
Remote Access Technologies



  1. Remote Access Technologies
     Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com

  2. Network Access Technologies
     • VPN
       • SMB/SQL/LDAP/DCOM sensitive to RTT
     • Remote Desktop
       • no clipboard, no file proliferation
       • limited malware surface
     • 802.1x
       • WiFi or Ethernet
       • no encryption, authorization only
     • DirectAccess
       • GPO managed IPSec tunnel over IPv6

  3. VPN Scenario (diagram; components: VPN Client, NAT, VPN Gateway, RADIUS, SQL, DC, FS, SharePoint, RDP)

  4. DA Scenario (diagram; components: DA Client, NAT, DA Server, RADIUS, SQL, DC, FS, SharePoint, RDP)

  5. RDP Scenario (diagram; components: RDP Client, NAT, RDP Gateway, RADIUS, SQL, DC, FS, SharePoint, RDP, workstations)

  6. 802.1x WiFi Scenario (diagram; components: WiFi Client, WiFi AP, RADIUS, SQL, DC, FS, SharePoint, RDP)

  7. 802.1x Ethernet Scenario (diagram; components: workstations, Printer, Switch, RADIUS, SQL, DC, FS, SharePoint, RDP)

  8. VPN Compared

  9. VPN Compared

  10. Network Access Protection (NAP)
     • Client health validation before connecting
       • Firewall on?
       • Windows up-to-date?
       • Antimalware up-to-date?
       • SCCM compliance items in order?
     • Client validates itself
       • no security, only an added layer of obstruction

  11. Microsoft RADIUS Server
     • Standard authentication server
       • IAS - Internet Authentication Service (2003-)
       • NPS - Network Policy Service (2008+)
     • Authentication options
       • login/password
       • certificate
     • Active Directory authentication only
     • Clear-text transport with signatures
       • message authenticator (MD5)

  12. RADIUS General (diagram; Access Client column: VPN, WiFi, Ethernet, RDP GW, DHCP; Access Server column: RRAS VPN, WiFi AP, Ethernet Switch, RDP GW, DHCP Server; RADIUS; AD Passthrough Authentication to Active Directory)

  13. RADIUS Terminology (same diagram as slide 12; the Access Server is called the RADIUS Client: RRAS VPN, WiFi AP, Ethernet Switch, RDP GW, DHCP Server; RADIUS; AD Passthrough Authentication to Active Directory)

  14. Authentication Methods
     • PAP, SPAP
       • clear text and hashed password, respectively
     • CHAP
       • MD5 challenge response
       • requires "Store passwords using reversible encryption"
     • MS-CHAP
       • NTLM equivalent
       • DES(MD4)
     • MS-CHAPv2
       • NTLMv2 equivalent plus improvements (time constraints)
       • HMAC-MD5 (MD4)
     • EAP-TLS, PEAP
       • client authentication certificate
       • in user profile or in smart card
     • No authentication
       • sometimes the authentication occurs on the Access Server itself (RD Gateway)

  15. PPTP issues
     • MPPE encryption
       • proprietary, RC4
     • Encryption keys derived from the products of authentication
       • "by" password or "by" certificate
     • PAP/SPAP/EAP travels in clear

  16. EAP-TLS vs. PEAP
     • EAP-TLS is designed for protected transport
       • does not protect itself
     • Protected EAP
       • EAP wrapped in standard TLS

  17. EAP/PEAP Generic (diagram; labels: Access Client, VPN Tunnel Server Certificate, Access Server, EAP/PEAP Client Certificate, EAP/PEAP Server Certificate, VPN Tunnel Client Certificate, RADIUS, Active Directory)

  18. MS-CHAPv2 with SSTP (diagram; labels: Access Client, VPN Tunnel Server Certificate, Access Server, RADIUS, Active Directory)

  19. EAP with SSTP (diagram; labels: Access Client, VPN Tunnel Server Certificate, Access Server, EAP/PEAP Client Certificate, EAP Server Certificate, RADIUS, Active Directory)

  20. PEAP with SSTP (diagram; labels: Access Client, VPN Tunnel Server Certificate, Access Server, EAP/PEAP Client Certificate, PEAP Server Certificate, EAP Server Certificate, RADIUS, Active Directory)

  21. RADIUS Clients configuration
     • IP address of the device
       • can translate from DNS, but must match the IP address of the device (no reverse DNS)
     • Shared secrets
       • MD5(random message authenticator + shared secret)
       • NETSH NPS DUMP ExportPSK=YES
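Added example (not from the slides, not NPS code) of the shared-secret mechanics slides 11, 14 and 21 point at: how a PAP User-Password is hidden with MD5(secret + authenticator), which anyone holding the secret reverses, how the MD5 Response Authenticator is derived and checked, and how the HMAC-MD5 Message-Authenticator (RFC 2869) is computed and verified. Secret, Request Authenticator and user name below are constructed values.

```python
import hashlib
import hmac
ACCESS_REQUEST, ACCESS_ACCEPT, MESSAGE_AUTHENTICATOR = 1, 2, 80

def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value  # Type, Length (incl. header), Value

def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    # Code(1) Identifier(1) Length(2) Authenticator(16) Attributes: nothing here is encrypted
    body = b"".join(attrs)
    return bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big") + authenticator + body

def pap_transform(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    # RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous hidden block); keyed obfuscation, not encryption
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return pap_transform(password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00"), secret, request_auth, True)
def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return pap_transform(hidden, secret, request_auth, False).rstrip(b"\x00")

def sign_response(code: int, ident: int, request_auth: bytes, attrs: list, secret: bytes) -> bytes:
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    unsigned = build_packet(code, ident, request_auth, attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    return hmac.compare_digest(hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest(), response[4:20])

def sign_request(ident: int, request_auth: bytes, attrs: list, secret: bytes) -> bytes:
    # RFC 2869 5.14 Message-Authenticator: HMAC-MD5 keyed with the secret over the packet with the attribute zeroed
    zeroed = build_packet(ACCESS_REQUEST, ident, request_auth, attrs + [attr(MESSAGE_AUTHENTICATOR, bytes(16))])
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs + [attr(MESSAGE_AUTHENTICATOR, mac)])

def verify_request(packet: bytes, secret: bytes) -> bool:
    # Walk the attributes, zero the Message-Authenticator, recompute and compare in constant time
    pos = 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2: return False  # malformed attribute length, stop rather than loop forever
        if kind == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), packet[pos + 2:pos + 18])
        pos += length
    return False  # no Message-Authenticator at all: nothing binds this request to the secret
```

A request without attribute 80 verifies as False on purpose: only the shared secret ties a RADIUS packet to its sender, so the secret's length and the client IP restriction from slide 21 are the whole trust boundary.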

  22. Implementing NPS Policy

  23. Implementing NPS Policy

  24. Implementing NPS Policy

  25. Implementing NPS Policy

  26. NPS Auditing

  27. PEAP on NPS

  28. PEAP on NPS

  29. VPN Client Notes
     • Validates CRL
     • SSTP
       • does not use CRL cache
       • HKLM\System\CCS\Services\SSTPSvc\Parameters
         • NoCertRevocationCheck = DWORD = 1
     • IPSec
       • set global ipsec strongcrlcheck 0 (netsh advfirewall)
       • HKLM\System\CCS\Services\PolicyAgent
         • StrongCrlCheck = 0 = disabled
         • StrongCrlCheck = 1 = fail only if revoked
         • StrongCrlCheck = 2 = fail even if CRL not available
       • HKLM\System\CCS\Services\IPSec
         • AssumeUDPEncapsulationContextOnSendRule = 2

  30. PEAP Client Settings

  31. VPN Client Configuration
     • Group Policy Preferences
       • limited options
     • Connection Manager Administration Kit (CMAK)
       • create VPN installation packages

  32. 802.1x Notes
     • Required services
       • WLAN AutoConfig (WlanSvc)
       • Wired AutoConfig (dot3svc)
     • Group Policy Settings
       • Windows XP SP3 and newer
       • full configuration options

  33. 802.1x Authentication
     • User authentication
       • login/password
       • client certificate in user profile or in smart card
     • Computer authentication
       • MACHINE$ login/password
       • client certificate in the local computer store
     • Computer authentication with user re-authentication
       • works like a charm since Windows 7

  34. MS-CHAPv2 with 802.1x (diagram; labels: Access Client, AP/switch, single Ethernet cable, WiFi, RADIUS, Active Directory)

  35. EAP/PEAP with 802.1x (diagram; labels: Access Client, AP/switch, EAP/PEAP Client Certificate, single Ethernet cable, EAP/PEAP Server Certificate, EAP-TLS Server Certificate, Machine, User, WiFi, RADIUS, Active Directory)

  36. RD Proxy Troubleshooting
     • RPCPING options
       • -t ncacn_http
       • -e 3388
       • -s localhost (local TS Gateway COM service)
       • -v 3 (verbose output 1/2/3)
       • -a connect (connect/call/pkt/integrity/privacy)
       • -u ntlm (nego/ntlm/schannel/kerberos/kernel)
       • -I "kamil,gps,*"
       • -o RpcProxy=gps-wfe.gopas.virtual:443
       • -F ssl
       • -B msstd:gps-wfe.gopas.virtual
       • -H ntlm (RPC over HTTP proxy authentication ntlm/basic)
       • -P "proxykamil,gps,*"
       • -U NTLM (HTTP proxy authentication ntlm/basic)
     • Example:
       rpcping -t ncacn_http -e 3388 -s localhost -v 3 -a connect -u ntlm -I "kamil,gps,Pa$$w0rd" -o RpcProxy=rdp.gopas.cz:443 -F ssl -B msstd:rdp.gopas.cz -H ntlm -P "kamil,gps,Pa$$w0rd"

  37. RPC Proxy Troubleshooting
     • https://rpcserver/Rpc/RpcProxy.dll
     • https://rpcserver/RpcWithCert/RpcProxy.dll
