Web interface for remote reset of Active Directory passwords.
Written to address the mess of Microsoft licensing associated with remote users and password write-back, specifically the Azure AD Premium P1 and P2 licences that password write-back requires.
- Single-endpoint design with a minimal attack surface
- Custom nginx config with strict input rules (see the example configuration below)
- No stored Active Directory credentials: the service authenticates to AD with the user's current password only
- Rate limiting per username
- Rate limiting per IP address
- Critical AD accounts blacklisted, so they can never be reset through this interface
- Bot blocking via Google reCAPTCHA
- Whitelist validation of all input fields
- IP reputation lookup (IPHub) that bans proxy and Tor endpoints
- Static code analysis with PEST (Primitive Erlang Security Tool)
- Encrypted connections enforced for all AD communication
- New passwords checked against the Pwned Passwords API and rejected if they appear in a known breach
- API successes and failures are logged
The example nginx configuration implements the following:
- Only the single reset endpoint is forwarded to the backend
- Access limited to POST
- Access limited to the correct content type
- Rate limiting by IP address
- Customised error responses (no HTML) that the frontend can parse
- Standard security headers
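As an added example (not the project's own nginx config), the following server block implements the six points above, and with them the single-endpoint design and per-IP rate limiting from the feature list. The endpoint path /api/reset, the backend address 127.0.0.1:8080, the host name, certificate paths, rate-limit figures and the static error-body file are all assumptions.

```nginx
# Added example, not the project's own nginx config. Assumed values: the
# endpoint path /api/reset, the backend on 127.0.0.1:8080, the host name,
# certificate paths, rate-limit figures and the static error-body file.

# One token bucket per client IP (5 requests/minute); 10 MB holds ~160k addresses.
limit_req_zone $binary_remote_addr zone=reset_by_ip:10m rate=5r/m;
limit_req_status 429;

server {
    listen 443 ssl;
    server_name reset.example.com;                      # assumption

    ssl_certificate     /etc/nginx/tls/reset.crt;       # assumption
    ssl_certificate_key /etc/nginx/tls/reset.key;       # assumption
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Standard security headers on every response, including errors ("always").
    # The CSP only opens what reCAPTCHA needs; everything else is self-hosted.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; frame-src https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/; connect-src 'self'" always;

    # Every error nginx itself generates is answered with the same JSON body
    # and the original status code, so the frontend never has to parse HTML.
    error_page 400 403 404 405 413 415 429 500 502 503 504 /error.json;
    location = /error.json {
        internal;                          # reachable only via error_page
        root /etc/nginx/errors;            # assumption: file contains {"status":"error"}
        default_type application/json;
    }

    # The only path that reaches the backend.
    location = /api/reset {
        limit_except POST { deny all; }    # any other method -> 403 -> /error.json
        if ($content_type !~* "^application/json") {
            return 415;                    # wrong Content-Type never reaches the app
        }
        limit_req zone=reset_by_ip burst=3 nodelay;
        client_max_body_size 4k;           # username, passwords and captcha token only

        proxy_pass http://127.0.0.1:8080;  # assumption: backend address
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;   # backend's per-IP limit and IPHub lookup
    }

    # Self-hosted React frontend; unknown paths get a 404 instead of reaching the app.
    location / {
        root /var/www/reset;               # assumption: built frontend output
        try_files $uri $uri/ =404;
    }
}
```

Backend responses pass through untouched, so the application keeps control of its own JSON error bodies; only errors nginx generates itself are rewritten. If nginx sits behind a load balancer, $binary_remote_addr is the balancer's address, so configure the real_ip module (set_real_ip_from and real_ip_header) before trusting the per-IP limit. limit_except answers non-POST requests with 403; if the frontend expects 405, replace it with if ($request_method != POST) { return 405; }. The CSP sources are the ones Google documents for reCAPTCHA; adjust them to match the reCAPTCHA variant the frontend actually loads.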
The following API keys are required to utilise this tool and are set in private.config: a Google reCAPTCHA key (captcha_key) and an IPHub key (iphub_key).
The file private.config should follow this format:
```erlang
[
  {p3, [
    {captcha_key, <<"captcha">>},                                  % Google reCAPTCHA key used for server-side verification
    {domain_list, ["domain1.lolware.net", "domain2.lolware.net"]}, % AD domains a user may reset against
    {server_list, ["127.0.0.1"]},                                  % AD server(s) the application connects to
    {iphub_key,   <<"key">>}                                       % IPHub API key for the IP reputation lookup
  ]}
].
```
The frontend is a React-based UI. The use of Google reCAPTCHA was regrettably required, but no other third-party JavaScript or resources are loaded. The landing page is entirely self-hosted.
```sh
npm run build   # development build
npm run prod    # production build
```