GSA/https

Active Directory Federation Services server

jwilkinsusaid opened this issue · 4 comments

I have a project that is using Active Directory Federation Services and doesn't have any of the HSTS settings. ADFS is a single sign on service from MS. It's a pre-canned service that runs an inclusive web server (not IIS). The site is redirected from NetScalers over SSL. ADFS will only answer on specified URLs.

Here's a write up from MS: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-faq

Is it possible to get a waiver or have the server excluded from being scanned?

alex commented

One solution that would work is to have usaid.gov do HSTS with includeSubDomains; preload, and then get it included in the HSTS preload list.

This will have the effect of providing HSTS for ADFS (though I'm not sure how the scanner would display it).

I'd also encourage you to send MS a feature request for HSTS, hopefully they'd be responsive to customers' requests for improved security!

Hi @jwilkinsusaid, unfortunately, Microsoft's statements are inaccurate. This is what they say on https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-faq:

All AD FS endpoints for web authentication traffic are opened exclusively over HTTPS. As a result, AD FS effectively mitigates the threats that HTTP Strict Transport Security policy mechanism provides (by design there is no downgrade to HTTP since there are no listeners in HTTP). In addition, AD FS prevents the cookies from being sent to another server with HTTP protocol endpoints by marking all cookies with the secure flag.

Therefore, implementing HSTS on an AD FS server is not required because it can never be downgraded. For compliance purposes, AD FS servers meet these requirements because they can never use HTTP and all cookies are marked secure.

This is not accurate, because HSTS controls client behavior.

If a server only closes port 80, but doesn't use HSTS, clients may still issue plain HTTP requests to that service (for example, if the domain is typed into the URL bar, or the user clicks/pastes a link using http://). These plain HTTP requests can be hijacked by a malicious network before they ever reach the "real" service.

For this (and other) reasons, HSTS is required in addition to HTTPS enforcement on the server side.

I encourage you to inform Microsoft that their statement is inaccurate, as they likely want to publish only accurate information.

To @alex's comment:

This will have the effect of providing HSTS for ADFS (though I'm not sure how the scanner would display it).

Both pulse.cio.gov and DHS' reports factor in preload status when displaying HSTS support.

You can see an example of this on the Pulse results for fedramp.gov:

[Screenshot, 2018-03-22: Pulse results for fedramp.gov]

So yes, preloading usaid.gov will also resolve this issue for USAID, in practice and from a reporting standpoint. However, USAID would need to ensure that any intranet subdomains of usaid.gov, which may not be measured by Pulse or DHS, at least support valid https:// connections.
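To make the preload/includeSubDomains reasoning above concrete, here is an added example (not code from this repository or from Pulse) that parses a Strict-Transport-Security header the way a browser would, decides which cached or preloaded policy applies to a given host, and checks the hstspreload.org submission requirements. The header values and hostnames such as adfs.usaid.gov are constructed for illustration.

```python
def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives.

    Returns None when the header is malformed (no usable max-age), which is
    how browsers treat it: the whole header is ignored, so no policy is set.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def hsts_covers(host, policies):
    """Return the domain whose policy makes `host` HTTPS-only, or None.

    `policies` maps a domain to a parsed policy (what a browser has cached or
    preloaded). A parent's policy only reaches a subdomain when it carries
    includeSubDomains, which is why preloading usaid.gov without that flag
    would leave an ADFS subdomain still reachable over plain HTTP.
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        policy = policies.get(candidate)
        if policy is None or policy["max_age"] == 0:  # max-age=0 clears a policy
            continue
        if i == 0 or policy["include_subdomains"]:
            return candidate
    return None


def preload_eligible(policy):
    """hstspreload.org requires max-age >= 1 year, includeSubDomains and preload."""
    return (policy is not None and policy["max_age"] >= 31536000
            and policy["include_subdomains"] and policy["preload"])


# Constructed scenario: the apex sends a preload-ready header; the ADFS host
# sends none, exactly the situation described in this issue.
apex = {"usaid.gov": parse_hsts("max-age=31536000; includeSubDomains; preload")}
print(hsts_covers("adfs.usaid.gov", apex))  # usaid.gov
```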

Closing, since this is a straightforward issue of non-compliance.