Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com

REMOTE ACCESS TECHNOLOGIES

Network Access Technologies
  - VPN: SMB/SQL/LDAP/DCOM are sensitive to RTT
  - Remote Desktop: no clipboard, no file proliferation, limited malware surface
  - 802.1x: WiFi or Ethernet; no encryption, authorization only
  - DirectAccess: GPO-managed IPSec tunnel over IPv6

VPN Scenario (diagram): VPN Client -> VPN Gateway, RADIUS; internal network: SQL, DC, FS, SharePoint, RDP

DA Scenario (diagram): DA Client -> DA Server, RADIUS; internal network: SQL, DC, FS, SharePoint, RDP

RDP Scenario (diagram): RDP Client -> RDP Gateway, RADIUS; internal network: SQL, DC, FS, SharePoint, RDP, workstations (Wks)

802.1x WiFi Scenario (diagram): WiFi Client -> WiFi AP, RADIUS; internal network: SQL, DC, FS, SharePoint, RDP

802.1x Ethernet Scenario (diagram): Wks / Printer -> Switch, RADIUS; internal network: SQL, DC, FS, SharePoint, RDP

VPN Compared

  Protocol     | Transport                                                | Client (OS; client requirement)                                       | RRAS Server        | Server Requirements
  PPTP         | TCP 1723 + IP GRE                                        | MS-DOS and newer; -                                                   | NT 4.0 and newer   | -
  L2TP         | UDP 500, 4500 + IP ESP                                   | NT 4.0, 98 and newer; IPSec machine certificate                       | 2000 and newer     | IPSec certificate, public name, public IP
  SSTP         | TCP 443 TLS                                              | Vista/2008 and newer; -                                               | 2008 and newer     | TLS certificate, public name
  IKEv2        | UDP 500, 4500 + IP ESP                                   | 7/2008 R2 and newer; IPSec machine certificate                        | 2008 R2 and newer  | IPSec certificate, public name, public IP
  RD Gateway   | TCP 443 TLS                                              | RDP Client 6.0 and newer; -                                           | 2008 and newer     | TLS certificate, public name
  DirectAccess | IPSec inside IPv6 inside TCP 443 TLS, or Teredo/6-to-4   | 7/2008 R2 Enterprise; IPv6 enabled, GPO, IPSec machine certificate    | 2012 and newer     | IPSec certificate, TLS certificate, public name

Network Access Protection (NAP)
  - Client health validation before connecting:
      Firewall on? Windows up-to-date? Antimalware up-to-date? SCCM compliance items in order?
  - The client validates itself: no security, only an added layer of obstruction

Microsoft RADIUS Server
  - Standard authentication server
      IAS - Internet Authentication Service (2003-)
      NPS - Network Policy Service (2008+)
  - Authentication options: login/password, certificate
  - Active Directory authentication only
  - Clear-text transport with signatures: message authenticator (MD5)

RADIUS General (diagram): Access Client -> Access Server (RRAS VPN, WiFi AP, Ethernet Switch, RDP GW, DHCP Server) -> RADIUS -> Active Directory (pass-through authentication)

RADIUS Terminology (diagram): the same picture; in RADIUS terms the Access Server (RRAS VPN, WiFi AP, Ethernet Switch, RDP GW, DHCP Server) is called the RADIUS Client

Authentication Methods
  - PAP, SPAP: clear-text password / hashed response
  - CHAP: MD5 challenge response; requires "Store passwords using reversible encryption"
  - MS-CHAP: NTLM equivalent, DES(MD4)
  - MS-CHAPv2: NTLMv2 equivalent plus improvements (time constraints), HMAC-MD5(MD4)
  - EAP-TLS, PEAP: client authentication certificate in the user profile or on a smart card
  - No authentication: sometimes the authentication occurs on the Access Server itself (RD Gateway)

PPTP issues
  - MPPE encryption: proprietary, RC4
  - The encryption keys are products of the authentication: "by" password or "by" certificate
  - PAP/SPAP/EAP travel in clear

EAP-TLS vs. PEAP
  - EAP-TLS is designed for a protected transport; it does not protect itself
  - Protected EAP: EAP wrapped in standard TLS

EAP/PEAP Generic (diagram): Access Client (EAP/PEAP client certificate) -- VPN Tunnel (server certificate) -- Access Server -- RADIUS (EAP/PEAP server certificate) -- Active Directory

MS-CHAPv2 with SSTP (diagram): Access Client -- VPN Tunnel (server certificate) -- Access Server -- RADIUS -- Active Directory

EAP with SSTP (diagram): Access Client (EAP/PEAP client certificate) -- VPN Tunnel (server certificate) -- Access Server -- RADIUS (EAP server certificate) -- Active Directory

PEAP with SSTP (diagram): Access Client (EAP/PEAP client certificate) -- VPN Tunnel (server certificate) -- Access Server -- RADIUS (PEAP server certificate, EAP server certificate) -- Active Directory

RADIUS Clients configuration
  - IP address of the device: it can be translated from DNS, but it must match the IP address of the device (no reverse DNS)
  - Shared secrets: MD5(random message authenticator + shared secret)
      NETSH NPS DUMP ExportPSK=YES

Implementing NPS Policy (screenshot slides)

NPS Auditing (screenshot slide)

PEAP on NPS (screenshot slides)

VPN Client Notes
  - The client validates the CRL
  - SSTP does not use the CRL cache:
      HKLM\System\CCS\Services\SSTPSvc\Parameters
        NoCertRevocationCheck = DWORD = 1
  - IPSec:
      netsh advfirewall set global ipsec strongcrlcheck 0
      HKLM\System\CCS\Services\PolicyAgent
        StrongCrlCheck = 0 = disabled
        StrongCrlCheck = 1 = fail only if revoked
        StrongCrlCheck = 2 = fail even if the CRL is not available
      HKLM\System\CCS\Services\IPSec
        AssumeUDPEncapsulationContextOnSendRule = 2

PEAP Client Settings (screenshot slide)

VPN Client Configuration
  - Group Policy Preferences: limited options
  - Connection Manager Administration Kit (CMAK): creates VPN installation packages

802.1x Notes
  - Required services: WLAN AutoConfig (WlanSvc), Wired AutoConfig (Dot3Svc)
  - Group Policy settings: Windows XP SP3 and newer have full configuration options

802.1x Authentication
  - User authentication: login/password, or client certificate in the user profile or on a smart card
  - Computer authentication: MACHINE$ login/password, or client certificate in the local computer store
  - Computer authentication with user re-authentication: since Windows 7, works like a charm

MS-CHAPv2 with 802.1x (diagram): Access Client -- single Ethernet cable -- AP / switch (WiFi) -- RADIUS -- Active Directory

EAP/PEAP with 802.1x (diagram): Access Client (EAP/PEAP client certificate: user, machine) -- single Ethernet cable -- AP / switch (WiFi) -- RADIUS (EAP/PEAP server certificate, EAP-TLS server certificate) -- Active Directory

RD Proxy Troubleshooting
  RPCPING
    -t ncacn_http
    -e 3388
    -s localhost                              (local TSGateway COM service)
    -v 3                                      (verbose output 1/2/3)
    -a connect                                (connect/call/pkt/integrity/privacy)
    -u ntlm                                   (nego/ntlm/schannel/kerberos/kernel)
    -I "kamil,gps,*"
    -o RpcProxy=gps-wfe.gopas.virtual:443
    -F ssl
    -B msstd:gps-wfe.gopas.virtual
    -H ntlm                                   (RPC over HTTP proxy authentication: ntlm/basic)
    -P "proxykamil,gps,*"
    -U NTLM                                   (HTTP proxy authentication: ntlm/basic)

  Example:
    rpcping -t ncacn_http -e 3388 -s localhost -v 3 -a connect -u ntlm -I "kamil,gps,Pa$$w0rd" -o RpcProxy=rdp.gopas.cz:443 -F ssl -B msstd:rdp.gopas.cz -H ntlm -P "kamil,gps,Pa$$w0rd"

RPC Proxy Troubleshooting
  https://rpcserver/Rpc/RpcProxy.dll
  https://rpcserver/RpcWithCert/RpcProxy.dll
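Added example, not the author's slides nor IAS/NPS code: a constructed RADIUS Access-Request that shows what the "clear-text transport with signatures" and "Shared secrets: MD5(random message authenticator + shared secret)" slides mean. User-Name travels in clear, User-Password is only hidden by an MD5 chain keyed with the shared secret and the random Request Authenticator (RFC 2865 5.2), and the Message-Authenticator is an HMAC-MD5 over the packet (RFC 2869 5.14) that the RADIUS server recomputes to reject requests from a client without the right shared secret or with tampered attributes. The user name, password and secret are constructed sample values.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 1, 2, 80

def _md5_chain(data, secret, req_auth, hiding):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block); the chain
    # starts at the Request Authenticator and feeds back the *hidden* block.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = mixed if hiding else block
    return out

def hide_password(password, secret, req_auth):
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte blocks
    return _md5_chain(padded, secret, req_auth, hiding=True)

def unhide_password(hidden, secret, req_auth):
    return _md5_chain(hidden, secret, req_auth, hiding=False).rstrip(b"\x00")

def _avp(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(pkt):
    pos = 20                                  # AVPs follow the 20-byte header
    while pos + 2 <= len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        yield attr_type, pkt[pos + 2:pos + length], pos + 2   # (type, value, value offset)
        pos += length

def build_access_request(username, password, secret, ident=1, req_auth=b""):
    req_auth = req_auth or os.urandom(16)     # random Request Authenticator
    attrs = (_avp(USER_NAME, username)        # User-Name travels in clear text
             + _avp(USER_PASSWORD, hide_password(password, secret, req_auth))
             + _avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # zeroed while signing
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()   # RFC 2869 5.14

def verify_message_authenticator(pkt, secret):
    # Server side: zero the Message-Authenticator value, recompute HMAC-MD5, compare.
    for attr_type, value, off in parse_attributes(pkt):
        if attr_type == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False                              # unsigned request: treat as unverified
```

Because the whole construction rests on MD5 and the shared secret, anyone who can read the UDP traffic and knows (or guesses) the secret recovers the password, which is why the slides push PEAP/EAP-TLS over PAP/CHAP on the access link and why the secret itself deserves real entropy.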