Exchange Server 2019 Security
CU2, released this week, notably adds a new capability: the ability to disable old authentication protocols organization-wide. The idea is to switch to so-called "hybrid modern authentication" instead, which is deemed more secure.
By "hybrid," Microsoft typically means that an organization's servers connect in some way to Microsoft's "cloud"-based services, typically the Azure Active Directory identity provider service. The "modern" part of "hybrid modern authentication" is a reference to client applications that use the Active Directory Authentication Library (ADAL) for sign-ins.
The old or "legacy" authentication protocols that Microsoft wants organizations to remove include the following, per the announcement:
- Basic authentication
- Digest authentication
- Windows authentication (NTLM and Kerberos)
"Basic authentication" is just the requirement for a user name and password to verify access to Exchange e-mail. Basic authentication should be blocked because it's subject to "brute force or password spray attacks," Microsoft explained. A password spray attack is a method of trying weak passwords (such as "password" or "12345678") across an organization to gain a network foothold.
"Digest authentication" is an old challenge-and-response protocol for verifying user identities, according to Microsoft's glossary. The "NT LAN Manager" (NTLM) authentication protocol is another challenge-and-response protocol that gets used with Exchange, but it recently made the news as being potentially subject to relay attacks by remote attackers. Kerberos is a ticket-based authentication system for exchanging information.
The announcement listed a bunch of other old protocols to block when using Exchange Server 2019, including things like Exchange ActiveSync, IMAP and POP3. IT pros can use PowerShell cmdlets to enforce the protocol blocking.
In contrast to those old protocols, hybrid modern authentication depends on having federated trust with the Azure Active Directory identity provider service for end users. Moreover, it involves exchanging tokens based on the Open Authentication (OAuth) protocol standard.
Here's how Greg Taylor, a principal program manager for Office 365, described it in an Exchange Team blog post on hybrid modern authentication (HMA):
"HMA enables Outlook to obtain Access and Refresh OAuth tokens from Azure AD (either directly for password hash sync or Pass-Through Auth identities, or from their own STS for federated identities) and Exchange on-premises will accept them and provide mailbox access."
Organizations wanting to use hybrid modern authentication need to be running at least Exchange Server 2013 with CU19 or greater, Exchange Server 2016 with CU8, and/or Exchange Server 2019. It doesn't work with Exchange Server 2010.
E-mail clients need to support ADAL for hybrid modern authentication, which additionally lets them "use sign-in features such as Multi-Factor Authentication (MFA), smart card and certificate-based authentication," according to a Microsoft document. Multifactor authentication is an approach recommended by Microsoft that requires a secondary means of verifying a user's identity besides a password. The secondary means might be a user response to a text message or automated cell phone call, or the use of a PIN.
Given the ADAL requirement, specific e-mail clients need to be in place to use hybrid modern authentication with Exchange Server. Those clients, per the announcement, include:
- Outlook 2013 or later (Outlook 2013 requires a registry key change)
- Outlook 2016 for Mac or later
- Outlook for iOS and Android
- Mail for iOS 11.3.1 or later
Getting to hybrid modern authentication requires carrying out lots of steps, as outlined by Taylor. Even Microsoft has messed it up, he confessed:
"Like all changes, it [modern hybrid authentication] requires careful planning and execution, and particularly when messing with auth, be super careful, please. If people can't connect, that's bad. We've been running like this for months inside Microsoft, and we too missed an SPN when we first did it, so it can happen."
Microsoft recommends testing hybrid modern authentication out first in a lab environment before trying to turn it on.
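The PowerShell-based protocol blocking mentioned above, sketched as a staged rollout for a lab: check that modern authentication is enabled, create a blocking policy, apply it to one pilot account, and only then make it the organization default. This is an added example, not code from Microsoft's announcement; the policy name and pilot mailbox are hypothetical placeholders, and it assumes the Exchange Management Shell on Exchange Server 2019 CU2 or later with hybrid modern authentication already configured.

```powershell
# Added example. $PolicyName and $PilotUser are hypothetical placeholder values.
$PolicyName = 'Block Legacy Auth'
$PilotUser  = 'pilot.user@contoso.com'

# Guard: stop if OAuth-based sign-in is not enabled yet. Blocking the legacy
# protocols first would leave clients with no way to authenticate.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    throw 'OAuth2ClientProfileEnabled is False; finish the HMA setup first.'
}

# Create the policy once. Each switch blocks legacy authentication
# for one client protocol or service.
if (-not (Get-AuthenticationPolicy | Where-Object Name -eq $PolicyName)) {
    New-AuthenticationPolicy -Name $PolicyName `
        -BlockLegacyAuthActiveSync `
        -BlockLegacyAuthAutodiscover `
        -BlockLegacyAuthImap `
        -BlockLegacyAuthMapi `
        -BlockLegacyAuthOfflineAddressBook `
        -BlockLegacyAuthPop `
        -BlockLegacyAuthRpc `
        -BlockLegacyAuthWebServices
}

# Stage 1: apply the policy to a single pilot account and confirm the assignment.
Set-User -Identity $PilotUser -AuthenticationPolicy $PolicyName
Get-User -Identity $PilotUser | Format-List Name, AuthenticationPolicy

# Stage 2: once the pilot account's clients connect normally,
# make the policy the default for every user in the organization.
# Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# Rollback: clear the assignment if clients can no longer connect.
# Set-User -Identity $PilotUser -AuthenticationPolicy $null
# Set-OrganizationConfig -DefaultAuthenticationPolicy $null
```

The organization-wide and rollback commands are left commented out so that nothing beyond the pilot account changes until they are run deliberately.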