
Security Alert: Guidance for Hosted End-Of-Life Microsoft IIS 8.5

Update as of February 1, 2024

As of January 2, 2024, Microsoft removed the DNS entry for webdir.online.lync.com that was used in configuring the lyncdiscover DNS entry for Teams. As such, findings that could not be controlled by policyholders were remediated at that time.

Microsoft Internet Information Services (IIS) is the default web server technology for the Microsoft ecosystem and accounts for more than 5% of website hosting globally. Additionally, all Microsoft products with web interfaces are served by IIS.

Initially released in 1995, Microsoft IIS has undergone significant changes over the years. As new versions are released, older versions are transitioned to end-of-life (EOL) status, meaning they are no longer supported or updated by Microsoft.

Unfortunately, EOL software products are highly vulnerable to cyber-attacks: businesses that continue to run unsupported versions become targets for cybercriminals. In fact, Coalition claims data has shown that policyholders using EOL software were three times more likely to experience a cyber insurance claim.

What happened?

As a standard practice, Coalition provides a one-month grace period after the software reaches EOL status before notifying policyholders. At the end of that grace period, we notify policyholders if they are running an EOL software product so they can take action to mitigate the risks.

Microsoft IIS 8.5 shipped in 2013 as part of Windows Server 2012 R2 and was transitioned to EOL status on October 10, 2023. So, following our standard practice and using Coalition Control™, our cyber risk management platform, we began notifying policyholders running Microsoft IIS 8.5 one month later on November 10, 2023. 

Control generated a significantly larger volume of notifications than anticipated, and upon further investigation, we found a surprising cause. We discovered that some policyholders who received an EOL notification for Microsoft IIS 8.5 were not self-hosting Microsoft IIS 8.5 but were, in fact, customers of Microsoft Teams. These customers had followed installation instructions for Teams-only installs and configured a DNS entry pointing to this system: webdir.online.lync.com

Microsoft hosts this system, which continues to run EOL IIS 8.5 as shown by the output below:

    % curl -ki webdir.online.lync.com
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/8.5
    Date: Tue, 19 Dec 2023 14:27:07 GMT
    Content-Length: 0
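The distinction described above, between a policyholder running IIS 8.5 themselves and a DNS entry that merely points at the Microsoft-hosted system, can be expressed as a triage step over scan findings. The following is an added example, not Coalition's detection logic: the finding structure, the example.com hostnames and the sample responses are constructed assumptions.

```python
# Added example: decide whether an EOL-banner finding is actionable by the
# domain owner. Finding layout and sample data are constructed assumptions.

# CNAME target named in this alert; the server behind it is run by Microsoft.
THIRD_PARTY_TARGETS = {"webdir.online.lync.com"}
# Server banner treated as EOL (IIS 8.5, EOL on October 10, 2023 per the alert).
EOL_BANNERS = {"Microsoft-IIS/8.5"}


def server_banner(raw_response):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def triage(finding):
    """Classify a finding: 'not-eol', 'third-party-hosted' or 'self-hosted'."""
    if server_banner(finding["response"]) not in EOL_BANNERS:
        return "not-eol"
    # Normalise CNAME targets: lower-case and drop the trailing root dot.
    chain = [c.lower().rstrip(".") for c in finding["cname_chain"]]
    if any(c in THIRD_PARTY_TARGETS for c in chain):
        return "third-party-hosted"  # owner cannot patch or upgrade this server
    return "self-hosted"  # owner runs the EOL server and must upgrade it


# Constructed sample responses and findings (not real scan data).
IIS85 = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\nContent-Length: 0\r\n\r\n"
IIS10 = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nContent-Length: 0\r\n\r\n"

FINDINGS = [
    {"host": "lyncdiscover.example.com",
     "cname_chain": ["webdir.online.lync.com."], "response": IIS85},
    {"host": "intranet.example.com", "cname_chain": [], "response": IIS85},
    {"host": "www.example.com", "cname_chain": [], "response": IIS10},
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f['host']:28} {triage(f)}")
```

Only the "self-hosted" result calls for an upgrade by the domain owner; a "third-party-hosted" result is one the owner cannot resolve on their own.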

What to do moving forward

Coalition has contacted Microsoft for an update on when they plan to address this issue for our mutual customers. In the interim, we have temporarily halted our detection of Microsoft IIS 8.5 as an EOL technology, as Microsoft Teams is a supported application. This change will be reflected in scan updates through the end of this week, after which affected policyholders should no longer see this issue or receive notifications while we work with Microsoft on a resolution.

Understandably, some policyholders have been confused by this detection and notification as they cannot take action to resolve the issue on their own. When in doubt, brokers and policyholders can open a ticket or schedule a call with Coalition's Security Support Center for assistance. 
