Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:20 PM
Connect Directly

How Microsoft Disabled Legacy Authentication Across the Company

The process was not smooth or straightforward, employees say in a discussion of challenges and lessons learned during the multi-year project.

As more organizations adopt modern authentication protocols, legacy authentication poses a growing risk to those who lag behind. The problem is, making a business-wide transition to modern authentication is no easy feat, as Microsoft employees learned when they tackled it.

"About half of a percent of the enterprise accounts in our system will be compromised every month," Alex Weinert, director of identity strategy at Microsoft, said of its customer accounts. "Which is a really, really, really high number, if you think about it." In a business of 10,000 users, for example, 50 of them will be compromised in a month if the business is average and doesn't do anything additional, Weinart said in an RSA Conference talk on the topic last month. 

More than 1.2 million Microsoft customer accounts were compromised in January 2020, Weinert said. Of those, more than 99% did not have MFA enabled. "Multi-factor authentication would have prevented the vast majority of those one million compromised accounts last month," he explained.

About 40% of those January compromises, or 480,000 accounts, were due to password spray attacks and nearly all (99% of) password sprays leveraged legacy authentication protocols. The second most-common attack method was brute-forcing credentials across platforms. Nearly all (97% of) these "replay" attacks also use legacy authentication protocols, Weinert noted, and the probability of compromise jumped for users who relied on SMTP, IMAP, POP, and others.

"We know about 60% of users [overall] will reuse passwords; it's super common," he continued, adding that "people do reuse their enterprise accounts in non-enterprise environments."

"Legacy," or "basic" authentication refers to older protocols like POP, SMTP, IMAP, and XML-Auth, which don't allow for user interaction or MFA challenges, Weinert said. It is the predominant problem with deploying MFA and the preferred mechanism for attacking accounts. Attack tools are built on it; it works, and it's easy, he said. But disabling basic authentication protocols can make a significant difference: controlling for other variables, Microsoft found a 67% reduction in compromise for tenants that turned off legacy protocols.

To help defend its own employees against attacks targeting these protocols, Microsoft has rolled out modern MFA options compatible for phone, cloud, and on-prem environments over the years. Still, while it invested in these tools, it "really didn't pay attention to legacy authentication," said Lee Walker, identity architect on Microsoft's internal IT team. "We thought it would naturally go away." Still, many internal Microsoft employees continued to use legacy protocols. In 2018, company executives called for legacy authentication to be shut down across the organization.

Trial and (A Big) Error

Taking a broader look at Microsoft's environment, the team saw a few instances of legacy authentication but assumed the project wouldn't be intensive. It was primarily used in Azure Active Directory, in small tools people used to directly talk with Microsoft Graph and do basic information gathering in Azure, as well as in SharePoint, Skype for Business, and Exchange.

The team thought most of the upgrades would be for old Office 2010 or 2013 clients. "We knew those were using legacy authentication, but we knew the vast majority of people had been upgraded," said Walker. They expected these Office clients to be people with older personal machines at home, and they'd simply need to help the users upgrade.

There are several tools available to block legacy protocols; Lee and Walker demonstrated their process using one built into Azure Active Directory. It started out smoothly, they said. The IT and operations teams deployed legacy authentication disablement to 2,000 users in the organization and experienced minimal problems. "This gave us a lot of confidence that our deployment for legacy authentication blocking was going to proceed very quickly across Microsoft internally," said Walker, noting they expected the process to take two months.

"It didn't quite work out that way," he added.

The team deployed this disablement policy across its 60,000-person sales force. They left their desks that day in October 2018 and soon started getting calls in the middle of the night: the TeleSales app, used to contact customers and take orders, wasn't working among Australian users. "It's a critical app for our sales force, and when we looked into this, we discovered there's one account that was used to run the back end of all our TeleSales applications," said Walker. This account, hidden in the data, was being blocked by the legacy authentication policy.

This policy caused the app to break, which took down the sales force for effectively a whole day, considering the time difference and the time it takes to escalate issues. "They could not make money for a day, and that was a big deal," Walker noted.

Taking a New Approach

The team was told they couldn't move forward with the policy until they were sure the incident wouldn't happen again. "The reality is, we didn't really know what we were doing," said Weinert. They didn't have the data they needed to show where legacy authentication was being used in their environment; more importantly, they didn't have the insight to know what that data really meant. If they had, they would have seen the connection between the TeleSales app, the account behind it, and the hundreds of thousands of people who relied on it.

"We knew we needed more data, so we decided to keep a lot more data," said Weinert. The team logged 90 days of sign-in history to identify specific apps using legacy authentication. This timeframe was large enough to give them visibility into apps used on a daily basis and weekly basis; they could also see financial apps only used once per quarter.

They also decided to simulate the legacy authentication policy instead of enforcing it outright. "Report-only" mode gave the ability to deploy a simulated policy without blocking anything. As a result, users would see "we would have blocked this" instead of losing app functionality.

Then came the tedious part: the team had to track down individual owners of the apps relying on legacy authentication protocols, work with them to find the API that was prompting them for passwords, and find the modern equivalent of that API to fix it. By March 2019 the policy was enabled for 94% of users, but they still faced several exception requests per week.

"This was probably the biggest driver of work for our team," said Walker. Turning off legacy authentication didn't take much time; neither did collecting or analyzing data. Talking to app owners also wasn't time-consuming, but individual requests for rarely used apps "took a lot of time." It took about a year to run through exceptions and secure legacy authentication users.

"Human processes here are super important," said Walker. He advised IT and security teams to start testing with a small group, preferably their own, to learn the response process before rolling out a policy across the organization. He also encouraged RSAC attendees to start the process of eliminating legacy authentication as soon as possible: Microsoft has seen a ~3,000% increase in attack rate on Microsoft products and services in the past three years. Adopting modern authentication protocols can help defend against password sprays, credential reuse, and other common attack techniques.

"Organizations moving to a more secure protocol are getting out of harm's way and letting attackers harvest from those who haven't," he said.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Out at Sea, With No Way to Navigate: Admiral James Stavridis Talks Cybersecurity."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-03
Jenkins Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints, allowing attackers to perform all administrative actions provided by the plugin.
PUBLISHED: 2020-06-03
Jenkins Project Inheritance Plugin 19.08.02 and earlier does not require users to have Job/ExtendedRead permission to access Inheritance Project job configurations in XML format.
PUBLISHED: 2020-06-03
Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure.
PUBLISHED: 2020-06-03
Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier does not escape the error message for the repository URL field form validation, resulting in a reflected cross-site scripting vulnerability.
PUBLISHED: 2020-06-03
Jenkins Play Framework Plugin 1.0.2 and earlier lets users specify the path to the `play` command on the Jenkins master for a form validation endpoint, resulting in an OS command injection vulnerability exploitable by users able to store such a file on the Jenkins master.