11/19/2023

Fs secure

AD FS requires a full writable Domain Controller to function, as opposed to a Read-Only Domain Controller. If a planned topology includes a Read-Only Domain Controller, the RODC can be used for authentication, but LDAP claims processing requires a connection to a writable Domain Controller.

The following is a list of best practices and recommendations for hardening and securing your AD FS deployment:

- Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system.
- Reduce local Administrators group membership on all AD FS servers.
- Require all cloud admins to use Multi-Factor Authentication (MFA).
- Minimal administration capability via agents.
- Limit access on-network via the host firewall.
- Ensure AD FS Admins use Admin Workstations to protect their credentials.
- Place AD FS server computer objects in a top-level OU that doesn't also host other servers.
- All GPOs that apply to AD FS servers should apply only to them and not to other servers as well. This limits potential privilege escalation through GPO modification.
- Ensure the installed certificates are protected against theft (don't store these on a share on the network) and set a calendar reminder to ensure they get renewed before expiring (an expired certificate breaks federation auth). Additionally, we recommend protecting signing keys/certificates in a hardware security module (HSM) attached to AD FS.
- Set logging to the highest level and send the AD FS (and security) logs to a SIEM to correlate with AD authentication as well as Azure AD (or similar).
- Remove unnecessary protocols and Windows features.
- Use a long (>25 characters), complex password for the AD FS service account. We recommend using a Group Managed Service Account (gMSA) as the service account, as it removes the need to manage the service account password over time by rotating it automatically.
- Update to the latest AD FS version for security and logging improvements (as always, test first).

Firewall ports

The diagram below depicts the firewall ports that must be enabled between and amongst the components of the AD FS and WAP deployment. If the deployment does not include Azure AD / Office 365, the sync requirements can be disregarded.

Port 808 (Windows Server 2012 R2) or port 1501 (Windows Server 2016+) is the Net.TCP port AD FS uses for the local WCF endpoint to transfer configuration data to the service process and PowerShell. This port can be seen by running Get-AdfsProperties | select NetTcpPort. It is a local port that does not need to be opened in the firewall, but it will show up in a port scan.

Communication between Federation Servers

Federation servers in an AD FS farm communicate with the other servers in the farm and with the Web Application Proxy (WAP) servers via HTTP port 80 for configuration synchronization. Making sure that only these servers can communicate with each other, and no others, is a defense-in-depth measure. Organizations can achieve this state by setting up firewall rules on each server.
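The following script is an added example, not code from the original post or from Microsoft, that ties together the firewall scoping just described and several items from the hardening list above. It runs elevated on a federation server and assumes the ADFS, NetSecurity and Microsoft.PowerShell.LocalAccounts modules are available; the `$FarmMembers` addresses, the `$CertWarningDays` threshold and the rule name are illustrative placeholders, not values from the page.

```powershell
# Added example (not the original post's code): check a few AD FS hardening
# items and scope the config-sync port-80 rule to farm members only.
# Assumes: elevated session on a federation server; ADFS, NetSecurity and
# Microsoft.PowerShell.LocalAccounts modules present. $FarmMembers below are
# placeholder addresses, not a real farm.
param(
    # IPv4 addresses of the other federation servers and the WAP servers (placeholders).
    [string[]]$FarmMembers = @('10.0.1.11', '10.0.1.12', '10.0.2.21'),
    [int]$CertWarningDays = 60,
    [switch]$ApplyFirewallRule
)

$findings = @()

# 1. Net.TCP WCF endpoint (808 on 2012 R2, 1501 on 2016+) is local-only:
#    report it so nobody opens it inbound after seeing it in a port scan.
$props = Get-AdfsProperties
$findings += "Net.TCP config port: $($props.NetTcpPort) (local only; do not open inbound)"

# 2. Certificate expiry: an expired token-signing or service-communications
#    certificate breaks federation authentication, so warn ahead of time.
foreach ($c in Get-AdfsCertificate) {
    $daysLeft = ($c.Certificate.NotAfter - (Get-Date)).Days
    $state = if ($daysLeft -lt 0) { 'EXPIRED' }
             elseif ($daysLeft -lt $CertWarningDays) { 'EXPIRING' }
             else { 'ok' }
    $findings += "$($c.CertificateType) $($c.Thumbprint) primary=$($c.IsPrimary) expires in $daysLeft days: $state"
}

# 3. Service account: a gMSA name ends in '$' and needs no manual password rotation.
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
$isGmsa = $svc.StartName -match '\$$'
$findings += "Service account $($svc.StartName): " +
    $(if ($isGmsa) { 'gMSA' } else { 'NOT a gMSA (use a long, complex password or migrate to gMSA)' })

# 4. Local Administrators membership should be minimal; list it for review.
$admins = Get-LocalGroupMember -Group 'Administrators'
$findings += "Local Administrators ($($admins.Count)): " + (($admins | ForEach-Object Name) -join ', ')

# 5. Logging: AD FS audit level (property exists on 2016+) and the Windows
#    'Application Generated' audit subcategory that AD FS security events rely on.
if ($props.PSObject.Properties['AuditLevel']) {
    $findings += "AD FS AuditLevel: $($props.AuditLevel -join ',') (Verbose recommended, then forward to a SIEM)"
}
$findings += (auditpol /get /subcategory:"Application Generated" | Where-Object { $_ -match 'Application Generated' })

# 6. Config-sync TCP 80 should be reachable only from farm members and WAP servers.
#    Windows Firewall evaluates Block before Allow, so a blanket Block rule would
#    also kill the farm traffic; use block-by-default plus one scoped Allow rule.
$ruleName = 'AD FS farm config sync (TCP 80, farm members only)'   # placeholder name
if ($ApplyFirewallRule) {
    Set-NetFirewallProfile -Name Domain, Private, Public -DefaultInboundAction Block
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 80 -RemoteAddress $FarmMembers -Action Allow -Profile Domain | Out-Null
    $findings += "Created inbound rule '$ruleName' scoped to: $($FarmMembers -join ', ')"
} else {
    $findings += "Firewall rule not applied (re-run with -ApplyFirewallRule to scope TCP 80 to $($FarmMembers -join ', '))"
}

$findings
```

Run it once without `-ApplyFirewallRule` to review the findings, then again with the switch on each federation server. The rule only governs TCP 80; any pre-existing, unscoped Allow rule for port 80 (check with `Get-NetFirewallRule | Get-NetFirewallPortFilter`) would still widen access and should be removed, and the 443 rules that clients and the WAP need are left untouched.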