Thursday, December 27, 2018

Disable basic auth to improve Office 365 security


In a recent article:

Investigating an Office 365 account compromise

I detailed how, if you go into the Azure AD sign-in logs for an individual user, you'll probably see a huge number of failed logins, because automated hacking tools are constantly trying to brute force their way into these accounts.

Once you see the sheer volume of attempts, constantly trying to gain access, you'll hopefully appreciate how important Multi Factor Authentication (MFA) is: even if the password is guessed, logging in still needs another factor, such as a code from an authenticator app.

So you think you're safe with just MFA, eh? Well, perhaps not as safe as you may think, because there is a good chance that basic authentication is still enabled on the tenant. What is basic authentication? Simply a username and password, sent with every request by legacy protocols such as IMAP, POP3, SMTP AUTH, Exchange Web Services and ActiveSync. Why is it still on? Because enabling MFA for users doesn't disable it; it remains in place as a fallback, and a basic authentication login has no way to prompt for a second factor, so a guessed password is enough on its own.

With basic authentication still in place, bad actors can keep banging away at your tenant trying to brute force a password. If you haven't got MFA enabled for users, it is probably only a matter of time before a user's password gets brute forced. Even if you have MFA, why leave bad actors an endpoint where a guessed password alone gets them one step closer to actually logging in?
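The sign-in noise described above is easiest to see when you split failures by client app, because Azure AD labels legacy (basic auth) protocols separately from browser and modern clients. The following is an added example, not code from the original post: it triages a sign-in log CSV in PowerShell and flags which failures arrived over basic authentication. The column names are assumed to match the portal's CSV download ("Date (UTC)", "Username", "Status", "Sign-in error code", "Client app", "IP address"); the log rows are constructed for illustration.

```powershell
# Added example: triage an Azure AD sign-in log export and separate basic-auth
# (legacy protocol) failures from modern-client failures.
# Assumed CSV header = the portal "Download" export; rows below are constructed.
$sample = @'
Date (UTC),Username,Status,Sign-in error code,Client app,IP address
2018-12-20T02:11:03Z,alice@contoso.example,Failure,50126,Other clients; IMAP,203.0.113.10
2018-12-20T02:11:05Z,alice@contoso.example,Failure,50126,Other clients; IMAP,203.0.113.10
2018-12-20T02:11:09Z,alice@contoso.example,Failure,50126,Other clients; IMAP,198.51.100.7
2018-12-20T02:12:40Z,bob@contoso.example,Failure,50126,Exchange ActiveSync,203.0.113.10
2018-12-20T02:13:02Z,bob@contoso.example,Failure,50126,Authenticated SMTP,203.0.113.10
2018-12-20T08:30:12Z,alice@contoso.example,Success,0,Browser,192.0.2.55
2018-12-20T08:31:44Z,carol@contoso.example,Failure,50074,Mobile Apps and Desktop clients,192.0.2.56
'@
$signIns = $sample | ConvertFrom-Csv

# Client app values that mean the request used basic authentication.
# "Other clients" is how Azure AD labels IMAP/POP/SMTP and similar legacy traffic.
$legacyPattern = '^(Other clients|Exchange ActiveSync|Authenticated SMTP|IMAP|POP|Exchange Web Services|Autodiscover|MAPI)'

$report = $signIns |
    Where-Object { $_.Status -eq 'Failure' } |
    Group-Object -Property Username, 'Client app' |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Username   = $first.Username
            ClientApp  = $first.'Client app'
            Failures   = $_.Count
            # 50126 = bad username/password (password guessing); 50074 = MFA challenge not passed
            ErrorCodes = ($_.Group.'Sign-in error code' | Sort-Object -Unique) -join ' '
            SourceIPs  = ($_.Group.'IP address' | Sort-Object -Unique) -join ' '
            LegacyAuth = [bool]($first.'Client app' -match $legacyPattern)
        }
    } |
    Sort-Object Failures -Descending

$report | Format-Table -AutoSize

# Everything with LegacyAuth = True is traffic that blocking basic auth removes outright;
# the remaining modern-client failures are the ones MFA actually has to absorb.
$total  = ($report | Measure-Object -Property Failures -Sum).Sum
$legacy = ($report | Where-Object LegacyAuth | Measure-Object -Property Failures -Sum).Sum
"Failed sign-ins over basic auth: $legacy of $total"
```

Run it against a real export by replacing `$sample` with `Get-Content -Raw` on the downloaded CSV; the same grouping, filtered to `Status -eq 'Success'`, tells you which users and devices still rely on basic auth before you block it.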

If you are serious about security for your Office 365 tenant then you need to enable MFA AND disable basic authentication. Is this going to break stuff? If you are still using applications older than Office 2013, for example, then yes, but you shouldn't really be using those anyway. (Office 2013 only does modern authentication once it is patched and the documented registry keys are set; Office 2016 and later support it out of the box.)

To understand how to disable basic authentication and the ramifications of doing that, have a look at the following article:

Disable Basic authentication in Exchange Online

Anyone security conscious should already be on modern applications, in which case switching off basic authentication shouldn't cause an issue at all. Before you flip the switch, check the sign-in logs for successful logins from legacy client apps (IMAP, POP, SMTP, ActiveSync and so on) so you know exactly which users and devices will be affected.

After you have disabled basic authentication, go back into your logs and see how all the attacks I've mentioned previously effectively cease. It ain't magic, you've just hardened your tenant by reducing its attack surface. For bonus credits on securing your tenant take a look at:

Azure AD and ADFS best practices: Defending against spray attacks

I also have the following script in my GitHub repo:

that will enable modern authentication in your tenant when run. However, beware that enabling this can cause issues, especially with older (pre-Office 2013) applications.
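Putting the two halves of this post together, here is an added PowerShell example (not the author's GitHub script, and not from the linked Microsoft article) that first enables modern authentication in Exchange Online and then blocks basic authentication with an authentication policy, piloting on one mailbox before making the policy the tenant default. It assumes the ExchangeOnlineManagement module and an account with Exchange Online admin rights; the policy name and the pilot user are placeholders.

```powershell
# Added example: enable modern auth, then block basic auth with an
# Exchange Online authentication policy. Policy name and pilot user are placeholders.
Connect-ExchangeOnline

# 1. Turn on modern authentication (OAuth 2.0) for the tenant. Do this first:
#    Outlook 2013 (patched) / 2016 / 2019 need it to have something to use once
#    basic auth is gone.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Get-OrganizationConfig | Format-List Name, OAuth2ClientProfileEnabled

# 2. Create an authentication policy. A newly created policy blocks basic auth
#    for every protocol by default (all AllowBasicAuth* settings are $false).
$policyName = 'Block Basic Auth'
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
# Confirm nothing was accidentally allowed through.
Get-AuthenticationPolicy -Identity $policyName | Format-List AllowBasicAuth*

# 3. Pilot on one mailbox before touching everyone.
$pilotUser = 'alice@contoso.example'
Set-User -Identity $pilotUser -AuthenticationPolicy $policyName
# Policy changes are picked up on the next token refresh (which can take up to
# 24 hours); invalidate the pilot user's tokens so it applies straight away.
Set-User -Identity $pilotUser -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# 4. Once the pilot is clean, make the policy the default for every user who
#    has no explicit policy assigned.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 5. Verify: list any users explicitly assigned a different policy, because
#    the tenant default does not override a per-user assignment.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -and $_.AuthenticationPolicy -ne $policyName } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

Step 2 is the one to read carefully: if you later need an exception (say, a multifunction printer that can only do SMTP AUTH), create a second policy with only `-AllowBasicAuthSmtp $true` and assign it to that one account rather than loosening the default.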

So remember, yes enable MFA across your Office 365 organisation but ALSO disable basic authentication as well!