Microsoft provides best practices for the secure planning and deployment of Active Directory Federation Services (AD FS) and Web Application Proxy.
For deployment in on-premises environments, Microsoft recommends a standard deployment topology consisting of one or more AD FS servers on the internal corporate network, with one or more Web Application Proxy (WAP) servers in a DMZ or extranet network.
Hardening your AD FS servers
Here is the list of best practices and recommendations for hardening and securing your AD FS deployment:
- Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system.
- Reduce local Administrators group membership on all AD FS servers.
- Require all cloud admins use Multi-Factor Authentication (MFA).
- Minimal administration capability via agents.
- Limit access on-network via host firewall.
- Ensure AD FS Admins use Admin Workstations to protect their credentials.
- Place AD FS server computer objects in a top-level OU that doesn’t also host other servers.
- All GPOs that apply to AD FS servers should only apply to them and not other servers as well. This limits potential privilege escalation through GPO modification.
- Ensure the installed certificates are protected against theft (don’t store these on a share on the network) and set a calendar reminder to ensure they get renewed before expiring (expired certificate breaks federation auth). Additionally, protect signing keys/certificates in a hardware security module (HSM) attached to AD FS.
- Set logging to the highest level and send the AD FS (& security) logs to a SIEM to correlate with AD authentication as well as AzureAD (or similar).
- Remove unnecessary protocols & Windows features
- Use a long (>25 characters), complex password for the AD FS service account. We recommend using a Group Managed Service Account (gMSA) as the service account, as it removes the need for managing the service account password over time by managing it automatically.
- Update to the latest AD FS version for security and logging improvements (as always, test first).
Hardware Security Module (HSM)
In its default configuration, the keys AD FS uses to sign tokens never leave the federation servers on the intranet. They are never present in the DMZ or on the proxy machines. Optionally to provide additional protection, Microsoft recommends protecting these keys in a hardware security module (HSM) attached to AD FS. Microsoft does not produce an HSM product, however there are several on the market that support AD FS. In order to implement this recommendation, follow the vendor guidance to create the X509 certs for signing and encryption, then use the AD FS installation powershell commandlets, specifying your custom certificates.
Generating and storing cryptographic keys in dedicated hardware devices has been best practice for more than two decades now - your organization should follow it, too.
Read original article here.
Source: Microsoft/CREAplus cybersecurity team