
What are the risks of exposing the Windows Kerberos proxy to the Internet?

Serge Caron 25 Reputation points
2025-12-23T19:26:21.4766667+00:00

The basic configuration: firewall that filters everything out EXCEPT traffic on port 443.

The firewall redirects traffic to Windows Server 2025, port 443.

I am strictly interested in the KDC Proxy and the IIS configuration is reduced to the minimum.

IIS "web.config" is:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <add name="X-Content-Type-Options" value="nosniff" />
                <add name="Strict-Transport-Security" value="max-age=15552001;includeSubDomains;preload" />
                <add name="X-Frame-Options" value="SAMEORIGIN" />
                <add name="X-XSS-Protection" value="1;mode=block" />
                <add name="Content-Security-Policy" value="upgrade-insecure-requests" />
                <add name="Permissions-Policy" value="geolocation=(self)" />
                <add name="Referrer-Policy" value="same-origin" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
</configuration>

IIS "iisstart.htm" is:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta charset="UTF-8" />
    <title>Title</title>
    <style type="text/css">
        .wide-image {
            background: url("Your_Favorite_Image.jpg") no-repeat;
            background-size: cover;
        }
        #clickable-div /*Cover the entire image*/
        {
            position:fixed;
            padding:0;
            margin:0;
            top:0;
            left:0;
            width: 100%;
            height: 100%;
        }
    </style>
</head>
<body class="wide-image">
    <div id="clickable-div" onclick="location.href = 'https://www.google.com/maps';">
    </div>
</body>
</html>

This proxy may or may not be a domain controller.

Amongst other things, I understand that failed connections are downgraded to NTLM and some, if not all, users should be members of the Protected Users group.

Is there a way to assess the risk of exposing this KDC proxy?

Regards,

Windows for business | Windows Server | Directory services | User logon and profiles
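A starting point for the risk assessment the question asks for, as an added example that is not part of the original post or of Microsoft's documentation: it reads back the settings that decide what an Internet-facing KDC proxy will accept and which accounts are still outside Protected Users. It assumes the Windows Server 2025 host from the question, the documented `HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings` key, and the ActiveDirectory module being available (on a DC or with RSAT); the user filter in step 4 is an assumed placeholder to be narrowed to the remote-access population.

```powershell
# Added audit script (not from the original post). Run elevated on the proxy host.
$settings = 'HKLM:\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings'

# 1. Is the KDC proxy service running and set to start automatically?
Get-Service KPSSVC | Select-Object Name, Status, StartType

# 2. Hardening switches (DWORD, 0 = off).
#    HttpsClientAuth = 0 means any Internet client may talk to the proxy
#    without presenting a client certificate.
#    DisallowUnprotectedPasswordAuth = 0 lets the proxy relay password-based
#    Kerberos exchanges that are not FAST-armored.
if (Test-Path $settings) {
    Get-ItemProperty $settings |
        Select-Object HttpsClientAuth, DisallowUnprotectedPasswordAuth, HttpsUrlGroup
} else {
    Write-Warning "$settings not present: KPSSVC is running with default settings."
}

# 3. Which URL prefix on 443 is reserved for the proxy, and which certificate
#    HTTP.sys presents. IIS and KPSSVC share HTTP.sys, so only /KdcProxy should
#    be served by the proxy; every other path is answered by IIS.
netsh http show urlacl | Select-String -Pattern 'KdcProxy' -Context 0,2
netsh http show sslcert ipport=0.0.0.0:443

# 4. Enabled accounts that are NOT in Protected Users (no NTLM fallback, no RC4,
#    no delegation for members). Filter is an assumed placeholder: restrict it
#    to the users who actually authenticate through the proxy.
Import-Module ActiveDirectory -ErrorAction Stop
$protected = (Get-ADGroupMember 'Protected Users' -Recursive).DistinguishedName
Get-ADUser -Filter 'Enabled -eq $true' |
    Where-Object { $_.DistinguishedName -notin $protected } |
    Select-Object SamAccountName, DistinguishedName
```

Each of the four outputs maps to one exposure question: whether the proxy is reachable at all, whether it accepts unauthenticated or unarmored clients, what else listens on the same port, and which users could still fall back to NTLM if the Kerberos path fails.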
