Hardening your AD FS servers with HSMs

Microsoft provides best practices for the secure planning and deployment of Active Directory Federation Services (AD FS) and Web Application Proxy.

For deployment in on-premises environments, Microsoft recommends a standard deployment topology consisting of one or more AD FS servers on the internal corporate network, with one or more Web Application Proxy (WAP) servers in a DMZ or extranet network.

Hardening your AD FS servers

Here is the list of best practices and recommendations for hardening and securing your AD FS deployment:

  • Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system.
  • Reduce local Administrators group membership on all AD FS servers.
  • Require that all cloud admins use Multi-Factor Authentication (MFA).
  • Keep administration capability exposed through management agents to a minimum.
  • Limit on-network access to the AD FS servers with the host firewall.
  • Ensure AD FS Admins use Admin Workstations to protect their credentials.
  • Place AD FS server computer objects in a top-level OU that doesn’t also host other servers.
  • All GPOs that apply to AD FS servers should only apply to them and not other servers as well. This limits potential privilege escalation through GPO modification.
  • Ensure the installed certificates are protected against theft (don’t store these on a share on the network) and set a calendar reminder to ensure they get renewed before expiring (expired certificate breaks federation auth). Additionally, protect signing keys/certificates in a hardware security module (HSM) attached to AD FS.
  • Set logging to the highest level and forward the AD FS and Security event logs to a SIEM, so they can be correlated with AD authentication events and with Azure AD (or similar) sign-in logs.
  • Remove unnecessary protocols and Windows features.
  • Use a long (>25 characters), complex password for the AD FS service account. We recommend using a Group Managed Service Account (gMSA) as the service account, as it removes the need for managing the service account password over time by managing it automatically.
  • Update to the latest AD FS version for security and logging improvements (as always, test first).

Hardware Security Module (HSM)

In its default configuration, the keys AD FS uses to sign tokens never leave the federation servers on the intranet. They are never present in the DMZ or on the proxy machines. Optionally, to provide additional protection, Microsoft recommends protecting these keys in a hardware security module (HSM) attached to AD FS. Microsoft does not produce an HSM product; however, several HSMs on the market support AD FS. To implement this recommendation, follow the vendor guidance to create the X.509 certificates for signing and encryption, then run the AD FS installation PowerShell cmdlets, specifying your custom certificates.

Generating and storing cryptographic keys in dedicated hardware devices has been best practice for more than two decades; your organization should follow it, too.
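As an added example (not code from the article, from Microsoft or from any HSM vendor), the PowerShell below puts the HSM paragraph together with the logging and gMSA recommendations into practice: it installs the first farm node with vendor-issued certificates, raises logging to the highest level, and then checks which key storage provider actually holds each token-signing and token-decrypting private key. The federation service name, gMSA, thumbprints and HSM provider name are placeholders you fill in from your own deployment and your vendor's documentation; run it elevated on the federation server.

```powershell
# Added example, not from the article: deploy AD FS with HSM-backed certificates
# and verify afterwards that no token key is held by a software key provider.
$fsName       = 'fs.example.com'                          # placeholder: federation service name
$gmsa         = 'CONTOSO\adfs-gmsa$'                      # placeholder: pre-created gMSA
$sslThumb     = '<SSL certificate thumbprint>'            # placeholder
$signThumb    = '<HSM-backed token-signing thumbprint>'   # placeholder
$decryptThumb = '<HSM-backed token-decrypting thumbprint>'# placeholder
$hsmProvider  = '<vendor key storage provider name>'      # placeholder: from vendor docs

# 1. Install the farm with custom certificates. Passing -SigningCertificateThumbprint and
#    -DecryptionCertificateThumbprint replaces the self-signed, auto-rolled certificates,
#    so the signing key stays wherever the certificate's private key lives (the HSM).
Install-AdfsFarm -CertificateThumbprint $sslThumb `
    -FederationServiceName $fsName `
    -GroupServiceAccountIdentifier $gmsa `
    -SigningCertificateThumbprint $signThumb `
    -DecryptionCertificateThumbprint $decryptThumb

# 2. Highest log level plus verbose auditing into the Security log (forward both to the SIEM).
Set-AdfsProperties -LogLevel @('Errors','FailureAudits','Information','Verbose','SuccessAudits','Warnings')
Set-AdfsProperties -AuditLevel Verbose
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

# 3. Verify: each token certificate's private key must sit in the HSM provider and be
#    non-exportable. A key reported under a Microsoft software KSP/CSP defeats the purpose.
function Get-KeyProviderInfo([string]$Thumbprint) {
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {            # CNG key (KSP)
        return @{ Provider = $rsa.Key.Provider.Provider
                  Exportable = ($rsa.Key.ExportPolicy -ne 'None') }
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {  # legacy CSP key
        return @{ Provider = $rsa.CspKeyContainerInfo.ProviderName
                  Exportable = $rsa.CspKeyContainerInfo.Exportable }
    }
    return @{ Provider = $null; Exportable = $null }
}

foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    foreach ($c in Get-AdfsCertificate -CertificateType $type) {
        $info = Get-KeyProviderInfo $c.Thumbprint
        $ok   = ($info.Provider -eq $hsmProvider) -and (-not $info.Exportable)
        '{0,-16} {1} primary={2} provider={3} exportable={4} -> {5}' -f $type, $c.Thumbprint,
            $c.IsPrimary, $info.Provider, $info.Exportable, $(if ($ok) { 'OK' } else { 'NOT HSM-PROTECTED' })
    }
}

# Custom certificates disable automatic rollover, so renewal must be scheduled (see the list above).
'AutoCertificateRollover = {0}' -f (Get-AdfsProperties).AutoCertificateRollover
```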

Source: Microsoft/CREAplus cybersecurity team
