January 2016 Issue No: 2.0 Security Procedures Windows IPsec Client


This document is for the purposes of issuing advice to UK Government, public sector organisations and/or related organisations. The copying and use of this document for any other purpose, such as for training purposes, is not permitted without the prior approval of CESG.

The copyright of this document is reserved and vested in the Crown.

Document history

Version 1.0, August 2014: First issue

Version 2.0, January 2016: Updated to remove Windows-specific version numbers

Page 1

Windows IPsec Client

About this document

These Security Procedures provide guidance in the secure operation of the Windows IPsec Client in Windows 7 Enterprise and newer Windows Enterprise versions. This document is intended for System Designers, Risk Managers and Accreditors. CESG recommends you establish whether any departmental or local standards, which may be more rigorous than national policy, should be followed in preference to those given in these Security Procedures. The Security Procedures come from detailed technical assessment carried out on behalf of CESG. They do not replace the need for tailored technical or legal advice on specific systems or issues. CESG and its advisors accept no liability whatsoever for any expense, liability, loss, claim or proceedings arising from reliance placed on this guidance.

Related documents

The documents listed in the References section are also relevant to the secure deployment of this product. For detailed information about device operation, refer to the Microsoft product documentation for the relevant version of Windows.

Points of contact

For additional hard copies of this document and general queries, please contact CESG using the following details.

CESG Enquiries, Hubble Road, Cheltenham, GL51 0EX, United Kingdom

Email: [email protected]

Tel: 01242-709141 (OFFICIAL faxes only)

We welcome feedback, positive or negative, about this document. Please send your comments to [email protected]


Contents:

Chapter 1 - Outline Description (page 3)
Product Summary (page 3)
Certification (page 3)
Components (page 3)
Chapter 2 - Security Functionality (page 4)
Chapter 3 - Secure Operation (page 5)
Pre-installation (page 5)
Installation (page 6)
Configuration (page 6)
VPN Client Configuration (page 7)
DirectAccess Client Configuration (page 7)
Operation (page 8)
Maintenance and updates (page 8)
System logs (page 9)
Device Administration (page 10)
Chapter 4 - Security Incidents (page 11)
Incident management (page 11)
Chapter 5 - Disposal and Destruction (page 12)
References (page 13)


Chapter 1 - Outline Description

Product Summary

1. The term ‘product’ is used throughout these Security Procedures to refer to the VPN-client component provided by Windows 7 and newer Enterprise versions of Microsoft operating systems. Windows 7 and newer clients support the tunnelling protocol: IPsec Tunnel Mode with Internet Key Exchange version 2 (IKEv2). This makes VPN connections more reliable by automatically re-establishing the connection when a user has temporarily lost Internet connectivity, and particularly when a client computer changes its IP address.

2. In addition, the VPN capability can be configured to support DirectAccess, a Remote Access component of Windows 7 and newer Enterprise versions of Windows that helps remote users securely access shared resources, websites and applications on an internal network. DirectAccess establishes bidirectional connectivity with an organisation’s corporate network every time a DirectAccess-enabled computer is connected to the Internet, i.e. the connection is transparent to the user and does not need to be manually initiated. DirectAccess is based on AuthIP (Authenticated IP), which is a Microsoft proprietary extension of the IKEv1 protocol.

Certification

3. The product has undergone CPA assessment and has been certified as meeting Foundation Grade requirements, as described in the IPsec Client SC v2.3 (reference [a]). Later versions are automatically covered by this certification until the certificate expires or is revoked, as stated on the product’s certificate and on the CPA website (footnote 1). Specific modes of operation covered under the certification are as described in Chapter 2, paragraph 6 of this document.

Components

4. The IPsec Client functionality (both IKEv2 and DirectAccess) is provided by the Remote Access component of Windows.

5. A client running the product should be treated at a security classification commensurate with the highest security classification of data which the device has or will handle.

Footnote 1: CPA website address: http://www.cesg.gov.uk/servicecatalogue/Product-Assurance/CPA/Pages/CPA.aspx


Chapter 2 - Security Functionality

6. The product provides the following primary security functionality assessed at Foundation Grade:

Built-in IKEv2 VPN providing support for the PSN End-State IPsec profiles (Windows 8.1 and newer versions of Windows Enterprise operating systems)

DirectAccess mode of operation

7. The product also relies on the following native Windows security functionality:

Windows logon controls provide identification and authentication of users and administrators

Split tunnelling is disabled using Managed Tunnel customisations: the Windows Firewall with Advanced Security is configured so that user traffic is restricted to corporate network resources and explicitly allowed exclusions. In addition, the use of a corporate outbound/forward proxy server is enforced

Windows event logging ensures relevant IPsec events are logged and timestamped, together with other events that may affect the security of the deployment e.g. crashes. Event logs are protected from unauthorised access

Windows Event Forwarding provides the capability to automatically forward event logs to another server (Windows Event Collector)

Windows Update supports the timely application of security updates to the product and assuring their authenticity and integrity


Chapter 3 - Secure Operation

8. The following recommendations outline a configuration for the product so that it is in line with the Security Characteristic for IPsec Client. These requirements must be followed unless there is a strong business requirement not to do so. Such instances should be discussed with your Accreditor. Note that 'must' indicates a configuration instruction that is mandatory in order to ensure that the product is in a secure and approved state.

Pre-installation

9. Before installing the product, a check should be made to verify the authenticity of the installation media or the download contents. Microsoft openly publishes the SHA-1 hash values within the additional details for each product listed on MSDN Subscriber Downloads, and the relevant value must be checked against the downloaded installation software (ISO image). A variety of publicly available utilities can be used, including the Microsoft File Checksum Integrity Verifier, which can be obtained at reference [b]. The command to be executed for a single file using the File Checksum Integrity Verifier is:

fciv -sha1 <filename>

10. As stated in the IPsec Client SC (reference [a]), the guidance and patterns described in CESG Architectural Pattern No. 2, Walled Gardens for Remote Access (reference [c]) should be followed when deploying the product as part of a remote working VPN deployment. See also the End User Device Security Guidance for the host operating system published at reference [d] (section 5, Network Architecture).

11. However, the use of a presentation layer (as advocated within the Walled Garden pattern) may impact the user experience when using DirectAccess and detract from the ethos of transparent access to corporate resources that DirectAccess is intended to provide. In order to permit access to corporate resources without the use of presentation services, an advanced perimeter firewall and/or Intrusion Detection Systems (IDS) should be employed to inspect traffic originating from DirectAccess clients that are communicating with corporate resources via the DirectAccess server.

12. The deployment must be supported by an internal Public Key Infrastructure (PKI).

13. User access to Internet resources must be routed through an outbound/forward proxy server to ensure that there is appropriate control, inspection and monitoring of such access by end users.


14. It is recommended that the following TechNet guidance is consulted prior to deployment of DirectAccess clients:

Remote Access Prerequisites [e]

Remote Access (DirectAccess) Unsupported Configurations [f]

Installation

15. Installation must only be performed by trained, knowledgeable and authorised personnel. Details regarding installation of the host operating system can be found at reference [g].

16. The host operating system should be hardened using the baseline security settings recommended in the Security Compliance Management Toolkit (reference [h]), augmented by the End User Device Security Guidance for the host operating system (reference [d]).

17. Guidance on how to configure the product may be found at references [i], [j] and [k].

18. Guidance on how to configure a DirectAccess Client in a single server deployment with mixed IPv4 and IPv6 resources may be found at reference [l].

19. Note: Guidance provided for DirectAccess simplified setup or using the Getting Started Wizard must not be followed as this does not meet the certificate requirements of the CPA security characteristic. Therefore, only advanced setup guidance should be followed.

20. Only drivers that have been through the Microsoft driver verification program should be used on the host operating system. These will have the correct signature and logo to demonstrate that they have successfully been evaluated. Drivers that do not have the signature and logo should not be used.

Configuration

21. Note: On Windows 7 the product will trust a Gateway certificate signed by any CA root in the certificate store; minimise this list where possible.

22. Active Directory controls must be used to enforce separate accounts for the following roles:

Management of the Windows IPsec clients

User account administration

Standard users with remote access permissions

23. Standard users must not be granted privileges to change the product, host operating system security settings, or Windows firewall configuration.

24. ASLR is enabled by default on installation of the host operating system. It must not be disabled.


25. Windows clients should be protected with a hard disk encryption product (e.g. Microsoft BitLocker) that uses a Trusted Platform Module (TPM) in addition to mandatory Personal Identification Number (PIN) entry during the boot process.

26. The Windows Firewall on the host operating system must be configured to block inbound connections. See the End User Device Security Guidance for the host operating system [d]. If remote management of clients is required, this must only be permitted via an IPsec tunnel to the client.

27. Microsoft has developed customisation scripts in order to meet the PSN End-State or align to the Interim IPsec profile requirements. The intention is that these scripts will be hosted on the product’s certification page on the CESG website www.cesg.gov.uk/servicecatalogue/Product-Assurance/CPA/Pages/CPA-certified-products.aspx and made available in text form. These are to be copied from the web page and the scripts executed as described in the CPA customisation guides, as detailed in the following sections.

28. The user running the customisation scripts must have appropriate privileges to make the required changes (local administrator, or permissions to modify Group Policies, as indicated in the CPA customisation guides referenced in the following sections).
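The following read-only check, added here as an example and not part of the CESG document or of Microsoft's customisation scripts, reports whether a client meets paragraphs 24 to 26 (ASLR not disabled, BitLocker with TPM+PIN on the OS volume, firewall blocking inbound by default and inbound rules requiring IPsec). It assumes a Windows 8.1 or newer client (the NetSecurity and BitLocker modules are not available on Windows 7) and an elevated PowerShell session; nothing is modified.

```powershell
# Added example (not from the CESG document or Microsoft): read-only compliance
# check of the host settings in paragraphs 24-26. Assumes Windows 8.1+ and an
# elevated session. Returns one finding per check for review.

function Test-IPsecClientHostConfig {
    $findings = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Check, $Pass, $Detail)
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail })
    }

    # Paragraph 26: every firewall profile must be on and block inbound by default.
    foreach ($p in Get-NetFirewallProfile) {
        & $add "Firewall profile '$($p.Name)' on, inbound default Block" `
            (($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')) `
            "Enabled=$($p.Enabled) DefaultInboundAction=$($p.DefaultInboundAction)"
    }

    # Paragraph 26: remote management only over an IPsec tunnel, so every enabled
    # inbound allow rule that does not require IPsec authentication needs justifying.
    # (Walking the security filter of each rule can take a minute on a busy host.)
    $unauthenticated = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            (Get-NetFirewallSecurityFilter -AssociatedNetFirewallRule $_).Authentication -eq 'NotRequired'
        })
    & $add 'No inbound allow rules without IPsec authentication' ($unauthenticated.Count -eq 0) `
        ('Rules to review: ' + (($unauthenticated | ForEach-Object DisplayName) -join '; '))

    # Paragraph 25: OS volume encrypted with BitLocker using a TPM+PIN key protector.
    try {
        $os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $types = @($os.KeyProtector | ForEach-Object KeyProtectorType)
        & $add 'BitLocker on OS volume with TPM+PIN protector' `
            (($os.ProtectionStatus -eq 'On') -and ($types -contains 'TpmPin')) `
            "ProtectionStatus=$($os.ProtectionStatus) Protectors=$($types -join ',')"
    } catch {
        & $add 'BitLocker on OS volume with TPM+PIN protector' $false "Query failed: $($_.Exception.Message)"
    }

    # Paragraph 24: ASLR must not be disabled. The system-wide switch on these Windows
    # versions is the MoveImages value; an absent value means the default (enabled).
    $mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $move = (Get-ItemProperty -Path $mm -Name MoveImages -ErrorAction SilentlyContinue).MoveImages
    & $add 'ASLR not disabled (MoveImages)' (($null -eq $move) -or ($move -ne 0)) "MoveImages=$move"

    return $findings
}

Test-IPsecClientHostConfig | Format-Table -AutoSize
```

Any finding with Pass = False, or any rule listed under "Rules to review", should be reconciled against the CPA customisation guide before the client is accredited.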

VPN Client Configuration

29. The default configuration of the VPN server and clients must be modified as described in the CPA Customisation Guide – VPN, Microsoft (reference [m]). These configuration customisations include the following in relation to the product:

Configuration of the product in order to meet the custom cryptography requirements of the End-State profile

Configuration of the Windows Firewall with Advanced Security to apply customised outbound firewall rules that only permit access to corporate network resources and explicit allowed exclusions in line with the End-User Device Security Guidance [d]. In addition, the use of a corporate outbound/forward proxy server is enforced and cannot be disabled by end users

30. However, the PowerShell scripts use cmdlets that are not available in Windows 7, so the product on Windows 7 clients cannot be configured to satisfy the PSN Interim or End-State profile requirements.

DirectAccess Client Configuration

31. The default configuration of the DirectAccess server and clients must be modified as described in the CPA Customisation Guide – DirectAccess, Microsoft (reference [n]). These configuration customisations include the following in relation to the DirectAccess Client:

Configuration of the DirectAccess Server component in order to meet the custom cryptography requirements of the Interim or End-State profiles

Configuration of the Windows Firewall with Advanced Security to apply customised outbound firewall rules that only permit access to corporate network resources and explicit allowed exclusions. In addition, the use of a corporate outbound/forward proxy server is enforced and cannot be disabled by end users

32. The user running the customisation scripts must have local administrator privileges and permissions to modify Group policies as appropriate to make the required changes.

Operation

33. The product must only be used with VPN Security Gateways that have been certified to CPA Foundation Grade.

34. The deployment includes an internal PKI (see above) that must be used to issue and (where necessary) revoke all gateway and client certificates, using Active Directory Certificate Services.

35. The default certificate templates that are included in Windows Server based enterprise certification authorities ensure that all client certificates are renewed every year. Certificate lifetimes must not be increased beyond 2 years.

36. When a replacement certificate is provisioned for an IPsec gateway, the old certificate must be revoked on all Windows IPsec clients.

37. User SyOPs should provide security instructions as to how to physically protect the end user device appropriately for the environment it is deployed in. This should include:

Physical security measures to protect against theft or tampering when the device is unattended

Instructions covering the use of BitLocker or third-party Data-at-Rest Encryption products (including password security) as described at reference [d]
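As an added example (not from the CESG document or Microsoft), the check below applies paragraphs 34 and 35 to the certificates a client actually holds: each machine certificate usable for IPsec is reported with whether it was issued by the internal PKI, whether its validity period is within two years, and whether its chain still builds with online revocation checking. The issuing CA name is a placeholder to replace with your own.

```powershell
# Added example: inventory of the client's IPsec-capable machine certificates against
# paragraphs 34-35. $InternalIssuerPattern is a placeholder, not a real CA name.

function Test-IPsecClientCertificates {
    param(
        [string] $StorePath = 'Cert:\LocalMachine\My',
        [string] $InternalIssuerPattern = 'Corp Issuing CA',   # placeholder for your PKI's issuing CA
        [int]    $MaxLifetimeYears = 2                         # paragraph 35 limit
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $ikeOid        = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate EKU

    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }) {
        # Only certificates that IKEv2 / DirectAccess can actually present are of interest.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object Value)
            }
        }
        if (-not (($ekus -contains $clientAuthOid) -or ($ekus -contains $ikeOid))) { continue }

        # Build the chain with online revocation checking so a revoked or expired
        # certificate (paragraph 36) shows up as a chain failure.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainOk = $chain.Build($cert)
        $status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','

        [pscustomobject]@{
            Subject             = $cert.Subject
            Thumbprint          = $cert.Thumbprint
            IssuedByInternalCA  = $cert.Issuer -like "*$InternalIssuerPattern*"
            LifetimeWithinLimit = $cert.NotAfter -le $cert.NotBefore.AddYears($MaxLifetimeYears)
            DaysToExpiry        = [int]($cert.NotAfter - (Get-Date)).TotalDays
            ChainValid          = $chainOk
            ChainStatus         = if ($status) { $status } else { 'NoError' }
        }
    }
}

Test-IPsecClientCertificates | Format-Table -AutoSize
```

A certificate with IssuedByInternalCA or LifetimeWithinLimit false indicates a template or enrolment that does not follow paragraphs 34 and 35; ChainValid false with a Revoked status is expected after paragraph 36 has been applied to an old gateway or client certificate.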

Maintenance and updates

38. The latest version of the product should be used (i.e. updated with the most recent security patches). Therefore Windows updates should be applied as soon as possible. General guidance on this matter is provided in CESG Good Practice Guide No. 7 (GPG 7), Protection from Malicious Code (reference [o]).

39. The Windows clients should be configured to use either the Windows Update process or the Windows Software Update Services (WSUS) process. Alternatively an enterprise tool such as System Center Configuration Manager (SCCM) may be deployed to ensure that server and client software is kept up to date.

40. Guidance on the Windows Update process may be found at reference [p].

System logs

41. The product must be configured to log all actions that are deemed to be of interest, in sufficient detail to support forensic investigation during security incident management. Details of the IPsec and Windows Firewall events that may be logged are provided in reference [q].

42. It should be noted that, by default, Windows Firewall with Advanced Security does not generate audit events for either the Windows Firewall service or IPsec. Event logging must therefore be enabled in order to see these events, as described in reference [r].

43. Audit logs must be regularly reviewed for unexpected entries. Events of interest include (but are not limited to):

Failed server administrator logon attempts or account lockout

Account activity occurring at unusual times

Security policy configuration changes

Dropping or blocking of packets

Failed or blocked connections

Failed negotiations

Failed Windows updates

Service or system failures

44. See also the general guidance on this matter that is provided in CESG Good Practice Guide No 13 (GPG 13), Protective Monitoring for HMG ICT Systems (reference [s]). The impact of log entries related to a suspected compromise or attempt at compromise should be assessed, and organisational procedures followed for incident resolution (see Chapter 4).

45. Review of audit logs may be carried out using any of the following means:

Manually, using Windows Event Log Viewer. See the guidance on using Event Viewer to examine IPsec and Windows Firewall audit events in reference [t]

Using a third-party Security Event and Incident Management (SEIM) product

Using an enterprise-monitoring solution such as System Center Operations Manager (SCOM)
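The script below is an added example (not from the CESG document, reference [r] or Microsoft) covering paragraphs 42, 43 and 45 together: it enables the IPsec and Windows Firewall audit subcategories that are off by default, then pulls the Security-log events corresponding to the events of interest in paragraph 43 and flags those outside working hours. It assumes an elevated session, English auditpol subcategory names, and the standard Security-log event IDs for these categories.

```powershell
# Added example: enable the audit subcategories behind paragraph 42 and review
# the resulting events against the list in paragraph 43. Run elevated.

function Enable-IPsecFirewallAuditing {
    $subcategories = @(
        'IPsec Main Mode', 'IPsec Quick Mode', 'IPsec Extended Mode',     # failed negotiations
        'Filtering Platform Packet Drop', 'Filtering Platform Connection', # dropped packets, blocked connections
        'MPSSVC Rule-Level Policy Change', 'Audit Policy Change',          # firewall and audit policy changes
        'Logon', 'Account Lockout'                                         # failed logons, lockouts
    )
    foreach ($s in $subcategories) {
        # Packet Drop auditing is high-volume; size the Security log (or forwarding) accordingly.
        & auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for subcategory '$s'" }
    }
}

# Security-log event IDs mapped to the events of interest in paragraph 43.
$EventsOfInterest = @{
    4625 = 'Failed logon'
    4740 = 'Account locked out'
    4719 = 'System audit policy changed'
    4946 = 'Firewall rule added'
    4947 = 'Firewall rule modified'
    4948 = 'Firewall rule deleted'
    5152 = 'Filtering Platform blocked a packet'
    5157 = 'Filtering Platform blocked a connection'
    4653 = 'IPsec Main Mode negotiation failed'
    4654 = 'IPsec Quick Mode negotiation failed'
    4984 = 'IPsec Extended Mode negotiation failed'
}

function Get-IPsecEventsOfInterest {
    param([int] $Hours = 24, [int] $WorkdayStart = 7, [int] $WorkdayEnd = 19)
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]] $EventsOfInterest.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Id          = $_.Id
            Description = $EventsOfInterest[$_.Id]
            # "Account activity occurring at unusual times" (paragraph 43)
            OutOfHours  = ($_.TimeCreated.Hour -lt $WorkdayStart) -or ($_.TimeCreated.Hour -ge $WorkdayEnd)
            Summary     = ($_.Message -split "`r?`n")[0]
        }
    }
}

Enable-IPsecFirewallAuditing
Get-IPsecEventsOfInterest -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

The same hashtable of IDs can be reused as the query filter in a SIEM or SCOM rule, or as the event selection in a Windows Event Forwarding subscription (paragraph 46).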


46. Windows Event Forwarding should be configured to automatically export logs to a Windows Server Event Collector, as described in reference [u].

Device Administration

47. Authorised administrators must have sufficient skills and experience to manage the product. They must also be cleared to access all material on the server and be trusted to follow the guidance and not misuse their privileges.

48. For remote management of DirectAccess clients initiated from intranet computers, internal application or management servers must also be fully IPv6 compliant and the server applications they run must be IPv6 compatible.

49. Administrators must not enable program exceptions to DEP and must not reduce DEP coverage to only essential Windows Programs and Services.

50. If a device with the product installed is lost or stolen, it is recommended that the computer account is disabled in Active Directory in addition to revoking computer certificates.

51. All certificates and, where possible, keys should be revoked prior to disposal, using Windows Active Directory Certificate Services.


Chapter 4 - Security Incidents

Incident management

52. If a security incident results in the compromise of information protected by the product, the local IT security incident management policy should ensure that the Department Security Officer (DSO) is informed.

53. Any security incidents should be managed in accordance with the local accredited security incident management procedures and policies.

54. Contact CESG if a compromise occurs that is suspected to have resulted from a failure of the product.


Chapter 5 - Disposal and Destruction

Routine destruction of equipment

55. Disposal and destruction of equipment (e.g. server hardware, network devices, etc.) must be in accordance with HMG policy and guidance (reference [v]), including preliminary sanitisation before it is sent for disposal or destruction.


References

Unless stated otherwise, these documents are available from the CESG IA Policy Portfolio.

[a] CPA Security Characteristic - IPsec VPN for Remote Working Software Client, Version 2.3, April 2013 (available from www.cesg.gov.uk/servicecatalogue/CPA)

[b] Microsoft File Checksum Integrity Verifier, http://support.microsoft.com/default.aspx?scid=kb;en-us;841290

[c] CESG Architectural Pattern No. 2, Walled Gardens for Remote Access - latest issue available from the CESG website.

[d] End User Devices Security Guidance, https://www.gov.uk/government/collections/end-user-devices-security-guidance

[e] Remote Access (DirectAccess) Prerequisites: http://technet.microsoft.com/en-us/library/dn464273.aspx

[f] Remote Access (DirectAccess) Unsupported Configurations: http://technet.microsoft.com/en-gb/library/dn464274.aspx

[g] Install, upgrade, and activate Windows: http://windows.microsoft.com/en-gb/windows/install-upgrade-activate-help

[h] Microsoft Security Compliance Manager: http://www.microsoft.com/en-gb/download/details.aspx?id=16776

[i] Deploy VPN When Connecting Remotely with Windows 8, http://technet.microsoft.com/library/jj613768.aspx

[j] TLG: Demonstrate Remote Access VPNs: http://social.technet.microsoft.com/wiki/contents/articles/2473.test-lab-guide-demonstrate-remote-access-vpns.aspx

[k] Deploying Remote Access with VPN Reconnect: http://www.microsoft.com/en-us/download/details.aspx?id=20277

[l] Test Lab Guide: Demonstrate DirectAccess Single Server Setup with Mixed IPv4 and IPv6 in Windows Server 2012: http://www.microsoft.com/en-us/download/details.aspx?id=29031

[m] CPA Customisation Guide – VPN, Microsoft, latest version, www.cesg.gov.uk/servicecatalogue/Product-Assurance/CPA/Pages/CPA-certified-products.aspx


[n] CPA Customisation Guide – DirectAccess, Microsoft, latest version, www.cesg.gov.uk/servicecatalogue/Product-Assurance/CPA/Pages/CPA-certified-products.aspx

[o] CESG Good Practice Guide No. 7, Protection from Malicious Code – latest issue.

[p] How to Keep Windows up-to-date, http://support.microsoft.com/kb/311047

[q] Auditing: http://msdn.microsoft.com/en-us/library/windows/desktop/bb309058(v=vs.85).aspx

[r] Enable IPsec and Windows Firewall Audit Events: http://technet.microsoft.com/en-us/library/cc754714(v=ws.10).aspx

[s] CESG Good Practice Guide Number 13, Protective Monitoring for HMG ICT Systems – latest issue available from the CESG website.

[t] Using Event Viewer to examine IPsec and Windows Firewall audit events: http://technet.microsoft.com/en-us/library/ff428140(v=ws.10).aspx

[u] “Quick and Dirty Large Scale Eventing for Windows” http://blogs.technet.com/b/wincat/archive/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows.aspx see also: http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf

[v] HMG IA Standard No. 5, Secure Sanitisation – latest issue.

CESG provides advice and assistance on information security in support of UK Government. Unless otherwise stated, all material published on this website has been produced by CESG and is considered general guidance only. It is not intended to cover all scenarios or to be tailored to particular organisations or individuals. It is not a substitute for seeking appropriate tailored advice.

CESG Enquiries Hubble Road Cheltenham Gloucestershire GL51 0EX Tel: +44 (0)1242 709141 Email: [email protected] © Crown Copyright 2015.