How can you Protect Your ADFS against Hackers?

There are two ways in which hackers try to gain access to a user’s account, either by password spraying or by a brute force attack. In contrast to the brute force password attack, Hackers execute a password spraying assault by trying different common passwords across many accounts to luckily gain access to some user’s account.

This pattern avoids any detection of security monitors because it is similar to a failed login attempt. A software component developed by Microsoft, Active Directory Federation Services runs on a Windows Operating System to provide users with single sign-on access to systems and applications located across organizational boundaries.

The identity access solution provides client computers (internal or external to a network) with uninterrupted SINGLE SIGN-ON access to internet-facing applications even when the user accounts and applications are located in an entirely different organization or network.

Organizations are able to bypass requests for a user’s secondary credentials by providing trust relationships which the organization can use to project a user’s digital identity and access rights to partners.

For the attackers it is like a game because they know that there are some common passwords out there which they can use to gain access to user’s accounts. Organizations using ADFS would be vulnerable to these attacks when they are successful as hackers would gain access to parts of the organizations more easily.

There are no significant targets in this type of attack, they try to have successful attempts for more exploitation. They use the account to send phishing emails, links and texts (smishing), access a user’s personal data or even expand the spray target group. ADFS and networks need to be configured correctly to secure against these attacks.

Measures Taken by ADFS to Prevent Hackers

1. Baseline

Microsoft recommends users upgrade to AD FS 2016. In AD FS 2016, you can implement an extranet smart lockout that will be used to track familiar locations and will allow users to come through if they have previously logged in from that location

Using this, you can ensure threat actors will not be able to brute force attack the users and will only allow the legitimate users to have access. AD FS 2016 also has an Extranet banned IP address feature to block requests from flagged IP addresses

Using the Azure Active Directory Premium edition, it comes with more demanding identity and access management needs. You can implement Connect Health for AD FS and it also provides a Risky IP report notification.

This allows you to investigate IP’s that are generating large amounts of failed logins. You can also use Azure password protection to prevent guessable passwords from getting into Azure AD.

2. Protect your Extranet

This involves the use of modern authentication for clients accessing from the extranet and also enabling multi-factor authentication (MFA). Azure AD Conditional Access policies can be used to control the MFA in the Azure AD premium.

If you don’t have Azure AD or any apps that allow internet-based access, you can implement MFA and do a global MFA policy for all extranet access.

3. Move to Passwordless for all extranet access

Move to Windows 10 and use Hello For Business and if on AD FS 2016. You can use Azure MFA OTP as the first factor and a password as the second factor for your authentication. Certificates can also be used to log in users using MDM managed mobile devices.

The suggestion of not using a password means that accounts with passwords have been realized to be weak and vulnerable to attacks. Forgetting passwords can be very painful too when trying to gain access. Security is now beyond passwording, this is definitely to ensure optimum protection against some cyber attacks.