Support Desk

The Intranet Provisioning Website is designed to authenticate domain users on the internal network (Windows authentication - so AD username and password). We do this because we need a way to authenticate the user before assigning them a token and on the internal network this is OK - we now know who the user is and can assign a token to them based on their AD credentials. We assume that the user is valid because they are on the internal network and have valid AD credentials. Having access to the internal network means they are likely to be a valid user simply because they have access to the internal network. If a hacker has access to the internal network then the customer has other problems !

Putting the website into the DMZ is no more secure than making it publicly available - it is still using the internal AD to verify the user (would require opening LDAP ports from the DMZ website to the internal AD domain controllers - not a great idea) and since the website has no concept of rate limiting or blocking access to external parties who try to brute force the credentials a hacker could happily pound away at the website until they cracked a username/password combination (let's say administrator - which is a popular choice :-)). Now they can assign themselves a soft token and use the credentials and the soft token to login via the MFA secured VPN as administrator and do whatever they like. Do you see why this is a very bad idea?