Microsoft recommends enabling multi-factor authentication for Office 365. To do so, you must also disable basic or legacy authentication on Microsoft Exchange Server.

Microsoft recently announced that 99.9% of the attacks on Office 365 credentials can be stopped by enabling multi-factor authentication (MFA). They should have made it clear that you need to take one more action and disable basic or legacy authentication.

Basic or legacy authentication is what most people use when they log into websites and networks: a username and a password. If someone cracks that, has harvested the hash value and can reuse it, or has used brute force and password spraying techniques to gain access, they are in. They often don’t even have to “crack” the password; they already have it. Most people reuse passwords, so once an attacker has breached a database, they can try that password on your server or other sites.

So, you need to turn off legacy authentication when implementing MFA. What are the consequences of that? Third-party tools that plug into your online applications might no longer work. This is honestly a good thing, because you need to demand that vendors stop using an old, insecure method to connect to your information. If they use legacy authentication, they are basically using IMAP, POP, SMTP and other older protocols to connect. Ensure that you are using newer Outlook clients to connect to Office 365. Outlook 2010 is no longer supported to connect to Office 365 even though some still use the platform. If you disable legacy authentication, Outlook 2010 won’t be able to connect. The user impact plays out in various scenarios.

Disable basic authentication in Office 365 and Exchange

I described how to disable basic authentication on Office 365 earlier, but what about on-premises Microsoft Exchange? Doesn’t it have the same risks as cloud implementations of Exchange? In a word, yes.
Attackers can use some of the same tools they use to evaluate risks on Office 365 against your on-premises Exchange Server. That’s why you should disable legacy authentication for it as well. You’ll need Exchange 2019 to do so; earlier versions of Exchange do not support authentication policies. Let’s review what you need to do to close the potential security hole.

First, determine what version of Outlook or mail platforms you use to connect to Exchange. The following platforms can connect to Exchange without basic authentication. This is true for both Office 365 and Exchange 2019. You’ll need these updated clients to enable modern authentication:

- Outlook 2013 or later
- Outlook 2016 for Mac or later
- Outlook for iOS and Android
- Mail for iOS 11.3.1 or later

For Outlook 2013 you need to enable its support for modern authentication through a registry key. In the Registry Editor, go to HKEY_CURRENT_USER, then to “Software,” then to “Microsoft,” then to “Office,” then to “15.0,” then to “Common,” then to “Identity.” Add the value “EnableADAL” as a REG_DWORD with the data “1”:

HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity
    EnableADAL    REG_DWORD    1

Next, in the same key (HKEY_CURRENT_USER, then “Software,” “Microsoft,” “Office,” “15.0,” “Common,” “Identity”), add the value “Version” as a REG_DWORD with the data “1”:

HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity
    Version    REG_DWORD    1

Push out the settings via Group Policy or registry keys.

Now that you have Outlook 2013 set to support modern authentication, you can roll out the setting in either Office 365 or Exchange 2019. The mailboxes must be hosted on an Exchange 2019 CU2 server. To block legacy authentication, prepare authentication policies.
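The two registry values above can be set in one idempotent PowerShell script, which is convenient when deploying them as a logon script or through Group Policy. This is an added example, not code from the article; it assumes Office 2013 (the “15.0” key) is installed and that the script runs in the user’s own context so that HKCU refers to the right profile.

```powershell
# Added example (not from the article): enable modern authentication (ADAL) for Outlook 2013
# by setting the two HKCU values the article names. Assumes Office 2013 (15.0) and that the
# script runs as the user whose profile should be changed (logon script or GPO preference).
$identityKey = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'

# Create the key path if Outlook has never populated it on this profile.
if (-not (Test-Path $identityKey)) {
    New-Item -Path $identityKey -Force | Out-Null
}

# Both values are REG_DWORD = 1, exactly as the article specifies.
$values = @{ EnableADAL = 1; Version = 1 }
foreach ($name in $values.Keys) {
    $current = (Get-ItemProperty -Path $identityKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $values[$name]) {
        # -Force overwrites a wrong value or type (for example a REG_SZ "1") with a DWORD 1.
        New-ItemProperty -Path $identityKey -Name $name -Value $values[$name] `
            -PropertyType DWord -Force | Out-Null
        Write-Output "Set $name = $($values[$name])"
    } else {
        Write-Output "$name already set to $current"
    }
}

# Verify the final state so the deployment tool can log it.
Get-ItemProperty -Path $identityKey | Select-Object EnableADAL, Version
```

Because the script checks each value before writing, it can run at every logon without churning the registry, and the final Get-ItemProperty line gives you something to capture in a compliance report before you flip the server-side policy.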
In the Exchange Management Shell, enter the following PowerShell command:

New-AuthenticationPolicy -Name "Block Legacy Auth" -BlockLegacyAuthActiveSync -BlockLegacyAuthAutodiscover -BlockLegacyAuthImap -BlockLegacyAuthMapi -BlockLegacyAuthOfflineAddressBook -BlockLegacyAuthPop -BlockLegacyAuthRpc -BlockLegacyAuthWebServices

The command blocks basic authentication for the following protocols:

- BlockLegacyAuthActiveSync blocks the use of Exchange ActiveSync (EAS), which some email clients use on mobile devices.
- BlockLegacyAuthAutodiscover blocks the use of Autodiscover to find and connect to mailboxes in Exchange. This also blocks attackers from being able to enumerate and discover mailboxes to more easily attack Exchange servers.
- BlockLegacyAuthImap blocks the use of IMAP email clients. Attackers often use IMAP in password spray attacks.
- BlockLegacyAuthMapi blocks basic authentication for MAPI over HTTP, which Outlook 2013 and later use.
- BlockLegacyAuthOfflineAddressBook blocks the ability to download the address list collections that Outlook uses over basic authentication.
- BlockLegacyAuthPop blocks the use of POP email clients.
- BlockLegacyAuthRpc blocks basic authentication for Outlook Anywhere (RPC over HTTP), which Outlook 2016 and earlier use.
- BlockLegacyAuthWebServices blocks the use of Exchange Web Services (EWS), a programming interface used by Outlook, Outlook for Mac, and third-party apps.

Once you’ve set up the policy, you need to assign it to users. You can assign the policy individually or via attributes.
If your usernames do not have spaces, you can build a text file that feeds the usernames into the script:

$BLA = Get-Content "C:\Scripts\ListofUsersBlockLegacyAuth.txt"
$BLA | foreach {Set-User -Identity $_ -AuthenticationPolicy "Block Legacy Auth"}

Prepare a text file of all the users in your organization for whom you wish to block legacy authentication, save the list as ListofUsersBlockLegacyAuth.txt, and run the script.

If you want to set this as the default policy, use the following command so that all new users in the organization will only accept modern authentication:

Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Legacy Auth"

This sets the entire organization to block legacy authentication going forward.

Bottom line: plan on a future where IMAP, POP and older protocols are banned from your network. Even if you can’t disable legacy authentication now, evaluate the potential to do so in the future. Review all the third-party tools that you use to connect to Exchange or add to Exchange, and check whether they can work without IMAP or POP connectivity.
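The whole procedure from this section (create the policy, assign it from a user list, verify, then make it the organization default) fits in one re-runnable script. This is an added example, not the article’s or Microsoft’s own code; it assumes the Exchange Management Shell on Exchange 2019 CU2 or later, the file path used above, and one username (UPN or alias) per line in that file. It also handles the failure modes the one-liner above does not: blank lines, stray whitespace and individual Set-User errors that would otherwise abort or silently skip users.

```powershell
# Added example (not from the article): create the "Block Legacy Auth" policy, assign it to
# every user listed in a text file, verify the assignment, and set it as the org default.
# Assumes Exchange Management Shell on Exchange 2019 CU2+; the file path is an assumption.
$policyName = 'Block Legacy Auth'
$userList   = 'C:\Scripts\ListofUsersBlockLegacyAuth.txt'

# 1. Create the policy only if it does not exist yet, so the script is safe to re-run.
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName `
        -BlockLegacyAuthActiveSync -BlockLegacyAuthAutodiscover -BlockLegacyAuthImap `
        -BlockLegacyAuthMapi -BlockLegacyAuthOfflineAddressBook -BlockLegacyAuthPop `
        -BlockLegacyAuthRpc -BlockLegacyAuthWebServices | Out-Null
    Write-Output "Created authentication policy '$policyName'"
}

# 2. Read the user list, dropping blank lines and surrounding whitespace, which otherwise
#    become failed Set-User calls. Names with internal spaces are passed through unchanged.
$users = @(Get-Content $userList | ForEach-Object { $_.Trim() } | Where-Object { $_ })

# 3. Assign per user, recording failures instead of stopping at the first bad entry.
$failed = @()
foreach ($u in $users) {
    try {
        Set-User -Identity $u -AuthenticationPolicy $policyName -ErrorAction Stop
    } catch {
        $failed += $u
        Write-Warning "Could not assign policy to '$u': $($_.Exception.Message)"
    }
}

# 4. Verify: list any user from the file whose AuthenticationPolicy does not show the block
#    policy. The property may display the policy by name or by directory path, so match on
#    the name as a substring rather than requiring exact equality.
$notApplied = @(foreach ($u in $users) {
    $p = (Get-User -Identity $u -ErrorAction SilentlyContinue).AuthenticationPolicy
    if ("$p" -notlike "*$policyName*") { $u }
})
Write-Output ("Users in file: {0}  Assigned: {1}  Failed: {2}  Not showing policy: {3}" -f `
    $users.Count, ($users.Count - $failed.Count), $failed.Count, $notApplied.Count)
$notApplied | ForEach-Object { Write-Output "  Not applied: $_" }

# 5. Make it the organization default so new accounts block legacy authentication from day one.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
```

Run it first against a pilot list (a handful of accounts that use only the modern clients listed earlier) and watch the “Not applied” lines; only once that pilot reports zero failures should the full user list, and then the organization default, be switched over.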