DirectAccess Technical Overview and Security Considerations
Session Code: SEC302
Dr. Thomas W Shinder – Principal Knowledge Engineer/Principal Writer, Microsoft – SCD iX Solutions Team
What’s on Tap?
• Technical discussion of DirectAccess
• Define DirectAccess
• DirectAccess infrastructure technologies
• Deploying DirectAccess
• DirectAccess security issues
Assumptions
• You’ve heard of IPsec
• You’re comfortable with IPv4
• You’ve worked with Active Directory authentication and AuthN protocols
• You’ve worked with Active Directory Group Policy
• You’ve heard of Network Load Balancing (NLB)
• You’ve worked with DNS
• You’ve worked with certificates (PKI)
• You don’t know anything about IPv6
• You want to know more about the technologies that support a DirectAccess solution
Define DirectAccess – 30,000 Foot Description
• Always on – bidirectional remote access connection
• Not a VPN!
• Extends intranet management to all corporate computers
• Makes “always managed” a reality
• Core requirements
  • Windows 7 Enterprise or Ultimate
  • Windows Server 2008 R2 for the DirectAccess server
  • DirectAccess client and server are domain members
• Two “flavors” of DirectAccess
  • Vanilla – Windows DirectAccess
  • Vanilla Chocolate Swirl – Forefront UAG DirectAccess
DirectAccess is an Enterprise Solution:
• No support for Windows 7 Professional
• Requires two consecutive public IP addresses
• Cannot NAT to the DirectAccess server
• Value depends on enterprise management infrastructure
Define DirectAccess – Windows DA and UAG DA
• Windows DirectAccess
  • Windows Server 2008 SP2 or 2008 R2 DC required
  • Windows Server 2008 SP2 or 2008 R2 DNS required
  • IPv6-capable intranet resource access only
  • Limited HA
• UAG DirectAccess
  • Only the UAG DirectAccess server must be Windows Server 2008 R2
  • Can have a mix of IPv4/IPv6 intranet resources
  • Built-in HA with UAG DirectAccess arrays and NLB
• Today’s focus is UAG DirectAccess
Define DirectAccess – Always-On Employees
• Employee on corpnet: turns on laptop and connects to the intranet
• Employee at home: turns on laptop and connects to the intranet
• Employee at hotel or conference center: turns on laptop and connects to the intranet
• User experience is the same regardless of location
  • When on the intranet – connect over the local interface
  • When on the Internet – connect over DirectAccess
  • Internet access method might differ: force tunneling/split tunneling
Define DirectAccess – Always-on IT
• Laptop on the intranet – always managed
  • Group Policy updates
  • Applications deployed
  • Remote assistance initiated by IT
  • Password changes (CTRL+ALT+DEL)
• Laptop on the Internet – always managed
  • Group Policy updates
  • Applications deployed
  • Remote assistance initiated by IT
  • Password changes (CTRL+ALT+DEL)
• Internal or external – no difference
DirectAccess – Infrastructure Technologies
• IPv6 and related technologies
• IPsec and Windows Firewall with Advanced Security (WFAS)
• Name Resolution Policy Table (NRPT)
• Network Location Detection (NLS)
Infrastructure Technologies – IPv6
• Why-oh-why IPv6?
• Solves the IPv4 address depletion problem
• Addressing method of the future
• New IPv6 transition technologies in Windows Server 2008+ and Windows 7 actually make IPv6 deployable
• Provides globally unique addresses for all nodes (prevents the “hotel has the same network ID as the office” scenario)
• Enables true end-to-end connectivity and security (no NAT!)
Infrastructure Technologies – IPv6 Transition Technologies
• Connecting IPv6 over the IPv4 Internet
  • 6to4
  • Teredo
  • IP-HTTPS
• Connecting IPv6 over the IPv4 intranet
  • Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
Infrastructure Technologies – 6to4
• 6to4 encapsulates IPv6 packets in an IPv4 header (IP protocol 41)
• Requires that IP protocol 41 be open between the DirectAccess client and DirectAccess server
• Used when the DirectAccess client has a public IP address
• Connects the DirectAccess client to the 6to4 relay (automatically installed on the UAG DirectAccess server)
• A 6to4 address *is* an IPv6 address
  • DirectAccess client registers this address with corporate DNS
  • Internal hosts can reach the 6to4-enabled DirectAccess client using the 6to4 IPv6 address
• 6to4 hosts can communicate with one another (potential security consideration, discussed later)
Infrastructure Technologies – Teredo
• Teredo encapsulates IPv6 packets in an IPv4 header (UDP transport)
• Used when the DirectAccess client is behind a NAT (assigned a private address)
• Requires UDP port 3544 be open between the DirectAccess client and server
• Connects to corporate resources through the Teredo server and Teredo relay (automatically configured on the UAG DirectAccess server)
  • Teredo server – enables Teredo client address configuration
  • Teredo relay – enables access to resources on the intranet
• A Teredo address *is* an IPv6 address
  • DirectAccess client registers this address with corporate DNS
  • Internal hosts can reach the Teredo-enabled DirectAccess client using the Teredo address
• Teredo hosts can communicate with one another (potential security consideration, discussed later)
Infrastructure Technologies – IP-HTTPS
• IP-HTTPS encapsulates IPv6 in IPv4, TCP and HTTP headers (with TLS encryption of the HTTP session) – TCP port 443
• IPv6 transition technology of “last resort”
• IP-HTTPS is used when 6to4 and Teredo connectivity are not available
• UAG DirectAccess wizard configures the DirectAccess server as the IP-HTTPS server
• Requires a web site certificate for the IP-HTTPS listener (public or private cert)
• Typically used when the DirectAccess client is behind a port-restricted firewall or web proxy
  • The web proxy must not force authentication – the DirectAccess client cannot authenticate to the proxy
  • A netsh command is required to inform the DirectAccess client of the web proxy address: netsh winhttp import proxy source=ie
• Required for “Force Tunneling”
• High encryption (IPsec inside HTTPS) and protocol overhead reduce performance
Infrastructure Technologies – ISATAP
• Used on the intranet to tunnel IPv6 messages over the IPv4 network (IP protocol 41)
• Address assignment via the ISATAP router
  • UAG DirectAccess server is configured as the ISATAP router by the UAG DirectAccess wizard
  • You enable ISATAP queries and create the ISATAP entry in DNS
• Windows Vista+/2008+ clients are automatically configured as ISATAP hosts
  • ISATAP addresses are registered in DNS
  • DirectAccess clients on the Internet connect to intranet ISATAP IPv6 addresses
• TIP: Do not disable IPv6 on ISATAP hosts
Infrastructure Technologies – NAT64/DNS64 (1/3)
• NAT64 and DNS64 are the current IPv6/IPv4 translation technologies
• Enables access to IPv4-only resources
  • Server OS might be IPv4-only (Windows 2000/2003)
  • Server application might be IPv4-only (IPv4-only service on an IPv6-capable OS)
• Extends DirectAccess client reach to:
  • Native IPv6 networks
  • IPv6-capable networks (non-native IPv6, but ISATAP capable/some native)
  • IPv4-only networks, or IPv4 servers, services or segments
• Available with UAG only!
Infrastructure Technologies – NAT64/DNS64 (2/3)
• DirectAccess client always uses IPv6 to communicate with the DirectAccess server
• NAT64/DNS64 translates the IPv6 communications to IPv4 communications
• NAT64/DNS64 translates IPv4 responses to IPv6 responses
• No support for reverse NAT64
  • Management stations cannot initiate connections to DirectAccess clients over NAT64/DNS64 (reduces “manage out” capabilities a bit)
• Like other NAT solutions, protocols that embed addresses in the application-layer protocol can be problematic (OCS client)
• Enables scenarios where the UAG DirectAccess server is the only Windows Server 2008 R2 server on the network
Infrastructure Technologies: Summary of IPv6 and Related Technologies
• Windows DirectAccess requires IPv6 from end to end
• UAG DirectAccess with NAT64/DNS64 enables DirectAccess clients to connect to IPv4 resources through IPv6/IPv4 protocol translation
• DirectAccess client always uses IPv6 to communicate with the DirectAccess server
• DirectAccess client can use the following IPv6 transition technologies to tunnel IPv6 packets over the IPv4 Internet:
  • 6to4 (when the DirectAccess client has a public IP address)
  • Teredo (when the DirectAccess client has a private IP address)
  • IP-HTTPS (when 6to4 or Teredo can’t be used)
• ISATAP is used on the intranet to tunnel IPv6 messages over an IPv4 intranet
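A practitioner troubleshooting a client usually wants to know which of the three Internet transition technologies the machine is actually using. The script below is an added example (not from the deck or from Microsoft) that runs the Windows 7 / Server 2008 R2 netsh state commands for 6to4, Teredo, IP-HTTPS and ISATAP, parses their “Name : value” output, and decides from the interface addresses (2002::/16 for 6to4, 2001:0::/32 for Teredo) which tunnel is carrying traffic. The status strings it matches (“qualified”, “interface active”, “Last Error Code”) are what those netsh commands print on that platform and are an assumption if your build wording differs.

```powershell
# Added example, not from the deck: report which IPv6 transition technology a
# Windows 7 / Server 2008 R2 DirectAccess client currently has in use.

function ConvertFrom-NetshKeyValue {
    param([string[]]$Lines)
    # netsh prints each setting as "Name   : value"; collect them into a hashtable
    $table = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') {
            $table[$matches[1]] = $matches[2]
        }
    }
    return $table
}

function Get-DaTransitionState {
    # Raw netsh output for each technology, keyed by name
    $raw = @{
        '6to4'     = @(& netsh interface 6to4 show state)
        'Teredo'   = @(& netsh interface teredo show state)
        'IP-HTTPS' = @(& netsh interface httpstunnel show interfaces)
        'ISATAP'   = @(& netsh interface isatap show state)
    }
    $parsed = @{}
    foreach ($name in $raw.Keys) { $parsed[$name] = ConvertFrom-NetshKeyValue -Lines $raw[$name] }

    # The configured addresses show which tunnel actually carries traffic:
    # 2002::/16 is the 6to4 prefix, 2001:0::/32 the Teredo prefix
    $addrText  = (& netsh interface ipv6 show addresses) -join "`n"
    $has6to4   = $addrText -match '\b2002:[0-9a-f]{1,4}:'
    $hasTeredo = $addrText -match '\b2001:0:[0-9a-f]{1,4}:'

    # Assumed netsh wording: Teredo "State : qualified" means the client completed
    # qualification; the IP-HTTPS listing contains "interface active" when up.
    $active = 'none'
    if     ($parsed['Teredo']['State'] -eq 'qualified' -and $hasTeredo) { $active = 'Teredo (UDP 3544)' }
    elseif ($has6to4)                                                  { $active = '6to4 (IP protocol 41)' }
    elseif (($raw['IP-HTTPS'] -join ' ') -match 'interface active')    { $active = 'IP-HTTPS (TCP 443)' }

    New-Object PSObject -Property @{
        ActiveTransition = $active
        TeredoState      = $parsed['Teredo']['State']
        SixToFourState   = $parsed['6to4']['State']
        IsatapState      = $parsed['ISATAP']['State']
        IpHttpsLastError = $parsed['IP-HTTPS']['Last Error Code']
    }
}

Get-DaTransitionState | Format-List
```

If the result is IP-HTTPS while the client has a public address, protocol 41 is probably blocked on the path; if it is IP-HTTPS behind a NAT, UDP 3544 is probably blocked. Either way the slide's performance note applies, so the check is worth running before blaming the DirectAccess server.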
Infrastructure Technologies: IPsec
• IPsec support built into Windows since Windows 2000
• Works with both IPv4 and IPv6
• Supports two modes:
  • IPsec transport mode – protects the packet payload from end to end
  • IPsec tunnel mode – protects the entire packet from client to gateway
• DirectAccess uses IPsec to:
  • Protect traffic between the DirectAccess client and DirectAccess server using IPsec tunnel mode
  • Protect traffic end to end between the DirectAccess client and the destination intranet server using IPsec transport mode
Infrastructure Technologies: IPsec Configuration for DirectAccess Clients
• Windows Firewall with Advanced Security (WFAS) console
• WFAS Group Policy and Group Policy snap-in
• WFAS Connection Security Rules configuration:
  • Source and destination address (IPv6 addresses)
  • Authentication (Kerberos, NTLMv2, certificates)
  • Encryption (DES, 3DES, AES128, AES192, AES256)
• NEW! Dynamic tunnel endpoints
  • Create tunnel-mode Connection Security Rules that specify an address for only one endpoint of the tunnel
• NEW! IPsec tunnel authorization with null encapsulation (AuthIP)
  • Not the same as ESP-NULL
Infrastructure Technologies: IPsec and Access Models
• DirectAccess infrastructure tunnel (IPsec tunnel mode / management servers / computer account (NTLMv2) + certificate)
• DirectAccess intranet tunnel (IPsec tunnel mode / user account (Kerberos) + computer certificate)
• UAG DirectAccess access models
  • End to edge
  • End to end (referred to as Selected Server Access in Windows DirectAccess)
Infrastructure Technologies: Name Resolution Policy Table (NRPT) (1/2)
• NEW! NRPT in Windows 7 and Windows Server 2008 R2
• Used to support both DirectAccess and DNSSEC
• NRPT enables “policy-based routing” for DNS queries – examples:
  • DNS queries for *.contoso.com go to the UAG DirectAccess DNS proxy
  • DNS queries for *.woodgrovebank.com go to the UAG DirectAccess DNS proxy
  • DNS queries for everything else go to the locally configured DNS server
• NRPT exemption rules – examples:
  • DNS queries for nls.contoso.com go to the locally configured DNS server (NLS server exemption)
  • DNS queries for www.contoso.com go to the locally configured DNS server (split-DNS infrastructure example)
Infrastructure Technologies: NRPT (2/2)
• DirectAccess client speaks IPv6 only
• DNS queries are for AAAA records only
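The two NRPT slides describe a rule table but not how a query is matched against it, which is where most NRPT mistakes are made. The script below is an added example (not from the deck or from Windows) that models the table from the examples above: suffix rules are compared longest-match-first, so the nls.contoso.com and www.contoso.com exemptions (rules with no DirectAccess DNS server) beat the .contoso.com suffix rule, and the whole table is bypassed when network location detection has decided the client is on the intranet. The IPv6 addresses are constructed documentation-prefix values, and the netsh command in the usage note is the one that displays the real table on a Windows 7 client.

```powershell
# Added example, not from the deck: a model of NRPT rule selection.
# A rule with DaDnsServer = $null is an exemption (query goes to the interface DNS server).

$NrptRules = @(
    @{ Namespace = '.contoso.com';       DaDnsServer = '2001:db8:1::1' },   # constructed address
    @{ Namespace = '.woodgrovebank.com'; DaDnsServer = '2001:db8:1::1' },
    @{ Namespace = 'nls.contoso.com';    DaDnsServer = $null },             # NLS exemption
    @{ Namespace = 'www.contoso.com';    DaDnsServer = $null }              # split-DNS exemption
)

function Resolve-NrptTarget {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [array]$Rules = $NrptRules,
        [switch]$InsideCorpnet   # set when NLS detection succeeded: NRPT is then disabled
    )
    $fqdn = $Name.ToLowerInvariant().TrimEnd('.')
    $local = 'local DNS (interface setting)'

    if ($InsideCorpnet) {
        return New-Object PSObject -Property @{ Name = $fqdn; Resolver = $local; Rule = '<NRPT disabled>' }
    }

    # Most specific (longest) matching namespace wins
    $best = $null
    foreach ($rule in $Rules) {
        $ns = $rule.Namespace.ToLowerInvariant()
        if ($ns.StartsWith('.')) { $hit = $fqdn.EndsWith($ns) }   # suffix rule
        else                     { $hit = ($fqdn -eq $ns) }        # single-name rule
        if ($hit -and ($best -eq $null -or $ns.Length -gt $best.Namespace.Length)) { $best = $rule }
    }

    if ($best -eq $null) {
        return New-Object PSObject -Property @{ Name = $fqdn; Resolver = $local; Rule = '<no match>' }
    }
    if ($best.DaDnsServer -eq $null) {
        return New-Object PSObject -Property @{ Name = $fqdn; Resolver = $local; Rule = $best.Namespace + ' (exemption)' }
    }
    # Matched a DirectAccess rule: the client sends an AAAA query for this name
    # to the UAG DNS proxy over IPv6 (the slide's "AAAA records only" point)
    New-Object PSObject -Property @{ Name = $fqdn; Resolver = $best.DaDnsServer; Rule = $best.Namespace }
}

# Expected: app1 -> 2001:db8:1::1 via .contoso.com; nls -> local via exemption;
# www.microsoft.com -> local (no match); anything -> local when -InsideCorpnet
'app1.contoso.com', 'nls.contoso.com', 'www.contoso.com', 'www.microsoft.com' |
    ForEach-Object { Resolve-NrptTarget -Name $_ } | Format-Table Name, Rule, Resolver -AutoSize
Resolve-NrptTarget -Name 'app1.contoso.com' -InsideCorpnet | Format-Table Name, Rule, Resolver -AutoSize
```

On a real Windows 7 client, `netsh namespace show effectivepolicy` lists the table that Group Policy delivered, which is the first thing to compare against this model when a name resolves to the wrong place.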
Infrastructure Technologies: Network Location Detection (1/2)
• Network Location Awareness / domain determination
  • Detects whether the client is connected to the intranet
  • Uses connectivity tests to a domain controller (any domain controller)
  • Determines which WFAS profile to use
    • If intranet detected – enable the Domain WFAS profile
    • If intranet not detected – enable either the Public or Private profile (user choice)
  • DirectAccess firewall and Connection Security Rules are enabled by the Public or Private WFAS profile – these turn on the infrastructure and intranet tunnels
• Intranet detection
  • Connect to an SSL web site (Network Location Server)
  • Success turns off the NRPT
Infrastructure Technologies: Network Location Detection (2/2)
• DirectAccess client on the intranet
  • Assumes it is not connected to the intranet
  • Establishes an HTTPS connection to the Network Location Server / finds a DC
  • RESULT: Domain WFAS profile activated and NRPT disabled – no DA tunnels
• DirectAccess client on the Internet
  • Assumes it is not connected to the intranet
  • Fails to establish an HTTPS connection to the Network Location Server
  • RESULT: Public or Private profile activated and NRPT enabled – DA tunnels activated
DirectAccess Deployment
• Infrastructure requirements
• UAG DirectAccess solution requirements
• Service configuration before deployment
• The UAG DirectAccess Setup Wizard
• UAG DirectAccess options and advantages
• DirectAccess security issues
UAG DirectAccess Deployment: Infrastructure Requirements (1/3)
• Active Directory
  • UAG DirectAccess server and DirectAccess clients must be domain members
  • Dependencies on Group Policy and Active Directory certificate mapping (DS Mapper for IP-HTTPS clients to enable mutual certificate authentication)
  • Active Directory authentication (certificate/NTLMv2/Kerberos)
  • Windows Server 2008+ Active Directory not required
• DNS
  • Any DNS server – Windows or non-Windows
  • Prefer a DNS server that can dynamically register IPv6 addresses, though not required
UAG DirectAccess Deployment: Infrastructure Requirements (2/3)
• Public Key Infrastructure
  • Assign computer certificates to DirectAccess clients
  • Assign a web site certificate to the Network Location Server
  • Assign a web site certificate to the IP-HTTPS listener on the DirectAccess server
  • The CRL for the CA must be accessible for the NLS and IP-HTTPS certificates
UAG DirectAccess Deployment: Infrastructure Requirements (3/3)
• Network Location Server
  • Used for intranet detection
  • Highly available SSL web site
  • Responsible for disabling the NRPT
• UAG DirectAccess server running on Windows Server 2008 R2
  • Two consecutive public IP addresses on the external NIC
  • Computer certificate for IPsec authentication/encryption
  • Web site certificate (server authentication) for the IP-HTTPS listener
• DirectAccess clients running Windows 7 (Enterprise or Ultimate) or Windows Server 2008 R2 (branch office scenario)
  • Computer certificate for IPsec authentication/encryption (autoenrollment)
UAG DirectAccess Deployment: Service Configuration
• Create global groups for DirectAccess clients and “end to end” (Selected Server) destination servers
• Remove ISATAP from the DNS global query block list
• Configure computer certificate autoenrollment
• Configure intranet DNS with the name of the Network Location Server
• Configure intranet DNS with a mapping for ISATAP (internal address of the UAG DirectAccess server)
• Configure public DNS with the name on the IP-HTTPS certificate
• Configure Internet and back-end firewalls (as needed)
• Confirm internal network access to the NLS certificate CA’s CRL
• Confirm external network access to the IP-HTTPS certificate CA’s CRL
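The Network Location Detection slides, the PKI hint that the CRL must be reachable for the NLS and IP-HTTPS certificates, and the last two service configuration steps all come down to one check: does the HTTPS listener answer, and can the client download the CRL named in the certificate it presents? If the CRL is unreachable the NLS probe fails, every client on the intranet thinks it is on the Internet, and the IP-HTTPS connection fails too. The script below is an added example (not from the deck or from Microsoft) that performs that check using only .NET classes present on Windows 7 / PowerShell 2.0: it connects to the URL, reads the server certificate from the ServicePoint, extracts the HTTP URLs from the CRL Distribution Points extension (OID 2.5.29.31) and downloads each. The URL is a placeholder; run it against the NLS URL from an intranet host and against the IP-HTTPS URL from an Internet host.

```powershell
# Added example, not from the deck: check an HTTPS listener and its CRL distribution points.

function Test-DaListenerCrl {
    param([string]$Url = 'https://nls.contoso.com/')   # placeholder listener URL

    $req = [System.Net.WebRequest]::Create($Url)
    $req.Timeout = 10000
    $status = $null
    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        # An HTTP error such as 403 still proves the listener is up; a transport
        # failure (DNS, TCP, TLS trust) carries no Response and is reported as unreachable
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    }
    if ($status -eq $null) {
        return New-Object PSObject -Property @{ Url = $Url; Listener = 'unreachable'; Crls = @() }
    }

    # The certificate the listener presented, as X509Certificate2 so we can read extensions
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $req.ServicePoint.Certificate

    # 2.5.29.31 = CRL Distribution Points; Format() renders one "URL=http://..." per point.
    # LDAP distribution points are skipped: an Internet client cannot reach them anyway.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $crlUrls = @()
    if ($cdp) {
        $crlUrls = [regex]::Matches($cdp.Format($true), 'URL=(http[^\s]+)') |
                   ForEach-Object { $_.Groups[1].Value }
    }

    $wc = New-Object System.Net.WebClient
    $crls = foreach ($u in $crlUrls) {
        try   { $bytes = $wc.DownloadData($u); $ok = ($bytes.Length -gt 0) }
        catch { $ok = $false }
        New-Object PSObject -Property @{ CrlUrl = $u; Reachable = $ok }
    }

    New-Object PSObject -Property @{
        Url          = $Url
        Listener     = "HTTP $status"
        Subject      = $cert.Subject
        DaysToExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Crls         = @($crls)
    }
}

$r = Test-DaListenerCrl -Url 'https://nls.contoso.com/'
$r | Format-List Url, Listener, Subject, DaysToExpiry
$r.Crls | Format-Table CrlUrl, Reachable -AutoSize
```

A listener that answers but whose CRL is unreachable is the classic failure this check catches; DaysToExpiry is there because an expired NLS certificate produces exactly the same symptom a few months later.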
Deploying DirectAccess: What Does the Wizard Do? (1/2)
• Creates and (optionally) deploys a DirectAccess Clients Group Policy Object
  • Configures IPv6 transition technologies
  • WFAS firewall and Connection Security Rules
  • Sets NRPT entries
  • Sets the Network Location Server address
• Creates and deploys a DirectAccess Servers Group Policy Object
  • WFAS firewall and Connection Security Rules
• Creates and deploys an Application Servers Group Policy Object
  • WFAS firewall and Connection Security Rules
But that’s not all!
Deploying DirectAccess: What Did the Wizard Do? (2/2)
• Configures the UAG DirectAccess server as an ISATAP router
• Configures the UAG DirectAccess server as a 6to4 relay
• Configures the UAG DirectAccess server as a Teredo server and relay
• Configures the UAG DirectAccess server as an IP-HTTPS server
• Configures the UAG DirectAccess server as a NAT64/DNS64 IPv6/IPv4 protocol translator
• Configures the TMG firewall to support DirectAccess connectivity
• Registers the corporate DNS probe host name in DNS
• Configures the HOSTS file (in an array deployment)
Deploying DirectAccess: UAG DirectAccess Advantages and Options (1/2)
• Enables access to IPv4-only networks, IPv4-only resources or IPv4 segments
  • Courtesy of NAT64/DNS64
• High availability
  • Built-in support for using NLB with bidirectional affinity
  • Built-in support for UAG DirectAccess arrays
• Centralized configuration
  • Configure on the array manager
  • Automatically deploys configuration to other array members
• Consolidate all remote access using a single solution
  • Web portal/reverse proxy
  • SSL VPN (port/socket forwarding; Network Connector is not supported on the DirectAccess server)
  • Network-level VPN (SSTP)
  • DirectAccess
Deploying DirectAccess: UAG DirectAccess Options and Advantages (2/2)
• Integrated support for Network Access Protection (NAP)
  • Requires an existing internal NAP infrastructure – automatic integration
• Integrated support for two-factor authentication
  • Requires an existing internal smart card infrastructure – automatic integration
  • Also support for OTP (OAuth)
• Supports concurrent use of network-level VPN connections
  • Host the SSTP server on the UAG DirectAccess server
  • Enables support for incompatible applications (not IPv6 aware)
  • When the SSTP client connects – DirectAccess configuration is disabled
    • VPN connection enables the Domain profile
    • Turns off the NRPT
    • Disables the DirectAccess Connection Security Rules
Deploying DirectAccess: Security Considerations (1/2)
• Default configuration enables split tunneling
  • Configure “Force Tunneling” to disable split tunneling
• ICMPv6 is exempted from IPsec protection by default
  • Can configure ICMPv6 with IPsec protection, but this disables Teredo client connectivity
• Local name resolution enables NetBIOS and Link-Local Multicast Name Resolution (LLMNR) when a name cannot be resolved or the DNS server is not available
  • Local name resolution is configurable in the UAG DirectAccess wizard
• DirectAccess clients on the Internet are able to communicate with each other without IPsec protection
  • Can configure Connection Security Rules to force IPsec protection
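The last bullet is the one the 6to4 and Teredo slides flagged earlier: two DirectAccess clients on the Internet can reach each other directly over their 6to4 or Teredo addresses, and nothing in the default client policy requires IPsec for that traffic. The script below is an added example (not from the deck or from the UAG wizard) of the Connection Security Rule the slide suggests, created with `netsh advfirewall consec`: it covers both endpoints in the 6to4 (2002::/16) and Teredo (2001:0::/32) prefixes, requires authentication inbound and outbound, and uses computer certificate authentication so that a client with no certificate from your CA simply cannot talk to another client. The CA name and rule name are placeholders; in production the rule belongs in the DirectAccess Clients GPO rather than being run per machine.

```powershell
# Added example, not from the deck: require IPsec between DirectAccess clients
# that reach each other directly over 6to4 or Teredo addresses.

$DaClientPrefixes = '2002::/16,2001:0::/32'          # 6to4 and Teredo address space
$RuleName         = 'DirectAccess client-to-client IPsec'

function Add-DaClientToClientRule {
    param([string]$IssuingCaDn = 'CN=Contoso Root CA')   # placeholder: DN of the CA that issued the client computer certs

    # The rule is bound to the Public and Private profiles only: on the intranet
    # (Domain profile) clients do not use transition addresses and the rule is moot.
    & netsh advfirewall consec add rule `
        name="$RuleName" `
        description="Require IPsec with computer certificate auth between DA clients on the Internet" `
        endpoint1="$DaClientPrefixes" `
        endpoint2="$DaClientPrefixes" `
        action=requireinrequireout `
        auth1=computercert `
        auth1ca="$IssuingCaDn" `
        profile=public,private `
        enable=yes
    return $LASTEXITCODE    # 0 when netsh accepted the rule
}

function Test-DaClientToClientRule {
    # Returns $true when the rule is present and requires authentication in both directions
    $out = (& netsh advfirewall consec show rule name="$RuleName") -join "`n"
    return ($out -match 'RequireInRequireOut')
}

function Remove-DaClientToClientRule {
    & netsh advfirewall consec delete rule name="$RuleName"
    return $LASTEXITCODE
}

if ((Add-DaClientToClientRule) -eq 0 -and (Test-DaClientToClientRule)) {
    'Client-to-client IPsec rule in place'
} else {
    'Rule was not applied; review the netsh output above'
}
```

Because the rule requires authentication rather than merely requesting it, a client whose certificate has been revoked also loses peer connectivity, which ties in with the stolen-client handling on the next slide.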
Deploying DirectAccess: Security Considerations (2/2)
• All mobile clients (DirectAccess enabled or not) need BitLocker
  • A boot PIN should also be required
• All clients (DirectAccess enabled or not) need AV/AM protection
• Two-factor log on significantly improves DirectAccess security
• Strong enterprise management is key to a secure DirectAccess deployment
• Disable the computer account to prevent connections from stolen clients
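Two of these bullets are actions an administrator has to carry out under time pressure, so it is worth having them scripted. The script below is an added example (not from the deck or from Microsoft) that covers the stolen-client bullet and the BitLocker PIN bullet. For a reported-stolen laptop it disables the computer account (which breaks both the infrastructure tunnel's NTLMv2 computer authentication and the intranet tunnel's Kerberos authentication), revokes the client's computer certificate at the issuing CA with reason 1 (key compromise) and publishes a fresh CRL so the IPsec certificate authentication fails as well. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2), certutil run with rights on the issuing CA, and that the caller has looked up the certificate serial number in the CA database; the CA config string, serial and ticket number are placeholders. The second function reads manage-bde's protector list and reports whether the drive has the TPM And PIN protector the slide calls for (that protector label is the one manage-bde prints on Windows 7 and is an assumption if yours differs).

```powershell
# Added example, not from the deck: stolen-client response and BitLocker PIN check.

function Invoke-DaStolenClientResponse {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,   # sAMAccountName without the trailing $
        [Parameter(Mandatory=$true)][string]$CaConfig,       # placeholder, e.g. 'ca01.contoso.com\Contoso Issuing CA'
        [Parameter(Mandatory=$true)][string]$CertSerial,     # serial of the client's computer certificate, from the CA database
        [string]$Ticket = 'INC-placeholder'
    )
    Import-Module ActiveDirectory

    $computer = Get-ADComputer -Identity $ComputerName -Properties Description

    # 1. Disable the account: both DirectAccess tunnels authenticate against it
    Disable-ADAccount -Identity $computer
    Set-ADComputer -Identity $computer -Description ("Disabled - reported stolen, ticket " + $Ticket)

    # 2. Revoke the computer certificate (reason 1 = key compromise) and publish a new CRL
    & certutil -config $CaConfig -revoke $CertSerial 1
    $revokeExit = $LASTEXITCODE
    & certutil -config $CaConfig -CRL
    $crlExit = $LASTEXITCODE

    # 3. Return the evidence for the ticket
    New-Object PSObject -Property @{
        Computer       = $ComputerName
        AccountEnabled = (Get-ADComputer -Identity $ComputerName -Properties Enabled).Enabled   # expect $false
        RevokeOk       = ($revokeExit -eq 0)
        CrlPublished   = ($crlExit -eq 0)
    }
}

function Test-BitLockerPinProtector {
    param([string]$Drive = 'C:')
    # manage-bde lists each key protector; "TPM And PIN" is the boot-PIN configuration
    $out = (& manage-bde -protectors -get $Drive) -join "`n"
    return ($out -match 'TPM And PIN')
}

# Usage (placeholders):
# Invoke-DaStolenClientResponse -ComputerName 'LAPTOP01' -CaConfig 'ca01.contoso.com\Contoso Issuing CA' -CertSerial '<serial>' -Ticket 'INC-0001'
# Test-BitLockerPinProtector -Drive 'C:'
```

Two caveats a practitioner should know: existing IPsec security associations survive until they rekey, so the account disable is what ends a tunnel that is already up, and Windows checks the CRL during IPsec certificate authentication only to the degree set by `netsh advfirewall set global ipsec strongcrlcheck` (0 to 2); at the default of 1 a revoked certificate is rejected only if the CRL can be retrieved, so the CRL reachability checked earlier matters here as well.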
Feedback Your feedback is very important! Please complete an evaluation form! Thank you!
Resources
• The Edge Man Blog
• Test Lab Guide Wiki Site
• DirectAccess Planning and Deployment Guide
• UAG DirectAccess Planning and Deployment Guide
• Book: Deploying UAG 2010
• DirectAccess in the Enterprise: Best Practices – SEC310, Artyom Sinitsyn, HALL C1 – 11:00 AM – Be there!
Questions?
• SEC 302
• Dr. Thomas W Shinder – Principal Knowledge Engineer/Principal Writer
• tomsh@microsoft.com
• The Edge Man blog
• You can ask your questions at the “Ask the expert” zone within an hour after the end of this session