Brian Puhl's Weblog

These postings are provided "AS IS" with no warranties, and confer no rights...WHEW...glad we got that over with, let's get to the good stuff now...


ADFS and Domain Admins (or anyone else for that matter)


I spend a lot of time answering questions or making comments in e-mails that would make good blog posts.  So it may seem a bit cheesy (at least it does to me), but it's turning out that reposting these e-mails seems like an easy way to do this...so here's another one...hope you don't mind (again, some edits to protect the innocent)...(and fix typos)...


________________________________________
From: Brian Puhl
Sent: Monday, September 18, 2006 1:18 AM
To: ADFS Discussion
Subject: RE: Domain Admin and ADFS

More generically – it’s a good thing to remember that anyone who can join a machine to a domain can install ADFS and create federations.

We had several conversations with the ADFS team during R2 dogfooding about this – to summarize weeks of discussions into a couple of bullet points:

  • Generally speaking, “IT” controls the network perimeter – So the ‘threat’ of setting up an incoming federation to allow 3rd party access to your network would require someone who was deploying ADFS to also be able to deploy applications to the internet
  • Anyone could configure ADFS, and work with a partner to configure an outbound federation, enabling all users in the directory (and trust realm) to ADFS authenticate to an application.  The primary concern here was data disclosure, but the only data they could disclose are things that are already readable by the user in the directory anyways, so there were a lot easier ways to disclose this info if that was the goal.

From the MS IT perspective, our largest concern was actually the support impact.  For example, you go to a website one day, and it just suddenly “logs you in”, because someone internally joined an R2 machine to the domain, and worked with the application owner to set up the federation.  This is all goodness, until the day that the federation breaks – Because the users will call the help desk (approx $50 per call), and it is extremely difficult to track down where the federation server is, who owns it, how it’s configured, why it broke, etc…  All of this takes administrator time and effort ($$$), for what is essentially a user impacting rogue application.

The ADFS Product Group has a DCR <Design Change Request> to give us more control over rogue ADFS instances in LH Server.  I don't know the status, but they understand the problem of needing to answer the question "Who do we have federations with."

Brian Puhl
Microsoft IT
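As an added example (not part of the thread, and not Microsoft's own tooling) of answering "Who do we have federations with," here is a PowerShell inventory script. It assumes a current ADFS (Windows Server 2012 R2 or later, where the federation service runs as the Windows service adfssrv and the ADFS PowerShell module provides Get-AdfsRelyingPartyTrust and Get-AdfsClaimsProviderTrust), the RSAT ActiveDirectory module on the machine running it, and WinRM/CIM access to the servers; the R2-era ADFS discussed in the thread had none of these. The function names Find-AdfsServers and Get-AdfsFederationInventory are my own.

```powershell
# Added example: locate federation servers in the domain and list their trusts.
# Assumes ADFS on Windows Server 2012 R2 or later (service 'adfssrv', ADFS module),
# the RSAT ActiveDirectory module, and WinRM/CIM reachability. Not R2-era ADFS.
Import-Module ActiveDirectory

# Step 1: sweep domain-joined servers for the ADFS Windows service.
# This is how you find the box nobody documented before it breaks.
function Find-AdfsServers {
    param([string]$SearchBase)   # optional OU DN to narrow the sweep
    $query = @{ Filter = 'OperatingSystem -like "*Server*"'; Properties = 'OperatingSystem' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    foreach ($computer in Get-ADComputer @query) {
        try {
            $svc = Get-CimInstance -ComputerName $computer.DNSHostName -ClassName Win32_Service `
                                   -Filter "Name='adfssrv'" -ErrorAction Stop
            if ($svc) {
                [pscustomobject]@{
                    Server    = $computer.DNSHostName
                    State     = $svc.State
                    StartName = $svc.StartName   # the service account: who owns this thing?
                }
            }
        } catch {
            Write-Warning "Could not query $($computer.DNSHostName): $($_.Exception.Message)"
        }
    }
}

# Step 2: on a federation server, enumerate both directions of federation.
function Get-AdfsFederationInventory {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Import-Module ADFS
        # Outbound: relying parties our directory users can be signed in to.
        Get-AdfsRelyingPartyTrust | ForEach-Object {
            [pscustomobject]@{
                Server     = $env:COMPUTERNAME
                Direction  = 'Outbound (relying party)'
                Name       = $_.Name
                Identifier = ($_.Identifier -join ';')
                Enabled    = $_.Enabled
                Metadata   = $_.MetadataUrl
            }
        }
        # Inbound: partner identity providers whose users we accept.
        # 'Active Directory' appears here by default; anything else is a partner.
        Get-AdfsClaimsProviderTrust | ForEach-Object {
            [pscustomobject]@{
                Server     = $env:COMPUTERNAME
                Direction  = 'Inbound (claims provider)'
                Name       = $_.Name
                Identifier = ($_.Identifier -join ';')
                Enabled    = $_.Enabled
                Metadata   = $_.MetadataUrl
            }
        }
    }
}

# Usage: sweep the domain, then inventory every federation server found.
Find-AdfsServers |
    ForEach-Object { Get-AdfsFederationInventory -ComputerName $_.Server } |
    Sort-Object Server, Direction, Name |
    Format-Table Server, Direction, Name, Identifier, Enabled -AutoSize
```

Run it from a box with the RSAT tools as an account that can read services over CIM on the member servers and has local admin on the federation servers; schedule it and diff the output, since a new row in either direction is exactly the "rogue federation" the thread is worried about.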

--------------------------------------------------------------------------------

From: T
Sent: Monday, September 18, 2006 12:36 AM
To: ADFS Discussion
Subject: RE: Domain Admin and ADFS

No, as domain admins can do whatever they want to in their domain
 
--------------------------------------------------------------------------------

From: M
Sent: 15 September 2006 19:32
To: ADFS Discussion
Subject: Domain Admin and ADFS

QUESTION:

<My customer with multiple domains> are going to upgrade their servers to R2 and they want to know if there is any way to prevent Domain Admins from installing and configuring ADFS.

Any comment/suggestion will be greatly appreciated

Best regards,
M

Comments
  • Hm.  In a perfect world, there would need to be a contractual component to any and all technical federations, and those contractual components should go through review by the privacy officer, and also by the admin team.  

    Companies and admin groups need to get religion over the process involved with creation of federations, if for no other reason than to protect themselves from liability.  

    Here is more about liability and federation:  http://www.rsasecurity.com/go/siliconcom/liability.asp

    Cheers,

    Pam
