Hardening your AD FS servers with HSMs

Microsoft provides best practices for the secure planning and deployment of Active Directory Federation Services (AD FS) and Web Application Proxy.

For deployment in on-premises environments, Microsoft recommends a standard deployment topology consisting of one or more AD FS servers on the internal corporate network, with one or more Web Application Proxy (WAP) servers in a DMZ or extranet network.

Hardening your AD FS servers

Here is the list of best practices and recommendations for hardening and securing your AD FS deployment:

  • Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system.
  • Reduce local Administrators group membership on all AD FS servers.
  • Require all cloud admins to use Multi-Factor Authentication (MFA).
  • Keep administration capability via agents (management or monitoring agents on the AD FS servers) to a minimum.
  • Limit access on-network via host firewall.
  • Ensure AD FS Admins use Admin Workstations to protect their credentials.
  • Place AD FS server computer objects in a top-level OU that doesn’t also host other servers.
  • All GPOs that apply to AD FS servers should only apply to them and not other servers as well. This limits potential privilege escalation through GPO modification.
  • Ensure the installed certificates are protected against theft (don’t store these on a share on the network) and set a calendar reminder to ensure they get renewed before expiring (expired certificate breaks federation auth). Additionally, protect signing keys/certificates in a hardware security module (HSM) attached to AD FS.
  • Set logging to the highest level and send the AD FS (and security) logs to a SIEM to correlate with AD authentication as well as Azure AD (or similar).
  • Remove unnecessary protocols and Windows features.
  • Use a long (>25 characters), complex password for the AD FS service account. We recommend using a Group Managed Service Account (gMSA) as the service account, as it removes the need for managing the service account password over time by managing it automatically.
  • Update to the latest AD FS version for security and logging improvements (as always, test first).

Hardware Security Module (HSM)

In its default configuration, the keys AD FS uses to sign tokens never leave the federation servers on the intranet; they are never present in the DMZ or on the proxy machines. Optionally, to provide additional protection, Microsoft recommends protecting these keys in a hardware security module (HSM) attached to AD FS. Microsoft does not produce an HSM product; however, several products on the market support AD FS. To implement this recommendation, follow the vendor guidance to create the X.509 certificates for signing and encryption, then use the AD FS installation PowerShell cmdlets, specifying your custom certificates.
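The HSM step above carried out in PowerShell on an AD FS 2016 or later server, as an added example that is not part of the Microsoft/CREAplus article: locate the vendor-enrolled certificates, confirm their private keys are held by the HSM's CNG key storage provider (assumed; a CAPI-only provider would fail the check), create the farm with those thumbprints and a gMSA, and turn auditing up. The federation service name, gMSA, certificate subjects and provider name are placeholders.

```powershell
# Added example: AD FS farm install with HSM-backed token-signing and decryption
# certificates. Assumes the HSM vendor's key storage provider (KSP) is installed and the
# certificates were enrolled into LocalMachine\My per vendor guidance. Names are placeholders.
$FederationServiceName = 'fs.example.com'               # placeholder
$GmsaIdentifier        = 'EXAMPLE\adfs-svc$'            # placeholder gMSA (recommended above)
$HsmProviderName       = 'Vendor Key Storage Provider'  # placeholder: the vendor's KSP name

# Locate the three certificates by subject (placeholder subjects).
$ssl  = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq "CN=$FederationServiceName"
$sign = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq 'CN=ADFS Signing - fs.example.com'
$dec  = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq 'CN=ADFS Encryption - fs.example.com'

# Verify the signing and decryption private keys actually live in the HSM's KSP
# rather than in a software provider from which they could be exported.
foreach ($c in @($sign, $dec)) {
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
    if ($null -eq $key -or $key.Key.Provider.Provider -ne $HsmProviderName) {
        throw "Private key for '$($c.Subject)' is not held by HSM provider '$HsmProviderName'."
    }
}

# Create the farm with the custom certificates by thumbprint and the gMSA as service account.
Install-AdfsFarm -FederationServiceName $FederationServiceName `
                 -GroupServiceAccountIdentifier $GmsaIdentifier `
                 -CertificateThumbprint $ssl.Thumbprint `
                 -SigningCertificateThumbprint $sign.Thumbprint `
                 -DecryptionCertificateThumbprint $dec.Thumbprint

# Custom certificates are not managed by AD FS automatic rollover, so renewal is a
# manual, calendar-driven task; confirm the resulting setting.
Write-Host "AutoCertificateRollover: $((Get-AdfsProperties).AutoCertificateRollover)"

# Raise AD FS auditing to the highest level and enable the Windows audit subcategory
# AD FS writes to, so the security log can be forwarded to a SIEM.
Set-AdfsProperties -AuditLevel Verbose
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

# Warn on certificates expiring within 60 days (an expired certificate breaks federation).
Get-AdfsCertificate | Where-Object { $_.Certificate.NotAfter -lt (Get-Date).AddDays(60) } |
    ForEach-Object { Write-Warning "$($_.CertificateType) certificate expires $($_.Certificate.NotAfter)" }
```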

Generating and storing cryptographic keys in dedicated hardware devices has been best practice for more than two decades now; your organization should follow it, too.

Read original article here.
----

Source: Microsoft/CREAplus cybersecurity team
