Why you should block legacy authentication

Currently, we could say that Legacy Authentication is one of the most frequently compromised sign-in methods. Luckily for us, the older protocols have been replaced by modern authentication (MA), which supports MFA, whereas Legacy Authentication refers to all protocols that use Basic Authentication and therefore require only one method of authentication (a username and password).

So, it is important that, for security reasons, we disable legacy authentication in our environments. Why? Because enabling MFA isn’t effective if legacy protocols are not blocked: a Basic Authentication sign-in only presents a username and password, so the second factor is never evaluated. For example, the following options are considered legacy authentication protocols:

  • Authenticated SMTP – Used by POP and IMAP clients to send email messages.
  • Autodiscover – Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.
  • Exchange ActiveSync (EAS) – Used to connect to mailboxes in Exchange Online.
  • Exchange Online PowerShell – Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect.
  • Exchange Web Services (EWS) – A programming interface that’s used by Outlook, Outlook for Mac, and third-party apps.
  • IMAP4 – Used by IMAP email clients.
  • MAPI over HTTP (MAPI/HTTP) – Used by Outlook 2010 and later.
  • Offline Address Book (OAB) – A copy of address list collections that are downloaded and used by Outlook.
  • Outlook Anywhere (RPC over HTTP) – Used by Outlook 2016 and earlier.
  • Outlook Service – Used by the Mail and Calendar app for Windows 10.
  • POP3 – Used by POP email clients.
  • Reporting Web Services – Used to retrieve report data in Exchange Online.
  • Other clients – Other protocols identified as using legacy authentication.

How can we monitor the usage of legacy authentication in Azure AD?

Thanks to Log Analytics, Insights and workbooks, we are able to monitor the use of those protocols, for instance:

And also check the non-interactive sign-ins (be careful with the Azure AD Connect sync accounts, which show up there):
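As an added example (not code from the original post), the following PowerShell classifies Azure AD sign-in records by the legacy client apps listed above and flags the AD Connect sync accounts so they can be assessed separately. The `$sample` records are constructed data shaped like Microsoft Graph `signIn` objects; with the Microsoft.Graph.Reports module you would instead feed the output of `Get-MgAuditLogSignIn` (including the non-interactive sign-ins) to the same function.

```powershell
# Added example, not code from the original post: report legacy (Basic auth)
# sign-ins from Azure AD sign-in records and flag AD Connect sync accounts.
# The sample data below is constructed; real data would come from
#   Connect-MgGraph -Scopes 'AuditLog.Read.All'
#   $signIns = Get-MgAuditLogSignIn -All
# and is passed to Get-LegacyAuthReport the same way.

# clientAppUsed values Azure AD reports for legacy authentication
$LegacyClientApps = @(
    'Authenticated SMTP', 'AutoDiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book', 'Outlook Anywhere (RPC over HTTP)',
    'Outlook Service', 'POP3', 'Reporting Web Services', 'Other clients'
)

function Get-LegacyAuthReport {
    param([Parameter(Mandatory)] [object[]] $SignIns)

    $SignIns |
        Where-Object { $LegacyClientApps -contains $_.ClientAppUsed } |
        Group-Object UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                UserPrincipalName = $first.UserPrincipalName
                ClientAppUsed     = $first.ClientAppUsed
                Attempts          = $_.Count
                # ErrorCode 0 = successful sign-in, i.e. a legacy client that still works
                Successes         = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
                LastSeen          = ($_.Group | Sort-Object CreatedDateTime | Select-Object -Last 1).CreatedDateTime
                # Azure AD Connect sync accounts are named Sync_<server>_<id> and
                # appear in the non-interactive sign-in logs; review them on their own
                IsSyncAccount     = $first.UserPrincipalName -like 'Sync_*'
            }
        } |
        Sort-Object Attempts -Descending
}

# Helper that builds one constructed record in the shape of a Graph signIn object
function New-SampleSignIn([string] $Upn, [string] $App, [string] $When, [int] $ErrorCode) {
    [pscustomobject]@{
        UserPrincipalName = $Upn
        ClientAppUsed     = $App
        CreatedDateTime   = [datetime]::Parse($When)
        Status            = [pscustomobject]@{ ErrorCode = $ErrorCode }
    }
}

# Constructed sample: an IMAP4 user, an EAS user with a failed attempt (50126 = bad
# password), a modern-auth browser sign-in (ignored) and an AD Connect sync account
$sample = @(
    New-SampleSignIn 'alice@contoso.example' 'IMAP4'               '2023-05-01T08:00:00Z' 0
    New-SampleSignIn 'alice@contoso.example' 'IMAP4'               '2023-05-02T08:05:00Z' 0
    New-SampleSignIn 'bob@contoso.example'   'Exchange ActiveSync' '2023-05-02T09:10:00Z' 50126
    New-SampleSignIn 'bob@contoso.example'   'Browser'             '2023-05-02T09:12:00Z' 0
    New-SampleSignIn 'Sync_SRV01_1a2b3c@contoso.example' 'Other clients' '2023-05-02T10:00:00Z' 0
)

Get-LegacyAuthReport -SignIns $sample | Format-Table -AutoSize
```

The `Successes` column is the one to watch: a user with many successful IMAP4 or EAS sign-ins has a real client that will break when the protocol is blocked, whereas a stream of failures with no successes is usually password spraying against the Basic auth endpoint and is exactly what the block removes.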

What we can do to avoid this?

The best way to block or report on legacy authentication for users is to use Conditional Access policies (see Does my organization need Azure AD Conditional Access? – Albandrod’s Memory (albandrodsmemory.com) and Enabling zero trust security in your environment – Albandrod’s Memory (albandrodsmemory.com)).

So, the best way is to create a CA policy:
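An added example (not from the original post) of such a policy created with Microsoft Graph PowerShell: it blocks the legacy client app types for all users and starts in report-only mode, so the impact can be analysed in the sign-in logs before it is enforced. The display name and the excluded break-glass account id are placeholders; the module assumed is Microsoft.Graph.Identity.SignIns.

```powershell
# Added example, not from the original post: Conditional Access policy that
# blocks legacy authentication, created in report-only mode first.
# Assumes the Microsoft.Graph.Identity.SignIns module; the excluded object id
# is a placeholder for your emergency-access (break-glass) account.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'Block legacy authentication (report-only)'
    # enabledForReportingButNotEnforced = report-only. Switch to 'enabled' once the
    # sign-in report shows no business-critical legacy clients are left.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeUsers = @('All')
            excludeUsers = @('00000000-0000-0000-0000-000000000000')  # placeholder break-glass id
        }
        applications = @{ includeApplications = @('All') }
        # exchangeActiveSync covers EAS; 'other' covers every remaining Basic auth
        # protocol from the list above (IMAP4, POP3, Authenticated SMTP, EWS, ...)
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Format-List DisplayName, Id, State
```

Leave the policy in report-only mode for a couple of weeks, review the report-only results on the sign-in log entries, and only then change `state` to `enabled` (for example with `Update-MgIdentityConditionalAccessPolicy`). Keeping the break-glass account excluded is what protects you from locking yourself out if the policy turns out to be broader than expected.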

My final advice

Legacy authentication must be disabled to protect our environments, but first, start small and analyse the impact in your organization.

Till next time!

Best practices when updating Lync Server

Cumulative Updates (CU) are a kind of service pack that comes out quarterly for Lync Server and the clients. They include fixes and sometimes add new functionality.

For Lync Server 2010 it is possible to download them from the following URL: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=11551

For Lync Server 2013, it is the following: http://www.microsoft.com/en-us/download/details.aspx?id=36820

As you can see there are a lot of files to download. You could download and update only specific components, or you can download the LyncServerUpdateInstaller.exe package, which includes all the latest updates. So go ahead and download it and then copy the file to your Lync Servers.

To start the update process, log in to your server and start the Lync Server Management Shell.

1.First, check that no users are talking on the phone or are in a meeting before you start the update. You can do this by running Get-CsWindowsService and looking at the activity level of each service.
2.The next step is to prevent new sessions for a while and drain the active connections. This can be done by running Stop-CsWindowsService –Graceful
As seen in the picture, the services are now stopped.

3.Next, stop the World Wide Web service by typing: net stop w3svc
4.Now close all Lync Server Management Shell windows.
5.Install the cumulative update for Lync Server 2010 by running LyncServerUpdateInstaller.exe

This will start the update tool and you should see which updates are needed and which version is already installed. (As you can see in the picture, I have already installed the latest update package and it shows a green checkmark on every line. If some component had not been updated, it would show a red stop mark instead.)

6.Restart the computer if you are prompted to do so.

The next step is something that is almost always forgotten: updating the Lync Server databases. (This step is not done for you if you used Windows Update to update your Lync server, so in that case it must be done manually after Windows Update has updated your server.)

1.Start the Lync Server Management Shell (click Start, click All Programs, click Microsoft Lync Server 2010, and then click Lync Server Management Shell).
2.To apply the changes made by LyncServerUpdateInstaller.exe to the SQL Server databases, do one of the following:
  • On Standard Edition Servers and Enterprise Edition Front End Servers, once you have installed the update for the core components, the updated SQL files are dropped on the server. Then run the following cmdlet to apply the changes (replace <SqlServer.FQDN> with the FQDN of your SQL Server):

Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn <SqlServer.FQDN> -UseDefaultSqlPaths

If the RTCDyn databases are removed after you run the cmdlet without the UseDefaultSqlPaths parameter, run the following cmdlet to restore them (replace <RtcDyn.Path> with the path where the RTCDyn database files should live):

Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn <SqlServer.FQDN> -DatabasePaths <RtcDyn.Path>

7.Now that the database is also up to date, it’s time to start the IIS and Lync Server services. At the command line, type:
net start w3svc
Start-CsWindowsService
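As an added example (not a script from the original post), here is the whole procedure above as a two-phase PowerShell script. Run it with -Phase PreUpdate from the Lync Server Management Shell, close every management shell window, run LyncServerUpdateInstaller.exe by hand (and reboot if asked), then run it again with -Phase PostUpdate from a fresh shell. The SQL Server FQDN and the drain timeout are placeholders/assumptions; the script refuses to continue while users are still active and verifies that every service came back afterwards.

```powershell
# Added example, not from the original post: the Lync Server CU procedure as a
# two-phase script. PreUpdate drains and stops the services; the installer is
# run manually in between (it must not run from an open management shell);
# PostUpdate updates the databases and starts everything again.
param(
    [Parameter(Mandatory)] [ValidateSet('PreUpdate', 'PostUpdate')] [string] $Phase,
    [string] $SqlServerFqdn = 'sql-placeholder.contoso.example',   # placeholder: your Back End / SE server
    [int] $DrainTimeoutMinutes = 30                                # assumption: how long to wait for calls to end
)

$ErrorActionPreference = 'Stop'

switch ($Phase) {
    'PreUpdate' {
        # Step 1: do not start while users are in calls or meetings. ActivityLevel is the
        # counter string Get-CsWindowsService shows per service; any non-zero digit in it
        # means there is still activity (heuristic, not an official API).
        $busy = Get-CsWindowsService | Where-Object { $_.ActivityLevel -match '[1-9]' }
        if ($busy) {
            $busy | Format-Table Name, ActivityLevel -AutoSize | Out-String | Write-Warning
            throw 'Active sessions found; wait for them to finish or notify users before updating.'
        }

        # Step 2: stop accepting new sessions and drain the existing ones
        Stop-CsWindowsService -Graceful

        # Wait until every Lync service reports Stopped, or give up after the timeout
        $deadline = (Get-Date).AddMinutes($DrainTimeoutMinutes)
        while ((Get-CsWindowsService | Where-Object { $_.Status -ne 'Stopped' }) -and ((Get-Date) -lt $deadline)) {
            Start-Sleep -Seconds 15
        }
        if (Get-CsWindowsService | Where-Object { $_.Status -ne 'Stopped' }) {
            throw "Some services are still running after $DrainTimeoutMinutes minutes; not continuing."
        }

        # Step 3: stop IIS (the same as 'net stop w3svc')
        Stop-Service -Name W3SVC

        # Steps 4 and 5 are manual: close all management shells, then run
        # LyncServerUpdateInstaller.exe and reboot if prompted.
        Write-Host 'Pre-update done. Close this shell, run LyncServerUpdateInstaller.exe, then run -Phase PostUpdate.'
    }
    'PostUpdate' {
        # Step 6 (the forgotten one): apply the updated SQL files to the configured databases
        Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn $SqlServerFqdn -UseDefaultSqlPaths

        # Step 7: bring IIS and the Lync services back
        Start-Service -Name W3SVC
        Start-CsWindowsService

        # Verify that nothing stayed down before handing the server back to users
        $down = Get-CsWindowsService | Where-Object { $_.Status -ne 'Running' }
        if ($down) {
            $down | Format-Table Name, Status -AutoSize | Out-String | Write-Warning
            throw 'Some Lync services did not start; check the event log before releasing the server.'
        }
        Get-CsWindowsService | Format-Table Name, Status -AutoSize
    }
}
```

The reason for two phases rather than one script is step 4 of the procedure: the installer replaces the management shell components, so it must run with no management shell open, which a single script cannot guarantee.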

And that’s all!