Securing Office 365 accounts and preventing account lock outs with Centrify


By Centrify Advisor IV, 04-16-2018 03:22 PM

Enabling multi-factor authentication (MFA) for your Office 365 accounts helps protect against credential stuffing and phished passwords, and helps meet regulatory compliance requirements. However, MFA alone does not block every type of attack on Office 365 accounts. Brute force (password guessing) attacks, another very common attack on Office 365 accounts, can result in Active Directory account lockouts, or in a flood of MFA notifications caused by unauthorized login attempts. This article covers several techniques for configuring Centrify and Office 365 to help prevent account lockouts and suppress MFA prompts triggered by invalid login attempts.

 

Prerequisites

 

Solution 1: Mitigate scripted IMAP and SMTP attacks

 

Disable legacy email protocols that do not support modern authentication

To enforce multi-factor authentication for all Office 365 account logins, and to help prevent Active Directory account lockouts, disable the legacy email protocols that do not support Office 365 Modern Authentication: SMTP client authentication (SMTP AUTH), IMAP, and POP3. Basic authentication on these protocols cannot carry an MFA challenge, so every password guess made against them counts directly toward the account's lockout threshold.

 

1. Disable unused protocols

Disable IMAP and SMTP client authentication (these are the most common protocols we have seen used in this type of attack). Microsoft makes this straightforward via Exchange Online PowerShell and has recently added the ability to disable SMTP client authentication on the individual CAS mailbox. For example:

Cas1.png

Here is a simple loop to disable IMAP and SMTP client authentication across all mailboxes. *Note that PowerShell knowledge is needed to run any of the commands shown here. For more information on any of the commands, see Microsoft's documentation.

 

 

# Retrieve the client-access settings of every mailbox (the default result set is capped at 1000)
$mailboxes = Get-CASMailbox -ResultSize Unlimited

# Turn off SMTP AUTH and IMAP on each mailbox (Exchange Online PowerShell)
foreach ($mailbox in $mailboxes) {
    Set-CASMailbox -Identity $mailbox.Identity -SmtpClientAuthenticationDisabled $true -ImapEnabled $false
}

 

 

Then, re-enable a protocol on a per-user basis ONLY where it is actually needed (for example, for a device or service account that cannot use Modern Authentication).

 

2. Allow for MFA

Make sure Modern Authentication can be used in your organization. If your mail clients are not yet compatible, migrate to compatible clients first. Once ready, enable Modern Authentication in Exchange Online. Newer tenants have it enabled by default. Here is a way to check whether the tenant is enabled for Modern Authentication.

modernauthcheck1.png

If OAuth2ClientProfileEnabled is set to True, Modern Authentication (ADAL/OAuth 2.0) is already in use wherever the mail client supports it. If it is False, here is how to set it to True.

enablemodernauth.png

This way, Modern Authentication can be used and MFA can be added to the authentication flow. Be sure that the mail clients in use support it (a few examples: Outlook 2016 for Mac and the Mac Mail app; on Windows, Outlook 2013 or 2016, noting that Outlook 2013 requires registry settings to enable ADAL; and Outlook for mobile). Here is a page listing compatible clients (provided as a courtesy and subject to change): https://www.microsoft.com/en-us/microsoft-365/blog/2015/11/19/updated-office-365-modern-authenticati...
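The script below is an added example, not code from the original article or from Centrify or Microsoft. It carries out steps 1 and 2 of Solution 1 in one pass: it checks OAuth2ClientProfileEnabled and turns it on if necessary, then disables IMAP, POP3 and SMTP AUTH on every mailbox except those on an allow-list, and emits a per-mailbox report so the change can be reviewed before and after. It assumes an Exchange Online PowerShell session is already open (for example via Connect-ExchangeOnline), that mailboxes are matched on their PrimarySmtpAddress, and that the allow-list address shown is a constructed placeholder.

```powershell
# Added example for Solution 1 (steps 1 and 2). Not from the original article.
# Assumes an Exchange Online PowerShell session is already open (e.g. Connect-ExchangeOnline).
# The allow-list address used in the usage lines is a constructed placeholder.
function Disable-LegacyMailProtocols {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Primary SMTP addresses of mailboxes that must keep basic auth (printers, SIEM relay, ...)
        [string[]] $AllowList = @()
    )

    # Step 2: confirm Modern Authentication (OAuth 2.0) is enabled for the tenant; turn it on if not.
    $org = Get-OrganizationConfig
    if (-not $org.OAuth2ClientProfileEnabled) {
        if ($PSCmdlet.ShouldProcess('Organization', 'Set OAuth2ClientProfileEnabled = True')) {
            Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
        }
    }

    # Step 1: turn off IMAP, POP3 and SMTP AUTH on every mailbox that is not on the allow-list.
    # -ResultSize Unlimited matters: the default output is capped at 1000 mailboxes.
    foreach ($mbx in Get-CASMailbox -ResultSize Unlimited) {
        $address = [string] $mbx.PrimarySmtpAddress
        $exempt  = $AllowList -contains $address   # -contains is case-insensitive in PowerShell

        # Only SmtpClientAuthenticationDisabled = $true is an explicit per-mailbox block;
        # $null means "inherit the tenant-wide setting", so treat it as not yet hardened.
        $alreadyHardened = ((-not $mbx.ImapEnabled) -and (-not $mbx.PopEnabled) -and ($mbx.SmtpClientAuthenticationDisabled -eq $true))
        $target = (-not $exempt) -and (-not $alreadyHardened)

        if ($target -and $PSCmdlet.ShouldProcess($address, 'Disable IMAP, POP3 and SMTP AUTH')) {
            Set-CASMailbox -Identity $mbx.Identity `
                           -ImapEnabled $false -PopEnabled $false `
                           -SmtpClientAuthenticationDisabled $true
        }

        # One row per mailbox so the run can be reviewed or exported with Export-Csv.
        [pscustomobject]@{
            Mailbox        = $address
            Exempt         = $exempt
            ImapWasEnabled = [bool] $mbx.ImapEnabled
            PopWasEnabled  = [bool] $mbx.PopEnabled
            SmtpAuthWasOff = ($mbx.SmtpClientAuthenticationDisabled -eq $true)
            Targeted       = $target
        }
    }
}

# Usage (constructed allow-list): preview with -WhatIf first; nothing is changed in this run.
Disable-LegacyMailProtocols -AllowList 'scanner-relay@contoso.example' -WhatIf

# Remove -WhatIf to apply, and keep the report for the change record:
# Disable-LegacyMailProtocols -AllowList 'scanner-relay@contoso.example' |
#     Export-Csv -Path .\legacy-auth-report.csv -NoTypeInformation
```

The -WhatIf pass lists every mailbox that would be touched, which is the moment to spot a printer or monitoring account that should have been on the allow-list. Mailboxes already hardened are skipped to avoid needless writes, and exempt mailboxes still appear in the report with Exempt set to True so the exceptions stay visible for periodic review.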

 

3. (Optional) Allowing basic login from inside the network

You may have network printers, a SIEM, or other internal systems that still need to use basic authentication. The following configuration example allows basic authentication from inside the corporate network while requiring MFA for login attempts from outside it.

O365 MFA.png

 

 

  • Next, edit your Office 365 app settings in Centrify, then add the rule to require MFA for login attempts outside the corporate network. For detailed instructions

O365 external.png

 

  • On the left column, go to Core Services > Policies and edit the default policy. Then go to Application Policies > User Settings. Set Enable WS-Trust protocol to Yes and check Enforce application challenge with WS-Trust.

WS-trust policy.png

These settings allow basic authentication to work inside your network but fail outside it, because basic authentication cannot carry an MFA challenge.

 

Another variation is to set Enable WS-Trust protocol to No for most users: create one policy with the setting at No and assign it to the Role(s) used to grant access to the app, on top of disabling the protocols on the Exchange CAS mailbox. Then create a second role (for example "Allow WS-Trust") for the few exempted users only, whose membership can be granted through an AD security group, and a policy that allows WS-Trust as its only setting, ordered above the Deny policy the rest of the users are assigned to, and assign it to the "Allow WS-Trust" role only. Careful use of the app policy rules ensures that only a very small number of users can reach mail through the WS-Trust endpoints, and only under very specific conditions. There are many ways to configure this depending on the needs of the organization, so careful testing is recommended. Contact Centrify if expert help is needed for your deployment; the Professional Services team can help roll out the solution that fits best before you migrate to Centrify.

 

Solution 2: Mitigate unauthorized web logins and Outlook set ups

 

Use passwordless authentication at the Centrify User Portal

Enabling passwordless authentication at the Centrify User Portal can help protect against:

  • Unauthorized Office 365 web login attempts
  • Unauthorized Outlook set up attempts on a new machine

1. Create an authentication profile that does not use a password and only uses FIDO U2F Security Key and/or OATH OTP client. Set the Challenge Pass-Through Duration to No Pass-Through.

 

 Portal MFA.png

 

2. Apply the password-less authentication profile to the policy for Centrify Portal login.

   a. Log into the Centrify Admin Portal.

   b. Go to Core Services > Policies.

   c. Edit an existing policy by clicking on the name of the policy or create a new one.

   Select policy set.png

   Create a new policy and assign it to a role if you only want to apply these restrictions to a subset of users. 

   d. Go to Login Policies > Centrify Portal.

   e. Select Yes in the Enable authentication policy controls drop-down.

   f. Select the authentication profile you created/prepared in step 1 from the Default Profile drop-down.

   g. Press Save.

 

 

Blacklist/whitelist locations

Blocking by country

To minimize or eliminate MFA notifications from illegitimate login attempts, blacklist or whitelist the locations users log in from or set up Outlook/email from. If you see a pattern of unauthorized login attempts from a specific country, you can create a rule to block that country, or to block all attempts from outside your own country. Be careful with legitimate cases such as employees logging in while on vacation or on a business trip, and consider business partners and consultants in other countries who may also need access.

 

1. In the policy you just edited for passwordless authentication, go to Login Policies > Centrify Portal.

2. Click on the Add Rule button.

3. Click on the Add Filter button.

4. Click on the Filter drop-down and select Country. Select the desired Condition and Value, then click Add

country selection.png

 

Other examples: "Country not equal to United States"

Repeat this step to add additional countries.

5. Click on the drop-down list for Authentication Profile and select Not Allowed, or an authentication profile that only uses an OATH OTP client and/or a FIDO U2F Security Key, so end users will not be disturbed with illegitimate MFA requests.

6. Save the settings.

 

Blocking by IP range

Alternately you can also restrict access to only internal corporate IP ranges.

1. Add a rule for Login Policies > Centrify Portal. 

2. Add a filter to use IP Address.

3. Select the condition "outside corporate IP range", then click Add.

4. Click on the drop-down list for Authentication Profile and select Not Allowed, or an authentication profile that only uses an OATH OTP client, so end users will not be disturbed with illegitimate MFA requests.

5. Save the settings.

6. Go to Settings > Network > Corporate IP Range, then add the external IP address(es) for your corporate network(s).

 

Only allow access from company/trusted devices

Another option is to only allow login or Outlook/email set up from a company-owned device. Centrify identifies a "trusted" device as one that is enrolled in Centrify's MDM. To create this rule:

1. Add a rule for Login Policies > Centrify Portal. 

2. Add a new filter for Managed Device and select the condition False.

3. Click on the drop-down list for Authentication Profile and select Not Allowed, or an authentication profile that only uses an OATH OTP client and/or a FIDO U2F Security Key, so end users will not be disturbed with illegitimate MFA requests.

4. Save the settings.

 

Other conditional rules

You'll notice that there are other filter options such as Identity Cookie, Day of the Week, Date, Date Range, Time Range, Device OS, Browser, and Risk Level. Note: Risk Level requires additional licensing before this option is visible. You can combine these options with Country and IP Address, or use them instead if Country and IP range are too restrictive.

 

Use Outlook on Mobile

We have not yet seen brute force attacks via ActiveSync, but if you have a requirement for MFA, you'll need to use Outlook for Android and iOS, which supports Modern Authentication.

 

Summary

In conclusion, enable MFA to block attackers from getting into your accounts. Disable IMAP and SMTP AUTH at the CAS mailbox to block the majority of brute force attacks that cause AD account lockouts. And use non-push MFA options such as an OATH OTP client or a FIDO U2F Security Key, so that illegitimate login attempts neither generate MFA prompts nor lock out the account.

 

Comments
By Centrify Advisor IV
on 05-18-2018 06:04 PM

Thanks to @RyanV for his feedback. I updated this article to include blocking IMAP and SMTP at the CAS mailbox, which should block the majority of brute force attempts we have been seeing on Office 365 accounts. 
