Skype for Business Server 2015 CU7 Now Supports Blocking external NTLM (username/password auth) for Security

An open potential issue with SfB server has been the potential to get a list of accounts, try lots of random passwords and lock those accounts out.

With the new Get/Set-CsAuthConfig cmdlets in CU7, you can shut down NTLM and Forms Based Auth externally.

For more PowerShell information:

• Get-CsAuthConfig https://github.com/MicrosoftDocs/office-docs-powershell/blob/master/skype/skype-ps/skype/Get-CsAuthConfig.md
• Set-CsAuthConfig https://github.com/MicrosoftDocs/office-docs-powershell/blob/master/skype/skype-ps/skype/Set-CsAuthConfig.md

Then, you configure your servers to only accept Certificate Based Auth externally. (NOTE: You need Modern Authentication to use CBA.)

Now username/password auth is disabled, your users use Certificate Based Auth to get in externally

Here is an article that explains the details: https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/modern-authentication/turn-on-modern-auth

Original Microsoft post: https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/SfB-Server-Now-Supports-Blocking-NTLM-Externally/ba-p/261696