As organizations migrate to the cloud and adopt hybrid environments, centralizing authentication through Single Sign-On (SSO) is crucial for robust security. However, as threats become increasingly sophisticated, many may overlook legacy authentication methods, which can pose significant risk. This article addresses these dangers and emphasizes that SSO can provide strong security only when combined with effective measures to block legacy authentication.
It’s worth noting that this article isn’t meant to convince anyone of SSO’s merits; most security professionals are already aware of its benefits and drawbacks. Instead, the goal is to encourage security teams to assess vulnerable authentication protocols in their environments. By proactively identifying and addressing these weaknesses, organizations can enhance their security posture, increase their cybersecurity maturity, and mitigate the risks associated with legacy authentication before it’s too late.
The Hidden Dangers of Legacy Authentication
Lack of Multi-Factor Authentication (MFA) Support
A major shortcoming of legacy authentication is its inability to support multi-factor authentication (MFA). As modern security practices emphasize MFA to prevent unauthorized access, the absence of this capability leaves organizations vulnerable to credential theft and breaches.
Challenges in Monitoring and Auditing
Legacy authentication methods often fail to integrate with modern security monitoring tools, creating blind spots in an organization’s security posture. This affects the ability to track access attempts and audit logs, delaying incident response and the detection of potential breaches.
Incompatibility with Modern Security Controls
As organizations adopt advanced security solutions, legacy authentication methods frequently lack compatibility. This undermines the effectiveness of modern security measures and complicates user access management across platforms.
Vulnerability to Attacks
Legacy authentication can serve as a back door for attackers, leaving organizations susceptible to attacks such as password spraying and brute-force attempts. Lacking advanced security features, these methods let attackers exploit weak or guessable credentials and move through networks undetected, potentially compromising sensitive information.
Detecting Legacy Authentication Protocols in Your Organization
Detecting legacy authentication methods is crucial for enhancing an organization’s security posture. Here are some effective techniques for identifying these outdated protocols:
The Active Approach
The active approach involves using tools to directly assess and authenticate with existing authentication methods. As a red teamer, I employ this strategy in nearly every assessment to identify legacy authentication methods and uncover potential vulnerabilities. I highly recommend the open-source tool MFASWEEP for this purpose.
MFASWEEP is a PowerShell script that logs into various Microsoft services using valid credentials to check if multi-factor authentication (MFA) is enabled. Depending on conditional access policies, some protocols may still allow single-factor authentication.
MFASWEEP currently supports login to the following services:
- Microsoft Graph API
- Azure Service Management API
- Microsoft 365 Exchange Web Services
- Microsoft 365 Web Portal (supports six device types: Windows, Linux, macOS, Android, iPhone, Windows Phone)
- Microsoft 365 Active Sync
- Active Directory Federation Services (ADFS)
WARNING: This script attempts to log in to the provided account up to 11 times. Entering an incorrect password may lock the account.
Using MFASWEEP, you can identify the entry points an attacker could use against your organization. The most common issues are:
- Active Sync: This protocol is often enabled but does not support 2FA at all. When Active Sync is open, it can be exploited for password spraying and similar attacks. Additionally, it may allow the synchronization of user mailboxes without 2FA.
- Graph API: While this protocol supports 2FA, organizations sometimes fail to enforce it, relying only on Azure portal logins. Additionally, 2FA may sometimes be enforced from external access but not from the internal network, allowing an attacker with internal access to jump to Azure without 2FA.
- Microsoft 365 Exchange Web Services (EWS): While EWS can support modern authentication methods, it might still be configured to allow legacy authentication. If not properly secured, attackers can exploit EWS for account enumeration or unauthorized mailbox access.
- Microsoft 365 Web Portal: Even if 2FA is enforced, there may be specific scenarios—such as device types or network locations—where enforcement is inconsistent due to conditional access misconfigurations, allowing attackers to access user accounts without 2FA under certain conditions.
The Passive Approach
The passive approach focuses on monitoring and analyzing existing data and configurations to identify legacy authentication methods without direct intervention.
Log Analysis
Regularly review authentication logs from identity providers and SIEM systems. Look for entries associated with known legacy protocols, such as NTLM and Active Sync. Anomalies in login patterns can indicate the use of outdated authentication methods.
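The log review described above can be scripted. The following is an added example (not part of the original article) that classifies Entra ID sign-in log records by the clientAppUsed field, reports users who completed a single-factor sign-in over a legacy protocol, and counts failed legacy attempts per client app; the sample records are constructed and the error code 50126 (invalid username or password) is used as the failure case.

```python
import json
from collections import Counter

# Entra ID sign-in log "clientAppUsed" values that indicate legacy (non-modern)
# authentication; "Other clients" is the bucket Conditional Access uses for
# clients that cannot perform modern authentication.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "SMTP",
    "Authenticated SMTP", "Exchange Web Services", "MAPI Over HTTP",
    "Autodiscover", "Exchange Online PowerShell",
}

# Constructed sample records (JSON Lines), modelled on the Graph signIn resource.
SAMPLE_LOG = """\
{"createdDateTime":"2024-05-01T08:01:12Z","userPrincipalName":"alice@example.com","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T08:02:40Z","userPrincipalName":"bob@example.com","clientAppUsed":"Exchange ActiveSync","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T08:03:05Z","userPrincipalName":"carol@example.com","clientAppUsed":"Other clients","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T08:03:06Z","userPrincipalName":"dave@example.com","clientAppUsed":"Other clients","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-01T08:04:30Z","userPrincipalName":"erin@example.com","clientAppUsed":"Mobile Apps and Desktop clients","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
"""

def parse_signins(text):
    """Parse JSON Lines sign-in records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a damaged export line should not abort the review
    return records

def legacy_signins(records):
    """Return the records whose client app is a legacy authentication protocol."""
    return [r for r in records if r.get("clientAppUsed") in LEGACY_CLIENT_APPS]

def summarize(records):
    """Report users who completed a single-factor legacy sign-in and count failed
    legacy attempts per client app (a burst of failures is a spray indicator)."""
    legacy = legacy_signins(records)
    ok = [r for r in legacy if r.get("status", {}).get("errorCode") == 0
          and r.get("authenticationRequirement") == "singleFactorAuthentication"]
    failed = Counter(r["clientAppUsed"] for r in legacy
                     if r.get("status", {}).get("errorCode") != 0)
    return {"legacy_total": len(legacy),
            "single_factor_success_users": sorted(r["userPrincipalName"] for r in ok),
            "failed_by_client_app": dict(failed)}
```

Feed it an export of your tenant's sign-in logs in the same JSON Lines form; every user in single_factor_success_users is an account that legacy authentication currently exposes without MFA.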
Network Traffic Monitoring
Use network traffic analysis tools to capture and analyze traffic patterns. Monitor for specific traffic signatures linked to legacy authentication protocols. Unencrypted communications may also reveal the use of outdated methods.
Conditional Access Review
Regularly assess your conditional access policies to ensure they are effectively enforcing MFA across all services and locations. Review any exceptions or gaps in enforcement that could leave systems vulnerable to attacks exploiting legacy authentication methods.
By employing these passive detection techniques, organizations can proactively identify and address the risks associated with legacy authentication methods, strengthening their overall security posture.
Blocking Legacy Authentication Using Conditional Access
There are multiple ways to disable legacy authentication in Microsoft 365. If security defaults are enabled (either manually or by default for tenants created after October 2019), legacy authentication is automatically blocked at the tenant level. You can also manage and disable legacy authentication directly in the Azure Active Directory, Microsoft 365, or Exchange Online admin centers.
1. Create a New Conditional Access Policy
- Go to Azure Active Directory Home.
- Select Security > Conditional Access > Policies.
- Click New policy and name it (e.g., [BLOCK] Legacy Authentication).
2. Assign Users
- Under Assignments, select Users and groups.
- Click Include and choose All users, or select specific groups as needed.
3. Specify Cloud Apps
Determine which applications will be affected by the policy:
- Click on Cloud apps.
- Select Include and choose All cloud apps or specific apps.
4. Define Access Conditions
Define conditions for the policy:
- Go to Conditions > Client apps and toggle to Yes.
- Select Mobile clients and Desktop clients, including Exchange ActiveSync.
5. Apply and Activate the Policy
Finalize the policy settings:
- Click on Grant and select Block access.
- Toggle the policy to On (or Report Only).
- Acknowledge the impact on your account and click Create.
Conclusion
As organizations continue to embrace cloud and hybrid environments, the importance of securing authentication methods cannot be overstated. While Single Sign-On (SSO) plays a vital role in enhancing security, it is essential to address the risks posed by legacy authentication methods.
By actively identifying and eliminating these outdated protocols, security teams can strengthen their defenses and better protect sensitive data from evolving threats. Proactive measures are key to ensuring that security frameworks remain effective and resilient in the face of potential vulnerabilities.
Want to learn more about how CYE can help you strengthen your security posture? Contact us.