How to disable basic or legacy authentication to set up MFA in Office 365


Susan Bradley again for CSO Online, reminding you of why disabling basic authentication is really important. We talked about it earlier in regards to Office 365, and now we’re going to talk about on-premise Exchange and how you can do it with Exchange 2019. But first, how about a little reminder of why passwords are, quite frankly, so easy for attackers to get to.

Recently there was a Microsoft blog put out that really showcases how easy it is for attackers to get our credentials. Let’s start out with credential stuffing, where basically they have already got our password. Why do they already have it? Because we reuse passwords so often: we go to a website, we put in a user name, we put the same password in because we don’t see it as being that important of a site, and then we reuse that password over and over again. Then along comes an attacker. They attack the site, they grab the database of passwords or the hash values, and then they can go through and say, hey, let’s try and reuse those passwords in all sorts of other locations. So do they need to spend a lot of energy trying to break that password? No, because they already have it.

What about phishing? How easy is it to trick somebody into handing over your credentials? Unfortunately, all too easy. About 0.5 percent of all inbound e-mails are phishing attacks. Keystroke logging, discovery, extortion, password spray attacks: the list goes on of what attackers can do to get your information.

And if you ever think, oh no, it can’t be me, my password isn’t out there, just go out to the site Have I Been Pwned (haveibeenpwned.com), put in your username, and see how often that password has been pwned in various different database breaches. For example, my personal email account has been breached 19 times on various sites, Adobe’s breach being the first. In fact, when you scroll down the list and see all the different sites on which my email account has been breached, some of them I don’t even remember and I don’t think I’ve signed up for, but because they shared information with other databases, my email account and my password got compromised. Look at all the different places. Scary, huh? And a reminder that if you use a user name and a password, better known as basic authentication in Office 365, the attacker can use it too.

So what can we do? Remember, we’ve already discussed how to disable basic authentication in Microsoft Office 365. But for those of you on on-premise Exchange, what options do you have? You do have an option. For those of you deploying Exchange 2019, it now provides the best ability to disable legacy authentication. With the second cumulative update (CU2) for Exchange 2019, you can do the same thing that you can do in Office 365 and disable that legacy authentication method.

Now, before we disable legacy authentication, let’s make sure that we’ve got some things in mind. You want to make sure that you understand the impact on your environment. So look to see if there are any applications that you use, or additions to Exchange, that rely on basic authentication. Talk to your vendors. Do the research ahead of time. Make sure that the clients and all the different applications that you’re using to connect to your Exchange also support modern authentication. So, for example, you need to make sure that you’re on Outlook 2013 or later, Outlook 2016 for Macintosh or later, Outlook for iOS and Android, or Mail for iOS 11.3.1 or later; if you’re not on those versions, you can’t support modern authentication. You’ll also have to make sure that hybrid authentication is working in your Exchange environment. And if you still do use Outlook 2013, you’ll have to make sure certain registry keys are in place. For example, you’ll have to enter two registry values under HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity: an "enable" DWORD value of 1, and then go down to "version" and make sure you’ve got a DWORD value of 1.

Now, once you have all that in place, you can go into the Exchange PowerShell and put in place a policy. So what you’re doing here is you’re building a new authentication policy with a name like "block legacy auth", and you’re setting up all the different ways that you connect to Exchange to use, or I should say block, the legacy authentication method. So, for example, here we are blocking Autodiscover, IMAP, Offline Address Book, POP, and legacy Web Services; they are all turned off to make sure that legacy is not used anymore. Then the next step is that you build a list of all the users in your organization and you insert it into the script. If it’s a brand new Exchange 2019 deployment, you can set it to block it from the get-go. It just depends on how you set up Exchange.

So keep in mind that multi-factor authentication blocks 99.9 percent of the attacks out there. Let me restate that again. As they say here in the blog post, your account is more than 99.9 percent less likely to be compromised if you use multi-factor. So whether it’s Office 365 or on-premise e-mail, look to see if you can roll out multi-factor authentication. It’s very key in today’s environment.

So until next time. Don’t forget to sign up for the Tech Talk from IDG on the YouTube channel. This is Susan Bradley signing off for CSO Online. Thanks again.
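The procedure the video walks through, written out as an added example (this is not code from the video, from CSO Online or from Microsoft). The policy name, the constructed user list and the contoso.example addresses are placeholders; the EnableADAL and Version value names are the documented Office 15.0 modern-authentication registry values that the walkthrough refers to as "enable" and "version".

```powershell
# Added example: block legacy (basic) authentication on Exchange 2019 CU2+
# for the protocols named in the walkthrough, after preparing Outlook 2013.

# --- 1. Outlook 2013 client prerequisite (run on each client, as the user) ---
# Both values must be DWORD 1 or Outlook 2013 will not use modern auth.
$identityKey = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'
if (-not (Test-Path $identityKey)) { New-Item -Path $identityKey -Force | Out-Null }
Set-ItemProperty -Path $identityKey -Name 'EnableADAL' -Value 1 -Type DWord
Set-ItemProperty -Path $identityKey -Name 'Version'    -Value 1 -Type DWord

# --- 2. Create the policy in the Exchange Management Shell ---
$policyName = 'Block Legacy Auth'   # placeholder name
New-AuthenticationPolicy -Name $policyName `
    -BlockLegacyAuthAutodiscover `
    -BlockLegacyAuthImap `
    -BlockLegacyAuthOfflineAddressBook `
    -BlockLegacyAuthPop `
    -BlockLegacyAuthWebServices

# --- 3. Assign the policy to users already vetted for modern-auth clients ---
# Constructed list; in practice this is the user export you built after the
# vendor and client-version check.
$users = @('alice@contoso.example', 'bob@contoso.example')
foreach ($u in $users) {
    Set-User -Identity $u -AuthenticationPolicy $policyName
}

# --- 4. Verify: list mailboxes that still have no authentication policy ---
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuthenticationPolicy } |
    Select-Object Name, UserPrincipalName
```

Step 4 is the check to re-run after each rollout batch: anything it still lists can authenticate with a plain user name and password over the blocked protocols.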
