REMOTE ACCESS TECHNOLOGIES
Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | www.sevecek.com
Network Access Technologies
- VPN: SMB/SQL/LDAP/DCOM sensitive to RTT
- Remote Desktop: no clipboard, no file proliferation, limited malware surface
- 802.1x WiFi or Ethernet: no encryption, authorization only
- DirectAccess: GPO managed IPSec tunnel over IPv6
[Diagram: VPN Scenario. Components: VPN Client, NAT, VPN Gateway, DC, FS, SQL, RADIUS, SharePoint, RDP]
[Diagram: DA Scenario. Components: DA Client, NAT, DA Server, DC, FS, SQL, RADIUS, SharePoint, Wks, RDP]
[Diagram: RDP Scenario. Components: RDP Client, NAT, RDP Gateway, DC, FS, SQL, RADIUS, SharePoint, Wks, RDP]
[Diagram: 802.1x WiFi Scenario. Components: WiFi Client, WiFi AP, DC, FS, SQL, RADIUS, SharePoint, RDP]
[Diagram: 802.1x Ethernet Scenario. Components: Wks, Switch, DC, FS, SQL, RADIUS, SharePoint, Wks, Printer]
VPN Compared
Protocol | Transport | Client | RRAS Server | Server requirements | Client requirements
PPTP | TCP 1723, IP GRE | MS-DOS and newer | NT 4.0 and newer | - | -
L2TP | UDP 500, 4500; IP ESP | NT 4.0, 98 and newer | 2000 and newer | IPSec certificate with public name, public IP | IPSec machine certificate
SSTP | TCP 443, TLS | Vista/2008 and newer | 2008 and newer | TLS certificate with public name | -
IKEv2 | UDP 500, 4500; IP ESP | 7/2008 R2 and newer | 2008 R2 and newer | IPSec certificate with public name, public IP | IPSec machine certificate
RD Gateway | TCP 443, TLS | RDP Client 6.0 and newer | 2008 and newer | TLS certificate with public name | -
DirectAccess | IPSec inside IPv6 inside TCP 443 TLS, or Teredo/6to4 | 7/2008 R2 Enterprise, IPv6 enabled, GPO | 2012 and newer | IPSec certificate, TLS certificate with public name | IPSec machine certificate
Network Access Protection (NAP)
- Client health validation before connecting: firewall on? Windows up-to-date? Antimalware up-to-date? SCCM compliance items in order?
- Client validates itself: no security, only an added layer of obstruction
Microsoft RADIUS Server
- Standard authentication server: IAS - Internet Authentication Service (2003-), NPS - Network Policy Service (2008+)
- Authentication options: login/password, certificate; Active Directory authentication only
- Clear-text transport with signatures: Message-Authenticator (MD5)
[Diagram: RADIUS General. Access Client (VPN, WiFi, Ethernet, RDP GW) -> Access Server (RRAS VPN, WiFi AP, Ethernet Switch, RDP GW) -> RADIUS -> Active Directory (AD passthrough authentication); DHCP Server beside the Access Server]
[Diagram: RADIUS Terminology. Same layout as above; the Access Server (RRAS VPN, WiFi AP, Ethernet Switch, RDP GW) is the RADIUS Client]
Authentication Methods
- PAP, SPAP: clear-text and hashed response, respectively
- CHAP: MD5 challenge/response; requires "Store passwords using reversible encryption"
- MS-CHAP: NTLM equivalent, DES(MD4)
- MS-CHAPv2: NTLMv2 equivalent plus improvements (time constraints), HMAC-MD5 (MD4)
- EAP-TLS, PEAP: client authentication certificate in the user profile or on a smart card
- No authentication: sometimes the authentication occurs on the Access Server itself (RD Gateway)
PPTP issues
- MPPE encryption: proprietary, RC4
- Encryption keys are derived from the authentication: "by" password or "by" certificate
- PAP/SPAP/EAP travels in clear
EAP-TLS vs. PEAP
- EAP-TLS is designed for a protected transport; it does not protect itself
- Protected EAP: EAP wrapped in standard TLS
[Diagram: EAP/PEAP Generic. Access Client - Access Server - RADIUS - Active Directory; certificates: EAP/PEAP Server Certificate, EAP/PEAP Client Certificate, VPN Tunnel Server Certificate, VPN Tunnel Client Certificate]
[Diagram: MS-CHAPv2 with SSTP. Access Client - Access Server - RADIUS - Active Directory; certificates: VPN Tunnel Server Certificate only]
[Diagram: EAP with SSTP. Access Client - Access Server - RADIUS - Active Directory; certificates: EAP Server Certificate, EAP/PEAP Client Certificate, VPN Tunnel Server Certificate]
[Diagram: PEAP with SSTP. Access Client - Access Server - RADIUS - Active Directory; certificates: PEAP Server Certificate, EAP/PEAP Client Certificate, VPN Tunnel Server Certificate, EAP Server Certificate]
RADIUS Clients configuration
- IP address of the device: can be translated from DNS, but must match the IP address of the device (no reverse DNS)
- Shared secrets: MD5(random message authenticator + shared secret); NETSH NPS DUMP ExportPSK=YES
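As an added illustration of the MD5-based password hiding and the Message-Authenticator signature that the slides describe (example code written for this transcript, not from the slides or from NPS; the shared secret, Request Authenticator and user name are constructed values):

```python
# Added example, not from the original slides: how a RADIUS Access-Request hides
# a PAP User-Password with the shared secret (RFC 2865 5.2) and how the
# Message-Authenticator (RFC 2869 5.14) signs the packet with HMAC-MD5 keyed by it.
import hashlib
import hmac
import struct

def xor_password(data, secret, authenticator, hide):
    # Each 16-byte block is XORed with MD5(secret + previous ciphertext block);
    # the first block uses the Request Authenticator (RFC 2865 5.2).
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, mask))
        out += block
        prev = block if hide else chunk   # chain on the ciphertext either way
    return out

def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16n bytes
    return xor_password(padded, secret, authenticator, hide=True)

def reveal_password(hidden, secret, authenticator):
    return xor_password(hidden, secret, authenticator, hide=False).rstrip(b"\x00")

def avp(code, value):
    return struct.pack("!BB", code, 2 + len(value)) + value   # Type, Length, Value

def build_access_request(ident, user, password, secret, authenticator):
    # Code 1 = Access-Request with User-Name(1), User-Password(2) and
    # Message-Authenticator(80); its HMAC-MD5 is computed with the value zeroed.
    attrs = avp(1, user) + avp(2, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs) + 18) + authenticator
    mac = hmac.new(secret, header + attrs + avp(80, b"\x00" * 16), hashlib.md5).digest()
    return header + attrs + avp(80, mac)

def verify_message_authenticator(packet, secret):
    # Server side: locate attribute 80, zero its value, recompute and compare.
    pos = 20
    while pos + 2 <= len(packet):
        code, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False
        if code == 80 and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False
```

Both mechanisms rest entirely on the shared secret, which is why the slides stress a random authenticator and why a weak or reused secret undoes the "signature".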
Implementing NPS Policy
NPS Auditing
PEAP on NPS
VPN Client Notes
- Validates CRL
- SSTP: does not use the CRL cache; HKLM\System\CCS\Services\SSTPSvc\Parameters, NoCertRevocationCheck = DWORD = 1 disables the revocation check
- IPSec: netsh advfirewall set global ipsec strongcrlcheck 0; HKLM\System\CCS\Services\PolicyAgent, StrongCrlCheck: 0 = disabled, 1 = fail only if revoked, 2 = fail even if CRL not available
- HKLM\System\CCS\Services\IPSec, AssumeUDPEncapsulationContextOnSendRule = 2 (NAT-T when both client and server are behind NAT)
PEAP Client Settings
VPN Client Configuration
- Group Policy Preferences: limited options
- Connection Manager Administration Kit (CMAK): creates VPN installation packages
802.1x Notes
- Required services: WLAN AutoConfig (WlanSvc), Wired AutoConfig (Dot3Svc)
- Group Policy settings: Windows XP SP3 and newer, full configuration options
802.1x Authentication
- User authentication: login/password, client certificate in the user profile or on a smart card
- Computer authentication: MACHINE$ login/password, client certificate in the local computer store
- Computer authentication with user re-authentication: since Windows 7, works like a charm
[Diagram: MS-CHAPv2 with 802.1x. Access Client - AP/switch (single Ethernet cable or WiFi) - RADIUS - Active Directory]
[Diagram: EAP/PEAP with 802.1x. Access Client - AP/switch (single Ethernet cable or WiFi) - RADIUS - Active Directory; certificates: EAP/PEAP Client Certificate (User/Machine), EAP-TLS Server Certificate, EAP/PEAP Server Certificate]
RD Proxy Troubleshooting
RPCPING options:
  -t ncacn_http
  -e 3388                                  (local TSGateway COM service)
  -s localhost
  -v 3                                     (verbose output 1/2/3)
  -a connect                               (connect/call/pkt/integrity/privacy)
  -u ntlm                                  (nego/ntlm/schannel/kerberos/kernel)
  -I "kamil,gps,*"
  -o RpcProxy=gps-wfe.gopas.virtual:443
  -F ssl
  -B msstd:gps-wfe.gopas.virtual
  -H ntlm                                  (RPC over HTTP proxy authentication ntlm/basic)
  -P "proxykamil,gps,*"
  -U NTLM                                  (HTTP proxy authentication ntlm/basic)

rpcping -t ncacn_http -e 3388 -s localhost -v 3 -a connect -u ntlm -I "kamil,gps,Pa$$w0rd" -o RpcProxy=rdp.gopas.cz:443 -F ssl -B msstd:rdp.gopas.cz -H ntlm -P "kamil,gps,Pa$$w0rd"
RPC Proxy Troubleshooting
https://rpcserver/Rpc/RpcProxy.dll
https://rpcserver/RpcWithCert/RpcProxy.dll