Blocking authentication requests from countries on Server 2012 R2 ADFS

  • Question

  • Hi,

    We have Windows Server 2012 R2 ADFS servers that handle the SSO authentication for our Office 365 services. Is it possible to create rules to permit Office 365 requests from countries where our offices are located, and block client requests originating from other countries?

    Appreciate your help. Thanks. 


    Mathew


    • Edited by MathewKEO Tuesday, August 28, 2018 7:03 AM
    Tuesday, August 28, 2018 6:29 AM

All replies

  • It's not possible in ADFS. In the network layer it could be possible in theory, but I would not think it possible to implement and maintain.

    Also, even if you would allow only a specific set of countries' IP ranges, a malicious user would be able to spoof the IP or use a gateway to bypass that.

    • Marked as answer by MathewKEO Thursday, August 30, 2018 9:53 AM
    Wednesday, August 29, 2018 11:14 AM
  • Hi Jesper,

    Thank you for the response. I've attached a link here that made me think that it's possible. If it could provide some protection, I'd like to try it. We have accounts being locked out several times a day.

    access-control-policies-w2k12

    Thanks.


    Mathew


    • Edited by MathewKEO Wednesday, August 29, 2018 12:45 PM
    Wednesday, August 29, 2018 12:44 PM
  • Yes you could do it. But these rules will be evaluated after a successful authentication.

    I wrote a POC back in the day (it was to trigger MFA, but the logic for access denied is the same): https://blogs.technet.microsoft.com/pie/2016/03/02/ad-fun-services-playing-with-claim-rules-and-attribute-store-to-trigger-mfa-when-the-user-is-connected-from-a-different-country/

    With ADFS 2016 and the June update rollup, there is a new option to ban specific IPs. Not really a country thing, but it can help.

    Against account lockout, the recommendation is to use the ADFS 2016 Smart Lockout feature: https://support.microsoft.com/en-ca/help/4096478/extranet-smart-lockout-feature-in-windows-server-2016


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by MathewKEO Thursday, August 30, 2018 9:53 AM
    Wednesday, August 29, 2018 8:21 PM
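As an added illustration of the post-authentication claim-rule approach Pierre describes (example code written for this page, not Pierre's POC and not taken from the linked article): an issuance authorization rule set for the Office 365 relying party on ADFS 2012 R2 that issues the permit claim only when the request reached AD FS directly (no x-ms-proxy claim) or when the client IP carried in the request-context claims falls inside a fixed list of office egress ranges. The relying-party display name, the backup file path and the IP ranges (203.0.113.0/24 and 198.51.100.0/24, RFC 5737 documentation ranges used as placeholders) are assumptions; the static regex stands in for the attribute-store country lookup Pierre's POC used. Because these are authorization rules, they are evaluated after the password has been validated, so, as Pierre notes, they do not reduce the lockouts Mathew is seeing; they only decide what an already authenticated session may reach.

```powershell
# Added example for this thread, not Pierre's POC: ADFS 2012 R2 issuance
# authorization rules for the Office 365 relying party that permit only
# requests arriving from inside the network or from listed office egress ranges.
# Assumptions: the relying-party display name, the backup path and the IP
# ranges (RFC 5737 documentation ranges, stand-ins for real office egress IPs).

$rpName     = 'Microsoft Office 365 Identity Platform'   # confirm with Get-AdfsRelyingPartyTrust
$backupPath = "$env:TEMP\o365-authz-rules-before.txt"    # assumed location

# Constructed placeholder ranges: 203.0.113.0/24 and 198.51.100.0/24.
# A real deployment would list the office egress prefixes, or replace the
# regex with an attribute-store country lookup as in Pierre's POC.
$officeIpRegex = '^(203\.0\.113\.|198\.51\.100\.)[0-9]{1,3}$'

$ctx    = 'http://schemas.microsoft.com/2012/01/requestcontext/claims'
$permit = 'http://schemas.microsoft.com/authorization/claims/permit'

# Issuance authorization semantics: access is granted only if at least one
# permit claim is issued and no deny claim is issued. Issuing permit
# conditionally is therefore enough; no explicit deny rule is needed.
#
# Which of x-ms-client-ip and x-ms-forwarded-client-ip carries the true client
# address depends on the path (Web Application Proxy, Exchange Online), so
# verify with a test sign-in from outside before relying on these rules.
$rules = @"
@RuleName = "Permit requests that reached AD FS directly (no Web Application Proxy in the path)"
NOT EXISTS([Type == "$ctx/x-ms-proxy"])
 => issue(Type = "$permit", Value = "true");

@RuleName = "Permit proxied requests whose client IP is inside an office range"
EXISTS([Type == "$ctx/x-ms-client-ip", Value =~ "$officeIpRegex"])
 => issue(Type = "$permit", Value = "true");

@RuleName = "Permit Exchange Online requests whose forwarded client IP is inside an office range"
EXISTS([Type == "$ctx/x-ms-forwarded-client-ip", Value =~ "$officeIpRegex"])
 => issue(Type = "$permit", Value = "true");
"@

# Keep a copy of the current rules so the change can be reverted quickly.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceAuthorizationRules | Out-File -FilePath $backupPath -Encoding UTF8

# Replace the relying party's issuance authorization rules with the set above.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Show what is now in place, then test one sign-in from an office range and one
# from outside it; the second should end on the AD FS access-denied page.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Watch the AD FS admin and security event logs for the denied sign-ins after enabling this: a user whose credentials succeed but whose session is refused by these rules is exactly the already-compromised-account case Pierre refers to later in the thread, and that is the signal worth alerting on.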
  • Hi Pierre,

    In theory, or as you write, POC, it makes sense. But in reality, does it really offer anything? Even a mediocre user could type in a proxy address in the browser to bypass that, no?

    Thursday, August 30, 2018 9:33 AM
  • Yes. Also, you could call the paid service of IPStack to get the threat level of the IP and deny access to known proxy or TOR endpoints.

    But again, this does not prevent lockout, just block the access of an already compromised account.

    Thursday, August 30, 2018 3:49 PM