Methods to disable basic authentication - Services not being used Protocols/Services


Hi All,


I guess one of the most common (and often successful) attacks we see is a simple brute force/password spray against weak accounts - especially shared mailboxes. From that particular access, the most common next step attackers will take is to send out spam/phishing emails from the compromised account.

 

Even with Modern Authentication and MFA enabled, I guess we are still open to these types of attacks.

Obviously basic authentication is enabled by default, and basic auth does not support MFA to begin with, which essentially means that you can get in with nothing more than a username and password.

 

With the thought of having MFA not enabled just yet, switching completely to modern authentication and disabling basic is a major security improvement in itself.

 

For example, credentials in a modern auth compatible app are not stored on the client device, and when the connection state changes the client is required to re-authenticate.

 

So it currently has got me thinking, even with enabling MFA for all of our users, it's still only half the job complete - so I guess I pose the question to the greater community in regards to the best way to approach disabling the less secure protocols (IMAP/POP/SMTP AUTH). MS best practice would suggest turning off any services which you are not using.

 

So I do pose the question, and we really want to make this rollout as streamlined as possible, disabling IMAP/POP/SMTP AUTH first; we still have a few other services that users are grumpy about disabling.

 

So what method works best?

1. Disabling IMAP/POP/SMTP auth via Set-CasMailbox - although mailbox plans do not accept disabling SMTP auth at that level.

2. Creating an Authentication Policy and disabling the protocols.

3. Using CA to disable all legacy authentication protocols.

 

Happy to hear suggestions - or open to anyone's recommendations when going through the above.
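As an added example (not part of the original post or any reply), this is how options 1 and 2 from the list above look in practice, run from the ExchangeOnlineManagement module. The admin UPN, the "BasicAuth-Pilot" group, the scanner account and the policy names are hypothetical. It also shows the workaround for the mailbox-plan limitation the post mentions: the plan only exposes IMAP and POP, so SMTP AUTH is switched off tenant-wide with Set-TransportConfig and re-enabled per mailbox where genuinely needed.

```powershell
# Added example, not from the thread. Assumes the ExchangeOnlineManagement module
# and an Exchange Online admin account; all names below are hypothetical.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# --- Option 1: per-mailbox protocol switches (Set-CASMailbox) ---
# Turn IMAP, POP and SMTP AUTH off on every shared mailbox first; the post calls
# these out as the usual password-spray targets.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox |
    Set-CASMailbox -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true

# Mailbox plans only expose the IMAP/POP switches (no SmtpClientAuthenticationDisabled),
# so new mailboxes get IMAP and POP off via the plan...
Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

# ...and SMTP AUTH is disabled for the whole tenant instead. A per-mailbox
# -SmtpClientAuthenticationDisabled $false overrides this for the few devices that need it.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Set-CASMailbox -Identity scanner@contoso.example -SmtpClientAuthenticationDisabled $false

# Check: anything still allowing IMAP or POP is listed here (the filter is OPath,
# so $true must not be expanded by PowerShell; hence the single quotes).
Get-CASMailbox -ResultSize Unlimited -Filter 'ImapEnabled -eq $true -or PopEnabled -eq $true' |
    Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled, SmtpClientAuthenticationDisabled

# --- Option 2: authentication policy (Basic auth rejected before Azure AD is consulted) ---
# A new policy blocks Basic auth for every protocol unless an AllowBasicAuth* switch is given.
New-AuthenticationPolicy -Name "Block Basic Auth"

# Pilot on one group; STSRefreshTokensValidFrom makes the policy apply within minutes
# instead of waiting for the existing tokens to age out.
Get-DistributionGroupMember -Identity "BasicAuth-Pilot" | ForEach-Object {
    Set-User -Identity $_.PrimarySmtpAddress -AuthenticationPolicy "Block Basic Auth" `
             -STSRefreshTokensValidFrom (Get-Date)
}

# Once the pilot is clean, make it the tenant default for everyone without an explicit policy.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# Narrow exception: a device that can only do Basic over SMTP AUTH gets a policy that
# allows exactly that protocol and nothing else.
New-AuthenticationPolicy -Name "Allow Basic SMTP Only" -AllowBasicAuthSmtp
Set-User -Identity scanner@contoso.example -AuthenticationPolicy "Allow Basic SMTP Only"

# Check which policy each user ended up with (blank = tenant default).
Get-User -ResultSize Unlimited | Select-Object UserPrincipalName, AuthenticationPolicy
```

The two options are not exclusive: the CAS switches decide whether a protocol is served at all, while the authentication policy decides whether Basic credentials are accepted on it. Running both means a mailbox that someone re-enables IMAP on later is still protected by the policy.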

2 Replies

If you're only concerned with Exchange, use an auth policy - it blocks any attempts on the pre-auth layer, so they don't even reach Azure AD. Complementing this with a CA policy that blocks legacy auth is also a good idea. 


@Vasil Michev 

 

Those protocols are only at the Exchange level; we have already implemented CA policies for elevated-privilege accounts, which don't have any further services assigned.

 

The auth policy has me on the fence at this stage: as the underlying attempt is blocked at the pre-auth layer, I would still like to review failed attempts, as this is a requirement. So I will most likely be leaning towards disabling at the CAS level.

 

The other CA policy implemented is currently set to report-only mode, along with a workbook created to pull down the insights, so we can work towards disabling the other basic auth protocols.
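As an added example (not from any participant in the thread), this is option 3 from the original post built the way the reply above describes it: a Conditional Access policy that blocks legacy authentication but is created in report-only mode, followed by a sign-in log query that pulls the legacy-client attempts the policy would have affected. It uses the Microsoft Graph PowerShell SDK; the break-glass group ID placeholder and the policy name are hypothetical.

```powershell
# Added example, not from the thread. Assumes the Microsoft.Graph PowerShell SDK and
# a Conditional Access administrator; the group ID and policy name are hypothetical.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All"

$policy = @{
    displayName = "Block legacy authentication (report-only)"
    # Report-only: every sign-in is evaluated and the result logged, but nothing is
    # blocked yet, so affected users/clients can be reviewed before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            # Always keep an emergency-access group out of a block policy.
            excludeGroups = @("<break-glass-group-object-id>")
        }
        applications   = @{ includeApplications = @("All") }
        # Legacy (Basic auth) clients surface to Conditional Access as these two types.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State

# Review what would have been blocked: legacy-client sign-ins from the last 24 hours,
# grouped by user and protocol. Status.ErrorCode 0 = success, so a non-zero code
# with a legacy client is the "failed attempt" the reply wants to keep visibility of.
$since  = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacy = @("IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync", "Other clients")

Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -in $legacy } |
    Select-Object UserPrincipalName, ClientAppUsed, IPAddress,
                  @{ n = "Failed"; e = { $_.Status.ErrorCode -ne 0 } } |
    Group-Object UserPrincipalName, ClientAppUsed, Failed |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The trade-off the two replies are circling is visible in this output: a CA policy (even report-only) leaves a record in the Azure AD sign-in log for every attempt, whereas an Exchange authentication policy rejects Basic credentials before Azure AD is ever called, so those attempts never appear here. Keeping the CA policy alongside the Exchange-side controls preserves the reporting the reply says is a requirement.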