Guidance for Hosted End-Of-Life Microsoft IIS 8.5
Update as of February 1, 2024
As of January 2, 2024, Microsoft removed the DNS entry for
m that was used in configuring the lyncdiscovery DNS entry for Teams. As such, findings that could not be controlled by policyholders were remediated at that time.
Microsoft Internet Information Services (IIS) is the default web server technology for the Microsoft ecosystem and accounts for more than 5% of website hosting globally. Additionally, all Microsoft products with web interfaces are served by IIS.
Initially released in 1995, Microsoft IIS has undergone significant changes over the years. As new versions are released, other older versions are transitioned to end-of-life (EOL) status, meaning they are no longer supported or updated by Microsoft.
Unfortunately, EOL software products are highly vulnerable to cyber-attacks as businesses continue to use unsupported versions, making them a target for cybercriminals. In fact, Coalition claims data has shown that policyholders using EOL software were three times more likely to experience a cyber insurance claim.
As a standard practice, Coalition provides a one-month grace period after the software reaches EOL status before notifying policyholders. At the end of that grace period, we notify policyholders if they are running an EOL software product so they can take action to mitigate the risks.
Microsoft IIS 8.5 shipped in 2013 as part of Windows Server 2012 R2 and was transitioned to EOL status on October 10, 2023. So, following our standard practice and using Coalition Control™, our cyber risk management platform, we began notifying policyholders running Microsoft IIS 8.5 one month later on November 10, 2023.
Control generated a significantly larger volume of notifications than anticipated, and upon further investigation, we found a surprising cause. We discovered that some policyholders who received an EOL notification for Microsoft IIS 8.5 were not self-hosting Microsoft IIS 8.5 but were, in fact, customers of Microsoft Teams. These customers had followed installation instructions for Teams-only installs and configured a DNS entry pointing to this system:
Microsoft hosts this system, which continues to run EOL IIS 8.5 as shown by the output below:
% curl -ki webdir.online.lync.com
HTTP/1.1 200 OK
: Tue, 19 Dec 2023 14:27:07 GMT
What to do moving forward
Coalition has contacted Microsoft for an update on when they plan to address this issue for our mutual customers. In the interim, we have temporarily halted our detection of Microsoft IIS 8.5 as an EOL technology, as Microsoft Teams is a supported application. This change will be reflected in scan updates through the end of this week, after which affected policyholders should no longer see this issue or receive notifications while we work with Microsoft on a resolution.
Understandably, some policyholders have been confused by this detection and notification as they cannot take action to resolve the issue on their own. When in doubt, brokers and policyholders can open a ticket or schedule a call with Coalition's Security Support Center for assistance.