Dark Reading is part of the Informa Tech Division of Informa PLC


Operations

3/9/2020
06:20 PM

How Microsoft Disabled Legacy Authentication Across the Company

The process was not smooth or straightforward, employees say in a discussion of challenges and lessons learned during the multi-year project.

As more organizations adopt modern authentication protocols, legacy authentication poses a growing risk to those who lag behind. The problem is, making a business-wide transition to modern authentication is no easy feat, as Microsoft employees learned when they tackled it.

"About half of a percent of the enterprise accounts in our system will be compromised every month," Alex Weinert, director of identity strategy at Microsoft, said of its customer accounts. "Which is a really, really, really high number, if you think about it." In a business of 10,000 users, for example, 50 of them will be compromised in a month if the business is average and doesn't do anything additional, Weinert said in an RSA Conference talk on the topic last month.

More than 1.2 million Microsoft customer accounts were compromised in January 2020, Weinert said. Of those, more than 99% did not have MFA enabled. "Multi-factor authentication would have prevented the vast majority of those one million compromised accounts last month," he explained.

About 40% of those January compromises, or 480,000 accounts, were due to password spray attacks, and nearly all (99%) of those password sprays leveraged legacy authentication protocols. The second most-common attack method was replaying credentials stolen from one platform against others. Nearly all (97%) of these "replay" attacks also use legacy authentication protocols, Weinert noted, and the probability of compromise jumped for users who relied on SMTP, IMAP, POP, and other legacy protocols.

"We know about 60% of users [overall] will reuse passwords; it's super common," he continued, adding that "people do reuse their enterprise accounts in non-enterprise environments."

"Legacy" or "basic" authentication refers to older protocols like POP, SMTP, IMAP, and XML-Auth, which don't allow for user interaction or MFA challenges, Weinert said. It is the predominant obstacle to deploying MFA and the preferred mechanism for attacking accounts: attack tools are built on it, it works, and it's easy, he said. But disabling basic authentication protocols can make a significant difference: controlling for other variables, Microsoft found a 67% reduction in compromise for tenants that turned off legacy protocols.

To help defend its own employees against attacks targeting these protocols, Microsoft has over the years rolled out modern MFA options compatible with phone, cloud, and on-prem environments. But while it invested in these tools, it "really didn't pay attention to legacy authentication," said Lee Walker, identity architect on Microsoft's internal IT team. "We thought it would naturally go away." It didn't: many internal Microsoft employees continued to use legacy protocols. In 2018, company executives called for legacy authentication to be shut down across the organization.

Trial and (A Big) Error

Taking a broader look at Microsoft's environment, the team saw a few instances of legacy authentication but assumed the project wouldn't be intensive. It was primarily used in Azure Active Directory, in small tools people used to directly talk with Microsoft Graph and do basic information gathering in Azure, as well as in SharePoint, Skype for Business, and Exchange.

The team thought most of the upgrades would be for old Office 2010 or 2013 clients. "We knew those were using legacy authentication, but we knew the vast majority of people had been upgraded," said Walker. They expected these Office clients to be people with older personal machines at home, and they'd simply need to help the users upgrade.

There are several tools available to block legacy protocols; Lee and Walker demonstrated their process using one built into Azure Active Directory. It started out smoothly, they said. The IT and operations teams deployed legacy authentication disablement to 2,000 users in the organization and experienced minimal problems. "This gave us a lot of confidence that our deployment for legacy authentication blocking was going to proceed very quickly across Microsoft internally," said Walker, noting they expected the process to take two months.

"It didn't quite work out that way," he added.

The team deployed this disablement policy across its 60,000-person sales force. They left their desks that day in October 2018 and soon started getting calls in the middle of the night: the TeleSales app, used to contact customers and take orders, wasn't working among Australian users. "It's a critical app for our sales force, and when we looked into this, we discovered there's one account that was used to run the back end of all our TeleSales applications," said Walker. This account, hidden in the data, was being blocked by the legacy authentication policy.

This policy caused the app to break, which took down the sales force for effectively a whole day, considering the time difference and the time it takes to escalate issues. "They could not make money for a day, and that was a big deal," Walker noted.

Taking a New Approach

The team was told they couldn't move forward with the policy until they were sure the incident wouldn't happen again. "The reality is, we didn't really know what we were doing," said Weinert. They didn't have the data they needed to show where legacy authentication was being used in their environment; more importantly, they didn't have the insight to know what that data really meant. If they had, they would have seen the connection between the TeleSales app, the account behind it, and the hundreds of thousands of people who relied on it.

"We knew we needed more data, so we decided to keep a lot more data," said Weinert. The team logged 90 days of sign-in history to identify specific apps using legacy authentication. This timeframe was large enough to give them visibility into apps used on a daily basis and weekly basis; they could also see financial apps only used once per quarter.

They also decided to simulate the legacy authentication policy instead of enforcing it outright. "Report-only" mode gave the ability to deploy a simulated policy without blocking anything. As a result, users would see "we would have blocked this" instead of losing app functionality.
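The two steps described above (keeping a 90-day window of sign-ins, then running the block policy in report-only mode so it records "would have blocked" instead of blocking) can be illustrated with a small simulation. This is an added example, not code from Microsoft or from Azure AD; the sign-in records are constructed, and their field names follow the Microsoft Graph signIn resource (clientAppUsed, userPrincipalName, appDisplayName, createdDateTime) as an assumption about the log format. The report aggregates per account and app with a hit count and days since last use, so a rarely used quarterly app and a service account hiding behind a business app both surface before enforcement.

```python
"""Simulate a 'block legacy authentication' policy in report-only mode over a
90-day window of sign-in records and report what it would have blocked."""
from collections import defaultdict
from datetime import datetime, timedelta

# Client types that Azure AD sign-in logs report for legacy (basic) auth.
# Assumption: these are the clientAppUsed values a tenant would see; the
# records below are constructed sample data, not real log output.
LEGACY_CLIENTS = {"IMAP", "POP", "SMTP", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}

# Constructed sample: a 90-day window of sign-ins for a handful of identities.
NOW = datetime(2018, 10, 31)
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Outlook 2013",
     "clientAppUsed": "Other clients", "createdDateTime": NOW - timedelta(days=1)},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Outlook 2013",
     "clientAppUsed": "Other clients", "createdDateTime": NOW - timedelta(days=2)},
    {"userPrincipalName": "svc-telesales@example.com", "appDisplayName": "TeleSales backend",
     "clientAppUsed": "Other clients", "createdDateTime": NOW - timedelta(days=3)},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Quarterly finance export",
     "clientAppUsed": "IMAP", "createdDateTime": NOW - timedelta(days=85)},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Outlook (web)",
     "clientAppUsed": "Browser", "createdDateTime": NOW - timedelta(days=1)},
]

def evaluate(signin, enforce=False):
    """Apply the policy to one sign-in. In report-only mode (enforce=False)
    nothing is blocked; the decision is just recorded as 'reportOnlyFailure'."""
    if signin["clientAppUsed"] in LEGACY_CLIENTS:
        return "failure" if enforce else "reportOnlyFailure"
    return "success"

def report(signins, window_days=90, now=NOW):
    """Aggregate would-be blocks per (account, app) inside the window, with a
    hit count and days since last use, so rare quarterly apps still surface."""
    cutoff = now - timedelta(days=window_days)
    hits = defaultdict(lambda: {"count": 0, "last_seen": None})
    for s in signins:
        if s["createdDateTime"] < cutoff or evaluate(s) != "reportOnlyFailure":
            continue
        key = (s["userPrincipalName"], s["appDisplayName"])
        hits[key]["count"] += 1
        ts = s["createdDateTime"]
        if hits[key]["last_seen"] is None or ts > hits[key]["last_seen"]:
            hits[key]["last_seen"] = ts
    return {k: {"count": v["count"], "days_since": (now - v["last_seen"]).days}
            for k, v in hits.items()}

if __name__ == "__main__":
    for (upn, app), v in sorted(report(SIGNINS).items(), key=lambda kv: kv[1]["days_since"]):
        print(f"{upn:28} {app:26} hits={v['count']} last={v['days_since']}d ago")
```

Shrinking the window to 30 days drops the quarterly finance export from the report, which is why the 90-day window mattered on the page.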

Then came the tedious part: the team had to track down individual owners of the apps relying on legacy authentication protocols, work with them to find the API that was prompting them for passwords, and find the modern equivalent of that API to fix it. By March 2019 the policy was enabled for 94% of users, but they still faced several exception requests per week.

"This was probably the biggest driver of work for our team," said Walker. Turning off legacy authentication didn't take much time; neither did collecting or analyzing data. Talking to app owners also wasn't time-consuming, but individual requests for rarely used apps "took a lot of time." It took about a year to run through exceptions and secure legacy authentication users.

"Human processes here are super important," said Walker. He advised IT and security teams to start testing with a small group, preferably their own, to learn the response process before rolling out a policy across the organization. He also encouraged RSAC attendees to start the process of eliminating legacy authentication as soon as possible: Microsoft has seen a ~3,000% increase in attack rate on Microsoft products and services in the past three years. Adopting modern authentication protocols can help defend against password sprays, credential reuse, and other common attack techniques.

"Organizations moving to a more secure protocol are getting out of harm's way and letting attackers harvest from those who haven't," he said.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...