Don’t Give Away Keys to Your Kingdom with ADFS

By Tim Boivin

For more than 15 years, organizations have been using Active Directory to manage end user access to network resources. As remote access and cloud applications became more popular, Microsoft launched Active Directory Federated Services (ADFS), hoping to enable organizations to better manage access for the constantly evolving modern hybrid enterprise.

Only one problem: if you rely on ADFS to manage user accounts for local and cloud resources, you are potentially giving away the keys to your kingdom. Microsoft claims ADFS resolves and simplifies the complex authentication issues of today’s perimeterless world, but it can also expose you to higher levels of risk.

ADFS is one tool used by organizations to provide a simpler way for end users to sign into resources, both local and cloud. By “federating” the identities between local and cloud, a company can gain more control of the sign in process and make it consistent between local and cloud resources. This means the same set of credentials can access local and cloud resources. This is great for making it easier for end users.

However, federated identities also make an organization using them a higher-value target for hackers, because cracking one single identity gives them access to more resources. And many deployments of ADFS are not adequately protected, as we discuss later in this article.

Depending on a cloud service’s security requirements, ADFS can also introduce more complexity into your organization, significantly increase the cost of managing and updating your access controls…and still leave you vulnerable to phishing, password spray, brute force and other attacks. Attackers may even be able to buy valid credentials to your organization on the Dark Web.

To prevent hackers from compromising ADFS user accounts, many organizations now rely on Total Access Control (TAC), the Zero Trust Access solution from PortSys. TAC obscures hackers’ visibility into any session, local or cloud, including ADFS. Its Zero Trust approach thoroughly examines the context of access for each request using the organization’s own security policies – not the one-size-fits-all policy approach of most cloud providers.

We’ll explore how TAC goes far beyond ADFS to improve your security posture in more detail later in this post. First, let’s examine why ADFS alone is not enough to keep your infrastructure secure.

Unmasking ADFS Vulnerabilities

Malicious actors are getting more sophisticated in their attempts to compromise accounts in ADFS, going far beyond the brute force attacks that get the most publicity. Hackers also deploy password spray campaigns, password crackers and phishing attacks.

Many organizations deploy ADFS in a rudimentary fashion, where access to ADFS is authenticated by username and password alone. Hackers seize on this weakness. If they can get access to an ADFS account, then all the federated accounts (cloud and local) are now open to them as well. That means cracking ADFS has more value to a hacker – for instance, making the organization an even easier target for a brute force attack, where intruders use automated tools to try different combinations until they hit on a winner.

Password spray campaigns also target federated authentication protocols, the most popular of which is overwhelmingly ADFS. These spray campaigns, also called the “low and slow” method, target Single Sign-On and cloud applications, because federated authentication helps mask malicious traffic through those channels. Hackers attempt a single password against many accounts before moving on to subsequent passwords, allowing them to stay undetected by avoiding rapid or frequent account lockouts.
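The “low and slow” pattern has a recognizable shape in sign-in telemetry: one source failing against many distinct accounts, with only a few failures per account so that lockout thresholds never trip. This added example (not part of the original post and not PortSys or TAC code) runs that check over constructed sign-in records; the record layout and the thresholds are assumptions.

```python
"""Flag password-spray activity in federation sign-in records.

A spray is distinguished from a brute-force attempt (many failures, one
account) and from a user with stale cached credentials (one account, a
handful of failures) by the *breadth* of accounts touched by one source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (ISO timestamp, source IP, account, outcome).
SAMPLE_EVENTS = [
    # One source, six accounts, one failure each, 30 minutes apart: a spray.
    ("2024-01-10T09:00:00", "203.0.113.7", "alice", "fail"),
    ("2024-01-10T09:30:00", "203.0.113.7", "bob", "fail"),
    ("2024-01-10T10:00:00", "203.0.113.7", "carol", "fail"),
    ("2024-01-10T10:30:00", "203.0.113.7", "dave", "fail"),
    ("2024-01-10T11:00:00", "203.0.113.7", "erin", "fail"),
    ("2024-01-10T11:30:00", "203.0.113.7", "frank", "fail"),
    # A phone with a stale cached password: one account, a few failures.
    ("2024-01-10T09:05:00", "198.51.100.4", "alice", "fail"),
    ("2024-01-10T09:06:00", "198.51.100.4", "alice", "fail"),
    ("2024-01-10T09:07:00", "198.51.100.4", "alice", "fail"),
    ("2024-01-10T09:08:00", "198.51.100.4", "alice", "fail"),
    ("2024-01-10T10:00:00", "198.51.100.4", "carol", "success"),
    # Brute force against a single account: many failures, one account.
    ("2024-01-10T09:10:00", "203.0.113.9", "bob", "fail"),
    ("2024-01-10T09:11:00", "203.0.113.9", "bob", "fail"),
    ("2024-01-10T09:12:00", "203.0.113.9", "bob", "fail"),
    ("2024-01-10T09:13:00", "203.0.113.9", "bob", "fail"),
    ("2024-01-10T09:14:00", "203.0.113.9", "bob", "fail"),
    ("2024-01-10T09:15:00", "203.0.113.9", "bob", "fail"),
]


def detect_spray(events, window=timedelta(hours=6), min_accounts=5, max_per_account=3):
    """Return {source_ip: sorted accounts} for sources whose failures inside any
    sliding `window` span at least `min_accounts` distinct accounts while no
    single account exceeds `max_per_account` failures (the low-and-slow shape)."""
    failures = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "fail":
            failures[ip].append((datetime.fromisoformat(ts), user))
    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide window forward
                start += 1
            per_account = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_account[user] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                alerts[ip] = sorted(per_account)
    return alerts
```

Correlating on source IP alone misses a spray spread across many sources; the same breadth check applied per password-attempt time bucket across all sources catches that variant.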

According to a CISA alert from the Department of Homeland Security and FBI in 2018, hackers were leveraging ADFS’s inbox synchronization through a spray attack with the goal of later moving laterally across the enterprise to:

  • Obtain valid credentials for an organization
  • Gain unauthorized access to email and other local and cloud resources available to the compromised account
  • Monitor all incoming and outgoing email on those accounts
  • Attack other resources through VPN, RDP or Network Access by using compromised credentials
  • Secure the organization’s Global Email Address List so they could repeat these attacks on every account

These ADFS attacks are particularly damaging if the compromise becomes public and/or sensitive information is exposed. According to the alert, the impact of the hack could include:

  • Temporary or permanent loss of sensitive or proprietary information
  • Disruption to regular operations
  • Financial losses incurred to restore systems and files
  • Potential harm to an organization’s reputation

To protect against such password spray and brute force attacks targeting ADFS and other federated services, organizations are told to enable Multi-Factor Authentication (MFA) and review MFA settings to ensure coverage over all active, internet-facing protocols.

Unfortunately, MFA is usually an all-or-nothing setting with ADFS and most federated services. It can also add even more complexity into your organization’s infrastructure. Often, it requires your team to customize the settings – manually programming the logic when a third-party MFA solution is enabled.

The issue is that organizations don’t take a user’s full context of access, such as where a person is accessing from, into consideration before approving an access request. They just rely on credentials. Also, 3rd-party MFA solutions require a license for every user as opposed to just the subset of users who may need access to the specific resource for which you need enhanced protection. After all, not all use cases require MFA, such as those applications with lower risks. That can get very expensive, very quickly.

There are other significant issues to consider if you are solely relying on ADFS or a third-party MFA solution:

  • Many 3rd-party MFA solutions still lack GeoIP policies to access ADFS.
  • ADFS exposes multiple URLs to the public on the internet through authentication solutions such as SAML or OAuth. The discoverable URLs include authentication endpoints against which a brute force attack can cause Active Directory to lock out an account. C-Level executives are often the targets for this type of attack, so learning what authentication URLs a company has is an attractive place for these bad actors to start searching for vulnerabilities.

  • Hackers can use Shodan or other search engine services to crawl the internet and expose, steal or lock down your critical proprietary metadata, such as that held on Office 365 servers. While metadata can’t be abused per se, it does reveal a company’s information, which helps identify potential vectors for attacks. If a hacker wants to target a company without relying on social engineering to compromise credentials or corporate devices, this would be a good place to start probing for vulnerabilities.
  • If hackers gain access through the cloud with user credentials in Active Directory, they can gain access to any of your other resources, local and cloud.

ADFS doesn’t always make things easier, and can itself cause user frustration. For example, organizations often have short password lifecycles in ADFS to limit the risk of compromised credentials. However, when users change passwords on their corporate devices, they often forget to change the cached credentials on their mobile devices.

This often leads to lockouts as the cache repeatedly calls up the wrong password too many times. The user gets frustrated, so then your support team jumps in to reset the password. At the end of the day a password reset ends up costing an inordinate amount of valuable time, stalls productivity, and ties up critical resources that could be more strategically deployed elsewhere.

TAC’s Context-Based Access Policy

Total Access Control (TAC), a Zero Trust Access solution, goes far beyond ADFS’s core identity-based approach to security by deploying TAC’s context-based policy engine to vet any session, including those tapping into ADFS.

In addition to the traditional identity-based user credentials required for ADFS, TAC takes into account the method in which someone is accessing, where the user comes in from (trusted or untrusted location), the type of device, and the status of that device.

By understanding a user’s context of access, TAC provides many factors of authentication to give you a much stronger security posture and prevent or limit access from untrusted scenarios. The user then gains access to only the resources they qualify for under their current circumstances.

Before authenticating access to ADFS or any of your other resources – local or cloud – TAC’s reverse proxy gateway can examine multiple factors related to the user’s context of access, including:

  • GeoIP Location
  • Device Type – Corporate or Personal
  • Operating System
  • Version/Patch Level
  • Current AntiVirus
  • Registry Entries
  • Certificate
  • Domain Joined Status
  • Jailbreak/Rooted Device Check
  • Mobile Device PIN Requirement

The advanced ability of TAC to consider context provides much more stringent granular control over when users can access various resources. For instance, should a user’s location change during a session, TAC’s GeoIP technology immediately re-evaluates the user’s session based on rules set by your organization – and if the user no longer qualifies for that resource, their session is ended.

Device Validation

TAC seamlessly applies this context of access approach to any user session, whether it’s an application such as ADFS, 3rd-party MFA solutions, or other productivity applications, local or cloud. TAC can also limit access to corporate-managed devices only – unlike ADFS, where for the most part authentication is an all-or-nothing approach.

For instance, with device validation, a user’s device is bound to that user’s ADFS account. The device must be approved for use by an administrator before that user gains access. The user must have both their valid credentials and the approved hardware device before any access is allowed. You can also add multifactor authentication to make it even more secure.

TAC also makes it easy to quickly revoke access privileges for devices. For example, TAC can block access from a user’s lost mobile phone while still enabling access from the same user’s tablet or laptop. The mobile phone can also be fully or partially wiped to protect the information on the device.

Flexible Authentication

Chances are you may be relying on more than one vendor solution for authentication. Regardless of which authentication solutions you decide to use, TAC enables you to manage all user access from one central location – something that organizations have not been able to do before. PortSys offers a robust suite of supported authentication products through TAC that includes:

  • Radius
  • OAuth
  • ADFS
  • LDAP
  • SAML

Keep in mind that whether your organization wants to federate identity with one or more cloud providers, you still don’t have to hand over your entire Active Directory to them. TAC manages the process for you, handling the user repository and credentials for cloud applications, but obscuring them from cloud providers.

TAC still makes all decisions on which users get access to what resources, and to what extent. The best part is users don’t even have to remember their cloud credentials. They just log in through a single URL to the portal and TAC handles the rest, behind the scenes.

All of this is transparent to users. With TAC’s Single Sign-On (SSO), they seamlessly get one-click access, but only to resources for which they have been authenticated after meeting security policies you – not a cloud provider – set in TAC’s dynamic policy engine.

The same holds true for third parties who require access, such as contractors or business partners. TAC quickly and securely scales access for them as well as your own employees, without any heavy lifting on your part.

Active Directory and ADFS aren’t going away any time soon, and neither are the hackers targeting them for brute force, password spraying, or phishing attacks. Don’t simply give away the keys to the kingdom with ADFS.

TAC’s Zero Trust approach, leveraging context of access, does a much better job of keeping out those malicious actors and preventing them from doing damage in today’s dynamic, perimeterless world.