a strategic advantage by ensuring that businesses can benefit from continuous updates and support, thereby maintaining compliance and leveraging the latest technological advancements without the need for extensive overhauls.

Moreover, the recent spotlight on zero-day vulnerabilities highlights the critical need for ongoing vigilance and proactive security measures. Organizations must prioritize regular updates, implement robust authentication methods, and adhere to best practices in cybersecurity to safeguard their infrastructures against potential threats.

With the upcoming end of life for older versions and new releases on the horizon, now is the optimal time for UK businesses to plan their upgrade to ensure continued compliance and enhanced security.

Due to the ongoing threat of zero-day vulnerabilities, we recommend that organisations read our articles on Cybersecurity For Financial Services and Cybersecurity for the Energy and Utilities Sector, which discuss mitigations for zero days including micro-segmentation and zero trust networks.