Block legacy authentication
Demonstrate that the organization technically enforces the blocking of legacy authentication protocols on every authentication endpoint, so that users and applications cannot authenticate with non-modern methods unless they are covered by a documented, reviewed exception.
Description
What this control does
This control enforces the disabling or blocking of legacy authentication protocols (basic authentication, SMTP AUTH, POP3 and IMAP without modern authentication, and the older Office and Exchange client protocols that sign in with a username and password) that cannot carry a multi-factor challenge or modern security features. A legacy client presents the password itself on every connection rather than a token issued after an interactive sign-in, so the identity provider cannot enforce multi-factor authentication or conditional access on the session, and a guessed, stolen or captured password can be replayed directly. Basic authentication only base64-encodes the credential, which is encoding, not encryption, so on a non-TLS connection it is readable in transit. These properties make legacy endpoints the preferred target for credential stuffing, password spray and replay attacks, which need nothing more than a valid username and password to succeed. Organizations implement this by configuring authentication policies in identity platforms (e.g., Conditional Access in Azure AD, now Microsoft Entra ID; on-premises authentication gateways) to reject sign-in attempts using older protocols while permitting modern authentication methods such as OAuth 2.0 and OpenID Connect.
Control objective
What auditing this proves
Demonstrate that the organization has technically enforced the blocking of legacy authentication protocols across all authentication endpoints, that no user or application can successfully authenticate using non-modern authentication methods, and that any legacy sign-in that does succeed maps to an explicitly approved, documented exception with compensating controls.
Associated risks
Risks this control addresses
- Credential stuffing attacks succeed because legacy protocols cannot enforce multi-factor authentication, so an attacker can validate lists of stolen credentials at scale with nothing more than a username and password
- Password spray attacks bypass conditional access and risk-based authentication because legacy clients supply no device or session context for those policies to evaluate; a policy that requires MFA or a compliant device cannot be satisfied by such a client, so if legacy authentication is permitted the attempt is decided on the password alone
- Man-in-the-middle attacks intercept plaintext or base64-encoded credentials transmitted via basic authentication over non-TLS connections
- Compromised service accounts or application credentials persist undetected because legacy sign-ins carry little client context and are easy to overlook in log reviews and anomaly detection tuned for interactive, modern-auth sign-ins
- Attackers use legacy protocol endpoints as a foothold after a credential is compromised, establishing persistent mailbox or application access that never triggers an MFA prompt or a device-compliance check
- Compliance violations occur when legacy authentication permits access from unmanaged devices or untrusted locations despite organizational policies requiring device compliance checks
- Relay attacks succeed against NTLM and other legacy challenge-response mechanisms when signing or channel binding is not enforced, letting an attacker forward a victim's challenge-response exchange to another service as that user
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's authentication policy documentation identifying which legacy protocols are defined as blocked (e.g., basic auth, NTLM, legacy Office protocols).
- Export conditional access policies or equivalent authentication gateway configurations from the identity provider platform (Azure AD, Okta, on-premises AD FS).
- Review each authentication policy to identify rules explicitly blocking legacy authentication protocols and document the scope (all users, all applications, excluded users or groups, specific applications). Confirm the policy is in an enforced state: a report-only or disabled policy records legacy sign-ins but does not block them and is not evidence of enforcement.
- Select a representative sample of 10-15 user accounts spanning different roles, including privileged accounts, service accounts, and standard users.
- Attempt to authenticate using legacy protocols (e.g., configure an email client for basic authentication, run a PowerShell or scripted client that signs in with a username and password rather than an OAuth token, connect over IMAP, POP3 or SMTP AUTH) for the sampled accounts and document the failures. Confirm that each failure is the policy block rather than a rejected credential; a bad-password error from a legacy endpoint shows the endpoint is still accepting legacy sign-ins, not that they are blocked.
- Review authentication logs for the past 90 days (or the full retention period if shorter), filtering on the client application or protocol field that identifies legacy sign-ins. Analyze every successful legacy authentication and validate that each one maps to an explicitly approved exception.
- Interview IT administrators to confirm exceptions are documented, justified, have compensating controls, and are subject to periodic review.
- Test that monitoring and alerting mechanisms trigger when legacy authentication attempts occur, and verify incident response procedures address such alerts.
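The policy review and the log review above can be scripted once the evidence is exported. The following is an added example for this page, not tooling from the page or from any identity vendor. It assumes Conditional Access policies were exported from the Microsoft Graph conditionalAccessPolicy resource and sign-ins from the Graph signIn resource (the field names `state`, `conditions.clientAppTypes`, `grantControls.builtInControls`, `clientAppUsed` and `status.errorCode` are those schemas' real fields); the policy names, object IDs, user names and the exception register are constructed for illustration. It flags enforced tenant-wide legacy blocks, lists their exclusions as the exception scope to trace, and reports successful legacy sign-ins that no documented exception covers.

```python
"""Audit helpers for reviewing a legacy-auth block (added example; assumptions
are labelled).  Input is JSON exported from Microsoft Graph; samples are constructed."""
import json
from collections import Counter

# clientAppUsed values in Entra ID sign-in logs that denote modern auth.
# Everything else (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync,
# Exchange Web Services, MAPI Over HTTP, Other clients, ...) is legacy.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample: two exported Conditional Access policies.  Schema field
# names are real; display names and object IDs are made up.
SAMPLE_POLICIES_JSON = """[
 {"displayName": "Block legacy auth - all users", "state": "enabled",
  "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                 "applications": {"includeApplications": ["All"]},
                 "users": {"includeUsers": ["All"],
                           "excludeUsers": ["11111111-1111-1111-1111-111111111111"],
                           "excludeGroups": ["22222222-2222-2222-2222-222222222222"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
 {"displayName": "Block legacy auth - pilot", "state": "enabledForReportingButNotEnforced",
  "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                 "applications": {"includeApplications": ["All"]},
                 "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]"""

# Constructed sample sign-ins.  errorCode 0 is success; 53003 is the
# Conditional Access block; 50126 is an invalid username or password.
SAMPLE_SIGN_INS_JSON = """[
 {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 53003}},
 {"userPrincipalName": "svc-scanner@example.com", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@example.com", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}},
 {"userPrincipalName": "dave@example.com", "clientAppUsed": "POP3", "status": {"errorCode": 50126}}
]"""

# Constructed exception register: UPN -> legacy client types approved for it.
APPROVED_EXCEPTIONS = {"svc-scanner@example.com": {"Authenticated SMTP"}}


def assess_policy(policy):
    """Classify one exported policy: is it an enforced, tenant-wide block of
    legacy clients, and which users/groups/roles are excluded from it?"""
    cond = policy.get("conditions", {})
    client_apps = set(cond.get("clientAppTypes", []))
    users = cond.get("users", {})
    grant = policy.get("grantControls") or {}
    return {
        "name": policy.get("displayName"),
        # Report-only and disabled policies log legacy sign-ins but do not block them.
        "enforced": policy.get("state") == "enabled",
        "blocks": "block" in grant.get("builtInControls", []),
        # Both legacy client types must be covered (or the catch-all "all").
        "covers_legacy_clients": "all" in client_apps
                                 or {"exchangeActiveSync", "other"} <= client_apps,
        "all_users": "All" in users.get("includeUsers", []),
        "all_apps": "All" in cond.get("applications", {}).get("includeApplications", []),
        # Exclusions are the exception scope the auditor must trace to justifications.
        "exceptions": (users.get("excludeUsers", []) + users.get("excludeGroups", [])
                       + users.get("excludeRoles", [])),
    }


def effective_legacy_blocks(policies):
    """Return only the policies that actually enforce a tenant-wide legacy block."""
    return [a for a in map(assess_policy, policies)
            if a["enforced"] and a["blocks"] and a["covers_legacy_clients"]
            and a["all_users"] and a["all_apps"]]


def triage_sign_ins(sign_ins, approved_exceptions):
    """Count legacy sign-in attempts and list successful ones that no
    documented exception covers (each of those is an audit finding)."""
    outcomes = Counter()
    findings = []
    for s in sign_ins:
        app = s.get("clientAppUsed", "Unknown")
        if app in MODERN_CLIENT_APPS:
            continue
        upn = s.get("userPrincipalName", "<unknown>")
        succeeded = s.get("status", {}).get("errorCode") == 0
        outcomes["succeeded" if succeeded else "failed_or_blocked"] += 1
        if succeeded and app not in approved_exceptions.get(upn, set()):
            findings.append((upn, app))
    return {"legacy_attempts": sum(outcomes.values()),
            "legacy_successes": outcomes["succeeded"],
            "unapproved_successes": findings}


def run_sample_audit():
    """Run both checks over the constructed samples and return their results."""
    blocks = effective_legacy_blocks(json.loads(SAMPLE_POLICIES_JSON))
    triage = triage_sign_ins(json.loads(SAMPLE_SIGN_INS_JSON), APPROVED_EXCEPTIONS)
    return blocks, triage


if __name__ == "__main__":
    blocks, triage = run_sample_audit()
    for b in blocks:
        print(f"enforced legacy block: {b['name']} (exceptions to trace: {b['exceptions']})")
    print(triage)
```

Against the samples the pilot policy is dropped because it is report-only, the enforced policy surfaces two exclusions to trace, and the triage reports four legacy attempts, two successes, and one finding (the ActiveSync success by a user with no approved exception). On a real export, replace the sample strings with the exported files and the register with the organization's documented exception list; a non-empty `unapproved_successes` list is the evidence that the control is not fully enforced.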
Where this control is tested