Microsoft Suggests Disabling Old Protocols with Exchange Server 2019 -- Redmondmag.com

Microsoft Suggests Disabling Old Protocols with Exchange Server 2019

By Kurt Mackie
06/21/2019

The Exchange team, in a Friday announcement, explained how Exchange Server 2019 with Cumulative Update 2 (CU2) can help organizations rid themselves of old authentication protocols, which constitute a potential security risk.

CU2, released this week, notably brings the ability to disable old authentication protocols organizationwide, which is a new capability. The idea is to switch to using so-called "hybrid modern authentication" instead, which is deemed as being more secure.

By "hybrid," Microsoft typically means that an organization's servers connect in some way to Microsoft's "cloud"-based services, typically the Azure Active Directory identity provider service. The "modern" part of "hybrid modern authentication" is a reference to client applications that use the Active Directory Authentication Library (ADAL) for sign-ins.

Old Protocols
The old or "legacy" authentication protocols that Microsoft wants organizations to remove include the following, per the announcement:

Basic authentication
Digest authentication
Windows authentication (NTLM and Kerberos)

"Basic authentication" is just the requirement for a user name and password to verify access to Exchange e-mail. Basic authentication should be blocked because it's subject to "brute force or password spray attacks," Microsoft explained. A password spray attack is a method of trying weak passwords (such as "password" or "12345678") across an organization to gain a network foothold.

"Digest authentication" is an old challenge-and-response protocol for verifying user identities, according to Microsoft's glossary. The "NT LAN Manager" (NTLM) authentication protocol is another challenge-and-response protocol that gets used with Exchange, but it recently made the news as being potentially subject to relay attacks by remote attackers. Kerberos is a ticket-based authentication system for exchanging information.

The announcement listed a bunch of other old protocols to block when using Exchange Server 2019, including things like Exchange Active Sync, IMAP and POP3. IT pros can use PowerShell cmdlets to enforce the protocol blocking.

Modern Requirements
In contrast to those old protocols, hybrid modern authentication depends on having federated trust with the Azure Active Directory identity provider service for end users. Moreover, it involves exchanging tokens based on the Open Authentication (OAuth) protocol standard.

Here's how Greg Taylor, a principal program manager for Office 365, described it in an Exchange Team blog post on hybrid modern authentication (HMA):

HMA enables Outlook to obtain Access and Refresh OAuth tokens from Azure AD (either directly for password hash sync or Pass-Through Auth identities, or from their own STS for federated identities) and Exchange on-premises will accept them and provide mailbox access.

Organizations wanting to use hybrid modern authentication need to be using at least Exchange Server 2013 with CU19 or greater installed and/or Exchange Server 2016 with CU8 and/or Exchange Server 2019. It doesn't work with Exchange Server 2010.

E-mail clients need to support ADAL for hybrid modern authentication, which additionally lets them "use sign-in features such as Multi-Factor Authentication (MFA), smart card and certificate-based authentication," according to this Microsoft document. Multifactor authentication is a recommended approach by Microsoft that requires a secondary means of verifying a user's identity besides a password. The secondary means might be a user response to a text message or automated cell phone call, or the use of PIN.

Given the ADAL requirement, specific e-mail clients need to be in place to use hybrid modern authentication with Exchange Server. Those clients, per the announcement, include:

Outlook 2013 or later (Outlook 2013 requires a registry key change)
Outlook 2016 for Mac or later
Outlook for iOS and Android
Mail for iOS 11.3.1 or later

Getting to modern hybrid authentication requires carrying out lots of steps, as outlined by Taylor. Even Microsoft has messed it up, he confessed:

Like all changes, it [modern hybrid authentication] requires careful planning and execution, and particularly when messing with auth, be super careful, please. If people can't connect, that's bad. We've been running like this for months inside Microsoft, and we too missed an SPN when we first did it, so it can happen.

Microsoft recommends testing hybrid modern authentication out first in a lab environment before trying to turn it on.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.