To improve Windows Server I suggest you ...

← General Feedback

Significantly increase the number of Banned IPs that can be stored in ADFS.

ADFS 2019 allows for 300 IPs to be added to the "Banned IP list"

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-banned-ip#adding-banned-ips

As there are nearly four billion public IPs on the internet, 300 is woefully inadequate.

Small customers that are only trying to block a few users aren't likely using ADFS anyway. Large organizations that rely on ADFS will hit the 300 limit almost immediately.

I'd like to see this number raised to 65538 (/16) or something similar.

9 votes
Sign in
(thinking…)
Sign in with: Facebook Google
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Mike Crowley shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

6 comments

Attach a File
Sign in
(thinking…)
Sign in with: Facebook Google
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Jordan Mills commented  ·   ·  Flag as inappropriate

    This STILL needs to be fixed. But something that will help a lot with the password spray attacks is to disable basic authentication on the web application proxies:

    Get-AdfsEndpoint | Where-Object { $_.clientcredentialtype -eq "Username-Password-Clear" } | Out-GridView | Select-Object -ExpandProperty FullUrl | Set-AdfsEndpoint -Proxy $false

    This has the potential to break exchange online and sharepoint online if you haven't completely moved to modern auth, so you should probably audit the use of those endpoints before doing that. Despite the documentation, not all clients completely change to modern auth when you change the defaults. Some need to be disconnected and reconnected or reinstalled on the client endpoints.

  • Dan Park commented  ·   ·  Flag as inappropriate

    Both the ADFS bannedIpList count limit of 300 and the Office 365 Set-OrganizationConfig -IPListBlocked limit of~1173 need to be increased. Tried to add a geofence to ADFS, but we would need to write some C# code for that. We're ingesting our ADFS audit data with Elasticsearch and we're seeing access attempts from around the world to our employee Office 365 accounts. Office 365 is probably one of the biggest target on the Internet. Microsoft, please make ADFS more secure!

  • Anonymous commented  ·   ·  Flag as inappropriate

    The "set-orgconfig" to block iP's from being routed to on-prem ADFS is good to protect for that kind of attach, but a target attack against your public ADFS is still a huge problem and should definitely have more than 300 addresses in the block list! //K

  • Mike Crowley commented  ·   ·  Flag as inappropriate

    Not to take wind out of my own sail here, but FYI:

    If you are attempting to block IPs for use with Office 365 federation, you can do this directly in the tenant via Set-OrganizationConfig -IPListBlocked. In my testing, I was able to add ~1173 entries. Listed IP addresses will not be proxied to AD FS for authentication.
    ref: https://www.slideshare.net/AndresCanello/azure-ad-password-attacks-logging-and-protections

General Feedback: Configuration

Feedback and Knowledge Base

(thinking…)