Full Report
Microsoft has announced that the Microsoft 365 apps for Windows will start blocking access to files via the insecure FPRPC legacy authentication protocol by default starting late August. [...]
Analysis Summary
# Best Practices: Deprecating Legacy Authentication Protocols for Microsoft 365 File Access
## Overview
These practices focus on enhancing the security posture of Microsoft 365 environments by eliminating reliance on insecure, legacy authentication protocols like FrontPage Remote Procedure Call (FPRPC) for file access. This transition shields users from brute-force and phishing attacks commonly exploiting these outdated mechanisms.
## Key Recommendations
### Immediate Actions
1. **Review Current Legacy Protocol Usage:** Inventory all applications, scripts, or devices that currently connect to Microsoft 365 services using legacy authentication protocols, specifically focusing on FPRPC, RPS, FTP, and HTTP file opens.
2. **Communicate Upcoming Changes:** Alert end-users and application owners about the default blocking of file access via FPRPC scheduled for late August 2025, ensuring they understand the impact on business continuity.
3. **Monitor Security Event Logs:** Increase monitoring intensity for authentication failure events related to legacy protocols to establish a baseline of usage before the mandatory blocking occurs.
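A constructed baseline check for step 3, added here as an example rather than taken from Microsoft's guidance: it parses constructed file-open log lines (timestamp, application, target URL) and counts opens that depend on FTP, plain HTTP, or the FPRPC authoring endpoint, so the teams owning those applications can be listed before the block lands. The log format and the `_vti_aut/author.dll` path test for FPRPC are assumptions of the example; RPS is not covered.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample of file-open events (timestamp, application, target URL);
# the format is an assumption, not a real Microsoft 365 log schema.
SAMPLE_EVENTS = """\
2025-07-01T08:12:03Z WINWORD.EXE https://contoso.sharepoint.com/sites/fin/Q2.docx
2025-07-01T08:14:10Z EXCEL.EXE http://fileserver.corp.example/share/budget.xlsx
2025-07-01T08:15:22Z legacy-sync.exe https://contoso.sharepoint.com/_vti_bin/_vti_aut/author.dll
2025-07-01T08:20:41Z ftp-uploader.py ftp://archive.corp.example/reports/q2.csv
2025-07-01T08:21:05Z WINWORD.EXE https://contoso.sharepoint.com/sites/hr/policy.docx
2025-07-01T08:25:00Z legacy-sync.exe https://contoso.sharepoint.com/_vti_bin/_vti_aut/author.dll
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def classify(url):
    """Return the legacy protocol a file open depends on, or None for a modern HTTPS open.
    Treating a request to _vti_bin/_vti_aut/author.dll as FPRPC is an assumption here."""
    p = urlparse(url)
    if p.scheme == "ftp":
        return "FTP"
    if p.scheme == "http":
        return "HTTP"
    if p.scheme == "https" and p.path.lower().endswith("/_vti_aut/author.dll"):
        return "FPRPC"
    return None

def baseline(log_text):
    """Count legacy-protocol file opens per (application, protocol)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole baseline
        _ts, app, url = m.groups()
        proto = classify(url)
        if proto is not None:
            counts[(app, proto)] += 1
    return counts

def remediation_list(log_text):
    """Applications to modernise, ordered by how many legacy opens they generated."""
    counts = baseline(log_text)
    return sorted(((app, proto, n) for (app, proto), n in counts.items()),
                  key=lambda t: (-t[2], t[0], t[1]))

if __name__ == "__main__":
    for app, proto, n in remediation_list(SAMPLE_EVENTS):
        print(f"{app:<18} {proto:<6} {n} legacy open(s)")
```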
### Short-term Improvements (1-3 months)
1. **Identify and Remediate FPRPC Dependencies:** For any identified applications relying on FPRPC, prioritize updating them to use modern authentication methods (e.g., OAuth 2.0, bearer tokens) supported by Microsoft 365 APIs.
2. **Block Risky Attachments in Outlook:** Begin blocking risky attachment types, such as `.library-ms` and `.search-ms` files, in Microsoft Outlook to mitigate near-term phishing risks, in line with the July deployments.
3. **Disable ActiveX Controls:** Verify that ActiveX controls are disabled by default across all Windows versions of Microsoft 365 and Office 2024 applications to reduce code execution risks.
### Long-term Strategy (3+ months)
1. **Deprecate FTP and HTTP File Opens:** Configure centralized management policies to disable FTP and HTTP file open capabilities, even though they might remain allowed by default initially, to enforce a higher standard of secure connectivity.
2. **Enforce Modern Authentication via Policy:** Utilize Group Policy (GPO) or the Cloud Policy Service (CPS) to mandate the disabling or restriction of legacy authentication protocols across the entire organization, overriding user-level Trust Center settings.
3. **Implement Advanced Meeting Security:** Roll out and enforce the Microsoft Teams feature designed to block screen capturing during sensitive meetings to protect proprietary information shared during collaboration sessions.
## Implementation Guidance
### For Small Organizations
- **Focus on User Education:** Since administrative tooling might be limited, use administrative or group notifications to explicitly inform users not to attempt re-enabling FPRPC via the Trust Center settings once they are managed by policy.
- **Manual Review:** Conduct manual reviews of core workstations to ensure legacy authentication methods are not hardcoded into critical applications.
### For Medium Organizations
- **Utilize Cloud Policy Service (CPS):** Leverage the CPS for Microsoft 365 Apps settings to centrally manage and enforce the configuration for blocking legacy protocols, ensuring centralized governance.
- **Pilot Program:** Test the blocking of FPRPC on a small, non-critical user cohort before the August 2025 general availability date to validate business processes.
### For Large Enterprises
- **GPO/CPS Enforcement (Mandatory):** Immediately use Group Policy Objects (GPO) or the Cloud Policy Service (CPS) to manage authentication protocol settings. Configuring policies via CPS will prevent users from overriding security settings in the Trust Center.
- **Application Auditing:** Employ advanced application dependency mapping tools to comprehensively identify all internal and third-party applications utilizing legacy authentication paths to create a structured remediation roadmap.
## Configuration Examples
**Enforcing Protocol Disablement via Cloud Policy Service (CPS):**
Administrators should configure settings under the **Cloud Policy Service (CPS) > Microsoft 365 Apps settings** to explicitly set authentication protocol preferences.
*Example Policy Action:* Configure the setting controlling the legacy protocol access to *Disabled* or explicitly deny access via FPRPC, RPS, FTP, and HTTP file operations. *Note: Specific CPS policy names for these settings must be confirmed in the latest Microsoft documentation.*
**User Trust Center Management (Warning):**
During the transition period, users might be able to re-enable FPRPC via the Trust Center settings in applications like Word or Excel (under File > Options > Trust Center > Trust Center Settings). **Administrators must use GPO or CPS to manage these settings to ensure they cannot be bypassed by end-users.**
## Compliance Alignment
- **NIST CSF:** Implements controls under **ID.RA (Risk Assessment)** and **PR.AC (Personnel Access Control)** by removing pathways exploited by known attack vectors.
- **ISO 27001:** Aligns with controls related to system hardening and secure application development practices by moving away from insecure legacy authentication.
- **CIS Benchmarks:** Supports hardening of endpoint software (Microsoft 365 Apps) by disabling insecure features (ActiveX, legacy protocols).
## Common Pitfalls to Avoid
1. **Assuming Default Blocking is Sufficient:** Do not rely solely on Microsoft's default rollout schedule. Proactively enforce restrictions via GPO/CPS immediately to establish the most secure configuration possible now.
2. **Ignoring User Configuration Override:** Failing to manage settings via CPS or GPO will allow users to potentially re-enable FPRPC through the Trust Center, undermining the security improvement.
3. **Delaying Application Remediation:** Pushing all remediation until after the default block date risks service disruption for legacy-dependent systems still in use. Start modernizing applications immediately.
4. **Forgetting Other Legacy Protocols:** Focusing only on FPRPC while ignoring the continued default allowance of FTP and HTTP file opens leaves secondary, insecure access vectors open.
## Resources
- **Microsoft 365 Security Documentation:** Consult the authoritative documentation portal for the precise GPO/CPS configuration keys related to legacy authentication block policies.
- **MITRE ATT&CK Framework:** Use the framework to understand how the targeted legacy protocols facilitate successful brute-force and phishing campaigns (e.g., T1110 Brute Force, T1566 Phishing).