I'm currently investigating the deployment of an Active Directory Federation Services (ADFS) server for providing Single Sign-on for various services. By default, ADFS enables support for Extended Protection for Authentication (EPA) to protect against man-in-the-middle attacks against Integrated Windows Authentication (IWA). This is all well and good, but no web browsers currently support EPA with the exception of Internet Explorer (which is pretty unfortunate given how long EPA has been available to protect against this vulnerability). Standardising on Internet Explorer is not a viable option for us and so this leaves disabling EPA as the only other option if we want to enable seamless authentication to supported services from internal network clients. I'm curious though as to other hardening approaches that could be used to help mitigate the risk of disabling EPA, with the understanding that none of these will outright remove the underlying vulnerability which EPA seeks to address (at least, none that I'm aware of).
My idea, apart from the whitelisting that all the major browsers require in the default configuration for URLs where IWA is permitted to be used, was to perform some sort of certificate pinning against the certificate(s) used on the SSO server(s). In this sense, a theoretical attacker would need to both impersonate one of the whitelisted URLs and also have access to the private key for one of the certificates that the browser is pinned against for the URL. This of course doesn't outright prevent the attack that EPA seeks to prevent as I understand it, but it would presumably make performing the MitM in order to carry out the attack substantially harder, given you'd need:
- Knowledge of one of the whitelisted URLs which is to be MitM'd (not overly difficult)
- Access to the private key of one of the pinned certificates (assume very difficult)
- Ability to break the cryptography of the existing certificate (currently impossible)
So my questions are:
- Is the thinking behind the above generally sound or are there major gaps?
- If not, are there other alternate steps that could be taken to help reduce the risk of disabling EPA?
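Added example (not from the poster): a PowerShell audit run on an ADFS server that reports the farm's current EPA mode and checks every certificate actually bound to the ADFS SSL endpoints against the thumbprint list a browser-side pinning policy would be built from. It assumes the ADFS module is available and that the `$PinnedThumbprints` values are placeholders you replace with your own.

```powershell
# Placeholder thumbprints; replace with the SHA-1 thumbprints of the SSO
# certificates your pinning policy trusts.
$PinnedThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_OF_SSO_CERT_1',
    'PLACEHOLDER_THUMBPRINT_OF_SSO_CERT_2'
)

function Get-EpaPosture {
    # ExtendedProtectionTokenCheck is Require, Allow or None on an ADFS farm.
    $mode = (Get-AdfsProperties).ExtendedProtectionTokenCheck
    $note = switch ($mode) {
        'Require' { 'EPA enforced: IWA without a valid channel binding token is rejected' }
        'Allow'   { 'EPA verified when the client supplies a channel binding token; clients without one are still accepted' }
        default   { 'EPA disabled: the whitelist and pinning checks below are the remaining controls' }
    }
    [pscustomobject]@{ Mode = $mode; Enforced = ($mode -eq 'Require'); Note = $note }
}

function Test-SsoCertificatePins {
    # Compare each certificate bound to an ADFS SSL endpoint with the pinned
    # list. A mismatch either breaks pinned browsers at logon or means an
    # unexpected certificate is being served on the SSO hostname.
    foreach ($binding in Get-AdfsSslCertificate) {
        [pscustomobject]@{
            HostName   = $binding.HostName
            Port       = $binding.PortNumber
            Thumbprint = $binding.CertificateHash
            Pinned     = ($PinnedThumbprints -contains $binding.CertificateHash)
        }
    }
}

Get-EpaPosture | Format-List
Test-SsoCertificatePins | Where-Object { -not $_.Pinned } | ForEach-Object {
    Write-Warning "Unpinned certificate on $($_.HostName):$($_.Port) ($($_.Thumbprint))"
}
```

Run it after any certificate rotation on the farm, since a renewed SSL certificate that is not added to the pinned list is the most common way a pinning policy turns from a control into an outage.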