How to Turn On ADFS Security Auditing with Powershell

Providing the best user experience with a Single Sign-On (SSO) capability without compromising security is key to a successful federation services implementation. I personally like the ADFS model and SAML (Security Assertion Markup Language) because it is robust, effective and suitable for small to large organizations, offering an incredible number of features if it is configured and implemented correctly.

What Does ADFS really do?

Active Directory Federation Services (AD FS) provides simplified, secured identity federation and Web single sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud.

What are the default settings that we can leverage for troubleshooting or security?

Security and Operations teams frequently work on the same issues but from different angles, and most of the time they agree on keeping some default values and changing others. Configuring AD FS Extranet Soft Lockout Protection is one of these, and to achieve this result we need to delve into the ADFS and AD configuration and policies.

When your authentication requests come through the WAP (Web Application Proxy), by default ADFS will NOT stop trying to authenticate any attempt, legitimate or malicious. In short, there is no limit on the ADFS side.

Let me clarify why this is so important. To see the full picture we need to start with Active Directory, where every authentication request against the domain is logged on the domain controller and updates the AD user attributes (badPwdCount, badPasswordTime, lockoutTime) whether the login succeeds or fails.

In AD, every account is subject to the default domain policy (and possibly a fine-grained password policy) which, after a certain number of unsuccessful authentication attempts within the observation window, will lead to a lockout event.

Check also whether a specific fine-grained password policy applies to the account:
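The following is an added example and not code from the original post: it reads the default domain lockout settings, checks whether a fine-grained policy (PSO) overrides them for one account, and shows the AD attributes that every failed or successful logon updates. It assumes the RSAT ActiveDirectory module and a hypothetical account named jdoe.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and a hypothetical account 'jdoe'; replace it with the account under investigation.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'

# Default domain policy. LockoutThreshold = failed attempts before lockout (0 = never lock out)
$default = Get-ADDefaultDomainPasswordPolicy
$default | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Resultant policy: a fine-grained policy wins over the default when one applies.
# The cmdlet returns nothing when no PSO applies to the user.
$pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
if ($pso) {
    "Fine-grained policy '$($pso.Name)' applies (precedence $($pso.Precedence))"
    $pso | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
    $effective = $pso
} else {
    "No fine-grained policy applies; the default domain policy is in effect"
    $effective = $default
}

# The attributes each logon attempt touches. badPwdCount is NOT replicated: every DC keeps
# its own count, so query the PDC emulator, which receives every bad-password notification.
$pdc = (Get-ADDomain).PDCEmulator
Get-ADUser $SamAccountName -Server $pdc -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut |
    Select-Object SamAccountName, badPwdCount, LockedOut,
        @{n = 'badPasswordTime'; e = { [DateTime]::FromFileTime($_.badPasswordTime) } },
        @{n = 'lockoutTime';     e = { if ($_.lockoutTime) { [DateTime]::FromFileTime($_.lockoutTime) } } }

"Effective lockout threshold for ${SamAccountName}: $($effective.LockoutThreshold)"
```

The effective threshold printed at the end is the number to keep in mind for the ADFS extranet lockout setting later in the article: ADFS must stop forwarding attempts before AD reaches it.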

Last week's article was on this topic (Powershell: Monitoring AD Account Lock-Out Events).

Lockout events are an effective protection against brute-force attacks, and monitoring them can be crucial to identify risks and troubleshoot authentication issues.

ADFS authenticates a username and password against AD on behalf of a trusted relying party. By default ADFS applies no lockout of its own: every failed attempt coming from the extranet is forwarded to AD, counts against the AD lockout policy and can lock the AD account. This is not completely a bad thing, since without any lockout at all AD would be exposed to brute force, but it means an attacker who knows a username can lock legitimate users out of AD from the internet (a denial-of-service risk), and because ADFS does not audit successful or failed requests by default, a password-spraying campaign that stays under the AD threshold leaves you with nothing to look at on the ADFS side.

So what can we do to mitigate that risk and be more aware of what is going on in ADFS?

The answer is to turn on security auditing and enable AD FS Extranet Soft Lockout Protection.

Let's first check our ADFS settings

Let's start by checking whether ADFS is installed (repeat these steps on all ADFS servers):

And for your information, let's list all the available cmdlets for this PowerShell module:

Let's focus on checking whether the extranet lockout is enabled or not with Get-AdfsProperties:

Checking the ADFS log level:

No failure or success audits are turned on by default, so I need to change it to:

Turn on logging with Group Policy (the ADFS service account needs the "Generate security audits" user right, otherwise nothing reaches the Security log):
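The steps above as one added example (not code from the original post), to be run in an elevated session on each federation server: check the role, list the module's cmdlets, read the current lockout and logging settings, then switch on the ADFS audits and the Windows audit subcategory they are written through. The -AuditLevel parameter exists only on Server 2016 and later; the service account name shown is read from the service and is the account that needs the "Generate security audits" right via Local Security Policy or GPO.

```powershell
# Added example (not from the original post). Run elevated on every AD FS server.

# 1. Is the AD FS role installed and is the service running?
Get-WindowsFeature ADFS-Federation | Select-Object Name, InstallState
Get-Service adfssrv | Select-Object Name, Status, StartType

# 2. Cmdlets provided by the ADFS module
Import-Module ADFS
Get-Command -Module ADFS | Sort-Object Name | Select-Object Name

# 3. Current extranet lockout and logging settings (AuditLevel is empty on 2012 R2)
Get-AdfsProperties | Select-Object ExtranetLockoutEnabled, ExtranetLockoutThreshold,
    ExtranetObservationWindow, ExtranetLockoutRequirePDC, LogLevel, AuditLevel

# 4. Turn on success and failure audits in AD FS. LogLevel is a set of flags, so add the
#    two audit flags to what is already enabled instead of replacing the whole set.
$current = @((Get-AdfsProperties).LogLevel)
$wanted  = @($current + @('SuccessAudits', 'FailureAudits')) | Select-Object -Unique
Set-AdfsProperties -LogLevel $wanted

# Server 2016 and later only: Verbose records the per-request audit detail (claims, IPs)
$osBuild = [Environment]::OSVersion.Version.Build
if ($osBuild -ge 14393) { Set-AdfsProperties -AuditLevel Verbose }

# 5. AD FS writes its audits to the Security log only if
#    a) the 'Application Generated' audit subcategory is enabled on the server, and
#    b) the AD FS service account holds the 'Generate security audits' right (SeAuditPrivilege),
#       assigned in Local Security Policy or by Group Policy.
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
auditpol.exe /get /subcategory:"Application Generated"

$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
"AD FS runs as $svcAccount; grant it 'Generate security audits' in Local Security Policy / GPO"

# 6. Restart the service so the new logging settings take effect
Restart-Service adfssrv
```

Check afterwards that the Security log starts receiving events from the "AD FS Auditing" provider; if it stays empty, the user right in step 5b is the usual culprit, and a GPO applied to the server can silently remove it again at the next refresh.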

Let's turn on the Extranet Lockout

Note that it is recommended that the ADFS lockout threshold is smaller than the AD lockout threshold.

AD FS extranet lockout functions independently from the AD lockout policies. However, we strongly recommend that you set the ExtranetLockoutThreshold parameter value to a value that is less than the AD account lockout threshold. Failing to do so would result in AD FS being unable to protect accounts from being locked out in Active Directory.

When AD FS extranet lockout on Server 2012 R2 is enabled, all authentication requests through the WAP are validated by AD FS against the PDC. When the PDC is unavailable, users will be unable to authenticate from the extranet.

There is also a new addition in Server 2016 that lets ADFS fall back to another DC if the Primary Domain Controller (PDC) is not available. The parameter is called ExtranetLockoutRequirePDC and its type is Boolean (set it to $false to allow the fallback).
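An added example, not from the original post, of enabling the soft lockout with a threshold derived from the AD policy rather than typed in by hand, so the Microsoft recommendation above holds by construction. The 30-minute window and the fallback value of 10 (used only when AD lockout is disabled) are assumptions; the 2016 build check is what makes the same script safe on 2012 R2, where ExtranetLockoutRequirePDC does not exist.

```powershell
# Added example (not from the original post). Run on the primary federation server.
Import-Module ADFS, ActiveDirectory

$ad = Get-ADDefaultDomainPasswordPolicy

if ($ad.LockoutThreshold -eq 0) {
    Write-Warning 'AD lockout is disabled (threshold 0); picking an AD FS threshold on its own'
    $adfsThreshold = 10                                   # assumption, tune for your environment
} else {
    # one below AD, so AD FS stops forwarding attempts before AD locks the account
    $adfsThreshold = [Math]::Max(1, $ad.LockoutThreshold - 1)
}

# AD FS 2012 R2 / 2016 soft lockout checks badPwdCount and badPasswordTime on the PDC:
# it rejects extranet attempts while badPwdCount >= threshold and the last bad password
# is inside ExtranetObservationWindow. If that window is shorter than AD's own
# LockoutObservationWindow, attempts get forwarded again while AD's counter is still
# high, so do not set it below AD's window.
$window = New-TimeSpan -Minutes 30                        # assumption
if ($window -lt $ad.LockoutObservationWindow) { $window = $ad.LockoutObservationWindow }

$params = @{
    EnableExtranetLockout     = $true
    ExtranetLockoutThreshold  = $adfsThreshold
    ExtranetObservationWindow = $window
}
# Server 2016 (build 14393) and later: allow any DC when the PDC emulator is unreachable
if ([Environment]::OSVersion.Version.Build -ge 14393) {
    $params['ExtranetLockoutRequirePDC'] = $false
}

Set-AdfsProperties @params

# Verify the result next to the AD policy it has to stay under
Get-AdfsProperties | Select-Object ExtranetLockoutEnabled, ExtranetLockoutThreshold,
    ExtranetObservationWindow, ExtranetLockoutRequirePDC
$ad | Select-Object LockoutThreshold, LockoutObservationWindow
```

If fine-grained password policies are in use, repeat the comparison with the lowest LockoutThreshold among the PSOs that apply to extranet users, since that is the account that AD will lock first.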

Checking the Security Events from the Event Log of ADFS

This is a summary from the Microsoft documentation:

Troubleshooting

Once security auditing is turned on in ADFS and in the Local Security Policy, the troubleshooting options available to engineers and sysadmins are far greater. This article offers some good ideas on how to troubleshoot ADFS authentication issues.
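To make the Security events from the two sections above useful, here is an added example (not from the original post) that summarises ADFS credential-validation audits per user and per client IP: many failures for one user point at a stuck client or a targeted attack, while one IP failing against many users is the password-spraying signature that never trips the AD threshold. It assumes the AD FS 2016 event IDs 1202 (credential validated) and 1203 (credential validation failed) from the "AD FS Auditing" provider, and that the event message carries UserId and IpAddress elements in its XML payload; check a real event's Message on your server and adjust the two regexes if your version differs. The sample events at the end are constructed so the function can be exercised without a federation server.

```powershell
# Added example (not from the original post).
# Assumptions: event IDs 1202/1203 from provider 'AD FS Auditing' (AD FS 2016), and
# <UserId>/<IpAddress> elements in the message XML. Verify both against a live event.

function Get-AdfsAuthSummary {
    param(
        # Objects with Id, TimeCreated and Message, i.e. Get-WinEvent output
        [Parameter(Mandatory)] $Events,
        # Failures from one IP against more than one user before it is flagged
        [int] $FailureThreshold = 5
    )
    $rows = foreach ($e in $Events) {
        $user = if ($e.Message -match '<UserId>(.*?)</UserId>')       { $Matches[1] } else { 'unknown' }
        $ip   = if ($e.Message -match '<IpAddress>(.*?)</IpAddress>') { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Result = if ($e.Id -eq 1202) { 'Success' } else { 'Failure' }
            User   = $user
            Ip     = $ip
        }
    }
    $failures = $rows | Where-Object Result -eq 'Failure'

    # Failures per user: high counts on a single account = targeted attempts or a stale credential
    $byUser = $failures | Group-Object User | Sort-Object Count -Descending |
        Select-Object @{n = 'User'; e = { $_.Name } }, Count

    # Failures per IP with the number of distinct users: the spraying signature
    $byIp = $failures | Group-Object Ip | ForEach-Object {
        [pscustomobject]@{
            Ip       = $_.Name
            Failures = $_.Count
            Users    = @($_.Group.User | Sort-Object -Unique).Count
        }
    } | Sort-Object Failures -Descending

    [pscustomobject]@{
        Rows       = $rows
        ByUser     = $byUser
        ByIp       = $byIp
        Suspicious = @($byIp | Where-Object { $_.Failures -ge $FailureThreshold -and $_.Users -gt 1 })
    }
}

# Live query for the last 24 hours; needs the auditing configured in the previous sections
$live = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 1202, 1203
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue
if ($live) { (Get-AdfsAuthSummary -Events $live).Suspicious | Format-Table -AutoSize }

# Constructed sample events (RFC 5737 addresses, made-up users) to exercise the function
$now = Get-Date
$sample = @(
    @{ Id = 1203; TimeCreated = $now; Message = '<UserId>CONTOSO\alice</UserId><IpAddress>203.0.113.7</IpAddress>' }
    @{ Id = 1203; TimeCreated = $now; Message = '<UserId>CONTOSO\bob</UserId><IpAddress>203.0.113.7</IpAddress>' }
    @{ Id = 1203; TimeCreated = $now; Message = '<UserId>CONTOSO\carol</UserId><IpAddress>203.0.113.7</IpAddress>' }
    @{ Id = 1202; TimeCreated = $now; Message = '<UserId>CONTOSO\alice</UserId><IpAddress>198.51.100.5</IpAddress>' }
    @{ Id = 1203; TimeCreated = $now; Message = '<UserId>CONTOSO\dave</UserId><IpAddress>198.51.100.5</IpAddress>' }
) | ForEach-Object { [pscustomobject]$_ }

$summary = Get-AdfsAuthSummary -Events $sample -FailureThreshold 3
$summary.ByIp       | Format-Table -AutoSize   # 203.0.113.7: 3 failures, 3 users
$summary.Suspicious | Format-Table -AutoSize   # only 203.0.113.7 is flagged
```

The IP you get depends on what reaches ADFS: behind a WAP the client address is in the forwarded-for header that ADFS records in the audit, but behind another load balancer that does not pass it you will see the balancer's address for everything, which makes the per-IP grouping useless until that is fixed.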

More about ADFS

Since the introduction of Active Directory Federation Services, authorization policies have been available to restrict or allow users access to resources based on attributes of the request and the resource. As AD FS has moved from version to version, how these policies are implemented has changed.

(2016) ADFS and banned IP addresses (and subnets)

On Windows Server 2016 (since the June 2018 ADFS update):

This update enables you to configure a set of IP addresses globally in AD FS, so that requests coming from those IP addresses, or that have those IP addresses in the x-forwarded-for or x-ms-forwarded-client-ip headers, will be blocked by AD FS.
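The banned-IP feature as an added example (not from the original post), using documentation-range addresses as placeholders. It assumes AD FS on Server 2016 with the June 2018 update installed, which is where the -AddBannedIps and -RemoveBannedIps parameters appear.

```powershell
# Added example (not from the original post). Requires AD FS 2016 with the June 2018 update.
Import-Module ADFS

# Block single addresses and whole subnets in CIDR form; IPv6 entries are accepted as well.
# Addresses are RFC 5737 documentation ranges used here as placeholders.
Set-AdfsProperties -AddBannedIps '203.0.113.7', '198.51.100.0/24'

# The list is matched against the TCP peer AND the x-forwarded-for /
# x-ms-forwarded-client-ip headers, so a client behind the WAP is still caught.
(Get-AdfsProperties).BannedIpList

# Remove an entry once the investigation is over
Set-AdfsProperties -RemoveBannedIps '203.0.113.7'
(Get-AdfsProperties).BannedIpList
```

Because the header match trusts whatever x-forwarded-for value arrives, only the WAP or your own reverse proxy should be able to reach the federation servers directly; otherwise a client can set the header itself.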

ADFS Conditional Access / MFA

(2019) ADFS additional authentication methods:

Extranet Soft Lockout vs (ADFS 2019) Smart Lockout

Extranet Smart Lockout in AD FS 2019 adds the following advantages compared to AD FS 2016:

  • Set independent lockout thresholds for familiar and unfamiliar locations so that users in known good locations can have more room for error than requests from suspect locations

  • Enable audit mode for smart lockout while continuing to enforce previous soft lockout behavior

Wrap Up

Turning on audits for ADFS is essential for working with lockout events, and audits are essential for overall security and troubleshooting. The next step will be turning on Windows Event Forwarding (WEF) to collect and analyze all attempts centrally. Last year I read this nice article about WEF and I definitely recommend it in case you missed it.
