TDR AD Helper Urgent Security Improvement

This article https://www.watchguard.com/wgrd-blog/tdr-ad-helper-urgent-security-improvement implies that the web config page should only be reachable from the computer upon which it is installed. However, I have TDR AD Helper 5.8.5.10317 installed on my Windows 2019 server and I can access it from my Win 10 workstation with Firefox pointing to http://dc1:8080/app/#/domain-management URL.

Gregg Hill

Comments

  • I just accessed the config page using IKEv2 VPN from Starbucks, although I have to use http://dc1.home.domainname.net:8080/app/#/domain-management to reach it. "Ping DC1" works on the LAN but not via IKEv2 VPN, and I just started looking into why not.

    Gregg Hill

  • From my workstation on the LAN (192.168.16.191), I can access the AD Helper Configuration UI on my domain controller via both of the following URLs.

    http://dc1:8080/app/#/domain-management

    http://192.168.16.11:8080/app/#/domain-management

    Gregg Hill

  • edited March 2020

    @Greggmh123 said:
    From my workstation on the LAN (192.168.16.191), I can access the AD Helper Configuration UI on my domain controller via both of the following URLs.

    http://dc1:8080/app/#/domain-management

    http://192.168.16.11:8080/app/#/domain-management

    It does not work for me. I tried HTTP and HTTPS. Only localhost running from a browser on the server (Windows 2012 R2) itself works for me (version 5.8.5.10317). My laptop and the server are on the same subnet (i.e. no traffic passes through the Firewall).

    Adrian from Australia

  • Adrian,

    Did it ever work for you from a LAN computer to the server? By default, the Windows Firewall on the server will block port 8080 inbound, so test with the server's firewall off. I am running 5.8.5.10317, and I can log into it from any domain computer on http://dc1:8080/app/#/domain-management, http://192.168.16.11:8080/app/#/domain-management, http://dc1:8080, or http://dc1.internaldomainname.net:8080

    Gregg Hill

  • edited March 2020

    Yes. If I turn off the Server's Firewall I can access the ADHelper configuration page. Is this the only way you can access the page?

    The article does go on to say, "most internet-based attackers should not be able to reach this web interface unless you allowed it via your firewall." I take that to also include the Server's firewall. I don't allow port 8080 access from the Internet.

    Adrian from Australia

  • Adrian,

    I do have 8080 open from my clients' IP addresses for those who have UniFi wireless access points, but 8080 is directed to my UniFi wireless controller. The APs phone home on 8080 TCP and 3478 UDP for management and reporting.

    On my LAN, I have 8080 open in the server's Windows Defender Firewall so that I can hit the TDR Helper configuration page from my desktop. As I read their article, I no longer should be able to do that from just any LAN computer, but only locally on the server where it's installed. That's what is failing...I am able to access it from anything on my LAN.

    Gregg Hill
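
The thread turns on whether port 8080 on the server accepts connections only from the server itself or from other hosts once the Windows firewall allows it. The following is an added example, not part of the thread and not WatchGuard code: it reads the listening address from `netstat -ano` output to tell a loopback-only listener from one bound to all interfaces. The sample output, PIDs and the contrasting port 9090 are constructed, and English-language netstat output is assumed.

```python
import ipaddress
import re

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4312
  TCP    127.0.0.1:9090         0.0.0.0:0              LISTENING       5120
  TCP    192.168.16.11:8080     192.168.16.191:50122   ESTABLISHED     4312
  TCP    [::]:8080              [::]:0                 LISTENING       4312
  TCP    [::1]:9090             [::]:0                 LISTENING       5120
  UDP    0.0.0.0:3478           *:*                                    2204
"""

# Proto, local address:port, foreign address, LISTENING state, owning PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def classify_listeners(netstat_text, port):
    """Return one record per TCP listener on `port` with its bind scope."""
    results = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m or int(m.group(2)) != port:
            continue
        # Drop IPv6 brackets and any zone id (e.g. fe80::1%12) before parsing.
        addr = ipaddress.ip_address(m.group(1).strip("[]").split("%")[0])
        if addr.is_loopback:
            exposure = "loopback-only"      # reachable only from the server itself
        elif addr.is_unspecified:
            exposure = "all-interfaces"     # 0.0.0.0 or ::, every local address
        else:
            exposure = "single-interface"   # bound to one specific address
        results.append({"address": str(addr), "pid": int(m.group(3)),
                        "exposure": exposure})
    return results


def remotely_reachable(netstat_text, port):
    """True if any listener accepts non-loopback connections; the host
    firewall then becomes the only control restricting who can connect."""
    return any(r["exposure"] != "loopback-only"
               for r in classify_listeners(netstat_text, port))


if __name__ == "__main__":
    for p in (8080, 9090):
        print(p, remotely_reachable(SAMPLE_NETSTAT, p), classify_listeners(SAMPLE_NETSTAT, p))
```

To check a real server, pass the text of `netstat -ano` captured on that server in place of `SAMPLE_NETSTAT`.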
