An open issue with SfB Server has been that someone can get a list of accounts, try lots of random passwords against them, and lock those accounts out.
With the new Get/Set-CsAuthConfig cmdlets in CU7, you can shut down NTLM and Forms Based Auth externally.
For more PowerShell information:
- Get-CsAuthConfig https://github.com/MicrosoftDocs/office-docs-powershell/blob/master/skype/skype-ps/skype/Get-CsAuthConfig.md
- Set-CsAuthConfig https://github.com/MicrosoftDocs/office-docs-powershell/blob/master/skype/skype-ps/skype/Set-CsAuthConfig.md
Then, you configure your servers to only accept Certificate Based Auth externally. (NOTE: You need Modern Authentication to use CBA.)
Now that username/password auth is disabled, your users use Certificate Based Auth to get in externally.
Here is an article that explains the details: https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/modern-authentication/turn-on-modern-auth