Allows authorized users to continue accessing cloud-based services even when their account is under DDoS attack

ADFS – an enterprise security risk 

  
Active Directory Federation Services (ADFS) is an authentication service developed by Microsoft that allows the secure sharing of identity information between trusted business partners across an extranet and the company’s local Active Directory.

Enterprises utilizing cloud services, such as Office 365, typically use ADFS to extend their end users’ single sign-on (SSO) access to applications and systems outside the corporate firewall. Allowing an external service to authenticate against your local Active Directory (AD) presents a security challenge,   and puts ADFS at risk for Distributed-Denial-of-Service (DDoS) attacks. Even without the password, an attacker can easily lock an account simply by sending failed login attempts with the employee’s user name, a value that is easily exposed.

Microsoft Windows 2012 Extranet Lockout protection limitations

Traditional solutions such as the built-in Windows 2012 Extranet Lockout protection – a part of the Windows 2012 server – fail to provide a workable solution for most enterprises.  Once the software detects an attack, the Extranet Lockout is activated and ALL external access is denied, with no exceptions. This means that while the internal account remains secure, legitimate users are still unable to access the account through ADFS, causing significant disruption to business operations. As more and more services depend on ADFS, the impact of DDoS is more significant.

In addition, Windows 2012 Extranet Lockout fails to fully protect the AD account from all lockouts. AGAT has identified and demonstrated the ability to lock Active Directory accounts even when the ADFS Extranet Lockout feature was configured to block account lockout.  SphereShield for ADFS’ robust solution addresses this vulnerability, ensuring the enterprise extranet is secured in all scenarios.