Difference between revisions of "Windows Federated Services"

From Michael's Information Zone
Revision as of 10:26, 30 October 2019

General Notes

This service is easy enough to get up and running using Server Manager. In my case I have Server 2016 Core running in AWS on a private subnet.
You do need to ensure you have the following:

  • A certificate for the publicly accessible FQDN, i.e. sts.yourdomain.tld. This does NOT need to match your internal domain.
    • A CSR can be created using Windows MMC[1] and is easy to do.
    • Make sure to import the acquired cert back into the same system that created the CSR, then export the whole thing with the private key (a PFX). The proxy terminates TLS for the public name, so it needs the key as well, not just the public certificate.
  • Have a dedicated service account created in AD.
  • Firewall issues will get you if you are not careful: the proxy needs TCP 443 to the internal federation server, clients need TCP 443 to the proxy, and the federation server itself should not be reachable from the internet at all.

Enable test page

This is used to test sign in.[2]
I was able to log in from both the native domain as well as a trusted domain without further configuration.

Set-AdfsProperties -EnableIdpInitiatedSignonPage $True

Then go to https://sts.yourdomain.tld/adfs/ls/idpinitiatedsignon.htm

The page is off by default on AD FS 2016 because it puts a username/password form in front of anyone who can reach the proxy, which is exactly what password-spraying tools look for. Set the same property back to $False once testing is done.

AD FS Proxy

In my case I wanted to use Server 2016 Core and NOT enroll it in my domain. Domain joined computers on the internet scare me. [3]

  • The proxy has to resolve the federation service name (sts.yourdomain.tld) to the internal AD FS server, not to its own public address. Please make sure that you either used an alternate name in the certificate, or you will need to add a host to the hosts file. i.e.
$newhost='xxx.xxx.xxx sts.yourdomain.tld'   # internal IP of the AD FS server, then the public name
$newhost | Out-File -FilePath C:\Windows\System32\drivers\etc\hosts -Append -Encoding ascii
  • If you haven't, install the certificate, copying it from another server if needed. The PFX must contain the private key.
$mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password below'
Import-PfxCertificate -FilePath C:\sts.yourdomain.tld.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd.Password
  • Make sure you have the certificate thumbprint/hash as well. netsh http show sslcert only lists certificates that are already bound to a port, so on a fresh proxy nothing shows up until after the install; read the thumbprint from the store instead:
Get-ChildItem Cert:\LocalMachine\My | Format-List Subject, DnsNameList, Thumbprint, NotAfter
  • Install the role and join it to the federation service. $FScredential is an account with local administrator rights on the AD FS server; the proxy is not domain joined, so it has to be entered by hand.
$FScredential = Get-Credential -Message 'Account with admin rights on the AD FS server'
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
Install-WebApplicationProxy -FederationServiceName "sts.yourdomain.tld" -FederationServiceTrustCredential $FScredential -CertificateThumbprint "0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d"
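The whole proxy procedure above as one script, with the pre-flight checks that catch the two classic failures (the public name resolving to the wrong address, and a PFX exported without its key). This is an added example and not code from the original page; the federation service name, the internal AD FS address, the PFX path and the wildcard handling are assumptions to replace with your own values.

```powershell
# Added example, not from the original page: pre-flight checks plus install for a
# non-domain-joined Web Application Proxy. Run elevated on the proxy itself.
# Assumed values: the federation service name, the internal AD FS IP and the PFX path.
$FederationServiceName = 'sts.yourdomain.tld'        # public name on the certificate
$InternalAdfsAddress   = '10.0.1.10'                  # assumption: private IP of the AD FS server
$PfxPath               = 'C:\sts.yourdomain.tld.pfx'  # assumption: PFX copied to the proxy

function Assert-FederationNameResolvesInternally {
    param([string]$Name, [string]$ExpectedAddress)
    # The proxy must reach the INTERNAL federation server under the public name.
    # GetHostAddresses honours the hosts file; Resolve-DnsName would bypass it.
    $resolved = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
    if ($resolved -notcontains $ExpectedAddress) {
        throw "$Name resolves to [$($resolved -join ', ')] instead of $ExpectedAddress; fix split DNS or add a hosts entry."
    }
}

function Import-ProxyCertificate {
    param([string]$Path, [string]$Name)
    $pfxPassword = Read-Host -Prompt "PFX password for $Path" -AsSecureString
    $cert = Import-PfxCertificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
    # The proxy terminates TLS for the public name, so it needs the key, not just the public cert.
    if (-not $cert.HasPrivateKey) {
        throw 'PFX has no private key; re-export it from the machine that made the CSR with the key included.'
    }
    # DnsNameList carries the SAN entries; -like lets a wildcard name (*.yourdomain.tld) match too.
    $names = $cert.DnsNameList | ForEach-Object { $_.Unicode }
    if (-not ($names | Where-Object { $Name -like $_ })) {
        throw "Certificate covers [$($names -join ', ')], not $Name."
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires on $($cert.NotAfter); renew it before it breaks the proxy trust."
    }
    return $cert
}

Assert-FederationNameResolvesInternally -Name $FederationServiceName -ExpectedAddress $InternalAdfsAddress
$cert = Import-ProxyCertificate -Path $PfxPath -Name $FederationServiceName

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
# Account that is a local administrator on the AD FS server. The proxy is not domain joined,
# so there is no machine identity to fall back on and the credential has to be typed in.
$FScredential = Get-Credential -Message 'Account with admin rights on the AD FS server'
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
    -FederationServiceTrustCredential $FScredential `
    -CertificateThumbprint $cert.Thumbprint
```

Because of the hosts entry, any probe of https://sts.yourdomain.tld run on the proxy itself goes straight to the internal server; to test the proxy you have to connect from the internet side.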



Manage using headless server

This does not work

  • To manage the headless server using Server Manager
    • Give the server a FQDN and manually add the DNS entry.
    • Add the server to the trusted hosts for management[4]

Note: If your trusted hosts entry is empty, then just use the Set-Item command without the $CurrentList variable (or pass -Concatenate, which appends to whatever is there, empty or not).

$CurrentList = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "Server03.Domain.local, $CurrentList"
  • On the target computer, allow elevated remote sessions. Be aware that LocalAccountTokenFilterPolicy=1 switches off UAC remote restrictions for every local administrator account, so a leaked local admin password or hash then gives full remote admin over the internet-facing proxy; set it back to 0 once you are done.
New-ItemProperty -Name LocalAccountTokenFilterPolicy -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -PropertyType DWord -Value 1 -Force

Hardening

[5] The reference from Microsoft is rather vague. It looks like these settings can be applied to either the proxy or the internal server. Testing is needed as I am unable to find the AD FS PowerShell modules on a clean install of a WAP. I assume you would need to install the AD FS package, but this would defeat the purpose. For now the following is being performed on the internal server.

  • Enforce ExtendedProtectionTokenCheck [6]. Require makes AD FS reject Windows-authenticated requests that arrive without a channel binding token, which stops credentials being relayed through a TLS-terminating man-in-the-middle; it also fails clients that never send one (older browsers, load balancers doing TLS offload in front of AD FS), so test with everything in use before moving off the default of Allow.
set-adfsproperties -ExtendedProtectionTokenCheck Require
  • Disable unneeded and vulnerable endpoints[7]. The following are recommended based on what I have read. Note that -Proxy $false only stops the endpoint being published through the WAP; it stays reachable on the internal network. Disable-AdfsEndpoint turns one off completely.
Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/2005/windowstransport -Proxy $false
Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/13/windowstransport -Proxy $false

I disabled these because they are of "Authentication Type" Password. Be aware that /adfs/services/trust/13/usernamemixed is the endpoint legacy Office 365 clients using basic authentication go through to get a token, so unpublishing it breaks those clients; that is usually the point, because it is also the endpoint password sprayers target, but check for such clients first.

Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/13/usernamemixed -Proxy $false
Set-AdfsEndpoint -TargetAddressPath /adfs/services/trust/2005/usernamemixed -Proxy $false
  • Set time outs and softlock[8]. The extranet threshold must be lower than the AD account lockout threshold; otherwise AD locks the account before the soft lock ever engages and an attacker can still lock users out from the internet. With a threshold of 2 and a 30 minute window, two bad passwords through the proxy stop further extranet attempts for that account until the window passes, while internal logins keep working.
Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 2 -ExtranetObservationWindow (new-timespan -Minutes 30)
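To check the baseline this section builds against a running system, here is an added example that is not from the original page. Get-AdfsHardeningFindings runs on the internal AD FS server and lists every setting that drifts from the values applied above (including the test page from earlier); Test-AdfsPathsFromOutside runs from a host on the internet side of the proxy and records what each unpublished path returns there, so you can confirm the -Proxy $false changes actually took effect. The AD lockout threshold parameter and the federation service name are assumptions; take the real threshold from Get-ADDefaultDomainPasswordPolicy.

```powershell
# Added example, not from the original page. Two checks for the hardening above:
# one reads the live AD FS configuration, the other probes the proxy from outside.
# Assumptions: the endpoint list mirrors the Set-AdfsEndpoint calls on this page, and
# $AdLockoutThreshold is whatever your domain policy says (Get-ADDefaultDomainPasswordPolicy).
$PasswordEndpoints = @(
    '/adfs/services/trust/2005/windowstransport',
    '/adfs/services/trust/13/windowstransport',
    '/adfs/services/trust/2005/usernamemixed',
    '/adfs/services/trust/13/usernamemixed'
)

function Get-AdfsHardeningFindings {
    # Run on the internal federation server. Returns one line per deviation; empty output means clean.
    param([int]$AdLockoutThreshold = 10)   # assumption: replace with the domain's LockoutThreshold
    $props = Get-AdfsProperties
    $findings = @()
    if ("$($props.ExtendedProtectionTokenCheck)" -ne 'Require') {
        $findings += "ExtendedProtectionTokenCheck is $($props.ExtendedProtectionTokenCheck), expected Require"
    }
    if ($props.EnableIdpInitiatedSignonPage) {
        $findings += 'IdP-initiated sign-on test page is still enabled'
    }
    if (-not $props.EnableExtranetLockout) {
        $findings += 'Extranet soft lockout is off'
    } elseif ($props.ExtranetLockoutThreshold -ge $AdLockoutThreshold) {
        # If AD locks first, the soft lock never engages and internet-side lockout DoS still works.
        $findings += "ExtranetLockoutThreshold $($props.ExtranetLockoutThreshold) is not below the AD lockout threshold $AdLockoutThreshold"
    }
    foreach ($endpoint in Get-AdfsEndpoint) {
        if ($PasswordEndpoints -contains $endpoint.AddressPath -and $endpoint.Proxy) {
            $findings += "$($endpoint.AddressPath) is still published through the proxy"
        }
    }
    return $findings
}

function Test-AdfsPathsFromOutside {
    # Run from a machine that reaches the proxy, not the federation server. Reports the HTTP
    # status each path returns; /adfs/ls/ stays published and serves as the reference answer.
    param([string]$FederationServiceName, [string[]]$Paths = ($PasswordEndpoints + '/adfs/ls/'))
    foreach ($path in $Paths) {
        $uri = "https://$FederationServiceName$path"
        try {
            $response = Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop
            $status = $response.StatusCode
        } catch {
            # Non-2xx answers surface as exceptions; read the code off the attached response if there is one.
            $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'no response' }
        }
        [pscustomobject]@{ Path = $path; Status = $status }
    }
}

# Usage: first on the AD FS server, then from an external host.
# Get-AdfsHardeningFindings -AdLockoutThreshold (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
# Test-AdfsPathsFromOutside -FederationServiceName 'sts.yourdomain.tld' | Format-Table
```

The external probe deliberately does not decide published versus unpublished from a status code, because the WS-Trust endpoints answer a plain GET differently from the forms endpoint anyway; compare each path's result with the /adfs/ls/ line, and re-run it after any proxy change.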