
07 Security

redhook edited this page Apr 6, 2020 · 36 revisions

Security Management

Once the component is registered and you have settled on the storage mode, it is important to configure the following security options:

  • Number of tries
  • Secret Seed
  • Super User Credentials
  • Encryption library version
  • Protection against Replay
  • WinRM parameters

Changing Security with PowerShell

  • Log on to a primary ADFS server as administrator
  • Launch a new PowerShell session as administrator
  • Type get-help Get-MFASecurity -Detailed for information on reading the settings.
  • Type get-help Set-MFASecurity -Detailed for information on updating them.
  • Enter your command:
```powershell
Get-MFASecurity
$c = Get-MFASecurity
...
Set-MFASecurity $c
```

General Security Properties Description

List of all properties you can read with Get-MFASecurity and update with Set-MFASecurity

| Property | Value | Comments |
|---|---|---|
| DeliveryWindow | 300 | A TOTP code changes every 30 seconds; no network transmission occurs, the code is computed. External systems such as email providers or SMS gateways rely on transmitting the data, and the time taken to deliver the access code to the user is not guaranteed. DeliveryWindow is the maximum time allowed for submitting the TOTP code, in seconds: 300 (5 minutes). |
| MaxRetries | 3 | Maximum number of identification errors before rejecting the connection |
| LibVersion | V2 | Encryption library version. V1: all versions before 2.4. V2: version 2.4 and higher |
| ReplayLevel | Disabled | Disabled: no replay detection. Full: replay detection enabled. Intermediate: replay detection enabled except from the same IP address (useful for developers) |
| XORSecret | string | Your secret key for XOR operations. Default = ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890. This value is encrypted in the config file with AES128 |
| PinLength (1) | 4 | PIN length when using a PIN (activated on each provider) |
| DefaultPin (1) | 1234 | Default PIN value |
| Super User Account | | |
| DomainAddress | empty (optional) | Domain address in LDAP format, e.g. mydomain.com |
| Account | empty (optional) | All requests to ADDS are made under the ADFS service account. If you have authentication problems, you can specify the "Super User" account used to access the ADDS forests. domain\account is the required format, or domain\account$ for a managed service account |
| Password | empty (optional) | Password used with Account. This value is encrypted in the config file with AES128 |

(1) Only available with PowerShell

Managing MFA Security with MMC

  • Log on to a primary ADFS server as administrator
  • Launch the MMC snap-in

[Screenshot: MMC SEC]


RNG Security Properties Description

List of all properties you can read with Get-MFASecurity -Kind RNG and update with Set-MFASecurity -Kind RNG

RNG is the simplest method for generating a random key for each user. These keys are only encrypted with the XORKey security property and are stored, together with other metadata, in an ADDS attribute or in the SQL database.

| Property | Value | Comments |
|---|---|---|
| KeyGenerator | ClientSecret512 | Key length for the RNG generator. Possible values: Guid, ClientSecret128, ClientSecret256, ClientSecret384, ClientSecret512 |

Managing RNG Security with MMC

  • Log on to a primary ADFS server as administrator
  • Launch the MMC snap-in

[Screenshot: MMC RNG]


RSA Security Properties Description

List of all properties you can read with Get-MFASecurity -Kind RSA and update with Set-MFASecurity -Kind RSA

RSA is the strongest method for generating a key for each user. It is based on certificate(s): the keys are encrypted and decrypted with 2048-bit asymmetric keys, then encrypted again with the XORKey security property, and stored, together with other metadata, in an ADDS attribute or in the SQL database.

| Property | Value | Comments |
|---|---|---|
| CertificateValidity | 5 | Certificate duration in years, used in RSA and CUSTOM modes when generating a certificate |
| CertificatePerUser | true | Generate one certificate per user, or one RSA certificate for all users |
| CertificateThumbprint | string | Certificate thumbprint when CertificatePerUser is false |

If CertificatePerUser is true, no further configuration is needed: each user certificate is stored in that user's metadata.

If CertificatePerUser is false, the generated certificate must be exported to all other ADFS servers.

On each ADFS server you must then run the cmdlet Update-MFACertificatesAccessControlList
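As an added example (not code from the adfsmfa wiki or project), the following script applies the shared-certificate configuration described above and checks that the certificate is actually present and usable on this server before committing the change. It assumes the object returned by Get-MFASecurity -Kind RSA exposes the properties of the table above, that Set-MFASecurity accepts that object positionally as in the earlier example, and that $thumbprint is a placeholder you replace with the thumbprint of your own certificate.

```powershell
# Added example, not from the adfsmfa wiki or project. Assumes the -Kind RSA object
# exposes CertificateValidity, CertificatePerUser and CertificateThumbprint as in the
# table above. The thumbprint below is a placeholder, not a real value.
$thumbprint = 'REPLACE-WITH-YOUR-CERTIFICATE-THUMBPRINT'

$rsa = Get-MFASecurity -Kind RSA
$rsa.CertificateValidity = 5

if ($rsa.CertificatePerUser) {
    # One certificate per user: nothing else to configure, each certificate lives in the user's metadata.
    Set-MFASecurity -Kind RSA $rsa
} else {
    # One shared certificate: it must exist, with its private key, in the machine store
    # of every ADFS server, otherwise that server cannot decrypt any user key.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint }

    if (-not $cert) {
        throw "Certificate $thumbprint not found in Cert:\LocalMachine\My; export it from the primary server and import it here first."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $thumbprint was imported without its private key; user keys could not be decrypted on this server."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $thumbprint expired on $($cert.NotAfter); renew it before referencing it."
    }

    $rsa.CertificateThumbprint = $cert.Thumbprint
    Set-MFASecurity -Kind RSA $rsa

    # Grant the ADFS service account access to the private key; run this on every ADFS server.
    Update-MFACertificatesAccessControlList
}
```

Run it on each ADFS server of the farm after the certificate has been exported and imported there; the three checks fail fast on the one server where the import was forgotten, which is otherwise only discovered when that server's users cannot authenticate.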

Managing RSA Security with MMC

  • Log on to a primary ADFS server as administrator
  • Launch the MMC snap-in

[Screenshot: MMC RSA]


BIOMETRICS Security Properties Description

List of all properties you can read with Get-MFASecurity -Kind BIOMETRIC and update with Set-MFASecurity -Kind BIOMETRIC

WebAuthn / FIDO2 is a new open authentication standard, supported by browsers and many large tech companies such as Microsoft, Google etc.

The main driver is to allow a user to login without passwords, creating passwordless flows or strong MFA for user signup/login on websites.

The standard is not limited to web applications with support coming to Active Directory and native apps. The technology builds on public/private keys, allowing authentication to happen without sharing a secret between the user & platform.

This brings many benefits, such as easier and safer logins and makes phishing attempts extremely hard.

  • Log on to a primary ADFS server as administrator
  • Launch a new PowerShell session as administrator
  • Type get-help Get-MFASecurity -Detailed for information on reading the settings.
  • Type get-help Set-MFASecurity -Detailed for information on updating them.
  • Enter your command
| Property | Value | Comments |
|---|---|---|
| AuthenticatorAttachment | Platform | Platform, or Cross-Platform (NFC, Bluetooth, ...). See https://w3c.github.io/webauthn/#attachment |
| AttestationConveyancePreference | Direct | none, direct or indirect. See https://w3c.github.io/webauthn/#attestation-convey |
| UserVerificationRequirement | Preferred | Required, Preferred or Discouraged. See https://w3c.github.io/webauthn/#enumdef-userverificationrequirement |
| Extensions | true | https://www.w3.org/TR/webauthn/#extensions |
| UserVerificationIndex | true | https://www.w3.org/TR/webauthn/#sctn-uvi-extension |
| Location | true | https://www.w3.org/TR/webauthn/#sctn-location-extension |
| UserVerificationMethod | true | https://www.w3.org/TR/webauthn/#sctn-uvm-extension |
| RequireResidentKey | false | |

Managing BIOMETRIC Security with MMC

  • Log on to a primary ADFS server as administrator
  • Launch the MMC snap-in

[Screenshot: MMC BIO]


CUSTOM Security Properties Description

List of all properties you can read with Get-MFASecurity -Kind CUSTOM and update with Set-MFASecurity -Kind CUSTOM

The Secret Key Manager has no built-in implementation, only one sample working with a SQL Server database. To develop your own component you must implement the ISecretKeyManager interface and derive your component from the KeysRepositoryService abstract class. These interfaces and the necessary classes are found in the Neos.IdentityServer.MultiFactor.Common assembly.

When choosing CUSTOM mode, a certificate per user is used to encrypt the random key, and the user's name is embedded in it; a verification is made when the user logs on, so the key cannot be shared between multiple users. Encryption is done with RSA 2048 bits, and CNG padding is used if available. User keys must be renewed when the certificate expires, or simply if you change it. Because user keys and certificates are stored in a SQL Server database, you must create a database on a full instance of SQL Server with the New-MFASecretKeysDatabase PowerShell cmdlet. If you are using a SQL Server 2016 instance or later, you can use encrypted columns to be compliant with GDPR (RGPD). In this case only the ADFS servers can read the database information, not your DBAs; otherwise you need to deploy the certificate on your database server.

This sample is now deprecated and superseded by RSA per user mode.

More details in chapter "Development".

Neos.IdentityServer.Multifactor.Keys.Sample

  • DBKeysRepositoryService: a full implementation of KeysRepositoryService and ISecretKeyManager.
    Study this project if you want to develop your own Secret Keys Repository Service or interact with an appliance.

Managing MFA External Keys Manager Properties

| Property | Value | Comments |
|---|---|---|
| ConnectionString | string | Database connection string |
| FullQualifiedImplementation | string | To replace the default key manager with your own solution, specify the fully qualified name of the replacement class. This implementation MUST implement the ISecretKeyManager interface |
| Parameters | string | Configuration parameters passed to the component |
| IsAlwaysEncrypted | False | If True, use SQL Server 2016 encrypted columns |
| If using Encrypted Columns | | |
| ThumbPrint | 89C4...CB28 | Thumbprint of the encrypted-columns certificate. This certificate must be deployed on each ADFS server, with a blank password, in the machine/personal certificate store |
| CertificateValidity | 5 | Validity of the certificate (in years) |
| CertReuse | False | If True, do not generate a new certificate for column encryption |
| KeyName | adfsmfa | Name of the SQL Server column encryption key; you can change it if you want |

There is no MMC interface for this mode

Creating MFA Custom Keys Database

  • Log on to a primary ADFS server as administrator
  • Launch a new PowerShell session as administrator
  • Type get-help New-MFASecretKeysDatabase -Detailed for information.
  • Enter your command:

```powershell
# Using an SQL account for connecting to the MFA Keys Database
New-MFASecretKeysDatabase -ServerName SQLServer\Instance -DatabaseName MFAKeysDB `
       -UserName sqlaccount -Password pass

# Using a domain account for connecting to the MFA Keys Database
New-MFASecretKeysDatabase -ServerName SQLServer\Instance -DatabaseName MFAKeysDB `
       -UserName Domain\ADFSaccount

# Using the ADFS managed service account for connecting to the new MFA Keys Database
New-MFASecretKeysDatabase -ServerName SQLServer\Instance -DatabaseName MFAKeysDB `
       -UserName 'Domain\ADFSManagedAccount$'
```

Creating an MFA Database with Always Encrypted Columns (SQL Server 2016+)

```powershell
# Using an SQL account for connecting to the MFA Keys Database
New-MFASecretKeysDatabase -ServerName SQLServer\Instance -DatabaseName MFAKeysDB `
       -UserName sqlaccount -Password pass -Encrypted

# Using a domain account for connecting to the MFA Keys Database, with a custom column encryption key name
New-MFASecretKeysDatabase -ServerName SQLServer\Instance -DatabaseName MFAKeysDB `
       -UserName Domain\ADFSaccount -Encrypted -EncryptedKeyName mykey

# Using the ADFS managed service account for connecting to the new MFA Keys Database,
# reusing an existing column encryption certificate identified by its thumbprint
New-MFASecretKeysDatabase -ServerName SQLServer\Instance -DatabaseName MFAKeysDB `
       -UserName 'Domain\ADFSManagedAccount$' -Encrypted -ReuseCertificate `
       -Thumbprint 0123456789ABCDEF...

# Same, with a custom column encryption key name
New-MFASecretKeysDatabase -ServerName SQLServer\Instance -DatabaseName MFAKeysDB `
       -UserName 'Domain\ADFSManagedAccount$' -Encrypted -ReuseCertificate `
       -Thumbprint 0123456789ABCDEF... -EncryptedKeyName mykey
```

WinRM Security Properties Description

List of all properties you can read with Get-MFASecurity -Kind WSMAN and update with Set-MFASecurity -Kind WSMAN

  • Log on to a primary ADFS server as administrator
  • Launch a new PowerShell session as administrator
  • Type get-help Get-MFASecurity -Detailed for information on reading the settings.
  • Type get-help Set-MFASecurity -Detailed for information on updating them.
  • Enter your command
| Property | Value | Comments |
|---|---|---|
| AppName | wsman | Name of the WinRM configuration (default wsman) |
| ShellUri | http://schemas.microsoft.com/powershell/Microsoft.PowerShell | Default WinRM shell URI |
| Port | 5985 | Default HTTP port |
| TimeOut | 30000 | Default 30000 (30 seconds) |

Managing WSMAN configuration with MMC

  • Log on to a primary ADFS server as administrator
  • Launch the MMC snap-in

Create a highly secure configuration

General Settings

  • Choose an appropriate User Policy Template: the Mixed, Strict or Administrative templates are good choices
  • Enable custom password management (disable /adfs/portal/updatepassword in the ADFS endpoints)
  • Enable notifications on configuration changes (the email provider must be active)
  • Make the ADFS account a member of the ADFS Admin group
  • Remove Local Administrator privileges from the ADFS account
  • Adjust rights on certificates with the appropriate cmdlet
  • Enable firewall rules between farm servers

Data Storage

  • Active Directory: deploy our Secure Schema extension on your domains.
  • Active Directory: use the Super User Account
  • SQL Server: use "Always Encrypted Columns" if you have SQL Server 2016 or later.

If you are using the MFA Extension Schema with CONFIDENTIAL flags, the account accessing the different ADDS forests (ADFS account or Super User account) MUST have read/write rights on all users' MFA properties.

With the CONFIDENTIAL flag set, this account can be a Domain Admin or a member of the "Account Operators" group for each domain. Note that Account Operators cannot read or write the confidential attributes of Domain Administrators.


Security

  • Select RSA for key encryption; RSA per user is better.
  • If you select RNG, the key size must be 512 bits
  • Enable ReplayLevel: Full or Intermediate
  • Change the XORKey to your own value. Do it at installation time: changing the XORKey invalidates all stored passwords and keys
  • Set the library version to V2; set it to V1 only if you have an old configuration
  • Set up the super user account
  • Set DeliveryWindow to 300 seconds
  • Set MaxRetries to 3
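The following script is an added example, not code from the adfsmfa wiki or project. It compares the general security settings with the values recommended in the list above, reports each deviation, and only writes them back when you ask it to; the XORKey is deliberately reported and never rewritten, because the list above notes that changing it invalidates everything already stored. It assumes the object returned by Get-MFASecurity exposes the properties of the "General Security Properties" table (DeliveryWindow, MaxRetries, LibVersion, ReplayLevel, XORSecret, Account) and that enumeration properties such as ReplayLevel accept their value by name.

```powershell
# Added example, not from the adfsmfa wiki or project. Assumes Get-MFASecurity returns
# an object with the properties of the "General Security Properties" table and that
# Set-MFASecurity accepts that object positionally, as in the page's own example.
function Test-MFASecurityBaseline {
    [CmdletBinding()]
    param(
        # Write the recommended values back with Set-MFASecurity instead of only reporting drift.
        [switch]$Apply
    )

    # Values recommended in the "Security" list of this page.
    $recommended = [ordered]@{
        DeliveryWindow = 300
        MaxRetries     = 3
        LibVersion     = 'V2'
        ReplayLevel    = 'Full'
    }

    $config = Get-MFASecurity
    $drift  = @()

    foreach ($name in $recommended.Keys) {
        # Compare as strings so enumeration values and integers are handled alike.
        $actual = "$($config.$name)"
        if ($actual -ne "$($recommended[$name])") {
            $drift += "{0}: found '{1}', recommended '{2}'" -f $name, $actual, $recommended[$name]
        }
    }

    # The shipped XORSecret is public knowledge: report it, but never rewrite it here,
    # since a new value invalidates every key and password already stored.
    if ($config.XORSecret -eq 'ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890') {
        $drift += 'XORSecret: still the default value; set your own at installation time only'
    }
    if ([string]::IsNullOrWhiteSpace($config.Account)) {
        $drift += 'Account: no super user account configured (optional, see Data Storage above)'
    }

    if ($drift.Count -eq 0) {
        Write-Output 'General security settings match the recommended baseline.'
        return
    }
    $drift | ForEach-Object { Write-Output "DRIFT  $_" }

    if ($Apply) {
        foreach ($name in $recommended.Keys) {
            $config.$name = $recommended[$name]
        }
        Set-MFASecurity $config
        Write-Output 'Recommended values applied; re-run without -Apply to confirm.'
    }
}

# Report only; add -Apply to write the recommended values.
Test-MFASecurityBaseline
```

Running it in report mode from a scheduled task on the primary server gives a simple drift check for the farm's MFA security baseline; the apply path is kept separate so an audit run can never change the configuration by accident.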

Providers

  • Totp Provider : TOTPShadows = 2
  • Totp Provider : Algorithm = SHA512
  • Totp Provider : KeysFormat = RSA
  • Totp Provider : KeySize = 1024 bits or up
  • Email Provider : UseSSL = true
  • Email Provider : do not use Anonymous
  • Email Provider : DeliveryNotification = true
  • Biometric Provider : ChallengeSize = 32 or up if possible (compatibility with some devices)
  • Biometric Security Options : choose defaults