Version Affected: All
Description:
If WindowsSSO realms are reachable from outside the network, Bad Actors can use tools to force the server to divulge internal information via NTLM, such as the NetBIOS domain name, computer name, DNS domain name, DNS tree (forest) suffix, and product version.
Cause:
The server's NTLM/NetBIOS challenge response returns this information even when the Bad Actor sends a null (empty) authentication request, so no valid credentials are required to obtain it.
Resolution:
Having separate Internal and External IdPs prevents this issue, because the WindowsSSO realm is then never exposed outside the network.
If your IdPs serve both External and Internal visitors, use URL Rewrite and/or IP Blocking to prevent external access to the internal WindowsSSO website.
URL Rewrite
To redirect external users away from the internal realm, do the following:
1. Open IIS and navigate to the Default Website
2. At the Default Website level, open URL Rewrite and create a blank incoming rule
3. Set "Matches the pattern" and "Using regular expressions"
4. Pattern will be
^.*secureauth12.*$
(Assuming the WindowsSSO realm is called secureauth12; adjust to match your realm)
5. Set a condition such as {REMOTE_ADDR} Matches the Pattern 172.16.20.2
(this assumes that all external traffic arrives with the source IP address of your load balancer; if internal users also come through that load balancer, this condition cannot distinguish them)
6. Set the Action Type to Redirect, set the redirect URL to the external realm, and set a redirect type of Temporary (307)
IP Blocking
1. Open IIS and drill down to the WindowsSSO realm
2. Double-click IP Address and Domain Restrictions
3. Click Add Deny Entry
4. Specify the IP address of the load balancer (172.16.20.2 in the example above), so that requests arriving through it are refused at the realm level
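The two procedures above are normally performed in the IIS Manager GUI, but both write into web.config. The fragment below is an added example (not from the SecureAuth article) showing what the resulting configuration looks like, so you can check or deploy it by file: the URL Rewrite rule at the Default Website level, and the IP restriction scoped to the realm. It reuses the realm name secureauth12 and load balancer address 172.16.20.2 from the steps above; the external realm URL is a placeholder you must replace.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- web.config of the Default Website. Added example, not SecureAuth's own file. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Step 1-6 of "URL Rewrite": send requests that arrive from the load
             balancer and target the internal WindowsSSO realm to the external realm. -->
        <rule name="Redirect external users off WindowsSSO realm" stopProcessing="true">
          <!-- Same pattern as the article; adjust secureauth12 to your realm name -->
          <match url="^.*secureauth12.*$" />
          <conditions>
            <!-- Anchored and dot-escaped so 172.16.20.2 does not also match 172.16.20.20 -->
            <add input="{REMOTE_ADDR}" pattern="^172\.16\.20\.2$" />
          </conditions>
          <!-- redirectType="Temporary" is HTTP 307; the URL below is a PLACEHOLDER -->
          <action type="Redirect"
                  url="https://EXTERNAL-IDP-HOSTNAME/EXTERNAL-REALM/"
                  redirectType="Temporary" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>

  <!-- Step 1-4 of "IP Blocking": deny the load balancer address for the realm only.
       The path is relative to the site root; adjust to your realm's virtual path. -->
  <location path="secureauth12">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="true">
          <add ipAddress="172.16.20.2" allowed="false" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two caveats when applying this by file rather than through the GUI. First, the ipSecurity section is locked at the server level by default (overrideModeDefault="Deny" in applicationHost.config); IIS Manager unlocks it for you when you add the deny entry, but a hand-edited web.config will return a 500.19 error until you unlock it. Second, both mechanisms key off the source IP as IIS sees it; if your load balancer preserves the client address in an X-Forwarded-For header instead of presenting its own, the rewrite condition would need {HTTP_X_FORWARDED_FOR} and the IP restriction would need Proxy Mode enabled, and you should confirm which behaviour your load balancer has before relying on either rule. After deployment, verify from an external vantage point that a request to the realm receives the 307 (or a 403 from the deny entry) rather than a 401 with a WWW-Authenticate: NTLM or Negotiate header, since that 401 is the response that carries the leaked information.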
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.