I saw a tweet earlier today from Alex Weinert (Director of Identity Security at Microsoft), drawing attention to a post that was published yesterday on the Exchange Team Blog. The post highlights some changes being made to the authentication model for Exchange Online, building on a previous announcement from last year. To repeat Alex’s words, it’s a huge deal. It’s also very good news from a security perspective.
Last year Microsoft announced that they were going to deprecate Basic Authentication for Exchange Web Services, with the cut-off set for 13 October 2020. From that date, connections from legacy clients that only speak Basic Auth and don’t support Modern Authentication will be actively blocked. Yesterday’s post extends that deprecation to other Exchange Online services: Exchange ActiveSync, POP, IMAP and Remote PowerShell.
What’s Basic Authentication?
Basic Auth (also referred to as Legacy Authentication) has been around for years. In simple terms it requires that a username and password combination be transmitted to the application with every request. This leaves the user’s credentials vulnerable to interception (when not sent over TLS), and because the same password is accepted from anywhere with no additional context, it leaves services open to brute force and password spray attacks. A captured password is also reusable against every other Basic Auth endpoint the account can reach. You can read more about these types of attacks here.
By contrast, Modern Authentication is based on OAuth 2.0. Rather than sending the password with each request, the client goes through an interactive sign-in with Azure AD and receives an access token. That token is short-lived, scoped to a specific resource (such as Exchange Online), and the password itself never reaches the mail service. Because the sign-in happens at the identity provider, it integrates naturally with Conditional Access and Multi-Factor Authentication, so the decision to grant access can take the user, device, location and sign-in risk into account. It is a significantly stronger model than sending a reusable password on every connection.
Great, you might say… why don’t I (or Microsoft) enforce it everywhere already? Well, there’s a catch. Not every client supports it: older Outlook releases, many native mobile mail apps and scripts or line-of-business applications that talk EWS, IMAP or POP with a stored password will simply stop working. You need to take steps to ensure you are prepared.
What should you do?
You could wait for next October. The 13th to be precise. Hope for the best, and assume nothing will break. For obvious reasons, that’s not a stance I’d advocate…
There’s a good chance you’ll already know if you have a significant problem when it comes to your client estate. Obvious concerns aside, you’ll also need to inventory applications and service accounts that authenticate directly against Exchange Online (mail-enabled scripts, monitoring tools, integrations using EWS or IMAP) to ensure compatibility. Additional tools will be made available in the near future to aid the identification of users still utilising Basic Auth.
If you know you’re in a good place you can take steps today to block Legacy Authentication, ahead of time. This is advantageous in terms of readiness, but more importantly it will improve your security posture immediately. Conditional Access policies that require MFA are only evaluated for Modern Auth sign-ins, so any protocol that still accepts Basic Auth is a route around them; with Basic Auth disabled, those policies can no longer be circumvented. You also reduce the risk of compromise through the password attacks referenced previously.
You can enforce Modern Authentication in a couple of ways. One option is to adopt custom Authentication Policies in Exchange Online. These can be assigned to specific users to support a phased rollout, and also provide the flexibility to block Basic Authentication per protocol, which is useful if you have a short-term need to retain it for certain systems. Once you are happy, the same policy can be set as the tenant default so that every user without an explicit assignment inherits it. Microsoft have published an excellent guide for disabling Basic Authentication in Exchange Online which covers this approach in detail.
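The following is an added example of the Authentication Policy approach, written for this page rather than taken from the original post or from Microsoft’s guide. It assumes an Exchange Online PowerShell session is already connected (for example via Connect-ExchangeOnline from the ExchangeOnlineManagement module); the policy names, user principal names and the scanner mailbox are placeholders.

```powershell
# Added example (not from the original post). Assumes an Exchange Online
# PowerShell session is already open. Policy names, UPNs and the scanner
# mailbox below are placeholders.

# 1. A policy that blocks Basic Auth on every protocol. New-AuthenticationPolicy
#    defaults every AllowBasicAuth* switch to $false, so no parameters are needed.
New-AuthenticationPolicy -Name "Block Basic Auth"

# 2. A narrower policy for devices that still need SMTP AUTH (scanners etc.).
#    Basic Auth stays blocked for EWS, ActiveSync, POP, IMAP, Remote PowerShell
#    and the rest; only SMTP is re-enabled.
New-AuthenticationPolicy -Name "Block Basic Auth except SMTP" -AllowBasicAuthSmtp

# Confirm what each policy actually allows before assigning it.
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*

# 3. Pilot: assign the strict policy to a small group of users first.
$pilotUsers = @("alice@contoso.com", "bob@contoso.com")   # placeholders
foreach ($upn in $pilotUsers) {
    Set-User -Identity $upn -AuthenticationPolicy "Block Basic Auth"
    # A newly assigned policy can take up to 24 hours to take effect; resetting
    # the token validity timestamp forces re-evaluation within about 30 minutes.
    Set-User -Identity $upn -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
}

# The scanner's mailbox keeps SMTP AUTH only.
Set-User -Identity "scanner@contoso.com" -AuthenticationPolicy "Block Basic Auth except SMTP"

# Verify the assignment on a pilot user.
Get-User -Identity "alice@contoso.com" | Format-List UserPrincipalName, AuthenticationPolicy

# 4. Once the pilot is clean, make the strict policy the tenant default.
#    Any user without an explicit policy (including new accounts) inherits it.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"
```

Note that an explicit per-user assignment always wins over the organisation default, so the scanner account above keeps SMTP AUTH after step 4, while everyone else is blocked on every protocol.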
An alternative approach is to block via Conditional Access. I made reference to a number of new baseline policies in a recent blog post, one of which is aimed specifically at this problem. By enabling the “Baseline Policy: Block Legacy Authentication” policy, you can enforce Modern Authentication for all users.
Custom policies can achieve the same thing, with a little more flexibility: target the users and cloud apps you want, set the Client apps condition to “Exchange ActiveSync clients” and “Other clients” (the two categories that cover Legacy Authentication), and choose Block access as the grant control. Scoping the policy to a pilot group first lets you find stragglers without disrupting the whole tenant.
An exception to the Basic Authentication deprecation which I haven’t addressed (and that may have been ringing some mental alarm bells) relates to SMTP. Many peripheral devices (scanners, monitoring devices etc.) rely on Basic Authentication for mail submission. This will continue to be supported for SMTP AUTH, with further updates on this due soon from Microsoft. It is worth keeping those accounts on a dedicated Authentication Policy that permits only SMTP, so the exception doesn’t become a tenant-wide one.
Hopefully this has proved a useful read. The move away from Basic Authentication for these protocols is a significant one, but it is a positive move from a security perspective. Whilst there’s the potential for some disruption, there’s also ample time to prepare and transition to Modern Auth over the next year. The end result will be a dramatic reduction in the likelihood of authentication-based compromise.
Feel free to get in touch if you have questions, or want to know more. Good luck with your own implementations!