Roughly 6 months ago, on February 26th, 2020, we saw the release of Microsoft Multi-factor Authentication Server (MFA Server) version 8.0.4. Now it’s time for an update to Microsoft’s product that allows organizations to add multi-factor authentication to RADIUS-, AD FS-, IIS-based and other on-premises authentication scenarios. This week, Microsoft released version 18.104.22.168.
The release notes mention the following changes:
Added Cross-Site Request Forgery (CSRF) prevention to User Portal
Cross-site request forgery (CSRF) is a type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts.
In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.
CSRF attacks are now prevented in MFA Server’s User Portal. The User Portal is where end-users and service desk personnel can register (end-users only) and make changes to the MFA settings, stored in the MFA Server database.
Because MFA Server’s User Portal shows its version on the sign-in page by default, and MFA Server User Portals are easy to find (even with a simple Bing search), organizations should upgrade their MFA Server implementations promptly rather than keep exposing a User Portal that advertises a vulnerable version.
Added compatible Content-Security-Policy headers to the User Portal’s Web.Config
Cross-Site Request Forgery prevention can be achieved in several ways: a per-session CSRF token, a double-submit cookie and matching form value, or an encrypted token. MFA Server’s User Portal presumably added one of these, but Microsoft didn’t stop there.
Microsoft also changed the Content-Security-Policy header.
Many modern website protections rely on security headers. Through security headers, you can prevent malicious scripts from running in browsers visiting your MFA Server User Portal or AD FS infrastructure, prevent the acceptance of forged TLS certificates, and prevent clickjacking attacks. Through these security response headers, the information security level of MFA Server’s User Portal is raised.
The CSP response header is used to prevent cross-site scripting, clickjacking and other data injection attacks by preventing browsers from inadvertently executing malicious content.
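The two changes above (session-bound CSRF tokens on state-changing requests, plus a Content-Security-Policy response header) are illustrated below in a small, self-contained Python handler. This is an added example, not Microsoft’s User Portal code: the key, the allowed origin `https://mfa.example.com`, the header values and the session identifiers are all constructed for the example, and the exact policy Microsoft ships in the User Portal’s Web.Config is not on this page.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed for this example: a real deployment loads the key from protected configuration.
SECRET_KEY = secrets.token_bytes(32)
# Assumed origin of the portal; browsers send an Origin header on cross-site POSTs.
ALLOWED_ORIGIN = "https://mfa.example.com"

# Response headers of the kind the release notes describe (values are illustrative).
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; "
                               "frame-ancestors 'none'; base-uri 'self'",
    "X-Content-Type-Options": "nosniff",
}

NONCE_LEN = 16
MAC_LEN = hashlib.sha256().digest_size


def issue_csrf_token(session_id):
    """Synchronizer-style token: random nonce plus an HMAC binding it to the session."""
    nonce = secrets.token_bytes(NONCE_LEN)
    mac = hmac.new(SECRET_KEY, nonce + session_id.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + mac).decode()


def verify_csrf_token(session_id, token):
    """True only if the token was issued for this session and is unmodified."""
    if not token:
        return False
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError
        return False
    if len(raw) != NONCE_LEN + MAC_LEN:
        return False
    nonce, mac = raw[:NONCE_LEN], raw[NONCE_LEN:]
    expected = hmac.new(SECRET_KEY, nonce + session_id.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def handle_request(method, session_id, headers, form):
    """Minimal portal handler. Returns (status, response_headers, body)."""
    if method in ("GET", "HEAD"):
        # Embed a fresh token in the settings form; every response carries the CSP header.
        token = issue_csrf_token(session_id)
        body = ('<form method="post">'
                f'<input type="hidden" name="csrf_token" value="{token}"></form>')
        return 200, dict(SECURITY_HEADERS), body

    # State-changing request: reject foreign origins when the browser tells us, then check the token.
    origin = headers.get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403, dict(SECURITY_HEADERS), "cross-origin request rejected"
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, dict(SECURITY_HEADERS), "missing or invalid CSRF token"
    return 200, dict(SECURITY_HEADERS), "MFA settings updated"


if __name__ == "__main__":
    # Constructed walk-through: a legitimate form submission versus a forged cross-site POST.
    session = "session-victim"
    token = issue_csrf_token(session)
    print(handle_request("POST", session, {"Origin": ALLOWED_ORIGIN}, {"csrf_token": token})[0])
    print(handle_request("POST", session, {"Origin": "https://attacker.example"}, {})[0])
    print(handle_request("POST", session, {}, {"csrf_token": issue_csrf_token("other")})[0])
```

The token check is what actually stops a forged request, because a cross-site page cannot read the token embedded in the victim’s form; the Origin check and the CSP header are defence in depth, with `frame-ancestors 'none'` also covering the clickjacking case mentioned above.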
Windows Authentication for Remote Desktop Services (RDS) is not supported for Windows Server 2012 R2.
You must upgrade MFA Server and Web Service SDK before upgrading the User Portal or AD FS adapter. Read the guidance in the How to Upgrade section in this blogpost for more information.
You can download Azure Multi-Factor Authentication Server 22.214.171.124 here.
The download weighs 128 MB.
This is version 126.96.36.199 of Azure Multi-Factor Authentication Server.
It was signed off on August 25th, 2020.