Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Endpoints’ Category

(2019-07-30) ADFS Security: Disable WS-Trust Windows Transport Endpoints On PROXYs/WAPs (Extranet)

Posted by Jorge on 2019-07-30


Due to a known security vulnerability it is highly recommended that the WS-Trust Windows Transport Endpoints are disabled on the ADFS Proxies/WAPs (from the extranet). Be careful though that these endpoints are needed by Windows 10 and Windows Server 2016 and higher on the INTRANET side of ADFS to leverage Azure AD Domain Join, a.k.a. Hybrid Azure AD Domain Join (HAADJ). For more detail please see the section “ADFS Endpoints” in the blog post (2016-12-16) Automatic Azure AD Join With ADFS v3.0 And Higher And Conditional Access – What You Really Need In Detail

When enabled on the EXTRANET side, it will allow NTLM logins to be processed from the extranet. As a result, it will bypass AD FS lockout protections and allow brute force password attacks or account lockouts on the user account, which of course is something you do not want! Also check out: Best practices for securing Active Directory Federation Services – ADFS Endpoints

What do you need to do?

Check the status of the WS-Trust ‘2005’ Windows Transport Endpoint And Disabling It On Extranet Side If Needed. You can do that through the following PowerShell commands. When using SQL you can run the commands on any ADSF server. When using WID you need to run the commands on the primary ADFS server.

Clear-Host
$adfsWSTrust2005EndpointPath = "/adfs/services/trust/2005/windowstransport"
$adfsWSTrust2005 = Get-AdfsEndpoint -AddressPath $adfsWSTrust2005EndpointPath
If ($adfsWSTrust2005.Enabled -eq $true) {
    Write-Host ""
    Write-Host "WS-Trust ‘2005’ Windows Transport Endpoint On The INTRANET Is ENABLED…" -ForegroundColor Green
    If ($adfsWSTrust2005.Proxy -eq $true) {
        Write-Host ""
        Write-Host "WS-Trust ‘2005’ Windows Transport Endpoint On The EXTRANET Is ENABLED…" -ForegroundColor Red
        Write-Host "Due To A Security Vulnerability It Is Highly Recommended To Disable This Endpoint On The Extranet Side Of ADFS!…" -ForegroundColor Red
        Write-Host ""
        $confirmationAdfsWSTrust2005 = Read-Host "Do You Want To Disable This Endpoint On The Extranet Side? [Yes|No]"
        If ($confirmationAdfsWSTrust2005.ToUpper() -eq "YES" -Or $confirmationAdfsWSTrust2005.ToUpper() -eq "Y") {
            Set-AdfsEndpoint -TargetAddressPath $adfsWSTrust2005EndpointPath -Proxy $false           
            Write-Host ""
            Write-Host "Action Confirmed…" -ForegroundColor Green
            Write-Host "WS-Trust ‘2005’ Windows Transport Endpoint On The EXTRANET Has Been DISABLED…" -ForegroundColor Green
            Write-Host ""
        } Else {
            Write-Host ""
            Write-Host "Action Not Confirmed…" -ForegroundColor Yellow
            Write-Host "Nothing Was Changed…" -ForegroundColor Yellow
            Write-Host ""
         }
    } Else {
        Write-Host ""
        Write-Host "WS-Trust ‘2005’ Windows Transport Endpoint On The EXTRANET Is DISABLED…" -ForegroundColor Green
        Write-Host "Nothing To Do Here!…" -ForegroundColor Green
        Write-Host ""
    }
} Else {
    Write-Host ""
    Write-Host "WS-Trust ‘2005’ Windows Transport Endpoint On The INTRANET Is DISABLED…" -ForegroundColor Green
    Write-Host "Therefore, WS-Trust ‘2005’ Windows Transport Endpoint On The EXTRANET Is Also DISABLED…" -ForegroundColor Green
    Write-Host "Nothing To Do Here!…" -ForegroundColor Green
    Write-Host ""
}

image

Figure 1: Checking Status Of The WS-Trust ‘2005’ Windows Transport Endpoint And Disabling It On Extranet Side If Needed

Check the status of the WS-Trust ‘13’ Windows Transport Endpoint And Disabling It On Extranet Side If Needed. You can do that through the following PowerShell commands:

Clear-Host
$adfsWSTrust13EndpointPath = "/adfs/services/trust/13/windowstransport"
$adfsWSTrust13 = Get-AdfsEndpoint -AddressPath $adfsWSTrust13EndpointPath
If ($adfsWSTrust13.Enabled -eq $true) {
     Write-Host ""
     Write-Host "WS-Trust ’13’ Windows Transport Endpoint On The INTRANET Is ENABLED…" -ForegroundColor Green
     If ($adfsWSTrust13.Proxy -eq $true) {
         Write-Host ""
         Write-Host "WS-Trust ’13’ Windows Transport Endpoint On The EXTRANET Is ENABLED…" -ForegroundColor Red
         Write-Host "Due To A Security Vulnerability It Is Highly Recommended To Disable This Endpoint On The Extranet Side Of ADFS!…" -ForegroundColor Red
         Write-Host ""
         $confirmationAdfsWSTrust13 = Read-Host "Do You Want To Disable This Endpoint On The Extranet Side? [Yes|No]"
         If ($confirmationAdfsWSTrust13.ToUpper() -eq "YES" -Or $confirmationAdfsWSTrust13.ToUpper() -eq "Y") {
             Set-AdfsEndpoint -TargetAddressPath $adfsWSTrust13EndpointPath -Proxy $false           
             Write-Host ""
            Write-Host "Action Confirmed…" -ForegroundColor Green
             Write-Host "WS-Trust ’13’ Windows Transport Endpoint On The EXTRANET Has Been DISABLED…" -ForegroundColor Green
             Write-Host ""
         } Else {
             Write-Host ""
             Write-Host "Action Not Confirmed…" -ForegroundColor Yellow
             Write-Host "Nothing Was Changed…" -ForegroundColor Yellow
             Write-Host ""
        }
     } Else {
         Write-Host ""
         Write-Host "WS-Trust ’13’ Windows Transport Endpoint On The EXTRANET Is DISABLED…" -ForegroundColor Green
         Write-Host "Nothing To Do Here!…" -ForegroundColor Green
         Write-Host ""
     }
} Else {
     Write-Host ""
     Write-Host "WS-Trust ’13’ Windows Transport Endpoint On The INTRANET Is DISABLED…" -ForegroundColor Green
     Write-Host "Therefore, WS-Trust ’13’ Windows Transport Endpoint On The EXTRANET Is Also DISABLED…" -ForegroundColor Green
     Write-Host "Nothing To Do Here!…" -ForegroundColor Green
     Write-Host ""
}

image

Figure 2: Checking Status Of The WS-Trust ‘13’ Windows Transport Endpoint And Disabling It On Extranet Side If Needed

After doing this, you need to restart the ADFS service so that it consumes the configuration change. It is recommended to do this on one ADFS server at a time and not all at the same time. If you have a load balancer, it should determine when the ADFS service is being started, that ADFS server is (temporarily) unavailable. If you do not have a load balancer, you really need to plan this accordingly!

Restart-Services ADFSSRV

Hope this helps you!

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Federation Services (ADFS), Endpoints | Leave a Comment »