If you read the article, you'll note it's not an attack against PWM so much as a whole package of services with publicly available ports in various configuration states. PWM itself is in "open" configuration mode, which is its initial unconfigured, nonfunctional state that should never be exposed publicly, and in fact shows this in the screenshots. It's also an out-of-date version of PWM.
Nevertheless, it's an interesting article and I'll review it further to see if there are any actionable changes that can be made to PWM. Particularly, the trick of using the LDAP test to discover a pre-configured password is novel. However, in this state PWM isn't intended to be secure; it's intended to be flexible to allow the administrator to configure the app. I'll have to think about a process to mitigate this particular state.
In any case, I don't think there is anything specific I can suggest about PWM security that isn't already obvious. Don't expose an unconfigured PWM app to the public internet. Pay attention to the UI warnings. Don't expose other services like SMB and LDAP to the public internet!