For the last few years Microsoft has been talking about "Modern" this or "Modern" that. In the quest for improved security they are aggressively trying to move everyone to more modern protocols. The impending LDAPS changes are an example of this. However, there are more processes and protocols that they are urging you to retire. Hackers often abuse these older technologies because we all forget that we set something up in 2004 and left it operational. Examples of what you need to retire ASAP are:
- IMAP. Modern email doesn't need IMAP. This is true for Exchange, Office 365, or Google Apps. Hackers love IMAP connections because none of the advanced security protocols can be turned on. Make sure the IMAP service is turned off.
- POP3. See IMAP above. Same story. Make sure the POP3 service is turned off.
- Self-signed SSL certificates on internet-facing devices such as VPN. If it touches the internet, *YOU MUST BUY AND IMPLEMENT A COMMERCIAL SSL CERTIFICATE* - No exceptions. If this is you, resolve this ASAP.
- Anything using plain text, "basic authentication"
- Anything using TLS 1.0 or 1.1
- Anything using SMB v1 on your Windows network.
- Anything using VNC
- Anything using RDP directly to the internet
- Any internet-facing remote access gateway that does not use multi-factor authentication (MFA).
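
To confirm from the outside that the services in this list are really off, the following added example (not from the original post) connects to each legacy port on a host you administer and reads the greeting, so an IMAP, POP3 or VNC service is recognised even on a non-standard port. The port list, function names and the `127.0.0.1` placeholder are assumptions made for illustration.

```python
import socket

# First bytes each service sends on connect (IMAP and POP3 greetings, RFB version line).
BANNERS = {b"* OK": "IMAP", b"+OK": "POP3", b"RFB ": "VNC"}
# Well-known ports for services named in the list; RDP and SMB send no greeting,
# so for those an open port is reported under its expected service name.
LEGACY_PORTS = {110: "POP3", 143: "IMAP", 445: "SMB", 3389: "RDP", 5900: "VNC"}


def classify(banner):
    """Map a server greeting to a legacy service name, or None if unrecognised."""
    for prefix, name in BANNERS.items():
        if banner.startswith(prefix):
            return name
    return None


def probe(host, port, timeout=3.0):
    """Return ("open", service), or ("closed", None) if closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            try:
                banner = conn.recv(64)
            except OSError:
                banner = b""  # silent service (RDP, SMB) or reset: port is still open
    except OSError:
        return ("closed", None)
    return ("open", classify(banner) or LEGACY_PORTS.get(port, "unknown"))


def audit(host, ports=LEGACY_PORTS, timeout=3.0):
    """Return {port: service} for every listed port that still accepts connections."""
    findings = {}
    for port in ports:
        state, service = probe(host, port, timeout)
        if state == "open":
            findings[port] = service
    return findings


if __name__ == "__main__":
    # 127.0.0.1 is a placeholder; substitute an address you administer.
    for port, service in sorted(audit("127.0.0.1", timeout=1.0).items()):
        print(f"{port}/tcp open: {service} - check against the retirement list")
```

An empty result means none of the listed ports accepted a connection from where the script ran; run it from outside your firewall to see what the internet sees.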
Microsoft specifically is pushing for "Modern Authentication". To them, that means everything needs to support, and be configured for, OAuth 2.0, and "Basic Authentication" needs to be turned off.
Microsoft announced their intention to force this issue with Office 365. Beginning October 13, 2020, Microsoft will retire Basic Authentication for EWS, EAS, IMAP, POP and RPS to access Exchange Online. Note: this change does not impact SMTP AUTH.
If you use Office 365 for email, these changes are relevant to you. You can read more about the changes at: https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-auth-and-exchange-online-february-2020-update/ba-p/1191282
Google Apps users need to make the same changes as well to eliminate these older access methods that are security holes.
While you are doing all this work to tighten things up, be sure to combine it with rolling out at least a basic form of MFA, such as texting your users' phones or, more ideally, something like Cisco DUO, so that you can plug the 99.9% of the credential theft exploits that are out there. Talk to Lisa about licenses.
If you need help sorting this all out, give us a call.