Pau Lo asked:

AD authentication for external facing services

Is it fairly common for ports/apps that are "external facing" (e.g., exposed to the Internet or to approved 3rd-party sites via your perimeter firewall rule base) to require an AD username/password for authentication? We have recently had a risk assessment returned for a 3rd party which claimed all external user access requires MFA. That is likely true for all accounts permitted to log in to the private network for home working via a particular web access gateway, but that doesn't necessarily mean it is true for every open port allowed through the boundary firewall.


I was trying to learn of other common examples whereby individual apps/services that are permitted through a perimeter firewall also utilise domain credentials for access/authentication, to assess whether these systems are also protected by MFA. I appreciate everyone's external IP range is providing a different set of services/applications to the outside world, but for comparison: do any open ports on your external IP range that don't represent an "all user" remote access gateway system also use AD credentials for authentication? Remote access systems for home working represent only one of potentially numerous open ports on the boundary firewall that integrate with AD for authentication and access. I was just trying to think of other example scenarios of internet-facing services whereby AD accounts may be involved. Which public-facing services/apps require you to enter a domain username/password from outside your LAN (if any)?


To put it into context, the risk assessment is working on the basis that if an external hacker had compromised a user's domain credentials, what could they do with them from outside the LAN environment, based on your external-facing landscape? E.g., remote access gateways designed for home working would typically be protected in such a scenario, as that particular system is protected by MFA, so the username/password combination for an AD account permitted to use the system for home working is not sufficient for a breach.

Topics: Networking, Security, Active Directory, Hardware, Software
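One practical way to answer the "which exposed services accept domain credentials?" part of the question for HTTP services on the external range is to look at how they challenge an unauthenticated client: a 401 that offers NTLM or Negotiate is Windows integrated authentication, which means an AD username/password (or Kerberos ticket) is what the service wants, and the NTLM Type 2 challenge it returns names the domain it authenticates against. The following is an added example, not part of the original post or of any answer on this page. The hostnames, domain names and the sample challenge message are constructed for the demonstration; `probe()` does real network requests and is intended only for your own external IP range.

```python
"""Inventory check: does an internet-facing HTTP service challenge with Windows
integrated auth (NTLM/Negotiate), i.e. does it accept AD domain credentials?
Added example, not from the original post. All hostnames, domain names and the
sample challenge below are constructed, not captured from any real host."""
import base64
import struct
import urllib.error
import urllib.request

# AV_PAIR ids from MS-NLMP 2.2.2.1 (TargetInfo inside a CHALLENGE_MESSAGE)
AV_NAMES = {1: "netbios_computer", 2: "netbios_domain",
            3: "dns_computer", 4: "dns_domain", 5: "dns_tree"}
NEGOTIATE_UNICODE = 0x00000001
TARGET_TYPE_DOMAIN = 0x00010000   # TargetName is a domain, not a standalone server
NEGOTIATE_VERSION = 0x02000000


def build_negotiate() -> bytes:
    """Minimal NTLM Type 1 (NEGOTIATE_MESSAGE), 32 bytes: header, flags and empty
    DomainName/Workstation fields. Sending it makes the server reveal its Type 2."""
    return (b"NTLMSSP\x00" + struct.pack("<I", 1)
            + struct.pack("<I", NEGOTIATE_UNICODE)
            + struct.pack("<HHI", 0, 0, 32) + struct.pack("<HHI", 0, 0, 32))


def parse_challenge(blob: bytes) -> dict:
    """Decode a Type 2 (CHALLENGE_MESSAGE): TargetName, flags and the TargetInfo
    AV_PAIRs, which carry the NetBIOS/DNS domain the server authenticates against."""
    if len(blob) < 48 or blob[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not a CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)
    flags = struct.unpack_from("<I", blob, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)
    info, pos, end = {}, ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:            # MsvAvEOL terminates the list
            break
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = blob[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return {"target_name": blob[tn_off:tn_off + tn_len].decode("utf-16-le"),
            "target_is_domain": bool(flags & TARGET_TYPE_DOMAIN), "info": info}


def classify(www_authenticate: list) -> list:
    """One finding per WWW-Authenticate value of a 401 response.
    ad_backed: True = accepts domain credentials; None = the header cannot tell."""
    findings = []
    for value in www_authenticate:
        scheme, _, token = value.strip().partition(" ")
        scheme = scheme.lower()
        if scheme in ("ntlm", "negotiate"):
            f = {"scheme": scheme, "ad_backed": True, "domain": None}
            if token:
                blob = base64.b64decode(token)
                if blob.startswith(b"NTLMSSP\x00"):
                    ch = parse_challenge(blob)
                    f["domain"] = ch["info"].get("dns_domain") or ch["target_name"]
                else:
                    f["scheme"] = "negotiate/kerberos"   # SPNEGO token, not raw NTLM
            findings.append(f)
        else:
            # Basic/Digest/forms may front LDAP-to-AD or a local store; cannot tell.
            findings.append({"scheme": scheme, "ad_backed": None, "domain": None})
    return findings


def probe(url: str, timeout: float = 10) -> list:
    """Send a Type 1 and classify the 401 challenge. Network use; only run it
    against hosts you own. Returns [] when the server does not answer 401."""
    req = urllib.request.Request(url, headers={
        "Authorization": "NTLM " + base64.b64encode(build_negotiate()).decode()})
    try:
        urllib.request.urlopen(req, timeout=timeout)
    except urllib.error.HTTPError as e:
        if e.code == 401:
            return classify(e.headers.get_all("WWW-Authenticate") or [])
    return []


def build_sample_challenge() -> bytes:
    """Constructed Type 2 message for offline use (hypothetical CORP domain)."""
    def u16(s): return s.encode("utf-16-le")
    name = u16("CORP")
    pairs = [(2, "CORP"), (4, "corp.example.com"), (1, "OWA01"),
             (3, "owa01.corp.example.com")]
    ti = b"".join(struct.pack("<HH", i, len(u16(v))) + u16(v) for i, v in pairs)
    ti += struct.pack("<HH", 0, 0)                              # MsvAvEOL
    flags = NEGOTIATE_UNICODE | TARGET_TYPE_DOMAIN | NEGOTIATE_VERSION
    return (b"NTLMSSP\x00" + struct.pack("<I", 2)
            + struct.pack("<HHI", len(name), len(name), 56)     # TargetName fields
            + struct.pack("<I", flags)
            + bytes.fromhex("0123456789abcdef")                 # ServerChallenge
            + b"\x00" * 8                                       # Reserved
            + struct.pack("<HHI", len(ti), len(ti), 56 + len(name))  # TargetInfo
            + b"\x00" * 8                                       # Version
            + name + ti)


def sample_401_headers() -> list:
    """Constructed WWW-Authenticate values as an IIS-style host might send them."""
    return ["Negotiate", "NTLM " + base64.b64encode(build_sample_challenge()).decode()]


if __name__ == "__main__":
    for finding in classify(sample_401_headers()):
        print(finding)
```

Run `probe("https://<host on your external range>/")` per exposed web service and record every finding with `ad_backed` true; each of those is a place where a stolen AD password alone is being tested, so it belongs on the list the risk assessment is asking about unless something in front of it (the gateway, a conditional access policy) enforces MFA. A bare `Basic` or a forms login is inconclusive from the outside and has to be checked against the backend configuration. Non-HTTP services (SMTP AUTH, IMAP, LDAP, RDP, VPN via RADIUS) need their own protocol-specific probe; the approach of looking at the authentication mechanism the service advertises is the same.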

Last comment: kevinhsieh, 8/22/2022 (Mon)
Asker certified solution: harbor235
Solution: kevinhsieh